commit 29dcea88779c856c7dc92040a0c01233263101d4 Author: Linus Torvalds Date: Sun Jun 3 14:15:21 2018 -0700 Linux 4.17 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 325e14f97e0c92735d10d9922cbb73ad521de4c4 Merge: 874cd33 af04fad Author: Linus Torvalds Date: Sun Jun 3 11:01:28 2018 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro. - fix io_destroy()/aio_complete() race - the vfs_open() change to get rid of open_check_o_direct() boilerplate was nice, but buggy. Al has a patch avoiding a revert, but that's definitely not a last-day fodder, so for now revert it is... * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: Revert "fs: fold open_check_o_direct into do_dentry_open" fix io_destroy()/aio_complete() race commit af04fadcaa932d2d804699409d9d96dd5d85ce7f Author: Al Viro Date: Sat Jun 2 01:31:02 2018 -0400 Revert "fs: fold open_check_o_direct into do_dentry_open" This reverts commit cab64df194667dc5d9d786f0a895f647f5501c0d. Having vfs_open() in some cases drop the reference to struct file combined with error = vfs_open(path, f, cred); if (error) { put_filp(f); return ERR_PTR(error); } return f; is flat-out wrong. It used to be error = vfs_open(path, f, cred); if (!error) { /* from now on we need fput() to dispose of f */ error = open_check_o_direct(f); if (error) { fput(f); f = ERR_PTR(error); } } else { put_filp(f); f = ERR_PTR(error); } and sure, having that open_check_o_direct() boilerplate gotten rid of is nice, but not that way... Worse, another call chain (via finish_open()) is FUBAR now wrt FILE_OPENED handling - in that case we get error returned, with file already hit by fput() *AND* FILE_OPENED not set. Guess what happens in path_openat(), when it hits if (!(opened & FILE_OPENED)) { BUG_ON(!error); put_filp(file); } The root cause of all that crap is that the callers of do_dentry_open() have no way to tell which way did it fail; while that could be fixed up (by passing something like int *opened to do_dentry_open() and have it marked if we'd called ->open()), it's probably much too late in the cycle to do so right now. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds fs/internal.h | 1 + fs/namei.c | 7 ++++++- fs/open.c | 44 ++++++++++++++++++++++++++------------------ 3 files changed, 33 insertions(+), 19 deletions(-) commit 874cd339acdfe734b5418e36e3ad40fd4c573155 Merge: 26bdace 595058b Author: Linus Torvalds Date: Sun Jun 3 09:01:41 2018 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Thomas Gleixner: - two patches addressing the problem that the scheduler allows under certain conditions user space tasks to be scheduled on CPUs which are not yet fully booted which causes a few subtle and hard to debug issue - add a missing runqueue clock update in the deadline scheduler which triggers a warning under certain circumstances - fix a silly typo in the scheduler header file * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/headers: Fix typo sched/deadline: Fix missing clock update sched/core: Require cpu_active() in select_task_rq(), for user tasks sched/core: Fix rules for running on online && !active CPUs commit 26bdace74c857ce370ca23344e79b0b7cc17e9b3 Merge: 918fe1b 6497bbc Author: Linus Torvalds Date: Sun Jun 3 08:58:59 2018 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf tooling fixes from Thomas Gleixner: - fix 'perf test Session topology' segfault on s390 (Thomas Richter) - fix NULL return handling in bpf__prepare_load() (YueHaibing) - fix indexing on Coresight ETM packet queue decoder (Mathieu Poirier) - fix perf.data format description of NRCPUS header (Arnaldo Carvalho de Melo) - update perf.data documentation section on cpu topology - handle uncore event aliases in small groups properly (Kan Liang) - add missing perf_sample.addr into python sample dictionary (Leo Yan) * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf tools: Fix perf.data format description of NRCPUS header perf script python: Add addr into perf sample dict perf data: Update documentation section on cpu topology perf cs-etm: Fix indexing for decoder packet queue perf bpf: Fix NULL return handling in bpf__prepare_load() perf test: "Session topology" dumps core on s390 perf parse-events: Handle uncore event aliases in small groups properly commit 918fe1b3157978ada4267468008c5f89ef101e7d Merge: e0255aec cd075ce Author: Linus Torvalds Date: Sat Jun 2 17:35:53 2018 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Infinite loop in _decode_session6(), from Eric Dumazet. 2) Pass correct argument to nla_strlcpy() in netfilter, also from Eric Dumazet. 3) Out of bounds memory access in ipv6 srh code, from Mathieu Xhonneux. 4) NULL deref in XDP_REDIRECT handling of tun driver, from Toshiaki Makita. 5) Incorrect idr release in cls_flower, from Paul Blakey. 6) Probe error handling fix in davinci_emac, from Dan Carpenter. 7) Memory leak in XPS configuration, from Alexander Duyck. 8) Use after free with cloned sockets in kcm, from Kirill Tkhai. 9) MTU handling fixes fo ip_tunnel and ip6_tunnel, from Nicolas Dichtel. 10) Fix UAPI hole in bpf data structure for 32-bit compat applications, from Daniel Borkmann. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits) bpf: fix uapi hole for 32 bit compat applications net: usb: cdc_mbim: add flag FLAG_SEND_ZLP ip6_tunnel: remove magic mtu value 0xFFF8 ip_tunnel: restore binding to ifaces with a large mtu net: dsa: b53: Add BCM5389 support kcm: Fix use-after-free caused by clonned sockets net-sysfs: Fix memory leak in XPS configuration ixgbe: fix parsing of TC actions for HW offload net: ethernet: davinci_emac: fix error handling in probe() net/ncsi: Fix array size in dumpit handler cls_flower: Fix incorrect idr release when failing to modify rule net/sonic: Use dma_mapping_error() xfrm Fix potential error pointer dereference in xfrm_bundle_create. vhost_net: flush batched heads before trying to busy polling tun: Fix NULL pointer dereference in XDP redirect be2net: Fix error detection logic for BE3 net: qmi_wwan: Add Netgear Aircard 779S mlxsw: spectrum: Forbid creation of VLAN 1 over port/LAG atm: zatm: fix memcmp casting iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs ... commit e0255aec66a156b4062a486878d8bb0355a4abc5 Merge: ada7339 c9ddf73 Author: Linus Torvalds Date: Sat Jun 2 15:54:49 2018 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "Eve of merge window fix: The original code was so bogus as to be casting the wrong generic device to an rport and proceeding to take actions based on the bogus values it found. Fortunately it seems the location that is dereferenced always exists, so the code hasn't oopsed yet, but it certainly annoys the memory checkers" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: scsi_transport_srp: Fix shost to rport translation commit ada7339efeb94690a7ad15de69a3af186b9a55b5 Merge: 4277e6b 012cfac Author: Linus Torvalds Date: Sat Jun 2 15:24:45 2018 -0700 Merge tag 'drm-fixes-for-v4.17-rc8' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "A few final fixes: i915: - fix for potential Spectre vector in the new query uAPI - fix NULL pointer deref (FDO #106559) - DMI fix to hide LVDS for Radiant P845 (FDO #105468) amdgpu: - suspend/resume DC regression fix - underscan flicker fix on fiji - gamma setting fix after dpms omap: - fix oops regression core: - fix PSR timing dw-hdmi: - fix oops regression" * tag 'drm-fixes-for-v4.17-rc8' of git://people.freedesktop.org/~airlied/linux: drm/amd/display: Update color props when modeset is required drm/amd/display: Make atomic-check validate underscan changes drm/bridge/synopsys: dw-hdmi: fix dw_hdmi_setup_rx_sense drm/amd/display: Fix BUG_ON during CRTC atomic check update drm/i915/query: nospec expects no more than an unsigned long drm/i915/query: Protect tainted function pointer lookup drm/i915/lvds: Move acpi lid notification registration to registration phase drm/i915: Disable LVDS on Radiant P845 drm/omap: fix NULL deref crash with SDI displays drm/psr: Fix missed entry in PSR setup time table. commit 012cfaced00b7a9498227504c4d37a1c4619403d Merge: 0e33375 bc13f2f Author: Dave Airlie Date: Sun Jun 3 06:13:57 2018 +1000 Merge branch 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Two last minute DC fixes for 4.17. A fix for underscan on fiji and a fix for gamma settings getting after dpms. * 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux: drm/amd/display: Update color props when modeset is required drm/amd/display: Make atomic-check validate underscan changes commit 4277e6b9fd44a42d13f1c47fb403167718e9bed4 Merge: 7172a69 c7e8146 Author: Linus Torvalds Date: Sat Jun 2 10:12:23 2018 -0700 Merge tag 'mips_fixes_4.17_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fixes from James Hogan: "A final few MIPS fixes for 4.17: - drop Lantiq gphy reboot/remove reset (4.14) - prctl(PR_SET_FP_MODE): Disallow PRE without FR (4.0) - ptrace(PTRACE_PEEKUSR): Fix 64-bit FGRs (3.15)" * tag 'mips_fixes_4.17_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests MIPS: lantiq: gphy: Drop reboot/remove reset asserts commit 7172a69c10466966499730b4e870700abdb63be8 Merge: 6ac9f42 89c29de Author: Linus Torvalds Date: Sat Jun 2 10:08:45 2018 -0700 Merge tag 'vfio-v4.17' of git://github.com/awilliam/linux-vfio Pull VFIO fix from Alex Williamson: "Revert a pfn page mapping optimization identified as introducing a bad page state regression (Alex Williamson)" * tag 'vfio-v4.17' of git://github.com/awilliam/linux-vfio: Revert "vfio/type1: Improve memory pinning process for raw PFN mapping" commit 6ac9f42cda9449dbd7f07a0bf7819d1dccd46ae8 Merge: 34a8e64 806e308 Author: Linus Torvalds Date: Sat Jun 2 10:05:45 2018 -0700 Merge tag 'char-misc-4.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are four small bugfixes for some char/misc drivers. Well, really three fixes and one fix for one of those fixes due to problems found by 0-day. This resolves some reported issues with the hwtracing drivers, and a reported regression for the thunderbolt subsystem. All of these have been in linux-next for a while now with no reported problems" * tag 'char-misc-4.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: hwtracing: stm: fix build error on some arches intel_th: Use correct device when freeing buffers stm class: Use vmalloc for the master map thunderbolt: Handle NULL boot ACL entries properly commit 34a8e640d1eaaea99d79bb7f75bc3d7e336da167 Merge: 7fdf3e8 9d569b1 Author: Linus Torvalds Date: Sat Jun 2 10:02:14 2018 -0700 Merge tag 'staging-4.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull IIO driver fixes from Greg KH: "Here are some old IIO driver fixes that were sitting in my tree for a few weeks. Sorry about not getting them to you sooner. They fix a number of small IIO driver issues that have been reported. All of these have been in linux-next for a while with no reported problems" * tag 'staging-4.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: iio: adc: select buffer for at91-sama5d2_adc iio: hid-sensor-trigger: Fix sometimes not powering up the sensor after resume iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels iio:kfifo_buf: check for uint overflow iio:buffer: make length types match kfifo types iio: adc: stm32-dfsdm: fix sample rate for div2 spi clock iio: adc: stm32-dfsdm: fix successive oversampling settings iio: ad7793: implement IIO_CHAN_INFO_SAMP_FREQ commit 7fdf3e8616c5c2622b13120fc14328d58792abf3 Merge: a36b796 a840c93 Author: Linus Torvalds Date: Sat Jun 2 09:55:44 2018 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Just three small last minute regressions that were found in the last week. The Broadcom fix is a bit big for rc7, but since it is fixing driver crash regressions that were merged via netdev into rc1, I am sending it. - bnxt netdev changes merged this cycle caused the bnxt RDMA driver to crash under certain situations - Arnd found (several, unfortunately) kconfig problems with the patches adding INFINIBAND_ADDR_TRANS. Reverting this last part, will fix it more fully outside -rc. - Subtle change in error code for a uapi function caused breakage in userspace. This was bug was subtly introduced cycle" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: IB/core: Fix error code for invalid GID entry IB: Revert "remove redundant INFINIBAND kconfig dependencies" RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes commit a36b7968909627d83af03d24a45e2d5f966cacff Merge: 0938a8f a0ccb6b Author: Linus Torvalds Date: Sat Jun 2 09:52:22 2018 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "A documentation bugfix and a MAINTAINERS addition" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: ocores: update HDL sources URL i2c: xlp9xx: Add MAINTAINERS entry commit 0938a8f52d10fc917eecc5c1b2fb7d3a7dedfa41 Merge: 0512e01 145e1a7 Author: Linus Torvalds Date: Sat Jun 2 09:44:15 2018 -0700 Merge branch 'akpm' (patches from Andrew) Merge two fixes from Andrew Morton. * emailed patches from Andrew Morton : mm: fix the NULL mapping case in __isolate_lru_page() mm/huge_memory.c: __split_huge_page() use atomic ClearPageDirty() commit 145e1a71e090575c74969e3daa8136d1e5b99fc8 Author: Hugh Dickins Date: Fri Jun 1 16:50:50 2018 -0700 mm: fix the NULL mapping case in __isolate_lru_page() George Boole would have noticed a slight error in 4.16 commit 69d763fc6d3a ("mm: pin address_space before dereferencing it while isolating an LRU page"). Fix it, to match both the comment above it, and the original behaviour. Although anonymous pages are not marked PageDirty at first, we have an old habit of calling SetPageDirty when a page is removed from swap cache: so there's a category of ex-swap pages that are easily migratable, but were inadvertently excluded from compaction's async migration in 4.16. Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1805302014001.12558@eggly.anvils Fixes: 69d763fc6d3a ("mm: pin address_space before dereferencing it while isolating an LRU page") Signed-off-by: Hugh Dickins Acked-by: Minchan Kim Acked-by: Mel Gorman Reported-by: Ivan Kalvachev Cc: "Huang, Ying" Cc: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/vmscan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2d077d4b59924acd1f5180c6fb73b57f4771fde6 Author: Hugh Dickins Date: Fri Jun 1 16:50:45 2018 -0700 mm/huge_memory.c: __split_huge_page() use atomic ClearPageDirty() Swapping load on huge=always tmpfs (with khugepaged tuned up to be very eager, but I'm not sure that is relevant) soon hung uninterruptibly, waiting for page lock in shmem_getpage_gfp()'s find_lock_entry(), most often when "cp -a" was trying to write to a smallish file. Debug showed that the page in question was not locked, and page->mapping NULL by now, but page->index consistent with having been in a huge page before. Reproduced in minutes on a 4.15 kernel, even with 4.17's 605ca5ede764 ("mm/huge_memory.c: reorder operations in __split_huge_page_tail()") added in; but took hours to reproduce on a 4.17 kernel (no idea why). The culprit proved to be the __ClearPageDirty() on tails beyond i_size in __split_huge_page(): the non-atomic __bitoperation may have been safe when 4.8's baa355fd3314 ("thp: file pages support for split_huge_page()") introduced it, but liable to erase PageWaiters after 4.10's 62906027091f ("mm: add PageWaiters indicating tasks are waiting for a page bit"). Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1805291841070.3197@eggly.anvils Fixes: 62906027091f ("mm: add PageWaiters indicating tasks are waiting for a page bit") Signed-off-by: Hugh Dickins Acked-by: Kirill A. Shutemov Cc: Konstantin Khlebnikov Cc: Nicholas Piggin Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 89c29def6b0101fff66a3d74d0178b844f88d732 Author: Alex Williamson Date: Sat Jun 2 08:41:44 2018 -0600 Revert "vfio/type1: Improve memory pinning process for raw PFN mapping" Bisection by Amadeusz Sławiński implicates this commit leading to bad page state issues after VM shutdown, likely due to unbalanced page references. The original commit was intended only as a performance improvement, therefore revert for offline rework. Link: https://lkml.org/lkml/2018/6/2/97 Fixes: 356e88ebe447 ("vfio/type1: Improve memory pinning process for raw PFN mapping") Cc: Jason Cai (Xiang Feng) Reported-by: Amadeusz Sławiński Signed-off-by: Alex Williamson drivers/vfio/vfio_iommu_type1.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) commit cd075ce4679ca7797734c4f6c5aa23878c8e2208 Merge: 9f7c728 36f9814 Author: David S. Miller Date: Sat Jun 2 08:07:52 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2018-06-02 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) BPF uapi fix in struct bpf_prog_info and struct bpf_map_info in order to fix offsets on 32 bit archs. This will have a minor merge conflict with net-next which has the __u32 gpl_compatible:1 bitfield in struct bpf_prog_info at this location. Resolution is to use the gpl_compatible member. ==================== Signed-off-by: David S. Miller commit 36f9814a494a874d5a0f44843544b4b2539022db Author: Daniel Borkmann Date: Sat Jun 2 05:21:59 2018 +0200 bpf: fix uapi hole for 32 bit compat applications In 64 bit, we have a 4 byte hole between ifindex and netns_dev in the case of struct bpf_map_info but also struct bpf_prog_info. In net-next commit b85fab0e67b ("bpf: Add gpl_compatible flag to struct bpf_prog_info") added a bitfield into it to expose some flags related to programs. Thus, add an unnamed __u32 bitfield for both so that alignment keeps the same in both 32 and 64 bit cases, and can be naturally extended from there as in b85fab0e67b. Before: # file test.o test.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped # pahole test.o struct bpf_map_info { __u32 type; /* 0 4 */ __u32 id; /* 4 4 */ __u32 key_size; /* 8 4 */ __u32 value_size; /* 12 4 */ __u32 max_entries; /* 16 4 */ __u32 map_flags; /* 20 4 */ char name[16]; /* 24 16 */ __u32 ifindex; /* 40 4 */ __u64 netns_dev; /* 44 8 */ __u64 netns_ino; /* 52 8 */ /* size: 64, cachelines: 1, members: 10 */ /* padding: 4 */ }; After (same as on 64 bit): # file test.o test.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped # pahole test.o struct bpf_map_info { __u32 type; /* 0 4 */ __u32 id; /* 4 4 */ __u32 key_size; /* 8 4 */ __u32 value_size; /* 12 4 */ __u32 max_entries; /* 16 4 */ __u32 map_flags; /* 20 4 */ char name[16]; /* 24 16 */ __u32 ifindex; /* 40 4 */ /* XXX 4 bytes hole, try to pack */ __u64 netns_dev; /* 48 8 */ __u64 netns_ino; /* 56 8 */ /* --- cacheline 1 boundary (64 bytes) --- */ /* size: 64, cachelines: 1, members: 10 */ /* sum members: 60, holes: 1, sum holes: 4 */ }; Reported-by: Dmitry V. Levin Reported-by: Eugene Syromiatnikov Fixes: 52775b33bb507 ("bpf: offload: report device information about offloaded maps") Fixes: 675fc275a3a2d ("bpf: offload: report device information for offloaded programs") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Alexei Starovoitov include/uapi/linux/bpf.h | 2 ++ tools/include/uapi/linux/bpf.h | 2 ++ 2 files changed, 4 insertions(+) commit 9f7c728332e8966084242fcd951aa46583bc308c Author: Daniele Palmas Date: Thu May 31 11:18:29 2018 +0200 net: usb: cdc_mbim: add flag FLAG_SEND_ZLP Testing Telit LM940 with ICMP packets > 14552 bytes revealed that the modem needs FLAG_SEND_ZLP to properly work, otherwise the cdc mbim data interface won't be anymore responsive. Signed-off-by: Daniele Palmas Acked-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8a118015816f82c16b446e6599d35d483883d238 Merge: ccfde6e f7ff1fd Author: David S. Miller Date: Fri Jun 1 13:56:31 2018 -0400 Merge branch 'tunnel-mtus' Nicolas Dichtel says: ==================== ip[6] tunnels: fix mtu calculations The first patch restores the possibility to bind an ip4 tunnel to an interface whith a large mtu. The second patch was spotted after the first fix. I also target it to net because it fixes the max mtu value that can be used for ipv6 tunnels. v2: remove the 0xfff8 in ip_tunnel_newlink() ==================== Signed-off-by: David S. Miller commit f7ff1fde9441b4fcc8ffb6e66e6e5a00d008937e Author: Nicolas Dichtel Date: Thu May 31 10:59:33 2018 +0200 ip6_tunnel: remove magic mtu value 0xFFF8 I don't know where this value comes from (probably a copy and paste and paste and paste ...). Let's use standard values which are a bit greater. Link: https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/commit/?id=e5afd356a411a Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller net/ipv6/ip6_tunnel.c | 11 ++++++++--- net/ipv6/sit.c | 5 +++-- 2 files changed, 11 insertions(+), 5 deletions(-) commit 82612de1c98e610d194e34178bde3cca7dedce41 Author: Nicolas Dichtel Date: Thu May 31 10:59:32 2018 +0200 ip_tunnel: restore binding to ifaces with a large mtu After commit f6cc9c054e77, the following conf is broken (note that the default loopback mtu is 65536, ie IP_MAX_MTU + 1): $ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev lo add tunnel "gre0" failed: Invalid argument $ ip l a type dummy $ ip l s dummy1 up $ ip l s dummy1 mtu 65535 $ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev dummy1 add tunnel "gre0" failed: Invalid argument dev_set_mtu() doesn't allow to set a mtu which is too large. First, let's cap the mtu returned by ip_tunnel_bind_dev(). Second, remove the magic value 0xFFF8 and use IP_MAX_MTU instead. 0xFFF8 seems to be there for ages, I don't know why this value was used. With a recent kernel, it's also possible to set a mtu > IP_MAX_MTU: $ ip l s dummy1 mtu 66000 After that patch, it's also possible to bind an ip tunnel on that kind of interface. CC: Petr Machata CC: Ido Schimmel Link: https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/commit/?id=e5afd356a411a Fixes: f6cc9c054e77 ("ip_tunnel: Emit events for post-register MTU changes") Signed-off-by: Nicolas Dichtel Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller net/ipv4/ip_tunnel.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit ccfde6e27d9566bee596d41a2cc6f158af8595d5 Merge: a95691b 38369f5 Author: David S. Miller Date: Fri Jun 1 13:25:41 2018 -0400 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2018-05-31 1) Avoid possible overflow of the offset variable in _decode_session6(), this fixes an infinite lookp there. From Eric Dumazet. 2) We may use an error pointer in the error path of xfrm_bundle_create(). Fix this by returning this pointer directly to the caller. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller commit a95691bc54af1ac4b12c354f91e9cabf1cb068df Author: Damien Thébault Date: Thu May 31 07:04:01 2018 +0000 net: dsa: b53: Add BCM5389 support This patch adds support for the BCM5389 switch connected through MDIO. Signed-off-by: Damien Thébault Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Documentation/devicetree/bindings/net/dsa/b53.txt | 1 + drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++ drivers/net/dsa/b53/b53_mdio.c | 5 ++++- drivers/net/dsa/b53/b53_priv.h | 1 + 4 files changed, 19 insertions(+), 1 deletion(-) commit eb7f54b90bd8f469834c5e86dcf72ebf9a629811 Author: Kirill Tkhai Date: Fri Jun 1 14:30:38 2018 +0300 kcm: Fix use-after-free caused by clonned sockets (resend for properly queueing in patchwork) kcm_clone() creates kernel socket, which does not take net counter. Thus, the net may die before the socket is completely destructed, i.e. kcm_exit_net() is executed before kcm_done(). Reported-by: syzbot+5f1a04e374a635efc426@syzkaller.appspotmail.com Signed-off-by: Kirill Tkhai Signed-off-by: David S. Miller net/kcm/kcmsock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 664088f8d68178809b848ca450f2797efb34e8e7 Author: Alexander Duyck Date: Thu May 31 15:59:46 2018 -0400 net-sysfs: Fix memory leak in XPS configuration This patch reorders the error cases in showing the XPS configuration so that we hold off on memory allocation until after we have verified that we can support XPS on a given ring. Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes") Signed-off-by: Alexander Duyck Signed-off-by: David S. Miller net/core/net-sysfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 16e6653c8259ca5383126e1c6bcf7fe062af87fc Author: Ondřej Hlavatý Date: Thu May 31 23:21:04 2018 +0200 ixgbe: fix parsing of TC actions for HW offload The previous code was optimistic, accepting the offload of whole action chain when there was a single known action (drop/redirect). This results in offloading a rule which should not be offloaded, because its behavior cannot be reproduced in the hardware. For example: $ tc filter add dev eno1 parent ffff: protocol ip \ u32 ht 800: order 1 match tcp src 42 FFFF \ action mirred egress mirror dev enp1s16 pipe \ drop The controller is unable to mirror the packet to a VF, but still offloads the rule by dropping the packet. Change the approach of the function to a pessimistic one, rejecting the chain when an unknown action is found. This is better suited for future extensions. Note that both recognized actions always return TC_ACT_SHOT, therefore it is safe to ignore actions behind them. Signed-off-by: Ondřej Hlavatý Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) commit 0512e0134582ef85dee77d51aae77dcd1edec495 Merge: dd52cb8 829bc787 Author: Linus Torvalds Date: Thu May 31 16:23:07 2018 -0500 Merge tag 'xfs-4.17-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fix from Darrick Wong: "Clear out i_mapping error state when we're reinitializing inodes. This last minute fix prevents writeback error state from persisting past the end of the in-core inode lifecycle and causing EIO errors to be reported to userspace when no error has occurred. This fix for the behavioral regression has been soaking in for-next for a while, but various fs developers persuaded me to try to get it upstream for 4.17 because the patch that broke things was introduced in 4.17-rc4" * tag 'xfs-4.17-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: fs: clear writeback errors in inode_init_always commit 8005b09d99fac78e6f5fb9da30b5ae94840af03b Author: Dan Carpenter Date: Thu May 31 09:44:49 2018 +0300 net: ethernet: davinci_emac: fix error handling in probe() The current error handling code has an issue where it does: if (priv->txchan) cpdma_chan_destroy(priv->txchan); The problem is that ->txchan is either valid or an error pointer (which would lead to an Oops). I've changed it to use multiple error labels so that the test can be removed. Also there were some missing calls to netif_napi_del(). Fixes: 3ef0fdb2342c ("net: davinci_emac: switch to new cpdma layer") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/ethernet/ti/davinci_emac.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) commit 0f51f3582f22e543b78c4e113220ed1c35acbd97 Author: Samuel Mendoza-Jonas Date: Thu May 31 14:10:04 2018 +1000 net/ncsi: Fix array size in dumpit handler With CONFIG_CC_STACKPROTECTOR enabled the kernel panics as below when parsing a NCSI_CMD_PKG_INFO command: [ 150.149711] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08 [ 150.149711] [ 150.159919] CPU: 0 PID: 1301 Comm: ncsi-netlink Not tainted 4.13.16-468cbec6d2c91239332cb91b1f0a73aafcb6f0c6 #1 [ 150.170004] Hardware name: Generic DT based system [ 150.174852] [<80109930>] (unwind_backtrace) from [<80106bc4>] (show_stack+0x20/0x24) [ 150.182641] [<80106bc4>] (show_stack) from [<805d36e4>] (dump_stack+0x20/0x28) [ 150.189888] [<805d36e4>] (dump_stack) from [<801163ac>] (panic+0xdc/0x278) [ 150.196780] [<801163ac>] (panic) from [<801162cc>] (__stack_chk_fail+0x20/0x24) [ 150.204111] [<801162cc>] (__stack_chk_fail) from [<805cff08>] (ncsi_pkg_info_all_nl+0x244/0x258) [ 150.212912] [<805cff08>] (ncsi_pkg_info_all_nl) from [<804f939c>] (genl_lock_dumpit+0x3c/0x54) [ 150.221535] [<804f939c>] (genl_lock_dumpit) from [<804f873c>] (netlink_dump+0xf8/0x284) [ 150.229550] [<804f873c>] (netlink_dump) from [<804f8d44>] (__netlink_dump_start+0x124/0x17c) [ 150.237992] [<804f8d44>] (__netlink_dump_start) from [<804f9880>] (genl_rcv_msg+0x1c8/0x3d4) [ 150.246440] [<804f9880>] (genl_rcv_msg) from [<804f9174>] (netlink_rcv_skb+0xd8/0x134) [ 150.254361] [<804f9174>] (netlink_rcv_skb) from [<804f96a4>] (genl_rcv+0x30/0x44) [ 150.261850] [<804f96a4>] (genl_rcv) from [<804f7790>] (netlink_unicast+0x198/0x234) [ 150.269511] [<804f7790>] (netlink_unicast) from [<804f7ffc>] (netlink_sendmsg+0x368/0x3b0) [ 150.277783] [<804f7ffc>] (netlink_sendmsg) from [<804abea4>] (sock_sendmsg+0x24/0x34) [ 150.285625] [<804abea4>] (sock_sendmsg) from [<804ac1dc>] (___sys_sendmsg+0x244/0x260) [ 150.293556] [<804ac1dc>] (___sys_sendmsg) from [<804ad98c>] (__sys_sendmsg+0x5c/0x9c) [ 150.301400] [<804ad98c>] (__sys_sendmsg) from [<804ad9e4>] (SyS_sendmsg+0x18/0x1c) [ 150.308984] [<804ad9e4>] (SyS_sendmsg) from [<80102640>] (ret_fast_syscall+0x0/0x3c) [ 150.316743] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08 This turns out to be because the attrs array in ncsi_pkg_info_all_nl() is initialised to a length of NCSI_ATTR_MAX which is the maximum attribute number, not the number of attributes. Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family") Signed-off-by: Samuel Mendoza-Jonas Signed-off-by: David S. Miller net/ncsi/ncsi-netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit be20f28fbd1a3f09fb16398b304a7a4546f9f97a Merge: 8258d2d ab1068d Author: David S. Miller Date: Thu May 31 15:27:39 2018 -0400 Merge tag 'wireless-drivers-for-davem-2018-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.17 Two last minute fixes, hopefully they make it to 4.17 still. rt2x00 * revert a fix which caused even more problems iwlwifi * fix a crash when there are 16 or more logical CPUs ==================== Signed-off-by: David S. Miller commit 8258d2da9f9f521dce7019e018360c28d116354e Author: Paul Blakey Date: Wed May 30 11:29:15 2018 +0300 cls_flower: Fix incorrect idr release when failing to modify rule When we fail to modify a rule, we incorrectly release the idr handle of the unmodified old rule. Fix that by checking if we need to release it. Fixes: fe2502e49b58 ("net_sched: remove cls_flower idr on failure") Reported-by: Vlad Buslov Reviewed-by: Roi Dayan Acked-by: Jiri Pirko Signed-off-by: Paul Blakey Signed-off-by: David S. Miller net/sched/cls_flower.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 Author: Finn Thain Date: Wed May 30 13:03:51 2018 +1000 net/sonic: Use dma_mapping_error() With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the message, "DMA-API: device driver failed to check map error". Add the missing dma_mapping_error() call. Cc: Thomas Bogendoerfer Signed-off-by: Finn Thain Acked-by: Thomas Bogendoerfer Signed-off-by: David S. Miller drivers/net/ethernet/natsemi/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bc13f2f88eae63af943ab967cb14bb602f8f2eeb Author: Leo (Sunpeng) Li Date: Thu May 31 10:23:37 2018 -0400 drm/amd/display: Update color props when modeset is required This fixes issues where color management properties don't persist over DPMS on/off, or when the CRTC is moved across connectors. Signed-off-by: Leo (Sunpeng) Li Reviewed-by: Harry Wentland Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit a9e8d27574f26700575473011cb607d4abdbda5f Author: David Francis Date: Thu May 31 13:48:31 2018 -0400 drm/amd/display: Make atomic-check validate underscan changes When the underscan state was changed, atomic-check was triggering a validation but passing the old underscan values. This change adds a somewhat hacky check in dm_update_crtcs_state that will update the stream if old and newunderscan values are different. This was causing 4k on Fiji to allow underscan when it wasn't permitted. Signed-off-by: David Francis Reviewed-by: David Francis Acked-by: Harry Wentland Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) commit dd52cb879063ca5470d5a093c32180ba74fa528e Merge: 88a8676 32ffd6e Author: Linus Torvalds Date: Thu May 31 09:39:57 2018 -0500 Merge tag 'platform-drivers-x86-v4.17-4' of git://git.infradead.org/linux-platform-drivers-x86 Pull x86 platform driver fix from Andy Shevchenko: "Fix NULL pointer dereference in asus-wmi on rfkill cleanup. The effective change is just one new condition - two lines of code. But it required moving one static helper function, which is why the diff looks a bit bigger" * tag 'platform-drivers-x86-v4.17-4' of git://git.infradead.org/linux-platform-drivers-x86: platform/x86: asus-wmi: Fix NULL pointer dereference commit 32ffd6e8d1f6cef94bedca15dfcdebdeb590499d Author: João Paulo Rechi Vita Date: Tue May 22 14:30:15 2018 -0700 platform/x86: asus-wmi: Fix NULL pointer dereference Do not perform the rfkill cleanup routine when (asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since nothing is registered with the rfkill subsystem in that case. Doing so leads to the following kernel NULL pointer dereference: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] __mutex_lock_slowpath+0x98/0x120 PGD 1a3aa8067 PUD 1a3b3d067 PMD 0 Oops: 0002 [#1] PREEMPT SMP Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34 Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012 task: ffff8801a639ba00 task.stack: ffffc900014cc000 RIP: 0010:[] [] __mutex_lock_slowpath+0x98/0x120 RSP: 0018:ffffc900014cfce0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4 RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4 R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8 FS: 00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0 Stack: ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28 ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0 ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7 Call Trace: [] ? acpi_ut_release_mutex+0x5d/0x61 [] ? acpi_ns_get_node+0x49/0x52 [] mutex_lock+0x17/0x30 [] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi] [] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi] [] asus_wmi_remove+0x61/0xb0 [asus_wmi] [] platform_drv_remove+0x28/0x40 [] __device_release_driver+0xa1/0x160 [] device_release_driver+0x23/0x30 [] bus_remove_device+0xfd/0x170 [] device_del+0x139/0x270 [] platform_device_del+0x28/0x90 [] platform_device_unregister+0x12/0x30 [] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi] [] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi] [] SyS_delete_module+0x192/0x270 [] ? exit_to_usermode_loop+0x92/0xa0 [] entry_SYSCALL_64_fastpath+0x13/0x94 Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00 RIP [] __mutex_lock_slowpath+0x98/0x120 RSP CR2: 0000000000000000 ---[ end trace 8d484233fa7cb512 ]--- note: modprobe[3275] exited with preempt_count 2 https://bugzilla.kernel.org/show_bug.cgi?id=196467 Reported-by: red.f0xyz@gmail.com Signed-off-by: João Paulo Rechi Vita Signed-off-by: Andy Shevchenko drivers/platform/x86/asus-wmi.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) commit 6497bbc35ac5efce3bccd31d3719bae020282da6 Merge: 786b71f 18a7057 Author: Ingo Molnar Date: Thu May 31 12:37:07 2018 +0200 Merge tag 'perf-urgent-for-mingo-4.17-20180531' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fix 'perf test Session topology' segfault on s390 (Thomas Richter) - Fix NULL return handling in bpf__prepare_load() (YueHaibing) - Fix indexing on Coresight ETM packet queue decoder (Mathieu Poirier) - Fix perf.data format description of NRCPUS header (Arnaldo Carvalho de Melo) - Update perf.data documentation section on cpu topology - Handle uncore event aliases in small groups properly (Kan Liang) - Add missing perf_sample.addr into python sample dictionary (Leo Yan) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 595058b6675e4d2a70dcd867c84d922975f9d22b Author: Davidlohr Bueso Date: Wed May 30 15:49:40 2018 -0700 sched/headers: Fix typo I cannot spell 'throttling'. Signed-off-by: Davidlohr Bueso Signed-off-by: Peter Zijlstra (Intel) Cc: Davidlohr Bueso Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180530224940.17839-1-dave@stgolabs.net Signed-off-by: Ingo Molnar kernel/sched/sched.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ecda2b66e263dfd6c1d6113add19150f4e235bb3 Author: Juri Lelli Date: Wed May 30 18:08:09 2018 +0200 sched/deadline: Fix missing clock update A missing clock update is causing the following warning: rq->clock_update_flags < RQCF_ACT_SKIP WARNING: CPU: 10 PID: 0 at kernel/sched/sched.h:963 inactive_task_timer+0x5d6/0x720 Call Trace: __hrtimer_run_queues+0x10f/0x530 hrtimer_interrupt+0xe5/0x240 smp_apic_timer_interrupt+0x79/0x2b0 apic_timer_interrupt+0xf/0x20 do_idle+0x203/0x280 cpu_startup_entry+0x6f/0x80 start_secondary+0x1b0/0x200 secondary_startup_64+0xa5/0xb0 hardirqs last enabled at (793919): [] cpuidle_enter_state+0x9e/0x360 hardirqs last disabled at (793920): [] interrupt_entry+0xce/0xe0 softirqs last enabled at (793922): [] irq_enter+0x68/0x70 softirqs last disabled at (793921): [] irq_enter+0x4d/0x70 This happens because inactive_task_timer() calls sub_running_bw() (if TASK_DEAD and non_contending) that might trigger a schedutil update, which might access the clock. Clock is however currently updated only later in inactive_task_timer() function. Fix the problem by updating the clock right after task_rq_lock(). Reported-by: kernel test robot Signed-off-by: Juri Lelli Signed-off-by: Peter Zijlstra (Intel) Cc: Claudio Scordino Cc: Linus Torvalds Cc: Luca Abeni Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180530160809.9074-1-juri.lelli@redhat.com Signed-off-by: Ingo Molnar kernel/sched/deadline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 7af443ee1697607541c6346c87385adab2214743 Author: Paul Burton Date: Sat May 26 08:46:47 2018 -0700 sched/core: Require cpu_active() in select_task_rq(), for user tasks select_task_rq() is used in a few paths to select the CPU upon which a thread should be run - for example it is used by try_to_wake_up() & by fork or exec balancing. As-is it allows use of any online CPU that is present in the task's cpus_allowed mask. This presents a problem because there is a period whilst CPUs are brought online where a CPU is marked online, but is not yet fully initialized - ie. the period where CPUHP_AP_ONLINE_IDLE <= state < CPUHP_ONLINE. Usually we don't run any user tasks during this window, but there are corner cases where this can happen. An example observed is: - Some user task A, running on CPU X, forks to create task B. - sched_fork() calls __set_task_cpu() with cpu=X, setting task B's task_struct::cpu field to X. - CPU X is offlined. - Task A, currently somewhere between the __set_task_cpu() in copy_process() and the call to wake_up_new_task(), is migrated to CPU Y by migrate_tasks() when CPU X is offlined. - CPU X is onlined, but still in the CPUHP_AP_ONLINE_IDLE state. The scheduler is now active on CPU X, but there are no user tasks on the runqueue. - Task A runs on CPU Y & reaches wake_up_new_task(). This calls select_task_rq() with cpu=X, taken from task B's task_struct, and select_task_rq() allows CPU X to be returned. - Task A enqueues task B on CPU X's runqueue, via activate_task() & enqueue_task(). - CPU X now has a user task on its runqueue before it has reached the CPUHP_ONLINE state. In most cases, the user tasks that schedule on the newly onlined CPU have no idea that anything went wrong, but one case observed to be problematic is if the task goes on to invoke the sched_setaffinity syscall. The newly onlined CPU reaches the CPUHP_AP_ONLINE_IDLE state before the CPU that brought it online calls stop_machine_unpark(). This means that for a portion of the window of time between CPUHP_AP_ONLINE_IDLE & CPUHP_ONLINE the newly onlined CPU's struct cpu_stopper has its enabled field set to false. If a user thread is executed on the CPU during this window and it invokes sched_setaffinity with a CPU mask that does not include the CPU it's running on, then when __set_cpus_allowed_ptr() calls stop_one_cpu() intending to invoke migration_cpu_stop() and perform the actual migration away from the CPU it will simply return -ENOENT rather than calling migration_cpu_stop(). We then return from the sched_setaffinity syscall back to the user task that is now running on a CPU which it just asked not to run on, and which is not present in its cpus_allowed mask. This patch resolves the problem by having select_task_rq() enforce that user tasks run on CPUs that are active - the same requirement that select_fallback_rq() already enforces. This should ensure that newly onlined CPUs reach the CPUHP_AP_ACTIVE state before being able to schedule user tasks, and also implies that bringup_wait_for_ap() will have called stop_machine_unpark() which resolves the sched_setaffinity issue above. I haven't yet investigated them, but it may be of interest to review whether any of the actions performed by hotplug states between CPUHP_AP_ONLINE_IDLE & CPUHP_AP_ACTIVE could have similar unintended effects on user tasks that might schedule before they are reached, which might widen the scope of the problem from just affecting the behaviour of sched_setaffinity. Signed-off-by: Paul Burton Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180526154648.11635-2-paul.burton@mips.com Signed-off-by: Ingo Molnar kernel/sched/core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 175f0e25abeaa2218d431141ce19cf1de70fa82d Author: Peter Zijlstra Date: Tue Jul 25 18:58:21 2017 +0200 sched/core: Fix rules for running on online && !active CPUs As already enforced by the WARN() in __set_cpus_allowed_ptr(), the rules for running on an online && !active CPU are stricter than just being a kthread, you need to be a per-cpu kthread. If you're not strictly per-CPU, you have better CPUs to run on and don't need the partially booted one to get your work done. The exception is to allow smpboot threads to bootstrap the CPU itself and get kernel 'services' initialized before we allow userspace on it. Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Paul E. McKenney Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Tejun Heo Cc: Thomas Gleixner Fixes: 955dbdf4ce87 ("sched: Allow migrating kthreads into online but inactive CPUs") Link: http://lkml.kernel.org/r/20170725165821.cejhb7v2s3kecems@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar kernel/sched/core.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) commit 38369f54d97dd7dc50c73a2797bfeb53c2e87d2d Author: Steffen Klassert Date: Thu May 31 09:45:18 2018 +0200 xfrm Fix potential error pointer dereference in xfrm_bundle_create. We may derference an invalid pointer in the error path of xfrm_bundle_create(). Fix this by returning this error pointer directly instead of assigning it to xdst0. Fixes: 45b018beddb6 ("ipsec: Create and use new helpers for dst child access.") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 829bc787c1a0403e4d886296dd4d90c5f9c1744a Author: Darrick J. Wong Date: Wed May 30 19:43:53 2018 -0700 fs: clear writeback errors in inode_init_always In inode_init_always(), we clear the inode mapping flags, which clears any retained error (AS_EIO, AS_ENOSPC) bits. Unfortunately, we do not also clear wb_err, which means that old mapping errors can leak through to new inodes. This is crucial for the XFS inode allocation path because we recycle old in-core inodes and we do not want error state from an old file to leak into the new file. This bug was discovered by running generic/036 and generic/047 in a loop and noticing that the EIOs generated by the collision of direct and buffered writes in generic/036 would survive the remount between 036 and 047, and get reported to the fsyncs (on different files!) in generic/047. Signed-off-by: Darrick J. Wong Reviewed-by: Jeff Layton Reviewed-by: Brian Foster fs/inode.c | 1 + 1 file changed, 1 insertion(+) commit 0e333751cff1dd7383be15372960a1be6e2b4e47 Merge: 2b85352 c32048d Author: Dave Airlie Date: Thu May 31 08:35:47 2018 +1000 Merge tag 'drm-misc-fixes-2018-05-30' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes dw-hdmi: Fix Oops regression from rc1 (Neil) Cc: Neil Armstrong * tag 'drm-misc-fixes-2018-05-30' of git://anongit.freedesktop.org/drm/drm-misc: drm/bridge/synopsys: dw-hdmi: fix dw_hdmi_setup_rx_sense commit 88a867653065dc14b0fdeeb626efb8d7ebe39be5 Merge: 943cf9f 43b4d1e Author: Linus Torvalds Date: Wed May 30 16:37:59 2018 -0500 Merge tag 'for-linus-20180530' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a single fix that should make it into this release, fixing a regression with T10-DIF on NVMe" * tag 'for-linus-20180530' of git://git.kernel.dk/linux-block: nvme: fix extended data LBA supported setting commit 943cf9f3ca16133dbd00f9a4cbfea46512fcb0e8 Merge: c462f16 efe3de7 Author: Linus Torvalds Date: Wed May 30 16:35:07 2018 -0500 Merge tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull SELinux fix from Paul Moore: "One more small fix for SELinux: a small string length fix found by KASAN. I dislike sending patches this late in the release cycle, but this patch fixes a legitimate problem, is very small, limited in scope, and well understood. There are two threads with more information on the problem, the latest is linked below: https://marc.info/?t=152723737400001&r=1&w=2 Stephen points out in the thread linked above: 'Such a setxattr() call can only be performed by a process with CAP_MAC_ADMIN that is also allowed mac_admin permission in SELinux policy. Consequently, this is never possible on Android (no process is allowed mac_admin permission, always enforcing) and is only possible in Fedora/RHEL for a few domains (if enforcing)'" * tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: KASAN: slab-out-of-bounds in xattr_getsecurity commit c462f16b1a319991c59747e65837924a5ff17755 Merge: d60d61f bf4407f Author: Linus Torvalds Date: Wed May 30 16:33:22 2018 -0500 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: "This fixes a potential kernel panic in the inside-secure driver" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: inside-secure - do not use memset on MMIO commit 18a7057420f8b67f15d17087bf5c0863db752c8b Author: Arnaldo Carvalho de Melo Date: Fri May 25 16:37:36 2018 -0300 perf tools: Fix perf.data format description of NRCPUS header In the perf.data HEADER_CPUDESC feadure header we store first the number of available CPUs in the system, then the number of CPUs at the time of writing the header, not the other way around. Reported-by: Thomas-Mich Richter Acked-by: Andi Kleen Cc: Adrian Hunter Cc: David Ahern Cc: He Kuang Cc: Hendrik Brueckner Cc: Jin Yao Cc: Jiri Olsa Cc: Kim Phillips Cc: Lakshman Annadorai Cc: Namhyung Kim Cc: Simon Que Cc: Stephane Eranian Cc: Wang Nan Link: https://lkml.kernel.org/n/tip-j7o92acm2vnxjv70y4o3swoc@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf.data-file-format.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 943f32a0e8a4ea513dc68b00720a6c65842135e8 Author: Leo Yan Date: Mon May 28 16:45:01 2018 +0800 perf script python: Add addr into perf sample dict ARM CoreSight auxtrace uses 'sample->addr' to record the target address for branch instructions, so the data of 'sample->addr' is required for tracing data analysis. This commit collects data of 'sample->addr' into perf sample dict, finally can be used for python script for parsing event. Signed-off-by: Leo Yan Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Jonathan Corbet Cc: Mathieu Poirier Cc: Mike Leach Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Robert Walker Cc: Tor Jeremiassen Cc: coresight@lists.linaro.org Cc: kim.phillips@arm.co Cc: linux-arm-kernel@lists.infradead.org Cc: linux-doc@vger.kernel.org Link: http://lkml.kernel.org/r/1527497103-3593-3-git-send-email-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/scripting-engines/trace-event-python.c | 2 ++ 1 file changed, 2 insertions(+) commit 0c711138fa61188aa379210e9e08ac76838dea03 Author: Thomas Richter Date: Mon May 28 09:44:33 2018 +0200 perf data: Update documentation section on cpu topology Add an explanation of each cpu's core and socket identifier to the perf.data file format documentation. Signed-off-by: Thomas Richter Cc: Heiko Carstens Cc: Hendrik Brueckner Cc: Martin Schwidefsky Link: http://lkml.kernel.org/r/20180528074433.16652-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf.data-file-format.txt | 8 ++++++++ 1 file changed, 8 insertions(+) commit e2ab28521a588785c3e053098ffe607b5ff54634 Author: Mathieu Poirier Date: Fri May 25 17:10:54 2018 -0600 perf cs-etm: Fix indexing for decoder packet queue The tail of a queue is supposed to be pointing to the next available slot in a queue. In this implementation the tail is incremented before it is used and as such points to the last used element, something that has the immense advantage of centralizing tail management at a single location and eliminating a lot of redundant code. But this needs to be taken into consideration on the dequeueing side where the head also needs to be incremented before it is used, or the first available element of the queue will be skipped. Signed-off-by: Mathieu Poirier Tested-by: Leo Yan Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Robert Walker Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1527289854-10755-1-git-send-email-mathieu.poirier@linaro.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/cs-etm-decoder/cs-etm-decoder.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit ab4e32ff5aa797eaea551dbb67946e2fcb56cc7e Author: YueHaibing Date: Fri May 11 19:21:42 2018 +0800 perf bpf: Fix NULL return handling in bpf__prepare_load() bpf_object__open()/bpf_object__open_buffer can return error pointer or NULL, check the return values with IS_ERR_OR_NULL() in bpf__prepare_load and bpf__prepare_load_buffer Signed-off-by: YueHaibing Acked-by: Daniel Borkmann Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Peter Zijlstra Cc: netdev@vger.kernel.org Link: https://lkml.kernel.org/n/tip-psf4xwc09n62al2cb9s33v9h@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/bpf-loader.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit c32048d9e93a5ab925d745396c63e7b912147f0a Author: Neil Armstrong Date: Wed May 30 11:43:58 2018 +0200 drm/bridge/synopsys: dw-hdmi: fix dw_hdmi_setup_rx_sense The dw_hdmi_setup_rx_sense exported function should not use struct device to recover the dw-hdmi context using drvdata, but take struct dw_hdmi directly like other exported functions. This caused a regression using Meson DRM on S905X since v4.17-rc1 : Internal error: Oops: 96000007 [#1] PREEMPT SMP [...] CPU: 0 PID: 124 Comm: irq/32-dw_hdmi_ Not tainted 4.17.0-rc7 #2 Hardware name: Libre Technology CC (DT) [...] pc : osq_lock+0x54/0x188 lr : __mutex_lock.isra.0+0x74/0x530 [...] Process irq/32-dw_hdmi_ (pid: 124, stack limit = 0x00000000adf418cb) Call trace: osq_lock+0x54/0x188 __mutex_lock_slowpath+0x10/0x18 mutex_lock+0x30/0x38 __dw_hdmi_setup_rx_sense+0x28/0x98 dw_hdmi_setup_rx_sense+0x10/0x18 dw_hdmi_top_thread_irq+0x2c/0x50 irq_thread_fn+0x28/0x68 irq_thread+0x10c/0x1a0 kthread+0x128/0x130 ret_from_fork+0x10/0x18 Code: 34000964 d00050a2 51000484 9135c042 (f864d844) ---[ end trace 945641e1fbbc07da ]--- note: irq/32-dw_hdmi_[124] exited with preempt_count 1 genirq: exiting task "irq/32-dw_hdmi_" (124) is an active IRQ thread (irq 32) Fixes: eea034af90c6 ("drm/bridge/synopsys: dw-hdmi: don't clobber drvdata") Signed-off-by: Neil Armstrong Tested-by: Koen Kooi Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/1527673438-20643-1-git-send-email-narmstrong@baylibre.com drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 15 ++++----------- drivers/gpu/drm/meson/meson_dw_hdmi.c | 2 +- include/drm/bridge/dw_hdmi.h | 2 +- 3 files changed, 6 insertions(+), 13 deletions(-) commit f5a4941aa6d190e676065e8f4ed35999f52a01c3 Author: Jason Wang Date: Tue May 29 14:18:19 2018 +0800 vhost_net: flush batched heads before trying to busy polling After commit e2b3b35eb989 ("vhost_net: batch used ring update in rx"), we tend to batch updating used heads. But it doesn't flush batched heads before trying to do busy polling, this will cause vhost to wait for guest TX which waits for the used RX. Fixing by flush batched heads before busy loop. 1 byte TCP_RR performance recovers from 13107.83 to 50402.65. Fixes: e2b3b35eb989 ("vhost_net: batch used ring update in rx") Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) commit d60d61f36b8f8d3f67c3fe49ee35cfd54b3bc49b Merge: 0044cde f0f59a2 Author: Linus Torvalds Date: Wed May 30 10:30:30 2018 -0500 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Martin Schwidefsky: - a missing -msoft-float for the compile of the kexec purgatory - a fix for the dasd driver to avoid the double use of a field in the 'struct request' [ That latter one is being discussed, and Christoph asked for something cleaner, but for now it's a fix ] * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/dasd: use blk_mq_rq_from_pdu for per request data s390/purgatory: Fix endless interrupt loop commit d121109100bda84bbbb199dab97f9d56432ab235 Author: Thomas Richter Date: Mon May 28 09:36:57 2018 +0200 perf test: "Session topology" dumps core on s390 The "perf test Session topology" entry fails with core dump on s390. The root cause is a NULL pointer dereference in function check_cpu_topology() line 76 (or line 82 without -v). The session->header.env.cpu variable is NULL because on s390 function process_cpu_topology() returns with error: socket_id number is too big. You may need to upgrade the perf tool. and releases the env.cpu variable via zfree() and sets it to NULL. Here is the gdb output: (gdb) n 76 pr_debug("CPU %d, core %d, socket %d\n", i, (gdb) n Program received signal SIGSEGV, Segmentation fault. 0x00000000010f4d9e in check_cpu_topology (path=0x3ffffffd6c8 "/tmp/perf-test-J6CHMa", map=0x14a1740) at tests/topology.c:76 76 pr_debug("CPU %d, core %d, socket %d\n", i, (gdb) Make sure the env.cpu variable is not used when its NULL. Test for NULL pointer and return TEST_SKIP if so. Output before: [root@p23lp27 perf]# ./perf test -F 39 39: Session topology :Segmentation fault (core dumped) [root@p23lp27 perf]# Output after: [root@p23lp27 perf]# ./perf test -vF 39 39: Session topology : --- start --- templ file: /tmp/perf-test-Ajx59D socket_id number is too big.You may need to upgrade the perf tool. ---- end ---- Session topology: Skip [root@p23lp27 perf]# Signed-off-by: Thomas Richter Cc: Heiko Carstens Cc: Hendrik Brueckner Cc: Martin Schwidefsky Link: http://lkml.kernel.org/r/20180528073657.11743-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/tests/topology.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) commit 369b230806a9f3ff691466d54795e5e3ff3f8f5c Author: Kan Liang Date: Mon May 7 14:13:43 2018 -0700 perf parse-events: Handle uncore event aliases in small groups properly Perf stat doesn't count the uncore event aliases from the same uncore block in a group, for example: perf stat -e '{unc_m_cas_count.all,unc_m_clockticks}' -a -I 1000 # time counts unit events 1.000447342 unc_m_cas_count.all 1.000447342 unc_m_clockticks 2.000740654 unc_m_cas_count.all 2.000740654 unc_m_clockticks The output is very misleading. It gives a wrong impression that the uncore event doesn't work. An uncore block could be composed by several PMUs. An uncore event alias is a joint name which means the same event runs on all PMUs of a block. Perf doesn't support mixed events from different PMUs in the same group. It is wrong to put uncore event aliases in a big group. The right way is to split the big group into multiple small groups which only include the events from the same PMU. Only uncore event aliases from the same uncore block should be specially handled here. It doesn't make sense to mix the uncore events with other uncore events from different blocks or even core events in a group. With the patch: # time counts unit events 1.001557653 140,833 unc_m_cas_count.all 1.001557653 1,330,231,332 unc_m_clockticks 2.002709483 85,007 unc_m_cas_count.all 2.002709483 1,429,494,563 unc_m_clockticks Reported-by: Andi Kleen Signed-off-by: Kan Liang Acked-by: Jiri Olsa Cc: Agustin Vega-Frias Cc: Ganapatrao Kulkarni Cc: Jin Yao Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Shaokun Zhang Cc: Will Deacon Link: http://lkml.kernel.org/r/1525727623-19768-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/evsel.h | 1 + tools/perf/util/parse-events.c | 130 ++++++++++++++++++++++++++++++++++++++++- tools/perf/util/parse-events.h | 7 ++- tools/perf/util/parse-events.y | 8 +-- 4 files changed, 137 insertions(+), 9 deletions(-) commit 0044cdeb731313f20b63cb5644de7588731de32b Merge: 91fc957 40f7090 Author: Linus Torvalds Date: Tue May 29 22:22:15 2018 -0500 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: "We are switching a bunch of Lenovo devices with Synaptics touchpads from PS/2 emulation over to native RMI/SMbus. Given that all commits are marked for stable there is no point delaying them till next release" [ Also fix a too-small stack array for i2c communication in elan driver ] * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: elan_i2c_smbus - fix corrupted stack Input: synaptics - add Lenovo 80 series ids to SMBus Input: synaptics - add Intertouch support on X1 Carbon 6th and X280 Input: synaptics - Lenovo Thinkpad X1 Carbon G5 (2017) with Elantech trackpoints should use RMI Input: synaptics - Lenovo Carbon X1 Gen5 (2017) devices should use RMI commit 2b85352e3b08159c9d5c82144d05767a00169f9d Merge: ebb442b 20fa2ff Author: Dave Airlie Date: Wed May 30 10:58:31 2018 +1000 Merge branch 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux into drm-fixes One last fix for 4.17. Fix a suspend regression in DC. * 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux: drm/amd/display: Fix BUG_ON during CRTC atomic check update commit ebb442bb35e8c35eb765b04423b28392b4df7a04 Merge: 801dff4 2bc5ff0 Author: Dave Airlie Date: Wed May 30 10:57:57 2018 +1000 Merge tag 'drm-misc-fixes-2018-05-29' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes core: Add 220us psr setup time (Dhinakaran) omap: Fix NULL deref (Tomi) Cc: Dhinakaran Pandiyan Cc: Tomi Valkeinen * tag 'drm-misc-fixes-2018-05-29' of git://anongit.freedesktop.org/drm/drm-misc: drm/omap: fix NULL deref crash with SDI displays drm/psr: Fix missed entry in PSR setup time table. commit efe3de79e0b52ca281ef6691480c8c68c82a4657 Author: Sachin Grover Date: Fri May 25 14:01:39 2018 +0530 selinux: KASAN: slab-out-of-bounds in xattr_getsecurity Call trace: [] dump_backtrace+0x0/0x428 [] show_stack+0x28/0x38 [] dump_stack+0xd4/0x124 [] print_address_description+0x68/0x258 [] kasan_report.part.2+0x228/0x2f0 [] kasan_report+0x5c/0x70 [] check_memory_region+0x12c/0x1c0 [] memcpy+0x34/0x68 [] xattr_getsecurity+0xe0/0x160 [] vfs_getxattr+0xc8/0x120 [] getxattr+0x100/0x2c8 [] SyS_fgetxattr+0x64/0xa0 [] el0_svc_naked+0x24/0x28 If user get root access and calls security.selinux setxattr() with an embedded NUL on a file and then if some process performs a getxattr() on that file with a length greater than the actual length of the string, it would result in a panic. To fix this, add the actual length of the string to the security context instead of the length passed by the userspace process. Signed-off-by: Sachin Grover Cc: stable@vger.kernel.org Signed-off-by: Paul Moore security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 801dff41ba482dc539c8ecab73192bcd8665bb29 Merge: b04e217 65b3bdc Author: Dave Airlie Date: Wed May 30 10:00:01 2018 +1000 Merge tag 'drm-intel-fixes-2018-05-29' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix for potential Spectre vector in the new query uAPI - Fix NULL pointer deref (FDO #106559) - DMI fix to hide LVDS for Radiant P845 (FDO #105468) * tag 'drm-intel-fixes-2018-05-29' of git://anongit.freedesktop.org/drm/drm-intel: drm/i915/query: nospec expects no more than an unsigned long drm/i915/query: Protect tainted function pointer lookup drm/i915/lvds: Move acpi lid notification registration to registration phase drm/i915: Disable LVDS on Radiant P845 commit 91fc957a61fac43f05dfbe1877bc371271f4dd5f Merge: 3d661e2 1fba586 Author: Linus Torvalds Date: Tue May 29 15:30:16 2018 -0500 Merge tag 'afs-fixes-20180529' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull AFS fixes from David Howells: - fix a BUG triggerable from faccessat() - fix the mounting of backup volumes * tag 'afs-fixes-20180529' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: afs: Fix mounting of backup volumes afs: Fix directory permissions check commit 20fa2ff0441eabc8e6263b428191228d9599ea9d Author: Leo (Sunpeng) Li Date: Tue May 29 09:51:51 2018 -0400 drm/amd/display: Fix BUG_ON during CRTC atomic check update For cases where the CRTC is inactive (DPMS off), where a modeset is not required, yet the CRTC is still in the atomic state, we should not attempt to update anything on it. Previously, we were relying on the modereset_required() helper to check the above condition. However, the function returns false immediately if a modeset is not required, ignoring the CRTC's enable/active state flags. The correct way to filter is by looking at these flags instead. Fixes: e277adc5a06c "drm/amd/display: Hookup color management functions" Bugzilla: https://bugs.freedesktop.org/106194 Signed-off-by: Leo (Sunpeng) Li Reviewed-by: Harry Wentland Tested-by: Michel Dänzer Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) commit 43b4d1e122914c87e26bd83f6c0a1c50ddf31178 Merge: eedffa2 c97f414 Author: Jens Axboe Date: Tue May 29 12:54:12 2018 -0600 Merge branch 'nvme-4.17' of git://git.infradead.org/nvme into for-linus Pull NVMe fix from Christoph: "Below is a one-liner fix from Max that unbreaks T10-DIF support, which got broken in 4.15." * 'nvme-4.17' of git://git.infradead.org/nvme: nvme: fix extended data LBA supported setting commit c97f414c54a255f4f05a50a2625efaeee406e134 Author: Max Gurtovoy Date: Sun May 27 18:50:10 2018 +0300 nvme: fix extended data LBA supported setting This value depands on the metadata support value, so reorder the initialization to fit. Fixes: b5be3b392 ("nvme: always unregister the integrity profile in __nvme_revalidate_disk") Signed-off-by: Max Gurtovoy Signed-off-by: Christoph Hellwig Cc: stable@vger.kernel.org drivers/nvme/host/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a0ccb6b54bdde16885ac99f49ee8031cf1c71abe Author: Federico Vaga Date: Mon May 28 10:59:14 2018 +0200 i2c: ocores: update HDL sources URL The URL is broken. This patch fixes it. Signed-off-by: Federico Vaga [wsa: shortened the URL a bit] Signed-off-by: Wolfram Sang Documentation/i2c/busses/i2c-ocores | 2 +- drivers/i2c/busses/i2c-ocores.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit a840c93ca7582bb6c88df2345a33f979b7a67874 Author: Parav Pandit Date: Sun May 27 14:49:16 2018 +0300 IB/core: Fix error code for invalid GID entry When a GID entry is invalid EAGAIN is returned. This is an incorrect error code, there is nothing that will make this GID entry valid again in bounded time. Some user space tools fail incorrectly if EAGAIN is returned here, and this represents a small ABI change from earlier kernels. The first patch in the Fixes list makes entries that were valid before to become invalid, allowing this code to trigger, while the second patch in the Fixes list introduced the wrong EAGAIN. Therefore revert the return result to EINVAL which matches the historical expectations of the ibv_query_gid_type() API of the libibverbs user space library. Cc: Fixes: 598ff6bae689 ("IB/core: Refactor GID modify code for RoCE") Fixes: 03db3a2d81e6 ("IB/core: Add RoCE GID table management") Reviewed-by: Daniel Jurgens Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe drivers/infiniband/core/cache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6547e387d7f52f2ba681a229de3c13e5b9e01ee1 Author: Toshiaki Makita Date: Mon May 28 19:37:49 2018 +0900 tun: Fix NULL pointer dereference in XDP redirect Calling XDP redirection requires bh disabled. Softirq can call another XDP function and redirection functions, then the percpu static variable ri->map can be overwritten to NULL. This is a generic XDP case called from tun. [ 3535.736058] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [ 3535.743974] PGD 0 P4D 0 [ 3535.746530] Oops: 0000 [#1] SMP PTI [ 3535.750049] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel crypto_simd cryptd enclosure hpwdt hpilo glue_helper ipmi_si pcspkr wmi mei_me ioatdma mei ipmi_devintf shpchp dca ipmi_msghandler lpc_ich acpi_power_meter sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm smartpqi i40e crc32c_intel scsi_transport_sas tg3 i2c_core ptp pps_core [ 3535.813456] CPU: 5 PID: 1630 Comm: vhost-1614 Not tainted 4.17.0-rc4 #2 [ 3535.820127] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017 [ 3535.828732] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30 [ 3535.833740] RSP: 0018:ffffb4bc47bf7c58 EFLAGS: 00010246 [ 3535.839009] RAX: ffff9fdfcfea1c40 RBX: 0000000000000000 RCX: ffff9fdf27fe3100 [ 3535.846205] RDX: ffff9fdfca769200 RSI: 0000000000000000 RDI: 0000000000000000 [ 3535.853402] RBP: ffffb4bc491d9000 R08: 00000000000045ad R09: 0000000000000ec0 [ 3535.860597] R10: 0000000000000001 R11: ffff9fdf26c3ce4e R12: ffff9fdf9e72c000 [ 3535.867794] R13: 0000000000000000 R14: fffffffffffffff2 R15: ffff9fdfc82cdd00 [ 3535.874990] FS: 0000000000000000(0000) GS:ffff9fdfcfe80000(0000) knlGS:0000000000000000 [ 3535.883152] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3535.888948] CR2: 0000000000000018 CR3: 0000000bde724004 CR4: 00000000007626e0 [ 3535.896145] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3535.903342] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3535.910538] PKRU: 55555554 [ 3535.913267] Call Trace: [ 3535.915736] xdp_do_generic_redirect+0x7a/0x310 [ 3535.920310] do_xdp_generic.part.117+0x285/0x370 [ 3535.924970] tun_get_user+0x5b9/0x1260 [tun] [ 3535.929279] tun_sendmsg+0x52/0x70 [tun] [ 3535.933237] handle_tx+0x2ad/0x5f0 [vhost_net] [ 3535.937721] vhost_worker+0xa5/0x100 [vhost] [ 3535.942030] kthread+0xf5/0x130 [ 3535.945198] ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost] [ 3535.950031] ? kthread_bind+0x10/0x10 [ 3535.953727] ret_from_fork+0x35/0x40 [ 3535.957334] Code: 0e 74 15 83 f8 10 75 05 e9 49 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 29 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 49 a9 b3 ff 31 c0 c3 [ 3535.976387] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffffb4bc47bf7c58 [ 3535.982883] CR2: 0000000000000018 [ 3535.987096] ---[ end trace 383b299dd1430240 ]--- [ 3536.131325] Kernel panic - not syncing: Fatal exception [ 3536.137484] Kernel Offset: 0x26a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 3536.281406] ---[ end Kernel panic - not syncing: Fatal exception ]--- And a kernel with generic case fixed still panics in tun driver XDP redirect, because it disabled only preemption, but not bh. [ 2055.128746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [ 2055.136662] PGD 0 P4D 0 [ 2055.139219] Oops: 0000 [#1] SMP PTI [ 2055.142736] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel ipmi_ssif crypto_simd enclosure cryptd hpwdt glue_helper ioatdma hpilo wmi dca pcspkr ipmi_si acpi_power_meter ipmi_devintf shpchp mei_me ipmi_msghandler mei lpc_ich sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm i40e smartpqi tg3 scsi_transport_sas crc32c_intel i2c_core ptp pps_core [ 2055.206142] CPU: 6 PID: 1693 Comm: vhost-1683 Tainted: G W 4.17.0-rc5-fix-tun+ #1 [ 2055.215011] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017 [ 2055.223617] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30 [ 2055.228624] RSP: 0018:ffff998b07607cc0 EFLAGS: 00010246 [ 2055.233892] RAX: ffff8dbd8e235700 RBX: ffff8dbd8ff21c40 RCX: 0000000000000004 [ 2055.241089] RDX: ffff998b097a9000 RSI: 0000000000000000 RDI: 0000000000000000 [ 2055.248286] RBP: 0000000000000000 R08: 00000000000065a8 R09: 0000000000005d80 [ 2055.255483] R10: 0000000000000040 R11: ffff8dbcf0100000 R12: ffff998b097a9000 [ 2055.262681] R13: ffff8dbd8c98c000 R14: 0000000000000000 R15: ffff998b07607d78 [ 2055.269879] FS: 0000000000000000(0000) GS:ffff8dbd8ff00000(0000) knlGS:0000000000000000 [ 2055.278039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2055.283834] CR2: 0000000000000018 CR3: 0000000c0c8cc005 CR4: 00000000007626e0 [ 2055.291030] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2055.298227] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2055.305424] PKRU: 55555554 [ 2055.308153] Call Trace: [ 2055.310624] xdp_do_redirect+0x7b/0x380 [ 2055.314499] tun_get_user+0x10fe/0x12a0 [tun] [ 2055.318895] tun_sendmsg+0x52/0x70 [tun] [ 2055.322852] handle_tx+0x2ad/0x5f0 [vhost_net] [ 2055.327337] vhost_worker+0xa5/0x100 [vhost] [ 2055.331646] kthread+0xf5/0x130 [ 2055.334813] ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost] [ 2055.339646] ? kthread_bind+0x10/0x10 [ 2055.343343] ret_from_fork+0x35/0x40 [ 2055.346950] Code: 0e 74 15 83 f8 10 75 05 e9 e9 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 c9 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 e9 a9 b3 ff 31 c0 c3 [ 2055.366004] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffff998b07607cc0 [ 2055.372500] CR2: 0000000000000018 [ 2055.375856] ---[ end trace 2a2dcc5e9e174268 ]--- [ 2055.523626] Kernel panic - not syncing: Fatal exception [ 2055.529796] Kernel Offset: 0x2e000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 2055.677539] ---[ end Kernel panic - not syncing: Fatal exception ]--- v2: - Removed preempt_disable/enable since local_bh_disable will prevent preemption as well, feedback from Jason Wang. Fixes: 761876c857cb ("tap: XDP support") Signed-off-by: Toshiaki Makita Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/tun.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit d2c2725c2cdbcc108a191f50953d31c7b6556761 Author: Suresh Reddy Date: Mon May 28 01:26:06 2018 -0400 be2net: Fix error detection logic for BE3 Check for 0xE00 (RECOVERABLE_ERR) along with ARMFW UE (0x0) in be_detect_error() to know whether the error is valid error or not Fixes: 673c96e5a ("be2net: Fix UE detection logic for BE3") Signed-off-by: Suresh Reddy Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 Author: Josh Hill Date: Sun May 27 20:10:41 2018 -0400 net: qmi_wwan: Add Netgear Aircard 779S Add support for Netgear Aircard 779S Signed-off-by: Josh Hill Acked-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) commit 47bf9df2e8201d07c40670e093629f8dfd1b5d9f Author: Petr Machata Date: Sun May 27 09:48:41 2018 +0300 mlxsw: spectrum: Forbid creation of VLAN 1 over port/LAG VLAN 1 is internally used for untagged traffic. Prevent creation of explicit netdevice for that VLAN, because that currently isn't supported and leads to the NULL pointer dereference cited below. Fix by preventing creation of VLAN devices with VID of 1 over mlxsw devices or LAG devices that involve mlxsw devices. [ 327.175816] ================================================================================ [ 327.184544] UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c:200:12 [ 327.193667] member access within null pointer of type 'const struct mlxsw_sp_fid' [ 327.201226] CPU: 0 PID: 8983 Comm: ip Not tainted 4.17.0-rc4-petrm_net_ip6gre_headroom-custom-140 #11 [ 327.210496] Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2F"/"SA000874", BIOS 4.6.5 03/08/2016 [ 327.219872] Call Trace: [ 327.222384] dump_stack+0xc3/0x12b [ 327.234007] ubsan_epilogue+0x9/0x49 [ 327.237638] ubsan_type_mismatch_common+0x1f9/0x2d0 [ 327.255769] __ubsan_handle_type_mismatch+0x90/0xa7 [ 327.264716] mlxsw_sp_fid_type+0x35/0x50 [mlxsw_spectrum] [ 327.270255] mlxsw_sp_port_vlan_router_leave+0x46/0xc0 [mlxsw_spectrum] [ 327.277019] mlxsw_sp_inetaddr_port_vlan_event+0xe1/0x340 [mlxsw_spectrum] [ 327.315031] mlxsw_sp_netdevice_vrf_event+0xa8/0x100 [mlxsw_spectrum] [ 327.321626] mlxsw_sp_netdevice_event+0x276/0x430 [mlxsw_spectrum] [ 327.367863] notifier_call_chain+0x4c/0x150 [ 327.372128] __netdev_upper_dev_link+0x1b3/0x260 [ 327.399450] vrf_add_slave+0xce/0x170 [vrf] [ 327.403703] do_setlink+0x658/0x1d70 [ 327.508998] rtnl_newlink+0x908/0xf20 [ 327.559128] rtnetlink_rcv_msg+0x50c/0x720 [ 327.571720] netlink_rcv_skb+0x16a/0x1f0 [ 327.583450] netlink_unicast+0x2ca/0x3e0 [ 327.599305] netlink_sendmsg+0x3e2/0x7f0 [ 327.616655] sock_sendmsg+0x76/0xc0 [ 327.620207] ___sys_sendmsg+0x494/0x5d0 [ 327.666117] __sys_sendmsg+0xc2/0x130 [ 327.690953] do_syscall_64+0x66/0x370 [ 327.694677] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 327.699782] RIP: 0033:0x7f4c2f3f8037 [ 327.703393] RSP: 002b:00007ffe8c389708 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 327.711035] RAX: ffffffffffffffda RBX: 000000005b03f53e RCX: 00007f4c2f3f8037 [ 327.718229] RDX: 0000000000000000 RSI: 00007ffe8c389760 RDI: 0000000000000003 [ 327.725431] RBP: 00007ffe8c389760 R08: 0000000000000000 R09: 00007f4c2f443630 [ 327.732632] R10: 00000000000005eb R11: 0000000000000246 R12: 0000000000000000 [ 327.739833] R13: 00000000006774e0 R14: 00007ffe8c3897e8 R15: 0000000000000000 [ 327.747096] ================================================================================ Fixes: 9589a7b5d7d9 ("mlxsw: spectrum: Handle VLAN devices linking / unlinking") Suggested-by: Ido Schimmel Signed-off-by: Petr Machata Signed-off-by: Ido Schimmel Acked-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 5 +++++ 1 file changed, 5 insertions(+) commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc Author: Ivan Bornyakov Date: Fri May 25 20:49:52 2018 +0300 atm: zatm: fix memcmp casting memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One can lose significant bits and get 0 from non-0 value returned by the memcmp(). Signed-off-by: Ivan Bornyakov Signed-off-by: David S. Miller drivers/atm/zatm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3d661e2a2d1cf0ad1ce54d690f05e755da59e6c9 Merge: 786b71f 2824f50 Author: Linus Torvalds Date: Tue May 29 07:28:48 2018 -0500 Merge tag 'trace-v4.17-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: "While writing selftests for a new feature, I triggered two existing bugs that deal with triggers and instances. - a generic trigger bug where the triggers are not removed from a linked list properly when deleting an instance. - a bug specific to snapshots, where the snapshot is done in the top level buffer, when it is supposed to snapshot the buffer associated to the instance the snapshot trigger exists in" * tag 'trace-v4.17-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Make the snapshot trigger work with instances tracing: Fix crash when freeing instances with event triggers commit 65b3bdc807ac7bd83f5b27bc2c29a3c631eed7dd Author: Chris Wilson Date: Tue May 22 13:10:18 2018 +0100 drm/i915/query: nospec expects no more than an unsigned long nospec quite reasonably asserts that it will never be used with an index larger than unsigned long (that being the largest possibly index into an C array). However, our ubi uses the convention of u64 for any large integer, running afoul of the assertion on 32b. Reduce our index to an unsigned long, checking for type overflow first. drivers/gpu/drm/i915/i915_query.c: In function 'i915_query_ioctl': include/linux/compiler.h:339:38: error: call to '__compiletime_assert_119' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long) Reported-by: kbuild-all@01.org Fixes: 84b510e22da7 ("drm/i915/query: Protect tainted function pointer lookup") Signed-off-by: Chris Wilson Cc: Lionel Landwerlin Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Reviewed-by: Lionel Landwerlin Link: https://patchwork.freedesktop.org/patch/msgid/20180522121018.15199-1-chris@chris-wilson.co.uk (cherry picked from commit a33b1dc8a732144e11cb4bf067d24ba51e6b8ab0) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/i915_query.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit ab1068d6866e28bf6427ceaea681a381e5870a4a Author: Hao Wei Tee Date: Tue May 29 10:25:17 2018 +0300 iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs When there are 16 or more logical CPUs, we request for `IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of IRQs, but later on we compare the number of IRQs returned to nr_online_cpus+2 instead of max_irqs, the latter being what we actually asked for. This ends up setting num_rx_queues to 17 which causes lots of out-of-bounds array accesses later on. Compare to max_irqs instead, and also add an assertion in case num_rx_queues > IWM_MAX_RX_HW_QUEUES. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551 Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX") Signed-off-by: Hao Wei Tee Tested-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 52a192362932f333a7ebafd581c4d9b81da2fec8 Author: Stanislaw Gruszka Date: Mon May 28 13:25:06 2018 +0200 Revert "rt2800: use TXOP_BACKOFF for probe frames" This reverts commit fb47ada8dc3c30c8e7b415da155742b49536c61e. In some situations when we set TXOP_BACKOFF, the probe frame is not sent at all. What it worse then sending probe frame as part of AMPDU and can degrade 11n performance to 11g rates. Cc: stable@vger.kernel.org Signed-off-by: Stanislaw Gruszka Signed-off-by: Kalle Valo drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 312564269535892cc082bc80592150cd1f5e8ec3 Author: Ard Biesheuvel Date: Fri May 25 14:50:37 2018 +0200 net: netsec: reduce DMA mask to 40 bits The netsec network controller IP can drive 64 address bits for DMA, and the DMA mask is set accordingly in the driver. However, the SynQuacer SoC, which is the only silicon incorporating this IP at the moment, integrates this IP in a manner that leaves address bits [63:40] unconnected. Up until now, this has not resulted in any problems, given that the DDR controller doesn't decode those bits to begin with. However, recent firmware updates for platforms incorporating this SoC allow the IOMMU to be enabled, which does decode address bits [47:40], and allocates top down from the IOVA space, producing DMA addresses that have bits set that have been left unconnected. Both the DT and ACPI (IORT) descriptions of the platform take this into account, and only describe a DMA address space of 40 bits (using either dma-ranges DT properties, or DMA address limits in IORT named component nodes). However, even though our IOMMU and bus layers may take such limitations into account by setting a narrower DMA mask when creating the platform device, the netsec probe() entrypoint follows the common practice of setting the DMA mask uncondionally, according to the capabilities of the IP block itself rather than to its integration into the chip. It is currently unclear what the correct fix is here. We could hack around it by only setting the DMA mask if it deviates from its default value of DMA_BIT_MASK(32). However, this makes it impossible for the bus layer to use DMA_BIT_MASK(32) as the bus limit, and so it appears that a more comprehensive approach is required to take DMA limits imposed by the SoC as a whole into account. In the mean time, let's limit the DMA mask to 40 bits. Given that there is currently only one SoC that incorporates this IP, this is a reasonable approach that can be backported to -stable and buys us some time to come up with a proper fix going forward. Fixes: 533dd11a12f6 ("net: socionext: Add Synquacer NetSec driver") Cc: Robin Murphy Cc: Jassi Brar Cc: Masahisa Kojima Cc: Ilias Apalodimas Signed-off-by: Ard Biesheuvel Reviewed-by: Robin Murphy Acked-by: Jassi Brar Signed-off-by: David S. Miller drivers/net/ethernet/socionext/netsec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bbb40a0b75209734ff9286f3326171638c9f6569 Author: Mathieu Xhonneux Date: Fri May 25 13:29:41 2018 +0100 ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline seg6_do_srh_encap and seg6_do_srh_inline can possibly do an out-of-bounds access when adding the SRH to the packet. This no longer happen when expanding the skb not only by the size of the SRH (+ outer IPv6 header), but also by skb->mac_len. [ 53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620 [ 53.794564] Write of size 14 at addr ffff88011975ecfa by task ping/674 [ 53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90 [ 53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 [ 53.796673] Call Trace: [ 53.796679] [ 53.796689] dump_stack+0x71/0xab [ 53.796700] print_address_description+0x6a/0x270 [ 53.796707] kasan_report+0x258/0x380 [ 53.796715] ? seg6_do_srh_encap+0x284/0x620 [ 53.796722] memmove+0x34/0x50 [ 53.796730] seg6_do_srh_encap+0x284/0x620 [ 53.796741] ? seg6_do_srh+0x29b/0x360 [ 53.796747] seg6_do_srh+0x29b/0x360 [ 53.796756] seg6_input+0x2e/0x2e0 [ 53.796765] lwtunnel_input+0x93/0xd0 [ 53.796774] ipv6_rcv+0x690/0x920 [ 53.796783] ? ip6_input+0x170/0x170 [ 53.796791] ? eth_gro_receive+0x2d0/0x2d0 [ 53.796800] ? ip6_input+0x170/0x170 [ 53.796809] __netif_receive_skb_core+0xcc0/0x13f0 [ 53.796820] ? netdev_info+0x110/0x110 [ 53.796827] ? napi_complete_done+0xb6/0x170 [ 53.796834] ? e1000_clean+0x6da/0xf70 [ 53.796845] ? process_backlog+0x129/0x2a0 [ 53.796853] process_backlog+0x129/0x2a0 [ 53.796862] net_rx_action+0x211/0x5c0 [ 53.796870] ? napi_complete_done+0x170/0x170 [ 53.796887] ? run_rebalance_domains+0x11f/0x150 [ 53.796891] __do_softirq+0x10e/0x39e [ 53.796894] do_softirq_own_stack+0x2a/0x40 [ 53.796895] [ 53.796898] do_softirq.part.16+0x54/0x60 [ 53.796900] __local_bh_enable_ip+0x5b/0x60 [ 53.796903] ip6_finish_output2+0x416/0x9f0 [ 53.796906] ? ip6_dst_lookup_flow+0x110/0x110 [ 53.796909] ? ip6_sk_dst_lookup_flow+0x390/0x390 [ 53.796911] ? __rcu_read_unlock+0x66/0x80 [ 53.796913] ? ip6_mtu+0x44/0xf0 [ 53.796916] ? ip6_output+0xfc/0x220 [ 53.796918] ip6_output+0xfc/0x220 [ 53.796921] ? ip6_finish_output+0x2b0/0x2b0 [ 53.796923] ? memcpy+0x34/0x50 [ 53.796926] ip6_send_skb+0x43/0xc0 [ 53.796929] rawv6_sendmsg+0x1216/0x1530 [ 53.796932] ? __orc_find+0x6b/0xc0 [ 53.796934] ? rawv6_rcv_skb+0x160/0x160 [ 53.796937] ? __rcu_read_unlock+0x66/0x80 [ 53.796939] ? __rcu_read_unlock+0x66/0x80 [ 53.796942] ? is_bpf_text_address+0x1e/0x30 [ 53.796944] ? kernel_text_address+0xec/0x100 [ 53.796946] ? __kernel_text_address+0xe/0x30 [ 53.796948] ? unwind_get_return_address+0x2f/0x50 [ 53.796950] ? __save_stack_trace+0x92/0x100 [ 53.796954] ? save_stack+0x89/0xb0 [ 53.796956] ? kasan_kmalloc+0xa0/0xd0 [ 53.796958] ? kmem_cache_alloc+0xd2/0x1f0 [ 53.796961] ? prepare_creds+0x23/0x160 [ 53.796963] ? __x64_sys_capset+0x252/0x3e0 [ 53.796966] ? do_syscall_64+0x69/0x160 [ 53.796968] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.796971] ? __alloc_pages_nodemask+0x170/0x380 [ 53.796973] ? __alloc_pages_slowpath+0x12c0/0x12c0 [ 53.796977] ? tty_vhangup+0x20/0x20 [ 53.796979] ? policy_nodemask+0x1a/0x90 [ 53.796982] ? __mod_node_page_state+0x8d/0xa0 [ 53.796986] ? __check_object_size+0xe7/0x240 [ 53.796989] ? __sys_sendto+0x229/0x290 [ 53.796991] ? rawv6_rcv_skb+0x160/0x160 [ 53.796993] __sys_sendto+0x229/0x290 [ 53.796996] ? __ia32_sys_getpeername+0x50/0x50 [ 53.796999] ? commit_creds+0x2de/0x520 [ 53.797002] ? security_capset+0x57/0x70 [ 53.797004] ? __x64_sys_capset+0x29f/0x3e0 [ 53.797007] ? __x64_sys_rt_sigsuspend+0xe0/0xe0 [ 53.797011] ? __do_page_fault+0x664/0x770 [ 53.797014] __x64_sys_sendto+0x74/0x90 [ 53.797017] do_syscall_64+0x69/0x160 [ 53.797019] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.797022] RIP: 0033:0x7f43b7a6714a [ 53.797023] RSP: 002b:00007ffd891bd368 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 53.797026] RAX: ffffffffffffffda RBX: 00000000006129c0 RCX: 00007f43b7a6714a [ 53.797028] RDX: 0000000000000040 RSI: 00000000006129c0 RDI: 0000000000000004 [ 53.797029] RBP: 00007ffd891be640 R08: 0000000000610940 R09: 000000000000001c [ 53.797030] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 [ 53.797032] R13: 000000000060e6a0 R14: 0000000000008004 R15: 000000000040b661 [ 53.797171] Allocated by task 642: [ 53.797460] kasan_kmalloc+0xa0/0xd0 [ 53.797463] kmem_cache_alloc+0xd2/0x1f0 [ 53.797465] getname_flags+0x40/0x210 [ 53.797467] user_path_at_empty+0x1d/0x40 [ 53.797469] do_faccessat+0x12a/0x320 [ 53.797471] do_syscall_64+0x69/0x160 [ 53.797473] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.797607] Freed by task 642: [ 53.797869] __kasan_slab_free+0x130/0x180 [ 53.797871] kmem_cache_free+0xa8/0x230 [ 53.797872] filename_lookup+0x15b/0x230 [ 53.797874] do_faccessat+0x12a/0x320 [ 53.797876] do_syscall_64+0x69/0x160 [ 53.797878] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.798014] The buggy address belongs to the object at ffff88011975e600 which belongs to the cache names_cache of size 4096 [ 53.799043] The buggy address is located 1786 bytes inside of 4096-byte region [ffff88011975e600, ffff88011975f600) [ 53.800013] The buggy address belongs to the page: [ 53.800414] page:ffffea000465d600 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0 [ 53.801259] flags: 0x17fff0000008100(slab|head) [ 53.801640] raw: 017fff0000008100 0000000000000000 0000000000000000 0000000100070007 [ 53.803147] raw: dead000000000100 dead000000000200 ffff88011b185a40 0000000000000000 [ 53.803787] page dumped because: kasan: bad access detected [ 53.804384] Memory state around the buggy address: [ 53.804788] ffff88011975eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.805384] ffff88011975ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.805979] >ffff88011975ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.806577] ^ [ 53.807165] ffff88011975ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.807762] ffff88011975ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.808356] ================================================================== [ 53.808949] Disabling lock debugging due to kernel taint Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Signed-off-by: David Lebrun Signed-off-by: Mathieu Xhonneux Signed-off-by: David S. Miller net/ipv6/seg6_iptunnel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 513acc5b746b8b86eb4f97efe2d874fd3087ff99 Merge: bc2dbc5 bbb8c61 Author: David S. Miller Date: Mon May 28 22:39:09 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following patchset contains Netfilter/IPVS fixes for your net tree: 1) Null pointer dereference when dumping conntrack helper configuration, from Taehee Yoo. 2) Missing sanitization in ebtables extension name through compat, from Paolo Abeni. 3) Broken fetch of tracing value, from Taehee Yoo. 4) Incorrect arithmetics in packet ratelimiting. 5) Buffer overflow in IPVS sync daemon, from Julian Anastasov. 6) Wrong argument to nla_strlcpy() in nfnetlink_{acct,cthelper}, from Eric Dumazet. 7) Fix splat in nft_update_chain_stats(). 8) Null pointer dereference from object netlink dump path, from Taehee Yoo. 9) Missing static_branch_inc() when enabling counters in existing chain, from Taehee Yoo. ==================== Signed-off-by: David S. Miller commit c9ddf73476ff4fffb7a87bd5107a0705bf2cf64b Author: Bart Van Assche Date: Mon May 21 11:17:29 2018 -0700 scsi: scsi_transport_srp: Fix shost to rport translation Since an SRP remote port is attached as a child to shost->shost_gendev and as the only child, the translation from the shost pointer into an rport pointer must happen by looking up the shost child that is an rport. This patch fixes the following KASAN complaint: BUG: KASAN: slab-out-of-bounds in srp_timed_out+0x57/0x110 [scsi_transport_srp] Read of size 4 at addr ffff880035d3fcc0 by task kworker/1:0H/19 CPU: 1 PID: 19 Comm: kworker/1:0H Not tainted 4.16.0-rc3-dbg+ #1 Workqueue: kblockd blk_mq_timeout_work Call Trace: dump_stack+0x85/0xc7 print_address_description+0x65/0x270 kasan_report+0x231/0x350 srp_timed_out+0x57/0x110 [scsi_transport_srp] scsi_times_out+0xc7/0x3f0 [scsi_mod] blk_mq_terminate_expired+0xc2/0x140 bt_iter+0xbc/0xd0 blk_mq_queue_tag_busy_iter+0x1c7/0x350 blk_mq_timeout_work+0x325/0x3f0 process_one_work+0x441/0xa50 worker_thread+0x76/0x6c0 kthread+0x1b2/0x1d0 ret_from_fork+0x24/0x30 Fixes: e68ca75200fe ("scsi_transport_srp: Reduce failover time") Signed-off-by: Bart Van Assche Cc: Hannes Reinecke Cc: Johannes Thumshirn Cc: Jason Gunthorpe Cc: Doug Ledford Cc: Laurence Oberman Cc: stable@vger.kernel.org Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen drivers/scsi/scsi_transport_srp.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) commit bbb8c61f97e3a2dd91b30d3e57b7964a67569d11 Author: Taehee Yoo Date: Tue May 29 01:14:12 2018 +0900 netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace() When a chain is updated, a counter can be attached. if so, the nft_counters_enabled should be increased. test commands: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %iptables-compat -Z input %nft delete chain ip filter input we can see below messages. [ 286.443720] jump label: negative count! [ 286.448278] WARNING: CPU: 0 PID: 1459 at kernel/jump_label.c:197 __static_key_slow_dec_cpuslocked+0x6f/0xf0 [ 286.449144] Modules linked in: nf_tables nfnetlink ip_tables x_tables [ 286.449144] CPU: 0 PID: 1459 Comm: nft Tainted: G W 4.17.0-rc2+ #12 [ 286.449144] RIP: 0010:__static_key_slow_dec_cpuslocked+0x6f/0xf0 [ 286.449144] RSP: 0018:ffff88010e5176f0 EFLAGS: 00010286 [ 286.449144] RAX: 000000000000001b RBX: ffffffffc0179500 RCX: ffffffffb8a82522 [ 286.449144] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88011b7e5eac [ 286.449144] RBP: 0000000000000000 R08: ffffed00236fce5c R09: ffffed00236fce5b [ 286.449144] R10: ffffffffc0179503 R11: ffffed00236fce5c R12: 0000000000000000 [ 286.449144] R13: ffff88011a28e448 R14: ffff88011a28e470 R15: dffffc0000000000 [ 286.449144] FS: 00007f0384328700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000 [ 286.449144] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 286.449144] CR2: 00007f038394bf10 CR3: 0000000104a86000 CR4: 00000000001006f0 [ 286.449144] Call Trace: [ 286.449144] static_key_slow_dec+0x6a/0x70 [ 286.449144] nf_tables_chain_destroy+0x19d/0x210 [nf_tables] [ 286.449144] nf_tables_commit+0x1891/0x1c50 [nf_tables] [ 286.449144] nfnetlink_rcv+0x1148/0x13d0 [nfnetlink] [ ... ] Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 360cc79d9d299ce297b205508276285ceffc5fa8 Author: Taehee Yoo Date: Tue May 29 01:13:45 2018 +0900 netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() The table field in nft_obj_filter is not an array. In order to check tablename, we should check if the pointer is set. Test commands: %nft add table ip filter %nft add counter ip filter ct1 %nft reset counters Splat looks like: [ 306.510504] kasan: CONFIG_KASAN_INLINE enabled [ 306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables [ 306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17 [ 306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 [ 306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables] [ 306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246 [ 306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000 [ 306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a [ 306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b [ 306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108 [ 306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860 [ 306.528284] FS: 00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000 [ 306.528284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0 [ 306.528284] Call Trace: [ 306.528284] netlink_dump+0x470/0xa20 [ 306.528284] __netlink_dump_start+0x5ae/0x690 [ 306.528284] ? nf_tables_getobj+0x1b3/0x740 [nf_tables] [ 306.528284] nf_tables_getobj+0x2f5/0x740 [nf_tables] [ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 306.528284] ? nf_tables_getobj+0x740/0x740 [nf_tables] [ 306.528284] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables] [ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 306.528284] nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink] [ 306.528284] ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink] [ 306.528284] netlink_rcv_skb+0x1c9/0x2f0 [ 306.528284] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink] [ 306.528284] ? debug_check_no_locks_freed+0x270/0x270 [ 306.528284] ? netlink_ack+0x7a0/0x7a0 [ 306.528284] ? ns_capable_common+0x6e/0x110 [ ... ] Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars") Signed-off-by: Taehee Yoo Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ad9d9e85072b668731f356be0a3750a3ba22a607 Author: Pablo Neira Ayuso Date: Sun May 27 21:08:13 2018 +0200 netfilter: nf_tables: disable preemption in nft_update_chain_stats() This patch fixes the following splat. [118709.054937] BUG: using smp_processor_id() in preemptible [00000000] code: test/1571 [118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables] [118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335 [...] [118709.054992] Call Trace: [118709.055011] dump_stack+0x5f/0x86 [118709.055026] check_preemption_disabled+0xd4/0xe4 Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 2824f5033248600673e3e126a4d135363cbfd9ac Author: Steven Rostedt (VMware) Date: Mon May 28 10:56:36 2018 -0400 tracing: Make the snapshot trigger work with instances The snapshot trigger currently only affects the main ring buffer, even when it is used by the instances. This can be confusing as the snapshot trigger is listed in the instance. > # cd /sys/kernel/tracing > # mkdir instances/foo > # echo snapshot > instances/foo/events/syscalls/sys_enter_fchownat/trigger > # echo top buffer > trace_marker > # echo foo buffer > instances/foo/trace_marker > # touch /tmp/bar > # chown rostedt /tmp/bar > # cat instances/foo/snapshot # tracer: nop # # # * Snapshot is freed * # # Snapshot commands: # echo 0 > snapshot : Clears and frees snapshot buffer # echo 1 > snapshot : Allocates snapshot buffer, if not already allocated. # Takes a snapshot of the main buffer. # echo 2 > snapshot : Clears snapshot buffer (but does not allocate or free) # (Doesn't have to be '2' works with any number that # is not a '0' or '1') > # cat snapshot # tracer: nop # # _-----=> irqs-off # / _----=> need-resched # | / _---=> hardirq/softirq # || / _--=> preempt-depth # ||| / delay # TASK-PID CPU# |||| TIMESTAMP FUNCTION # | | | |||| | | bash-1189 [000] .... 111.488323: tracing_mark_write: top buffer Not only did the snapshot occur in the top level buffer, but the instance snapshot buffer should have been allocated, and it is still free. Cc: stable@vger.kernel.org Fixes: 85f2b08268c01 ("tracing: Add basic event trigger framework") Signed-off-by: Steven Rostedt (VMware) kernel/trace/trace.c | 12 ++++++------ kernel/trace/trace.h | 11 +++++++++++ kernel/trace/trace_events_trigger.c | 10 ++++++++-- 3 files changed, 25 insertions(+), 8 deletions(-) commit 533d1daea8d8a389b37207ad7b50c4e750969231 Author: Arnd Bergmann Date: Fri May 25 23:29:59 2018 +0200 IB: Revert "remove redundant INFINIBAND kconfig dependencies" Several subsystems depend on INFINIBAND_ADDR_TRANS, which in turn depends on INFINIBAND. However, when with CONFIG_INIFIBAND=m, this leads to a link error when another driver using it is built-in. The INFINIBAND_ADDR_TRANS dependency is insufficient here as this is a 'bool' symbol that does not force anything to be a module in turn. fs/cifs/smbdirect.o: In function `smbd_disconnect_rdma_work': smbdirect.c:(.text+0x1e4): undefined reference to `rdma_disconnect' net/9p/trans_rdma.o: In function `rdma_request': trans_rdma.c:(.text+0x7bc): undefined reference to `rdma_disconnect' net/9p/trans_rdma.o: In function `rdma_destroy_trans': trans_rdma.c:(.text+0x830): undefined reference to `ib_destroy_qp' trans_rdma.c:(.text+0x858): undefined reference to `ib_dealloc_pd' Fixes: 9533b292a7ac ("IB: remove redundant INFINIBAND kconfig dependencies") Signed-off-by: Arnd Bergmann Acked-by: Greg Thelen Signed-off-by: Jason Gunthorpe drivers/infiniband/ulp/srpt/Kconfig | 2 +- drivers/nvme/host/Kconfig | 2 +- drivers/nvme/target/Kconfig | 2 +- drivers/staging/lustre/lnet/Kconfig | 2 +- fs/cifs/Kconfig | 2 +- net/9p/Kconfig | 2 +- net/rds/Kconfig | 2 +- net/sunrpc/Kconfig | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) commit 786b71f5b754273ccef6d9462e52062b3e1f9877 Merge: b04e217 a30e7d1 Author: Linus Torvalds Date: Mon May 28 05:25:57 2018 -0700 Merge tag 'nds32-for-linus-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/greentime/linux Pull nds32 fixes from Greentime Hu: "Bug fixes and build error fixes for nds32" * tag 'nds32-for-linus-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/greentime/linux: nds32: Fix compiler warning, Wstringop-overflow, in vdso.c nds32: Disable local irq before calling cpu_dcache_wb_page in copy_user_highpage nds32: Flush the cache of the page at vmaddr instead of kaddr in flush_anon_page nds32: Correct flush_dcache_page function nds32: Fix the unaligned access handler nds32: Renaming the file for unaligned access nds32: To fix a cache inconsistency issue by setting correct cacheability of NTC nds32: To refine readability of INT_MASK_INITAIAL_VAL nds32: Fix the virtual address may map too much range by tlbop issue. nds32: Fix the allmodconfig build. To make sure CONFIG_CPU_LITTLE_ENDIAN is default y nds32: Fix build failed because arch_trace_hardirqs_off is changed to trace_hardirqs_off. nds32: Fix the unknown type u8 issue. nds32: Fix the symbols undefined issue by exporting them. nds32: Fix xfs_buf built failed by export invalidate_kernel_vmap_range and flush_kernel_vmap_range nds32: Fix drivers/gpu/drm/udl/udl_fb.c building error by defining PAGE_SHARED nds32: Fix building error of crypto/xor.c by adding xor.h nds32: Fix building error when CONFIG_FREEZE is enabled. nds32: lib: To use generic lib instead of libgcc to prevent the symbol undefined issue. commit 540ead8c5a0e2910fc7bf0839982921c8f11b31c Author: Chris Wilson Date: Mon May 21 22:05:30 2018 +0100 drm/i915/query: Protect tainted function pointer lookup Smatch identifies i915_query_ioctl() as being a potential victim of Spectre due to its use of a tainted user index into a function pointer array. Use array_index_nospec() to defang the user index before using it to lookup the function pointer. Fixes: a446ae2c6e65 ("drm/i915: add query uAPI") Signed-off-by: Chris Wilson Cc: Lionel Landwerlin Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Reviewed-by: Lionel Landwerlin Link: https://patchwork.freedesktop.org/patch/msgid/20180521210530.26008-1-chris@chris-wilson.co.uk (cherry picked from commit 84b510e22da7926522a257cfe295d3695346a0bd) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/i915_query.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit b9eb9c92899a509fe258d38dd6c214b1de69eee0 Author: Chris Wilson Date: Fri May 18 08:48:40 2018 +0100 drm/i915/lvds: Move acpi lid notification registration to registration phase Delay registering ourselves with the acpi lid notification mechanism until we are registering the connectors after initialisation is complete. This prevents a possibility of trying to handle the lid notification before we are ready with the danger of chasing uninitialised function pointers. BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 IP: (null) PGD 0 P4D 0 Oops: 0010 [#1] PREEMPT SMP PTI Modules linked in: arc4(+) iwldvm(+) i915(+) mac80211 i2c_algo_bit coretemp mei_wdt iwlwifi drm_kms_helper kvm_intel wmi_bmof iTCO_wdt iTCO_vendor_support kvm snd_hda_codec_conexant snd_hda_codec_generic drm psmouse cfg80211 irqbypass input_leds pcspkr i2c_i801 snd_hda_intel snd_hda_codec thinkpad_acpi snd_hda_core mei_me lpc_ich snd_hwdep e1000e wmi nvram snd_pcm mei snd_timer shpchp ptp pps_core rfkill syscopyarea snd intel_agp sysfillrect intel_gtt soundcore sysimgblt battery led_class fb_sys_fops ac rtc_cmos agpgart evdev mac_hid acpi_cpufreq ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto crypto_simd glue_helper cryptd aes_x86_64 xts algif_skcipher af_alg dm_crypt dm_mod sd_mod uas usb_storage serio_raw atkbd libps2 ahci libahci uhci_hcd libata scsi_mod ehci_pci ehci_hcd usbcore usb_common i8042 serio CPU: 1 PID: 378 Comm: systemd-logind Not tainted 4.16.8-1-ARCH #1 Hardware name: LENOVO 7454CTO/7454CTO, BIOS 6DET72WW (3.22 ) 10/25/2012 RIP: 0010: (null) RSP: 0018:ffffaf4580c33a18 EFLAGS: 00010287 RAX: 0000000000000000 RBX: ffff947533558000 RCX: 000000000000003e RDX: ffffffffc0aa80c0 RSI: ffffaf4580c33a3c RDI: ffff947534e4c000 RBP: ffff947533558338 R08: ffff947534598930 R09: ffffffffc0a928b1 R10: ffffd8f181d5fd40 R11: 0000000000000000 R12: ffffffffc0a928b1 R13: ffff947533558368 R14: ffffffffc0a928a9 R15: ffff947534e4c000 FS: 00007f3dc4ddb940(0000) GS:ffff947539280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000006e214000 CR4: 00000000000406e0 Call Trace: ? intel_modeset_setup_hw_state+0x385/0xf60 [i915] ? __intel_display_resume+0x1e/0xc0 [i915] ? intel_display_resume+0xcc/0x120 [i915] ? intel_lid_notify+0xbc/0xc0 [i915] ? notifier_call_chain+0x47/0x70 ? blocking_notifier_call_chain+0x3e/0x60 ? acpi_lid_notify_state+0x8f/0x1d0 ? acpi_lid_update_state+0x49/0x70 ? acpi_lid_input_open+0x60/0x90 ? input_open_device+0x5d/0xa0 ? evdev_open+0x1ba/0x1e0 [evdev] ? chrdev_open+0xa3/0x1b0 ? cdev_put.part.0+0x20/0x20 ? do_dentry_open+0x14c/0x300 ? path_openat+0x30c/0x1240 ? current_time+0x16/0x60 ? do_filp_open+0x93/0x100 ? __check_object_size+0xfb/0x180 ? do_sys_open+0x186/0x210 ? do_syscall_64+0x74/0x190 ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Code: Bad RIP value. RIP: (null) RSP: ffffaf4580c33a18 CR2: 0000000000000000 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106559 Fixes: c1c7af608920 ("drm/i915: force mode set at lid open time") Signed-off-by: Chris Wilson Cc: Maarten Lankhorst Cc: Ville Syrjälä Cc: Daniel Vetter Reviewed-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20180518074840.16194-1-chris@chris-wilson.co.uk Cc: stable@vger.kernel.org (cherry picked from commit e578a570dc7c20475774d1ff993825e3bd7a7011) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_lvds.c | 43 +++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 11 deletions(-) commit b3fb22733ae61050f8d10a1d6a8af176c5c5db1a Author: Ondrej Zary Date: Fri Mar 9 23:22:04 2018 +0100 drm/i915: Disable LVDS on Radiant P845 Radiant P845 does not have LVDS, only VGA. Cc: stable@vger.kernel.org Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105468 Signed-off-by: Ondrej Zary Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20180309222204.4771-1-linux@rainbow-software.org (cherry picked from commit 7f7105f99b75aca4f8c2a748ed6b82c7f8be3293) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_lvds.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 Author: Steven Rostedt (VMware) Date: Sun May 27 20:54:44 2018 -0400 tracing: Fix crash when freeing instances with event triggers If a instance has an event trigger enabled when it is freed, it could cause an access of free memory. Here's the case that crashes: # cd /sys/kernel/tracing # mkdir instances/foo # echo snapshot > instances/foo/events/initcall/initcall_start/trigger # rmdir instances/foo Would produce: general protection fault: 0000 [#1] PREEMPT SMP PTI Modules linked in: tun bridge ... CPU: 5 PID: 6203 Comm: rmdir Tainted: G W 4.17.0-rc4-test+ #933 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 RIP: 0010:clear_event_triggers+0x3b/0x70 RSP: 0018:ffffc90003783de0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b2b RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800c7130ba0 RBP: ffffc90003783e00 R08: ffff8801131993f8 R09: 0000000100230016 R10: ffffc90003783d80 R11: 0000000000000000 R12: ffff8800c7130ba0 R13: ffff8800c7130bd8 R14: ffff8800cc093768 R15: 00000000ffffff9c FS: 00007f6f4aa86700(0000) GS:ffff88011eb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6f4a5aed60 CR3: 00000000cd552001 CR4: 00000000001606e0 Call Trace: event_trace_del_tracer+0x2a/0xc5 instance_rmdir+0x15c/0x200 tracefs_syscall_rmdir+0x52/0x90 vfs_rmdir+0xdb/0x160 do_rmdir+0x16d/0x1c0 __x64_sys_rmdir+0x17/0x20 do_syscall_64+0x55/0x1a0 entry_SYSCALL_64_after_hwframe+0x49/0xbe This was due to the call the clears out the triggers when an instance is being deleted not removing the trigger from the link list. Cc: stable@vger.kernel.org Fixes: 85f2b08268c01 ("tracing: Add basic event trigger framework") Signed-off-by: Steven Rostedt (VMware) kernel/trace/trace_events_trigger.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit b04e217704b7f879c6b91222b066983a44a7a09f Author: Linus Torvalds Date: Sun May 27 13:01:47 2018 -0700 Linux 4.17-rc7 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 861d9dd375269c695be8860387b4bb522f8b490a Merge: 7fbb615 8438ee7 Author: Linus Torvalds Date: Sun May 27 09:27:27 2018 -0700 Merge tag 'kbuild-fixes-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull more Kbuild fixes from Masahiro Yamada: - enable '-fno-tree-loop-im' only when supported - add '-fno-PIE' option before the asm-goto test * tag 'kbuild-fixes-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: Makefile: disable PIE before testing asm goto kbuild: gcov: enable -fno-tree-loop-im if supported commit 7fbb6157630f2ba6ee355689061f9596b84373ef Merge: b2096a5 e5dd615 Author: Linus Torvalds Date: Sat May 26 14:05:16 2018 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "A few more fixes for v4.17: - a fix for a crash in scm_call_atomic on qcom platforms - display fix for Allwinner A10 - a fix that re-enables ethernet on Allwinner H3 (C.H.I.P et al) - a fix for eMMC corruption on hikey - i2c-gpio descriptor tables for ixp4xx ... plus a small typo fix" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: Fix i2c-gpio GPIO descriptor tables arm64: dts: hikey: Fix eMMC corruption regression firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1() ARM: sun8i: v3s: fix spelling mistake: "disbaled" -> "disabled" ARM: dts: sun4i: Fix incorrect clocks for displays ARM: dts: sun8i: h3: Re-enable EMAC on Orange Pi One commit b2096a5e071ab9e9856375d1da2c6209cc57690f Merge: cc71efd 8ecc497 Author: Linus Torvalds Date: Sat May 26 13:24:16 2018 -0700 Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 store buffer fixes from Thomas Gleixner: "Two fixes for the SSBD mitigation code: - expose SSBD properly to guests. This got broken when the CPU feature flags got reshuffled. - simplify the CPU detection logic to avoid duplicate entries in the tables" * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/speculation: Simplify the CPU bug detection logic KVM/VMX: Expose SSBD properly to guests commit cc71efda829413b734a2349ed4b9de1ac012bbc2 Merge: ec30dcf 4ff648d Author: Linus Torvalds Date: Sat May 26 13:10:16 2018 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Thomas Gleixner: "Three fixes for scheduler and kthread code: - allow calling kthread_park() on an already parked thread - restore the sched_pi_setprio() tracepoint behaviour - clarify the unclear string for the scheduling domain debug output" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched, tracing: Fix trace_sched_pi_setprio() for deboosting kthread: Allow kthread_park() on a parked kthread sched/topology: Clarify root domain(s) debug string commit e5dd61546a777d19d4fe35e2d0a2b664ca49f6b2 Merge: f59c303 9c6d26d Author: Olof Johansson Date: Sat May 26 12:12:44 2018 -0700 Merge tag 'hisi-fixes-for-4.17v2' of git://github.com/hisilicon/linux-hisi into fixes ARM64: hisi fixes for 4.17 - Remove eMMC max-frequency property to fix eMMC corruption on hikey board * tag 'hisi-fixes-for-4.17v2' of git://github.com/hisilicon/linux-hisi: arm64: dts: hikey: Fix eMMC corruption regression Signed-off-by: Olof Johansson commit f59c303b59b7404e5da70b80b6340b199cb95650 Author: Linus Walleij Date: Sat May 26 18:37:34 2018 +0200 ARM: Fix i2c-gpio GPIO descriptor tables I used bad names in my clumsiness when rewriting many board files to use GPIO descriptors instead of platform data. A few had the platform_device ID set to -1 which would indeed give the device name "i2c-gpio". But several had it set to >=0 which gives the names "i2c-gpio.0", "i2c-gpio.1" ... Fix the offending instances in the ARM tree. Sorry for the mess. Fixes: b2e63555592f ("i2c: gpio: Convert to use descriptors") Cc: Wolfram Sang Cc: Simon Guinot Reported-by: Simon Guinot Signed-off-by: Linus Walleij Signed-off-by: Olof Johansson arch/arm/mach-ep93xx/core.c | 2 +- arch/arm/mach-ixp4xx/avila-setup.c | 2 +- arch/arm/mach-ixp4xx/dsmg600-setup.c | 2 +- arch/arm/mach-ixp4xx/fsg-setup.c | 2 +- arch/arm/mach-ixp4xx/ixdp425-setup.c | 2 +- arch/arm/mach-ixp4xx/nas100d-setup.c | 2 +- arch/arm/mach-ixp4xx/nslu2-setup.c | 2 +- arch/arm/mach-pxa/palmz72.c | 2 +- arch/arm/mach-pxa/viper.c | 4 ++-- arch/arm/mach-sa1100/simpad.c | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) commit ec30dcf7f425dc811ac365b5c4b0f097f98e569f Merge: bc2dbc5 696ca77 Author: Linus Torvalds Date: Sat May 26 10:46:57 2018 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Radim Krčmář: "PPC: - Close a hole which could possibly lead to the host timebase getting out of sync. - Three fixes relating to PTEs and TLB entries for radix guests. - Fix a bug which could lead to an interrupt never getting delivered to the guest, if it is pending for a guest vCPU when the vCPU gets offlined. s390: - Fix false negatives in VSIE validity check (Cc stable) x86: - Fix time drift of VMX preemption timer when a guest uses LAPIC timer in periodic mode (Cc stable) - Unconditionally expose CPUID.IA32_ARCH_CAPABILITIES to allow migration from hosts that don't need retpoline mitigation (Cc stable) - Fix guest crashes on reboot by properly coupling CR4.OSXSAVE and CPUID.OSXSAVE (Cc stable) - Report correct RIP after Hyper-V hypercall #UD (introduced in -rc6)" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: fix #UD address of failed Hyper-V hypercalls kvm: x86: IA32_ARCH_CAPABILITIES is always supported KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed x86/kvm: fix LAPIC timer drift when guest uses periodic mode KVM: s390: vsie: fix < 8k check for the itdba KVM: PPC: Book 3S HV: Do ptesync in radix guest exit path KVM: PPC: Book3S HV: XIVE: Resend re-routed interrupts on CPU priority change KVM: PPC: Book3S HV: Make radix clear pte when unmapping KVM: PPC: Book3S HV: Make radix use correct tlbie sequence in kvmppc_radix_tlbie_page KVM: PPC: Book3S HV: Snapshot timebase offset on guest entry commit 9c6d26df1fae6ad4718d51c48e6517913304ed27 Author: John Stultz Date: Fri May 25 20:10:47 2018 -0700 arm64: dts: hikey: Fix eMMC corruption regression This patch is a partial revert of commit abd7d0972a19 ("arm64: dts: hikey: Enable HS200 mode on eMMC") which has been causing eMMC corruption on my HiKey board. Symptoms usually looked like: mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) ... mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc0: new HS200 MMC card at address 0001 ... dwmmc_k3 f723d000.dwmmc0: Unexpected command timeout, state 3 mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) print_req_error: I/O error, dev mmcblk0, sector 8810504 Aborting journal on device mmcblk0p10-8. mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) mmc_host mmc0: Bus speed (slot 0) = 24800000Hz (slot req 400000Hz, actual 400000HZ div = 31) mmc_host mmc0: Bus speed (slot 0) = 148800000Hz (slot req 150000000Hz, actual 148800000HZ div = 0) EXT4-fs error (device mmcblk0p10): ext4_journal_check_start:61: Detected aborted journal EXT4-fs (mmcblk0p10): Remounting filesystem read-only And quite often this would result in a disk that wouldn't properly boot even with older kernels. It seems the max-frequency property added by the above patch is causing the problem, so remove it. Cc: Ryan Grachek Cc: Wei Xu Cc: Arnd Bergmann Cc: Ulf Hansson Cc: YongQin Liu Cc: Leo Yan Signed-off-by: John Stultz Tested-by: Leo Yan Signed-off-by: Wei Xu arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 1 - 1 file changed, 1 deletion(-) commit bf4407f081f33466ef0b06e213c04264d356aa35 Author: Antoine Tenart Date: Thu May 17 15:22:14 2018 +0200 crypto: inside-secure - do not use memset on MMIO This patch fixes the Inside Secure driver which uses a memtset() call to set an MMIO area from the cryptographic engine to 0. This is wrong as memset() isn't guaranteed to work on MMIO for many reasons. This led to kernel paging request panics in certain cases. Use memset_io() instead. Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") Reported-by: Ofer Heifetz Signed-off-by: Antoine Tenart Signed-off-by: Herbert Xu drivers/crypto/inside-secure/safexcel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 806e30873f0e74d9d41b0ef761bd4d3e55c7d510 Author: Greg Kroah-Hartman Date: Sat May 26 08:49:24 2018 +0200 hwtracing: stm: fix build error on some arches Commit b5e2ced9bf81 ("stm class: Use vmalloc for the master map") caused a build error on some arches as vmalloc.h was not explicitly included. Fix that by adding it to the list of includes. Fixes: b5e2ced9bf81 ("stm class: Use vmalloc for the master map") Reported-by: kbuild test robot Cc: Alexander Shishkin Signed-off-by: Greg Kroah-Hartman drivers/hwtracing/stm/core.c | 1 + 1 file changed, 1 insertion(+) commit bc2dbc5420e82560e650f8531ceca597441ca171 Merge: 03250e10 3f19597 Author: Linus Torvalds Date: Fri May 25 20:24:28 2018 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "16 fixes" * emailed patches from Andrew Morton : kasan: fix memory hotplug during boot kasan: free allocated shadow memory on MEM_CANCEL_ONLINE checkpatch: fix macro argument precedence test init/main.c: include kernel/sys.c: fix potential Spectre v1 issue mm/memory_hotplug: fix leftover use of struct page during hotplug proc: fix smaps and meminfo alignment mm: do not warn on offline nodes unless the specific node is explicitly requested mm, memory_hotplug: make has_unmovable_pages more robust mm/kasan: don't vfree() nonexistent vm_area MAINTAINERS: change hugetlbfs maintainer and update files ipc/shm: fix shmat() nil address after round-down when remapping Revert "ipc/shm: Fix shmat mmap nil-page protection" idr: fix invalid ptr dereference on item delete ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio" mm: fix nr_rotate_swap leak in swapon() error case commit 03250e1028057173b212341015d5fbf53327042c Merge: 62d18ec eb11041 Author: Linus Torvalds Date: Fri May 25 19:54:42 2018 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Let's begin the holiday weekend with some networking fixes: 1) Whoops need to restrict cfg80211 wiphy names even more to 64 bytes. From Eric Biggers. 2) Fix flags being ignored when using kernel_connect() with SCTP, from Xin Long. 3) Use after free in DCCP, from Alexey Kodanev. 4) Need to check rhltable_init() return value in ipmr code, from Eric Dumazet. 5) XDP handling fixes in virtio_net from Jason Wang. 6) Missing RTA_TABLE in rtm_ipv4_policy[], from Roopa Prabhu. 7) Need to use IRQ disabling spinlocks in mlx4_qp_lookup(), from Jack Morgenstein. 8) Prevent out-of-bounds speculation using indexes in BPF, from Daniel Borkmann. 9) Fix regression added by AF_PACKET link layer cure, from Willem de Bruijn. 10) Correct ENIC dma mask, from Govindarajulu Varadarajan. 11) Missing config options for PMTU tests, from Stefano Brivio" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (48 commits) ibmvnic: Fix partial success login retries selftests/net: Add missing config options for PMTU tests mlx4_core: allocate ICM memory in page size chunks enic: set DMA mask to 47 bit ppp: remove the PPPIOCDETACH ioctl ipv4: remove warning in ip_recv_error net : sched: cls_api: deal with egdev path only if needed vhost: synchronize IOTLB message with dev cleanup packet: fix reserve calculation net/mlx5: IPSec, Fix a race between concurrent sandbox QP commands net/mlx5e: When RXFCS is set, add FCS data into checksum calculation bpf: properly enforce index mask to prevent out-of-bounds speculation net/mlx4: Fix irq-unsafe spinlock usage net: phy: broadcom: Fix bcm_write_exp() net: phy: broadcom: Fix auxiliary control register reads net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy net/mlx4: fix spelling mistake: "Inrerface" -> "Interface" and rephrase message ibmvnic: Only do H_EOI for mobility events tuntap: correctly set SOCKWQ_ASYNC_NOSPACE virtio-net: fix leaking page for gso packet during mergeable XDP ... commit 3f1959721558a976aaf9c2024d5bc884e6411bf7 Author: David Hildenbrand Date: Fri May 25 14:48:11 2018 -0700 kasan: fix memory hotplug during boot Using module_init() is wrong. E.g. ACPI adds and onlines memory before our memory notifier gets registered. This makes sure that ACPI memory detected during boot up will not result in a kernel crash. Easily reproducible with QEMU, just specify a DIMM when starting up. Link: http://lkml.kernel.org/r/20180522100756.18478-3-david@redhat.com Fixes: 786a8959912e ("kasan: disable memory hotplug") Signed-off-by: David Hildenbrand Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/kasan/kasan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ed1596f9ab958dd156a66c9ff1029d3761c1786a Author: David Hildenbrand Date: Fri May 25 14:48:08 2018 -0700 kasan: free allocated shadow memory on MEM_CANCEL_ONLINE We have to free memory again when we cancel onlining, otherwise a later onlining attempt will fail. Link: http://lkml.kernel.org/r/20180522100756.18478-2-david@redhat.com Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") Signed-off-by: David Hildenbrand Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/kasan/kasan.c | 1 + 1 file changed, 1 insertion(+) commit d41362ed12b6402f0bba044037653f916757c3b2 Author: Joe Perches Date: Fri May 25 14:48:04 2018 -0700 checkpatch: fix macro argument precedence test checkpatch's macro argument precedence test is broken so fix it. Link: http://lkml.kernel.org/r/5dd900e9197febc1995604bb33c23c136d8b33ce.camel@perches.com Signed-off-by: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/checkpatch.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ae67d58d0546ad3e1ef323d69de6c3708022791f Author: Mathieu Malaterre Date: Fri May 25 14:48:00 2018 -0700 init/main.c: include In commit c7753208a94c ("x86, swiotlb: Add memory encryption support") a call to function `mem_encrypt_init' was added. Include prototype defined in header to prevent a warning reported during compilation with W=1: init/main.c:494:20: warning: no previous prototype for `mem_encrypt_init' [-Wmissing-prototypes] Link: http://lkml.kernel.org/r/20180522195533.31415-1-malat@debian.org Signed-off-by: Mathieu Malaterre Reviewed-by: Andrew Morton Acked-by: Steven Rostedt (VMware) Cc: Tom Lendacky Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Kees Cook Cc: Laura Abbott Cc: Dominik Brodowski Cc: Gargi Sharma Cc: Josh Poimboeuf Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds init/main.c | 1 + 1 file changed, 1 insertion(+) commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 Author: Gustavo A. R. Silva Date: Fri May 25 14:47:57 2018 -0700 kernel/sys.c: fix potential Spectre v1 issue `resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) Fix this by sanitizing *resource* before using it to index current->signal->rlim Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com Signed-off-by: Gustavo A. R. Silva Reviewed-by: Andrew Morton Cc: Alexei Starovoitov Cc: Dan Williams Cc: Thomas Gleixner Cc: Peter Zijlstra Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 5 +++++ 1 file changed, 5 insertions(+) commit a21558618c5dfc55b6086743a88ce5a9c1588f0a Author: Jonathan Cameron Date: Fri May 25 14:47:53 2018 -0700 mm/memory_hotplug: fix leftover use of struct page during hotplug The case of a new numa node got missed in avoiding using the node info from page_struct during hotplug. In this path we have a call to register_mem_sect_under_node (which allows us to specify it is hotplug so don't change the node), via link_mem_sections which unfortunately does not. Fix is to pass check_nid through link_mem_sections as well and disable it in the new numa node path. Note the bug only 'sometimes' manifests depending on what happens to be in the struct page structures - there are lots of them and it only needs to match one of them. The result of the bug is that (with a new memory only node) we never successfully call register_mem_sect_under_node so don't get the memory associated with the node in sysfs and meminfo for the node doesn't report it. It came up whilst testing some arm64 hotplug patches, but appears to be universal. Whilst I'm triggering it by removing then reinserting memory to a node with no other elements (thus making the node disappear then appear again), it appears it would happen on hotplugging memory where there was none before and it doesn't seem to be related the arm64 patches. These patches call __add_pages (where most of the issue was fixed by Pavel's patch). If there is a node at the time of the __add_pages call then all is well as it calls register_mem_sect_under_node from there with check_nid set to false. Without a node that function returns having not done the sysfs related stuff as there is no node to use. This is expected but it is the resulting path that fails... Exact path to the problem is as follows: mm/memory_hotplug.c: add_memory_resource() The node is not online so we enter the 'if (new_node)' twice, on the second such block there is a call to link_mem_sections which calls into drivers/node.c: link_mem_sections() which calls drivers/node.c: register_mem_sect_under_node() which calls get_nid_for_pfn and keeps trying until the output of that matches the expected node (passed all the way down from add_memory_resource) It is effectively the same fix as the one referred to in the fixes tag just in the code path for a new node where the comments point out we have to rerun the link creation because it will have failed in register_new_memory (as there was no node at the time). (actually that comment is wrong now as we don't have register_new_memory any more it got renamed to hotplug_memory_register in Pavel's patch). Link: http://lkml.kernel.org/r/20180504085311.1240-1-Jonathan.Cameron@huawei.com Fixes: fc44f7f9231a ("mm/memory_hotplug: don't read nid from struct page during hotplug") Signed-off-by: Jonathan Cameron Reviewed-by: Pavel Tatashin Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/base/node.c | 5 +++-- include/linux/node.h | 8 +++++--- mm/memory_hotplug.c | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) commit 6c04ab0eddc9a38e6c14ae4b6217db1e34436b8c Author: Hugh Dickins Date: Fri May 25 14:47:50 2018 -0700 proc: fix smaps and meminfo alignment The 4.17-rc /proc/meminfo and /proc//smaps look ugly: single-digit numbers (commonly 0) are misaligned. Remove seq_put_decimal_ull_width()'s leftover optimization for single digits: it's wrong now that num_to_str() takes care of the width. Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1805241554210.1326@eggly.anvils Fixes: d1be35cb6f96 ("proc: add seq_put_decimal_ull_width to speed up /proc/pid/smaps") Signed-off-by: Hugh Dickins Cc: Andrei Vagin Cc: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/seq_file.c | 5 ----- 1 file changed, 5 deletions(-) commit 8addc2d00fe171c89b5fcbafe583c2b90574d301 Author: Michal Hocko Date: Fri May 25 14:47:46 2018 -0700 mm: do not warn on offline nodes unless the specific node is explicitly requested Oscar has noticed that we splat WARNING: CPU: 0 PID: 64 at ./include/linux/gfp.h:467 vmemmap_alloc_block+0x4e/0xc9 [...] CPU: 0 PID: 64 Comm: kworker/u4:1 Tainted: G W E 4.17.0-rc5-next-20180517-1-default+ #66 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 Workqueue: kacpi_hotplug acpi_hotplug_work_fn Call Trace: vmemmap_populate+0xf2/0x2ae sparse_mem_map_populate+0x28/0x35 sparse_add_one_section+0x4c/0x187 __add_pages+0xe7/0x1a0 add_pages+0x16/0x70 add_memory_resource+0xa3/0x1d0 add_memory+0xe4/0x110 acpi_memory_device_add+0x134/0x2e0 acpi_bus_attach+0xd9/0x190 acpi_bus_scan+0x37/0x70 acpi_device_hotplug+0x389/0x4e0 acpi_hotplug_work_fn+0x1a/0x30 process_one_work+0x146/0x340 worker_thread+0x47/0x3e0 kthread+0xf5/0x130 ret_from_fork+0x35/0x40 when adding memory to a node that is currently offline. The VM_WARN_ON is just too loud without a good reason. In this particular case we are doing alloc_pages_node(node, GFP_KERNEL|__GFP_RETRY_MAYFAIL|__GFP_NOWARN, order) so we do not insist on allocating from the given node (it is more a hint) so we can fall back to any other populated node and moreover we explicitly ask to not warn for the allocation failure. Soften the warning only to cases when somebody asks for the given node explicitly by __GFP_THISNODE. Link: http://lkml.kernel.org/r/20180523125555.30039-3-mhocko@kernel.org Signed-off-by: Michal Hocko Reported-by: Oscar Salvador Tested-by: Oscar Salvador Reviewed-by: Pavel Tatashin Cc: Vlastimil Babka Cc: Reza Arbab Cc: Igor Mammedov Cc: Vitaly Kuznetsov Cc: Anshuman Khandual Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/gfp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 15c30bc0908514b4a72fadc3995d32313500393a Author: Michal Hocko Date: Fri May 25 14:47:42 2018 -0700 mm, memory_hotplug: make has_unmovable_pages more robust Oscar has reported: : Due to an unfortunate setting with movablecore, memblocks containing bootmem : memory (pages marked by get_page_bootmem()) ended up marked in zone_movable. : So while trying to remove that memory, the system failed in do_migrate_range : and __offline_pages never returned. : : This can be reproduced by running : qemu-system-x86_64 -m 6G,slots=8,maxmem=8G -numa node,mem=4096M -numa node,mem=2048M : and movablecore=4G kernel command line : : linux kernel: BIOS-provided physical RAM map: : linux kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable : linux kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved : linux kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved : linux kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000bffdffff] usable : linux kernel: BIOS-e820: [mem 0x00000000bffe0000-0x00000000bfffffff] reserved : linux kernel: BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved : linux kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved : linux kernel: BIOS-e820: [mem 0x0000000100000000-0x00000001bfffffff] usable : linux kernel: NX (Execute Disable) protection: active : linux kernel: SMBIOS 2.8 present. : linux kernel: DMI: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org : linux kernel: Hypervisor detected: KVM : linux kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved : linux kernel: e820: remove [mem 0x000a0000-0x000fffff] usable : linux kernel: last_pfn = 0x1c0000 max_arch_pfn = 0x400000000 : : linux kernel: SRAT: PXM 0 -> APIC 0x00 -> Node 0 : linux kernel: SRAT: PXM 1 -> APIC 0x01 -> Node 1 : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff] : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff] : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x13fffffff] : linux kernel: ACPI: SRAT: Node 1 PXM 1 [mem 0x140000000-0x1bfffffff] : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x1c0000000-0x43fffffff] hotplug : linux kernel: NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x0 : linux kernel: NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x13fffffff] -> [mem 0 : linux kernel: NODE_DATA(0) allocated [mem 0x13ffd6000-0x13fffffff] : linux kernel: NODE_DATA(1) allocated [mem 0x1bffd3000-0x1bfffcfff] : : zoneinfo shows that the zone movable is placed into both numa nodes: : Node 0, zone Movable : pages free 160140 : min 1823 : low 2278 : high 2733 : spanned 262144 : present 262144 : managed 245670 : Node 1, zone Movable : pages free 448427 : min 3827 : low 4783 : high 5739 : spanned 524288 : present 524288 : managed 515766 Note how only Node 0 has a hutplugable memory region which would rule it out from the early memblock allocations (most likely memmap). Node1 will surely contain memmaps on the same node and those would prevent offlining to succeed. So this is arguably a configuration issue. Although one could argue that we should be more clever and rule early allocations from the zone movable. This would be correct but probably not worth the effort considering what a hack movablecore is. Anyway, We could do better for those cases though. We rely on start_isolate_page_range resp. has_unmovable_pages to do their job. The first one isolates the whole range to be offlined so that we do not allocate from it anymore and the later makes sure we are not stumbling over non-migrateable pages. has_unmovable_pages is overly optimistic, however. It doesn't check all the pages if we are withing zone_movable because we rely that those pages will be always migrateable. As it turns out we are still not perfect there. While bootmem pages in zonemovable sound like a clear bug which should be fixed let's remove the optimization for now and warn if we encounter unmovable pages in zone_movable in the meantime. That should help for now at least. Btw. this wasn't a real problem until commit 72b39cfc4d75 ("mm, memory_hotplug: do not fail offlining too early") because we used to have a small number of retries and then failed. This turned out to be too fragile though. Link: http://lkml.kernel.org/r/20180523125555.30039-2-mhocko@kernel.org Signed-off-by: Michal Hocko Reported-by: Oscar Salvador Tested-by: Oscar Salvador Reviewed-by: Pavel Tatashin Cc: Vlastimil Babka Cc: Reza Arbab Cc: Igor Mammedov Cc: Vitaly Kuznetsov Cc: Anshuman Khandual Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/page_alloc.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit 0f901dcbc31f88ae41a2aaa365f7802b5d520a28 Author: Andrey Ryabinin Date: Fri May 25 14:47:38 2018 -0700 mm/kasan: don't vfree() nonexistent vm_area KASAN uses different routines to map shadow for hot added memory and memory obtained in boot process. Attempt to offline memory onlined by normal boot process leads to this: Trying to vfree() nonexistent vm area (000000005d3b34b9) WARNING: CPU: 2 PID: 13215 at mm/vmalloc.c:1525 __vunmap+0x147/0x190 Call Trace: kasan_mem_notifier+0xad/0xb9 notifier_call_chain+0x166/0x260 __blocking_notifier_call_chain+0xdb/0x140 __offline_pages+0x96a/0xb10 memory_subsys_offline+0x76/0xc0 device_offline+0xb8/0x120 store_mem_state+0xfa/0x120 kernfs_fop_write+0x1d5/0x320 __vfs_write+0xd4/0x530 vfs_write+0x105/0x340 SyS_write+0xb0/0x140 Obviously we can't call vfree() to free memory that wasn't allocated via vmalloc(). Use find_vm_area() to see if we can call vfree(). Unfortunately it's a bit tricky to properly unmap and free shadow allocated during boot, so we'll have to keep it. If memory will come online again that shadow will be reused. Matthew asked: how can you call vfree() on something that isn't a vmalloc address? vfree() is able to free any address returned by __vmalloc_node_range(). And __vmalloc_node_range() gives you any address you ask. It doesn't have to be an address in [VMALLOC_START, VMALLOC_END] range. That's also how the module_alloc()/module_memfree() works on architectures that have designated area for modules. [aryabinin@virtuozzo.com: improve comments] Link: http://lkml.kernel.org/r/dabee6ab-3a7a-51cd-3b86-5468718e0390@virtuozzo.com [akpm@linux-foundation.org: fix typos, reflow comment] Link: http://lkml.kernel.org/r/20180201163349.8700-1-aryabinin@virtuozzo.com Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") Signed-off-by: Andrey Ryabinin Reported-by: Paul Menzel Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/kasan/kasan.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) commit b9ddff9b85036292f8b6d4ac37e21fc229fedea1 Author: Mike Kravetz Date: Fri May 25 14:47:35 2018 -0700 MAINTAINERS: change hugetlbfs maintainer and update files The current hugetlbfs maintainer has not been active for more than a few years. I have been been active in this area for more than two years and plan to remain active in the foreseeable future. Also, update the hugetlbfs entry to include linux-mm mail list and additional hugetlbfs related files. hugetlb.c and hugetlb.h are not 100% hugetlbfs, but a majority of their content is hugetlbfs related. Link: http://lkml.kernel.org/r/20180518225236.19079-1-mike.kravetz@oracle.com Signed-off-by: Mike Kravetz Acked-by: Naoya Horiguchi Acked-by: Kirill A. Shutemov Acked-by: Vlastimil Babka Acked-by: Michal Hocko Cc: Nadia Yvette Chambers Cc: "Aneesh Kumar K . V" Cc: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc Author: Davidlohr Bueso Date: Fri May 25 14:47:30 2018 -0700 ipc/shm: fix shmat() nil address after round-down when remapping shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL. Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 Signed-off-by: Davidlohr Bueso Reported-by: Andrea Arcangeli Cc: Joe Lawrence Cc: Manfred Spraul Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 Author: Davidlohr Bueso Date: Fri May 25 14:47:27 2018 -0700 Revert "ipc/shm: Fix shmat mmap nil-page protection" Patch series "ipc/shm: shmat() fixes around nil-page". These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page. The first reverts a commit that it was incorrectly thought that mapping nil-page (address=0) was a no no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP; which is address in the second patch. I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP). [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805 This patch (of 2): Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") worked on the idea that we should not be mapping as root addr=0 and MAP_FIXED. However, it was reported that this scenario is in fact valid, thus making the patch both bogus and breaks userspace as well. For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1]. [1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347 Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") Signed-off-by: Davidlohr Bueso Reported-by: Joe Lawrence Reported-by: Andrea Arcangeli Cc: Manfred Spraul Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/shm.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) commit 7a4deea1aa8bddfed4ef1b35fc2b6732563d8ad5 Author: Matthew Wilcox Date: Fri May 25 14:47:24 2018 -0700 idr: fix invalid ptr dereference on item delete If the radix tree underlying the IDR happens to be full and we attempt to remove an id which is larger than any id in the IDR, we will call __radix_tree_delete() with an uninitialised 'slot' pointer, at which point anything could happen. This was easiest to hit with a single entry at id 0 and attempting to remove a non-0 id, but it could have happened with 64 entries and attempting to remove an id >= 64. Roman said: The syzcaller test boils down to opening /dev/kvm, creating an eventfd, and calling a couple of KVM ioctls. None of this requires superuser. And the result is dereferencing an uninitialized pointer which is likely a crash. The specific path caught by syzbot is via KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are other user-triggerable paths, so cc:stable is probably justified. Matthew added: We have around 250 calls to idr_remove() in the kernel today. Many of them pass an ID which is embedded in the object they're removing, so they're safe. Picking a few likely candidates: drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl. drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar drivers/atm/nicstar.c could be taken down by a handcrafted packet Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") Reported-by: Debugged-by: Roman Kagan Signed-off-by: Matthew Wilcox Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/radix-tree.c | 4 +++- tools/testing/radix-tree/idr-test.c | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) commit 3373de209cb123462954740f41c324d03ecfb6d0 Author: Changwei Ge Date: Fri May 25 14:47:20 2018 -0700 ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio" This reverts commit ba16ddfbeb9d ("ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio"). In my testing, this patch introduces a problem that mkfs can't have slots more than 16 with 4k block size. And the original logic is safe actually with the situation it mentions so revert this commit. Attach test log: (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 0, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 1, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 2, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 3, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 4, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 5, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 6, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 7, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 8, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 9, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 10, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 11, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 12, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 13, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 14, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 15, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 16, vec_len = 4096, vec_start = 0 (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:471 ERROR: Adding page[16] to bio failed, page ffffea0002d7ed40, len 0, vec_len 4096, vec_start 0,bi_sector 8192 (mkfs.ocfs2,27479,2):o2hb_read_slots:500 ERROR: status = -5 (mkfs.ocfs2,27479,2):o2hb_populate_slot_data:1911 ERROR: status = -5 (mkfs.ocfs2,27479,2):o2hb_region_dev_write:2012 ERROR: status = -5 Link: http://lkml.kernel.org/r/SIXPR06MB0461721F398A5A92FC68C39ED5920@SIXPR06MB0461.apcprd06.prod.outlook.com Signed-off-by: Changwei Ge Cc: Jun Piao Cc: Yiwen Jiang Cc: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/cluster/heartbeat.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) commit 7cbf319234adaa4518a28c8c523d3330e06638f0 Author: Omar Sandoval Date: Fri May 25 14:47:17 2018 -0700 mm: fix nr_rotate_swap leak in swapon() error case If swapon() fails after incrementing nr_rotate_swap, we don't decrement it and thus effectively leak it. Make sure we decrement it if we incremented it. Link: http://lkml.kernel.org/r/b6fe6b879f17fa68eee6cbd876f459f6e5e33495.1526491581.git.osandov@fb.com Fixes: 81a0298bdfab ("mm, swap: don't use VMA based swap readahead if HDD is used as swap") Signed-off-by: Omar Sandoval Reviewed-by: Rik van Riel Reviewed-by: "Huang, Ying" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/swapfile.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 0ec46ab6425dfd4592989ca53fb6d8492e5d15dd Merge: f2c56aa 5ec3444 Author: Olof Johansson Date: Fri May 25 15:00:26 2018 -0700 Merge tag 'qcom-fixes-for-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux into fixes Qualcomm Fixes for 4.17-rc7 * Fix crash in qcom_scm_call_atomic1() * tag 'qcom-fixes-for-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux: firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1() Signed-off-by: Olof Johansson commit f2c56aac9573c1bcb54d5c06f4a0d0f23532aad1 Merge: 771c577 d89ad4f Author: Olof Johansson Date: Fri May 25 14:03:53 2018 -0700 Merge tag 'sunxi-fixes-for-4.17' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes Allwinner fixes for 4.17 Here is a bunch of fixes for merge issues, typos and wrong clocks being described for simplefb, resulting in non-working displays. * tag 'sunxi-fixes-for-4.17' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: ARM: sun8i: v3s: fix spelling mistake: "disbaled" -> "disabled" ARM: dts: sun4i: Fix incorrect clocks for displays ARM: dts: sun8i: h3: Re-enable EMAC on Orange Pi One Signed-off-by: Olof Johansson commit eb110410b9f6477726026669f3f0c0567e8241e6 Author: Thomas Falcon Date: Thu May 24 14:37:53 2018 -0500 ibmvnic: Fix partial success login retries In its current state, the driver will handle backing device login in a loop for a certain number of retries while the device returns a partial success, indicating that the driver may need to try again using a smaller number of resources. The variable it checks to continue retrying may change over the course of operations, resulting in reallocation of resources but exits without sending the login attempt. Guard against this by introducing a boolean variable that will retain the state indicating that the driver needs to reattempt login with backing device firmware. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit d2f30f5172603bacaf34f0fdb021c25ad1915b05 Merge: 24e4b07 c93552c Author: David S. Miller Date: Fri May 25 15:37:41 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2018-05-24 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix a bug in the original fix to prevent out of bounds speculation when multiple tail call maps from different branches or calls end up at the same tail call helper invocation, from Daniel. 2) Two selftest fixes, one in reuseport_bpf_numa where test is skipped in case of missing numa support and another one to update kernel config to properly support xdp_meta.sh test, from Anders. ... Would be great if you have a chance to merge net into net-next after that. The verifier fix would be needed later as a dependency in bpf-next for upcomig work there. When you do the merge there's a trivial conflict on BPF side with 849fa50662fb ("bpf/verifier: refine retval R0 state for bpf_get_stack helper"): Resolution is to keep both functions, the do_refine_retval_range() and record_func_map(). ==================== Signed-off-by: David S. Miller commit 696ca779a928d0e93d61c38ffc3a4d8914a9b9a0 Author: Radim Krčmář Date: Thu May 24 17:50:56 2018 +0200 KVM: x86: fix #UD address of failed Hyper-V hypercalls If the hypercall was called from userspace or real mode, KVM injects #UD and then advances RIP, so it looks like #UD was caused by the following instruction. This probably won't cause more than confusion, but could give an unexpected access to guest OS' instruction emulator. Also, refactor the code to count hv hypercalls that were handled by the virt userspace. Fixes: 6356ee0c9602 ("x86: Delay skip of emulated hypercall instruction") Reviewed-by: Paolo Bonzini Signed-off-by: Radim Krčmář arch/x86/kvm/hyperv.c | 19 +++++++++++-------- arch/x86/kvm/x86.c | 12 ++++-------- 2 files changed, 15 insertions(+), 16 deletions(-) commit 24e4b075d899e5376dfa39fecd1dbc12bddc1e98 Author: Stefano Brivio Date: Thu May 24 16:10:12 2018 +0200 selftests/net: Add missing config options for PMTU tests PMTU tests in pmtu.sh need support for VTI, VTI6 and dummy interfaces: add them to config file. Reported-by: Naresh Kamboju Fixes: d1f1b9cbf34c ("selftests: net: Introduce first PMTU test") Signed-off-by: Stefano Brivio Signed-off-by: David S. Miller tools/testing/selftests/net/config | 5 +++++ 1 file changed, 5 insertions(+) commit e3ffec48b22f3427a576ab6ca58ba5e9c46923f2 Merge: 1383cb8 16116da Author: David S. Miller Date: Fri May 25 14:54:19 2018 -0400 Merge tag 'batadv-net-for-davem-20180524' of git://git.open-mesh.org/linux-merge Simon Wunderlich says: ==================== Here are some batman-adv bugfixes: - prevent hardif_put call with NULL parameter, by Colin Ian King - Avoid race in Translation Table allocator, by Sven Eckelmann - Fix Translation Table sync flags for intermediate Responses, by Linus Luessing - prevent sending inconsistent Translation Table TVLVs, by Marek Lindner ==================== Signed-off-by: David S. Miller commit 6e04b103568983bd699fac96b80a9b96ede68118 Author: Devesh Sharma Date: Fri May 25 12:01:21 2018 -0400 RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes The recent changes in Broadcom's ethernet driver(L2 driver) broke RoCE functionality in terms of MSIx vector allocation and de-allocation. There is a possibility that L2 driver would initiate MSIx vector reallocation depending upon the requests coming from administrator. In such cases L2 driver needs to free up all the MSIx vectors allocated previously and reallocate/initialize those. If RoCE driver is loaded and reshuffling is attempted, there will be kernel crashes because RoCE driver would still be holding the MSIx vectors but L2 driver would attempt to free in-use vectors. Thus leading to a kernel crash. Making changes in roce driver to fix crashes described above. As part of solution L2 driver tells RoCE driver to release the MSIx vector whenever there is a need. When RoCE driver get message it sync up with all the running tasklets and IRQ handlers and releases the vectors. L2 driver send one more message to RoCE driver to resume the MSIx vectors. L2 driver guarantees that RoCE vector do not change during reshuffling. Fixes: ec86f14ea506 ("bnxt_en: Add ULP calls to stop and restart IRQs.") Fixes: 08654eb213a8 ("bnxt_en: Change IRQ assignment for RDMA driver.") Signed-off-by: Devesh Sharma Signed-off-by: Jason Gunthorpe drivers/infiniband/hw/bnxt_re/main.c | 55 ++++++++++++++++- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 94 +++++++++++++++++++----------- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3 + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 61 +++++++++++++------ drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 + 5 files changed, 163 insertions(+), 53 deletions(-) commit 62d18ecfa64137349fac9c5817784fbd48b54f48 Merge: b133ef6 82034c2 Author: Linus Torvalds Date: Fri May 25 09:35:11 2018 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull more arm64 fixes from Will Deacon: - fix application of read-only permissions to kernel section mappings - sanitise reported ESR values for signals delivered on a kernel address - ensure tishift GCC helpers are exported to modules - fix inline asm constraints for some LSE atomics * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: Make sure permission updates happen for pmd/pud arm64: fault: Don't leak data in ESR context for user fault on kernel VA arm64: export tishift functions to modules arm64: lse: Add early clobbers to some input/output asm operands commit b133ef6ea4c918bb70f40e6c522f1a474eecd589 Merge: f287fe3 faf37c4 Author: Linus Torvalds Date: Fri May 25 09:32:00 2018 -0700 Merge tag 'powerpc-4.17-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fix from Michael Ellerman: "Just one fix, to make sure the PCR (Processor Compatibility Register) is reset on boot. Otherwise if we're running in compat mode in a guest (eg. pretending a Power9 is a Power8) and the host kernel oopses and kdumps then the kdump kernel's userspace will be running in Power8 mode, and will SIGILL if it uses Power9-only instructions. Thanks to Michael Neuling" * tag 'powerpc-4.17-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s: Clear PCR on boot commit f287fe35ded1f07c42fc8d21476fa9a7d64e89b7 Merge: b9f5701 3de06d5 Author: Linus Torvalds Date: Fri May 25 09:29:17 2018 -0700 Merge tag 'mmc-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "MMC core: - Propagate correct error code for RPMB requests MMC host: - sdhci-iproc: Drop hard coded cap for 1.8v - sdhci-iproc: Fix 32bit writes for transfer mode - sdhci-iproc: Enable SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus" * tag 'mmc-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register mmc: sdhci-iproc: remove hard coded mmc cap 1.8v mmc: block: propagate correct returned value in mmc_rpmb_ioctl commit b9f57019a9ec74f4c6f0b475e9d6bfdd6fa38f37 Merge: a1a9f53 4bc6f77 Author: Linus Torvalds Date: Fri May 25 09:15:13 2018 -0700 Merge tag 'drm-fixes-for-v4.17-rc7' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Only two sets of drivers fixes: one rcar-du lvds regression fix, and a group of fixes for vmwgfx" * tag 'drm-fixes-for-v4.17-rc7' of git://people.freedesktop.org/~airlied/linux: drm/vmwgfx: Schedule an fb dirty update after resume drm/vmwgfx: Fix host logging / guestinfo reading error paths drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros drm: rcar-du: lvds: Fix crash in .atomic_check when disabling connector commit a1a9f537aa44862a14c00c52f934b79fb725292d Merge: b506943 009f8c9 Author: Linus Torvalds Date: Fri May 25 09:13:34 2018 -0700 Merge tag 'sound-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Two fixes: - a timer pause event notification was garbled upon the recent hardening work; corrected now - HD-audio runtime PM regression fix due to the incorrect return type" * tag 'sound-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda - Fix runtime PM ALSA: timer: Fix pause event notification commit 0ed2424b911f3a058dfea01b78817abed767433d Author: Alexander Shishkin Date: Thu May 24 11:27:27 2018 +0300 intel_th: Use correct device when freeing buffers Commit d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU domain allocation") changes dma buffer allocation to use the actual underlying device, but forgets to change the deallocation path, which leads to (if you've got CAP_SYS_RAWIO): > # echo 0,0 > /sys/bus/intel_th/devices/0-msc0/nr_pages > ------------[ cut here ]------------ > kernel BUG at ../linux/drivers/iommu/intel-iommu.c:3670! > CPU: 3 PID: 231 Comm: sh Not tainted 4.17.0-rc1+ #2729 > RIP: 0010:intel_unmap+0x11e/0x130 ... > Call Trace: > intel_free_coherent+0x3e/0x60 > msc_buffer_win_free+0x100/0x160 [intel_th_msu] This patch fixes the buffer deallocation code to use the correct device. Signed-off-by: Alexander Shishkin Fixes: d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU domain allocation") Reported-by: Baofeng Tian CC: stable@vger.kernel.org # v4.14+ Signed-off-by: Greg Kroah-Hartman drivers/hwtracing/intel_th/msu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit b5e2ced9bf81393034072dd4d372f6b430bc1f0a Author: Alexander Shishkin Date: Thu May 24 11:27:26 2018 +0300 stm class: Use vmalloc for the master map Fengguang is running into a warning from the buddy allocator: > swapper/0: page allocation failure: order:9, mode:0x14040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) > CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.17.0-rc1 #262 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 > Call Trace: ... > __kmalloc+0x14b/0x180: ____cache_alloc at mm/slab.c:3127 > stm_register_device+0xf3/0x5c0: stm_register_device at drivers/hwtracing/stm/core.c:695 ... Which is basically a result of the stm class trying to allocate ~512kB for the dummy_stm with its default parameters. There's no reason, however, for it not to be vmalloc()ed instead, which is what this patch does. Reported-by: Fengguang Wu Signed-off-by: Alexander Shishkin CC: stable@vger.kernel.org # v4.4+ Signed-off-by: Greg Kroah-Hartman drivers/hwtracing/stm/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 1383cb8103bb166e50cbab1543bb3b5118fccf82 Author: Qing Huang Date: Wed May 23 16:22:46 2018 -0700 mlx4_core: allocate ICM memory in page size chunks When a system is under memory presure (high usage with fragments), the original 256KB ICM chunk allocations will likely trigger kernel memory management to enter slow path doing memory compact/migration ops in order to complete high order memory allocations. When that happens, user processes calling uverb APIs may get stuck for more than 120s easily even though there are a lot of free pages in smaller chunks available in the system. Syslog: ... Dec 10 09:04:51 slcc03db02 kernel: [397078.572732] INFO: task oracle_205573_e:205573 blocked for more than 120 seconds. ... With 4KB ICM chunk size on x86_64 arch, the above issue is fixed. However in order to support smaller ICM chunk size, we need to fix another issue in large size kcalloc allocations. E.g. Setting log_num_mtt=30 requires 1G mtt entries. With the 4KB ICM chunk size, each ICM chunk can only hold 512 mtt entries (8 bytes for each mtt entry). So we need a 16MB allocation for a table->icm pointer array to hold 2M pointers which can easily cause kcalloc to fail. The solution is to use kvzalloc to replace kcalloc which will fall back to vmalloc automatically if kmalloc fails. Signed-off-by: Qing Huang Acked-by: Daniel Jurgens Reviewed-by: Zhu Yanjun Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/icm.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) commit 4ff648decf4712d39f184fc2df3163f43975575a Author: Sebastian Andrzej Siewior Date: Thu May 24 15:26:48 2018 +0200 sched, tracing: Fix trace_sched_pi_setprio() for deboosting Since the following commit: b91473ff6e97 ("sched,tracing: Update trace_sched_pi_setprio()") the sched_pi_setprio trace point shows the "newprio" during a deboost: |futex sched_pi_setprio: comm=futex_requeue_p pid"34 oldprio˜ newprio=3D98 |futex sched_switch: prev_comm=futex_requeue_p prev_pid"34 prev_prio=120 This patch open codes __rt_effective_prio() in the tracepoint as the 'newprio' to get the old behaviour back / the correct priority: |futex sched_pi_setprio: comm=futex_requeue_p pid"20 oldprio˜ newprio=3D120 |futex sched_switch: prev_comm=futex_requeue_p prev_pid"20 prev_prio=120 Peter suggested to open code the new priority so people using tracehook could get the deadline data out. Reported-by: Mansky Christian Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Thomas Gleixner Fixes: b91473ff6e97 ("sched,tracing: Update trace_sched_pi_setprio()") Link: http://lkml.kernel.org/r/20180524132647.gg6ziuogczdmjjzu@linutronix.de Signed-off-by: Ingo Molnar include/trace/events/sched.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit b1f5b378e126133521df668379249fb8265121f1 Author: Peter Zijlstra Date: Fri May 4 11:11:42 2018 +0200 kthread: Allow kthread_park() on a parked kthread The following commit: 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() completion issue") added a WARN() in the case where we call kthread_park() on an already parked thread, because the old code wasn't doing the right thing there and it wasn't at all clear that would happen. It turns out, this does in fact happen, so we have to deal with it. Instead of potentially returning early, also wait for the completion. This does however mean we have to use complete_all() and re-initialize the completion on re-use. Reported-by: LKP Tested-by: Meelis Roos Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: kernel test robot Cc: wfg@linux.intel.com Cc: Thomas Gleixner Fixes: 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() completion issue") Link: http://lkml.kernel.org/r/20180504091142.GI12235@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar kernel/kthread.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit bf5015a50f1fdb248b48405b67cae24dc02605d6 Author: Juri Lelli Date: Thu May 24 17:29:36 2018 +0200 sched/topology: Clarify root domain(s) debug string When scheduler debug is enabled, building scheduling domains outputs information about how the domains are laid out and to which root domain each CPU (or sets of CPUs) belongs, e.g.: CPU0 attaching sched-domain(s): domain-0: span=0-5 level=MC groups: 0:{ span=0 }, 1:{ span=1 }, 2:{ span=2 }, 3:{ span=3 }, 4:{ span=4 }, 5:{ span=5 } CPU1 attaching sched-domain(s): domain-0: span=0-5 level=MC groups: 1:{ span=1 }, 2:{ span=2 }, 3:{ span=3 }, 4:{ span=4 }, 5:{ span=5 }, 0:{ span=0 } [...] span: 0-5 (max cpu_capacity = 1024) The fact that latest line refers to CPUs 0-5 root domain doesn't however look immediately obvious to me: one might wonder why span 0-5 is reported "again". Make it more clear by adding "root domain" to it, as to end with the following: CPU0 attaching sched-domain(s): domain-0: span=0-5 level=MC groups: 0:{ span=0 }, 1:{ span=1 }, 2:{ span=2 }, 3:{ span=3 }, 4:{ span=4 }, 5:{ span=5 } CPU1 attaching sched-domain(s): domain-0: span=0-5 level=MC groups: 1:{ span=1 }, 2:{ span=2 }, 3:{ span=3 }, 4:{ span=4 }, 5:{ span=5 }, 0:{ span=0 } [...] root domain span: 0-5 (max cpu_capacity = 1024) Signed-off-by: Juri Lelli Signed-off-by: Peter Zijlstra (Intel) Cc: Dietmar Eggemann Cc: Linus Torvalds Cc: Patrick Bellasi Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180524152936.17611-1-juri.lelli@redhat.com Signed-off-by: Ingo Molnar kernel/sched/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5ec3444c8346c922316f4effafa8afc17defda0e Author: Niklas Cassel Date: Mon Apr 9 23:40:15 2018 +0200 firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1() qcom_scm_call_atomic1() can crash with a NULL pointer dereference at qcom_scm_call_atomic1+0x30/0x48. disassembly of qcom_scm_call_atomic1(): ... <0xc08d73b0 <+12>: ldr r3, [r12] ... (no instruction explicitly modifies r12) 0xc08d73cc <+40>: smc 0 ... (no instruction explicitly modifies r12) 0xc08d73d4 <+48>: ldr r3, [r12] <- crashing instruction ... Since the first ldr is successful, and since r12 isn't explicitly modified by any instruction between the first and the second ldr, it must have been modified by the smc call, which is ok, since r12 is caller save according to the AAPCS. Add r12 to the clobber list so that the compiler knows that the callee potentially overwrites the value in r12. Clobber descriptions may not in any way overlap with an input or output operand. Signed-off-by: Niklas Cassel Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Andy Gross drivers/firmware/qcom_scm-32.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 322eaa06d55ebc1402a4a8d140945cff536638b4 Author: Govindarajulu Varadarajan Date: Wed May 23 11:17:39 2018 -0700 enic: set DMA mask to 47 bit In commit 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") DMA mask was changed from 40 bits to 64 bits. Hardware actually supports only 47 bits. Fixes: 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") Signed-off-by: Govindarajulu Varadarajan Signed-off-by: David S. Miller drivers/net/ethernet/cisco/enic/enic_main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit af8d3c7c001ae7df1ed2b2715f058113efc86187 Author: Eric Biggers Date: Wed May 23 14:37:38 2018 -0700 ppp: remove the PPPIOCDETACH ioctl The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is fundamentally a bad idea. It does check 'f_count < 2', which excludes concurrent operations on the file since they would only be possible with a shared fd table, in which case each fdget() would take a file reference. However, it fails to account for the fact that even with 'f_count == 1' the file can still be linked into epoll instances. As reported by syzbot, this can trivially be used to cause a use-after-free. Yet, the only known user of PPPIOCDETACH is pppd versions older than ppp-2.4.2, which was released almost 15 years ago (November 2003). Also, PPPIOCDETACH apparently stopped working reliably at around the same time, when the f_count check was added to the kernel, e.g. see https://lkml.org/lkml/2002/12/31/83. Also, the current 'f_count < 2' check makes PPPIOCDETACH only work in single-threaded applications; it always fails if called from a multithreaded application. All pppd versions released in the last 15 years just close() the file descriptor instead. Therefore, instead of hacking around this bug by exporting epoll internals to modules, and probably missing other related bugs, just remove the PPPIOCDETACH ioctl and see if anyone actually notices. Leave a stub in place that prints a one-time warning and returns EINVAL. Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers Acked-by: Paul Mackerras Reviewed-by: Guillaume Nault Tested-by: Guillaume Nault Signed-off-by: David S. Miller Documentation/networking/ppp_generic.txt | 6 ------ drivers/net/ppp/ppp_generic.c | 27 +++++---------------------- include/uapi/linux/ppp-ioctl.h | 2 +- 3 files changed, 6 insertions(+), 29 deletions(-) commit 730c54d59403658a62af6517338fa8d4922c1b28 Author: Willem de Bruijn Date: Wed May 23 14:29:52 2018 -0400 ipv4: remove warning in ip_recv_error A precondition check in ip_recv_error triggered on an otherwise benign race. Remove the warning. The warning triggers when passing an ipv6 socket to this ipv4 error handling function. RaceFuzzer was able to trigger it due to a race in setsockopt IPV6_ADDRFORM. --- CPU0 do_ipv6_setsockopt sk->sk_socket->ops = &inet_dgram_ops; --- CPU1 sk->sk_prot->recvmsg udp_recvmsg ip_recv_error WARN_ON_ONCE(sk->sk_family == AF_INET6); --- CPU0 do_ipv6_setsockopt sk->sk_family = PF_INET; This socket option converts a v6 socket that is connected to a v4 peer to an v4 socket. It updates the socket on the fly, changing fields in sk as well as other structs. This is inherently non-atomic. It races with the lockless udp_recvmsg path. No other code makes an assumption that these fields are updated atomically. It is benign here, too, as ip_recv_error cares only about the protocol of the skbs enqueued on the error queue, for which sk_family is not a precise predictor (thanks to another isue with IPV6_ADDRFORM). Link: http://lkml.kernel.org/r/20180518120826.GA19515@dragonet.kaist.ac.kr Fixes: 7ce875e5ecb8 ("ipv4: warn once on passing AF_INET6 socket to ip_recv_error") Reported-by: DaeRyong Jeong Suggested-by: Eric Dumazet Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller net/ipv4/ip_sockglue.c | 2 -- 1 file changed, 2 deletions(-) commit f8f4bef322e4600c5856911c7a632c0e3da920d6 Author: Or Gerlitz Date: Wed May 23 19:24:48 2018 +0300 net : sched: cls_api: deal with egdev path only if needed When dealing with ingress rule on a netdev, if we did fine through the conventional path, there's no need to continue into the egdev route, and we can stop right there. Not doing so may cause a 2nd rule to be added by the cls api layer with the ingress being the egdev. For example, under sriov switchdev scheme, a user rule of VFR A --> VFR B will end up with two HW rules (1) VF A --> VF B and (2) uplink --> VF B Fixes: 208c0f4b5237 ('net: sched: use tc_setup_cb_call to call per-block callbacks') Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller net/sched/cls_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1b15ad683ab42a203f98b67045b40720e99d0e9a Author: Jason Wang Date: Tue May 22 19:58:57 2018 +0800 vhost: synchronize IOTLB message with dev cleanup DaeRyong Jeong reports a race between vhost_dev_cleanup() and vhost_process_iotlb_msg(): Thread interleaving: CPU0 (vhost_process_iotlb_msg) CPU1 (vhost_dev_cleanup) (In the case of both VHOST_IOTLB_UPDATE and VHOST_IOTLB_INVALIDATE) ===== ===== vhost_umem_clean(dev->iotlb); if (!dev->iotlb) { ret = -EFAULT; break; } dev->iotlb = NULL; The reason is we don't synchronize between them, fixing by protecting vhost_process_iotlb_msg() with dev mutex. Reported-by: DaeRyong Jeong Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/vhost.c | 3 +++ 1 file changed, 3 insertions(+) commit d681bc027a133f5c19e037f1bd3a142cffc566b4 Merge: 9aad13b 1dcbc01 Author: David S. Miller Date: Thu May 24 22:01:06 2018 -0400 Merge tag 'mlx5-fixes-2018-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== Mellanox, mlx5 fixes 2018-05-24 This series includes two mlx5 fixes. 1) add FCS data to checksum complete when required, from Eran Ben Elisha. 2) Fix A race in IPSec sandbox QP commands, from Yossi Kuperman. Please pull and let me know if there's any problem. for -stable v4.15 ("net/mlx5e: When RXFCS is set, add FCS data into checksum calculation") ==================== Signed-off-by: David S. Miller commit 9aad13b087ab0a588cd68259de618f100053360e Author: Willem de Bruijn Date: Thu May 24 18:10:30 2018 -0400 packet: fix reserve calculation Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") ensures that packet_snd always starts writing the link layer header in reserved headroom allocated for this purpose. This is needed because packets may be shorter than hard_header_len, in which case the space up to hard_header_len may be zeroed. But that necessary padding is not accounted for in skb->len. The fix, however, is buggy. It calls skb_push, which grows skb->len when moving skb->data back. But in this case packet length should not change. Instead, call skb_reserve, which moves both skb->data and skb->tail back, without changing length. Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") Reported-by: Tariq Toukan Signed-off-by: Willem de Bruijn Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller net/packet/af_packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4bc6f777952cf2d5b39e0c5a97a18caa743f03b7 Merge: 35904d6 6a93cea Author: Dave Airlie Date: Fri May 25 09:47:56 2018 +1000 Merge branch 'vmwgfx-fixes-4.17' of git://people.freedesktop.org/~thomash/linux into drm-fixes Three fixes for vmwgfx. Two are cc'd stable and fix host logging and its error paths on 32-bit VMs. One is a fix for a hibernate flaw introduced with the 4.17 merge window. * 'vmwgfx-fixes-4.17' of git://people.freedesktop.org/~thomash/linux: drm/vmwgfx: Schedule an fb dirty update after resume drm/vmwgfx: Fix host logging / guestinfo reading error paths drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros commit b50694381cfc22dce3a60a291cdae294a5e5777c Merge: 34b48b8 4855c92 Author: Linus Torvalds Date: Thu May 24 14:42:43 2018 -0700 Merge branch 'stable/for-linus-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb Pull swiotlb fix from Konrad Rzeszutek Wilk: "One single fix in here: under Xen the DMA32 heap (in the hypervisor) would end up looking like swiss cheese. The reason being that for every coherent DMA allocation we didn't do the proper hypercall to tell Xen to return the page back to the DMA32 heap. End result was (eventually) no DMA32 space if you (for example) continously unloaded and loaded modules" * 'stable/for-linus-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb: xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent commit 1dcbc01f73f9abc4779f71eae5e6dc61bee37229 Author: Yossi Kuperman Date: Tue Oct 17 20:39:17 2017 +0300 net/mlx5: IPSec, Fix a race between concurrent sandbox QP commands Sandbox QP Commands are retired in the order they are sent. Outstanding commands are stored in a linked-list in the order they appear. Once a response is received and the callback gets called, we pull the first element off the pending list, assuming they correspond. Sending a message and adding it to the pending list is not done atomically, hence there is an opportunity for a race between concurrent requests. Bind both send and add under a critical section. Fixes: bebb23e6cb02 ("net/mlx5: Accel, Add IPSec acceleration interface") Signed-off-by: Yossi Kuperman Signed-off-by: Adi Nissim Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) commit 902a545904c71d719ed144234d67df75f31db63b Author: Eran Ben Elisha Date: Tue May 1 16:25:07 2018 +0300 net/mlx5e: When RXFCS is set, add FCS data into checksum calculation When RXFCS feature is enabled, the HW do not strip the FCS data, however it is not present in the checksum calculated by the HW. Fix that by manually calculating the FCS checksum and adding it to the SKB checksum field. Add helper function to find the FCS data for all SKB forms (linear, one fragment or more). Fixes: 102722fc6832 ("net/mlx5e: Add support for RXFCS feature flag") Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 42 +++++++++++++++++++++++++ 1 file changed, 42 insertions(+) commit 34b48b8789adf344d1012fda5d796994d4ddfc14 Merge: d7b66b4 55ba49c Author: Linus Torvalds Date: Thu May 24 14:12:05 2018 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "This is pretty much just the usual array of smallish driver bugs. - remove bouncing addresses from the MAINTAINERS file - kernel oops and bad error handling fixes for hfi, i40iw, cxgb4, and hns drivers - various small LOC behavioral/operational bugs in mlx5, hns, qedr and i40iw drivers - two fixes for patches already sent during the merge window - a long-standing bug related to not decreasing the pinned pages count in the right MM was found and fixed" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (28 commits) RDMA/hns: Move the location for initializing tmp_len RDMA/hns: Bugfix for cq record db for kernel IB/uverbs: Fix uverbs_attr_get_obj RDMA/qedr: Fix doorbell bar mapping for dpi > 1 IB/umem: Use the correct mm during ib_umem_release iw_cxgb4: Fix an error handling path in 'c4iw_get_dma_mr()' RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint RDMA/i40iw: Avoid reference leaks when processing the AEQ RDMA/i40iw: Avoid panic when objects are being created and destroyed RDMA/hns: Fix the bug with NULL pointer RDMA/hns: Set NULL for __internal_mr RDMA/hns: Enable inner_pa_vld filed of mpt RDMA/hns: Set desc_dma_addr for zero when free cmq desc RDMA/hns: Fix the bug with rq sge RDMA/hns: Not support qp transition from reset to reset for hip06 RDMA/hns: Add return operation when configured global param fail RDMA/hns: Update convert function of endian format RDMA/hns: Load the RoCE dirver automatically RDMA/hns: Bugfix for rq record db for kernel RDMA/hns: Add rq inline flags judgement ... commit d7b66b4ab0344dcc4bf169e0bbfda6234cdf6966 Merge: d883c6c d501473 Author: Linus Torvalds Date: Thu May 24 11:47:43 2018 -0700 Merge tag 'for-4.17-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: "A one-liner that prevents leaking an internal error value 1 out of the ftruncate syscall. This has been observed in practice. The steps to reproduce make a common pattern (open/write/fync/ftruncate) but also need the application to not check only for negative values and happens only for compressed inlined files. The conditions are narrow but as this could break userspace I think it's better to merge it now and not wait for the merge window" * tag 'for-4.17-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: Btrfs: fix error handling in btrfs_truncate() commit 009f8c90f571d87855914dbc20e6c0ea2a3b19ae Author: Lukas Wunner Date: Thu May 24 19:01:07 2018 +0200 ALSA: hda - Fix runtime PM Before commit 3b5b899ca67d ("ALSA: hda: Make use of core codec functions to sync power state"), hda_set_power_state() returned the response to the Get Power State verb, a 32-bit unsigned integer whose expected value is 0x233 after transitioning a codec to D3, and 0x0 after transitioning it to D0. The response value is significant because hda_codec_runtime_suspend() does not clear the codec's bit in the codec_powered bitmask unless the AC_PWRST_CLK_STOP_OK bit (0x200) is set in the response value. That in turn prevents the HDA controller from runtime suspending because azx_runtime_idle() checks that the codec_powered bitmask is zero. Since commit 3b5b899ca67d, hda_set_power_state() only returns 0x0 or 0x1, thereby breaking runtime PM for any HDA controller. That's because an inline function introduced by the commit returns a bool instead of a 32-bit unsigned int. The change was likely erroneous and resulted from copying and pasting snd_hda_check_power_state(), which is immediately preceding the newly introduced inline function. Fix it. Link: https://bugs.freedesktop.org/show_bug.cgi?id=106597 Fixes: 3b5b899ca67d ("ALSA: hda: Make use of core codec functions to sync power state") Cc: Alex Deucher Cc: Abhijeet Kumar Reported-and-tested-by: Gunnar Krüger Signed-off-by: Lukas Wunner Acked-by: Alex Deucher Signed-off-by: Takashi Iwai sound/pci/hda/hda_local.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit d883c6cf3b39f1f42506e82ad2779fb88004acf3 Author: Joonsoo Kim Date: Wed May 23 10:18:21 2018 +0900 Revert "mm/cma: manage the memory of the CMA area by using the ZONE_MOVABLE" This reverts the following commits that change CMA design in MM. 3d2054ad8c2d ("ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y") 1d47a3ec09b5 ("mm/cma: remove ALLOC_CMA") bad8c6c0b114 ("mm/cma: manage the memory of the CMA area by using the ZONE_MOVABLE") Ville reported a following error on i386. Inode-cache hash table entries: 65536 (order: 6, 262144 bytes) microcode: microcode updated early to revision 0x4, date = 2013-06-28 Initializing CPU#0 Initializing HighMem for node 0 (000377fe:00118000) Initializing Movable for node 0 (00000001:00118000) BUG: Bad page state in process swapper pfn:377fe page:f53effc0 count:0 mapcount:-127 mapping:00000000 index:0x0 flags: 0x80000000() raw: 80000000 00000000 00000000 ffffff80 00000000 00000100 00000200 00000001 page dumped because: nonzero mapcount Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 4.17.0-rc5-elk+ #145 Hardware name: Dell Inc. Latitude E5410/03VXMC, BIOS A15 07/11/2013 Call Trace: dump_stack+0x60/0x96 bad_page+0x9a/0x100 free_pages_check_bad+0x3f/0x60 free_pcppages_bulk+0x29d/0x5b0 free_unref_page_commit+0x84/0xb0 free_unref_page+0x3e/0x70 __free_pages+0x1d/0x20 free_highmem_page+0x19/0x40 add_highpages_with_active_regions+0xab/0xeb set_highmem_pages_init+0x66/0x73 mem_init+0x1b/0x1d7 start_kernel+0x17a/0x363 i386_start_kernel+0x95/0x99 startup_32_smp+0x164/0x168 The reason for this error is that the span of MOVABLE_ZONE is extended to whole node span for future CMA initialization, and, normal memory is wrongly freed here. I submitted the fix and it seems to work, but, another problem happened. It's so late time to fix the later problem so I decide to reverting the series. Reported-by: Ville Syrjälä Acked-by: Laura Abbott Acked-by: Michal Hocko Cc: Andrew Morton Signed-off-by: Joonsoo Kim Signed-off-by: Linus Torvalds arch/arm/mm/dma-mapping.c | 16 +------- include/linux/memory_hotplug.h | 3 ++ include/linux/mm.h | 1 - mm/cma.c | 83 ++++++------------------------------------ mm/compaction.c | 4 +- mm/internal.h | 4 +- mm/page_alloc.c | 83 +++++++++++++++--------------------------- 7 files changed, 49 insertions(+), 145 deletions(-) commit 1eaafe91a0df4157521b6417b3dd8430bf5f52f0 Author: Jim Mattson Date: Wed May 9 14:29:35 2018 -0700 kvm: x86: IA32_ARCH_CAPABILITIES is always supported If there is a possibility that a VM may migrate to a Skylake host, then the hypervisor should report IA32_ARCH_CAPABILITIES.RSBA[bit 2] as being set (future work, of course). This implies that CPUID.(EAX=7,ECX=0):EDX.ARCH_CAPABILITIES[bit 29] should be set. Therefore, kvm should report this CPUID bit as being supported whether or not the host supports it. Userspace is still free to clear the bit if it chooses. For more information on RSBA, see Intel's white paper, "Retpoline: A Branch Target Injection Mitigation" (Document Number 337131-001), currently available at https://bugzilla.kernel.org/show_bug.cgi?id=199511. Since the IA32_ARCH_CAPABILITIES MSR is emulated in kvm, there is no dependency on hardware support for this feature. Signed-off-by: Jim Mattson Reviewed-by: Konrad Rzeszutek Wilk Fixes: 28c1c9fabf48 ("KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES") Cc: stable@vger.kernel.org Signed-off-by: Radim Krčmář arch/x86/kvm/cpuid.c | 5 +++++ 1 file changed, 5 insertions(+) commit 577e75e0c9da98b898d2dbe94c30b40eec5b9c99 Merge: b68ea0e 4544e40 Author: Linus Torvalds Date: Thu May 24 09:36:16 2018 -0700 Merge branch 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata Pull libata fixes from Tejun Heo: "Nothing too interesting. Four patches to update the blacklist and add a controller ID" * 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: ahci: Add PCI ID for Cannon Lake PCH-LP AHCI libata: blacklist Micron 500IT SSD with MU01 firmware libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q. libata: Blacklist some Sandisk SSDs for NCQ commit 2bc5ff0bdc00d81d719dad74589317a260d583ed Author: Tomi Valkeinen Date: Thu May 24 10:58:25 2018 +0300 drm/omap: fix NULL deref crash with SDI displays Fix a NULL deref bug introduced in commit 24aac6011f70 ("drm: omapdrm: sdi: Allocate the sdi private data structure dynamically"). Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/2f803bfc-3ffe-332a-7b9a-d59a39db4630@ti.com Fixes: 24aac6011f70 ("drm: omapdrm: sdi: Allocate the sdi private data structure dynamically") Reported-by: Tony Lindgren Tested-by: Tony Lindgren Reviewed-by: Benoit Parrot drivers/gpu/drm/omapdrm/dss/sdi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit c4d2188206bafa177ea58e9a25b952baa0bf7712 Author: Wei Huang Date: Tue May 1 09:49:54 2018 -0500 KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed The CPUID bits of OSXSAVE (function=0x1) and OSPKE (func=0x7, leaf=0x0) allows user apps to detect if OS has set CR4.OSXSAVE or CR4.PKE. KVM is supposed to update these CPUID bits when CR4 is updated. Current KVM code doesn't handle some special cases when updates come from emulator. Here is one example: Step 1: guest boots Step 2: guest OS enables XSAVE ==> CR4.OSXSAVE=1 and CPUID.OSXSAVE=1 Step 3: guest hot reboot ==> QEMU reset CR4 to 0, but CPUID.OSXAVE==1 Step 4: guest os checks CPUID.OSXAVE, detects 1, then executes xgetbv Step 4 above will cause an #UD and guest crash because guest OS hasn't turned on OSXAVE yet. This patch solves the problem by comparing the the old_cr4 with cr4. If the related bits have been changed, kvm_update_cpuid() needs to be called. Signed-off-by: Wei Huang Reviewed-by: Bandan Das Cc: stable@vger.kernel.org Signed-off-by: Radim Krčmář arch/x86/kvm/x86.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit b68ea0ee0362e935a7b4627b9728f6cee95286d7 Merge: 9ca5a2a eedffa2 Author: Linus Torvalds Date: Thu May 24 08:53:20 2018 -0700 Merge tag 'for-linus-20180524' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Two fixes that should go into this release: - a loop writeback error clearing fix from Jeff - the sr sense fix from myself" * tag 'for-linus-20180524' of git://git.kernel.dk/linux-block: loop: clear wb_err in bd_inode when detaching backing file sr: pass down correctly sized SCSI sense buffer commit 9ca5a2ae4259e7aec8efb0db0f6ec721a6854c54 Merge: bee7975 c62ec46 Author: Linus Torvalds Date: Thu May 24 08:49:56 2018 -0700 Merge tag 'pm-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Fix a regression from the 4.15 cycle that caused the system suspend and resume overhead to increase on many systems and triggered more serious problems on some of them (Rafael Wysocki)" * tag 'pm-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / core: Fix direct_complete handling for devices with no callbacks commit c93552c443ebc63b14e26e46d2e76941c88e0d71 Author: Daniel Borkmann Date: Thu May 24 02:32:53 2018 +0200 bpf: properly enforce index mask to prevent out-of-bounds speculation While reviewing the verifier code, I recently noticed that the following two program variants in relation to tail calls can be loaded. Variant 1: # bpftool p d x i 15 0: (15) if r1 == 0x0 goto pc+3 1: (18) r2 = map[id:5] 3: (05) goto pc+2 4: (18) r2 = map[id:6] 6: (b7) r3 = 7 7: (35) if r3 >= 0xa0 goto pc+2 8: (54) (u32) r3 &= (u32) 255 9: (85) call bpf_tail_call#12 10: (b7) r0 = 1 11: (95) exit # bpftool m s i 5 5: prog_array flags 0x0 key 4B value 4B max_entries 4 memlock 4096B # bpftool m s i 6 6: prog_array flags 0x0 key 4B value 4B max_entries 160 memlock 4096B Variant 2: # bpftool p d x i 20 0: (15) if r1 == 0x0 goto pc+3 1: (18) r2 = map[id:8] 3: (05) goto pc+2 4: (18) r2 = map[id:7] 6: (b7) r3 = 7 7: (35) if r3 >= 0x4 goto pc+2 8: (54) (u32) r3 &= (u32) 3 9: (85) call bpf_tail_call#12 10: (b7) r0 = 1 11: (95) exit # bpftool m s i 8 8: prog_array flags 0x0 key 4B value 4B max_entries 160 memlock 4096B # bpftool m s i 7 7: prog_array flags 0x0 key 4B value 4B max_entries 4 memlock 4096B In both cases the index masking inserted by the verifier in order to control out of bounds speculation from a CPU via b2157399cc98 ("bpf: prevent out-of-bounds speculation") seems to be incorrect in what it is enforcing. In the 1st variant, the mask is applied from the map with the significantly larger number of entries where we would allow to a certain degree out of bounds speculation for the smaller map, and in the 2nd variant where the mask is applied from the map with the smaller number of entries, we get buggy behavior since we truncate the index of the larger map. The original intent from commit b2157399cc98 is to reject such occasions where two or more different tail call maps are used in the same tail call helper invocation. However, the check on the BPF_MAP_PTR_POISON is never hit since we never poisoned the saved pointer in the first place! We do this explicitly for map lookups but in case of tail calls we basically used the tail call map in insn_aux_data that was processed in the most recent path which the verifier walked. Thus any prior path that stored a pointer in insn_aux_data at the helper location was always overridden. Fix it by moving the map pointer poison logic into a small helper that covers both BPF helpers with the same logic. After that in fixup_bpf_calls() the poison check is then hit for tail calls and the program rejected. Latter only happens in unprivileged case since this is the *only* occasion where a rewrite needs to happen, and where such rewrite is specific to the map (max_entries, index_mask). In the privileged case the rewrite is generic for the insn->imm / insn->code update so multiple maps from different paths can be handled just fine since all the remaining logic happens in the instruction processing itself. This is similar to the case of map lookups: in case there is a collision of maps in fixup_bpf_calls() we must skip the inlined rewrite since this will turn the generic instruction sequence into a non- generic one. Thus the patch_call_imm will simply update the insn->imm location where the bpf_map_lookup_elem() will later take care of the dispatch. Given we need this 'poison' state as a check, the information of whether a map is an unpriv_array gets lost, so enforcing it prior to that needs an additional state. In general this check is needed since there are some complex and tail call intensive BPF programs out there where LLVM tends to generate such code occasionally. We therefore convert the map_ptr rather into map_state to store all this w/o extra memory overhead, and the bit whether one of the maps involved in the collision was from an unpriv_array thus needs to be retained as well there. Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Alexei Starovoitov include/linux/bpf_verifier.h | 2 +- kernel/bpf/verifier.c | 86 ++++++++++++++++++++++++++++++++------------ 2 files changed, 65 insertions(+), 23 deletions(-) commit d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Author: David Vrabel Date: Fri May 18 16:55:46 2018 +0100 x86/kvm: fix LAPIC timer drift when guest uses periodic mode Since 4.10, commit 8003c9ae204e (KVM: LAPIC: add APIC Timer periodic/oneshot mode VMX preemption timer support), guests using periodic LAPIC timers (such as FreeBSD 8.4) would see their timers drift significantly over time. Differences in the underlying clocks and numerical errors means the periods of the two timers (hv and sw) are not the same. This difference will accumulate with every expiry resulting in a large error between the hv and sw timer. This means the sw timer may be running slow when compared to the hv timer. When the timer is switched from hv to sw, the now active sw timer will expire late. The guest VCPU is reentered and it switches to using the hv timer. This timer catches up, injecting multiple IRQs into the guest (of which the guest only sees one as it does not get to run until the hv timer has caught up) and thus the guest's timer rate is low (and becomes increasing slower over time as the sw timer lags further and further behind). I believe a similar problem would occur if the hv timer is the slower one, but I have not observed this. Fix this by synchronizing the deadlines for both timers to the same time source on every tick. This prevents the errors from accumulating. Fixes: 8003c9ae204e21204e49816c5ea629357e283b06 Cc: Wanpeng Li Signed-off-by: David Vrabel Cc: stable@vger.kernel.org Reviewed-by: Paolo Bonzini Reviewed-by: Wanpeng Li Signed-off-by: Radim Krčmář arch/x86/kvm/lapic.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) commit b09efdc250f0df1bea73f83ef8fb9e9a16229fc5 Merge: e20ac8b df15818 Author: Radim Krčmář Date: Thu May 24 16:48:05 2018 +0200 Merge tag 'kvm-ppc-fixes-4.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc Fixes for PPC KVM: - Close a hole which could possibly lead to the host timebase getting out of sync. - Three fixes relating to PTEs and TLB entries for radix guests. - Fix a bug which could lead to an interrupt never getting delivered to the guest, if it is pending for a guest vCPU when the vCPU gets offlined. commit 4544e403eb25552aed7f0ee181a7a506b8800403 Author: Mika Westerberg Date: Thu May 24 11:12:16 2018 +0300 ahci: Add PCI ID for Cannon Lake PCH-LP AHCI This one should be using the default LPM policy for mobile chipsets so add the PCI ID to the driver list of supported revices. Signed-off-by: Mika Westerberg Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org drivers/ata/ahci.c | 1 + 1 file changed, 1 insertion(+) commit bdcc02cf1bb508fc700df7662f55058f651f2621 Author: Dhinakaran Pandiyan Date: Fri May 11 12:51:42 2018 -0700 drm/psr: Fix missed entry in PSR setup time table. Entry corresponding to 220 us setup time was missing. I am not aware of any specific bug this fixes, but this could potentially result in enabling PSR on a panel with a higher setup time requirement than supported by the hardware. I verified the value is present in eDP spec versions 1.3, 1.4 and 1.4a. Fixes: 6608804b3d7f ("drm/dp: Add drm_dp_psr_setup_time()") Cc: stable@vger.kernel.org Cc: Ville Syrjälä Cc: Jose Roberto de Souza Cc: dri-devel@lists.freedesktop.org Reviewed-by: José Roberto de Souza Reviewed-by: Tarun Vyas Signed-off-by: Dhinakaran Pandiyan Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20180511195145.3829-3-dhinakaran.pandiyan@intel.com drivers/gpu/drm/drm_dp_helper.c | 1 + 1 file changed, 1 insertion(+) commit c7e814628df65f424fe197dde73bfc67e4a244d7 Author: Maciej W. Rozycki Date: Wed May 16 16:39:58 2018 +0100 MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs Use 64-bit accesses for 64-bit floating-point general registers with PTRACE_PEEKUSR, removing the truncation of their upper halves in the FR=1 mode, caused by commit bbd426f542cb ("MIPS: Simplify FP context access"), which inadvertently switched them to using 32-bit accesses. The PTRACE_POKEUSR side is fine as it's never been broken and continues using 64-bit accesses. Fixes: bbd426f542cb ("MIPS: Simplify FP context access") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 3.15+ Patchwork: https://patchwork.linux-mips.org/patch/19334/ Signed-off-by: James Hogan arch/mips/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace32.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 28e4213dd331e944e7fca1954a946829162ed9d4 Author: Maciej W. Rozycki Date: Tue May 15 23:04:44 2018 +0100 MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests Having PR_FP_MODE_FRE (i.e. Config5.FRE) set without PR_FP_MODE_FR (i.e. Status.FR) is not supported as the lone purpose of Config5.FRE is to emulate Status.FR=0 handling on FPU hardware that has Status.FR=1 hardwired[1][2]. Also we do not handle this case elsewhere, and assume throughout our code that TIF_HYBRID_FPREGS and TIF_32BIT_FPREGS cannot be set both at once for a task, leading to inconsistent behaviour if this does happen. Return unsuccessfully then from prctl(2) PR_SET_FP_MODE calls requesting PR_FP_MODE_FRE to be set with PR_FP_MODE_FR clear. This corresponds to modes allowed by `mips_set_personality_fp'. References: [1] "MIPS Architecture For Programmers, Vol. III: MIPS32 / microMIPS32 Privileged Resource Architecture", Imagination Technologies, Document Number: MD00090, Revision 6.02, July 10, 2015, Table 9.69 "Config5 Register Field Descriptions", p. 262 [2] "MIPS Architecture For Programmers, Volume III: MIPS64 / microMIPS64 Privileged Resource Architecture", Imagination Technologies, Document Number: MD00091, Revision 6.03, December 22, 2015, Table 9.72 "Config5 Register Field Descriptions", p. 288 Fixes: 9791554b45a2 ("MIPS,prctl: add PR_[GS]ET_FP_MODE prctl options for MIPS") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 4.0+ Patchwork: https://patchwork.linux-mips.org/patch/19327/ Signed-off-by: James Hogan arch/mips/kernel/process.c | 4 ++++ 1 file changed, 4 insertions(+) commit 32795631e67e16141aa5e065c28ba03bf17abb90 Author: Mathias Kresin Date: Sun Apr 8 10:30:03 2018 +0200 MIPS: lantiq: gphy: Drop reboot/remove reset asserts While doing a global software reset, these bits are not cleared and let some bootloader fail to initialise the GPHYs. The bootloader don't expect the GPHYs in reset, as they aren't during power on. The asserts were a workaround for a wrong syscon-reboot mask. With a mask set which includes the GPHY resets, these resets aren't required any more. Fixes: 126534141b45 ("MIPS: lantiq: Add a GPHY driver which uses the RCU syscon-mfd") Signed-off-by: Mathias Kresin Acked-by: Martin Blumenstingl Acked-by: Hauke Mehrtens Cc: John Crispin Cc: linux-mips@linux-mips.org Cc: # 4.14+ Patchwork: https://patchwork.linux-mips.org/patch/19003/ [jhogan@kernel.org: Fix build warnings] Signed-off-by: James Hogan drivers/soc/lantiq/gphy.c | 36 ------------------------------------ 1 file changed, 36 deletions(-) commit 82034c23fcbc2389c73d97737f61fa2dd6526413 Author: Laura Abbott Date: Wed May 23 11:43:46 2018 -0700 arm64: Make sure permission updates happen for pmd/pud Commit 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings") disallowed block mappings for ioremap since that code does not honor break-before-make. The same APIs are also used for permission updating though and the extra checks prevent the permission updates from happening, even though this should be permitted. This results in read-only permissions not being fully applied. Visibly, this can occasionaly be seen as a failure on the built in rodata test when the test data ends up in a section or as an odd RW gap on the page table dump. Fix this by using pgattr_change_is_safe instead of p*d_present for determining if the change is permitted. Reviewed-by: Kees Cook Tested-by: Peter Robinson Reported-by: Peter Robinson Fixes: 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings") Signed-off-by: Laura Abbott Signed-off-by: Will Deacon arch/arm64/mm/mmu.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit d50147381aa0c9725d63a677c138c47f55d6d3bc Author: Omar Sandoval Date: Tue May 22 09:47:58 2018 -0700 Btrfs: fix error handling in btrfs_truncate() Jun Wu at Facebook reported that an internal service was seeing a return value of 1 from ftruncate() on Btrfs in some cases. This is coming from the NEED_TRUNCATE_BLOCK return value from btrfs_truncate_inode_items(). btrfs_truncate() uses two variables for error handling, ret and err. When btrfs_truncate_inode_items() returns non-zero, we set err to the return value. However, NEED_TRUNCATE_BLOCK is not an error. Make sure we only set err if ret is an error (i.e., negative). To reproduce the issue: mount a filesystem with -o compress-force=zstd and the following program will encounter return value of 1 from ftruncate: int main(void) { char buf[256] = { 0 }; int ret; int fd; fd = open("test", O_CREAT | O_WRONLY | O_TRUNC, 0666); if (fd == -1) { perror("open"); return EXIT_FAILURE; } if (write(fd, buf, sizeof(buf)) != sizeof(buf)) { perror("write"); close(fd); return EXIT_FAILURE; } if (fsync(fd) == -1) { perror("fsync"); close(fd); return EXIT_FAILURE; } ret = ftruncate(fd, 128); if (ret) { printf("ftruncate() returned %d\n", ret); close(fd); return EXIT_FAILURE; } close(fd); return EXIT_SUCCESS; } Fixes: ddfae63cc8e0 ("btrfs: move btrfs_truncate_block out of trans handle") CC: stable@vger.kernel.org # 4.15+ Reported-by: Jun Wu Signed-off-by: Omar Sandoval Signed-off-by: David Sterba fs/btrfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4faa99965e027cc057c5145ce45fa772caa04e8d Author: Al Viro Date: Wed May 23 22:53:22 2018 -0400 fix io_destroy()/aio_complete() race If io_destroy() gets to cancelling everything that can be cancelled and gets to kiocb_cancel() calling the function driver has left in ->ki_cancel, it becomes vulnerable to a race with IO completion. At that point req is already taken off the list and aio_complete() does *NOT* spin until we (in free_ioctx_users()) releases ->ctx_lock. As the result, it proceeds to kiocb_free(), freing req just it gets passed to ->ki_cancel(). Fix is simple - remove from the list after the call of kiocb_cancel(). All instances of ->ki_cancel() already have to cope with the being called with iocb still on list - that's what happens in io_cancel(2). Cc: stable@kernel.org Fixes: 0460fef2a921 "aio: use cancellation list lazily" Signed-off-by: Al Viro fs/aio.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 4b83a9049a983b20b1ec2757727c5e39f5847ad2 Author: Eric Dumazet Date: Mon May 21 16:35:24 2018 -0700 netfilter: provide correct argument to nla_strlcpy() Recent patch forgot to remove nla_data(), upsetting syzkaller a bit. BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 lib/nlattr.c:314 Read of size 1 at addr ffff8801ad1f4fdd by task syz-executor189/4509 CPU: 1 PID: 4509 Comm: syz-executor189 Not tainted 4.17.0-rc6+ #62 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 nla_strlcpy+0x13d/0x150 lib/nlattr.c:314 nfnl_acct_new+0x574/0xc50 net/netfilter/nfnetlink_acct.c:118 nfnetlink_rcv_msg+0xdb5/0xff0 net/netfilter/nfnetlink.c:212 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448 nfnetlink_rcv+0x1fe/0x1ba0 net/netfilter/nfnetlink.c:513 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 sock_write_iter+0x35a/0x5a0 net/socket.c:908 call_write_iter include/linux/fs.h:1784 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x64d/0x960 fs/read_write.c:487 vfs_write+0x1f8/0x560 fs/read_write.c:549 ksys_write+0xf9/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 Fixes: 4e09fc873d92 ("netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes") Signed-off-by: Eric Dumazet Acked-by: Florian Westphal Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 +- net/netfilter/nfnetlink_cthelper.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 55ba49cbcef37053d973f9a45bc58818c333fe13 Author: oulijun Date: Tue May 22 20:47:15 2018 +0800 RDMA/hns: Move the location for initializing tmp_len When posted work request, it need to compute the length of all sges of every wr and fill it into the msg_len field of send wqe. Thus, While posting multiple wr, tmp_len should be reinitialized to zero. Fixes: 8b9b8d143b46 ("RDMA/hns: Fix the endian problem for hns") Signed-off-by: Lijun Ou Signed-off-by: Jason Gunthorpe drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 05d6a4ddb654ef6f2fbbcf9dcb3b263184baa8e4 Author: oulijun Date: Tue May 22 20:47:14 2018 +0800 RDMA/hns: Bugfix for cq record db for kernel When use cq record db for kernel, it needs to set the hr_cq->db_en to 1 and configure the dma address of record cq db of qp context. Fixes: 86188a8810ed ("RDMA/hns: Support cq record doorbell for kernel space") Signed-off-by: Lijun Ou Signed-off-by: Jason Gunthorpe drivers/infiniband/hw/hns/hns_roce_cq.c | 1 + 1 file changed, 1 insertion(+) commit f4602cbb0a2478dda8238a4f382867da425daa8e Author: Jason Gunthorpe Date: Tue May 22 15:56:51 2018 -0600 IB/uverbs: Fix uverbs_attr_get_obj The err pointer comes from uverbs_attr_get, not from the uobject member, which does not store an ERR_PTR. Fixes: be934cca9e98 ("IB/uverbs: Add device memory registration ioctl support") Signed-off-by: Jason Gunthorpe Reviewed-by: Leon Romanovsky include/rdma/uverbs_ioctl.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 30bf066cd9989fef34aeeef9080368867fe42be7 Author: Kalderon, Michal Date: Tue May 15 15:13:33 2018 +0300 RDMA/qedr: Fix doorbell bar mapping for dpi > 1 Each user_context receives a separate dpi value and thus a different address on the doorbell bar. The qedr_mmap function needs to validate the address and map the doorbell bar accordingly. The current implementation always checked against dpi=0 doorbell range leading to a wrong mapping for doorbell bar. (It entered an else case that mapped the address differently). qedr_mmap should only be used for doorbells, so the else was actually wrong in the first place. This only has an affect on arm architecture and not an issue on a x86 based architecture. This lead to doorbells not occurring on arm based systems and left applications that use more than one dpi (or several applications run simultaneously ) to hang. Fixes: ac1b36e55a51 ("qedr: Add support for user context verbs") Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe drivers/infiniband/hw/qedr/verbs.c | 60 ++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 31 deletions(-) commit d546b67cda015fb92bfee93d5dc0ceadb91deaee Author: Jack Morgenstein Date: Wed May 23 10:41:59 2018 +0300 net/mlx4: Fix irq-unsafe spinlock usage spin_lock/unlock was used instead of spin_un/lock_irq in a procedure used in process space, on a spinlock which can be grabbed in an interrupt. This caused the stack trace below to be displayed (on kernel 4.17.0-rc1 compiled with Lock Debugging enabled): [ 154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [ 154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G I [ 154.675856] ----------------------------------------------------- [ 154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: [ 154.690254] 00000000f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at: mlx4_qp_remove+0x20/0x50 [mlx4_core] [ 154.700927] and this task is already holding: [ 154.707461] 0000000094373b5d (&(&cq->lock)->rlock/1){....}, at: destroy_qp_common+0x111/0x560 [mlx4_ib] [ 154.718028] which would create a new lock dependency: [ 154.723705] (&(&cq->lock)->rlock/1){....} -> (&(&qp_table->lock)->rlock){+.+.} [ 154.731922] but this new dependency connects a SOFTIRQ-irq-safe lock: [ 154.740798] (&(&cq->lock)->rlock){..-.} [ 154.740800] ... which became SOFTIRQ-irq-safe at: [ 154.752163] _raw_spin_lock_irqsave+0x3e/0x50 [ 154.757163] mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib] [ 154.762554] ipoib_tx_poll+0x4a/0xf0 [ib_ipoib] ... to a SOFTIRQ-irq-unsafe lock: [ 154.815603] (&(&qp_table->lock)->rlock){+.+.} [ 154.815604] ... which became SOFTIRQ-irq-unsafe at: [ 154.827718] ... [ 154.827720] _raw_spin_lock+0x35/0x50 [ 154.833912] mlx4_qp_lookup+0x1e/0x50 [mlx4_core] [ 154.839302] mlx4_flow_attach+0x3f/0x3d0 [mlx4_core] Since mlx4_qp_lookup() is called only in process space, we can simply replace the spin_un/lock calls with spin_un/lock_irq calls. Fixes: 6dc06c08bef1 ("net/mlx4: Fix the check in attaching steering rules") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/qp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 79fb218d97980d4fee9a64f4c8ff05289364ba25 Author: Florian Fainelli Date: Tue May 22 17:04:49 2018 -0700 net: phy: broadcom: Fix bcm_write_exp() On newer PHYs, we need to select the expansion register to write with setting bits [11:8] to 0xf. This was done correctly by bcm7xxx.c prior to being migrated to generic code under bcm-phy-lib.c which unfortunately used the older implementation from the BCM54xx days. Fix this by creating an inline stub: bcm_write_exp_sel() which adds the correct value (MII_BCM54XX_EXP_SEL_ER) and update both the Cygnus PHY and BCM7xxx PHY drivers which require setting these bits. broadcom.c is unchanged because some PHYs even use a different selector method, so let them specify it directly (e.g: SerDes secondary selector). Fixes: a1cba5613edf ("net: phy: Add Broadcom phy library for common interfaces") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/phy/bcm-cygnus.c | 6 +++--- drivers/net/phy/bcm-phy-lib.h | 7 +++++++ drivers/net/phy/bcm7xxx.c | 4 ++-- 3 files changed, 12 insertions(+), 5 deletions(-) commit 733a969a7ed14fc5786bcc59c1bdda83c7ddb46e Author: Florian Fainelli Date: Tue May 22 16:22:26 2018 -0700 net: phy: broadcom: Fix auxiliary control register reads We are currently doing auxiliary control register reads with the shadow register value 0b111 (0x7) which incidentally is also the selector value that should be present in bits [2:0]. Fix this by using the appropriate selector mask which is defined (MII_BCM54XX_AUXCTL_SHDWSEL_MASK). This does not have a functional impact yet because we always access the MII_BCM54XX_AUXCTL_SHDWSEL_MISC (0x7) register in the current code. This might change at some point though. Fixes: 5b4e29005123 ("net: phy: broadcom: add bcm54xx_auxctl_read") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/phy/bcm-phy-lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2eabd764cb5512f1338d06ffc054c8bc9fbe9104 Author: Roopa Prabhu Date: Tue May 22 13:44:51 2018 -0700 net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Signed-off-by: Roopa Prabhu Signed-off-by: David S. Miller net/ipv4/fib_frontend.c | 1 + 1 file changed, 1 insertion(+) commit 4f7f56b6b11296909897696c0ad09d420b34208a Author: Colin Ian King Date: Tue May 22 16:42:51 2018 +0100 net/mlx4: fix spelling mistake: "Inrerface" -> "Interface" and rephrase message Trivial fix to spelling mistake in mlx4_dbg debug message and also change the phrasing of the message so that is is more readable Signed-off-by: Colin Ian King Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/intf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 73f9d36440a3bbaa034013e17d2032a905552ab2 Author: Nathan Fontenot Date: Tue May 22 11:21:10 2018 -0500 ibmvnic: Only do H_EOI for mobility events When enabling the sub-CRQ IRQ a previous update sent a H_EOI prior to the enablement to clear any pending interrupts that may be present across a partition migration. This fixed a firmware bug where a migration could erroneously indicate that a H_EOI was pending. The H_EOI should only be sent when enabling during a mobility event though. Doing so at other time could wrong and can produce extra driver output when IRQs are enabled when doing TX completion. Signed-off-by: Nathan Fontenot Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit 40f7090bb1b4ec327ea1e1402ff5783af5b35195 Author: Benjamin Tissoires Date: Tue May 22 17:19:57 2018 -0700 Input: elan_i2c_smbus - fix corrupted stack New ICs (like the one on the Lenovo T480s) answer to ETP_SMBUS_IAP_VERSION_CMD 4 bytes instead of 3. This corrupts the stack as i2c_smbus_read_block_data() uses the values returned by the i2c device to know how many data it need to return. i2c_smbus_read_block_data() can read up to 32 bytes (I2C_SMBUS_BLOCK_MAX) and there is no safeguard on how many bytes are provided in the return value. Ensure we always have enough space for any future firmware. Also 0-initialize the values to prevent any access to uninitialized memory. Cc: # v4.4.x, v4.9.x, v4.14.x, v4.15.x, v4.16.x Signed-off-by: Benjamin Tissoires Acked-by: KT Liao Signed-off-by: Dmitry Torokhov drivers/input/mouse/elan_i2c_smbus.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) commit ad8fb554f04e38f155c9bc34bbf521fc592ceee7 Author: Benjamin Tissoires Date: Tue May 22 17:16:08 2018 -0700 Input: synaptics - add Lenovo 80 series ids to SMBus This time, Lenovo decided to go with different pieces in its latest series of Thinkpads. For those we have been able to test: - the T480 is using Synaptics with an IBM trackpoint -> it behaves properly with or without intertouch, there is no point not using RMI4 - the X1 Carbon 6th gen is using Synaptics with an IBM trackpoint -> the touchpad doesn't behave properly under PS/2 so we have to switch it to RMI4 if we do not want to have disappointed users - the X280 is using Synaptics with an ALPS trackpoint -> the recent fixes in the trackpoint handling fixed it so upstream now works fine with or without RMI4, and there is no point not using RMI4 - the T480s is using an Elan touchpad, so that's a different story Cc: # v4.14.x, v4.15.x, v4.16.x Signed-off-by: Benjamin Tissoires Acked-by: KT Liao Signed-off-by: Dmitry Torokhov drivers/input/mouse/synaptics.c | 2 ++ 1 file changed, 2 insertions(+) commit 5717a09aeaf62d197deba1fc7ccd6bc45f3a9dcc Author: Aaron Ma Date: Sat Feb 3 11:49:22 2018 -0800 Input: synaptics - add Intertouch support on X1 Carbon 6th and X280 Synaptics devices reported it has Intertouch support, and it fails via PS/2 as following logs: psmouse serio2: Failed to reset mouse on synaptics-pt/serio0 psmouse serio2: Failed to enable mouse on synaptics-pt/serio0 Set these new devices to use SMBus to fix this issue, then they report SMBus version 3 is using, patch: https://patchwork.kernel.org/patch/9989547/ enabled SMBus ver 3 and makes synaptics devices work fine on SMBus mode. Signed-off-by: Aaron Ma Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/mouse/synaptics.c | 2 ++ 1 file changed, 2 insertions(+) commit 15e2cffec3aa0d47a8d75ae80e1b136bfb5dff30 Author: Edvard Holst Date: Sat Feb 3 11:46:15 2018 -0800 Input: synaptics - Lenovo Thinkpad X1 Carbon G5 (2017) with Elantech trackpoints should use RMI Lenovo use two different trackpoints in the fifth generation Thinkpad X1 Carbon. Both are accessible over SMBUS/RMI but the pnpIDs are missing. This patch is for the Elantech trackpoint specifically which also reports SMB version 3 so rmi_smbus needs to be updated in order to handle it. For the record, I was not the first one to come up with this patch as it has been floating around the internet for a while now. However, I have spent significant time with testing and my efforts to find the original author of the patch have been unsuccessful. Signed-off-by: Edvard Holst Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/mouse/synaptics.c | 1 + 1 file changed, 1 insertion(+) commit ab1f1786baa32bbe8eaa9d1463395a6da1bd7795 Merge: 2f3ab62 813477a Author: David S. Miller Date: Wed May 23 14:45:42 2018 -0400 Merge tag 'wireless-drivers-for-davem-2018-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.17 Hopefully the last fixes for 4.17. ssb is again causing problems so we had to revert a commit and fix it better. Also a small fix to bcma and some MAINTAINERS file updates. ssb * fix regression with all module PCI cards, for example using b43 and b44 drivers * try again fixing a MIPS linker error bcma * fix truncated info log messages ==================== Signed-off-by: David S. Miller commit 9b2071028f8def49971a3b213ab6efd02a7e56e8 Author: Dmitry Torokhov Date: Fri Aug 18 12:08:13 2017 -0700 Input: synaptics - Lenovo Carbon X1 Gen5 (2017) devices should use RMI The touchpad on Lenovo Carbon X1 Gen 5 (2017 - Kabylake) is accessible over SMBUS/RMI, so let's activate it by default. Cc: stable@vger.kernel.org Reviewed-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov drivers/input/mouse/synaptics.c | 1 + 1 file changed, 1 insertion(+) commit 2f3ab6221e4c87960347d65c7cab9bd917d1f637 Author: Jason Wang Date: Tue May 22 14:21:04 2018 +0800 tuntap: correctly set SOCKWQ_ASYNC_NOSPACE When link is down, writes to the device might fail with -EIO. Userspace needs an indication when the status is resolved. As a fix, tun_net_open() attempts to wake up writers - but that is only effective if SOCKWQ_ASYNC_NOSPACE has been set in the past. This is not the case of vhost_net which only poll for EPOLLOUT after it meets errors during sendmsg(). This patch fixes this by making sure SOCKWQ_ASYNC_NOSPACE is set when socket is not writable or device is down to guarantee EPOLLOUT will be raised in either tun_chr_poll() or tun_sock_write_space() after device is up. Cc: Hannes Frederic Sowa Cc: Eric Dumazet Fixes: 1bd4978a88ac2 ("tun: honor IFF_UP in tun_get_user()") Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/tun.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit a43ad59a908055d288e524e559494805a6c7299e Merge: 419fc88 3d62b2a Author: David S. Miller Date: Wed May 23 13:36:19 2018 -0400 Merge branch 'virtio_net-mergeable-XDP' Jason Wang says: ==================== Fix several issues of virtio-net mergeable XDP Please review the patches that tries to fix several issues of virtio-net mergeable XDP. Changes from V1: - check against 1 before decreasing instead of resetting to 1 - typoe fixes ==================== Signed-off-by: David S. Miller commit 3d62b2a0db505bbf9ed0755f254e45d775f9807f Author: Jason Wang Date: Tue May 22 11:44:31 2018 +0800 virtio-net: fix leaking page for gso packet during mergeable XDP We need to drop refcnt to xdp_page if we see a gso packet. Otherwise it will be leaked. Fixing this by moving the check of gso packet above the linearizing logic. While at it, remove useless comment as well. Cc: John Fastabend Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers") Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/virtio_net.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) commit 850e088d5bbb333342fd4def08d0a4035f2b7126 Author: Jason Wang Date: Tue May 22 11:44:30 2018 +0800 virtio-net: correctly check num_buf during err path If we successfully linearize the packet, num_buf will be set to zero which may confuse error handling path which assumes num_buf is at least 1 and this can lead the code tries to pop the descriptor of next buffer. Fixing this by checking num_buf against 1 before decreasing. Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/virtio_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5d458a13dd59d04b4d6658a6d5b94d42732b15ae Author: Jason Wang Date: Tue May 22 11:44:29 2018 +0800 virtio-net: correctly transmit XDP buff after linearizing We should not go for the error path after successfully transmitting a XDP buffer after linearizing. Since the error path may try to pop and drop next packet and increase the drop counters. Fixing this by simply drop the refcnt of original page and go for xmit path. Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers") Cc: John Fastabend Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/virtio_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6890418bbb780f0ee9cf124055afa79777f1b4f1 Author: Jason Wang Date: Tue May 22 11:44:28 2018 +0800 virtio-net: correctly redirect linearized packet After a linearized packet was redirected by XDP, we should not go for the err path which will try to pop buffers for the next packet and increase the drop counter. Fixing this by just drop the page refcnt for the original page. Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") Reported-by: David Ahern Tested-by: David Ahern Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/virtio_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 419fc888e5396968620bb8f85beb7ab55293f04f Merge: d7db318 fed4825 Author: David S. Miller Date: Wed May 23 11:50:05 2018 -0400 Merge tag 'mac80211-for-davem-2018-05-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A handful of fixes: * hwsim radio dump wasn't working for the first radio * mesh was updating statistics incorrectly * a netlink message allocation was possibly too short * wiphy name limit was still too long * in certain cases regdb query could find a NULL pointer ==================== Signed-off-by: David S. Miller commit bee797529d7c1ea4e2803fda067d20edbc00bc3d Merge: 9ce8654 1179956 Author: Linus Torvalds Date: Wed May 23 08:20:49 2018 -0700 Merge tag 'mfd-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull MFD fix from Lee Jones: "A single cros_ec_spi fix correcting the handling for long-running commands" * tag 'mfd-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: mfd: cros_ec: Retry commands when EC is known to be busy commit 9ce8654323d69273b4977f76f11c9e2d345ab130 Merge: a048a07 92d7223 Author: Linus Torvalds Date: Wed May 23 08:18:33 2018 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha Pull alpha fixes from Matt Turner: "A few small changes for alpha" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha: alpha: io: reorder barriers to guarantee writeX() and iowriteX() ordering #2 alpha: simplify get_arch_dma_ops alpha: use dma_direct_ops for jensen commit 6a93cea15ed38e2dba4a0552483d28b7a87a03bd Author: Thomas Hellstrom Date: Wed May 23 16:14:54 2018 +0200 drm/vmwgfx: Schedule an fb dirty update after resume We have had problems displaying fbdev after a resume and as a workaround we have had to call vmw_fb_refresh(). This has had a number of unwanted side-effects. The root of the problem was, however that the coalesced fbdev dirty region was not empty on the first dirty_mark() after a resume, so a flush was never scheduled. Fix this by force scheduling an fbdev flush after resume, and remove the workaround. Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Reviewed-by: Deepak Rawat drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 5 ----- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 1 - drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 22 +++++++--------------- 3 files changed, 7 insertions(+), 21 deletions(-) commit f37230c0ad481091bc136788ff8b37dc86300c6d Author: Thomas Hellstrom Date: Wed May 23 16:13:20 2018 +0200 drm/vmwgfx: Fix host logging / guestinfo reading error paths The error paths were leaking opened channels. Fix by using dedicated error paths. Cc: Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Reviewed-by: Sinclair Yeh drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 48 ++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 17 deletions(-) commit 938ae7259c908ad031da35d551da297640bb640c Author: Thomas Hellstrom Date: Wed May 23 16:11:24 2018 +0200 drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros Depending on whether the kernel is compiled with frame-pointer or not, the temporary memory location used for the bp parameter in these macros is referenced relative to the stack pointer or the frame pointer. Hence we can never reference that parameter when we've modified either the stack pointer or the frame pointer, because then the compiler would generate an incorrect stack reference. Fix this by pushing the temporary memory parameter on a known location on the stack before modifying the stack- and frame pointers. Cc: Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Reviewed-by: Sinclair Yeh drivers/gpu/drm/vmwgfx/vmwgfx_msg.h | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) commit 1a2b80ecc7ad374e9ef6a3de6fdd032d94be2270 Author: Anders Roxell Date: Sat May 19 00:27:37 2018 +0200 selftests: net: reuseport_bpf_numa: don't fail if no numa support The reuseport_bpf_numa test case fails there's no numa support. The test shouldn't fail if there's no support it should be skipped. Fixes: 3c2c3c16aaf6 ("reuseport, bpf: add test case for bpf_get_numa_node_id") Signed-off-by: Anders Roxell Signed-off-by: Daniel Borkmann tools/testing/selftests/net/reuseport_bpf_numa.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a Author: Julian Anastasov Date: Sat May 19 18:22:35 2018 +0300 ipvs: fix buffer overflow with sync daemon and service syzkaller reports for buffer overflow for interface name when starting sync daemons [1] What we do is that we copy user structure into larger stack buffer but later we search NUL past the stack buffer. The same happens for sched_name when adding/editing virtual server. We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN being used as size in include/uapi/linux/ip_vs.h, so they include the space for NUL. As using strlcpy is wrong for unsafe source, replace it with strscpy and add checks to return EINVAL if source string is not NUL-terminated. The incomplete strlcpy fix comes from 2.6.13. For the netlink interface reduce the len parameter for IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME, so that we get proper EINVAL. [1] kernel BUG at lib/string.c:1052! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 0018:ffff8801c976f800 EFLAGS: 00010282 RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000 RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6 RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0 R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20 R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: strlen include/linux/string.h:270 [inline] strlcpy include/linux/string.h:293 [inline] do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 __do_sys_setsockopt net/socket.c:1914 [inline] __se_sys_setsockopt net/socket.c:1911 [inline] __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x447369 RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369 RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000 R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0 R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001 Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800 Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon") Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows") Signed-off-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) commit 8ecc4979b1bd9c94168e6fc92960033b7a951336 Author: Dominik Brodowski Date: Tue May 22 11:05:39 2018 +0200 x86/speculation: Simplify the CPU bug detection logic Only CPUs which speculate can speculate. Therefore, it seems prudent to test for cpu_no_speculation first and only then determine whether a specific speculating CPU is susceptible to store bypass speculation. This is underlined by all CPUs currently listed in cpu_no_speculation were present in cpu_no_spec_store_bypass as well. Signed-off-by: Dominik Brodowski Signed-off-by: Thomas Gleixner Cc: bp@suse.de Cc: konrad.wilk@oracle.com Link: https://lkml.kernel.org/r/20180522090539.GA24668@light.dominikbrodowski.net arch/x86/kernel/cpu/common.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) commit 0aa48468d00959c8a37cd3ac727284f4f7359151 Author: Konrad Rzeszutek Wilk Date: Mon May 21 17:54:49 2018 -0400 KVM/VMX: Expose SSBD properly to guests The X86_FEATURE_SSBD is an synthetic CPU feature - that is it bit location has no relevance to the real CPUID 0x7.EBX[31] bit position. For that we need the new CPU feature name. Fixes: 52817587e706 ("x86/cpufeatures: Disentangle SSBD enumeration") Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner Cc: kvm@vger.kernel.org Cc: "Radim Krčmář" Cc: stable@vger.kernel.org Cc: "H. Peter Anvin" Cc: Paolo Bonzini Link: https://lkml.kernel.org/r/20180521215449.26423-2-konrad.wilk@oracle.com arch/x86/kvm/cpuid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1 Author: Pablo Neira Ayuso Date: Wed May 16 22:58:33 2018 +0200 netfilter: nft_limit: fix packet ratelimiting Credit calculations for the packet ratelimiting are not correct, as per the applied ratelimit of 25/second and burst 8, a total of 33 packets should have been accepted. This is true in iptables(33) but not in nftables (~65). For packet ratelimiting, use: div_u64(limit->nsecs, limit->rate) * limit->burst; to calculate credit, just like in iptables' xt_limit does. Moreover, use default burst in iptables, users are expecting similar behaviour. Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_limit.c | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) commit 97a0549b15a0b466c47f6a0143a490a082c64b4e Author: Taehee Yoo Date: Thu May 17 22:49:49 2018 +0900 netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. But correct type is u8. so that sometimes incorrect value is dereferenced. Steps to reproduce: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %nft add rule ip filter input nftrace set 0 %nft monitor Sometimes, we can see trace messages. trace id 16767227 ip filter input packet: iif "enp2s0" ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0 ip ecn not-ect ip trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) trace id 16767227 ip filter input verdict continue trace id 16767227 ip filter input Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_meta.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit f0f59a2fab8e52b9d582b39da39f22230ca80aee Author: Sebastian Ott Date: Tue May 15 14:05:13 2018 +0200 s390/dasd: use blk_mq_rq_from_pdu for per request data Dasd uses completion_data from struct request to store per request private data - this is problematic since this member is part of a union which is also used by IO schedulers. Let the block layer maintain space for per request data behind each struct request. Fixes crashes on block layer timeouts like this one: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0000000000000000 TEID: 0000000000000483 Fault in home space mode while using kernel ASCE. AS:0000000001308007 R3:00000000fffc8007 S:00000000fffcc000 P:000000000000013d Oops: 0004 ilc:2 [#1] PREEMPT SMP Modules linked in: [...] CPU: 0 PID: 1480 Comm: kworker/0:2H Not tainted 4.17.0-rc4-00046-gaa3bcd43b5af #203 Hardware name: IBM 3906 M02 702 (LPAR) Workqueue: kblockd blk_mq_timeout_work Krnl PSW : 0000000067ac406b 00000000b6960308 (do_raw_spin_trylock+0x30/0x78) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000c00 0000000000000000 0000000000000000 0000000000000001 0000000000b9d3c8 0000000000000000 0000000000000001 00000000cf9639d8 0000000000000000 0700000000000000 0000000000000000 000000000099f09e 0000000000000000 000000000076e9d0 000000006247bb08 000000006247bae0 Krnl Code: 00000000001c159c: b90400c2 lgr %r12,%r2 00000000001c15a0: a7180000 lhi %r1,0 #00000000001c15a4: 583003a4 l %r3,932 >00000000001c15a8: ba132000 cs %r1,%r3,0(%r2) 00000000001c15ac: a7180001 lhi %r1,1 00000000001c15b0: a784000b brc 8,1c15c6 00000000001c15b4: c0e5004e72aa brasl %r14,b8fb08 00000000001c15ba: 1812 lr %r1,%r2 Call Trace: ([<0700000000000000>] 0x700000000000000) [<0000000000b9d3d2>] _raw_spin_lock_irqsave+0x7a/0xb8 [<000000000099f09e>] dasd_times_out+0x46/0x278 [<000000000076ea6e>] blk_mq_terminate_expired+0x9e/0x108 [<000000000077497a>] bt_for_each+0x102/0x130 [<0000000000774e54>] blk_mq_queue_tag_busy_iter+0x74/0xd8 [<000000000076fea0>] blk_mq_timeout_work+0x260/0x320 [<0000000000169dd4>] process_one_work+0x3bc/0x708 [<000000000016a382>] worker_thread+0x262/0x408 [<00000000001723a8>] kthread+0x160/0x178 [<0000000000b9e73a>] kernel_thread_starter+0x6/0xc [<0000000000b9e734>] kernel_thread_starter+0x0/0xc INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000000000b9d3cc>] _raw_spin_lock_irqsave+0x74/0xb8 Kernel panic - not syncing: Fatal exception: panic_on_oops Signed-off-by: Sebastian Ott Reviewed-by: Stefan Haberland Signed-off-by: Martin Schwidefsky drivers/s390/block/dasd.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 11799564fc7eedff50801950090773928f867996 Author: Brian Norris Date: Tue May 22 17:23:10 2018 -0700 mfd: cros_ec: Retry commands when EC is known to be busy Commit 001dde9400d5 ("mfd: cros ec: spi: Fix "in progress" error signaling") pointed out some bad code, but its analysis and conclusion was not 100% correct. It *is* correct that we should not propagate result==EC_RES_IN_PROGRESS for transport errors, because this has a special meaning -- that we should follow up with EC_CMD_GET_COMMS_STATUS until the EC is no longer busy. This is definitely the wrong thing for many commands, because among other problems, EC_CMD_GET_COMMS_STATUS doesn't actually retrieve any RX data from the EC, so commands that expected some data back will instead start processing junk. For such commands, the right answer is to either propagate the error (and return that error to the caller) or resend the original command (*not* EC_CMD_GET_COMMS_STATUS). Unfortunately, commit 001dde9400d5 forgets a crucial point: that for some long-running operations, the EC physically cannot respond to commands any more. For example, with EC_CMD_FLASH_ERASE, the EC may be re-flashing its own code regions, so it can't respond to SPI interrupts. Instead, the EC prepares us ahead of time for being busy for a "long" time, and fills its hardware buffer with EC_SPI_PAST_END. Thus, we expect to see several "transport" errors (or, messages filled with EC_SPI_PAST_END). So we should really translate that to a retryable error (-EAGAIN) and continue sending EC_CMD_GET_COMMS_STATUS until we get a ready status. IOW, it is actually important to treat some of these "junk" values as retryable errors. Together with commit 001dde9400d5, this resolves bugs like the following: 1. EC_CMD_FLASH_ERASE now works again (with commit 001dde9400d5, we would abort the first time we saw EC_SPI_PAST_END) 2. Before commit 001dde9400d5, transport errors (e.g., EC_SPI_RX_BAD_DATA) seen in other commands (e.g., EC_CMD_RTC_GET_VALUE) used to yield junk data in the RX buffer; they will now yield -EAGAIN return values, and tools like 'hwclock' will simply fail instead of retrieving and re-programming undefined time values Fixes: 001dde9400d5 ("mfd: cros ec: spi: Fix "in progress" error signaling") Signed-off-by: Brian Norris Signed-off-by: Lee Jones drivers/mfd/cros_ec_spi.c | 24 ++++++++++++++++++++---- drivers/platform/chrome/cros_ec_proto.c | 2 ++ 2 files changed, 22 insertions(+), 4 deletions(-) commit a30e7d1e37e8acc37c25420d93af218166cca3ae Author: Vincent Chen Date: Mon May 21 14:36:22 2018 +0800 nds32: Fix compiler warning, Wstringop-overflow, in vdso.c Getting a compiler warning, Wstringop-overflow, in arch/nds32/kernel/vdso.c when kernel is built by gcc-8. Declaring vdso_start and vdso_end as a pointer to fix this compiler warning. Signed-off-by: Vincent Chen Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/kernel/vdso.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit aaaaba57509526ce924f997d8690ee9e0c93945a Author: Vincent Chen Date: Mon May 14 18:56:35 2018 +0800 nds32: Disable local irq before calling cpu_dcache_wb_page in copy_user_highpage In order to ensure that all data in source page has been written back to memory before copy_page, the local irq shall be disabled before calling cpu_dcache_wb_page(). In addition, removing unneeded page invalidation for 'to' page. Signed-off-by: Vincent Chen Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/mm/cacheflush.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 5b9f95699b2166e06b7d7820c8173fdbff0ddf35 Author: Vincent Chen Date: Mon May 14 16:56:53 2018 +0800 nds32: Flush the cache of the page at vmaddr instead of kaddr in flush_anon_page According to Documentation/cachetlb.txt, the cache of the page at vmaddr shall be flushed in flush_anon_page instead of the cache of the page at page_address(page). Signed-off-by: Vincent Chen Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/mm/cacheflush.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit efcc4ea872edaeded28245d9b2ca8b9d8181b7cf Author: Vincent Chen Date: Tue Apr 24 15:08:46 2018 +0800 nds32: Correct flush_dcache_page function 1. Disable local irq before d-cache write-back and invalidate. The cpu_dcache_wbinval_page function is composed of d-cache write-back and invalidate. If the local irq is enabled when calling cpu_dcache_wbinval_page, the content of d-cache is possibly updated between write-back and invalidate. In this case, the updated data will be dropped due to the following d-cache invalidation. Therefore, we disable the local irq before calling cpu_dcache_wbinval_page. 2. Correct the data write-back for page aliasing case. Only the page whose (page->index << PAGE_SHIFT) is located at the same page color as page_address(page) needs to execute data write-back in flush_dcache_page function. Signed-off-by: Vincent Chen Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/mm/cacheflush.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) commit 1613de8a785d21b3aac73d2a2e640b66d514393b Author: Nickhu Date: Thu May 3 10:15:56 2018 +0800 nds32: Fix the unaligned access handler If the kernel config 'CONFIG_ALIGNMENT_TRAP' and the file '/proc/sys/nds32/unaligned_access/enable' are set, the kernel unaligned access handler does not handle correctly when the value of immediate field is negative. This commit fixes the unaligned access handler in kernel. Signed-off-by: Nickhu Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/mm/alignment.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit b3a75846a5cfbea137e2810b2bf9407141e70feb Author: Nickhu Date: Fri May 4 16:40:11 2018 +0800 nds32: Renaming the file for unaligned access Change the name of the file '/proc/sys/nds32/unaligned_acess' to '/proc/sys/nds32/unaligned_access' Signed-off-by: Nickhu Reviewed-by: Greentime Hu Signed-off-by: Greentime Hu arch/nds32/mm/alignment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit abb90a24eade1f612324de0e6920041ef64795cb Author: Greentime Hu Date: Mon Apr 30 15:02:27 2018 +0800 nds32: To fix a cache inconsistency issue by setting correct cacheability of NTC The nds32 architecture will use physical memory when interrupt or exception comes and it will use the setting of NTC0-4. The original implementation didn't consider the DRAM start address may start from 1GB, 2GB or 3GB to cause this issue. It will write the data to DRAM if it is running in physical address however kernel will read the data with virtaul address through data cache. In this case, the data of DRAM is latest. This fix will set the correct cacheability to let kernel write/read the latest data in cache instead of DRAM. Signed-off-by: Greentime Hu arch/nds32/include/asm/bitfield.h | 1 + arch/nds32/kernel/head.S | 28 +++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) commit 8769c223491a7fbb345021e7004cbdffe024eaf8 Author: Greentime Hu Date: Mon Apr 30 11:32:47 2018 +0800 nds32: To refine readability of INT_MASK_INITAIAL_VAL Refine readability of INT_MASK_INITAIAL_VAL with meaningful macro instead of magic number. Signed-off-by: Greentime Hu arch/nds32/include/asm/bitfield.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3ff2228dcea4e5c9b517375bd3aa9e3a1a3f29a0 Author: Greentime Hu Date: Mon Apr 30 11:21:18 2018 +0800 nds32: Fix the virtual address may map too much range by tlbop issue. We use tlbop to map virtual address in the first beginning, however it may map too much if DRAM size is not that big. We have to invalidate the mapping when the page table is created. Signed-off-by: Greentime Hu arch/nds32/kernel/setup.c | 3 +++ 1 file changed, 3 insertions(+) commit b3b112bb06eb26ce44af63d599aaf5fe54de0699 Author: Greentime Hu Date: Thu Apr 19 16:26:43 2018 +0800 nds32: Fix the allmodconfig build. To make sure CONFIG_CPU_LITTLE_ENDIAN is default y This way we can build kernel with CONFIG_CPU_LITTLE_ENDIAN=y. Build allmodconfig and allnoconfig are available too. It also fixes the endian mismatch issue because AFLAGS and LDFLAGS is not passed correctly. Signed-off-by: Vincent Ren-Wei Chen Signed-off-by: Greentime Hu arch/nds32/Kconfig.cpu | 5 +++-- arch/nds32/Makefile | 4 ++++ 2 files changed, 7 insertions(+), 2 deletions(-) commit c8c20f9c162da25ea0893d5c5ded3a89382a2b5e Author: Greentime Hu Date: Thu Apr 19 16:04:36 2018 +0800 nds32: Fix build failed because arch_trace_hardirqs_off is changed to trace_hardirqs_off. It broke the 'allmodconfig' build when CONFIG_TRACE_IRQFLAGS is enabled. Signed-off-by: Nick Chun-Ming Hu Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/kernel/ex-entry.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bb912671e36552e11352a6b749dcf68b0df6ad01 Author: Greentime Hu Date: Thu Apr 19 15:59:38 2018 +0800 nds32: Fix the unknown type u8 issue. It broke the 'allmodconfig' build. We need to include to make sure the type is defined before using it. Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/include/asm/io.h | 2 ++ 1 file changed, 2 insertions(+) commit e3f4624388731eb475ef7494b43440b3ad9269e1 Author: Greentime Hu Date: Thu Apr 19 15:45:45 2018 +0800 nds32: Fix the symbols undefined issue by exporting them. It broke the 'allmodconfig' build. LD vmlinux SYSMAP System.map Building modules, stage 2. MODPOST 5028 modules ERROR: "flush_dcache_page" [net/sunrpc/xprtrdma/rpcrdma.ko] undefined! ERROR: "empty_zero_page" [net/ceph/libceph.ko] undefined! ERROR: "save_stack_trace" [kernel/backtracetest.ko] undefined! ERROR: "clear_page" [fs/ocfs2/dlm/ocfs2_dlm.ko] undefined! ERROR: "copy_page" [fs/nilfs2/nilfs2.ko] undefined! ... Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/include/asm/Kbuild | 1 + arch/nds32/include/asm/page.h | 3 +++ arch/nds32/kernel/stacktrace.c | 2 ++ arch/nds32/lib/copy_page.S | 3 +++ arch/nds32/mm/cacheflush.c | 22 ++++++++++++++++++++++ arch/nds32/mm/init.c | 1 + 6 files changed, 32 insertions(+) commit 03969d0b3a3f6a7cd2c731eed1c4ccf76da88586 Author: Greentime Hu Date: Thu Apr 19 15:38:58 2018 +0800 nds32: Fix xfs_buf built failed by export invalidate_kernel_vmap_range and flush_kernel_vmap_range It broke the 'allmodconfig' build. fs/xfs/xfs_buf.c: In function 'xfs_buf_bio_end_io': fs/xfs/xfs_buf.c:1242:3: error: implicit declaration of function 'invalidate_kernel_vmap_range' [-Werror=implicit-function-declaration] invalidate_kernel_vmap_range(bp->b_addr, xfs_buf_vmap_len(bp)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ fs/xfs/xfs_buf.c: In function 'xfs_buf_ioapply_map': fs/xfs/xfs_buf.c:1312:4: error: implicit declaration of function 'flush_kernel_vmap_range' [-Werror=implicit-function-declaration] flush_kernel_vmap_range(bp->b_addr, ^~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/include/asm/cacheflush.h | 2 ++ arch/nds32/mm/cacheflush.c | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) commit 8cedb78fdf82468020a2f3b24ef63ccd397662a2 Author: Greentime Hu Date: Thu Apr 19 11:33:01 2018 +0800 nds32: Fix drivers/gpu/drm/udl/udl_fb.c building error by defining PAGE_SHARED It broke the 'allmodconfig' build. drivers/gpu/drm/udl/udl_fb.c: In function 'udl_fb_mmap': drivers/gpu/drm/udl/udl_fb.c:183:52: error: 'PAGE_SHARED' undeclared (first use in this function) if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) ^~~~~~~~~~~ drivers/gpu/drm/udl/udl_fb.c:183:52: note: each undeclared identifier is reported only once for each function it appears in make[4]: *** [drivers/gpu/drm/udl/udl_fb.o] Error 1 Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/include/asm/pgtable.h | 1 + 1 file changed, 1 insertion(+) commit 81560e011a3420db03f7b021d1bc37a2242634f7 Author: Greentime Hu Date: Thu Apr 19 11:27:59 2018 +0800 nds32: Fix building error of crypto/xor.c by adding xor.h When I compiled with allmodconfig, it caused this building failed. crypto/xor.c:25:21: fatal error: asm/xor.h: No such file or directory #include ^ compilation terminated. Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/include/asm/Kbuild | 1 + 1 file changed, 1 insertion(+) commit 6ca4b262dbc94b3ed5fd4c8c1ad4d86616286779 Author: Greentime Hu Date: Thu Apr 19 11:17:35 2018 +0800 nds32: Fix building error when CONFIG_FREEZE is enabled. To include kernel/Kconfig.freezer to make sure the dependency between CONFIG_CGROUP_FREEZER and CONFIG_FREEZER It will cause building error when I make allmodconfig. kernel/cgroup/freezer.c: In function 'freezer_css_online': kernel/cgroup/freezer.c:116:15: error: 'system_freezing_cnt' undeclared (first use in this function) atomic_inc(&system_freezing_cnt); ^~~~~~~~~~~~~~~~~~~ kernel/cgroup/freezer.c:116:15: note: each undeclared identifier is reported only once for each function it appears in kernel/cgroup/freezer.c: In function 'freezer_css_offline': kernel/cgroup/freezer.c:137:15: error: 'system_freezing_cnt' undeclared (first use in this function) atomic_dec(&system_freezing_cnt); ^~~~~~~~~~~~~~~~~~~ kernel/cgroup/freezer.c: In function 'freezer_attach': kernel/cgroup/freezer.c:181:4: error: implicit declaration of function 'freeze_task' [-Werror=implicit-function-declaration] freeze_task(task); ^~~~~~~~~~~ kernel/cgroup/freezer.c: In function 'freezer_apply_state': kernel/cgroup/freezer.c:360:16: error: 'system_freezing_cnt' undeclared (first use in this function) atomic_inc(&system_freezing_cnt); ^~~~~~~~~~~~~~~~~~~ Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/Kconfig | 1 + 1 file changed, 1 insertion(+) commit aeaa7af744fadf5fa03bdea2d12ecc0fa2a41542 Author: Greentime Hu Date: Thu Apr 19 11:06:31 2018 +0800 nds32: lib: To use generic lib instead of libgcc to prevent the symbol undefined issue. We can use the generic lib to fix these error because the symbol of libgcc in toolchain is not exported. ERROR: "__ucmpdi2" [fs/xfs/xfs.ko] undefined! ERROR: "__ashrdi3" [fs/xfs/xfs.ko] undefined! ERROR: "__lshrdi3" [fs/xfs/xfs.ko] undefined! ERROR: "__ashldi3" [fs/ntfs/ntfs.ko] undefined! ... Signed-off-by: Greentime Hu Acked-by: Arnd Bergmann arch/nds32/Kconfig | 6 ++++++ arch/nds32/Makefile | 3 --- 2 files changed, 6 insertions(+), 3 deletions(-) commit 92d7223a74235054f2aa7227d207d9c57f84dca0 Author: Sinan Kaya Date: Mon Apr 16 18:16:56 2018 -0400 alpha: io: reorder barriers to guarantee writeX() and iowriteX() ordering #2 memory-barriers.txt has been updated with the following requirement. "When using writel(), a prior wmb() is not needed to guarantee that the cache coherent memory writes have completed before writing to the MMIO region." Current writeX() and iowriteX() implementations on alpha are not satisfying this requirement as the barrier is after the register write. Move mb() in writeX() and iowriteX() functions to guarantee that HW observes memory changes before performing register operations. Signed-off-by: Sinan Kaya Reported-by: Arnd Bergmann Signed-off-by: Matt Turner arch/alpha/kernel/io.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit f5e82fa26063e6fad10624ff600457d878fa6e41 Author: Christoph Hellwig Date: Wed May 9 16:04:52 2018 +0200 alpha: simplify get_arch_dma_ops Remove the dma_ops indirection. Signed-off-by: Christoph Hellwig Signed-off-by: Matt Turner arch/alpha/include/asm/dma-mapping.h | 4 ++-- arch/alpha/kernel/pci_iommu.c | 4 +--- 2 files changed, 3 insertions(+), 5 deletions(-) commit 6db615431a21b6057f68ed87583a663ee69f7601 Author: Christoph Hellwig Date: Wed May 9 16:04:51 2018 +0200 alpha: use dma_direct_ops for jensen The generic dma_direct implementation does the same thing as the alpha pci-noop implementation, just with more bells and whistles. And unlike the current code it at least has a theoretical chance to actually compile. Signed-off-by: Christoph Hellwig Signed-off-by: Matt Turner arch/alpha/Kconfig | 1 + arch/alpha/include/asm/dma-mapping.h | 4 ++++ arch/alpha/kernel/pci-noop.c | 33 --------------------------------- 3 files changed, 5 insertions(+), 33 deletions(-) commit d7db318651d5430eb79eceef1e6aa9b084ae78e6 Author: Bo Chen Date: Mon May 21 14:44:49 2018 -0700 pcnet32: add an error handling path in pcnet32_probe_pci() Make sure to invoke pci_disable_device() when errors occur in pcnet32_probe_pci(). Signed-off-by: Bo Chen Signed-off-by: David S. Miller drivers/net/ethernet/amd/pcnet32.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit fdd13dd350dda1826579eb5c333d76b14513b812 Author: Shahed Shaikh Date: Mon May 21 12:31:47 2018 -0700 qed: Fix mask for physical address in ILT entry ILT entry requires 12 bit right shifted physical address. Existing mask for ILT entry of physical address i.e. ILT_ENTRY_PHY_ADDR_MASK is not sufficient to handle 64bit address because upper 8 bits of 64 bit address were getting masked which resulted in completer abort error on PCIe bus due to invalid address. Fix that mask to handle 64bit physical address. Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support") Signed-off-by: Shahed Shaikh Signed-off-by: Ariel Elior Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 66fb33254f45df4b049f487aff1cbde1ef919390 Author: Eric Dumazet Date: Mon May 21 10:51:53 2018 -0700 ipmr: properly check rhltable_init() return value commit 8fb472c09b9d ("ipmr: improve hash scalability") added a call to rhltable_init() without checking its return value. This problem was then later copied to IPv6 and factorized in commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table") kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 31552 Comm: syz-executor7 Not tainted 4.17.0-rc5+ #60 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:rht_key_hashfn include/linux/rhashtable.h:277 [inline] RIP: 0010:__rhashtable_lookup include/linux/rhashtable.h:630 [inline] RIP: 0010:rhltable_lookup include/linux/rhashtable.h:716 [inline] RIP: 0010:mr_mfc_find_parent+0x2ad/0xbb0 net/ipv4/ipmr_base.c:63 RSP: 0018:ffff8801826aef70 EFLAGS: 00010203 RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffc90001ea0000 RDX: 0000000000000079 RSI: ffffffff8661e859 RDI: 000000000000000c RBP: ffff8801826af1c0 R08: ffff8801b2212000 R09: ffffed003b5e46c2 R10: ffffed003b5e46c2 R11: ffff8801daf23613 R12: dffffc0000000000 R13: ffff8801826af198 R14: ffff8801cf8225c0 R15: ffff8801826af658 FS: 00007ff7fa732700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000003ffffff9c CR3: 00000001b0210000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6mr_cache_find_parent net/ipv6/ip6mr.c:981 [inline] ip6mr_mfc_delete+0x1fe/0x6b0 net/ipv6/ip6mr.c:1221 ip6_mroute_setsockopt+0x15c6/0x1d70 net/ipv6/ip6mr.c:1698 do_ipv6_setsockopt.isra.9+0x422/0x4660 net/ipv6/ipv6_sockglue.c:163 ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:922 rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1060 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 __do_sys_setsockopt net/socket.c:1914 [inline] __se_sys_setsockopt net/socket.c:1911 [inline] __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 8fb472c09b9d ("ipmr: improve hash scalability") Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table") Signed-off-by: Eric Dumazet Cc: Nikolay Aleksandrov Cc: Yuval Mintz Reported-by: syzbot Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller net/ipv4/ipmr_base.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 2677d20677314101293e6da0094ede7b5526d2b1 Author: Alexey Kodanev Date: Mon May 21 19:28:44 2018 +0300 dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() Syzbot reported the use-after-free in timer_is_static_object() [1]. This can happen because the structure for the rto timer (ccid2_hc_tx_sock) is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be called after that. The report [1] is similar to the one in commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same, delay freeing ccid2_hc_tx_sock structure, so that it is freed in dccp_sk_destruct(). [1] ================================================================== BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90 kernel/time/timer.c:607 Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299 CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 timer_is_static_object+0x80/0x90 kernel/time/timer.c:607 debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508 debug_timer_activate kernel/time/timer.c:709 [inline] debug_activate kernel/time/timer.c:764 [inline] __mod_timer kernel/time/timer.c:1041 [inline] mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102 sk_reset_timer+0x22/0x60 net/core/sock.c:2742 ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x79e/0xc50 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1d1/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:525 [inline] smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 ... Allocated by task 25374: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151 dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44 __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344 dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538 dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128 dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408 dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415 dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197 dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215 NF_HOOK include/linux/netfilter.h:288 [inline] ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256 dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396 NF_HOOK include/linux/netfilter.h:288 [inline] ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657 process_backlog+0x219/0x760 net/core/dev.c:5337 napi_poll net/core/dev.c:5735 [inline] net_rx_action+0x7b7/0x1930 net/core/dev.c:5801 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 Freed by task 25374: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190 dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286 dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460 sock_release+0x96/0x1b0 net/socket.c:594 sock_close+0x16/0x20 net/socket.c:1149 __fput+0x34d/0x890 fs/file_table.c:209 ____fput+0x15/0x20 fs/file_table.c:243 task_work_run+0x1e4/0x290 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:265 [inline] do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801bebb4cc0 which belongs to the cache ccid2_hc_tx_sock of size 1240 The buggy address is located 1112 bytes inside of 1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198) The buggy address belongs to the page: page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0 index:0xffff8801bebb5240 compound_mapcount: 0 flags: 0x2fffc0000008100(slab|head) raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003 raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000 page dumped because: kasan: bad access detected ... ================================================================== Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com Signed-off-by: Alexey Kodanev Signed-off-by: David S. Miller net/dccp/proto.c | 2 -- 1 file changed, 2 deletions(-) commit 6009d1fe6ba3bb2dab55921da60465329cc1cd89 Author: Wenwen Wang Date: Mon May 21 01:58:07 2018 -0500 isdn: eicon: fix a missing-check bug In divasmain.c, the function divas_write() firstly invokes the function diva_xdi_open_adapter() to open the adapter that matches with the adapter number provided by the user, and then invokes the function diva_xdi_write() to perform the write operation using the matched adapter. The two functions diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c. In diva_xdi_open_adapter(), the user command is copied to the object 'msg' from the userspace pointer 'src' through the function pointer 'cp_fn', which eventually calls copy_from_user() to do the copy. Then, the adapter number 'msg.adapter' is used to find out a matched adapter from the 'adapter_queue'. A matched adapter will be returned if it is found. Otherwise, NULL is returned to indicate the failure of the verification on the adapter number. As mentioned above, if a matched adapter is returned, the function diva_xdi_write() is invoked to perform the write operation. In this function, the user command is copied once again from the userspace pointer 'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as both of them are from the 'buf' pointer in divas_write(). Similarly, the copy is achieved through the function pointer 'cp_fn', which finally calls copy_from_user(). After the successful copy, the corresponding command processing handler of the matched adapter is invoked to perform the write operation. It is obvious that there are two copies here from userspace, one is in diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of these two copies share the same source userspace pointer, i.e., the 'buf' pointer in divas_write(). Given that a malicious userspace process can race to change the content pointed by the 'buf' pointer, this can pose potential security issues. For example, in the first copy, the user provides a valid adapter number to pass the verification process and a valid adapter can be found. Then the user can modify the adapter number to an invalid number. This way, the user can bypass the verification process of the adapter number and inject inconsistent data. This patch reuses the data copied in diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the above issues can be avoided. Signed-off-by: Wenwen Wang Signed-off-by: David S. Miller drivers/isdn/hardware/eicon/diva.c | 22 +++++++++++++++------- drivers/isdn/hardware/eicon/diva.h | 5 +++-- drivers/isdn/hardware/eicon/divasmain.c | 18 +++++++++++------- 3 files changed, 29 insertions(+), 16 deletions(-) commit 1f508124e987fac97ac1765e3fbb83da36f47107 Author: Fabio Estevam Date: Sun May 20 13:55:19 2018 -0300 net: fec: Add a SPDX identifier Currently there is no license information in the header of this file. The MODULE_LICENSE field contains ("GPL"), which means GNU Public License v2 or later, so add a corresponding SPDX license identifier. Signed-off-by: Fabio Estevam Acked-by: Fugang Duan Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 1 + 1 file changed, 1 insertion(+) commit 9fcca5effcc02088a956f367b3c8d564c4b45450 Author: Fabio Estevam Date: Sun May 20 13:55:18 2018 -0300 net: fec: ptp: Switch to SPDX identifier Adopt the SPDX license identifier headers to ease license compliance management. Signed-off-by: Fabio Estevam Acked-by: Fugang Duan Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_ptp.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) commit 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 Author: Xin Long Date: Sun May 20 16:39:10 2018 +0800 sctp: fix the issue that flags are ignored when using kernel_connect Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags param can't be passed into its proto .connect where this flags is really needed. sctp works around it by getting flags from socket file in __sctp_connect. It works for connecting from userspace, as inherently the user sock has socket file and it passes f_flags as the flags param into the proto_ops .connect. However, the sock created by sock_create_kern doesn't have a socket file, and it passes the flags (like O_NONBLOCK) by using the flags param in kernel_connect, which calls proto_ops .connect later. So to fix it, this patch defines a new proto_ops .connect for sctp, sctp_inet_connect, which calls __sctp_connect() directly with this flags param. After this, the sctp's proto .connect can be removed. Note that sctp_inet_connect doesn't need to do some checks that are not needed for sctp, which makes thing better than with inet_dgram_connect. Suggested-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Acked-by: Neil Horman Acked-by: Marcelo Ricardo Leitner Reviewed-by: Michal Kubecek Signed-off-by: David S. Miller include/net/sctp/sctp.h | 2 ++ net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 2 +- net/sctp/socket.c | 51 +++++++++++++++++++++++++++++++++---------------- 4 files changed, 39 insertions(+), 18 deletions(-) commit cc19846079a70abcfd91b5a0791a5f17d69458a5 Author: Peter Maydell Date: Tue May 22 17:11:20 2018 +0100 arm64: fault: Don't leak data in ESR context for user fault on kernel VA If userspace faults on a kernel address, handing them the raw ESR value on the sigframe as part of the delivered signal can leak data useful to attackers who are using information about the underlying hardware fault type (e.g. translation vs permission) as a mechanism to defeat KASLR. However there are also legitimate uses for the information provided in the ESR -- notably the GCC and LLVM sanitizers use this to report whether wild pointer accesses by the application are reads or writes (since a wild write is a more serious bug than a wild read), so we don't want to drop the ESR information entirely. For faulting addresses in the kernel, sanitize the ESR. We choose to present userspace with the illusion that there is nothing mapped in the kernel's part of the address space at all, by reporting all faults as level 0 translation faults taken to EL1. These fields are safe to pass through to userspace as they depend only on the instruction that userspace used to provoke the fault: EC IL (always) ISV CM WNR (for all data aborts) All the other fields in ESR except DFSC are architecturally RES0 for an L0 translation fault taken to EL1, so can be zeroed out without confusing userspace. The illusion is not entirely perfect, as there is a tiny wrinkle where we will report an alignment fault that was not due to the memory type (for instance a LDREX to an unaligned address) as a translation fault, whereas if you do this on real unmapped memory the alignment fault takes precedence. This is not likely to trip anybody up in practice, as the only users we know of for the ESR information who care about the behaviour for kernel addresses only really want to know about the WnR bit. Signed-off-by: Peter Maydell Signed-off-by: Will Deacon arch/arm64/mm/fault.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) commit c62ec4610c40bcc44f2d3d5ed1c312737279e2f3 Author: Rafael J. Wysocki Date: Tue May 22 13:02:17 2018 +0200 PM / core: Fix direct_complete handling for devices with no callbacks Commit 08810a4119aa (PM / core: Add NEVER_SKIP and SMART_PREPARE driver flags) inadvertently prevented the power.direct_complete flag from being set for devices without PM callbacks and with disabled runtime PM which also prevents power.direct_complete from being set for their parents. That led to problems including a resume crash on HP ZBook 14u. Restore the previous behavior by causing power.direct_complete to be set for those devices again, but do that in a more direct way to avoid overlooking that case in the future. Link: https://bugzilla.kernel.org/show_bug.cgi?id=199693 Fixes: 08810a4119aa (PM / core: Add NEVER_SKIP and SMART_PREPARE driver flags) Reported-by: Thomas Martitz Tested-by: Thomas Martitz Cc: 4.15+ # 4.15+ Signed-off-by: Rafael J. Wysocki Reviewed-by: Ulf Hansson Reviewed-by: Johan Hovold drivers/base/power/main.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 813477aa49aac5deba04eb4956360dde58a0e807 Author: Kalle Valo Date: Fri May 18 19:08:13 2018 +0300 MAINTAINERS: change Kalle as wcn36xx maintainer Eugene hasn't worked on wcn36xx for some time now. Signed-off-by: Kalle Valo MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b561290995b2704cfc92bea6996818a3be36c592 Author: Kalle Valo Date: Fri May 18 19:08:12 2018 +0300 MAINTAINERS: change Kalle as ath.ko maintainer Luis hasn't worked on ath.ko for some time now. Acked-by: Luis R. Rodriguez Signed-off-by: Kalle Valo MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c76700ab337a022cbd620d6e36ac6bd1342331dd Author: Kalle Valo Date: Fri May 18 19:08:11 2018 +0300 MAINTAINERS: update Kalle's email address I switched to use my codeaurora.org address. Signed-off-by: Kalle Valo MAINTAINERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f3c6a2cfa5d74fb527b95d842e0a949e95845cea Author: George Cherian Date: Wed May 16 00:00:19 2018 -0700 i2c: xlp9xx: Add MAINTAINERS entry The i2c XLP9xx driver is maintained by Cavium. Add George Cherian and Jan Glauber as the Maintainers. Signed-off-by: George Cherian Acked-by: Jan Glauber Signed-off-by: Wolfram Sang MAINTAINERS | 8 ++++++++ 1 file changed, 8 insertions(+) commit fed4825096cfbbfd654cb292ab6eb193911aef01 Author: Andrew Zaborowski Date: Tue May 22 02:43:56 2018 +0200 mac80211_hwsim: Fix radio dump for radio idx 0 Since 6335698e24ec11e1324b916177da6721df724dd8 the radio with idx of 0 will not get dumped in HWSIM_CMD_GET_RADIO because of the last_idx checks. Offset cb->args[0] by 1 similarly to what is done in nl80211.c. Fixes: 6335698e24ec ("mac80211_hwsim: add generation count for netlink dump operation") Signed-off-by: Andrew Zaborowski Signed-off-by: Johannes Berg drivers/net/wireless/mac80211_hwsim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5247a77ced2d3396a32679c7480e8bcd5b26e471 Author: Haim Dreyfuss Date: Mon May 21 23:34:57 2018 +0300 cfg80211: fix NULL pointer derference when querying regdb Some drivers may call this function when regdb is not initialized yet, so we need to make sure regdb is valid before trying to access it. Make sure regdb is initialized before trying to access it in reg_query_regdb_wmm() and query_regdb(). Reported-by: Eric Biggers Signed-off-by: Haim Dreyfuss Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg net/wireless/reg.c | 3 +++ 1 file changed, 3 insertions(+) commit a048a07d7f4535baa4cbad6bc024f175317ab938 Author: Nicholas Piggin Date: Tue May 22 09:00:00 2018 +1000 powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit On some CPUs we can prevent a vulnerability related to store-to-load forwarding by preventing store forwarding between privilege domains, by inserting a barrier in kernel entry and exit paths. This is known to be the case on at least Power7, Power8 and Power9 powerpc CPUs. Barriers must be inserted generally before the first load after moving to a higher privilege, and after the last store before moving to a lower privilege, HV and PR privilege transitions must be protected. Barriers are added as patch sections, with all kernel/hypervisor entry points patched, and the exit points to lower privilge levels patched similarly to the RFI flush patching. Firmware advertisement is not implemented yet, so CPU flush types are hard coded. Thanks to Michal Suchánek for bug fixes and review. Signed-off-by: Nicholas Piggin Signed-off-by: Mauricio Faria de Oliveira Signed-off-by: Michael Neuling Signed-off-by: Michal Suchánek Signed-off-by: Michael Ellerman Signed-off-by: Linus Torvalds arch/powerpc/include/asm/exception-64s.h | 29 ++++++ arch/powerpc/include/asm/feature-fixups.h | 19 ++++ arch/powerpc/include/asm/security_features.h | 11 ++ arch/powerpc/kernel/exceptions-64s.S | 19 +++- arch/powerpc/kernel/security.c | 149 +++++++++++++++++++++++++++ arch/powerpc/kernel/vmlinux.lds.S | 14 +++ arch/powerpc/lib/feature-fixups.c | 115 +++++++++++++++++++++ arch/powerpc/platforms/powernv/setup.c | 1 + arch/powerpc/platforms/pseries/setup.c | 1 + 9 files changed, 356 insertions(+), 2 deletions(-) commit 35904d6e9683e8d0ea742d6889d93bea2e79888a Merge: 771c577 643ca19 Author: Dave Airlie Date: Tue May 22 10:54:50 2018 +1000 Merge branch 'drm/du/fixes' of git://linuxtv.org/pinchartl/media into drm-fixes Single regression fix for rcar-du lvds * 'drm/du/fixes' of git://linuxtv.org/pinchartl/media: drm: rcar-du: lvds: Fix crash in .atomic_check when disabling connector commit c85061e6e0ee07e131b929e6a17bb2e20d19b321 Merge: 5997aab a45b599 Author: Linus Torvalds Date: Mon May 21 17:39:32 2018 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two driver fixes (zfcp and target core), one information leak in sg and one build clean up" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() scsi: core: clean up generated file scsi_devinfo_tbl.c scsi: target: tcmu: fix error resetting qfull_time_out to default scsi: zfcp: fix infinite iteration on ERP ready list commit 5997aab0a11ea27ee8e520ecc551ed18fd3e8296 Merge: 3b78ce4 baf1056 Author: Linus Torvalds Date: Mon May 21 11:54:57 2018 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro: "Assorted fixes all over the place" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: aio: fix io_destroy(2) vs. lookup_ioctx() race ext2: fix a block leak nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed unfuck sysfs_mount() kernfs: deal with kernfs_fill_super() failures cramfs: Fix IS_ENABLED typo befs_lookup(): use d_splice_alias() affs_lookup: switch to d_splice_alias() affs_lookup(): close a race with affs_remove_link() fix breakage caused by d_find_alias() semantics change fs: don't scan the inode cache before SB_BORN is set do d_instantiate/unlock_new_inode combinations safely iov_iter: fix memory leak in pipe_get_pages_alloc() iov_iter: fix return type of __pipe_get_pages() commit eedffa28c9b00ca2dcb4d541b5a530f4c917052d Author: Jeff Layton Date: Mon May 21 14:35:03 2018 -0400 loop: clear wb_err in bd_inode when detaching backing file When a loop block device encounters a writeback error, that error will get propagated to the bd_inode's wb_err field. If we then detach the backing file from it, attach another and fsync it, we'll get back the writeback error that we had from the previous backing file. This is a bit of a grey area as POSIX doesn't cover loop devices, but it is somewhat counterintuitive. If we detach a backing file from the loopdev while there are still unreported errors, take it as a sign that we're no longer interested in the previous file, and clear out the wb_err in the loop blockdev. Reported-and-Tested-by: Theodore Y. Ts'o Signed-off-by: Jeff Layton Signed-off-by: Jens Axboe drivers/block/loop.c | 1 + 1 file changed, 1 insertion(+) commit baf10564fbb66ea222cae66fbff11c444590ffd9 Author: Al Viro Date: Sun May 20 16:46:23 2018 -0400 aio: fix io_destroy(2) vs. lookup_ioctx() race kill_ioctx() used to have an explicit RCU delay between removing the reference from ->ioctx_table and percpu_ref_kill() dropping the refcount. At some point that delay had been removed, on the theory that percpu_ref_kill() itself contained an RCU delay. Unfortunately, that was the wrong kind of RCU delay and it didn't care about rcu_read_lock() used by lookup_ioctx(). As the result, we could get ctx freed right under lookup_ioctx(). Tejun has fixed that in a6d7cff472e ("fs/aio: Add explicit RCU grace period when freeing kioctx"); however, that fix is not enough. Suppose io_destroy() from one thread races with e.g. io_setup() from another; CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2 has picked it (under rcu_read_lock()). Then CPU1 proceeds to drop the refcount, getting it to 0 and triggering a call of free_ioctx_users(), which proceeds to drop the secondary refcount and once that reaches zero calls free_ioctx_reqs(). That does INIT_RCU_WORK(&ctx->free_rwork, free_ioctx); queue_rcu_work(system_wq, &ctx->free_rwork); and schedules freeing the whole thing after RCU delay. In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the refcount from 0 to 1 and returned the reference to io_setup(). Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get freed until after percpu_ref_get(). Sure, we'd increment the counter before ctx can be freed. Now we are out of rcu_read_lock() and there's nothing to stop freeing of the whole thing. Unfortunately, CPU2 assumes that since it has grabbed the reference, ctx is *NOT* going away until it gets around to dropping that reference. The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss. It's not costlier than what we currently do in normal case, it's safe to call since freeing *is* delayed and it closes the race window - either lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx() fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see the object in question at all. Cc: stable@kernel.org Fixes: a6d7cff472e "fs/aio: Add explicit RCU grace period when freeing kioctx" Signed-off-by: Al Viro fs/aio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5aa1437d2d9a068c0334bd7c9dafa8ec4f97f13b Author: Al Viro Date: Thu May 17 17:18:30 2018 -0400 ext2: fix a block leak open file, unlink it, then use ioctl(2) to make it immutable or append only. Now close it and watch the blocks *not* freed... Immutable/append-only checks belong in ->setattr(). Note: the bug is old and backport to anything prior to 737f2e93b972 ("ext2: convert to use the new truncate convention") will need these checks lifted into ext2_setattr(). Cc: stable@kernel.org Signed-off-by: Al Viro fs/ext2/inode.c | 10 ---------- 1 file changed, 10 deletions(-) commit 3819bb0d79f50b05910db5bdc6d9ef512184e3b1 Author: Al Viro Date: Fri May 11 17:03:19 2018 -0400 nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed That can (and does, on some filesystems) happen - ->mkdir() (and thus vfs_mkdir()) can legitimately leave its argument negative and just unhash it, counting upon the lookup to pick the object we'd created next time we try to look at that name. Some vfs_mkdir() callers forget about that possibility... Acked-by: J. Bruce Fields Signed-off-by: Al Viro fs/nfsd/vfs.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) commit 9c3e9025a3f7ed25c99a0add8af65431c8043800 Author: Al Viro Date: Thu May 10 22:59:45 2018 -0400 cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed That can (and does, on some filesystems) happen - ->mkdir() (and thus vfs_mkdir()) can legitimately leave its argument negative and just unhash it, counting upon the lookup to pick the object we'd created next time we try to look at that name. Some vfs_mkdir() callers forget about that possibility... Signed-off-by: Al Viro fs/cachefiles/namei.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 7b745a4e4051e1bbce40e0b1c2cf636c70583aa4 Author: Al Viro Date: Mon May 14 00:03:34 2018 -0400 unfuck sysfs_mount() new_sb is left uninitialized in case of early failures in kernfs_mount_ns(), and while IS_ERR(root) is true in all such cases, using IS_ERR(root) || !new_sb is not a solution - IS_ERR(root) is true in some cases when new_sb is true. Make sure new_sb is initialized (and matches the reality) in all cases and fix the condition for dropping kobj reference - we want it done precisely in those situations where the reference has not been transferred into a new super_block instance. Signed-off-by: Al Viro fs/sysfs/mount.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 82382acec0c97b91830fff7130d0acce4ac4f3f3 Author: Al Viro Date: Tue Apr 3 00:22:29 2018 -0400 kernfs: deal with kernfs_fill_super() failures make sure that info->node is initialized early, so that kernfs_kill_sb() can list_del() it safely. Signed-off-by: Al Viro fs/kernfs/mount.c | 1 + 1 file changed, 1 insertion(+) commit 08a8f3086880325433d66b2dc9cdfb3f095adddf Author: Joe Perches Date: Sun May 13 15:05:47 2018 -0700 cramfs: Fix IS_ENABLED typo There's an extra C here... Fixes: 99c18ce580c6 ("cramfs: direct memory access support") Acked-by: Nicolas Pitre Signed-off-by: Joe Perches Signed-off-by: Al Viro fs/cramfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f4e4d434fe3f5eceea470bf821683677dabe39c4 Author: Al Viro Date: Mon Apr 30 19:02:02 2018 -0400 befs_lookup(): use d_splice_alias() RTFS(Documentation/filesystems/nfs/Exporting) if you try to make something exportable. Fixes: ac632f5b6301 "befs: add NFS export support" Signed-off-by: Al Viro fs/befs/linuxvfs.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) commit 87fbd639c02ec96d67738e40b6521fb070ed7168 Author: Al Viro Date: Sun May 6 12:20:40 2018 -0400 affs_lookup: switch to d_splice_alias() Making something exportable takes more than providing ->s_export_ops. In particular, ->lookup() *MUST* use d_splice_alias() instead of d_add(). Reading Documentation/filesystems/nfs/Exporting would've been a good idea; as it is, exporting AFFS is badly (and exploitably) broken. Partially-Fixes: ed4433d72394 "fs/affs: make affs exportable" Acked-by: David Sterba Signed-off-by: Al Viro fs/affs/namei.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) commit 30da870ce4a4e007c901858a96e9e394a1daa74a Author: Al Viro Date: Sun May 6 12:15:20 2018 -0400 affs_lookup(): close a race with affs_remove_link() we unlock the directory hash too early - if we are looking at secondary link and primary (in another directory) gets removed just as we unlock, we could have the old primary moved in place of the secondary, leaving us to look into freed entry (and leaving our dentry with ->d_fsdata pointing to a freed entry). Cc: stable@vger.kernel.org # 2.4.4+ Acked-by: David Sterba Signed-off-by: Al Viro fs/affs/namei.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 3b78ce4a34b761c7fe13520de822984019ff1a8f Merge: 6741c4b af86ca4 Author: Linus Torvalds Date: Mon May 21 11:23:26 2018 -0700 Merge branch 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Merge speculative store buffer bypass fixes from Thomas Gleixner: - rework of the SPEC_CTRL MSR management to accomodate the new fancy SSBD (Speculative Store Bypass Disable) bit handling. - the CPU bug and sysfs infrastructure for the exciting new Speculative Store Bypass 'feature'. - support for disabling SSB via LS_CFG MSR on AMD CPUs including Hyperthread synchronization on ZEN. - PRCTL support for dynamic runtime control of SSB - SECCOMP integration to automatically disable SSB for sandboxed processes with a filter flag for opt-out. - KVM integration to allow guests fiddling with SSBD including the new software MSR VIRT_SPEC_CTRL to handle the LS_CFG based oddities on AMD. - BPF protection against SSB .. this is just the core and x86 side, other architecture support will come separately. * 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (49 commits) bpf: Prevent memory disambiguation attack x86/bugs: Rename SSBD_NO to SSB_NO KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG x86/bugs: Rework spec_ctrl base and mask logic x86/bugs: Remove x86_spec_ctrl_set() x86/bugs: Expose x86_spec_ctrl_base directly x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host} x86/speculation: Rework speculative_store_bypass_update() x86/speculation: Add virtualized speculative store bypass disable support x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL x86/speculation: Handle HT correctly on AMD x86/cpufeatures: Add FEATURE_ZEN x86/cpufeatures: Disentangle SSBD enumeration x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP KVM: SVM: Move spec control call after restore of GS x86/cpu: Make alternative_msr_write work for 32-bit code x86/bugs: Fix the parameters alignment and missing void x86/bugs: Make cpu_show_common() static ... commit f7068114d45ec55996b9040e98111afa56e010fe Author: Jens Axboe Date: Mon May 21 12:21:14 2018 -0600 sr: pass down correctly sized SCSI sense buffer We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack. Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer. Cc: stable@vger.kernel.org Reported-by: Piotr Gabriel Kosinski Reported-by: Daniel Shapira Tested-by: Kees Cook Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe drivers/scsi/sr_ioctl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit 255845fc43a3aaf806852a1d3bc89bff1411ebe3 Author: Jason A. Donenfeld Date: Sat Apr 28 00:42:52 2018 +0200 arm64: export tishift functions to modules Otherwise modules that use these arithmetic operations will fail to link. We accomplish this with the usual EXPORT_SYMBOL, which on most architectures goes in the .S file but the ARM64 maintainers prefer that insead it goes into arm64ksyms. While we're at it, we also fix this up to use SPDX, and I personally choose to relicense this as GPL2||BSD so that these symbols don't need to be export_symbol_gpl, so all modules can use the routines, since these are important general purpose compiler-generated function calls. Signed-off-by: Jason A. Donenfeld Reported-by: PaX Team Cc: stable@vger.kernel.org Signed-off-by: Will Deacon arch/arm64/kernel/arm64ksyms.c | 8 ++++++++ arch/arm64/lib/tishift.S | 15 ++------------- 2 files changed, 10 insertions(+), 13 deletions(-) commit 32c3fa7cdf0c4a3eb8405fc3e13398de019e828b Author: Will Deacon Date: Mon May 21 17:44:57 2018 +0100 arm64: lse: Add early clobbers to some input/output asm operands For LSE atomics that read and write a register operand, we need to ensure that these operands are annotated as "early clobber" if the register is written before all of the input operands have been consumed. Failure to do so can result in the compiler allocating the same register to both operands, leading to splats such as: Unable to handle kernel paging request at virtual address 11111122222221 [...] x1 : 1111111122222222 x0 : 1111111122222221 Process swapper/0 (pid: 1, stack limit = 0x000000008209f908) Call trace: test_atomic64+0x1360/0x155c where x0 has been allocated as both the value to be stored and also the atomic_t pointer. This patch adds the missing clobbers. Cc: Cc: Dave Martin Cc: Robin Murphy Reported-by: Mark Salter Signed-off-by: Will Deacon arch/arm64/include/asm/atomic_lse.h | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) commit 6741c4bb389da103c0d79ad1961884628900bfe6 Merge: 5aef268 9a3a92c Author: Linus Torvalds Date: Mon May 21 08:58:00 2018 -0700 Merge tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips Pull MIPS fixes from James Hogan: - fix build with DEBUG_ZBOOT and MACH_JZ4770 (4.16) - include xilfpga FDT in fitImage and stop generating dtb.o (4.15) - fix software IO coherence on CM SMP systems (4.8) - ptrace: Fix PEEKUSR/POKEUSR to o32 FGRs (3.14) - ptrace: Expose FIR register through FP regset (3.13) - fix typo in KVM debugfs file name (3.10) * tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips: MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs MIPS: xilfpga: Actually include FDT in fitImage MIPS: xilfpga: Stop generating useless dtb.o KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" MIPS: ptrace: Expose FIR register through FP regset MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770 MIPS: c-r4k: Fix data corruption related to cache coherence commit 5aef268ace7436d8a25d41ee3837ecadb0115917 Merge: 771c577 b80d0b9 Author: Linus Torvalds Date: Mon May 21 08:37:48 2018 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix refcounting bug for connections in on-packet scheduling mode of IPVS, from Julian Anastasov. 2) Set network header properly in AF_PACKET's packet_snd, from Willem de Bruijn. 3) Fix regressions in 3c59x by converting to generic DMA API. It was relying upon the hack that the PCI DMA interfaces would accept NULL for EISA devices. From Christoph Hellwig. 4) Remove RDMA devices before unregistering netdev in QEDE driver, from Michal Kalderon. 5) Use after free in TUN driver ptr_ring usage, from Jason Wang. 6) Properly check for missing netlink attributes in SMC_PNETID requests, from Eric Biggers. 7) Set DMA mask before performaing any DMA operations in vmxnet3 driver, from Regis Duchesne. 8) Fix mlx5 build with SMP=n, from Saeed Mahameed. 9) Classifier fixes in bcm_sf2 driver from Florian Fainelli. 10) Tuntap use after free during release, from Jason Wang. 11) Don't use stack memory in scatterlists in tls code, from Matt Mullins. 12) Not fully initialized flow key object in ipv4 routing code, from David Ahern. 13) Various packet headroom bug fixes in ip6_gre driver, from Petr Machata. 14) Remove queues from XPS maps using correct index, from Amritha Nambiar. 15) Fix use after free in sock_diag, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (64 commits) net: ip6_gre: fix tunnel metadata device sharing. cxgb4: fix offset in collecting TX rate limit info net: sched: red: avoid hashing NULL child sock_diag: fix use-after-free read in __sk_free sh_eth: Change platform check to CONFIG_ARCH_RENESAS net: dsa: Do not register devlink for unused ports net: Fix a bug in removing queues from XPS map bpf: fix truncated jump targets on heavy expansions bpf: parse and verdict prog attach may race with bpf map update bpf: sockmap update rollback on error can incorrectly dec prog refcnt net: test tailroom before appending to linear skb net: ip6_gre: Fix ip6erspan hlen calculation net: ip6_gre: Split up ip6gre_changelink() net: ip6_gre: Split up ip6gre_newlink() net: ip6_gre: Split up ip6gre_tnl_change() net: ip6_gre: Split up ip6gre_tnl_link_config() net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit() net: ip6_gre: Request headroom in __gre6_xmit() selftests/bpf: check return value of fopen in test_verifier.c erspan: fix invalid erspan version. ... commit 136d769e0b3475d71350aa3648a116a6ee7a8f6c Author: Sudip Mukherjee Date: Sat May 19 22:29:36 2018 +0100 libata: blacklist Micron 500IT SSD with MU01 firmware While whitelisting Micron M500DC drives, the tweaked blacklist entry enabled queued TRIM from M500IT variants also. But these do not support queued TRIM. And while using those SSDs with the latest kernel we have seen errors and even the partition table getting corrupted. Some part from the dmesg: [ 6.727384] ata1.00: ATA-9: Micron_M500IT_MTFDDAK060MBD, MU01, max UDMA/133 [ 6.727390] ata1.00: 117231408 sectors, multi 16: LBA48 NCQ (depth 31/32), AA [ 6.741026] ata1.00: supports DRM functions and may not be fully accessible [ 6.759887] ata1.00: configured for UDMA/133 [ 6.762256] scsi 0:0:0:0: Direct-Access ATA Micron_M500IT_MT MU01 PQ: 0 ANSI: 5 and then for the error: [ 120.860334] ata1.00: exception Emask 0x1 SAct 0x7ffc0007 SErr 0x0 action 0x6 frozen [ 120.860338] ata1.00: irq_stat 0x40000008 [ 120.860342] ata1.00: failed command: SEND FPDMA QUEUED [ 120.860351] ata1.00: cmd 64/01:00:00:00:00/00:00:00:00:00/a0 tag 0 ncq dma 512 out res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x5 (timeout) [ 120.860353] ata1.00: status: { DRDY } [ 120.860543] ata1: hard resetting link [ 121.166128] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300) [ 121.166376] ata1.00: supports DRM functions and may not be fully accessible [ 121.186238] ata1.00: supports DRM functions and may not be fully accessible [ 121.204445] ata1.00: configured for UDMA/133 [ 121.204454] ata1.00: device reported invalid CHS sector 0 [ 121.204541] sd 0:0:0:0: [sda] tag#18 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08 [ 121.204546] sd 0:0:0:0: [sda] tag#18 Sense Key : 0x5 [current] [ 121.204550] sd 0:0:0:0: [sda] tag#18 ASC=0x21 ASCQ=0x4 [ 121.204555] sd 0:0:0:0: [sda] tag#18 CDB: opcode=0x93 93 08 00 00 00 00 00 04 28 80 00 00 00 30 00 00 [ 121.204559] print_req_error: I/O error, dev sda, sector 272512 After few reboots with these errors, and the SSD is corrupted. After blacklisting it, the errors are not seen and the SSD does not get corrupted any more. Fixes: 243918be6393 ("libata: Do not blacklist Micron M500DC") Cc: Martin K. Petersen Cc: stable@vger.kernel.org Signed-off-by: Sudip Mukherjee Signed-off-by: Tejun Heo drivers/ata/libata-core.c | 2 ++ 1 file changed, 2 insertions(+) commit 3de06d5a1f05c11c94cbb68af14dbfa7fb81d78b Author: Corneliu Doban Date: Fri May 18 15:03:57 2018 -0700 mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus The SDHCI_QUIRK2_HOST_OFF_CARD_ON is needed for the driver to properly reset the host controller (reset all) on initialization after exiting deep sleep. Signed-off-by: Corneliu Doban Signed-off-by: Scott Branden Reviewed-by: Ray Jui Reviewed-by: Srinath Mannam Fixes: c833e92bbb60 ("mmc: sdhci-iproc: support standard byte register accesses") Cc: stable@vger.kernel.org # v4.10+ Signed-off-by: Ulf Hansson drivers/mmc/host/sdhci-iproc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5f651b870485ee60f5abbbd85195a6852978894a Author: Corneliu Doban Date: Fri May 18 15:03:56 2018 -0700 mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register When the host controller accepts only 32bit writes, the value of the 16bit TRANSFER_MODE register, that has the same 32bit address as the 16bit COMMAND register, needs to be saved and it will be written in a 32bit write together with the command as this will trigger the host to send the command on the SD interface. When sending the tuning command, TRANSFER_MODE is written and then sdhci_set_transfer_mode reads it back to clear AUTO_CMD12 bit and write it again resulting in wrong value to be written because the initial write value was saved in a shadow and the read-back returned a wrong value, from the register. Fix sdhci_iproc_readw to return the saved value of TRANSFER_MODE when a saved value exist. Same fix for read of BLOCK_SIZE and BLOCK_COUNT registers, that are saved for a different reason, although a scenario that will cause the mentioned problem on this registers is not probable. Fixes: b580c52d58d9 ("mmc: sdhci-iproc: add IPROC SDHCI driver") Signed-off-by: Corneliu Doban Signed-off-by: Scott Branden Cc: stable@vger.kernel.org # v4.1+ Signed-off-by: Ulf Hansson drivers/mmc/host/sdhci-iproc.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) commit 4c94238f37af87a2165c3fb491b4a8b50e90649c Author: Srinath Mannam Date: Fri May 18 15:03:55 2018 -0700 mmc: sdhci-iproc: remove hard coded mmc cap 1.8v Remove hard coded mmc cap 1.8v from platform data as it is board specific. The 1.8v DDR mmc caps can be enabled using DTS property for those boards that support it. Fixes: b17b4ab8ce38 ("mmc: sdhci-iproc: define MMC caps in platform data") Signed-off-by: Srinath Mannam Signed-off-by: Scott Branden Reviewed-by: Ray Jui Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Ulf Hansson drivers/mmc/host/sdhci-iproc.c | 1 - 1 file changed, 1 deletion(-) commit b25b750df99bcba29317d3f9d9f93c4ec58890e6 Author: Mathieu Malaterre Date: Wed May 16 21:20:20 2018 +0200 mmc: block: propagate correct returned value in mmc_rpmb_ioctl In commit 97548575bef3 ("mmc: block: Convert RPMB to a character device") a new function `mmc_rpmb_ioctl` was added. The final return is simply returning a value of `0` instead of propagating the correct return code. Discovered during a compilation with W=1, silence the following gcc warning drivers/mmc/core/block.c:2470:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] Signed-off-by: Mathieu Malaterre Reviewed-by: Shawn Lin Fixes: 97548575bef3 ("mmc: block: Convert RPMB to a character device") Cc: stable@vger.kernel.org # v4.15+ Signed-off-by: Ulf Hansson drivers/mmc/core/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 771c577c23bac90597c685971d7297ea00f99d11 Author: Linus Torvalds Date: Sun May 20 15:31:38 2018 -0700 Linux 4.17-rc6 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6fd5a36a46c0caf288f3acd90d608ffefa17f234 Merge: e5e03ad 8a92281 Author: Linus Torvalds Date: Sun May 20 12:44:07 2018 -0700 Merge branch 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc fixlets from Helge Deller: "Three small section mismatch fixes, one of them was found by 0-day test infrastructure" * 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Move ccio_cujo20_fixup() into init section parisc: Move setup_profiling_timer() out of init section parisc: Move find_pa_parent_type() out of init section commit e5e03ad9e0f04cb3f478b914a3bf9c8f77ee9e94 Merge: 132ce5d 02ee654 Author: Linus Torvalds Date: Sun May 20 12:04:27 2018 -0700 Merge tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "We've accumulated some fixes during the last week, some of them were in the works for a longer time but there are some newer ones too. Most of the fixes have a reproducer and fix user visible problems, also candidates for stable kernels. They IMHO qualify for a late rc, though I did not expect that many" * tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix crash when trying to resume balance without the resume flag btrfs: Fix delalloc inodes invalidation during transaction abort btrfs: Split btrfs_del_delalloc_inode into 2 functions btrfs: fix reading stale metadata blocks after degraded raid1 mounts btrfs: property: Set incompat flag if lzo/zstd compression is set Btrfs: fix duplicate extents after fsync of file with prealloc extents Btrfs: fix xattr loss after power failure Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting commit 132ce5d43adfd9b5da27ad17cc28a01cd2310f0a Merge: 8a6bd2f 92d44a4 Author: Linus Torvalds Date: Sun May 20 11:50:27 2018 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: - Łukasz Stelmach spotted a couple of issues with the decompressor. - a couple of kdump fixes found while testing kdump - replace some perl with shell code - resolve SIGFPE breakage - kprobes fixes * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: fix kill( ,SIGFPE) breakage ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr ARM: 8770/1: kprobes: Prohibit probing on optimized_callback ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed ARM: replace unnecessary perl with sed and the shell $(( )) operator ARM: kexec: record parent context registers for non-crash CPUs ARM: kexec: fix kdump register saving on panic() ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel ARM: 8753/1: decompressor: add a missing parameter to the addruart macro commit 8a6bd2f40e96fb4d96749ab029c61f0df218b003 Merge: b9aad92 acf4602 Author: Linus Torvalds Date: Sun May 20 11:28:32 2018 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "An unfortunately larger set of fixes, but a large portion is selftests: - Fix the missing clusterid initializaiton for x2apic cluster management which caused boot failures due to IPIs being sent to the wrong cluster - Drop TX_COMPAT when a 64bit executable is exec()'ed from a compat task - Wrap access to __supported_pte_mask in __startup_64() where clang compile fails due to a non PC relative access being generated. - Two fixes for 5 level paging fallout in the decompressor: - Handle GOT correctly for paging_prepare() and cleanup_trampoline() - Fix the page table handling in cleanup_trampoline() to avoid page table corruption. - Stop special casing protection key 0 as this is inconsistent with the manpage and also inconsistent with the allocation map handling. - Override the protection key wen moving away from PROT_EXEC to prevent inaccessible memory. - Fix and update the protection key selftests to address breakage and to cover the above issue - Add a MOV SS self test" [ Part of the x86 fixes were in the earlier core pull due to dependencies ] * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (21 commits) x86/mm: Drop TS_COMPAT on 64-bit exec() syscall x86/apic/x2apic: Initialize cluster ID properly x86/boot/compressed/64: Fix moving page table out of trampoline memory x86/boot/compressed/64: Set up GOT for paging_prepare() and cleanup_trampoline() x86/pkeys: Do not special case protection key 0 x86/pkeys/selftests: Add a test for pkey 0 x86/pkeys/selftests: Save off 'prot' for allocations x86/pkeys/selftests: Fix pointer math x86/pkeys: Override pkey when moving away from PROT_EXEC x86/pkeys/selftests: Fix pkey exhaustion test off-by-one x86/pkeys/selftests: Add PROT_EXEC test x86/pkeys/selftests: Factor out "instruction page" x86/pkeys/selftests: Allow faults on unknown keys x86/pkeys/selftests: Avoid printf-in-signal deadlocks x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal x86/pkeys/selftests: Stop using assert() x86/pkeys/selftests: Give better unexpected fault error messages x86/selftests: Add mov_to_ss test x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI ... commit b9aad92236391f681083fa4045083d5b846b59e0 Merge: 441cab9 5596fe3 Author: Linus Torvalds Date: Sun May 20 11:25:54 2018 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull UP timer fix from Thomas Gleixner: "Work around the for_each_cpu() oddity on UP kernels in the tick broadcast code which causes boot failures because the CPU0 bit is always reported as set independent of the cpumask content" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tick/broadcast: Use for_each_cpu() specially on UP kernels commit 441cab960d991897ec0e739dffee018bb2479c45 Merge: 74cce52 cd33d88 Author: Linus Torvalds Date: Sun May 20 11:23:34 2018 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixlets from Thomas Gleixner: "Three trivial fixlets for the scheduler: - move print_rt_rq() and print_dl_rq() declarations to the right place - make grub_reclaim() static - fix the bogus documentation reference in Kconfig" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Fix documentation file path sched/deadline: Make the grub_reclaim() function static sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h commit 74cce52f9f92b64febd7c84ed68f5a5607c779b6 Merge: 95bcce4 78ce241 Author: Linus Torvalds Date: Sun May 20 11:20:40 2018 -0700 Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RAS fix from Thomas Gleixner: "Fix a regression in the new AMD SMCA code which issues an SMP function call from the early interrupt disabled region of CPU hotplug. To avoid that, use cached block addresses which can be used directly" * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/MCE/AMD: Cache SMCA MISC block addresses commit 95bcce4d42400d136060daadc56e1564200c3713 Merge: 4b65f45 f3903c9 Author: Linus Torvalds Date: Sun May 20 11:18:42 2018 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf tooling fixes from Thomas Gleixner: - fix segfault when processing unknown threads in cs-etm - fix "perf test inet_pton" on s390 failing due to missing inline - display all available events on 'perf annotate --stdio' - add missing newline when parsing an empty BPF program * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf tools: Add missing newline when parsing empty BPF proggie perf cs-etm: Remove redundant space perf cs-etm: Support unknown_thread in cs_etm_auxtrace perf annotate: Display all available events on --stdio perf test: "probe libc's inet_pton" fails on s390 due to missing inline commit 4b65f455c787eeca1a6eb8cc8f590ade6cecb179 Merge: 056ad12 5a81764 Author: Linus Torvalds Date: Sun May 20 10:43:27 2018 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Thomas Gleixner: "Two fixes to address shortcomings of the rwsem/percpu-rwsem lock debugging code which emits false positive warnings when the rwsem is anonymously locked and unlocked" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag commit 056ad121c26db1cfc8253222e2297fb7b7577fe8 Merge: 583dbad 4f74d72 Author: Linus Torvalds Date: Sun May 20 10:36:52 2018 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Thomas Gleixner: - Use explicitely sized type for the romimage pointer in the 32bit EFI protocol struct so a 64bit kernel does not expand it to 64bit. Ditto for the 64bit struct to avoid the reverse issue on 32bit kernels. - Handle randomized tex offset correctly in the ARM64 EFI stub to avoid unaligned data resulting in stack corruption and other hard to diagnose wreckage. * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efi/libstub/arm64: Handle randomized TEXT_OFFSET efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode commit 583dbad34098fd2891dcc850744e7c80063dd8a4 Merge: 203ec2f 7dec80c Author: Linus Torvalds Date: Sun May 20 10:01:38 2018 -0700 Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull core fixes from Thomas Gleixner: - Unbreak the BPF compilation which got broken by the unconditional requirement of asm-goto, which is not supported by clang. - Prevent probing on exception masking instructions in uprobes and kprobes to avoid the issues of the delayed exceptions instead of having an ugly workaround. - Prevent a double free_page() in the error path of do_kexec_load() - A set of objtool updates addressing various issues mostly related to switch tables and the noreturn detection for recursive sibling calls - Header sync for tools. * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: objtool: Detect RIP-relative switch table references, part 2 objtool: Detect RIP-relative switch table references objtool: Support GCC 8 switch tables objtool: Support GCC 8's cold subfunctions objtool: Fix "noreturn" detection for recursive sibling calls objtool, kprobes/x86: Sync the latest header with tools/objtool/arch/x86/include/asm/insn.h x86/cpufeature: Guard asm_volatile_goto usage for BPF compilation uprobes/x86: Prohibit probing on MOV SS instruction kprobes/x86: Prohibit probing on exception masking instructions x86/kexec: Avoid double free_page() upon do_kexec_load() failure commit 643ca198aacc671f32ef7c0c2783f0b539070a36 Author: Laurent Pinchart Date: Fri Apr 27 22:40:21 2018 +0300 drm: rcar-du: lvds: Fix crash in .atomic_check when disabling connector The connector .atomic_check() handler can be called with a NULL crtc pointer in the connector state when the connector gets disabled explicitly (through performing a legacy mode set or setting the connector's CRTC_ID property to 0). This causes a crash as the crtc pointer is dereferenced without any check. Fix it by returning from the .atomic_check() handler when then crtc pointer is NULL, as there is no check to be performed when the connector gets disabled. Fixes: c6a27fa41fab ("drm: rcar-du: Convert LVDS encoder code to bridge driver") Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham drivers/gpu/drm/rcar-du/rcar_lvds.c | 3 +++ 1 file changed, 3 insertions(+) commit b80d0b93b991e551a32157e0d9d38fc5bc9348a7 Author: William Tu Date: Fri May 18 19:22:28 2018 -0700 net: ip6_gre: fix tunnel metadata device sharing. Currently ip6gre and ip6erspan share single metadata mode device, using 'collect_md_tun'. Thus, when doing: ip link add dev ip6gre11 type ip6gretap external ip link add dev ip6erspan12 type ip6erspan external RTNETLINK answers: File exists simply fails due to the 2nd tries to create the same collect_md_tun. The patch fixes it by adding a separate collect md tunnel device for the ip6erspan, 'collect_md_tun_erspan'. As a result, a couple of places need to refactor/split up in order to distinguish ip6gre and ip6erspan. First, move the collect_md check at ip6gre_tunnel_{unlink,link} and create separate function {ip6gre,ip6ersapn}_tunnel_{link_md,unlink_md}. Then before link/unlink, make sure the link_md/unlink_md is called. Finally, a separate ndo_uninit is created for ip6erspan. Tested it using the samples/bpf/test_tunnel_bpf.sh. Fixes: ef7baf5e083c ("ip6_gre: add ip6 erspan collect_md mode") Signed-off-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 101 +++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 79 insertions(+), 22 deletions(-) commit 203ec2fed17ade9582277570eb234be52085f8c5 Merge: 0b449a4 709f490 Author: Linus Torvalds Date: Sat May 19 19:56:15 2018 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "A handful of fixes. I've been queuing them up a bit too long so the list is longer than it otherwise would have been spread out across a few -rcs. In general, it's a scattering of fixes across several platforms, nothing truly serious enough to point out. There's a slightly larger batch of them for the Davinci platforms due to work to bring them back to life after some time, so there's a handful of regressions, some of them going back very far, others more recent. There's also a few patches fixing DT on Renesas platforms since they changed some bindings without remaining backwards compatible, splitting up describing LVDS as a proper bridge instead of having it as part of the display unit. We could push for them to be backwards compatible with old device trees, but it's likely to regress eventually if nobody's actually using said compatibility" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (36 commits) ARM: davinci: board-dm646x-evm: set VPIF capture card name ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF ARM: davinci: dm646x: fix timer interrupt generation ARM: keystone: fix platform_domain_notifier array overrun arm64: dts: exynos: Fix interrupt type for I2S1 device on Exynos5433 ARM: dts: imx51-zii-rdu1: fix touchscreen bindings firmware: arm_scmi: Use after free in scmi_create_protocol_device() ARM: dts: cygnus: fix irq type for arm global timer Revert "ARM: dts: logicpd-som-lv: Fix pinmux controller references" tee: check shm references are consistent in offset/size tee: shm: fix use-after-free via temporarily dropped reference ARM: dts: imx7s: Pass the 'fsl,sec-era' property ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20" ARM: dts: correct missing "compatible" entry for ti81xx SoCs ARM: OMAP1: ams-delta: fix deferred_fiq handler arm64: tegra: Make BCM89610 PHY interrupt as active low ARM: davinci: fix GPIO lookup for I2C ARM: dts: logicpd-som-lv: Fix pinmux controller references ARM: dts: logicpd-som-lv: Fix Audio Mute ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues ... commit 709f490d5b594b9548577d2285ffeaad8a278b10 Merge: a7be67b 9df50ba Author: Olof Johansson Date: Sat May 19 17:58:32 2018 -0700 Merge tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into fixes arm64: tegra: Device tree fixes for v4.17 This contains a one-line update to the device tree of the Tegra186 P3310 processor module, fixing the polarity of the PHY interrupt. Originally, this was queued to go into v4.18, but the PHY ID matching patch has now found its way into v4.17-rc5, which means that the PHY driver will know how to identify the PHY on this board and try to use the interrupt. This will unfortunately cause networking to break on P3310, hence why I think this should go into v4.17. * tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: arm64: tegra: Make BCM89610 PHY interrupt as active low Signed-off-by: Olof Johansson commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 Author: Alexei Starovoitov Date: Tue May 15 09:27:05 2018 -0700 bpf: Prevent memory disambiguation attack Detect code patterns where malicious 'speculative store bypass' can be used and sanitize such patterns. 39: (bf) r3 = r10 40: (07) r3 += -216 41: (79) r8 = *(u64 *)(r7 +0) // slow read 42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction 43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8 44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load 45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte' // is now sanitized Above code after x86 JIT becomes: e5: mov %rbp,%rdx e8: add $0xffffffffffffff28,%rdx ef: mov 0x0(%r13),%r14 f3: movq $0x0,-0x48(%rbp) fb: mov %rdx,0x0(%r14) ff: mov 0x0(%rbx),%rdi 103: movzbq 0x0(%rdi),%rsi Signed-off-by: Alexei Starovoitov Signed-off-by: Thomas Gleixner include/linux/bpf_verifier.h | 1 + kernel/bpf/verifier.c | 59 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 57 insertions(+), 3 deletions(-) commit 92d44a42af81e850a038c38278ff4f434b2871df Author: Russell King Date: Fri Apr 13 00:22:47 2018 +0100 ARM: fix kill( ,SIGFPE) breakage Commit 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE") broke the siginfo structure for userspace triggered signals, causing the strace testsuite to regress. Fix this by eliminating the FPE_FIXME definition (which is at the root of the breakage) and use FPE_FLTINV instead for the case where the hardware appears to be reporting nonsense. Fixes: 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE") Suggested-by: Linus Torvalds Signed-off-by: Russell King arch/arm/include/uapi/asm/siginfo.h | 13 ------------- arch/arm/vfp/vfpmodule.c | 2 +- 2 files changed, 1 insertion(+), 14 deletions(-) commit 0b449a441dac919444face9e3b6ca6aaec30791d Merge: 423913a dbad41e Author: Linus Torvalds Date: Sat May 19 09:54:02 2018 -0700 Merge tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fix from Vinod Koul: - qcom bam runtime_pm fix - email update for Vinod * tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: qcom: bam_dma: check if the runtime pm enabled dmaengine: Update email address for Vinod commit 423913ad4ae5b3e8fb8983f70969fb522261ba26 Author: Linus Torvalds Date: Sat May 19 09:29:11 2018 -0700 mmap: relax file size limit for regular files Commit be83bbf80682 ("mmap: introduce sane default mmap limits") was introduced to catch problems in various ad-hoc character device drivers doing mmap and getting the size limits wrong. In the process, it used "known good" limits for the normal cases of mapping regular files and block device drivers. It turns out that the "s_maxbytes" limit was less "known good" than I thought. In particular, /proc doesn't set it, but exposes one regular file to mmap: /proc/vmcore. As a result, that file got limited to the default MAX_INT s_maxbytes value. This went unnoticed for a while, because apparently the only thing that needs it is the s390 kernel zfcpdump, but there might be other tools that use this too. Vasily suggested just changing s_maxbytes for all of /proc, which isn't wrong, but makes me nervous at this stage. So instead, just make the new mmap limit always be MAX_LFS_FILESIZE for regular files, which won't affect anything else. It wasn't the regular file case I was worried about. I'd really prefer for maxsize to have been per-inode, but that is not how things are today. Fixes: be83bbf80682 ("mmap: introduce sane default mmap limits") Reported-by: Vasily Gorbik Cc: Al Viro Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 78ce241099bb363b19dbd0245442e66c8de8f567 Author: Borislav Petkov Date: Thu May 17 10:46:26 2018 +0200 x86/MCE/AMD: Cache SMCA MISC block addresses ... into a global, two-dimensional array and service subsequent reads from that cache to avoid rdmsr_on_cpu() calls during CPU hotplug (IPIs with IRQs disabled). In addition, this fixes a KASAN slab-out-of-bounds read due to wrong usage of the bank->blocks pointer. Fixes: 27bd59502702 ("x86/mce/AMD: Get address from already initialized block") Reported-by: Johannes Hirte Tested-by: Johannes Hirte Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: Yazen Ghannam Link: http://lkml.kernel.org/r/20180414004230.GA2033@probook arch/x86/kernel/cpu/mcheck/mce_amd.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) commit 0d73c3f8e7f6ee2aab1bb350f60c180f5ae21a2c Author: Masami Hiramatsu Date: Sun May 13 05:04:29 2018 +0100 ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions Since do_undefinstr() uses get_user to get the undefined instruction, it can be called before kprobes processes recursive check. This can cause an infinit recursive exception. Prohibit probing on get_user functions. Fixes: 24ba613c9d6c ("ARM kprobes: core code") Signed-off-by: Masami Hiramatsu Cc: stable@vger.kernel.org Signed-off-by: Russell King arch/arm/include/asm/assembler.h | 10 ++++++++++ arch/arm/lib/getuser.S | 10 ++++++++++ 2 files changed, 20 insertions(+) commit eb0146daefdde65665b7f076fbff7b49dade95b9 Author: Masami Hiramatsu Date: Sun May 13 05:04:16 2018 +0100 ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr Prohibit kprobes on do_undefinstr because kprobes on arm is implemented by undefined instruction. This means if we probe do_undefinstr(), it can cause infinit recursive exception. Fixes: 24ba613c9d6c ("ARM kprobes: core code") Signed-off-by: Masami Hiramatsu Cc: stable@vger.kernel.org Signed-off-by: Russell King arch/arm/kernel/traps.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 70948c05fdde0aac32f9667856a88725c192fa40 Author: Masami Hiramatsu Date: Sun May 13 05:04:10 2018 +0100 ARM: 8770/1: kprobes: Prohibit probing on optimized_callback Prohibit probing on optimized_callback() because it is called from kprobes itself. If we put a kprobes on it, that will cause a recursive call loop. Mark it NOKPROBE_SYMBOL. Fixes: 0dc016dbd820 ("ARM: kprobes: enable OPTPROBES for ARM 32") Signed-off-by: Masami Hiramatsu Cc: stable@vger.kernel.org Signed-off-by: Russell King arch/arm/probes/kprobes/opt-arm.c | 1 + 1 file changed, 1 insertion(+) commit 69af7e23a6870df2ea6fa79ca16493d59b3eebeb Author: Masami Hiramatsu Date: Sun May 13 05:03:54 2018 +0100 ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed Since get_kprobe_ctlblk() uses smp_processor_id() to access per-cpu variable, it hits smp_processor_id sanity check as below. [ 7.006928] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 [ 7.007859] caller is debug_smp_processor_id+0x20/0x24 [ 7.008438] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0-rc1-00192-g4eb17253e4b5 #1 [ 7.008890] Hardware name: Generic DT based system [ 7.009917] [] (unwind_backtrace) from [] (show_stack+0x20/0x24) [ 7.010473] [] (show_stack) from [] (dump_stack+0x84/0x98) [ 7.010990] [] (dump_stack) from [] (check_preemption_disabled+0x138/0x13c) [ 7.011592] [] (check_preemption_disabled) from [] (debug_smp_processor_id+0x20/0x24) [ 7.012214] [] (debug_smp_processor_id) from [] (optimized_callback+0x2c/0xe4) [ 7.013077] [] (optimized_callback) from [] (0xbf0021b0) To fix this issue, call get_kprobe_ctlblk() right after irq-disabled since that disables preemption. Fixes: 0dc016dbd820 ("ARM: kprobes: enable OPTPROBES for ARM 32") Signed-off-by: Masami Hiramatsu Cc: stable@vger.kernel.org Signed-off-by: Russell King arch/arm/probes/kprobes/opt-arm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 6cea14f55474ec71f1098228e0ae5dd2a8f22c0a Author: Russell King Date: Mon Apr 16 13:21:54 2018 +0100 ARM: replace unnecessary perl with sed and the shell $(( )) operator You can build a kernel in a cross compiling environment that doesn't have perl in the $PATH. Commit 429f7a062e3b broke that for 32 bit ARM. Fix it. As reported by Stephen Rothwell, it appears that the symbols can be either part of the BSS section or absolute symbols depending on the binutils version. When they're an absolute symbol, the $(( )) operator errors out and the build fails. Fix this as well. Fixes: 429f7a062e3b ("ARM: decompressor: fix BSS size calculation") Reported-by: Rob Landley Reported-by: Stephen Rothwell Acked-by: Rob Landley Signed-off-by: Russell King arch/arm/boot/compressed/Makefile | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 1c37963b1a1600b9686c4a99857ddcb6028be884 Author: Russell King Date: Wed Apr 11 19:35:19 2018 +0100 ARM: kexec: record parent context registers for non-crash CPUs How we got to machine_crash_nonpanic_core() (iow, from an IPI, etc) is not interesting for debugging a crash. The more interesting context is the parent context prior to the IPI being received. Record the parent context register state rather than the register state in machine_crash_nonpanic_core(), which is more relevant to the failing condition. Signed-off-by: Russell King arch/arm/kernel/machine_kexec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2d7b3c64431245c95b05a441669c074da10db943 Author: Russell King Date: Wed Apr 11 18:24:01 2018 +0100 ARM: kexec: fix kdump register saving on panic() When a panic() occurs, the kexec code uses smp_send_stop() to stop the other CPUs, but this results in the CPU register state not being saved, and gdb is unable to inspect the state of other CPUs. Commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump friendly version in panic path") addressed the issue on x86, but ignored other architectures. Address the issue on ARM by splitting out the crash stop implementation to crash_smp_send_stop() and adding the necessary protection. Signed-off-by: Russell King arch/arm/kernel/machine_kexec.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) commit f2ae9de019e4e2807d812ec4fe1df7c34788a0a0 Author: Łukasz Stelmach Date: Wed Apr 4 08:46:58 2018 +0100 ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel The hypervisor setup before __enter_kernel destroys the value sotred in r1. The value needs to be restored just before the jump. Fixes: 6b52f7bdb888 ("ARM: hyp-stub: Use r1 for the soft-restart address") Signed-off-by: Łukasz Stelmach Signed-off-by: Russell King arch/arm/boot/compressed/head.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e07e3c33b9c0b5751ade624f44325c9bf2487ea6 Author: Łukasz Stelmach Date: Tue Apr 3 09:04:57 2018 +0100 ARM: 8753/1: decompressor: add a missing parameter to the addruart macro In commit 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro") an additional temporary register was added to the addruart macro, but the decompressor code wasn't updated. Fixes: 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro") Signed-off-by: Łukasz Stelmach Signed-off-by: Russell King arch/arm/boot/compressed/head.S | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit acf46020012ccbca1172e9c7aeab399c950d9212 Author: Dmitry Safonov Date: Fri May 18 00:35:10 2018 +0100 x86/mm: Drop TS_COMPAT on 64-bit exec() syscall The x86 mmap() code selects the mmap base for an allocation depending on the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and for 32bit mm->mmap_compat_base. exec() calls mmap() which in turn uses in_compat_syscall() to check whether the mapping is for a 32bit or a 64bit task. The decision is made on the following criteria: ia32 child->thread.status & TS_COMPAT x32 child->pt_regs.orig_ax & __X32_SYSCALL_BIT ia64 !ia32 && !x32 __set_personality_x32() was dropping TS_COMPAT flag, but set_personality_64bit() has kept compat syscall flag making in_compat_syscall() return true during the first exec() syscall. Which in result has user-visible effects, mentioned by Alexey: 1) It breaks ASAN $ gcc -fsanitize=address wrap.c -o wrap-asan $ ./wrap32 ./wrap-asan true ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING. ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range. ==1217==Process memory map follows: 0x000000400000-0x000000401000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x000000600000-0x000000601000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x000000601000-0x000000602000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x0000f7dbd000-0x0000f7de2000 /lib64/ld-2.27.so 0x0000f7fe2000-0x0000f7fe3000 /lib64/ld-2.27.so 0x0000f7fe3000-0x0000f7fe4000 /lib64/ld-2.27.so 0x0000f7fe4000-0x0000f7fe5000 0x7fed9abff000-0x7fed9af54000 0x7fed9af54000-0x7fed9af6b000 /lib64/libgcc_s.so.1 [snip] 2) It doesn't seem to be great for security if an attacker always knows that ld.so is going to be mapped into the first 4GB in this case (the same thing happens for PIEs as well). The testcase: $ cat wrap.c int main(int argc, char *argv[]) { execvp(argv[1], &argv[1]); return 127; } $ gcc wrap.c -o wrap $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE AT_BASE: 0x7f63b8309000 AT_BASE: 0x7faec143c000 AT_BASE: 0x7fbdb25fa000 $ gcc -m32 wrap.c -o wrap32 $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE AT_BASE: 0xf7eff000 AT_BASE: 0xf7cee000 AT_BASE: 0x7f8b9774e000 Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()") Fixes: ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec") Reported-by: Alexey Izbyshev Bisected-by: Alexander Monakov Investigated-by: Andy Lutomirski Signed-off-by: Dmitry Safonov Signed-off-by: Thomas Gleixner Reviewed-by: Cyrill Gorcunov Cc: Borislav Petkov Cc: Alexander Monakov Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: stable@vger.kernel.org Cc: linux-mm@kvack.org Cc: Andy Lutomirski Cc: "H. Peter Anvin" Cc: Cyrill Gorcunov Cc: "Kirill A. Shutemov" Link: https://lkml.kernel.org/r/20180517233510.24996-1-dima@arista.com arch/x86/kernel/process_64.c | 1 + 1 file changed, 1 insertion(+) commit 7dec80ccbe310fb7e225bf21c48c672bb780ce7b Author: Josh Poimboeuf Date: Fri May 18 15:10:34 2018 -0500 objtool: Detect RIP-relative switch table references, part 2 With the following commit: fd35c88b7417 ("objtool: Support GCC 8 switch tables") I added a "can't find switch jump table" warning, to stop covering up silent failures if add_switch_table() can't find anything. That warning found yet another bug in the objtool switch table detection logic. For cases 1 and 2 (as described in the comments of find_switch_table()), the find_symbol_containing() check doesn't adjust the offset for RIP-relative switch jumps. Incidentally, this bug was already fixed for case 3 with: 6f5ec2993b1f ("objtool: Detect RIP-relative switch table references") However, that commit missed the fix for cases 1 and 2. The different cases are now starting to look more and more alike. So fix the bug by consolidating them into a single case, by checking the original dynamic jump instruction in the case 3 loop. This also simplifies the code and makes it more robust against future switch table detection issues -- of which I'm sure there will be many... Switch table detection has been the most fragile area of objtool, by far. I long for the day when we'll have a GCC plugin for annotating switch tables. Linus asked me to delay such a plugin due to the flakiness of the plugin infrastructure in older versions of GCC, so this rickety code is what we're stuck with for now. At least the code is now a little simpler than it was. Reported-by: kbuild test robot Signed-off-by: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/f400541613d45689086329432f3095119ffbc328.1526674218.git.jpoimboe@redhat.com Signed-off-by: Ingo Molnar tools/objtool/check.c | 37 ++++++++++++------------------------- 1 file changed, 12 insertions(+), 25 deletions(-) commit 4f74d72aa7067e75af92fbab077e6d7d0210be66 Author: Mark Rutland Date: Fri May 18 16:08:41 2018 +0200 efi/libstub/arm64: Handle randomized TEXT_OFFSET When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary multiple of PAGE_SIZE in the interval [0, 2MB). The EFI stub does not account for the potential misalignment of TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized physical offset which is always a round multiple of EFI_KIMG_ALIGN. This may result in statically allocated objects whose alignment exceeds PAGE_SIZE to appear misaligned in memory. This has been observed to result in spurious stack overflow reports and failure to make use of the IRQ stacks, and theoretically could result in a number of other issues. We can OR in the low bits of TEXT_OFFSET to ensure that we have the necessary offset (and hence preserve the misalignment of TEXT_OFFSET relative to EFI_KIMG_ALIGN), so let's do that. Reported-by: Kim Phillips Tested-by: Kim Phillips [ardb: clarify comment and commit log, drop unneeded parens] Signed-off-by: Mark Rutland Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Fixes: 6f26b3671184c36d ("arm64: kaslr: increase randomization granularity") Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar drivers/firmware/efi/libstub/arm64-stub.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 73fcb1a370c76b202d406e95d9dabb76eaccf484 Merge: 10a2f87 66072c29 Author: Linus Torvalds Date: Fri May 18 21:24:26 2018 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "10 fixes" * emailed patches from Andrew Morton : hfsplus: stop workqueue when fill_super() failed mm: don't allow deferred pages with NEED_PER_CPU_KM MAINTAINERS: add Q: entry to kselftest for patchwork project radix tree: fix multi-order iteration race radix tree test suite: multi-order iteration race radix tree test suite: add item_delete_rcu() radix tree test suite: fix compilation issue radix tree test suite: fix mapshift build target include/linux/mm.h: add new inline function vmf_error() lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly commit 10a2f87485b9fb7bec1a50305d4a3ec74aa8058c Merge: f65cfec 54940fa Author: Linus Torvalds Date: Fri May 18 21:22:16 2018 -0700 Merge tag 'platform-drivers-x86-v4.17-3' of git://git.infradead.org/linux-platform-drivers-x86 Pull x86 platform driver fix from Darren Hart: "Remove the last of the "select DELL_SMBIOS" references in the Kconfig" * tag 'platform-drivers-x86-v4.17-3' of git://git.infradead.org/linux-platform-drivers-x86: platform/x86: DELL_WMI use depends on instead of select for DELL_SMBIOS commit f65cfecfa1181232cd7298243bcb3c535f09c4da Merge: 6d16db0 9a16060 Author: Linus Torvalds Date: Fri May 18 21:19:02 2018 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: - a modified revert of a patch that made new choices come out for a couple stm32 clk drivers that really always need to be there when that particular machine is compiled in - boot fix on i.MX for Stefan who noticed odd behavior from the critical flag patch that came in during the merge window * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: stm32: fix: stm32 clock drivers are not compiled by default clk: imx6ull: use OSC clock during AXI rate change commit 6d16db0093936c382f74ed3d076fc7d025671297 Merge: 2c71d33 22aac3e Author: Linus Torvalds Date: Fri May 18 18:02:01 2018 -0700 Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "A bunch of driver bugfixes and a MAINTAINERS addition" * 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: add entry for STM32 I2C driver i2c: viperboard: return message count on master_xfer success i2c: pmcmsp: fix error return from master_xfer i2c: pmcmsp: return message count on master_xfer success i2c: designware: fix poll-after-enable regression eeprom: at24: fix retrieving the at24_chip_data structure i2c: core: ACPI: Log device not acking errors at dbg loglevel i2c: core: ACPI: Improve OpRegion read errors commit 66072c29328717072fd84aaff3e070e3f008ba77 Author: Tetsuo Handa Date: Fri May 18 16:09:16 2018 -0700 hfsplus: stop workqueue when fill_super() failed syzbot is reporting ODEBUG messages at hfsplus_fill_super() [1]. This is because hfsplus_fill_super() forgot to call cancel_delayed_work_sync(). As far as I can see, it is hfsplus_mark_mdb_dirty() from hfsplus_new_inode() in hfsplus_fill_super() that calls queue_delayed_work(). Therefore, I assume that hfsplus_new_inode() does not fail if queue_delayed_work() was called, and the out_put_hidden_dir label is the appropriate location to call cancel_delayed_work_sync(). [1] https://syzkaller.appspot.com/bug?id=a66f45e96fdbeb76b796bf46eb25ea878c42a6c9 Link: http://lkml.kernel.org/r/964a8b27-cd69-357c-fe78-76b066056201@I-love.SAKURA.ne.jp Signed-off-by: Tetsuo Handa Reported-by: syzbot Cc: Al Viro Cc: David Howells Cc: Ernesto A. Fernandez Cc: Vyacheslav Dubeyko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/super.c | 1 + 1 file changed, 1 insertion(+) commit ab1e8d8960b68f54af42b6484b5950bd13a4054b Author: Pavel Tatashin Date: Fri May 18 16:09:13 2018 -0700 mm: don't allow deferred pages with NEED_PER_CPU_KM It is unsafe to do virtual to physical translations before mm_init() is called if struct page is needed in order to determine the memory section number (see SECTION_IN_PAGE_FLAGS). This is because only in mm_init() we initialize struct pages for all the allocated memory when deferred struct pages are used. My recent fix in commit c9e97a1997 ("mm: initialize pages on demand during boot") exposed this problem, because it greatly reduced number of pages that are initialized before mm_init(), but the problem existed even before my fix, as Fengguang Wu found. Below is a more detailed explanation of the problem. We initialize struct pages in four places: 1. Early in boot a small set of struct pages is initialized to fill the first section, and lower zones. 2. During mm_init() we initialize "struct pages" for all the memory that is allocated, i.e reserved in memblock. 3. Using on-demand logic when pages are allocated after mm_init call (when memblock is finished) 4. After smp_init() when the rest free deferred pages are initialized. The problem occurs if we try to do va to phys translation of a memory between steps 1 and 2. Because we have not yet initialized struct pages for all the reserved pages, it is inherently unsafe to do va to phys if the translation itself requires access of "struct page" as in case of this combination: CONFIG_SPARSE && !CONFIG_SPARSE_VMEMMAP The following path exposes the problem: start_kernel() trap_init() setup_cpu_entry_areas() setup_cpu_entry_area(cpu) get_cpu_gdt_paddr(cpu) per_cpu_ptr_to_phys(addr) pcpu_addr_to_page(addr) virt_to_page(addr) pfn_to_page(__pa(addr) >> PAGE_SHIFT) We disable this path by not allowing NEED_PER_CPU_KM with deferred struct pages feature. The problems are discussed in these threads: http://lkml.kernel.org/r/20180418135300.inazvpxjxowogyge@wfg-t540p.sh.intel.com http://lkml.kernel.org/r/20180419013128.iurzouiqxvcnpbvz@wfg-t540p.sh.intel.com http://lkml.kernel.org/r/20180426202619.2768-1-pasha.tatashin@oracle.com Link: http://lkml.kernel.org/r/20180515175124.1770-1-pasha.tatashin@oracle.com Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set") Signed-off-by: Pavel Tatashin Acked-by: Michal Hocko Reviewed-by: Andrew Morton Cc: Steven Sistare Cc: Daniel Jordan Cc: Mel Gorman Cc: Fengguang Wu Cc: Dennis Zhou Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/Kconfig | 1 + 1 file changed, 1 insertion(+) commit f3d8d3cfc1c00d1ebdb53ee96aa53aa822209003 Author: Shuah Khan (Samsung OSG) Date: Fri May 18 16:09:09 2018 -0700 MAINTAINERS: add Q: entry to kselftest for patchwork project A new patchwork project is created to track kselftest patches. Update the kselftest entry in the MAINTAINERS file adding 'Q:' entry: https://patchwork.kernel.org/project/linux-kselftest/list/ Link: http://lkml.kernel.org/r/20180515164427.12201-1-shuah@kernel.org Signed-off-by: Shuah Khan (Samsung OSG) Cc: David S. Miller Cc: Mauro Carvalho Chehab Cc: Greg Kroah-Hartman Cc: Linus Walleij Cc: Randy Dunlap Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit 9f418224e8114156d995b98fa4e0f4fd21f685fe Author: Ross Zwisler Date: Fri May 18 16:09:06 2018 -0700 radix tree: fix multi-order iteration race Fix a race in the multi-order iteration code which causes the kernel to hit a GP fault. This was first seen with a production v4.15 based kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used order 9 PMD DAX entries. The race has to do with how we tear down multi-order sibling entries when we are removing an item from the tree. Remember for example that an order 2 entry looks like this: struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] where 'entry' is in some slot in the struct radix_tree_node, and the three slots following 'entry' contain sibling pointers which point back to 'entry.' When we delete 'entry' from the tree, we call : radix_tree_delete() radix_tree_delete_item() __radix_tree_delete() replace_slot() replace_slot() first removes the siblings in order from the first to the last, then at then replaces 'entry' with NULL. This means that for a brief period of time we end up with one or more of the siblings removed, so: struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] This causes an issue if you have a reader iterating over the slots in the tree via radix_tree_for_each_slot() while only under rcu_read_lock()/rcu_read_unlock() protection. This is a common case in mm/filemap.c. The issue is that when __radix_tree_next_slot() => skip_siblings() tries to skip over the sibling entries in the slots, it currently does so with an exact match on the slot directly preceding our current slot. Normally this works: V preceding slot struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] ^ current slot This lets you find the first sibling, and you skip them all in order. But in the case where one of the siblings is NULL, that slot is skipped and then our sibling detection is interrupted: V preceding slot struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] ^ current slot This means that the sibling pointers aren't recognized since they point all the way back to 'entry', so we think that they are normal internal radix tree pointers. This causes us to think we need to walk down to a struct radix_tree_node starting at the address of 'entry'. In a real running kernel this will crash the thread with a GP fault when you try and dereference the slots in your broken node starting at 'entry'. We fix this race by fixing the way that skip_siblings() detects sibling nodes. Instead of testing against the preceding slot we instead look for siblings via is_sibling_entry() which compares against the position of the struct radix_tree_node.slots[] array. This ensures that sibling entries are properly identified, even if they are no longer contiguous with the 'entry' they point to. Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators") Signed-off-by: Ross Zwisler Reported-by: CR, Sapthagirish Reviewed-by: Jan Kara Cc: Matthew Wilcox Cc: Christoph Hellwig Cc: Dan Williams Cc: Dave Chinner Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/radix-tree.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit fd8f58c40b703e47697c9f12bc16c31f14c161f1 Author: Ross Zwisler Date: Fri May 18 16:09:01 2018 -0700 radix tree test suite: multi-order iteration race Add a test which shows a race in the multi-order iteration code. This test reliably hits the race in under a second on my machine, and is the result of a real bug report against kernel a production v4.15 based kernel (4.15.6-300.fc27.x86_64). With a real kernel this issue is hit when using order 9 PMD DAX radix tree entries. The race has to do with how we tear down multi-order sibling entries when we are removing an item from the tree. Remember that an order 2 entry looks like this: struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] where 'entry' is in some slot in the struct radix_tree_node, and the three slots following 'entry' contain sibling pointers which point back to 'entry.' When we delete 'entry' from the tree, we call : radix_tree_delete() radix_tree_delete_item() __radix_tree_delete() replace_slot() replace_slot() first removes the siblings in order from the first to the last, then at then replaces 'entry' with NULL. This means that for a brief period of time we end up with one or more of the siblings removed, so: struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] This causes an issue if you have a reader iterating over the slots in the tree via radix_tree_for_each_slot() while only under rcu_read_lock()/rcu_read_unlock() protection. This is a common case in mm/filemap.c. The issue is that when __radix_tree_next_slot() => skip_siblings() tries to skip over the sibling entries in the slots, it currently does so with an exact match on the slot directly preceding our current slot. Normally this works: V preceding slot struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] ^ current slot This lets you find the first sibling, and you skip them all in order. But in the case where one of the siblings is NULL, that slot is skipped and then our sibling detection is interrupted: V preceding slot struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] ^ current slot This means that the sibling pointers aren't recognized since they point all the way back to 'entry', so we think that they are normal internal radix tree pointers. This causes us to think we need to walk down to a struct radix_tree_node starting at the address of 'entry'. In a real running kernel this will crash the thread with a GP fault when you try and dereference the slots in your broken node starting at 'entry'. In the radix tree test suite this will be caught by the address sanitizer: ==27063==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0008ae400 at pc 0x00000040ce4f bp 0x7fa89b8fcad0 sp 0x7fa89b8fcac0 READ of size 8 at 0x60c0008ae400 thread T3 #0 0x40ce4e in __radix_tree_next_slot /home/rzwisler/project/linux/tools/testing/radix-tree/radix-tree.c:1660 #1 0x4022cc in radix_tree_next_slot linux/../../../../include/linux/radix-tree.h:567 #2 0x4022cc in iterator_func /home/rzwisler/project/linux/tools/testing/radix-tree/multiorder.c:655 #3 0x7fa8a088d50a in start_thread (/lib64/libpthread.so.0+0x750a) #4 0x7fa8a03bd16e in clone (/lib64/libc.so.6+0xf516e) Link: http://lkml.kernel.org/r/20180503192430.7582-5-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Cc: Christoph Hellwig Cc: CR, Sapthagirish Cc: Dan Williams Cc: Dave Chinner Cc: Jan Kara Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds tools/testing/radix-tree/multiorder.c | 63 +++++++++++++++++++++++++++++++++++ tools/testing/radix-tree/test.h | 1 + 2 files changed, 64 insertions(+) commit 3e252fa7d4f711798e7a3f5ff2d7b62f0e2987ce Author: Ross Zwisler Date: Fri May 18 16:08:58 2018 -0700 radix tree test suite: add item_delete_rcu() Currently the lifetime of "struct item" entries in the radix tree are not controlled by RCU, but are instead deleted inline as they are removed from the tree. In the following patches we add a test which has threads iterating over items pulled from the tree and verifying them in an rcu_read_lock()/rcu_read_unlock() section. This means that though an item has been removed from the tree it could still be being worked on by other threads until the RCU grace period expires. So, we need to actually free the "struct item" structures at the end of the grace period, just as we do with "struct radix_tree_node" items. Link: http://lkml.kernel.org/r/20180503192430.7582-4-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Cc: Christoph Hellwig Cc: CR, Sapthagirish Cc: Dan Williams Cc: Dave Chinner Cc: Jan Kara Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds tools/testing/radix-tree/test.c | 19 +++++++++++++++++++ tools/testing/radix-tree/test.h | 2 ++ 2 files changed, 21 insertions(+) commit dcbbf25adb31410c95ce844f80d372ed38b68b24 Author: Ross Zwisler Date: Fri May 18 16:08:54 2018 -0700 radix tree test suite: fix compilation issue Pulled from a patch from Matthew Wilcox entitled "xarray: Add definition of struct xarray": > From: Matthew Wilcox > Signed-off-by: Matthew Wilcox https://patchwork.kernel.org/patch/10341249/ These defines fix this compilation error: In file included from ./linux/radix-tree.h:6:0, from ./linux/../../../../include/linux/idr.h:15, from ./linux/idr.h:1, from idr.c:4: ./linux/../../../../include/linux/idr.h: In function `idr_init_base': ./linux/../../../../include/linux/radix-tree.h:129:2: warning: implicit declaration of function `spin_lock_init'; did you mean `spinlock_t'? [-Wimplicit-function-declaration] spin_lock_init(&(root)->xa_lock); \ ^ ./linux/../../../../include/linux/idr.h:126:2: note: in expansion of macro `INIT_RADIX_TREE' INIT_RADIX_TREE(&idr->idr_rt, IDR_RT_MARKER); ^~~~~~~~~~~~~~~ by providing a spin_lock_init() wrapper for the v4.17-rc* version of the radix tree test suite. Link: http://lkml.kernel.org/r/20180503192430.7582-3-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Cc: Christoph Hellwig Cc: CR, Sapthagirish Cc: Dan Williams Cc: Dave Chinner Cc: Jan Kara Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds tools/include/linux/spinlock.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 8d9fa88edd5e360b71765feeadb915d4066c9684 Author: Ross Zwisler Date: Fri May 18 16:08:51 2018 -0700 radix tree test suite: fix mapshift build target Commit c6ce3e2fe3da ("radix tree test suite: Add config option for map shift") introduced a phony makefile target called 'mapshift' that ends up generating the file generated/map-shift.h. This phony target was then added as a dependency of the top level 'targets' build target, which is what is run when you go to tools/testing/radix-tree and just type 'make'. Unfortunately, this phony target doesn't actually work as a dependency, so you end up getting: $ make make: *** No rule to make target 'generated/map-shift.h', needed by 'main.o'. Stop. make: *** Waiting for unfinished jobs.... Fix this by making the file generated/map-shift.h our real makefile target, and add this a dependency of the top level build target. Link: http://lkml.kernel.org/r/20180503192430.7582-2-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Cc: Christoph Hellwig Cc: CR, Sapthagirish Cc: Dan Williams Cc: Dave Chinner Cc: Jan Kara Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds tools/testing/radix-tree/Makefile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit d97baf9470b0668904aa96865abe7db4000dc3ba Author: Souptick Joarder Date: Fri May 18 16:08:47 2018 -0700 include/linux/mm.h: add new inline function vmf_error() Many places in drivers/ file systems, error was handled in a common way like below: ret = (ret == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS; vmf_error() will replace this and return vm_fault_t type err. A lot of drivers and filesystems currently have a rather complex mapping of errno-to-VM_FAULT code. We have been able to eliminate a lot of it by just returning VM_FAULT codes directly from functions which are called exclusively from the fault handling path. Some functions can be called both from the fault handler and other context which are expecting an errno, so they have to continue to return an errno. Some users still need to choose different behaviour for different errnos, but vmf_error() captures the essential error translation that's common to all users, and those that need to handle additional errors can handle them first. Link: http://lkml.kernel.org/r/20180510174826.GA14268@jordon-HP-15-Notebook-PC Signed-off-by: Souptick Joarder Reviewed-by: Matthew Wilcox Reviewed-by: Andrew Morton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/mm.h | 7 +++++++ 1 file changed, 7 insertions(+) commit 1e3054b98c5415d5cb5f8824fc33b548ae5644c3 Author: Matthew Wilcox Date: Fri May 18 16:08:44 2018 -0700 lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly I had neglected to increment the error counter when the tests failed, which made the tests noisy when they fail, but not actually return an error code. Link: http://lkml.kernel.org/r/20180509114328.9887-1-mpe@ellerman.id.au Fixes: 3cc78125a081 ("lib/test_bitmap.c: add optimisation tests") Signed-off-by: Matthew Wilcox Signed-off-by: Michael Ellerman Reported-by: Michael Ellerman Tested-by: Michael Ellerman Reviewed-by: Kees Cook Cc: Yury Norov Cc: Andy Shevchenko Cc: Geert Uytterhoeven Cc: [4.13+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/test_bitmap.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) commit 54940fa60ad3728c592f62dadb558165495a6938 Author: Darren Hart Date: Sat May 12 12:10:07 2018 -0700 platform/x86: DELL_WMI use depends on instead of select for DELL_SMBIOS If DELL_WMI "select"s DELL_SMBIOS, the DELL_SMBIOS dependencies are ignored and it is still possible to end up with unmet direct dependencies. Change the select to a depends on. Tested-by: Randy Dunlap Signed-off-by: Darren Hart (VMware) drivers/platform/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a6837d26674afd2ccb789fe666b4aff7095dc3d2 Author: Anders Roxell Date: Fri May 18 20:23:24 2018 +0200 selftests: bpf: config: enable NET_SCH_INGRESS for xdp_meta.sh When running bpf's selftest test_xdp_meta.sh it fails: ./test_xdp_meta.sh Error: Specified qdisc not found. selftests: test_xdp_meta [FAILED] Need to enable CONFIG_NET_SCH_INGRESS and CONFIG_NET_CLS_ACT to get the test to pass. Fixes: 22c8852624fc ("bpf: improve selftests and add tests for meta pointer") Signed-off-by: Anders Roxell Signed-off-by: Daniel Borkmann tools/testing/selftests/bpf/config | 2 ++ 1 file changed, 2 insertions(+) commit 4855c92dbb7b3b85c23e88ab7ca04f99b9677b41 Author: Joe Jin Date: Thu May 17 12:33:28 2018 -0700 xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent When run raidconfig from Dom0 we found that the Xen DMA heap is reduced, but Dom Heap is increased by the same size. Tracing raidconfig we found that the related ioctl() in megaraid_sas will call dma_alloc_coherent() to apply memory. If the memory allocated by Dom0 is not in the DMA area, it will exchange memory with Xen to meet the requiment. Later drivers call dma_free_coherent() to free the memory, on xen_swiotlb_free_coherent() the check condition (dev_addr + size - 1 <= dma_mask) is always false, it prevents calling xen_destroy_contiguous_region() to return the memory to the Xen DMA heap. This issue introduced by commit 6810df88dcfc2 "xen-swiotlb: When doing coherent alloc/dealloc check before swizzling the MFNs.". Signed-off-by: Joe Jin Tested-by: John Sobecki Reviewed-by: Rzeszutek Wilk Cc: stable@vger.kernel.org Signed-off-by: Konrad Rzeszutek Wilk drivers/xen/swiotlb-xen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d775f26b295a0a303f7a73d7da46e04296484fe7 Author: Rahul Lakkireddy Date: Fri May 18 19:13:37 2018 +0530 cxgb4: fix offset in collecting TX rate limit info Correct the indirect register offsets in collecting TX rate limit info in UP CIM logs. Also, T5 doesn't support these indirect register offsets, so remove them from collection logic. Fixes: be6e36d916b1 ("cxgb4: collect TX rate limit info in UP CIM logs") Signed-off-by: Rahul Lakkireddy Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h | 28 ++++++++--------------- 1 file changed, 9 insertions(+), 19 deletions(-) commit 44a63b137f7b6e4c7bd6c9cc21615941cb36509d Author: Paolo Abeni Date: Fri May 18 14:51:44 2018 +0200 net: sched: red: avoid hashing NULL child Hangbin reported an Oops triggered by the syzkaller qdisc rules: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Modules linked in: sch_red CPU: 0 PID: 28699 Comm: syz-executor5 Not tainted 4.17.0-rc4.kcov #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:qdisc_hash_add+0x26/0xa0 RSP: 0018:ffff8800589cf470 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff824ad971 RDX: 0000000000000007 RSI: ffffc9000ce9f000 RDI: 000000000000003c RBP: 0000000000000001 R08: ffffed000b139ea2 R09: ffff8800589cf4f0 R10: ffff8800589cf50f R11: ffffed000b139ea2 R12: ffff880054019fc0 R13: ffff880054019fb4 R14: ffff88005c0af600 R15: ffff880054019fb0 FS: 00007fa6edcb1700(0000) GS:ffff88005ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000740 CR3: 000000000fc16000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: red_change+0x2d2/0xed0 [sch_red] qdisc_create+0x57e/0xef0 tc_modify_qdisc+0x47f/0x14e0 rtnetlink_rcv_msg+0x6a8/0x920 netlink_rcv_skb+0x2a2/0x3c0 netlink_unicast+0x511/0x740 netlink_sendmsg+0x825/0xc30 sock_sendmsg+0xc5/0x100 ___sys_sendmsg+0x778/0x8e0 __sys_sendmsg+0xf5/0x1b0 do_syscall_64+0xbd/0x3b0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x450869 RSP: 002b:00007fa6edcb0c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fa6edcb16b4 RCX: 0000000000450869 RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000008778 R14: 0000000000702838 R15: 00007fa6edcb1700 Code: e9 0b fe ff ff 0f 1f 44 00 00 55 53 48 89 fb 89 f5 e8 3f 07 f3 fe 48 8d 7b 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 51 RIP: qdisc_hash_add+0x26/0xa0 RSP: ffff8800589cf470 When a red qdisc is updated with a 0 limit, the child qdisc is left unmodified, no additional scheduler is created in red_change(), the 'child' local variable is rightfully NULL and must not add it to the hash table. This change addresses the above issue moving qdisc_hash_add() right after the child qdisc creation. It additionally removes unneeded checks for noop_qdisc. Reported-by: Hangbin Liu Fixes: 49b499718fa1 ("net: sched: make default fifo qdiscs appear in the dump") Signed-off-by: Paolo Abeni Acked-by: Jiri Kosina Signed-off-by: David S. Miller net/sched/sch_red.c | 5 +++-- net/sched/sch_tbf.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) commit 9709020c86f6bf8439ca3effc58cfca49a5de192 Author: Eric Dumazet Date: Fri May 18 04:47:55 2018 -0700 sock_diag: fix use-after-free read in __sk_free We must not call sock_diag_has_destroy_listeners(sk) on a socket that has no reference on net structure. BUG: KASAN: use-after-free in sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline] BUG: KASAN: use-after-free in __sk_free+0x329/0x340 net/core/sock.c:1609 Read of size 8 at addr ffff88018a02e3a0 by task swapper/1/0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.17.0-rc5+ #54 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline] __sk_free+0x329/0x340 net/core/sock.c:1609 sk_free+0x42/0x50 net/core/sock.c:1623 sock_put include/net/sock.h:1664 [inline] reqsk_free include/net/request_sock.h:116 [inline] reqsk_put include/net/request_sock.h:124 [inline] inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:672 [inline] reqsk_timer_handler+0xe27/0x10e0 net/ipv4/inet_connection_sock.c:739 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x79e/0xc50 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1d1/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:525 [inline] smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54 RSP: 0018:ffff8801d9ae7c38 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: 1ffff1003b35cf8a RCX: 0000000000000000 RDX: 1ffffffff11a30d0 RSI: 0000000000000001 RDI: ffffffff88d18680 RBP: ffff8801d9ae7c38 R08: ffffed003b5e46c3 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 R13: ffff8801d9ae7cf0 R14: ffffffff897bef20 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0xc2/0x440 arch/x86/kernel/process.c:354 arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x395/0x560 kernel/sched/idle.c:262 cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368 start_secondary+0x426/0x5b0 arch/x86/kernel/smpboot.c:269 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242 Allocated by task 4557: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 kmem_cache_zalloc include/linux/slab.h:691 [inline] net_alloc net/core/net_namespace.c:383 [inline] copy_net_ns+0x159/0x4c0 net/core/net_namespace.c:423 create_new_namespaces+0x69d/0x8f0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206 ksys_unshare+0x708/0xf90 kernel/fork.c:2408 __do_sys_unshare kernel/fork.c:2476 [inline] __se_sys_unshare kernel/fork.c:2474 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2474 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 69: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 net_free net/core/net_namespace.c:399 [inline] net_drop_ns.part.14+0x11a/0x130 net/core/net_namespace.c:406 net_drop_ns net/core/net_namespace.c:405 [inline] cleanup_net+0x6a1/0xb20 net/core/net_namespace.c:541 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279 kthread+0x345/0x410 kernel/kthread.c:240 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 The buggy address belongs to the object at ffff88018a02c140 which belongs to the cache net_namespace of size 8832 The buggy address is located 8800 bytes inside of 8832-byte region [ffff88018a02c140, ffff88018a02e3c0) The buggy address belongs to the page: page:ffffea0006280b00 count:1 mapcount:0 mapping:ffff88018a02c140 index:0x0 compound_mapcount: 0 flags: 0x2fffc0000008100(slab|head) raw: 02fffc0000008100 ffff88018a02c140 0000000000000000 0000000100000001 raw: ffffea00062a1320 ffffea0006268020 ffff8801d9bdde40 0000000000000000 page dumped because: kasan: bad access detected Fixes: b922622ec6ef ("sock_diag: don't broadcast kernel sockets") Signed-off-by: Eric Dumazet Cc: Craig Gallek Reported-by: syzbot Signed-off-by: David S. Miller net/core/sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b16a960ddbf0d4fd6aaabee42d7ec4c4c3ec836d Author: Geert Uytterhoeven Date: Fri May 18 12:52:51 2018 +0200 sh_eth: Change platform check to CONFIG_ARCH_RENESAS Since commit 9b5ba0df4ea4f940 ("ARM: shmobile: Introduce ARCH_RENESAS") is CONFIG_ARCH_RENESAS a more appropriate platform check than the legacy CONFIG_ARCH_SHMOBILE, hence use the former. Renesas SuperH SH-Mobile SoCs are still covered by the CONFIG_CPU_SH4 check. This will allow to drop ARCH_SHMOBILE on ARM and ARM64 in the near future. Signed-off-by: Geert Uytterhoeven Acked-by: Arnd Bergmann Acked-by: Sergei Shtylyov Reviewed-by: Simon Horman Signed-off-by: David S. Miller drivers/net/ethernet/renesas/sh_eth.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2c71d338bef2cc8a2e5f8ebe70788eeff246fcd8 Merge: d315482 c1d2a31 Author: Linus Torvalds Date: Fri May 18 10:24:03 2018 -0700 Merge tag 'powerpc-4.17-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Just three commits. The two cxl ones are not fixes per se, but they modify code that was added this cycle so that it will work with a recent firmware change. And then a fix for a recent commit that added sleeps in the NVRAM code, which needs to be more careful and not sleep if eg. we're called in the panic() path. Thanks to Nicholas Piggin, Philippe Bergheaud, Christophe Lombard" * tag 'powerpc-4.17-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv: Fix NVRAM sleep in invalid context when crashing cxl: Report the tunneled operations status cxl: Set the PBCQ Tunnel BAR register when enabling capi mode commit d3154821686531964735a17ee0466c832e69d6d5 Merge: 477e2c6 7b34c0f Author: Linus Torvalds Date: Fri May 18 10:21:03 2018 -0700 Merge tag 'acpi-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Fix an ACPICA regression introduced in this cycle and related to the handling of package objects loaded by the Load and loadTable AML operators that are not initialized properly after recent changes (Bob Moore)" * tag 'acpi-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPICA: Add deferred package support for the Load and loadTable operators commit 477e2c6f34a4c7c6dd9d796420979214c5b4ade7 Merge: 0e273f9 0cf442c Author: Linus Torvalds Date: Fri May 18 10:14:42 2018 -0700 Merge tag 'pm-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Fix Kconfig dependencies of the armada-37xx cpufreq driver (Miquel Raynal)" * tag 'pm-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: armada-37xx: driver relies on cpufreq-dt commit 0e273f9edcea9b6893aed90b4ccf8b400dd838ea Merge: 61c2ad9 c171654 Author: Linus Torvalds Date: Fri May 18 10:12:30 2018 -0700 Merge tag 'usb-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some USB driver fixes fro 4.17-rc6. They resolve some reported bugs in the musb driver, the xhci driver, and a number of small fixes for the usbip driver. All of these have been in linux-next with no reported issues" * tag 'usb-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usbip: usbip_host: fix bad unlock balance during stub_probe() usbip: usbip_host: fix NULL-ptr deref and use-after-free errors usbip: usbip_host: run rebind from exit when module is removed usbip: usbip_host: delete device from busid_table after rebind usbip: usbip_host: refine probe and disconnect debug msgs to be useful usb: musb: fix remote wakeup racing with suspend xhci: Fix USB3 NULL pointer dereference at logical disconnect. commit 61c2ad9a2e223962735b6ff6a5de85f1adcc892b Merge: 8ccaecd 1c1a2ee Author: Linus Torvalds Date: Fri May 18 10:10:43 2018 -0700 Merge tag 'for-linus-20180518' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Single fix this time, from Coly, fixing a failure case when CONFIG_DEBUGFS isn't enabled" * tag 'for-linus-20180518' of git://git.kernel.dk/linux-block: bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n commit 8ccaecd014bcb52cd6651fb8be15dca6e6b9e04f Merge: 163ced6 bc519d9 Author: Linus Torvalds Date: Fri May 18 10:09:20 2018 -0700 Merge tag 'spi-fix-v4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A small collection of fixes accumilated since the merge window, all fairly small and driver specific" * tag 'spi-fix-v4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: bcm2835aux: ensure interrupts are enabled for shared handler spi: bcm-qspi: Always read and set BSPI_MAST_N_BOOT_CTRL spi: bcm-qspi: Avoid setting MSPI_CDRAM_PCS for spi-nor master spi: pxa2xx: Allow 64-bit DMA spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR spi: imx: Update MODULE_DESCRIPTION to "SPI Controller driver" commit 163ced613c37a504f8ed94676fd21c85183d8e8c Merge: d90eb18 9f825e7 Author: Linus Torvalds Date: Fri May 18 09:58:29 2018 -0700 Merge tag 'mtd/fixes-for-4.17-rc6' of git://git.infradead.org/linux-mtd Pull mtd fixes from Boris Brezillon: "NAND fixes: - Fix read path of the Marvell NAND driver - Make sure we don't pass a u64 to ndelay() CFI fix: - Fix the map_word_andequal() implementation" * tag 'mtd/fixes-for-4.17-rc6' of git://git.infradead.org/linux-mtd: mtd: rawnand: Fix return type of __DIVIDE() when called with 32-bit mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2 mtd: Fix comparison in map_word_andequal() commit d90eb183e3d1ee82563a5f46db7ddfd73dbfbff9 Merge: 3acf4e3 1827cad Author: Linus Torvalds Date: Fri May 18 09:24:52 2018 -0700 Merge tag 'drm-fixes-for-v4.17-rc6' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Pretty quiet week again: one vmwgfx regression fix, one core buffer overflow fix, one vc4 leak fix and three i915 fixes" * tag 'drm-fixes-for-v4.17-rc6' of git://people.freedesktop.org/~airlied/linux: drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful drm/vc4: Fix leak of the file_priv that stored the perfmon. drm/i915/execlists: Use rmb() to order CSB reads drm/i915/userptr: reject zero user_size drm: Match sysfs name in link removal to link creation commit 5447d78623da2eded06d4cd9469d1a71eba43bc4 Author: Florian Fainelli Date: Thu May 17 16:55:39 2018 -0700 net: dsa: Do not register devlink for unused ports Even if commit 1d27732f411d ("net: dsa: setup and teardown ports") indicated that registering a devlink instance for unused ports is not a problem, and this is true, this can be confusing nonetheless, so let's not do it. Fixes: 1d27732f411d ("net: dsa: setup and teardown ports") Reported-by: Jiri Pirko Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller net/dsa/dsa2.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 6358d49ac23995fdfe157cc8747ab0f274d3954b Author: Amritha Nambiar Date: Thu May 17 14:50:44 2018 -0700 net: Fix a bug in removing queues from XPS map While removing queues from the XPS map, the individual CPU ID alone was used to index the CPUs map, this should be changed to also factor in the traffic class mapping for the CPU-to-queue lookup. Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes") Signed-off-by: Amritha Nambiar Acked-by: Alexander Duyck Signed-off-by: David S. Miller net/core/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a45b599ad808c3c982fdcdc12b0b8611c2f92824 Author: Alexander Potapenko Date: Fri May 18 16:23:18 2018 +0200 scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() This shall help avoid copying uninitialized memory to the userspace when calling ioctl(fd, SG_IO) with an empty command. Reported-by: syzbot+7d26fc1eea198488deab@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Alexander Potapenko Acked-by: Douglas Gilbert Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen drivers/scsi/sg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8a922814ccfed70d35a725f47c0bf12b50fd223c Author: Helge Deller Date: Fri May 18 16:16:34 2018 +0200 parisc: Move ccio_cujo20_fixup() into init section ccio_cujo20_fixup() is called by dino_probe() only, which is in init section already. Signed-off-by: Helge Deller drivers/parisc/ccio-dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 01f56832cfb6fcc204e7203f46841b6185ebd574 Author: Helge Deller Date: Fri May 18 16:12:12 2018 +0200 parisc: Move setup_profiling_timer() out of init section No other architecture has setup_profiling_timer() in the init section, thus on parisc we face this section mismatch warning: Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer() Signed-off-by: Helge Deller arch/parisc/kernel/smp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 3faf5246f0cd2c1fe82a2c4ba5ad857fa6941909 Author: Helge Deller Date: Fri May 18 16:08:10 2018 +0200 parisc: Move find_pa_parent_type() out of init section The 0-DAY kernel test infrastructure reported that inet_put_port() may reference the find_pa_parent_type() function, so it can't be moved into the init section. Fixes: b86db40e1ecc ("parisc: Move various functions and strings to init section") Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab Author: Konrad Rzeszutek Wilk Date: Wed May 16 23:18:09 2018 -0400 x86/bugs: Rename SSBD_NO to SSB_NO The "336996 Speculative Execution Side Channel Mitigations" from May defines this as SSB_NO, hence lets sync-up. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner arch/x86/include/asm/msr-index.h | 2 +- arch/x86/kernel/cpu/common.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 1d6741d86429a294f51f2773c751c8f7662e7ca2 Author: Bob Copeland Date: Thu May 17 09:09:28 2018 -0400 mac80211: mesh: fix premature update of rc stats The mesh_neighbour_update() function, queued via beacon rx, can race with userspace creating the same station. If the station already exists by the time mesh_neighbour_update() is called, the function wrongly assumes rate control has been initialized and calls rate_control_rate_update(), which in turn calls into the driver. Updating the rate control before it has been initialized can cause a crash in some drivers, for example this firmware crash in ath10k due to sta->rx_nss being 0: [ 3078.088247] mesh0: Inserted STA 5c:e2:8c:f1:ab:ba [ 3078.258407] ath10k_pci 0000:0d:00.0: firmware crashed! (uuid d6ed5961-93cc-4d61-803f-5eda55bb8643) [ 3078.258421] ath10k_pci 0000:0d:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000 [ 3078.258426] ath10k_pci 0000:0d:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 0 testmode 0 [ 3078.258608] ath10k_pci 0000:0d:00.0: firmware ver 10.2.4.70.59-2 api 5 features no-p2p,raw-mode,mfp crc32 4159f498 [ 3078.258613] ath10k_pci 0000:0d:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08 [ 3078.258617] ath10k_pci 0000:0d:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1 [ 3078.260627] ath10k_pci 0000:0d:00.0: firmware register dump: [ 3078.260640] ath10k_pci 0000:0d:00.0: [00]: 0x4100016C 0x000015B3 0x009A31BB 0x00955B31 [ 3078.260647] ath10k_pci 0000:0d:00.0: [04]: 0x009A31BB 0x00060130 0x00000008 0x00000007 [ 3078.260652] ath10k_pci 0000:0d:00.0: [08]: 0x00000000 0x00955B31 0x00000000 0x0040F89E [ 3078.260656] ath10k_pci 0000:0d:00.0: [12]: 0x00000009 0xFFFFFFFF 0x009580F5 0x00958117 [ 3078.260660] ath10k_pci 0000:0d:00.0: [16]: 0x00958080 0x0094085D 0x00000000 0x00000000 [ 3078.260664] ath10k_pci 0000:0d:00.0: [20]: 0x409A31BB 0x0040AA84 0x00000002 0x00000001 [ 3078.260669] ath10k_pci 0000:0d:00.0: [24]: 0x809A2B8D 0x0040AAE4 0x00000088 0xC09A31BB [ 3078.260673] ath10k_pci 0000:0d:00.0: [28]: 0x809898C8 0x0040AB04 0x0043F91C 0x009C6458 [ 3078.260677] ath10k_pci 0000:0d:00.0: [32]: 0x809B66AC 0x0040AB34 0x009C6458 0x0043F91C [ 3078.260686] ath10k_pci 0000:0d:00.0: [36]: 0x809B2824 0x0040ADA4 0x00400000 0x00416EB4 [ 3078.260692] ath10k_pci 0000:0d:00.0: [40]: 0x809C07D9 0x0040ADE4 0x0040AE08 0x00412028 [ 3078.260696] ath10k_pci 0000:0d:00.0: [44]: 0x809486FA 0x0040AE04 0x00000001 0x00000000 [ 3078.260700] ath10k_pci 0000:0d:00.0: [48]: 0x80948E2C 0x0040AEA4 0x0041F4F0 0x00412634 [ 3078.260704] ath10k_pci 0000:0d:00.0: [52]: 0x809BFC39 0x0040AEC4 0x0041F4F0 0x00000001 [ 3078.260709] ath10k_pci 0000:0d:00.0: [56]: 0x80940F18 0x0040AF14 0x00000010 0x00403AC0 [ 3078.284130] ath10k_pci 0000:0d:00.0: failed to to request monitor vdev 1 stop: -108 Fix this by checking whether the sta has already initialized rate control using the flag for that purpose. We can also drop the unnecessary insert parameter here. Signed-off-by: Bob Copeland Signed-off-by: Johannes Berg net/mac80211/mesh_plink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 1039d08100e58f016a814347baadb77bf8dd21ab Author: Dedy Lansky Date: Thu May 17 16:25:03 2018 +0300 nl80211: fix nlmsg allocation in cfg80211_ft_event Allocation size of nlmsg in cfg80211_ft_event is based on ric_ies_len and doesn't take into account ies_len. This leads to NL80211_CMD_FT_EVENT message construction failure in case ft_event contains large enough ies buffer. Add ies_len to the nlmsg allocation size. Signed-off-by: Dedy Lansky Signed-off-by: Johannes Berg net/wireless/nl80211.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 814596495dd2b9d4aab92d8f89cf19060d25d2ea Author: Eric Biggers Date: Mon May 14 20:09:24 2018 -0700 cfg80211: further limit wiphy names to 64 bytes wiphy names were recently limited to 128 bytes by commit a7cfebcb7594 ("cfg80211: limit wiphy names to 128 bytes"). As it turns out though, this isn't sufficient because dev_vprintk_emit() needs the syslog header string "SUBSYSTEM=ieee80211\0DEVICE=+ieee80211:$devname" to fit into 128 bytes. This triggered the "device/subsystem name too long" WARN when the device name was >= 90 bytes. As before, this was reproduced by syzbot by sending an HWSIM_CMD_NEW_RADIO command to the MAC80211_HWSIM generic netlink family. Fix it by further limiting wiphy names to 64 bytes. Reported-by: syzbot+e64565577af34b3768dc@syzkaller.appspotmail.com Fixes: a7cfebcb7594 ("cfg80211: limit wiphy names to 128 bytes") Signed-off-by: Eric Biggers Signed-off-by: Johannes Berg include/uapi/linux/nl80211.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cd33d8803bfa3f5e6e5d7a4bb03fc8cc32c40fb6 Author: Sebastian Andrzej Siewior Date: Tue May 15 18:53:28 2018 +0200 sched/fair: Fix documentation file path The 'tip' prefix probably referred to the -tip tree and is not required, remove it. Signed-off-by: Sebastian Andrzej Siewior Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Paul Turner Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180515165328.24899-1-bigeasy@linutronix.de Signed-off-by: Ingo Molnar init/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3febfc8a219a036633b57a34c6678e21b6a0580d Author: Mathieu Malaterre Date: Wed May 16 22:09:02 2018 +0200 sched/deadline: Make the grub_reclaim() function static Since the grub_reclaim() function can be made static, make it so. Silences the following GCC warning (W=1): kernel/sched/deadline.c:1120:5: warning: no previous prototype for ‘grub_reclaim’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180516200902.959-1-malat@debian.org Signed-off-by: Ingo Molnar kernel/sched/deadline.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f6a3463063f42d9fb2c78f386437a822e0ad1792 Author: Mathieu Malaterre Date: Wed May 16 21:53:47 2018 +0200 sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h In the following commit: 6b55c9654fcc ("sched/debug: Move print_cfs_rq() declaration to kernel/sched/sched.h") the print_cfs_rq() prototype was added to , right next to the prototypes for print_cfs_stats(), print_rt_stats() and print_dl_stats(). Finish this previous commit and also move related prototypes for print_rt_rq() and print_dl_rq(). Remove existing extern declarations now that they not needed anymore. Silences the following GCC warning, triggered by W=1: kernel/sched/debug.c:573:6: warning: no previous prototype for ‘print_rt_rq’ [-Wmissing-prototypes] kernel/sched/debug.c:603:6: warning: no previous prototype for ‘print_dl_rq’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Srikar Dronamraju Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180516195348.30426-1-malat@debian.org Signed-off-by: Ingo Molnar kernel/sched/deadline.c | 2 -- kernel/sched/rt.c | 2 -- kernel/sched/sched.h | 5 +++-- 3 files changed, 3 insertions(+), 6 deletions(-) commit 3ae180972564846e6d794e3615e1ab0a1e6c4ef9 Author: Ben Hutchings Date: Thu May 17 22:34:39 2018 +0100 ALSA: timer: Fix pause event notification Commit f65e0d299807 ("ALSA: timer: Call notifier in the same spinlock") combined the start/continue and stop/pause functions, and in doing so changed the event code for the pause case to SNDRV_TIMER_EVENT_CONTINUE. Change it back to SNDRV_TIMER_EVENT_PAUSE. Fixes: f65e0d299807 ("ALSA: timer: Call notifier in the same spinlock") Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai sound/core/timer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit faf37c44a105f3608115785f17cbbf3500f8bc71 Author: Michael Neuling Date: Fri May 18 11:37:42 2018 +1000 powerpc/64s: Clear PCR on boot Clear the PCR (Processor Compatibility Register) on boot to ensure we are not running in a compatibility mode. We've seen this cause problems when a crash (and kdump) occurs while running compat mode guests. The kdump kernel then runs with the PCR set and causes problems. The symptom in the kdump kernel (also seen in petitboot after fast-reboot) is early userspace programs taking sigills on newer instructions (seen in libc). Signed-off-by: Michael Neuling Cc: stable@vger.kernel.org Signed-off-by: Michael Ellerman arch/powerpc/kernel/cpu_setup_power.S | 6 ++++++ arch/powerpc/kernel/dt_cpu_ftrs.c | 1 + 2 files changed, 7 insertions(+) commit d8de7565735af5a95057c83eedb38e36cfaa04b5 Author: Philipp Rudo Date: Wed May 16 14:06:32 2018 +0200 s390/purgatory: Fix endless interrupt loop New compilers use the floating-point registers as spill registers when there is high register pressure. In the purgatory however, the afp control bit is not set. This leads to an exception whenever a floating-point instruction is used, which again causes an interrupt loop. Forbid the compiler to use floating-point instructions by adding -msoft-float to KBUILD_CFLAGS. Signed-off-by: Philipp Rudo Fixes: 840798a1f529 (s390/kexec_file: Add purgatory) Reviewed-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky arch/s390/purgatory/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6caf9fb3bda17df59de4ed6ed4950c43ca1361e3 Merge: 113f99c 050fad7 Author: David S. Miller Date: Thu May 17 23:33:52 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2018-05-18 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix two bugs in sockmap, a use after free in sockmap's error path from sock_map_ctx_update_elem() where we mistakenly drop a reference we didn't take prior to that, and in the same function fix a race in bpf_prog_inc_not_zero() where we didn't use the progs from prior READ_ONCE(), from John. 2) Reject program expansions once we figure out that their jump target which crosses patchlet boundaries could otherwise get truncated in insn->off space, from Daniel. 3) Check the return value of fopen() in BPF selftest's test_verifier where we determine whether unpriv BPF is disabled, and iff we do fail there then just assume it is disabled. This fixes a segfault when used with older kernels, from Jesper. ==================== Signed-off-by: David S. Miller commit 1827cad96d624ec127853a71cb931c74024e57d6 Merge: bc91d18 b579f92 Author: Dave Airlie Date: Fri May 18 12:01:49 2018 +1000 Merge tag 'drm-intel-fixes-2018-05-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Userptr IOCTL zero size check (Matt) - Two hardware quirk fixes (Michel & Chris) * tag 'drm-intel-fixes-2018-05-17' of git://anongit.freedesktop.org/drm/drm-intel: drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk drm/i915/execlists: Use rmb() to order CSB reads drm/i915/userptr: reject zero user_size commit 050fad7c4534c13c8eb1d9c2ba66012e014773cb Author: Daniel Borkmann Date: Thu May 17 01:44:11 2018 +0200 bpf: fix truncated jump targets on heavy expansions Recently during testing, I ran into the following panic: [ 207.892422] Internal error: Accessing user space memory outside uaccess.h routines: 96000004 [#1] SMP [ 207.901637] Modules linked in: binfmt_misc [...] [ 207.966530] CPU: 45 PID: 2256 Comm: test_verifier Tainted: G W 4.17.0-rc3+ #7 [ 207.974956] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB18A 03/31/2017 [ 207.982428] pstate: 60400005 (nZCv daif +PAN -UAO) [ 207.987214] pc : bpf_skb_load_helper_8_no_cache+0x34/0xc0 [ 207.992603] lr : 0xffff000000bdb754 [ 207.996080] sp : ffff000013703ca0 [ 207.999384] x29: ffff000013703ca0 x28: 0000000000000001 [ 208.004688] x27: 0000000000000001 x26: 0000000000000000 [ 208.009992] x25: ffff000013703ce0 x24: ffff800fb4afcb00 [ 208.015295] x23: ffff00007d2f5038 x22: ffff00007d2f5000 [ 208.020599] x21: fffffffffeff2a6f x20: 000000000000000a [ 208.025903] x19: ffff000009578000 x18: 0000000000000a03 [ 208.031206] x17: 0000000000000000 x16: 0000000000000000 [ 208.036510] x15: 0000ffff9de83000 x14: 0000000000000000 [ 208.041813] x13: 0000000000000000 x12: 0000000000000000 [ 208.047116] x11: 0000000000000001 x10: ffff0000089e7f18 [ 208.052419] x9 : fffffffffeff2a6f x8 : 0000000000000000 [ 208.057723] x7 : 000000000000000a x6 : 00280c6160000000 [ 208.063026] x5 : 0000000000000018 x4 : 0000000000007db6 [ 208.068329] x3 : 000000000008647a x2 : 19868179b1484500 [ 208.073632] x1 : 0000000000000000 x0 : ffff000009578c08 [ 208.078938] Process test_verifier (pid: 2256, stack limit = 0x0000000049ca7974) [ 208.086235] Call trace: [ 208.088672] bpf_skb_load_helper_8_no_cache+0x34/0xc0 [ 208.093713] 0xffff000000bdb754 [ 208.096845] bpf_test_run+0x78/0xf8 [ 208.100324] bpf_prog_test_run_skb+0x148/0x230 [ 208.104758] sys_bpf+0x314/0x1198 [ 208.108064] el0_svc_naked+0x30/0x34 [ 208.111632] Code: 91302260 f9400001 f9001fa1 d2800001 (29500680) [ 208.117717] ---[ end trace 263cb8a59b5bf29f ]--- The program itself which caused this had a long jump over the whole instruction sequence where all of the inner instructions required heavy expansions into multiple BPF instructions. Additionally, I also had BPF hardening enabled which requires once more rewrites of all constant values in order to blind them. Each time we rewrite insns, bpf_adj_branches() would need to potentially adjust branch targets which cross the patchlet boundary to accommodate for the additional delta. Eventually that lead to the case where the target offset could not fit into insn->off's upper 0x7fff limit anymore where then offset wraps around becoming negative (in s16 universe), or vice versa depending on the jump direction. Therefore it becomes necessary to detect and reject any such occasions in a generic way for native eBPF and cBPF to eBPF migrations. For the latter we can simply check bounds in the bpf_convert_filter()'s BPF_EMIT_JMP helper macro and bail out once we surpass limits. The bpf_patch_insn_single() for native eBPF (and cBPF to eBPF in case of subsequent hardening) is a bit more complex in that we need to detect such truncations before hitting the bpf_prog_realloc(). Thus the latter is split into an extra pass to probe problematic offsets on the original program in order to fail early. With that in place and carefully tested I no longer hit the panic and the rewrites are rejected properly. The above example panic I've seen on bpf-next, though the issue itself is generic in that a guard against this issue in bpf seems more appropriate in this case. Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov kernel/bpf/core.c | 100 ++++++++++++++++++++++++++++++++++++++++-------------- net/core/filter.c | 11 ++++-- 2 files changed, 84 insertions(+), 27 deletions(-) commit 3acf4e395260e3bd30a6fa29ba7eada4bf7566ca Merge: 58ddfe6 3b03162 Author: Linus Torvalds Date: Thu May 17 15:58:12 2018 -0700 Merge tag 'hwmon-for-linus-v4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "Two k10temp fixes: - fix race condition when accessing System Management Network registers - fix reading critical temperatures on F15h M60h and M70h Also add PCI ID's for the AMD Raven Ridge root bridge" * tag 'hwmon-for-linus-v4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (k10temp) Use API function to access System Management Network x86/amd_nb: Add support for Raven Ridge CPUs hwmon: (k10temp) Fix reading critical temperature register commit 9617456054a6160f5e11e892b713fade78aea2e9 Author: John Fastabend Date: Thu May 17 14:06:40 2018 -0700 bpf: parse and verdict prog attach may race with bpf map update In the sockmap design BPF programs (SK_SKB_STREAM_PARSER, SK_SKB_STREAM_VERDICT and SK_MSG_VERDICT) are attached to the sockmap map type and when a sock is added to the map the programs are used by the socket. However, sockmap updates from both userspace and BPF programs can happen concurrently with the attach and detach of these programs. To resolve this we use the bpf_prog_inc_not_zero and a READ_ONCE() primitive to ensure the program pointer is not refeched and possibly NULL'd before the refcnt increment. This happens inside a RCU critical section so although the pointer reference in the map object may be NULL (by a concurrent detach operation) the reference from READ_ONCE will not be free'd until after grace period. This ensures the object returned by READ_ONCE() is valid through the RCU criticl section and safe to use as long as we "know" it may be free'd shortly. Daniel spotted a case in the sock update API where instead of using the READ_ONCE() program reference we used the pointer from the original map, stab->bpf_{verdict|parse|txmsg}. The problem with this is the logic checks the object returned from the READ_ONCE() is not NULL and then tries to reference the object again but using the above map pointer, which may have already been NULL'd by a parallel detach operation. If this happened bpf_porg_inc_not_zero could dereference a NULL pointer. Fix this by using variable returned by READ_ONCE() that is checked for NULL. Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support") Reported-by: Daniel Borkmann Signed-off-by: John Fastabend Acked-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann kernel/bpf/sockmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit a593f70831b68740fb7db69e0556ca72dac8c7a8 Author: John Fastabend Date: Thu May 17 14:06:35 2018 -0700 bpf: sockmap update rollback on error can incorrectly dec prog refcnt If the user were to only attach one of the parse or verdict programs then it is possible a subsequent sockmap update could incorrectly decrement the refcnt on the program. This happens because in the rollback logic, after an error, we have to decrement the program reference count when its been incremented. However, we only increment the program reference count if the user has both a verdict and a parse program. The reason for this is because, at least at the moment, both are required for any one to be meaningful. The problem fixed here is in the rollback path we decrement the program refcnt even if only one existing. But we never incremented the refcnt in the first place creating an imbalance. This patch fixes the error path to handle this case. Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support") Reported-by: Daniel Borkmann Signed-off-by: John Fastabend Acked-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann kernel/bpf/sockmap.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 113f99c3358564a0647d444c2ae34e8b1abfd5b9 Author: Willem de Bruijn Date: Thu May 17 13:13:29 2018 -0400 net: test tailroom before appending to linear skb Device features may change during transmission. In particular with corking, a device may toggle scatter-gather in between allocating and writing to an skb. Do not unconditionally assume that !NETIF_F_SG at write time implies that the same held at alloc time and thus the skb has sufficient tailroom. This issue predates git history. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Eric Dumazet Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_output.c | 3 ++- net/ipv6/ip6_output.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 374edea4aaedb92964d35f68318c094b6d5c0f63 Merge: 02f99df 2d66503 Author: David S. Miller Date: Thu May 17 16:50:20 2018 -0400 Merge branch 'ip6_gre-Fixes-in-headroom-handling' Petr Machata says: ==================== net: ip6_gre: Fixes in headroom handling This series mends some problems in headroom management in ip6_gre module. The current code base has the following three closely-related problems: - ip6gretap tunnels neglect to ensure there's enough writable headroom before pushing GRE headers. - ip6erspan does this, but assumes that dev->needed_headroom is primed. But that doesn't happen until ip6_tnl_xmit() is called later. Thus for the first packet, ip6erspan actually behaves like ip6gretap above. - ip6erspan shares some of the code with ip6gretap, including calculations of needed header length. While there is custom ERSPAN-specific code for calculating the headroom, the computed values are overwritten by the ip6gretap code. The first two issues lead to a kernel panic in situations where a packet is mirrored from a veth device to the device in question. They are fixed, respectively, in patches #1 and #2, which include the full panic trace and a reproducer. The rest of the patchset deals with the last issue. In patches #3 to #6, several functions are split up into reusable parts. Finally in patch #7 these blocks are used to compose ERSPAN-specific callbacks where necessary to fix the hlen calculation. ==================== Signed-off-by: David S. Miller commit 2d665034f239412927b1e71329f20f001c92da09 Author: Petr Machata Date: Thu May 17 16:36:51 2018 +0200 net: ip6_gre: Fix ip6erspan hlen calculation Even though ip6erspan_tap_init() sets up hlen and tun_hlen according to what ERSPAN needs, it goes ahead to call ip6gre_tnl_link_config() which overwrites these settings with GRE-specific ones. Similarly for changelink callbacks, which are handled by ip6gre_changelink() calls ip6gre_tnl_change() calls ip6gre_tnl_link_config() as well. The difference ends up being 12 vs. 20 bytes, and this is generally not a problem, because a 12-byte request likely ends up allocating more and the extra 8 bytes are thus available. However correct it is not. So replace the newlink and changelink callbacks with an ERSPAN-specific ones, reusing the newly-introduced _common() functions. Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 65 insertions(+), 9 deletions(-) commit c8632fc30bb03aa0c3bd7bcce85355a10feb8149 Author: Petr Machata Date: Thu May 17 16:36:45 2018 +0200 net: ip6_gre: Split up ip6gre_changelink() Extract from ip6gre_changelink() a reusable function ip6gre_changelink_common(). This will allow introduction of ERSPAN-specific _changelink() function with not a lot of code duplication. Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) commit 7fa38a7c852ec99e3a7fc375eb2c21c50c2e46b8 Author: Petr Machata Date: Thu May 17 16:36:39 2018 +0200 net: ip6_gre: Split up ip6gre_newlink() Extract from ip6gre_newlink() a reusable function ip6gre_newlink_common(). The ip6gre_tnl_link_config() call needs to be made customizable for ERSPAN, thus reorder it with calls to ip6_tnl_change_mtu() and dev_hold(), and extract the whole tail to the caller, ip6gre_newlink(). Thus enable an ERSPAN-specific _newlink() function without a lot of duplicity. Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) commit a6465350ef495f5cbd76a3e505d25a01d648477e Author: Petr Machata Date: Thu May 17 16:36:33 2018 +0200 net: ip6_gre: Split up ip6gre_tnl_change() Split a reusable function ip6gre_tnl_copy_tnl_parm() from ip6gre_tnl_change(). This will allow ERSPAN-specific code to reuse the common parts while customizing the behavior for ERSPAN. Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit a483373ead61e6079bc8ebe27e2dfdb2e3c1559f Author: Petr Machata Date: Thu May 17 16:36:27 2018 +0200 net: ip6_gre: Split up ip6gre_tnl_link_config() The function ip6gre_tnl_link_config() is used for setting up configuration of both ip6gretap and ip6erspan tunnels. Split the function into the common part and the route-lookup part. The latter then takes the calculated header length as an argument. This split will allow the patches down the line to sneak in a custom header length computation for the ERSPAN tunnel. Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) commit 5691484df961aff897d824bcc26cd1a2aa036b5b Author: Petr Machata Date: Thu May 17 16:36:15 2018 +0200 net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit() dev->needed_headroom is not primed until ip6_tnl_xmit(), so it starts out zero. Thus the call to skb_cow_head() fails to actually make sure there's enough headroom to push the ERSPAN headers to. That can lead to the panic cited below. (Reproducer below that). Fix by requesting either needed_headroom if already primed, or just the bare minimum needed for the header otherwise. [ 190.703567] kernel BUG at net/core/skbuff.c:104! [ 190.708384] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 190.714007] Modules linked in: act_mirred cls_matchall ip6_gre ip6_tunnel tunnel6 gre sch_ingress vrf veth x86_pkg_temp_thermal mlx_platform nfsd e1000e leds_mlxcpld [ 190.728975] CPU: 1 PID: 959 Comm: kworker/1:2 Not tainted 4.17.0-rc4-net_master-custom-139 #10 [ 190.737647] Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2F"/"SA000874", BIOS 4.6.5 03/08/2016 [ 190.747006] Workqueue: ipv6_addrconf addrconf_dad_work [ 190.752222] RIP: 0010:skb_panic+0xc3/0x100 [ 190.756358] RSP: 0018:ffff8801d54072f0 EFLAGS: 00010282 [ 190.761629] RAX: 0000000000000085 RBX: ffff8801c1a8ecc0 RCX: 0000000000000000 [ 190.768830] RDX: 0000000000000085 RSI: dffffc0000000000 RDI: ffffed003aa80e54 [ 190.776025] RBP: ffff8801bd1ec5a0 R08: ffffed003aabce19 R09: ffffed003aabce19 [ 190.783226] R10: 0000000000000001 R11: ffffed003aabce18 R12: ffff8801bf695dbe [ 190.790418] R13: 0000000000000084 R14: 00000000000006c0 R15: ffff8801bf695dc8 [ 190.797621] FS: 0000000000000000(0000) GS:ffff8801d5400000(0000) knlGS:0000000000000000 [ 190.805786] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.811582] CR2: 000055fa929aced0 CR3: 0000000003228004 CR4: 00000000001606e0 [ 190.818790] Call Trace: [ 190.821264] [ 190.823314] ? ip6erspan_tunnel_xmit+0x5e4/0x1982 [ip6_gre] [ 190.828940] ? ip6erspan_tunnel_xmit+0x5e4/0x1982 [ip6_gre] [ 190.834562] skb_push+0x78/0x90 [ 190.837749] ip6erspan_tunnel_xmit+0x5e4/0x1982 [ip6_gre] [ 190.843219] ? ip6gre_tunnel_ioctl+0xd90/0xd90 [ip6_gre] [ 190.848577] ? debug_check_no_locks_freed+0x210/0x210 [ 190.853679] ? debug_check_no_locks_freed+0x210/0x210 [ 190.858783] ? print_irqtrace_events+0x120/0x120 [ 190.863451] ? sched_clock_cpu+0x18/0x210 [ 190.867496] ? cyc2ns_read_end+0x10/0x10 [ 190.871474] ? skb_network_protocol+0x76/0x200 [ 190.875977] dev_hard_start_xmit+0x137/0x770 [ 190.880317] ? do_raw_spin_trylock+0x6d/0xa0 [ 190.884624] sch_direct_xmit+0x2ef/0x5d0 [ 190.888589] ? pfifo_fast_dequeue+0x3fa/0x670 [ 190.892994] ? pfifo_fast_change_tx_queue_len+0x810/0x810 [ 190.898455] ? __lock_is_held+0xa0/0x160 [ 190.902422] __qdisc_run+0x39e/0xfc0 [ 190.906041] ? _raw_spin_unlock+0x29/0x40 [ 190.910090] ? pfifo_fast_enqueue+0x24b/0x3e0 [ 190.914501] ? sch_direct_xmit+0x5d0/0x5d0 [ 190.918658] ? pfifo_fast_dequeue+0x670/0x670 [ 190.923047] ? __dev_queue_xmit+0x172/0x1770 [ 190.927365] ? preempt_count_sub+0xf/0xd0 [ 190.931421] __dev_queue_xmit+0x410/0x1770 [ 190.935553] ? ___slab_alloc+0x605/0x930 [ 190.939524] ? print_irqtrace_events+0x120/0x120 [ 190.944186] ? memcpy+0x34/0x50 [ 190.947364] ? netdev_pick_tx+0x1c0/0x1c0 [ 190.951428] ? __skb_clone+0x2fd/0x3d0 [ 190.955218] ? __copy_skb_header+0x270/0x270 [ 190.959537] ? rcu_read_lock_sched_held+0x93/0xa0 [ 190.964282] ? kmem_cache_alloc+0x344/0x4d0 [ 190.968520] ? cyc2ns_read_end+0x10/0x10 [ 190.972495] ? skb_clone+0x123/0x230 [ 190.976112] ? skb_split+0x820/0x820 [ 190.979747] ? tcf_mirred+0x554/0x930 [act_mirred] [ 190.984582] tcf_mirred+0x554/0x930 [act_mirred] [ 190.989252] ? tcf_mirred_act_wants_ingress.part.2+0x10/0x10 [act_mirred] [ 190.996109] ? __lock_acquire+0x706/0x26e0 [ 191.000239] ? sched_clock_cpu+0x18/0x210 [ 191.004294] tcf_action_exec+0xcf/0x2a0 [ 191.008179] tcf_classify+0xfa/0x340 [ 191.011794] __netif_receive_skb_core+0x8e1/0x1c60 [ 191.016630] ? debug_check_no_locks_freed+0x210/0x210 [ 191.021732] ? nf_ingress+0x500/0x500 [ 191.025458] ? process_backlog+0x347/0x4b0 [ 191.029619] ? print_irqtrace_events+0x120/0x120 [ 191.034302] ? lock_acquire+0xd8/0x320 [ 191.038089] ? process_backlog+0x1b6/0x4b0 [ 191.042246] ? process_backlog+0xc2/0x4b0 [ 191.046303] process_backlog+0xc2/0x4b0 [ 191.050189] net_rx_action+0x5cc/0x980 [ 191.053991] ? napi_complete_done+0x2c0/0x2c0 [ 191.058386] ? mark_lock+0x13d/0xb40 [ 191.062001] ? clockevents_program_event+0x6b/0x1d0 [ 191.066922] ? print_irqtrace_events+0x120/0x120 [ 191.071593] ? __lock_is_held+0xa0/0x160 [ 191.075566] __do_softirq+0x1d4/0x9d2 [ 191.079282] ? ip6_finish_output2+0x524/0x1460 [ 191.083771] do_softirq_own_stack+0x2a/0x40 [ 191.087994] [ 191.090130] do_softirq.part.13+0x38/0x40 [ 191.094178] __local_bh_enable_ip+0x135/0x190 [ 191.098591] ip6_finish_output2+0x54d/0x1460 [ 191.102916] ? ip6_forward_finish+0x2f0/0x2f0 [ 191.107314] ? ip6_mtu+0x3c/0x2c0 [ 191.110674] ? ip6_finish_output+0x2f8/0x650 [ 191.114992] ? ip6_output+0x12a/0x500 [ 191.118696] ip6_output+0x12a/0x500 [ 191.122223] ? ip6_route_dev_notify+0x5b0/0x5b0 [ 191.126807] ? ip6_finish_output+0x650/0x650 [ 191.131120] ? ip6_fragment+0x1a60/0x1a60 [ 191.135182] ? icmp6_dst_alloc+0x26e/0x470 [ 191.139317] mld_sendpack+0x672/0x830 [ 191.143021] ? igmp6_mcf_seq_next+0x2f0/0x2f0 [ 191.147429] ? __local_bh_enable_ip+0x77/0x190 [ 191.151913] ipv6_mc_dad_complete+0x47/0x90 [ 191.156144] addrconf_dad_completed+0x561/0x720 [ 191.160731] ? addrconf_rs_timer+0x3a0/0x3a0 [ 191.165036] ? mark_held_locks+0xc9/0x140 [ 191.169095] ? __local_bh_enable_ip+0x77/0x190 [ 191.173570] ? addrconf_dad_work+0x50d/0xa20 [ 191.177886] ? addrconf_dad_work+0x529/0xa20 [ 191.182194] addrconf_dad_work+0x529/0xa20 [ 191.186342] ? addrconf_dad_completed+0x720/0x720 [ 191.191088] ? __lock_is_held+0xa0/0x160 [ 191.195059] ? process_one_work+0x45d/0xe20 [ 191.199302] ? process_one_work+0x51e/0xe20 [ 191.203531] ? rcu_read_lock_sched_held+0x93/0xa0 [ 191.208279] process_one_work+0x51e/0xe20 [ 191.212340] ? pwq_dec_nr_in_flight+0x200/0x200 [ 191.216912] ? get_lock_stats+0x4b/0xf0 [ 191.220788] ? preempt_count_sub+0xf/0xd0 [ 191.224844] ? worker_thread+0x219/0x860 [ 191.228823] ? do_raw_spin_trylock+0x6d/0xa0 [ 191.233142] worker_thread+0xeb/0x860 [ 191.236848] ? process_one_work+0xe20/0xe20 [ 191.241095] kthread+0x206/0x300 [ 191.244352] ? process_one_work+0xe20/0xe20 [ 191.248587] ? kthread_stop+0x570/0x570 [ 191.252459] ret_from_fork+0x3a/0x50 [ 191.256082] Code: 14 3e ff 8b 4b 78 55 4d 89 f9 41 56 41 55 48 c7 c7 a0 cf db 82 41 54 44 8b 44 24 2c 48 8b 54 24 30 48 8b 74 24 20 e8 16 94 13 ff <0f> 0b 48 c7 c7 60 8e 1f 85 48 83 c4 20 e8 55 ef a6 ff 89 74 24 [ 191.275327] RIP: skb_panic+0xc3/0x100 RSP: ffff8801d54072f0 [ 191.281024] ---[ end trace 7ea51094e099e006 ]--- [ 191.285724] Kernel panic - not syncing: Fatal exception in interrupt [ 191.292168] Kernel Offset: disabled [ 191.295697] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Reproducer: ip link add h1 type veth peer name swp1 ip link add h3 type veth peer name swp3 ip link set dev h1 up ip address add 192.0.2.1/28 dev h1 ip link add dev vh3 type vrf table 20 ip link set dev h3 master vh3 ip link set dev vh3 up ip link set dev h3 up ip link set dev swp3 up ip address add dev swp3 2001:db8:2::1/64 ip link set dev swp1 up tc qdisc add dev swp1 clsact ip link add name gt6 type ip6erspan \ local 2001:db8:2::1 remote 2001:db8:2::2 oseq okey 123 ip link set dev gt6 up sleep 1 tc filter add dev swp1 ingress pref 1000 matchall skip_hw \ action mirred egress mirror dev gt6 ping -I h1 192.0.2.2 Fixes: e41c7c68ea77 ("ip6erspan: make sure enough headroom at xmit.") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 01b8d064d58b4c1f0eff47f8fe8a8508cb3b3840 Author: Petr Machata Date: Thu May 17 16:36:10 2018 +0200 net: ip6_gre: Request headroom in __gre6_xmit() __gre6_xmit() pushes GRE headers before handing over to ip6_tnl_xmit() for generic IP-in-IP processing. However it doesn't make sure that there is enough headroom to push the header to. That can lead to the panic cited below. (Reproducer below that). Fix by requesting either needed_headroom if already primed, or just the bare minimum needed for the header otherwise. [ 158.576725] kernel BUG at net/core/skbuff.c:104! [ 158.581510] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 158.587174] Modules linked in: act_mirred cls_matchall ip6_gre ip6_tunnel tunnel6 gre sch_ingress vrf veth x86_pkg_temp_thermal mlx_platform nfsd e1000e leds_mlxcpld [ 158.602268] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 4.17.0-rc4-net_master-custom-139 #10 [ 158.610938] Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2F"/"SA000874", BIOS 4.6.5 03/08/2016 [ 158.620426] RIP: 0010:skb_panic+0xc3/0x100 [ 158.624586] RSP: 0018:ffff8801d3f27110 EFLAGS: 00010286 [ 158.629882] RAX: 0000000000000082 RBX: ffff8801c02cc040 RCX: 0000000000000000 [ 158.637127] RDX: 0000000000000082 RSI: dffffc0000000000 RDI: ffffed003a7e4e18 [ 158.644366] RBP: ffff8801bfec8020 R08: ffffed003aabce19 R09: ffffed003aabce19 [ 158.651574] R10: 000000000000000b R11: ffffed003aabce18 R12: ffff8801c364de66 [ 158.658786] R13: 000000000000002c R14: 00000000000000c0 R15: ffff8801c364de68 [ 158.666007] FS: 0000000000000000(0000) GS:ffff8801d5400000(0000) knlGS:0000000000000000 [ 158.674212] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 158.680036] CR2: 00007f4b3702dcd0 CR3: 0000000003228002 CR4: 00000000001606e0 [ 158.687228] Call Trace: [ 158.689752] ? __gre6_xmit+0x246/0xd80 [ip6_gre] [ 158.694475] ? __gre6_xmit+0x246/0xd80 [ip6_gre] [ 158.699141] skb_push+0x78/0x90 [ 158.702344] __gre6_xmit+0x246/0xd80 [ip6_gre] [ 158.706872] ip6gre_tunnel_xmit+0x3bc/0x610 [ip6_gre] [ 158.711992] ? __gre6_xmit+0xd80/0xd80 [ip6_gre] [ 158.716668] ? debug_check_no_locks_freed+0x210/0x210 [ 158.721761] ? print_irqtrace_events+0x120/0x120 [ 158.726461] ? sched_clock_cpu+0x18/0x210 [ 158.730572] ? sched_clock_cpu+0x18/0x210 [ 158.734692] ? cyc2ns_read_end+0x10/0x10 [ 158.738705] ? skb_network_protocol+0x76/0x200 [ 158.743216] ? netif_skb_features+0x1b2/0x550 [ 158.747648] dev_hard_start_xmit+0x137/0x770 [ 158.752010] sch_direct_xmit+0x2ef/0x5d0 [ 158.755992] ? pfifo_fast_dequeue+0x3fa/0x670 [ 158.760460] ? pfifo_fast_change_tx_queue_len+0x810/0x810 [ 158.765975] ? __lock_is_held+0xa0/0x160 [ 158.770002] __qdisc_run+0x39e/0xfc0 [ 158.773673] ? _raw_spin_unlock+0x29/0x40 [ 158.777781] ? pfifo_fast_enqueue+0x24b/0x3e0 [ 158.782191] ? sch_direct_xmit+0x5d0/0x5d0 [ 158.786372] ? pfifo_fast_dequeue+0x670/0x670 [ 158.790818] ? __dev_queue_xmit+0x172/0x1770 [ 158.795195] ? preempt_count_sub+0xf/0xd0 [ 158.799313] __dev_queue_xmit+0x410/0x1770 [ 158.803512] ? ___slab_alloc+0x605/0x930 [ 158.807525] ? ___slab_alloc+0x605/0x930 [ 158.811540] ? memcpy+0x34/0x50 [ 158.814768] ? netdev_pick_tx+0x1c0/0x1c0 [ 158.818895] ? __skb_clone+0x2fd/0x3d0 [ 158.822712] ? __copy_skb_header+0x270/0x270 [ 158.827079] ? rcu_read_lock_sched_held+0x93/0xa0 [ 158.831903] ? kmem_cache_alloc+0x344/0x4d0 [ 158.836199] ? skb_clone+0x123/0x230 [ 158.839869] ? skb_split+0x820/0x820 [ 158.843521] ? tcf_mirred+0x554/0x930 [act_mirred] [ 158.848407] tcf_mirred+0x554/0x930 [act_mirred] [ 158.853104] ? tcf_mirred_act_wants_ingress.part.2+0x10/0x10 [act_mirred] [ 158.860005] ? __lock_acquire+0x706/0x26e0 [ 158.864162] ? mark_lock+0x13d/0xb40 [ 158.867832] tcf_action_exec+0xcf/0x2a0 [ 158.871736] tcf_classify+0xfa/0x340 [ 158.875402] __netif_receive_skb_core+0x8e1/0x1c60 [ 158.880334] ? nf_ingress+0x500/0x500 [ 158.884059] ? process_backlog+0x347/0x4b0 [ 158.888241] ? lock_acquire+0xd8/0x320 [ 158.892050] ? process_backlog+0x1b6/0x4b0 [ 158.896228] ? process_backlog+0xc2/0x4b0 [ 158.900291] process_backlog+0xc2/0x4b0 [ 158.904210] net_rx_action+0x5cc/0x980 [ 158.908047] ? napi_complete_done+0x2c0/0x2c0 [ 158.912525] ? rcu_read_unlock+0x80/0x80 [ 158.916534] ? __lock_is_held+0x34/0x160 [ 158.920541] __do_softirq+0x1d4/0x9d2 [ 158.924308] ? trace_event_raw_event_irq_handler_exit+0x140/0x140 [ 158.930515] run_ksoftirqd+0x1d/0x40 [ 158.934152] smpboot_thread_fn+0x32b/0x690 [ 158.938299] ? sort_range+0x20/0x20 [ 158.941842] ? preempt_count_sub+0xf/0xd0 [ 158.945940] ? schedule+0x5b/0x140 [ 158.949412] kthread+0x206/0x300 [ 158.952689] ? sort_range+0x20/0x20 [ 158.956249] ? kthread_stop+0x570/0x570 [ 158.960164] ret_from_fork+0x3a/0x50 [ 158.963823] Code: 14 3e ff 8b 4b 78 55 4d 89 f9 41 56 41 55 48 c7 c7 a0 cf db 82 41 54 44 8b 44 24 2c 48 8b 54 24 30 48 8b 74 24 20 e8 16 94 13 ff <0f> 0b 48 c7 c7 60 8e 1f 85 48 83 c4 20 e8 55 ef a6 ff 89 74 24 [ 158.983235] RIP: skb_panic+0xc3/0x100 RSP: ffff8801d3f27110 [ 158.988935] ---[ end trace 5af56ee845aa6cc8 ]--- [ 158.993641] Kernel panic - not syncing: Fatal exception in interrupt [ 159.000176] Kernel Offset: disabled [ 159.003767] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Reproducer: ip link add h1 type veth peer name swp1 ip link add h3 type veth peer name swp3 ip link set dev h1 up ip address add 192.0.2.1/28 dev h1 ip link add dev vh3 type vrf table 20 ip link set dev h3 master vh3 ip link set dev vh3 up ip link set dev h3 up ip link set dev swp3 up ip address add dev swp3 2001:db8:2::1/64 ip link set dev swp1 up tc qdisc add dev swp1 clsact ip link add name gt6 type ip6gretap \ local 2001:db8:2::1 remote 2001:db8:2::2 ip link set dev gt6 up sleep 1 tc filter add dev swp1 ingress pref 1000 matchall skip_hw \ action mirred egress mirror dev gt6 ping -I h1 192.0.2.2 Fixes: c12b395a4664 ("gre: Support GRE over IPv6") Signed-off-by: Petr Machata Acked-by: William Tu Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 3 +++ 1 file changed, 3 insertions(+) commit deea81228ba1c6e77722f534a3d63c50e1757877 Author: Jesper Dangaard Brouer Date: Thu May 17 19:39:31 2018 +0200 selftests/bpf: check return value of fopen in test_verifier.c Commit 0a6748740368 ("selftests/bpf: Only run tests if !bpf_disabled") forgot to check return value of fopen. This caused some confusion, when running test_verifier (from tools/testing/selftests/bpf/) on an older kernel (< v4.4) as it will simply seqfault. This fix avoids the segfault and prints an error, but allow program to continue. Given the sysctl was introduced in 1be7f75d1668 ("bpf: enable non-root eBPF programs"), we know that the running kernel cannot support unpriv, thus continue with unpriv_disabled = true. Fixes: 0a6748740368 ("selftests/bpf: Only run tests if !bpf_disabled") Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann tools/testing/selftests/bpf/test_verifier.c | 5 +++++ 1 file changed, 5 insertions(+) commit 02f99df1875c11330cd0be69a40fa8ccd14749b2 Author: William Tu Date: Wed May 16 17:24:32 2018 -0700 erspan: fix invalid erspan version. ERSPAN only support version 1 and 2. When packets send to an erspan device which does not have proper version number set, drop the packet. In real case, we observe multicast packets sent to the erspan pernet device, erspan0, which does not have erspan version configured. Reported-by: Greg Rose Signed-off-by: William Tu Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 4 +++- net/ipv6/ip6_gre.c | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) commit fed71f7d98795ed0fa1d431910787f0f4a68324f Author: Thomas Gleixner Date: Thu May 17 14:36:39 2018 +0200 x86/apic/x2apic: Initialize cluster ID properly Rick bisected a regression on large systems which use the x2apic cluster mode for interrupt delivery to the commit wich reworked the cluster management. The problem is caused by a missing initialization of the clusterid field in the shared cluster data structures. So all structures end up with cluster ID 0 which only allows sharing between all CPUs which belong to cluster 0. All other CPUs with a cluster ID > 0 cannot share the data structure because they cannot find existing data with their cluster ID. This causes malfunction with IPIs because IPIs are sent to the wrong cluster and the caller waits for ever that the target CPU handles the IPI. Add the missing initialization when a upcoming CPU is the first in a cluster so that the later booting CPUs can find the data and share it for proper operation. Fixes: 023a611748fd ("x86/apic/x2apic: Simplify cluster management") Reported-by: Rick Warner Bisected-by: Rick Warner Signed-off-by: Thomas Gleixner Tested-by: Rick Warner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1805171418210.1947@nanos.tec.linutronix.de arch/x86/kernel/apic/x2apic_cluster.c | 1 + 1 file changed, 1 insertion(+) commit d13d170cba8a68b7f25b4a01193b7014b7bc7a72 Merge: 5a847a6 0718421 Author: David S. Miller Date: Thu May 17 14:57:20 2018 -0400 Merge branch 'ibmvnic-Fix-bugs-and-memory-leaks' Thomas Falcon says: ==================== ibmvnic: Fix bugs and memory leaks This is a small patch series fixing up some bugs and memory leaks in the ibmvnic driver. The first fix frees up previously allocated memory that should be freed in case of an error. The second fixes a reset case that was failing due to TX/RX queue IRQ's being erroneously disabled without being enabled again. The final patch fixes incorrect reallocated of statistics buffers during a device reset, resulting in loss of statistics information and a memory leak. ==================== Signed-off-by: David S. Miller commit 0718421389da3d4352f4538449e83316fbed4389 Author: Thomas Falcon Date: Wed May 16 15:49:05 2018 -0500 ibmvnic: Fix statistics buffers memory leak Move initialization of statistics buffers from ibmvnic_init function into ibmvnic_probe. In the current state, ibmvnic_init will be called again during a device reset, resulting in the allocation of new buffers without freeing the old ones. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) commit 134bbe7f21f4455c8be64f945b8b67094f768de0 Author: Thomas Falcon Date: Wed May 16 15:49:04 2018 -0500 ibmvnic: Fix non-fatal firmware error reset It is not necessary to disable interrupt lines here during a reset to handle a non-fatal firmware error. Move that call within the code block that handles the other cases that do require interrupts to be disabled and re-enabled. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 4cf2ddf3e329d4ec1e3edda3465a202b5665be0e Author: Thomas Falcon Date: Wed May 16 15:49:03 2018 -0500 ibmvnic: Free coherent DMA memory if FW map failed If the firmware map fails for whatever reason, remember to free up the memory after. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 1 + 1 file changed, 1 insertion(+) commit 5a847a6e1477be5bd3f94cc1b7708d7d4a7cd94c Author: David Ahern Date: Wed May 16 13:36:40 2018 -0700 net/ipv4: Initialize proto and ports in flow struct Updating the FIB tracepoint for the recent change to allow rules using the protocol and ports exposed a few places where the entries in the flow struct are not initialized. For __fib_validate_source add the call to fib4_rules_early_flow_dissect since it is invoked for the input path. For netfilter, add the memset on the flow struct to avoid future problems like this. In ip_route_input_slow need to set the fields if the skb dissection does not happen. Fixes: bfff4862653b ("net: fib_rules: support for match on ip_proto, sport and dport") Signed-off-by: David Ahern Acked-by: Roopa Prabhu Signed-off-by: David S. Miller net/ipv4/fib_frontend.c | 8 +++++++- net/ipv4/netfilter/ipt_rpfilter.c | 2 +- net/ipv4/route.c | 7 ++++++- 3 files changed, 14 insertions(+), 3 deletions(-) commit 8ab6ffba14a466c7298cb3fd5066d774d2977ad1 Author: Matt Mullins Date: Wed May 16 10:48:40 2018 -0700 tls: don't use stack memory in a scatterlist scatterlist code expects virt_to_page() to work, which fails with CONFIG_VMAP_STACK=y. Fixes: c46234ebb4d1e ("tls: RX path for ktls") Signed-off-by: Matt Mullins Signed-off-by: David S. Miller include/net/tls.h | 3 +++ net/tls/tls_sw.c | 9 ++++----- 2 files changed, 7 insertions(+), 5 deletions(-) commit 58ddfe6c3af91d320cf5d0aba33143e7c1d8dc35 Merge: 7c9a0fc 633711e Author: Linus Torvalds Date: Thu May 17 10:23:36 2018 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: - ARM/ARM64 locking fixes - x86 fixes: PCID, UMIP, locking - improved support for recent Windows version that have a 2048 Hz APIC timer - rename KVM_HINTS_DEDICATED CPUID bit to KVM_HINTS_REALTIME - better behaved selftests * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm: rename KVM_HINTS_DEDICATED to KVM_HINTS_REALTIME KVM: arm/arm64: VGIC/ITS save/restore: protect kvm_read_guest() calls KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock KVM: arm/arm64: VGIC/ITS: Promote irq_lock() in update_affinity KVM: arm/arm64: Properly protect VGIC locks from IRQs KVM: X86: Lower the default timer frequency limit to 200us KVM: vmx: update sec exec controls for UMIP iff emulating UMIP kvm: x86: Suppress CR3_PCID_INVD bit only when PCIDs are enabled KVM: selftests: exit with 0 status code when tests cannot be run KVM: hyperv: idr_find needs RCU protection x86: Delay skip of emulated hypercall instruction KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs commit e20ac8b11b0f06ebae63c56062123b62b0c64c2b Merge: 633711e f4a551b Author: Paolo Bonzini Date: Thu May 17 19:22:59 2018 +0200 Merge tag 'kvm-s390-master-4.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master KVM: s390: Fix vsie handling for transactional diagnostic block vsie (nested KVM) might reject a valid input. Fix it. commit 7c9a0fc79f6c5bd7e8e3198c97acf6363da3832f Merge: 3e9245c c99f080 Author: Linus Torvalds Date: Thu May 17 10:13:44 2018 -0700 Merge tag 'sound-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "We have a core fix in the compat code for covering a potential race (double references), but it's a very minor change. The rest are all small device-specific quirks, as well as a correction of the new UAC3 support code" * tag 'sound-4.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: usb-audio: Use Class Specific EP for UAC3 devices. ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup ALSA: usb: mixer: volume quirk for CM102-A+/102S+ ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist ALSA: control: fix a redundant-copy issue commit 633711e82878dc29083fc5d2605166755e25b57a Author: Michael S. Tsirkin Date: Thu May 17 17:54:24 2018 +0300 kvm: rename KVM_HINTS_DEDICATED to KVM_HINTS_REALTIME KVM_HINTS_DEDICATED seems to be somewhat confusing: Guest doesn't really care whether it's the only task running on a host CPU as long as it's not preempted. And there are more reasons for Guest to be preempted than host CPU sharing, for example, with memory overcommit it can get preempted on a memory access, post copy migration can cause preemption, etc. Let's call it KVM_HINTS_REALTIME which seems to better match what guests expect. Also, the flag most be set on all vCPUs - current guests assume this. Note so in the documentation. Signed-off-by: Michael S. Tsirkin Signed-off-by: Paolo Bonzini Documentation/virtual/kvm/cpuid.txt | 6 +++--- arch/x86/include/uapi/asm/kvm_para.h | 2 +- arch/x86/kernel/kvm.c | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) commit 3e9245c5fa3092de19b95f03817b02469bcf146c Merge: 305bb55 2e68adc Author: Linus Torvalds Date: Thu May 17 10:11:44 2018 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Martin Schwidefsky: - a fix for the vfio ccw translation code - update an incorrect email address in the MAINTAINERS file - fix a division by zero oops in the cpum_sf code found by trinity - two fixes for the error handling of the qdio code - several spectre related patches to convert all left-over indirect branches in the kernel to expoline branches - update defconfigs to avoid warnings due to the netfilter Kconfig changes - avoid several compiler warnings in the kexec_file code for s390 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/qdio: don't release memory in qdio_setup_irq() s390/qdio: fix access to uninitialized qdio_q fields s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero s390: use expoline thunks in the BPF JIT s390: extend expoline to BC instructions s390: remove indirect branch from do_softirq_own_stack s390: move spectre sysfs attribute code s390/kernel: use expoline for indirect branches s390/ftrace: use expoline for indirect branches s390/lib: use expoline for indirect branches s390/crc32-vx: use expoline for indirect branches s390: move expoline assembler macros to a header vfio: ccw: fix cleanup if cp_prefetch fails s390/kexec_file: add declaration of purgatory related globals s390: update defconfigs MAINTAINERS: update s390 zcrypt maintainers email address commit 305bb55212822f13ddbfcb7518d999c6369942ba Merge: 7f7ccc2 4152dc9 Author: Linus Torvalds Date: Thu May 17 10:02:19 2018 -0700 Merge tag 'selinux-pr-20180516' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull SELinux fixes from Paul Moore: "A small pull request to fix a few regressions in the SELinux/SCTP code with applications that call bind() with AF_UNSPEC/INADDR_ANY. The individual commit descriptions have more information, but the commits themselves should be self explanatory" * tag 'selinux-pr-20180516' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: correctly handle sa_family cases in selinux_sctp_bind_connect() selinux: fix address family in bind() and connect() to match address/port selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind() commit 7f7ccc2ccc2e70c6054685f5e3522efa81556830 Author: Willy Tarreau Date: Fri May 11 08:11:44 2018 +0200 proc: do not access cmdline nor environ from file-backed areas proc_pid_cmdline_read() and environ_read() directly access the target process' VM to retrieve the command line and environment. If this process remaps these areas onto a file via mmap(), the requesting process may experience various issues such as extra delays if the underlying device is slow to respond. Let's simply refuse to access file-backed areas in these functions. For this we add a new FOLL_ANON gup flag that is passed to all calls to access_remote_vm(). The code already takes care of such failures (including unmapped areas). Accesses via /proc/pid/mem were not changed though. This was assigned CVE-2018-1120. Note for stable backports: the patch may apply to kernels prior to 4.11 but silently miss one location; it must be checked that no call to access_remote_vm() keeps zero as the last argument. Reported-by: Qualys Security Advisory Cc: Linus Torvalds Cc: Andy Lutomirski Cc: Oleg Nesterov Cc: stable@vger.kernel.org Signed-off-by: Willy Tarreau Signed-off-by: Linus Torvalds fs/proc/base.c | 8 ++++---- include/linux/mm.h | 1 + mm/gup.c | 3 +++ 3 files changed, 8 insertions(+), 4 deletions(-) commit 1c1a2ee1b53b006754073eefc65d2b2cedb5264b Author: Coly Li Date: Thu May 17 23:33:26 2018 +0800 bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Changelog: v4: Add Acked-by from Kent Overstreet. v3: Use IS_ENABLED(CONFIG_DEBUG_FS) to replace #ifdef DEBUG_FS. v2: Remove a warning information v1: Initial version. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable@vger.kernel.org Signed-off-by: Coly Li Reported-by: Massimo B. Reported-by: Kai Krakow Tested-by: Kai Krakow Acked-by: Kent Overstreet Signed-off-by: Jens Axboe drivers/md/bcache/debug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit bc226f07dcd3c9ef0b7f6236fe356ea4a9cb4769 Author: Tom Lendacky Date: Thu May 10 22:06:39 2018 +0200 KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD Expose the new virtualized architectural mechanism, VIRT_SSBD, for using speculative store bypass disable (SSBD) under SVM. This will allow guests to use SSBD on hardware that uses non-architectural mechanisms for enabling SSBD. [ tglx: Folded the migration fixup from Paolo Bonzini ] Signed-off-by: Tom Lendacky Signed-off-by: Thomas Gleixner arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/kernel/cpu/common.c | 3 ++- arch/x86/kvm/cpuid.c | 11 +++++++++-- arch/x86/kvm/svm.c | 21 +++++++++++++++++++-- arch/x86/kvm/vmx.c | 18 +++++++++++++++--- arch/x86/kvm/x86.c | 13 ++++--------- 6 files changed, 50 insertions(+), 18 deletions(-) commit 47c61b3955cf712cadfc25635bf9bc174af030ea Author: Thomas Gleixner Date: Thu May 10 20:42:48 2018 +0200 x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to x86_virt_spec_ctrl(). If either X86_FEATURE_LS_CFG_SSBD or X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl argument to check whether the state must be modified on the host. The update reuses speculative_store_bypass_update() so the ZEN-specific sibling coordination can be reused. Signed-off-by: Thomas Gleixner arch/x86/include/asm/spec-ctrl.h | 6 ++++++ arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) commit be6fcb5478e95bb1c91f489121238deb3abca46a Author: Thomas Gleixner Date: Sat May 12 20:10:00 2018 +0200 x86/bugs: Rework spec_ctrl base and mask logic x86_spec_ctrL_mask is intended to mask out bits from a MSR_SPEC_CTRL value which are not to be modified. However the implementation is not really used and the bitmask was inverted to make a check easier, which was removed in "x86/bugs: Remove x86_spec_ctrl_set()" Aside of that it is missing the STIBP bit if it is supported by the platform, so if the mask would be used in x86_virt_spec_ctrl() then it would prevent a guest from setting STIBP. Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to sanitize the value which is supplied by the guest. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) commit 4b59bdb569453a60b752b274ca61f009e37f4dae Author: Thomas Gleixner Date: Sat May 12 20:53:14 2018 +0200 x86/bugs: Remove x86_spec_ctrl_set() x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there provide no real value as both call sites can just write x86_spec_ctrl_base to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra masking or checking. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/nospec-branch.h | 2 -- arch/x86/kernel/cpu/bugs.c | 13 ++----------- 2 files changed, 2 insertions(+), 13 deletions(-) commit fa8ac4988249c38476f6ad678a4848a736373403 Author: Thomas Gleixner Date: Sat May 12 20:49:16 2018 +0200 x86/bugs: Expose x86_spec_ctrl_base directly x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR. x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to prevent modification to that variable. Though the variable is read only after init and globaly visible already. Remove the function and export the variable instead. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/nospec-branch.h | 16 +++++----------- arch/x86/include/asm/spec-ctrl.h | 3 --- arch/x86/kernel/cpu/bugs.c | 11 +---------- 3 files changed, 6 insertions(+), 24 deletions(-) commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 Author: Borislav Petkov Date: Sat May 12 00:14:51 2018 +0200 x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host} Function bodies are very similar and are going to grow more almost identical code. Add a bool arg to determine whether SPEC_CTRL is being set for the guest or restored to the host. No functional changes. Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/spec-ctrl.h | 33 +++++++++++++++++++--- arch/x86/kernel/cpu/bugs.c | 60 ++++++++++------------------------------ 2 files changed, 44 insertions(+), 49 deletions(-) commit 0270be3e34efb05a88bc4c422572ece038ef3608 Author: Thomas Gleixner Date: Thu May 10 20:31:44 2018 +0200 x86/speculation: Rework speculative_store_bypass_update() The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse speculative_store_bypass_update() to avoid code duplication. Add an argument for supplying a thread info (TIF) value and create a wrapper speculative_store_bypass_update_current() which is used at the existing call site. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/spec-ctrl.h | 7 ++++++- arch/x86/kernel/cpu/bugs.c | 2 +- arch/x86/kernel/process.c | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) commit 11fb0683493b2da112cd64c9dada221b52463bf7 Author: Tom Lendacky Date: Thu May 17 17:09:18 2018 +0200 x86/speculation: Add virtualized speculative store bypass disable support Some AMD processors only support a non-architectural means of enabling speculative store bypass disable (SSBD). To allow a simplified view of this to a guest, an architectural definition has been created through a new CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a hypervisor can virtualize the existence of this definition and provide an architectural method for using SSBD to a guest. Add the new CPUID feature, the new MSR and update the existing SSBD support to use this MSR when present. Signed-off-by: Tom Lendacky Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 2 ++ arch/x86/kernel/cpu/bugs.c | 4 +++- arch/x86/kernel/process.c | 13 ++++++++++++- 4 files changed, 18 insertions(+), 2 deletions(-) commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 Author: Thomas Gleixner Date: Wed May 9 23:01:01 2018 +0200 x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care about the bit position of the SSBD bit and thus facilitate migration. Also, the sibling coordination on Family 17H CPUs can only be done on the host. Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an extra argument for the VIRT_SPEC_CTRL MSR. Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU data structure which is going to be used in later patches for the actual implementation. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/spec-ctrl.h | 9 ++++++--- arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++-- arch/x86/kvm/svm.c | 11 +++++++++-- arch/x86/kvm/vmx.c | 4 ++-- 4 files changed, 35 insertions(+), 9 deletions(-) commit 1f50ddb4f4189243c05926b842dc1a0332195f31 Author: Thomas Gleixner Date: Wed May 9 21:53:09 2018 +0200 x86/speculation: Handle HT correctly on AMD The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when hyperthreading is enabled the SSBD bit toggle needs to take both cores into account. Otherwise the following situation can happen: CPU0 CPU1 disable SSB disable SSB enable SSB <- Enables it for the Core, i.e. for CPU0 as well So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled again. On Intel the SSBD control is per core as well, but the synchronization logic is implemented behind the per thread SPEC_CTRL MSR. It works like this: CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL i.e. if one of the threads enables a mitigation then this affects both and the mitigation is only disabled in the core when both threads disabled it. Add the necessary synchronization logic for AMD family 17H. Unfortunately that requires a spinlock to serialize the access to the MSR, but the locks are only shared between siblings. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/spec-ctrl.h | 6 ++ arch/x86/kernel/process.c | 125 +++++++++++++++++++++++++++++++++++++-- arch/x86/kernel/smpboot.c | 5 ++ 3 files changed, 130 insertions(+), 6 deletions(-) commit d1035d971829dcf80e8686ccde26f94b0a069472 Author: Thomas Gleixner Date: Thu May 10 16:26:00 2018 +0200 x86/cpufeatures: Add FEATURE_ZEN Add a ZEN feature bit so family-dependent static_cpu_has() optimizations can be built for ZEN. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kernel/cpu/amd.c | 1 + 2 files changed, 2 insertions(+) commit 52817587e706686fcdb27f14c1b000c92f266c96 Author: Thomas Gleixner Date: Thu May 10 20:21:36 2018 +0200 x86/cpufeatures: Disentangle SSBD enumeration The SSBD enumeration is similarly to the other bits magically shared between Intel and AMD though the mechanisms are different. Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific features or family dependent setup. Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is controlled via MSR_SPEC_CTRL and fix up the usage sites. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/cpufeatures.h | 7 +++---- arch/x86/kernel/cpu/amd.c | 7 +------ arch/x86/kernel/cpu/bugs.c | 10 +++++----- arch/x86/kernel/cpu/common.c | 3 +++ arch/x86/kernel/cpu/intel.c | 1 + arch/x86/kernel/process.c | 2 +- 6 files changed, 14 insertions(+), 16 deletions(-) commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 Author: Thomas Gleixner Date: Thu May 10 19:13:18 2018 +0200 x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on Intel and implied by IBRS or STIBP support on AMD. That's just confusing and in case an AMD CPU has IBRS not supported because the underlying problem has been fixed but has another bit valid in the SPEC_CTRL MSR, the thing falls apart. Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the availability on both Intel and AMD. While at it replace the boot_cpu_has() checks with static_cpu_has() where possible. This prevents late microcode loading from exposing SPEC_CTRL, but late loading is already very limited as it does not reevaluate the mitigation options and other bits and pieces. Having static_cpu_has() is the simplest and least fragile solution. Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kernel/cpu/bugs.c | 18 +++++++++++------- arch/x86/kernel/cpu/common.c | 9 +++++++-- arch/x86/kernel/cpu/intel.c | 1 + 4 files changed, 20 insertions(+), 9 deletions(-) commit e7c587da125291db39ddf1f49b18e5970adbac17 Author: Borislav Petkov Date: Wed May 2 18:15:14 2018 +0200 x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP Intel and AMD have different CPUID bits hence for those use synthetic bits which get set on the respective vendor's in init_speculation_control(). So that debacles like what the commit message of c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload") talks about don't happen anymore. Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Konrad Rzeszutek Wilk Tested-by: Jörg Otte Cc: Linus Torvalds Cc: "Kirill A. Shutemov" Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic arch/x86/include/asm/cpufeatures.h | 10 ++++++---- arch/x86/kernel/cpu/common.c | 14 ++++++++++---- arch/x86/kvm/cpuid.c | 10 +++++----- arch/x86/kvm/svm.c | 6 +++--- arch/x86/kvm/vmx.c | 9 ++------- 5 files changed, 26 insertions(+), 23 deletions(-) commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765 Author: Thomas Gleixner Date: Fri May 11 15:21:01 2018 +0200 KVM: SVM: Move spec control call after restore of GS svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current' to determine the host SSBD state of the thread. 'current' is GS based, but host GS is not yet restored and the access causes a triple fault. Move the call after the host GS restore. Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass Signed-off-by: Thomas Gleixner Reviewed-by: Borislav Petkov Reviewed-by: Konrad Rzeszutek Wilk Acked-by: Paolo Bonzini arch/x86/kvm/svm.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) commit c1d2a31397ec51f0370f6bd17b19b39152c263cb Author: Nicholas Piggin Date: Tue May 15 01:59:47 2018 +1000 powerpc/powernv: Fix NVRAM sleep in invalid context when crashing Similarly to opal_event_shutdown, opal_nvram_write can be called in the crash path with irqs disabled. Special case the delay to avoid sleeping in invalid context. Fixes: 3b8070335f75 ("powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops") Cc: stable@vger.kernel.org # v3.2 Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/opal-nvram.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) commit 22aac3eb0c465dd9ea7f06ee1ed8ad933890f2a3 Author: Pierre-Yves MORDRET Date: Fri May 11 10:22:39 2018 +0200 MAINTAINERS: add entry for STM32 I2C driver Add I2C/SMBUS Driver entry for STM32 family from ST Microelectronics. Signed-off-by: Pierre-Yves MORDRET Signed-off-by: Wolfram Sang MAINTAINERS | 6 ++++++ 1 file changed, 6 insertions(+) commit 8438ee76b004ef66d125ade64c91fc128047d244 Author: Michal Kubecek Date: Wed May 16 07:51:36 2018 +0200 Makefile: disable PIE before testing asm goto Since commit e501ce957a78 ("x86: Force asm-goto"), aarch64 build on distributions which enable PIE by default (e.g. openSUSE Tumbleweed) does not detect support for asm goto correctly. The problem is that ARM specific part of scripts/gcc-goto.sh fails with PIE even with recent gcc versions. Moving the asm goto detection up in Makefile put it before the place where we disable PIE. As a result, kernel is built without jump label support. Move the lines disabling PIE before the asm goto test to make it work. Fixes: e501ce957a78 ("x86: Force asm-goto") Reported-by: Andreas Faerber Signed-off-by: Michal Kubecek Acked-by: Peter Zijlstra (Intel) Signed-off-by: Masahiro Yamada Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit c64ba044ed57ea72cc1c7b14a8dcfb6ded5a759c Author: Nick Desaulniers Date: Thu Apr 26 14:28:07 2018 -0700 kbuild: gcov: enable -fno-tree-loop-im if supported Clang does not recognize this compiler option. Reported-by: Prasad Sodagudi Signed-off-by: Nick Desaulniers Signed-off-by: Masahiro Yamada Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 02ee654d3a04563c67bfe658a05384548b9bb105 Author: Anand Jain Date: Thu May 17 15:16:51 2018 +0800 btrfs: fix crash when trying to resume balance without the resume flag We set the BTRFS_BALANCE_RESUME flag in the btrfs_recover_balance() only, which isn't called during the remount. So when resuming from the paused balance we hit the bug: kernel: kernel BUG at fs/btrfs/volumes.c:3890! :: kernel: balance_kthread+0x51/0x60 [btrfs] kernel: kthread+0x111/0x130 :: kernel: RIP: btrfs_balance+0x12e1/0x1570 [btrfs] RSP: ffffba7d0090bde8 Reproducer: On a mounted filesystem: btrfs balance start --full-balance /btrfs btrfs balance pause /btrfs mount -o remount,ro /dev/sdb /btrfs mount -o remount,rw /dev/sdb /btrfs To fix this set the BTRFS_BALANCE_RESUME flag in btrfs_resume_balance_async(). CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba fs/btrfs/volumes.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit fe816d0f1d4c31c4c31d42ca78a87660565fc800 Author: Nikolay Borisov Date: Fri Apr 27 12:21:53 2018 +0300 btrfs: Fix delalloc inodes invalidation during transaction abort When a transaction is aborted btrfs_cleanup_transaction is called to cleanup all the various in-flight bits and pieces which migth be active. One of those is delalloc inodes - inodes which have dirty pages which haven't been persisted yet. Currently the process of freeing such delalloc inodes in exceptional circumstances such as transaction abort boiled down to calling btrfs_invalidate_inodes whose sole job is to invalidate the dentries for all inodes related to a root. This is in fact wrong and insufficient since such delalloc inodes will likely have pending pages or ordered-extents and will be linked to the sb->s_inode_list. This means that unmounting a btrfs instance with an aborted transaction could potentially lead inodes/their pages visible to the system long after their superblock has been freed. This in turn leads to a "use-after-free" situation once page shrink is triggered. This situation could be simulated by running generic/019 which would cause such inodes to be left hanging, followed by generic/176 which causes memory pressure and page eviction which lead to touching the freed super block instance. This situation is additionally detected by the unmount code of VFS with the following message: "VFS: Busy inodes after unmount of Self-destruct in 5 seconds. Have a nice day..." Additionally btrfs hits WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree)); in free_fs_root for the same reason. This patch aims to rectify the sitaution by doing the following: 1. Change btrfs_destroy_delalloc_inodes so that it calls invalidate_inode_pages2 for every inode on the delalloc list, this ensures that all the pages of the inode are released. This function boils down to calling btrfs_releasepage. During test I observed cases where inodes on the delalloc list were having an i_count of 0, so this necessitates using igrab to be sure we are working on a non-freed inode. 2. Since calling btrfs_releasepage might queue delayed iputs move the call out to btrfs_cleanup_transaction in btrfs_error_commit_super before calling run_delayed_iputs for the last time. This is necessary to ensure that delayed iputs are run. Note: this patch is tagged for 4.14 stable but the fix applies to older versions too but needs to be backported manually due to conflicts. CC: stable@vger.kernel.org # 4.14.x: 2b8773313494: btrfs: Split btrfs_del_delalloc_inode into 2 functions CC: stable@vger.kernel.org # 4.14.x Signed-off-by: Nikolay Borisov Reviewed-by: David Sterba [ add comment to igrab ] Signed-off-by: David Sterba fs/btrfs/disk-io.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) commit 2b8773313494ede83a26fb372466e634564002ed Author: Nikolay Borisov Date: Fri Apr 27 12:21:51 2018 +0300 btrfs: Split btrfs_del_delalloc_inode into 2 functions This is in preparation of fixing delalloc inodes leakage on transaction abort. Also export the new function. Signed-off-by: Nikolay Borisov Reviewed-by: David Sterba Reviewed-by: Anand Jain Signed-off-by: David Sterba fs/btrfs/ctree.h | 2 ++ fs/btrfs/inode.c | 13 ++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) commit 02a3307aa9c20b4f6626255b028f07f6cfa16feb Author: Liu Bo Date: Wed May 16 01:37:36 2018 +0800 btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Liu Bo Reviewed-by: Filipe Manana Reviewed-by: Qu Wenruo [ update changelog ] Signed-off-by: David Sterba fs/btrfs/ctree.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 1a63c198ddb810c790101d693c7071cca703b3c7 Author: Misono Tomohiro Date: Tue May 15 16:51:26 2018 +0900 btrfs: property: Set incompat flag if lzo/zstd compression is set Incompat flag of LZO/ZSTD compression should be set at: 1. mount time (-o compress/compress-force) 2. when defrag is done 3. when property is set Currently 3. is missing and this commit adds this. This could lead to a filesystem that uses ZSTD but is not marked as such. If a kernel without a ZSTD support encounteres a ZSTD compressed extent, it will handle that but this could be confusing to the user. Typically the filesystem is mounted with the ZSTD option, but the discrepancy can arise when a filesystem is never mounted with ZSTD and then the property on some file is set (and some new extents are written). A simple mount with -o compress=zstd will fix that up on an unpatched kernel. Same goes for LZO, but this has been around for a very long time (2.6.37) so it's unlikely that a pre-LZO kernel would be used. Fixes: 5c1aab1dd544 ("btrfs: Add zstd support") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Tomohiro Misono Reviewed-by: Anand Jain Reviewed-by: David Sterba [ add user visible impact ] Signed-off-by: David Sterba fs/btrfs/props.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 31d11b83b96faaee4bb514d375a09489117c3e8d Author: Filipe Manana Date: Wed May 9 16:01:46 2018 +0100 Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba fs/btrfs/tree-log.c | 137 ++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 112 insertions(+), 25 deletions(-) commit 94c752f99954797da583a84c4907ff19e92550a4 Author: Paolo Abeni Date: Fri Apr 27 10:45:31 2018 +0200 netfilter: ebtables: handle string from userspace with care strlcpy() can't be safely used on a user-space provided string, as it can try to read beyond the buffer's end, if the latter is not NULL terminated. Leveraging the above, syzbot has been able to trigger the following splat: BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline] BUG: KASAN: stack-out-of-bounds in ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline] BUG: KASAN: stack-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline] BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194 Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504 CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 strlcpy include/linux/string.h:300 [inline] compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline] ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline] size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline] compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194 compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285 compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline] compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156 compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279 inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041 compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901 compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050 __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403 __do_compat_sys_setsockopt net/compat.c:416 [inline] __se_compat_sys_setsockopt net/compat.c:413 [inline] __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline] do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7fb3cb9 RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x2fffc0000000000() raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Fix the issue replacing the unsafe function with strscpy() and taking care of possible errors. Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com Signed-off-by: Paolo Abeni Signed-off-by: Pablo Neira Ayuso net/bridge/netfilter/ebtables.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit b71534583f22d08c3e3563bf5100aeb5f5c9fbe5 Author: Taehee Yoo Date: Wed May 16 22:10:37 2018 +0900 netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump() In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced. But if family is ipv6, priv->helper6 should be dereferenced. Steps to reproduces: #test.nft table ip6 filter { ct helper ftp { type "ftp" protocol tcp } chain input { type filter hook input priority 4; ct helper set "ftp" } } %nft -f test.nft %nft list ruleset we can see the below messages: [ 916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink] [ 916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181 [ 916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 [ 916.338773] RIP: 0010:strlen+0x1a/0x90 [ 916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292 [ 916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038 [ 916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010 [ 916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c [ 916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040 [ 916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110 [ 916.387265] FS: 00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000 [ 916.394785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0 [ 916.410772] Call Trace: [ 916.414787] nft_ct_helper_obj_dump+0x94/0x200 [nft_ct] [ 916.418779] ? nft_ct_set_eval+0x560/0x560 [nft_ct] [ 916.426771] ? memset+0x1f/0x40 [ 916.426771] ? __nla_reserve+0x92/0xb0 [ 916.434774] ? memcpy+0x34/0x50 [ 916.434774] nf_tables_fill_obj_info+0x484/0x860 [nf_tables] [ 916.442773] ? __nft_release_basechain+0x600/0x600 [nf_tables] [ 916.450779] ? lock_acquire+0x193/0x380 [ 916.454771] ? lock_acquire+0x193/0x380 [ 916.458789] ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables] [ 916.462777] nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables] [ 916.470769] ? __alloc_skb+0x30b/0x500 [ 916.474779] netlink_dump+0x752/0xb50 [ 916.478775] __netlink_dump_start+0x4d3/0x750 [ 916.482784] nf_tables_getobj+0x27a/0x930 [nf_tables] [ 916.490774] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 916.494772] ? nf_tables_getobj+0x930/0x930 [nf_tables] [ 916.502579] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables] [ 916.506774] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 916.514808] nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink] [ 916.518771] ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink] [ 916.526782] netlink_rcv_skb+0x23e/0x360 [ 916.530773] ? nfnetlink_bind+0x200/0x200 [nfnetlink] [ 916.534778] ? debug_check_no_locks_freed+0x280/0x280 [ 916.542770] ? netlink_ack+0x870/0x870 [ 916.546786] ? ns_capable_common+0xf4/0x130 [ 916.550765] nfnetlink_rcv+0x172/0x16c0 [nfnetlink] [ 916.554771] ? sched_clock_local+0xe2/0x150 [ 916.558774] ? sched_clock_cpu+0x144/0x180 [ 916.566575] ? lock_acquire+0x380/0x380 [ 916.570775] ? sched_clock_local+0xe2/0x150 [ 916.574765] ? nfnetlink_net_init+0x130/0x130 [nfnetlink] [ 916.578763] ? sched_clock_cpu+0x144/0x180 [ 916.582770] ? lock_acquire+0x193/0x380 [ 916.590771] ? lock_acquire+0x193/0x380 [ 916.594766] ? lock_acquire+0x380/0x380 [ 916.598760] ? netlink_deliver_tap+0x262/0xa60 [ 916.602766] ? lock_acquire+0x193/0x380 [ 916.606766] netlink_unicast+0x3ef/0x5a0 [ 916.610771] ? netlink_attachskb+0x630/0x630 [ 916.614763] netlink_sendmsg+0x72a/0xb00 [ 916.618769] ? netlink_unicast+0x5a0/0x5a0 [ 916.626766] ? _copy_from_user+0x92/0xc0 [ 916.630773] __sys_sendto+0x202/0x300 [ 916.634772] ? __ia32_sys_getpeername+0xb0/0xb0 [ 916.638759] ? lock_acquire+0x380/0x380 [ 916.642769] ? lock_acquire+0x193/0x380 [ 916.646761] ? finish_task_switch+0xf4/0x560 [ 916.650763] ? __schedule+0x582/0x19a0 [ 916.655301] ? __sched_text_start+0x8/0x8 [ 916.655301] ? up_read+0x1c/0x110 [ 916.655301] ? __do_page_fault+0x48b/0xaa0 [ 916.655301] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 916.655301] __x64_sys_sendto+0xdd/0x1b0 [ 916.655301] do_syscall_64+0x96/0x3d0 [ 916.655301] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 916.655301] RIP: 0033:0x7f57a0ff5e03 [ 916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03 [ 916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003 [ 916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c [ 916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110 [ 916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0 [ 916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f [ 916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8 [ 916.771929] ---[ end trace 1065e048e72479fe ]--- [ 916.777204] Kernel panic - not syncing: Fatal exception [ 916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Signed-off-by: Taehee Yoo Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_ct.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) commit dbad41e7bb5f4b9949ff5ea1d76c20711f326308 Author: Srinivas Kandagatla Date: Thu May 17 10:42:32 2018 +0100 dmaengine: qcom: bam_dma: check if the runtime pm enabled Disabling pm runtime at probe is not sufficient to get BAM working on remotely controller instances. pm_runtime_get_sync() would return -EACCES in such cases. So check if runtime pm is enabled before returning error from bam functions. Fixes: 5b4a68952a89 ("dmaengine: qcom: bam_dma: disable runtime pm on remote controlled") Signed-off-by: Srinivas Kandagatla Signed-off-by: Vinod Koul drivers/dma/qcom/bam_dma.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) commit f4a551b72358facbbe5714248dff78404272feee Author: David Hildenbrand Date: Wed May 9 16:12:17 2018 +0200 KVM: s390: vsie: fix < 8k check for the itdba By missing an "L", we might detect some addresses to be <8k, although they are not. e.g. for itdba = 100001fff !(gpa & ~0x1fffU) -> 1 !(gpa & ~0x1fffUL) -> 0 So we would report a SIE validity intercept although everything is fine. Fixes: 166ecb3 ("KVM: s390: vsie: support transactional execution") Reported-by: Dan Carpenter Reviewed-by: Christian Borntraeger Reviewed-by: Janosch Frank Reviewed-by: Cornelia Huck Signed-off-by: David Hildenbrand Signed-off-by: Janosch Frank Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Christian Borntraeger arch/s390/kvm/vsie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit df158189dbcc2e0ee29dc4b917d45ee5bf25a35e Author: Paul Mackerras Date: Thu May 17 14:47:59 2018 +1000 KVM: PPC: Book 3S HV: Do ptesync in radix guest exit path A radix guest can execute tlbie instructions to invalidate TLB entries. After a tlbie or a group of tlbies, it must then do the architected sequence eieio; tlbsync; ptesync to ensure that the TLB invalidation has been processed by all CPUs in the system before it can rely on no CPU using any translation that it just invalidated. In fact it is the ptesync which does the actual synchronization in this sequence, and hardware has a requirement that the ptesync must be executed on the same CPU thread as the tlbies which it is expected to order. Thus, if a vCPU gets moved from one physical CPU to another after it has done some tlbies but before it can get to do the ptesync, the ptesync will not have the desired effect when it is executed on the second physical CPU. To fix this, we do a ptesync in the exit path for radix guests. If there are any pending tlbies, this will wait for them to complete. If there aren't, then ptesync will just do the same as sync. Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 ++++++++ 1 file changed, 8 insertions(+) commit 9dc81d6b0f1e3c40bdf97671dd26a24f128e1182 Author: Benjamin Herrenschmidt Date: Thu May 10 13:06:42 2018 +1000 KVM: PPC: Book3S HV: XIVE: Resend re-routed interrupts on CPU priority change When a vcpu priority (CPPR) is set to a lower value (masking more interrupts), we stop processing interrupts already in the queue for the priorities that have now been masked. If those interrupts were previously re-routed to a different CPU, they might still be stuck until the older one that has them in its queue processes them. In the case of guest CPU unplug, that can be never. To address that without creating additional overhead for the normal interrupt processing path, this changes H_CPPR handling so that when such a priority change occurs, we scan the interrupt queue for that vCPU, and for any interrupt in there that has been re-routed, we replace it with a dummy and force a re-trigger. Signed-off-by: Benjamin Herrenschmidt Tested-by: Alexey Kardashevskiy Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_xive_template.c | 108 +++++++++++++++++++++++++++++--- 1 file changed, 101 insertions(+), 7 deletions(-) commit 7e3d9a1d0f2c681456a2e04b8ba9a2fb448fe515 Author: Nicholas Piggin Date: Wed May 9 12:20:15 2018 +1000 KVM: PPC: Book3S HV: Make radix clear pte when unmapping The current partition table unmap code clears the _PAGE_PRESENT bit out of the pte, which leaves pud_huge/pmd_huge true and does not clear pud_present/pmd_present. This can confuse subsequent page faults and possibly lead to the guest looping doing continual hypervisor page faults. Signed-off-by: Nicholas Piggin Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_64_mmu_radix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e2560b108fb1375b5fab196c1ec0d910bbe8a38b Author: Nicholas Piggin Date: Wed May 9 12:20:14 2018 +1000 KVM: PPC: Book3S HV: Make radix use correct tlbie sequence in kvmppc_radix_tlbie_page The standard eieio ; tlbsync ; ptesync must follow tlbie to ensure it is ordered with respect to subsequent operations. Signed-off-by: Nicholas Piggin Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_64_mmu_radix.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 57b8daa70a179bc23cc4240420ab6fbcdd7faf77 Author: Paul Mackerras Date: Fri Apr 20 22:51:11 2018 +1000 KVM: PPC: Book3S HV: Snapshot timebase offset on guest entry Currently, the HV KVM guest entry/exit code adds the timebase offset from the vcore struct to the timebase on guest entry, and subtracts it on guest exit. Which is fine, except that it is possible for userspace to change the offset using the SET_ONE_REG interface while the vcore is running, as there is only one timebase offset per vcore but potentially multiple VCPUs in the vcore. If that were to happen, KVM would subtract a different offset on guest exit from that which it had added on guest entry, leading to the timebase being out of sync between cores in the host, which then leads to bad things happening such as hangs and spurious watchdog timeouts. To fix this, we add a new field 'tb_offset_applied' to the vcore struct which stores the offset that is currently applied to the timebase. This value is set from the vcore tb_offset field on guest entry, and is what is subtracted from the timebase on guest exit. Since it is zero when the timebase offset is not applied, we can simplify the logic in kvmhv_start_timing and kvmhv_accumulate_time. In addition, we had secondary threads reading the timebase while running concurrently with code on the primary thread which would eventually add or subtract the timebase offset from the timebase. This occurred while saving or restoring the DEC register value on the secondary threads. Although no specific incorrect behaviour has been observed, this is a race which should be fixed. To fix it, we move the DEC saving code to just before we call kvmhv_commence_exit, and the DEC restoring code to after the point where we have waited for the primary thread to switch the MMU context and add the timebase offset. That way we are sure that the timebase contains the guest timebase value in both cases. Signed-off-by: Paul Mackerras arch/powerpc/include/asm/kvm_book3s.h | 1 + arch/powerpc/kernel/asm-offsets.c | 1 + arch/powerpc/kvm/book3s_hv.c | 1 + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 89 ++++++++++++++++----------------- 4 files changed, 47 insertions(+), 45 deletions(-) commit bc91d1810f70ed0b31df1c5ac879c43e35b9e330 Merge: 3d3aa96 91ba9f2 Author: Dave Airlie Date: Thu May 17 12:00:53 2018 +1000 Merge branch 'vmwgfx-fixes-4.17' of git://people.freedesktop.org/~thomash/linux into drm-fixes A single fix for a recent regression. * 'vmwgfx-fixes-4.17' of git://people.freedesktop.org/~thomash/linux: drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful commit 3d3aa969cbb4f0a5586798de7885309c6550af18 Merge: 76ef6b2 2b62072 Author: Dave Airlie Date: Thu May 17 12:00:17 2018 +1000 Merge tag 'drm-misc-fixes-2018-05-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes - core: Fix regression in dev node offsets (Haneen) - vc4: Fix memory leak on driver close (Eric) - dumb-buffers: Prevent overflow in DIV_ROUND_UP() (Dan) Cc: Haneen Mohammed Cc: Eric Anholt Cc: Dan Carpenter * tag 'drm-misc-fixes-2018-05-16' of git://anongit.freedesktop.org/drm/drm-misc: drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() drm/vc4: Fix leak of the file_priv that stored the perfmon. drm: Match sysfs name in link removal to link creation commit e6506eb241871d68647c53cb6d0a16299550ae97 Merge: 9d38cd0 45dd9b0 Author: Linus Torvalds Date: Wed May 16 16:45:23 2018 -0700 Merge tag 'trace-v4.17-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fix from Steven Rostedt: "Some of the ftrace internal events use a zero for a data size of a field event. This is increasingly important for the histogram trigger work that is being extended. While auditing trace events, I found that a couple of the xen events were used as just marking that a function was called, by creating a static array of size zero. This can play havoc with the tracing features if these events are used, because a zero size of a static array is denoted as a special nul terminated dynamic array (this is what the trace_marker code uses). But since the xen events have no size, they are not nul terminated, and unexpected results may occur. As trace events were never intended on being a marker to denote that a function was hit or not, especially since function tracing and kprobes can trivially do the same, the best course of action is to simply remove these events" * tag 'trace-v4.17-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} commit 1fba5868eed82766fb374c7d367166706f9269d5 Author: Marc Dionne Date: Wed May 16 11:04:23 2018 -0300 afs: Fix mounting of backup volumes In theory the AFS_VLSF_BACKVOL flag for a server in a vldb entry would indicate the presence of a backup volume on that server. In practice however, this flag is never set, and the presence of a backup volume is implied by the entry having AFS_VLF_BACKEXISTS set, for the server that hosts the read-write volume (has AFS_VLSF_RWVOL). Signed-off-by: Marc Dionne Signed-off-by: David Howells fs/afs/vlclient.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 Author: David Howells Date: Wed May 16 21:25:46 2018 +0100 afs: Fix directory permissions check Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions check code. Fix this by just removing the BUG section. If no permissions are asked for, just return okay if the file exists. Also: (1) Split up the directory check so that it has separate if-statements rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the check for MAY_READ and MAY_WRITE). (2) Check for MAY_CHDIR as MAY_EXEC. Without the main fix, the following BUG may occur: kernel BUG at fs/afs/security.c:386! invalid opcode: 0000 [#1] SMP PTI ... RIP: 0010:afs_permission+0x19d/0x1a0 [kafs] ... Call Trace: ? inode_permission+0xbe/0x180 ? do_faccessat+0xdc/0x270 ? do_syscall_64+0x60/0x1f0 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 00d3b7a4533e ("[AFS]: Add security support.") Reported-by: Jonathan Billings Signed-off-by: David Howells fs/afs/security.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) commit 7063efd33bb15abc0160347f89eb5aba6b7d000e Author: Jason Wang Date: Wed May 16 20:39:33 2018 +0800 tuntap: fix use after free during release After commit b196d88aba8a ("tun: fix use after free for ptr_ring") we need clean up tx ring during release(). But unfortunately, it tries to do the cleanup blindly after socket were destroyed which will lead another use-after-free. Fix this by doing the cleanup before dropping the last reference of the socket in __tun_detach(). Reported-by: Andrei Vagin Acked-by: Andrei Vagin Fixes: b196d88aba8a ("tun: fix use after free for ptr_ring") Signed-off-by: Jason Wang Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit fee8fb952d1e1c1a60e2017878a16cf83c92c154 Merge: 5a4931ae 490068d Author: David S. Miller Date: Wed May 16 14:52:30 2018 -0400 Merge branch 'qed-LL2-fixes' Michal Kalderon says: ==================== qed: LL2 fixes This series fixes some issues in ll2 related to synchronization and resource freeing ==================== Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller commit 490068deaef0c76e47bf89c457de899b7d3995c7 Author: Michal Kalderon Date: Wed May 16 14:44:40 2018 +0300 qed: Fix LL2 race during connection terminate Stress on qedi/qedr load unload lead to list_del corruption. This is due to ll2 connection terminate freeing resources without verifying that no more ll2 processing will occur. This patch unregisters the ll2 status block before terminating the connection to assure this race does not occur. Fixes: 1d6cff4fca4366 ("qed: Add iSCSI out of order packet handling") Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_ll2.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) commit ffd2c0d12752a69e480366031ec7a7d723dd2510 Author: Michal Kalderon Date: Wed May 16 14:44:39 2018 +0300 qed: Fix possibility of list corruption during rmmod flows The ll2 flows of flushing the txq/rxq need to be synchronized with the regular fp processing. Caused list corruption during load/unload stress tests. Fixes: 0a7fb11c23c0f ("qed: Add Light L2 support") Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_ll2.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit f9bcd60274a565751abef622f9018badd01a17c8 Author: Michal Kalderon Date: Wed May 16 14:44:38 2018 +0300 qed: LL2 flush isles when connection is closed Driver should free all pending isles once it gets a FLUSH cqe from FW. Part of iSCSI out of order flow. Fixes: 1d6cff4fca4366 ("qed: Add iSCSI out of order packet handling") Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_ll2.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) commit 5a4931ae0193f8a4a97e8260fd0df1d705d83299 Author: Davide Caratti Date: Wed May 16 12:54:29 2018 +0200 net/sched: fix refcnt leak in the error path of tcf_vlan_init() Similarly to what was done with commit a52956dfc503 ("net sched actions: fix refcnt leak in skbmod"), fix the error path of tcf_vlan_init() to avoid refcnt leaks when wrong value of TCA_VLAN_PUSH_VLAN_PROTOCOL is given. Fixes: 5026c9b1bafc ("net sched: vlan action fix late binding") CC: Roman Mashak Signed-off-by: Davide Caratti Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_vlan.c | 2 ++ 1 file changed, 2 insertions(+) commit e49ac9679eeb30abeb462cb459cc3ea8c81fbd1f Author: Geert Uytterhoeven Date: Wed May 16 11:18:01 2018 +0200 net: 8390: ne: Fix accidentally removed RBTX4927 support The configuration settings for RBTX4927 were accidentally removed, leading to a silently broken network interface. Re-add the missing settings to fix this. Fixes: 8eb97ff5a4ec941d ("net: 8390: remove m32r specific bits") Signed-off-by: Geert Uytterhoeven Signed-off-by: David S. Miller drivers/net/ethernet/8390/ne.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit ac22bfb15c83636c28df2754456fb0a00c6e82da Merge: e1b505a 1942adf Author: David S. Miller Date: Wed May 16 14:11:23 2018 -0400 Merge branch 'dsa-bcm_sf2-CFP-fixes' Florian Fainelli says: ==================== net: dsa: bcm_sf2: CFP fixes This patch series fixes a number of usability issues with the SF2 Compact Field Processor code: - we would not be properly bound checking the location when we let the kernel automatically place rules with RX_CLS_LOC_ANY - when using IPv6 rules and user space specifies a location identifier we would be off by one in what the chain ID (within the Broadcom tag) indicates - it would be possible to delete one of the two slices of an IPv6 while leaving the other one programming leading to various problems ==================== Signed-off-by: David S. Miller commit 1942adf64214df370350aa46954ba27654456f68 Author: Florian Fainelli Date: Tue May 15 16:01:25 2018 -0700 net: dsa: bcm_sf2: Fix IPv6 rule half deletion It was possible to delete only one half of an IPv6, which would leave the second half still programmed and possibly in use. Instead of checking for the unused bitmap, we need to check the unique bitmap, and refuse any deletion that does not match that criteria. We also need to move that check from bcm_sf2_cfp_rule_del_one() into its caller: bcm_sf2_cfp_rule_del() otherwise we would not be able to delete second halves anymore that would not pass the first test. Fixes: ba0696c22e7c ("net: dsa: bcm_sf2: Add support for IPv6 CFP rules") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/dsa/bcm_sf2_cfp.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) commit 6c05561c541843b2bec2189f680bed6d20afc25b Author: Florian Fainelli Date: Tue May 15 16:01:24 2018 -0700 net: dsa: bcm_sf2: Fix IPv6 rules and chain ID We had several issues that would make the programming of IPv6 rules both inconsistent and error prone: - the chain ID that we would be asking the hardware to put in the packet's Broadcom tag would be off by one, it would return one of the two indexes, but not the one user-space specified - when an user specified a particular location to insert a CFP rule at, we would not be returning the same index, which would be confusing if nothing else - finally, like IPv4, it would be possible to overflow the last entry by re-programming it Fix this by swapping the usage of rule_index[0] and rule_index[1] where relevant in order to return a consistent and correct user-space experience. Fixes: ba0696c22e7c ("net: dsa: bcm_sf2: Add support for IPv6 CFP rules") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/dsa/bcm_sf2_cfp.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) commit 43a5e00f38fe8933a1c716bfe5b30e97f749d94b Author: Florian Fainelli Date: Tue May 15 16:01:23 2018 -0700 net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule When we let the kernel pick up a rule location with RX_CLS_LOC_ANY, we would be able to overwrite the last rules because of a number of issues. The IPv4 code path would not be checking that rule_index is within bounds, and it would also only be allowed to pick up rules from range 0..126 instead of the full 0..127 range. This would lead us to allow overwriting the last rule when we let the kernel pick-up the location. Fixes: 3306145866b6 ("net: dsa: bcm_sf2: Move IPv4 CFP processing to specific functions") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/dsa/bcm_sf2_cfp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 9d38cd06c3e332093da2c486307395b302e2e31f Merge: 21b9f1c 85f4f12 Author: Linus Torvalds Date: Wed May 16 11:02:54 2018 -0700 Merge tag 'trace-v4.17-rc5-vsprintf' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull memory barrier for from Steven Rostedt: "The memory barrier usage in updating the random ptr hash for %p in vsprintf is incorrect. Instead of adding the read memory barrier into vsprintf() which will cause a slight degradation to a commonly used function in the kernel just to solve a very unlikely race condition that can only happen at boot up, change the code from using a variable branch to a static_branch. Not only does this solve the race condition, it actually will improve the performance of vsprintf() by removing the conditional branch that is only needed at boot" * tag 'trace-v4.17-rc5-vsprintf' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: vsprintf: Replace memory barrier with static_key for random_ptr_key update commit c171654caa875919be3c533d3518da8be5be966e Author: Shuah Khan (Samsung OSG) Date: Tue May 15 17:57:23 2018 -0600 usbip: usbip_host: fix bad unlock balance during stub_probe() stub_probe() calls put_busid_priv() in an error path when device isn't found in the busid_table. Fix it by making put_busid_priv() safe to be called with null struct bus_id_priv pointer. This problem happens when "usbip bind" is run without loading usbip_host driver and then running modprobe. The first failed bind attempt unbinds the device from the original driver and when usbip_host is modprobed, stub_probe() runs and doesn't find the device in its busid table and calls put_busid_priv(0 with null bus_id_priv pointer. usbip-host 3-10.2: 3-10.2 is not in match_busid table... skip! [ 367.359679] ===================================== [ 367.359681] WARNING: bad unlock balance detected! [ 367.359683] 4.17.0-rc4+ #5 Not tainted [ 367.359685] ------------------------------------- [ 367.359688] modprobe/2768 is trying to release lock ( [ 367.359689] ================================================================== [ 367.359696] BUG: KASAN: null-ptr-deref in print_unlock_imbalance_bug+0x99/0x110 [ 367.359699] Read of size 8 at addr 0000000000000058 by task modprobe/2768 [ 367.359705] CPU: 4 PID: 2768 Comm: modprobe Not tainted 4.17.0-rc4+ #5 Fixes: 22076557b07c ("usbip: usbip_host: fix NULL-ptr deref and use-after-free errors") in usb-linus Signed-off-by: Shuah Khan (Samsung OSG) Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/usb/usbip/stub_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit e1b505a60366399d735312ca38b0a6753a684123 Author: Markus Niebel Date: Tue May 15 10:18:56 2018 +0200 net: phy: micrel: add 125MHz reference clock workaround The micrel KSZ9031 phy has a optional clock pin (CLK125_NDO) which can be used as reference clock for the MAC unit. The clock signal must meet the RGMII requirements to ensure the correct data transmission between the MAC and the PHY. The KSZ9031 phy does not fulfill the duty cycle requirement if the phy is configured as slave. For a complete describtion look at the errata sheets: DS80000691D or DS80000692D. The errata sheet recommends to force the phy into master mode whenever there is a 1000Base-T link-up as work around. Only set the "micrel,force-master" property if you use the phy reference clock provided by CLK125_NDO pin as MAC reference clock in your application. Attenation, this workaround is only usable if the link partner can be configured to slave mode for 1000Base-T. Signed-off-by: Markus Niebel [m.felsch@pengutronix.de: fix dt-binding documentation] [m.felsch@pengutronix.de: use already existing result var for read/write] [m.felsch@pengutronix.de: add error handling] [m.felsch@pengutronix.de: add more comments] Signed-off-by: Marco Felsch Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller .../devicetree/bindings/net/micrel-ksz90x1.txt | 7 +++++ drivers/net/phy/micrel.c | 31 ++++++++++++++++++++++ 2 files changed, 38 insertions(+) commit 7f582b248d0a86bae5788c548d7bb5bca6f7691a Author: Eric Dumazet Date: Mon May 14 21:14:26 2018 -0700 tcp: purge write queue in tcp_connect_init() syzkaller found a reliable way to crash the host, hitting a BUG() in __tcp_retransmit_skb() Malicous MSG_FASTOPEN is the root cause. We need to purge write queue in tcp_connect_init() at the point we init snd_una/write_seq. This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE() kernel BUG at net/ipv4/tcp_output.c:2837! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837 RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206 RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49 RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005 RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2 R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80 FS: 0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923 tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573 tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x79e/0xc50 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1d1/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:525 [inline] smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)") Signed-off-by: Eric Dumazet Cc: Yuchung Cheng Cc: Neal Cardwell Reported-by: syzbot Acked-by: Neal Cardwell Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit e3ca34880652250f524022ad89e516f8ba9a805b Author: Saeed Mahameed Date: Mon May 14 15:38:10 2018 -0700 net/mlx5: Fix build break when CONFIG_SMP=n Avoid using the kernel's irq_descriptor and return IRQ vector affinity directly from the driver. This fixes the following build break when CONFIG_SMP=n include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’: include/linux/mlx5/driver.h:1299:13: error: ‘struct irq_desc’ has no member named ‘affinity_hint’ Fixes: 6082d9c9c94a ("net/mlx5: Fix mlx5_get_vector_affinity function") Signed-off-by: Saeed Mahameed CC: Randy Dunlap CC: Guenter Roeck CC: Thomas Gleixner Tested-by: Israel Rukshin Reported-by: kbuild test robot Reported-by: Randy Dunlap Tested-by: Randy Dunlap Acked-by: Thomas Gleixner Tested-by: Guenter Roeck Signed-off-by: David S. Miller include/linux/mlx5/driver.h | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) commit ab452c3ce7bacb27ffe2fc0144aecd0c399e1e24 Author: Keefe Liu Date: Mon May 14 19:38:09 2018 +0800 ipvlan: call netdevice notifier when master mac address changed When master device's mac has been changed, the commit 32c10bbfe914 ("ipvlan: always use the current L2 addr of the master") makes the IPVlan devices's mac changed also, but it doesn't do related works such as flush the IPVlan devices's arp table. Signed-off-by: Keefe Liu Signed-off-by: David S. Miller drivers/net/ipvlan/ipvlan_main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 2b6207291b7b277a5df9d1aab44b56815a292dba Author: Dan Carpenter Date: Wed May 16 17:00:26 2018 +0300 drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() There is a comment here which says that DIV_ROUND_UP() and that's where the problem comes from. Say you pick: args->bpp = UINT_MAX - 7; args->width = 4; args->height = 1; The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and because of how we picked args->width that means cpp < UINT_MAX / 4. I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I removed the check for !cpp because it's not possible after this change. I also changed all the 0xffffffffU references to U32_MAX. Signed-off-by: Dan Carpenter Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda drivers/gpu/drm/drm_dumb_buffers.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 85f4f12d51397f1648e1f4350f77e24039b82d61 Author: Steven Rostedt (VMware) Date: Tue May 15 22:24:52 2018 -0400 vsprintf: Replace memory barrier with static_key for random_ptr_key update Reviewing Tobin's patches for getting pointers out early before entropy has been established, I noticed that there's a lone smp_mb() in the code. As with most lone memory barriers, this one appears to be incorrectly used. We currently basically have this: get_random_bytes(&ptr_key, sizeof(ptr_key)); /* * have_filled_random_ptr_key==true is dependent on get_random_bytes(). * ptr_to_id() needs to see have_filled_random_ptr_key==true * after get_random_bytes() returns. */ smp_mb(); WRITE_ONCE(have_filled_random_ptr_key, true); And later we have: if (unlikely(!have_filled_random_ptr_key)) return string(buf, end, "(ptrval)", spec); /* Missing memory barrier here. */ hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key); As the CPU can perform speculative loads, we could have a situation with the following: CPU0 CPU1 ---- ---- load ptr_key = 0 store ptr_key = random smp_mb() store have_filled_random_ptr_key load have_filled_random_ptr_key = true BAD BAD BAD! (you're so bad!) Because nothing prevents CPU1 from loading ptr_key before loading have_filled_random_ptr_key. But this race is very unlikely, but we can't keep an incorrect smp_mb() in place. Instead, replace the have_filled_random_ptr_key with a static_branch not_filled_random_ptr_key, that is initialized to true and changed to false when we get enough entropy. If the update happens in early boot, the static_key is updated immediately, otherwise it will have to wait till entropy is filled and this happens in an interrupt handler which can't enable a static_key, as that requires a preemptible context. In that case, a work_queue is used to enable it, as entropy already took too long to establish in the first place waiting a little more shouldn't hurt anything. The benefit of using the static key is that the unlikely branch in vsprintf() now becomes a nop. Link: http://lkml.kernel.org/r/20180515100558.21df515e@gandalf.local.home Cc: stable@vger.kernel.org Fixes: ad67b74d2469d ("printk: hash addresses printed with %p") Acked-by: Linus Torvalds Signed-off-by: Steven Rostedt (VMware) lib/vsprintf.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) commit 589bb62be316401603453c7d2d3c60ad8b9c3cf3 Author: Kirill A. Shutemov Date: Wed May 16 11:01:29 2018 +0300 x86/boot/compressed/64: Fix moving page table out of trampoline memory cleanup_trampoline() relocates the top-level page table out of trampoline memory. We use 'top_pgtable' as our new top-level page table. But if the 'top_pgtable' would be referenced from C in a usual way, the address of the table will be calculated relative to RIP. After kernel gets relocated, the address will be in the middle of decompression buffer and the page table may get overwritten. This leads to a crash. We calculate the address of other page tables relative to the relocation address. It makes them safe. We should do the same for 'top_pgtable'. Calculate the address of 'top_pgtable' in assembly and pass down to cleanup_trampoline(). Move the page table to .pgtable section where the rest of page tables are. The section is @nobits so we save 4k in kernel image. Signed-off-by: Kirill A. Shutemov Reviewed-by: Thomas Gleixner Cc: Hugh Dickins Cc: Linus Torvalds Cc: Peter Zijlstra Fixes: e9d0e6330eb8 ("x86/boot/compressed/64: Prepare new top-level page table for trampoline") Link: http://lkml.kernel.org/r/20180516080131.27913-3-kirill.shutemov@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/boot/compressed/head_64.S | 11 +++++++++++ arch/x86/boot/compressed/pgtable_64.c | 14 +++----------- 2 files changed, 14 insertions(+), 11 deletions(-) commit 5c9b0b1c49881c680d4a56b9d9e03dfb3160fd4d Author: Kirill A. Shutemov Date: Wed May 16 11:01:28 2018 +0300 x86/boot/compressed/64: Set up GOT for paging_prepare() and cleanup_trampoline() Eric and Hugh have reported instant reboot due to my recent changes in decompression code. The root cause is that I didn't realize that we need to adjust GOT to be able to run C code that early. The problem is only visible with an older toolchain. Binutils >= 2.24 is able to eliminate GOT references by replacing them with RIP-relative address loads: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=80d873266dec We need to adjust GOT two times: - before calling paging_prepare() using the initial load address - before calling C code from the relocated kernel Reported-by: Eric Dumazet Reported-by: Hugh Dickins Signed-off-by: Kirill A. Shutemov Reviewed-by: Thomas Gleixner Cc: Linus Torvalds Cc: Peter Zijlstra Fixes: 194a9749c73d ("x86/boot/compressed/64: Handle 5-level paging boot if kernel is above 4G") Link: http://lkml.kernel.org/r/20180516080131.27913-2-kirill.shutemov@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/boot/compressed/head_64.S | 68 ++++++++++++++++++++++++++++++-------- 1 file changed, 55 insertions(+), 13 deletions(-) commit 5a817641f68a6399a5fac8b7d2da67a73698ffed Author: Waiman Long Date: Tue May 15 17:49:51 2018 -0400 locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN The filesystem freezing code needs to transfer ownership of a rwsem embedded in a percpu-rwsem from the task that does the freezing to another one that does the thawing by calling percpu_rwsem_release() after freezing and percpu_rwsem_acquire() before thawing. However, the new rwsem debug code runs afoul with this scheme by warning that the task that releases the rwsem isn't the one that acquires it, as reported by Amir Goldstein: DEBUG_LOCKS_WARN_ON(sem->owner != get_current()) WARNING: CPU: 1 PID: 1401 at /home/amir/build/src/linux/kernel/locking/rwsem.c:133 up_write+0x59/0x79 Call Trace: percpu_up_write+0x1f/0x28 thaw_super_locked+0xdf/0x120 do_vfs_ioctl+0x270/0x5f1 ksys_ioctl+0x52/0x71 __x64_sys_ioctl+0x16/0x19 do_syscall_64+0x5d/0x167 entry_SYSCALL_64_after_hwframe+0x49/0xbe To work properly with the rwsem debug code, we need to annotate that the rwsem ownership is unknown during the tranfer period until a brave soul comes forward to acquire the ownership. During that period, optimistic spinning will be disabled. Reported-by: Amir Goldstein Tested-by: Amir Goldstein Signed-off-by: Waiman Long Acked-by: Peter Zijlstra Cc: Andrew Morton Cc: Davidlohr Bueso Cc: Jan Kara Cc: Linus Torvalds Cc: Matthew Wilcox Cc: Oleg Nesterov Cc: Paul E. McKenney Cc: Theodore Y. Ts'o Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-fsdevel@vger.kernel.org Link: http://lkml.kernel.org/r/1526420991-21213-3-git-send-email-longman@redhat.com Signed-off-by: Ingo Molnar include/linux/percpu-rwsem.h | 6 +++++- include/linux/rwsem.h | 6 ++++++ kernel/locking/rwsem-xadd.c | 2 ++ 3 files changed, 13 insertions(+), 1 deletion(-) commit d7d760efad70c7a030725499bf9f342f04af24dd Author: Waiman Long Date: Tue May 15 17:49:50 2018 -0400 locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag There are use cases where a rwsem can be acquired by one task, but released by another task. In thess cases, optimistic spinning may need to be disabled. One example will be the filesystem freeze/thaw code where the task that freezes the filesystem will acquire a write lock on a rwsem and then un-owns it before returning to userspace. Later on, another task will come along, acquire the ownership, thaw the filesystem and release the rwsem. Bit 0 of the owner field was used to designate that it is a reader owned rwsem. It is now repurposed to mean that the owner of the rwsem is not known. If only bit 0 is set, the rwsem is reader owned. If bit 0 and other bits are set, it is writer owned with an unknown owner. One such value for the latter case is (-1L). So we can set owner to 1 for reader-owned, -1 for writer-owned. The owner is unknown in both cases. To handle transfer of rwsem ownership, the higher level code should set the owner field to -1 to indicate a write-locked rwsem with unknown owner. Optimistic spinning will be disabled in this case. Once the higher level code figures who the new owner is, it can then set the owner field accordingly. Tested-by: Amir Goldstein Signed-off-by: Waiman Long Acked-by: Peter Zijlstra Cc: Andrew Morton Cc: Davidlohr Bueso Cc: Jan Kara Cc: Linus Torvalds Cc: Matthew Wilcox Cc: Oleg Nesterov Cc: Paul E. McKenney Cc: Theodore Y. Ts'o Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-fsdevel@vger.kernel.org Link: http://lkml.kernel.org/r/1526420991-21213-2-git-send-email-longman@redhat.com Signed-off-by: Ingo Molnar kernel/locking/rwsem-xadd.c | 17 +++++++---------- kernel/locking/rwsem.c | 2 -- kernel/locking/rwsem.h | 30 +++++++++++++++++++++--------- 3 files changed, 28 insertions(+), 21 deletions(-) commit b579f924a90f42fa561afd8201514fc216b71949 Author: Michel Thierry Date: Mon May 14 09:54:45 2018 -0700 drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk Factor in clear values wherever required while updating destination min/max. References: HSDES#1604444184 Signed-off-by: Michel Thierry Cc: mesa-dev@lists.freedesktop.org Cc: Mika Kuoppala Cc: Oscar Mateo Reviewed-by: Mika Kuoppala Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20180510200708.18097-1-michel.thierry@intel.com Cc: stable@vger.kernel.org Cc: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20180514165445.9198-1-michel.thierry@intel.com (backported from commit 0c79f9cb77eae28d48a4f9fc1b3341aacbbd260c) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/i915_reg.h | 3 +++ drivers/gpu/drm/i915/intel_engine_cs.c | 4 ++++ 2 files changed, 7 insertions(+) commit 91ba9f28a3de97761c2b5fd5df5d88421268e507 Author: Deepak Rawat Date: Tue May 15 15:39:09 2018 +0200 drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful SOU primary plane prepare_fb hook depends upon dmabuf_size to pin up BO (and not call a new vmw_dmabuf_init) when a new fb size is same as current fb. This was changed in a recent commit which is causing page_flip to fail on VM with low display memory and multi-mon failure when cycle monitors from secondary display. Cc: # 4.14, 4.16 Fixes: 20fb5a635a0c ("drm/vmwgfx: Unpin the screen object backup buffer when not used") Signed-off-by: Deepak Rawat Reviewed-by: Sinclair Yeh Signed-off-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 2 ++ 1 file changed, 2 insertions(+) commit 8e907ed4882714fd13cfe670681fc6cb5284c780 Author: Lidong Chen Date: Tue May 8 16:50:16 2018 +0800 IB/umem: Use the correct mm during ib_umem_release User-space may invoke ibv_reg_mr and ibv_dereg_mr in different threads. If ibv_dereg_mr is called after the thread which invoked ibv_reg_mr has exited, get_pid_task will return NULL and ib_umem_release will not decrease mm->pinned_vm. Instead of using threads to locate the mm, use the overall tgid from the ib_ucontext struct instead. This matches the behavior of ODP and disassociate in handling the mm of the process that called ibv_reg_mr. Cc: Fixes: 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm from ib_umem_get") Signed-off-by: Lidong Chen Signed-off-by: Jason Gunthorpe drivers/infiniband/core/umem.c | 7 +------ include/rdma/ib_umem.h | 1 - 2 files changed, 1 insertion(+), 7 deletions(-) commit 9a160601f3fb6ffa196b87d1b5643646be486405 Author: Gabriel Fernandez Date: Thu May 3 08:40:09 2018 +0200 clk: stm32: fix: stm32 clock drivers are not compiled by default Clock driver is mandatory if the machine is selected. Then don't use 'bool' and 'depends on' commands, but 'def_bool' with the machine(s). Fixes: da32d3539fca ("clk: stm32: add configuration flags for each of the stm32 drivers") Signed-off-by: Gabriel Fernandez Acked-by: Alexandre TORGUE Signed-off-by: Stephen Boyd drivers/clk/Kconfig | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 2e5be528ab0182ad4b42b9feea3b80f85f37179b Author: Stefan Agner Date: Wed Apr 18 14:49:08 2018 +0200 clk: imx6ull: use OSC clock during AXI rate change On i.MX6 ULL using PLL3 seems to cause a freeze when setting the parent to IMX6UL_CLK_PLL3_USB_OTG. This only seems to appear since commit 6f9575e55632 ("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux"), probably because the clock is now forced to be on. Fixes: 6f9575e55632("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux") Signed-off-by: Stefan Agner Signed-off-by: Stephen Boyd drivers/clk/imx/clk-imx6ul.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a7be67b381ade36bf190601bdc5d6f44bae3cefe Merge: ae93870 bb7298a Author: Olof Johansson Date: Tue May 15 13:49:55 2018 -0700 Merge tag 'davinci-fixes-for-v4.17-part-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into fixes Second set of fixes for TI DaVinci. They are needed for DM6467 EVM to work. The first patch fixes an issue with timer interrupt and the second two are needed for video driver to probe successfully. * tag 'davinci-fixes-for-v4.17-part-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci: ARM: davinci: board-dm646x-evm: set VPIF capture card name ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF ARM: davinci: dm646x: fix timer interrupt generation Signed-off-by: Olof Johansson commit 5596fe34495cf0f645f417eb928ef224df3e3cb4 Author: Dexuan Cui Date: Tue May 15 19:52:50 2018 +0000 tick/broadcast: Use for_each_cpu() specially on UP kernels for_each_cpu() unintuitively reports CPU0 as set independent of the actual cpumask content on UP kernels. This causes an unexpected PIT interrupt storm on a UP kernel running in an SMP virtual machine on Hyper-V, and as a result, the virtual machine can suffer from a strange random delay of 1~20 minutes during boot-up, and sometimes it can hang forever. Protect if by checking whether the cpumask is empty before entering the for_each_cpu() loop. [ tglx: Use !IS_ENABLED(CONFIG_SMP) instead of #ifdeffery ] Signed-off-by: Dexuan Cui Signed-off-by: Thomas Gleixner Cc: Josh Poulson Cc: "Michael Kelley (EOSG)" Cc: Peter Zijlstra Cc: Frederic Weisbecker Cc: stable@vger.kernel.org Cc: Rakib Mullick Cc: Jork Loeser Cc: Greg Kroah-Hartman Cc: Andrew Morton Cc: KY Srinivasan Cc: Linus Torvalds Cc: Alexey Dobriyan Cc: Dmitry Vyukov Link: https://lkml.kernel.org/r/KL1P15301MB000678289FE55BA365B3279ABF990@KL1P15301MB0006.APCP153.PROD.OUTLOOK.COM Link: https://lkml.kernel.org/r/KL1P15301MB0006FA63BC22BEB64902EAA0BF930@KL1P15301MB0006.APCP153.PROD.OUTLOOK.COM kernel/time/tick-broadcast.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 21b9f1c7e319f654de3b2574fe8d4e4114c9143f Merge: eeba2df 4776cab Author: Linus Torvalds Date: Tue May 15 10:48:36 2018 -0700 Merge tag 'afs-fixes-20180514' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull AFS fixes from David Howells: "Here's a set of patches that fix a number of bugs in the in-kernel AFS client, including: - Fix directory locking to not use individual page locks for directory reading/scanning but rather to use a semaphore on the afs_vnode struct as the directory contents must be read in a single blob and data from different reads must not be mixed as the entire contents may be shuffled about between reads. - Fix address list parsing to handle port specifiers correctly. - Only give up callback records on a server if we actually talked to that server (we might not be able to access a server). - Fix some callback handling bugs, including refcounting, whole-volume callbacks and when callbacks actually get broken in response to a CB.CallBack op. - Fix some server/address rotation bugs, including giving up if we can't probe a server; giving up if a server says it doesn't have a volume, but there are more servers to try. - Fix the decoding of fetched statuses to be OpenAFS compatible. - Fix the handling of server lookups in Cache Manager ops (such as CB.InitCallBackState3) to use a UUID if possible and to handle no server being found. - Fix a bug in server lookup where not all addresses are compared. - Fix the non-encryption of calls that prevents some servers from being accessed (this also requires an AF_RXRPC patch that has already gone in through the net tree). There's also a patch that adds tracepoints to log Cache Manager ops that don't find a matching server, either by UUID or by address" * tag 'afs-fixes-20180514' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: afs: Fix the non-encryption of calls afs: Fix CB.CallBack handling afs: Fix whole-volume callback handling afs: Fix afs_find_server search loop afs: Fix the handling of an unfound server in CM operations afs: Add a tracepoint to record callbacks from unlisted servers afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID afs: Fix VNOVOL handling in address rotation afs: Fix AFSFetchStatus decoder to provide OpenAFS compatibility afs: Fix server rotation's handling of fileserver probe failure afs: Fix refcounting in callback registration afs: Fix giving up callbacks on server destruction afs: Fix address list parsing afs: Fix directory page locking commit eeba2dfa6a0d1cf40056e3a00ec21206c640eeca Merge: ee4b65c 7d3af7d Author: Linus Torvalds Date: Tue May 15 10:15:48 2018 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two small driver fixes: aacraid to fix an unknown IU type on task management functions which causes a firmware fault and vmw_pvscsi to change a return code to retry the operation instead of causing an immediate error" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: aacraid: Correct hba_send to include iu_type scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts commit ee4b65c2e820161455d1ae1ccf7a219397f32ae6 Merge: 67b8d5c 76ef6b2 Author: Linus Torvalds Date: Tue May 15 09:58:01 2018 -0700 Merge tag 'drm-fixes-for-v4.17-rc6-urgent' of git://people.freedesktop.org/~airlied/linux Pull drm fix from Dave Airlie: "This fixes the mmap regression reported to me on irc by an i686 kernel user today, he's tested the fix works, and I've audited all the drm drivers for the bad mmap usage and since we use the mmap offset as a lookup in a table we aren't inclined to have anything bad in there" [ See commit be83bbf80682 ("mmap: introduce sane default mmap limits") for details and the note on why the GPU drivers were expected to be a special case. - Linus ] * tag 'drm-fixes-for-v4.17-rc6-urgent' of git://people.freedesktop.org/~airlied/linux: drm: set FMODE_UNSIGNED_OFFSET for drm files commit dd010bd7af6248b40ab31640a6e31fbebea5aa22 Author: Mika Westerberg Date: Tue May 15 16:04:25 2018 +0300 thunderbolt: Handle NULL boot ACL entries properly If the boot ACL entry is already NULL we should not fill in the upper two DWs with 0xfffffffff. Otherwise they are not shown as empty entries when the sysfs attribute is read. Fixes: 9aaa3b8b4c56 ("thunderbolt: Add support for preboot ACL") Signed-off-by: Mika Westerberg Acked-by: Yehezkel Bernat Signed-off-by: Greg Kroah-Hartman drivers/thunderbolt/icm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9f825e74d761c13b0cfaa5f65344d64ff970e252 Author: Geert Uytterhoeven Date: Mon May 14 12:49:37 2018 +0200 mtd: rawnand: Fix return type of __DIVIDE() when called with 32-bit The __DIVIDE() macro checks whether it is called with a 32-bit or 64-bit dividend, to select the appropriate divide-and-round-up routine. As the check uses the ternary operator, the result will always be promoted to a type that can hold both results, i.e. unsigned long long. When using this result in a division on a 32-bit system, this may lead to link errors like: ERROR: "__udivdi3" [drivers/mtd/nand/raw/nand.ko] undefined! Fix this by casting the result of the division to the type of the dividend. Fixes: 8878b126df769831 ("mtd: nand: add ->exec_op() implementation") Signed-off-by: Geert Uytterhoeven Signed-off-by: Boris Brezillon include/linux/mtd/rawnand.h | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) commit 711702b57cc3c50b84bd648de0f1ca0a378805be Author: Andre Przywara Date: Fri May 11 15:20:15 2018 +0100 KVM: arm/arm64: VGIC/ITS save/restore: protect kvm_read_guest() calls kvm_read_guest() will eventually look up in kvm_memslots(), which requires either to hold the kvm->slots_lock or to be inside a kvm->srcu critical section. In contrast to x86 and s390 we don't take the SRCU lock on every guest exit, so we have to do it individually for each kvm_read_guest() call. Use the newly introduced wrapper for that. Cc: Stable # 4.12+ Reported-by: Jan Glauber Signed-off-by: Andre Przywara Acked-by: Christoffer Dall Signed-off-by: Paolo Bonzini virt/kvm/arm/vgic/vgic-its.c | 4 ++-- virt/kvm/arm/vgic/vgic-v3.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit bf308242ab98b5d1648c3663e753556bef9bec01 Author: Andre Przywara Date: Fri May 11 15:20:14 2018 +0100 KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock kvm_read_guest() will eventually look up in kvm_memslots(), which requires either to hold the kvm->slots_lock or to be inside a kvm->srcu critical section. In contrast to x86 and s390 we don't take the SRCU lock on every guest exit, so we have to do it individually for each kvm_read_guest() call. Provide a wrapper which does that and use that everywhere. Note that ending the SRCU critical section before returning from the kvm_read_guest() wrapper is safe, because the data has been *copied*, so we don't need to rely on valid references to the memslot anymore. Cc: Stable # 4.8+ Reported-by: Jan Glauber Signed-off-by: Andre Przywara Acked-by: Christoffer Dall Signed-off-by: Paolo Bonzini arch/arm/include/asm/kvm_mmu.h | 16 ++++++++++++++++ arch/arm64/include/asm/kvm_mmu.h | 16 ++++++++++++++++ virt/kvm/arm/vgic/vgic-its.c | 15 ++++++++------- 3 files changed, 40 insertions(+), 7 deletions(-) commit 9c4188762f7fee032abf8451fd9865a9abfc5516 Author: Andre Przywara Date: Fri May 11 15:20:13 2018 +0100 KVM: arm/arm64: VGIC/ITS: Promote irq_lock() in update_affinity Apparently the development of update_affinity() overlapped with the promotion of irq_lock to be _irqsave, so the patch didn't convert this lock over. This will make lockdep complain. Fix this by disabling IRQs around the lock. Cc: stable@vger.kernel.org Fixes: 08c9fd042117 ("KVM: arm/arm64: vITS: Add a helper to update the affinity of an LPI") Reported-by: Jan Glauber Signed-off-by: Andre Przywara Acked-by: Christoffer Dall Signed-off-by: Paolo Bonzini virt/kvm/arm/vgic/vgic-its.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 388d4359680b56dba82fe2ffca05871e9fd2b73e Author: Andre Przywara Date: Fri May 11 15:20:12 2018 +0100 KVM: arm/arm64: Properly protect VGIC locks from IRQs As Jan reported [1], lockdep complains about the VGIC not being bullet proof. This seems to be due to two issues: - When commit 006df0f34930 ("KVM: arm/arm64: Support calling vgic_update_irq_pending from irq context") promoted irq_lock and ap_list_lock to _irqsave, we forgot two instances of irq_lock. lockdeps seems to pick those up. - If a lock is _irqsave, any other locks we take inside them should be _irqsafe as well. So the lpi_list_lock needs to be promoted also. This fixes both issues by simply making the remaining instances of those locks _irqsave. One irq_lock is addressed in a separate patch, to simplify backporting. [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2018-May/575718.html Cc: stable@vger.kernel.org Fixes: 006df0f34930 ("KVM: arm/arm64: Support calling vgic_update_irq_pending from irq context") Reported-by: Jan Glauber Acked-by: Christoffer Dall Signed-off-by: Andre Przywara Signed-off-by: Paolo Bonzini virt/kvm/arm/vgic/vgic-debug.c | 5 +++-- virt/kvm/arm/vgic/vgic-its.c | 10 ++++++---- virt/kvm/arm/vgic/vgic.c | 22 ++++++++++++++-------- 3 files changed, 23 insertions(+), 14 deletions(-) commit 497a0790e2c604366b9e35dcb41310319e9bca13 Author: Philippe Bergheaud Date: Mon May 14 10:27:36 2018 +0200 cxl: Report the tunneled operations status Failure to synchronize the tunneled operations does not prevent the initialization of the cxl card. This patch reports the tunneled operations status via /sys. Signed-off-by: Philippe Bergheaud Signed-off-by: Michael Ellerman Documentation/ABI/testing/sysfs-class-cxl | 8 ++++++++ drivers/misc/cxl/cxl.h | 1 + drivers/misc/cxl/pci.c | 7 ++++++- drivers/misc/cxl/sysfs.c | 10 ++++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) commit 401dca8cbd14fc4b32d93499dcd12a1711a73ecc Author: Philippe Bergheaud Date: Mon May 14 10:27:35 2018 +0200 cxl: Set the PBCQ Tunnel BAR register when enabling capi mode Skiboot used to set the default Tunnel BAR register value when capi mode was enabled. This approach was ok for the cxl driver, but prevented other drivers from choosing different values. Skiboot versions > 5.11 will not set the default value any longer. This patch modifies the cxl driver to set/reset the Tunnel BAR register when entering/exiting the cxl mode, with pnv_pci_set_tunnel_bar(). That should work with old skiboot (since we are re-writing the value already set) and new skiboot. mpe: The tunnel support was only merged into Linux recently, in commit d6a90bb83b50 ("powerpc/powernv: Enable tunneled operations") (v4.17-rc1), so with new skiboot kernels between that commit and this will not work correctly. Fixes: d6a90bb83b50 ("powerpc/powernv: Enable tunneled operations") Signed-off-by: Philippe Bergheaud Reviewed-by: Christophe Lombard Acked-by: Frederic Barrat Signed-off-by: Michael Ellerman drivers/misc/cxl/pci.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 72cb0d893343cd33e6ab62cf26f2625d5d3532c9 Author: Eric Anholt Date: Mon Apr 9 13:58:13 2018 -0700 drm/vc4: Fix leak of the file_priv that stored the perfmon. Signed-off-by: Eric Anholt Fixes: 65101d8c9108 ("drm/vc4: Expose performance counters to userspace") Link: https://patchwork.freedesktop.org/patch/msgid/20180409205813.7077-1-eric@anholt.net Reviewed-by: Boris Brezillon Signed-off-by: Maarten Lankhorst drivers/gpu/drm/vc4/vc4_drv.c | 1 + 1 file changed, 1 insertion(+) commit 4c27625b7a67eb9006963ed2bcf8e53b259b43af Author: Wanpeng Li Date: Sat May 5 04:02:32 2018 -0700 KVM: X86: Lower the default timer frequency limit to 200us Anthoine reported: The period used by Windows change over time but it can be 1 milliseconds or less. I saw the limit_periodic_timer_frequency print so 500 microseconds is sometimes reached. As suggested by Paolo, lower the default timer frequency limit to a smaller interval of 200 us (5000 Hz) to leave some headroom. This is required due to Windows 10 changing the scheduler tick limit from 1024 Hz to 2048 Hz. Reported-by: Anthoine Bourgeois Suggested-by: Paolo Bonzini Reviewed-by: Darren Kenny Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Anthoine Bourgeois Cc: Darren Kenny Cc: Jan Kiszka Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c Author: Sekhar Nori Date: Fri May 11 20:51:36 2018 +0530 ARM: davinci: board-dm646x-evm: set VPIF capture card name VPIF capture driver expects card name to be set since it uses it without checking for NULL. The commit which introduced VPIF display and capture support added card name only for display, not for capture. Set it in platform data to probe driver successfully. While at it, also fix the display card name to something more appropriate. Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers") Signed-off-by: Sekhar Nori arch/arm/mach-davinci/board-dm646x-evm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 7d46899d57f8b61eb28701d9a4043b71e3392c26 Author: Sekhar Nori Date: Fri May 11 20:51:35 2018 +0530 ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF commit a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display") removed hardcoded I2C adaptor setting in VPIF driver, but missed updating platform data passed from DM646x board. Fix it. Fixes: a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display") Signed-off-by: Sekhar Nori arch/arm/mach-davinci/board-dm646x-evm.c | 2 ++ 1 file changed, 2 insertions(+) commit 73d4337ed9ceddef4b2f0e226634d5f985aa2d1c Author: Sekhar Nori Date: Fri May 11 20:51:34 2018 +0530 ARM: davinci: dm646x: fix timer interrupt generation commit b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") inadvertently removed priority setting for timer0_12 (bottom half of timer0). This timer is used as clockevent. When INTPRIn register setting for an interrupt is left at 0, it is mapped to FIQ by the AINTC causing the timer interrupt to not get generated. Fix it by including an entry for timer0_12 in interrupt priority map array. While at it, move the clockevent comment to the right place. Fixes: b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") Signed-off-by: Sekhar Nori arch/arm/mach-davinci/dm646x.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 22076557b07c12086eeb16b8ce2b0b735f7a27e7 Author: Shuah Khan (Samsung OSG) Date: Mon May 14 20:49:58 2018 -0600 usbip: usbip_host: fix NULL-ptr deref and use-after-free errors usbip_host updates device status without holding lock from stub probe, disconnect and rebind code paths. When multiple requests to import a device are received, these unprotected code paths step all over each other and drive fails with NULL-ptr deref and use-after-free errors. The driver uses a table lock to protect the busid array for adding and deleting busids to the table. However, the probe, disconnect and rebind paths get the busid table entry and update the status without holding the busid table lock. Add a new finer grain lock to protect the busid entry. This new lock will be held to search and update the busid entry fields from get_busid_idx(), add_match_busid() and del_match_busid(). match_busid_show() does the same to access the busid entry fields. get_busid_priv() changed to return the pointer to the busid entry holding the busid lock. stub_probe(), stub_disconnect() and stub_device_rebind() call put_busid_priv() to release the busid lock before returning. This changes fixes the unprotected code paths eliminating the race conditions in updating the busid entries. Reported-by: Jakub Jirasek Signed-off-by: Shuah Khan (Samsung OSG) Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/usb/usbip/stub.h | 2 ++ drivers/usb/usbip/stub_dev.c | 33 +++++++++++++++++++++++---------- drivers/usb/usbip/stub_main.c | 40 +++++++++++++++++++++++++++++++++++----- 3 files changed, 60 insertions(+), 15 deletions(-) commit 7510df3f29d44685bab7b1918b61a8ccd57126a9 Author: Shuah Khan (Samsung OSG) Date: Mon Apr 30 16:17:20 2018 -0600 usbip: usbip_host: run rebind from exit when module is removed After removing usbip_host module, devices it releases are left without a driver. For example, when a keyboard or a mass storage device are bound to usbip_host when it is removed, these devices are no longer bound to any driver. Fix it to run device_attach() from the module exit routine to restore the devices to their original drivers. This includes cleanup changes and moving device_attach() code to a common routine to be called from rebind_store() and usbip_host_exit(). Signed-off-by: Shuah Khan (Samsung OSG) Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/usb/usbip/stub_dev.c | 6 +---- drivers/usb/usbip/stub_main.c | 60 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 52 insertions(+), 14 deletions(-) commit 1e180f167d4e413afccbbb4a421b48b2de832549 Author: Shuah Khan (Samsung OSG) Date: Mon Apr 30 16:17:19 2018 -0600 usbip: usbip_host: delete device from busid_table after rebind Device is left in the busid_table after unbind and rebind. Rebind initiates usb bus scan and the original driver claims the device. After rescan the device should be deleted from the busid_table as it no longer belongs to usbip_host. Fix it to delete the device after device_attach() succeeds. Signed-off-by: Shuah Khan (Samsung OSG) Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/usb/usbip/stub_main.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 28b68acc4a88dcf91fd1dcf2577371dc9bf574cc Author: Shuah Khan Date: Wed Apr 11 18:13:30 2018 -0600 usbip: usbip_host: refine probe and disconnect debug msgs to be useful Refine probe and disconnect debug msgs to be useful and say what is in progress. Signed-off-by: Shuah Khan Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/usb/usbip/stub_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 35cd67a0caf767aba472452865dcb4471fcce2b1 Author: Peter Rosin Date: Wed May 9 21:47:48 2018 +0200 i2c: viperboard: return message count on master_xfer success Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") drivers/i2c/busses/i2c-viperboard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b Author: Peter Rosin Date: Wed May 9 21:46:30 2018 +0200 i2c: pmcmsp: fix error return from master_xfer Returning -1 (-EPERM) is not appropriate here, go with -EIO. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") drivers/i2c/busses/i2c-pmcmsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit de9a8634f1cb4560a35696d472cc7f1383d9b866 Author: Peter Rosin Date: Wed May 9 21:46:29 2018 +0200 i2c: pmcmsp: return message count on master_xfer success Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") drivers/i2c/busses/i2c-pmcmsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f3903c9161f0d636a7b0ff03841628928457e64c Merge: 67b8d5c c23080a Author: Ingo Molnar Date: Tue May 15 08:20:45 2018 +0200 Merge tag 'perf-urgent-for-mingo-4.17-20180514' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fix segfault when processing unknown threads in cs-etm (Leo Yan) - Fix "perf test inet_pton" on s390 failing due to missing inline (Thomas Richter) - Display all available events on 'perf annotate --stdio' (Jin Yao) - Add missing newline when parsing empty BPF proggie (Arnaldo Carvalho de Melo) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 2e68adcd2fb21b7188ba449f0fab3bee2910e500 Author: Julian Wiedmann Date: Wed May 2 08:28:34 2018 +0200 s390/qdio: don't release memory in qdio_setup_irq() Calling qdio_release_memory() on error is just plain wrong. It frees the main qdio_irq struct, when following code still uses it. Also, no other error path in qdio_establish() does this. So trust callers to clean up via qdio_free() if some step of the QDIO initialization fails. Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") Cc: #v2.6.27+ Signed-off-by: Julian Wiedmann Signed-off-by: Martin Schwidefsky drivers/s390/cio/qdio_setup.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) commit e521813468f786271a87e78e8644243bead48fad Author: Julian Wiedmann Date: Wed May 2 08:48:43 2018 +0200 s390/qdio: fix access to uninitialized qdio_q fields Ever since CQ/QAOB support was added, calling qdio_free() straight after qdio_alloc() results in qdio_release_memory() accessing uninitialized memory (ie. q->u.out.use_cq and q->u.out.aobs). Followed by a kmem_cache_free() on the random AOB addresses. For older kernels that don't have 6e30c549f6ca, the same applies if qdio_establish() fails in the DEV_STATE_ONLINE check. While initializing q->u.out.use_cq would be enough to fix this particular bug, the more future-proof change is to just zero-alloc the whole struct. Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") Cc: #v3.2+ Signed-off-by: Julian Wiedmann Signed-off-by: Martin Schwidefsky drivers/s390/cio/qdio_setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6f5ec2993b1f39aed12fa6fd56e8dc2272ee8a33 Author: Josh Poimboeuf Date: Mon May 14 08:53:24 2018 -0500 objtool: Detect RIP-relative switch table references Typically a switch table can be found by detecting a .rodata access followed an indirect jump: 1969: 4a 8b 0c e5 00 00 00 mov 0x0(,%r12,8),%rcx 1970: 00 196d: R_X86_64_32S .rodata+0x438 1971: e9 00 00 00 00 jmpq 1976 1972: R_X86_64_PC32 __x86_indirect_thunk_rcx-0x4 Randy Dunlap reported a case (seen with GCC 4.8) where the .rodata access uses RIP-relative addressing: 19bd: 48 8b 3d 00 00 00 00 mov 0x0(%rip),%rdi # 19c4 19c0: R_X86_64_PC32 .rodata+0x45c 19c4: e9 00 00 00 00 jmpq 19c9 19c5: R_X86_64_PC32 __x86_indirect_thunk_rdi-0x4 In this case the relocation addend needs to be adjusted accordingly in order to find the location of the switch table. The fix is for case 3 (as described in the comments), but also make the existing case 1 & 2 checks more precise by only adjusting the addend for R_X86_64_PC32 relocations. This fixes the following warnings: drivers/video/fbdev/omap2/omapfb/dss/dispc.o: warning: objtool: dispc_runtime_suspend()+0xbb8: sibling call from callable instruction with modified stack frame drivers/video/fbdev/omap2/omapfb/dss/dispc.o: warning: objtool: dispc_runtime_resume()+0xcc5: sibling call from callable instruction with modified stack frame Reported-by: Randy Dunlap Signed-off-by: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/b6098294fd67afb69af8c47c9883d7a68bf0f8ea.1526305958.git.jpoimboe@redhat.com Signed-off-by: Ingo Molnar tools/objtool/check.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) commit c99f0802e42fcd38e84ee4d306691805ebed204f Author: Jorge Sanjuan Date: Fri May 11 16:25:35 2018 +0100 ALSA: usb-audio: Use Class Specific EP for UAC3 devices. bmAtributes offset doesn't exist in the UAC3 CS_EP descriptor. Hence, checking for pitch control as if it was UAC2 doesn't make any sense. Use the defined UAC3 offsets instead. Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") Signed-off-by: Jorge Sanjuan Reviewed-by: Ruslan Bilovol Signed-off-by: Takashi Iwai sound/usb/stream.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 76ef6b28ea4f81c3d511866a9b31392caa833126 Author: Dave Airlie Date: Tue May 15 13:38:15 2018 +1000 drm: set FMODE_UNSIGNED_OFFSET for drm files Since we have the ttm and gem vma managers using a subset of the file address space for objects, and these start at 0x100000000 they will overflow the new mmap checks. I've checked all the mmap routines I could see for any bad behaviour but overall most people use GEM/TTM VMA managers even the legacy drivers have a hashtable. Reported-and-Tested-by: Arthur Marsh (amarsh04 on #radeon) Fixes: be83bbf8068 (mmap: introduce sane default mmap limits) Signed-off-by: Dave Airlie drivers/gpu/drm/drm_file.c | 1 + 1 file changed, 1 insertion(+) commit a406b0a0693eafc6f6b3a633d25749370bf40d8c Author: Randy Dunlap Date: Sun May 13 17:10:52 2018 -0700 scsi: core: clean up generated file scsi_devinfo_tbl.c "make clean" should remove the generated file "scsi_devinfo_tbl.c", so list it in the clean-files variable so that the file gets cleaned up. Fixes: 345e29608b4b ("scsi: scsi: Export blacklist flags to sysfs") Cc: Hannes Reinecke Signed-off-by: Randy Dunlap Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen drivers/scsi/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 125966db1fea12575ee21b2b3fc95a59032406f0 Author: Prasanna Kumar Kalever Date: Thu May 10 19:12:18 2018 +0530 scsi: target: tcmu: fix error resetting qfull_time_out to default Problem: $ cat /sys/kernel/config/target/core/user_0/block/attrib/qfull_time_out -1 $ echo "-1" > /sys/kernel/config/target/core/user_0/block/attrib/qfull_time_out -bash: echo: write error: Invalid argument Fix: This patch will help reset qfull_time_out to its default i.e. qfull_time_out=-1. Signed-off-by: Prasanna Kumar Kalever Acked-by: Mike Christie Signed-off-by: Martin K. Petersen drivers/target/target_core_user.c | 2 ++ 1 file changed, 2 insertions(+) commit f3002c1374fb2367c9d8dbb28852791ef90d2bac Author: hpreg@vmware.com Date: Mon May 14 08:14:49 2018 -0400 vmxnet3: use DMA memory barriers where required The gen bits must be read first from (resp. written last to) DMA memory. The proper way to enforce this on Linux is to call dma_rmb() (resp. dma_wmb()). Signed-off-by: Regis Duchesne Acked-by: Ronak Doshi Signed-off-by: David S. Miller drivers/net/vmxnet3/vmxnet3_drv.c | 22 ++++++++++++++++++++++ drivers/net/vmxnet3/vmxnet3_int.h | 4 ++-- 2 files changed, 24 insertions(+), 2 deletions(-) commit 61aeecea40afb2b89933e27cd4adb10fc2e75cfd Author: hpreg@vmware.com Date: Mon May 14 08:14:34 2018 -0400 vmxnet3: set the DMA mask before the first DMA map operation The DMA mask must be set before, not after, the first DMA map operation, or the first DMA map operation could in theory fail on some systems. Fixes: b0eb57cb97e78 ("VMXNET3: Add support for virtual IOMMU") Signed-off-by: Regis Duchesne Acked-by: Ronak Doshi Signed-off-by: David S. Miller drivers/net/vmxnet3/vmxnet3_drv.c | 50 +++++++++++++++++++-------------------- drivers/net/vmxnet3/vmxnet3_int.h | 8 ++++--- 2 files changed, 30 insertions(+), 28 deletions(-) commit 849a742c59a3d597473c0232f9c2506c69eeef14 Author: Kumar Sanghvi Date: Mon May 14 16:27:34 2018 +0530 cxgb4: Correct ntuple mask validation for hash filters Earlier code of doing bitwise AND with field width bits was wrong. Instead, simplify code to calculate ntuple_mask based on supplied fields and then compare with mask configured in hw - which is the correct and simpler way to validate ntuple mask. Fixes: 3eb8b62d5a26 ("cxgb4: add support to create hash-filters via tc-flower offload") Signed-off-by: Kumar Sanghvi Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 88 ++++++++--------------- 1 file changed, 30 insertions(+), 58 deletions(-) commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 Author: Maciej W. Rozycki Date: Mon May 14 16:49:43 2018 +0100 MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs Check the TIF_32BIT_FPREGS task setting of the tracee rather than the tracer in determining the layout of floating-point general registers in the floating-point context, correcting access to odd-numbered registers for o32 tracees where the setting disagrees between the two processes. Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 3.14+ Signed-off-by: James Hogan arch/mips/kernel/ptrace.c | 4 ++-- arch/mips/kernel/ptrace32.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 947bc875116042d5375446aa29bc1073c2d38977 Author: Alexandre Belloni Date: Wed Apr 25 23:10:36 2018 +0200 MIPS: xilfpga: Actually include FDT in fitImage Commit b35565bb16a5 ("MIPS: generic: Add support for MIPSfpga") added and its.S file for xilfpga but forgot to add it to arch/mips/generic/Platform so it is never used. Fixes: b35565bb16a5 ("MIPS: generic: Add support for MIPSfpga") Signed-off-by: Alexandre Belloni Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 4.15+ Patchwork: https://patchwork.linux-mips.org/patch/19245/ Signed-off-by: James Hogan arch/mips/generic/Platform | 1 + 1 file changed, 1 insertion(+) commit a5a92abbce56c41ff121db41a33b9c0a0ff39365 Author: Alexandre Belloni Date: Wed Apr 25 23:10:35 2018 +0200 MIPS: xilfpga: Stop generating useless dtb.o A dtb.o is generated from nexys4ddr.dts but this is never used since it has been moved to mips/generic with commit b35565bb16a5 ("MIPS: generic: Add support for MIPSfpga"). Fixes: b35565bb16a5 ("MIPS: generic: Add support for MIPSfpga") Signed-off-by: Alexandre Belloni Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 4.15+ Patchwork: https://patchwork.linux-mips.org/patch/19244/ Signed-off-by: James Hogan arch/mips/boot/dts/xilfpga/Makefile | 2 -- 1 file changed, 2 deletions(-) commit ba3696e94d9d590d9a7e55f68e81c25dba515191 Author: Colin Ian King Date: Mon May 14 18:23:50 2018 +0100 KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" Trivial fix to spelling mistake in debugfs_entries text. Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM") Signed-off-by: Colin Ian King Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: kernel-janitors@vger.kernel.org Cc: # 3.10+ Signed-off-by: James Hogan arch/mips/kvm/mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 71e909c0cdad28a1df1fa14442929e68615dee45 Author: Maciej W. Rozycki Date: Mon Apr 30 15:56:47 2018 +0100 MIPS: ptrace: Expose FIR register through FP regset Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") and expose the FIR register using the unused 4 bytes at the end of the NT_PRFPREG regset. Without that register included clients cannot use the PTRACE_GETREGSET request to retrieve the complete FPU register set and have to resort to one of the older interfaces, either PTRACE_PEEKUSR or PTRACE_GETFPREGS, to retrieve the missing piece of data. Also the register is irreversibly missing from core dumps. This register is architecturally hardwired and read-only so the write path does not matter. Ignore data supplied on writes then. Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: James Hogan Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 3.13+ Patchwork: https://patchwork.linux-mips.org/patch/19273/ Signed-off-by: James Hogan arch/mips/kernel/ptrace.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) commit c60128ce97674fd05adb8b5ae79eb6745a03192e Author: Paul Cercueil Date: Wed Mar 28 17:38:12 2018 +0200 MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770 The debug definitions were missing for MACH_JZ4770, resulting in a build failure when DEBUG_ZBOOT was set. Since the UART addresses are the same across all Ingenic SoCs, we just use a #ifdef CONFIG_MACH_INGENIC instead of checking for individual Ingenic SoCs. Additionally, I added a #define for the UART0 address in-code and dropped the include, for the reason that this include file is slowly being phased out as the whole platform is being moved to devicetree. Fixes: 9be5f3e92ed5 ("MIPS: ingenic: Initial JZ4770 support") Signed-off-by: Paul Cercueil Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: # 4.16 Patchwork: https://patchwork.linux-mips.org/patch/18957/ Signed-off-by: James Hogan arch/mips/boot/compressed/uart-16550.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 55a2aa08b3af519a9693f99cdf7fa6d8b62d9f65 Author: NeilBrown Date: Fri Apr 27 09:28:34 2018 +1000 MIPS: c-r4k: Fix data corruption related to cache coherence When DMA will be performed to a MIPS32 1004K CPS, the L1-cache for the range needs to be flushed and invalidated first. The code currently takes one of two approaches. 1/ If the range is less than the size of the dcache, then HIT type requests flush/invalidate cache lines for the particular addresses. HIT-type requests a globalised by the CPS so this is safe on SMP. 2/ If the range is larger than the size of dcache, then INDEX type requests flush/invalidate the whole cache. INDEX type requests affect the local cache only. CPS does not propagate them in any way. So this invalidation is not safe on SMP CPS systems. Data corruption due to '2' can quite easily be demonstrated by repeatedly "echo 3 > /proc/sys/vm/drop_caches" and then sha1sum a file that is several times the size of available memory. Dropping caches means that large contiguous extents (large than dcache) are more likely. This was not a problem before Linux-4.8 because option 2 was never used if CONFIG_MIPS_CPS was defined. The commit which removed that apparently didn't appreciate the full consequence of the change. We could, in theory, globalize the INDEX based flush by sending an IPI to other cores. These cache invalidation routines can be called with interrupts disabled and synchronous IPI require interrupts to be enabled. Asynchronous IPI may not trigger writeback soon enough. So we cannot use IPI in practice. We can already test if IPI would be needed for an INDEX operation with r4k_op_needs_ipi(R4K_INDEX). If this is true then we mustn't try the INDEX approach as we cannot use IPI. If this is false (e.g. when there is only one core and hence one L1 cache) then it is safe to use the INDEX approach without IPI. This patch avoids options 2 if r4k_op_needs_ipi(R4K_INDEX), and so eliminates the corruption. Fixes: c00ab4896ed5 ("MIPS: Remove cpu_has_safe_index_cacheops") Signed-off-by: NeilBrown Cc: Ralf Baechle Cc: Paul Burton Cc: linux-mips@linux-mips.org Cc: # 4.8+ Patchwork: https://patchwork.linux-mips.org/patch/19259/ Signed-off-by: James Hogan arch/mips/mm/c-r4k.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 45dd9b0666a162f8e4be76096716670cf1741f0e Author: Steven Rostedt (VMware) Date: Wed May 9 14:36:09 2018 -0400 tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} Doing an audit of trace events, I discovered two trace events in the xen subsystem that use a hack to create zero data size trace events. This is not what trace events are for. Trace events add memory footprint overhead, and if all you need to do is see if a function is hit or not, simply make that function noinline and use function tracer filtering. Worse yet, the hack used was: __array(char, x, 0) Which creates a static string of zero in length. There's assumptions about such constructs in ftrace that this is a dynamic string that is nul terminated. This is not the case with these tracepoints and can cause problems in various parts of ftrace. Nuke the trace events! Link: http://lkml.kernel.org/r/20180509144605.5a220327@gandalf.local.home Cc: stable@vger.kernel.org Fixes: 95a7d76897c1e ("xen/mmu: Use Xen specific TLB flush instead of the generic one.") Reviewed-by: Juergen Gross Signed-off-by: Steven Rostedt (VMware) arch/x86/xen/mmu.c | 4 +--- arch/x86/xen/mmu_pv.c | 4 +--- include/trace/events/xen.h | 16 ---------------- 3 files changed, 2 insertions(+), 22 deletions(-) commit d49baa7e12ee70c0a7b821d088a770c94c02e494 Author: Eric Biggers Date: Sun May 13 17:01:30 2018 -0700 net/smc: check for missing nlattrs in SMC_PNETID messages It's possible to crash the kernel in several different ways by sending messages to the SMC_PNETID generic netlink family that are missing the expected attributes: - Missing SMC_PNETID_NAME => null pointer dereference when comparing names. - Missing SMC_PNETID_ETHNAME => null pointer dereference accessing smc_pnetentry::ndev. - Missing SMC_PNETID_IBNAME => null pointer dereference accessing smc_pnetentry::smcibdev. - Missing SMC_PNETID_IBPORT => out of bounds array access to smc_ib_device::pattr[-1]. Fix it by validating that all expected attributes are present and that SMC_PNETID_IBPORT is nonzero. Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com Fixes: 6812baabf24d ("smc: establish pnet table management") Cc: # v4.11+ Signed-off-by: Eric Biggers Signed-off-by: David S. Miller net/smc/smc_pnet.c | 71 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 31 deletions(-) commit 57f6f99fdad9984801cde05c1db68fe39b474a10 Author: Tarick Bedeir Date: Sun May 13 16:38:45 2018 -0700 net/mlx4_core: Fix error handling in mlx4_init_port_info. Avoid exiting the function with a lingering sysfs file (if the first call to device_create_file() fails while the second succeeds), and avoid calling devlink_port_unregister() twice. In other words, either mlx4_init_port_info() succeeds and returns zero, or it fails, returns non-zero, and requires no cleanup. Fixes: 096335b3f983 ("mlx4_core: Allow dynamic MTU configuration for IB ports") Signed-off-by: Tarick Bedeir Reviewed-by: Leon Romanovsky Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 0cf442c6bcf572e04f5690340d5b8e62afcee2ca Author: Miquel Raynal Date: Tue Apr 24 17:45:06 2018 +0200 cpufreq: armada-37xx: driver relies on cpufreq-dt Armada-37xx driver registers a cpufreq-dt driver. Not having CONFIG_CPUFREQ_DT selected leads to a silent abort during the probe. Prevent that situation by having the former depending on the latter. Fixes: 92ce45fb875d7 (cpufreq: Add DVFS support for Armada 37xx) Cc: 4.16+ # 4.16+ Signed-off-by: Miquel Raynal Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki drivers/cpufreq/Kconfig.arm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7b34c0fb1b51a6377752fc971e57577eeb102d60 Author: Bob Moore Date: Tue May 8 14:06:15 2018 -0700 ACPICA: Add deferred package support for the Load and loadTable operators Completes the support and fixes a regression introduced in version 20180209. The regression caused package objects that were loaded by the Load and loadTable operators. This created an error message like the following: [ 0.251922] ACPI Error: No pointer back to namespace node in package 00000000fd2a44cd (20180313/dsargs-303) Link: https://bugzilla.kernel.org/show_bug.cgi?id=199413 Fixes: 5a8361f7ecce (ACPICA: Integrate package handling with module-level code) Signed-off-by: Bob Moore Signed-off-by: Erik Schmauss Signed-off-by: Rafael J. Wysocki drivers/acpi/acpica/acnamesp.h | 4 +++ drivers/acpi/acpica/exconfig.c | 14 ++++++++ drivers/acpi/acpica/nsinit.c | 76 +++++++++++++++++++++++++++++++----------- 3 files changed, 74 insertions(+), 20 deletions(-) commit 4152dc91b5932e7fe49a5afed62a068b2f31d196 Author: Alexey Kodanev Date: Fri May 11 20:15:13 2018 +0300 selinux: correctly handle sa_family cases in selinux_sctp_bind_connect() Allow to pass the socket address structure with AF_UNSPEC family for compatibility purposes. selinux_socket_bind() will further check it for INADDR_ANY and selinux_socket_connect_helper() should return EINVAL. For a bad address family return EINVAL instead of AFNOSUPPORT error, i.e. what is expected from SCTP protocol in such case. Fixes: d452930fd3b9 ("selinux: Add SCTP support") Suggested-by: Paul Moore Signed-off-by: Alexey Kodanev Signed-off-by: Paul Moore security/selinux/hooks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 88b7d370bb4b1280717ebdacd6748456f9ba484f Author: Alexey Kodanev Date: Fri May 11 20:15:12 2018 +0300 selinux: fix address family in bind() and connect() to match address/port Since sctp_bindx() and sctp_connectx() can have multiple addresses, sk_family can differ from sa_family. Therefore, selinux_socket_bind() and selinux_socket_connect_helper(), which process sockaddr structure (address and port), should use the address family from that structure too, and not from the socket one. The initialization of the data for the audit record is moved above, in selinux_socket_bind(), so that there is no duplicate changes and code. Fixes: d452930fd3b9 ("selinux: Add SCTP support") Suggested-by: Paul Moore Signed-off-by: Alexey Kodanev Signed-off-by: Paul Moore security/selinux/hooks.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) commit 0f8db8cc73df60b3de9a5eebd8f117b56eff5b03 Author: Alexey Kodanev Date: Fri May 11 20:15:11 2018 +0300 selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind() Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility with the old programs that can pass sockaddr_in structure with AF_UNSPEC and INADDR_ANY to bind(). As a result, bind() returns EAFNOSUPPORT error. This was found with LTP/asapi_01 test. Similar to commit 29c486df6a20 ("net: ipv4: relax AF_INET check in bind()"), which relaxed AF_INET check for compatibility, add AF_UNSPEC case to AF_INET and make sure that the address is INADDR_ANY. Fixes: d452930fd3b9 ("selinux: Add SCTP support") Signed-off-by: Alexey Kodanev Signed-off-by: Paul Moore security/selinux/hooks.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) commit b196d88aba8ac72b775137854121097f4c4c6862 Author: Jason Wang Date: Fri May 11 10:49:25 2018 +0800 tun: fix use after free for ptr_ring We used to initialize ptr_ring during TUNSETIFF, this is because its size depends on the tx_queue_len of netdevice. And we try to clean it up when socket were detached from netdevice. A race were spotted when trying to do uninit during a read which will lead a use after free for pointer ring. Solving this by always initialize a zero size ptr_ring in open() and do resizing during TUNSETIFF, and then we can safely do cleanup during close(). With this, there's no need for the workaround that was introduced by commit 4df0bfc79904 ("tun: fix a memory leak for tfile->tx_array"). Reported-by: syzbot+e8b902c3c3fadf0a9dba@syzkaller.appspotmail.com Cc: Eric Dumazet Cc: Cong Wang Cc: Michael S. Tsirkin Fixes: 1576d9860599 ("tun: switch to use skb array for tx") Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/net/tun.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) commit ae93870f73d373953d3e2eb090828cf64816568e Merge: 99ffa8b e691436 Author: Olof Johansson Date: Mon May 14 09:27:33 2018 -0700 Merge tag 'reset-fixes-for-4.17' of git://git.pengutronix.de/pza/linux into fixes Reset controller fixes for v4.17 Fix the USB3 reset (offset 0x200c, bit 5) on Uniphier LD20. It was incorrectly labeled as GIO reset. This reset line is not yet used in uniphier-ld20.dtsi. * tag 'reset-fixes-for-4.17' of git://git.pengutronix.de/pza/linux: reset: uniphier: fix USB clock line for LD20 Signed-off-by: Olof Johansson commit 99ffa8b0e7ee13410dd60498129ba1b52ce26f80 Merge: 9954b80 f43194c Author: Olof Johansson Date: Mon May 14 09:25:14 2018 -0700 Merge tag 'mvebu-fixes-4.17-1' of git://git.infradead.org/linux-mvebu into fixes mvebu fixes for 4.17 (part 1) Declare missing clocks needed for network on Armada 8040 base boards (such as the McBin) * tag 'mvebu-fixes-4.17-1' of git://git.infradead.org/linux-mvebu: ARM64: dts: marvell: armada-cp110: Add mg_core_clk for ethernet node ARM64: dts: marvell: armada-cp110: Add clocks for the xmdio node Signed-off-by: Olof Johansson commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa Author: Russell King Date: Thu May 10 14:24:20 2018 +0100 ARM: keystone: fix platform_domain_notifier array overrun platform_domain_notifier contains a variable sized array, which the pm_clk_notify() notifier treats as a NULL terminated array: for (con_id = clknb->con_ids; *con_id; con_id++) pm_clk_add(dev, *con_id); Omitting the initialiser for con_ids means that the array is zero sized, and there is no NULL terminator. This leads to pm_clk_notify() overrunning into what ever structure follows, which may not be NULL. This leads to an oops: Unable to handle kernel NULL pointer dereference at virtual address 0000008c pgd = c0003000 [0000008c] *pgd=80000800004003c, *pmd=00000000c Internal error: Oops: 206 [#1] PREEMPT SMP ARM Modules linked in:c CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9 Hardware name: Keystone PC is at strlen+0x0/0x34 LR is at kstrdup+0x18/0x54 pc : [] lr : [] psr: 20000013 sp : eec73dc0 ip : eed780c0 fp : 00000001 r10: 00000000 r9 : 00000000 r8 : eed71e10 r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4 r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 00003000 DAC: fffffffd Process swapper/0 (pid: 1, stack limit = 0xeec72210) Stack: (0xeec73dc0 to 0xeec74000) ... [] (strlen) from [] (kstrdup+0x18/0x54) [] (kstrdup) from [] (__pm_clk_add+0x58/0x120) [] (__pm_clk_add) from [] (pm_clk_notify+0x64/0xa8) [] (pm_clk_notify) from [] (notifier_call_chain+0x44/0x84) [] (notifier_call_chain) from [] (__blocking_notifier_call_chain+0x48/0x60) [] (__blocking_notifier_call_chain) from [] (blocking_notifier_call_chain+0x18/0x20) [] (blocking_notifier_call_chain) from [] (device_add+0x36c/0x534) [] (device_add) from [] (of_platform_device_create_pdata+0x70/0xa4) [] (of_platform_device_create_pdata) from [] (of_platform_bus_create+0xf0/0x1ec) [] (of_platform_bus_create) from [] (of_platform_populate+0x5c/0xac) [] (of_platform_populate) from [] (of_platform_default_populate_init+0x8c/0xa8) [] (of_platform_default_populate_init) from [] (do_one_initcall+0x3c/0x164) [] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d0) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf0) [] (kernel_init) from [] (ret_from_fork+0x14/0x3c) Exception stack(0xeec73fb0 to 0xeec73ff8) 3fa0: 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000) ---[ end trace cafa8f148e262e80 ]--- Fix this by adding the necessary initialiser. Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management") Signed-off-by: Russell King Acked-by: Santosh Shilimkar Signed-off-by: Olof Johansson arch/arm/mach-keystone/pm_domain.c | 1 + 1 file changed, 1 insertion(+) commit 76936e9a6df17b89481bd2655c8684291afbe656 Author: François Cami Date: Sun May 13 20:11:15 2018 +0200 libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q. Without this patch the drive errors out regularly: [ 1.090154] ata1.00: ATA-8: SAMSUNG SSD PM830 mSATA 256GB, CXM13D1Q, max UDMA/133 (...) [ 345.154996] ata1.00: exception Emask 0x40 SAct 0x0 SErr 0xc0800 action 0x6 [ 345.155006] ata1.00: irq_stat 0x40000001 [ 345.155013] ata1: SError: { HostInt CommWake 10B8B } [ 345.155018] ata1.00: failed command: SET FEATURES [ 345.155032] ata1.00: cmd ef/05:e1:00:00:00/00:00:00:00:00/40 tag 7 res 51/04:e1:00:00:00/00:00:00:00:00/40 Emask 0x41 (internal error) [ 345.155038] ata1.00: status: { DRDY ERR } [ 345.155042] ata1.00: error: { ABRT } [ 345.155051] ata1: hard resetting link [ 345.465661] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [ 345.466955] ata1.00: configured for UDMA/133 [ 345.467085] ata1: EH complete Signed-off-by: François Cami Acked-by: Hans de Goede Signed-off-by: Tejun Heo drivers/ata/libata-core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit ebc3dd688cd988754a304147753b13e58de1b5a1 Author: Daniel Glöckner Date: Mon May 14 09:40:05 2018 -0500 usb: musb: fix remote wakeup racing with suspend It has been observed that writing 0xF2 to the power register while it reads as 0xF4 results in the register having the value 0xF0, i.e. clearing RESUME and setting SUSPENDM in one go does not work. It might also violate the USB spec to transition directly from resume to suspend, especially when not taking T_DRSMDN into account. But this is what happens when a remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the root hub and musb_bus_suspend being called. This commit returns -EBUSY when musb_bus_suspend is called while remote wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring this error when musb_port_suspend is called from musb_hub_control is ok. Signed-off-by: Daniel Glöckner Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/musb_host.c | 5 ++++- drivers/usb/musb/musb_host.h | 7 +++++-- drivers/usb/musb/musb_virthub.c | 25 +++++++++++++++---------- 3 files changed, 24 insertions(+), 13 deletions(-) commit 9a8fca62aacc1599fea8e813d01e1955513e4fad Author: Filipe Manana Date: Fri May 11 16:42:42 2018 +0100 Btrfs: fix xattr loss after power failure If a file has xattrs, we fsync it, to ensure we clear the flags BTRFS_INODE_NEEDS_FULL_SYNC and BTRFS_INODE_COPY_EVERYTHING from its inode, the current transaction commits and then we fsync it (without either of those bits being set in its inode), we end up not logging all its xattrs. This results in deleting all xattrs when replying the log after a power failure. Trivial reproducer $ mkfs.btrfs -f /dev/sdb $ mount /dev/sdb /mnt $ touch /mnt/foobar $ setfattr -n user.xa -v qwerty /mnt/foobar $ xfs_io -c "fsync" /mnt/foobar $ sync $ xfs_io -c "pwrite -S 0xab 0 64K" /mnt/foobar $ xfs_io -c "fsync" /mnt/foobar $ mount /dev/sdb /mnt $ getfattr --absolute-names --dump /mnt/foobar $ So fix this by making sure all xattrs are logged if we log a file's inode item and neither the flags BTRFS_INODE_NEEDS_FULL_SYNC nor BTRFS_INODE_COPY_EVERYTHING were set in the inode. Fixes: 36283bf777d9 ("Btrfs: fix fsync xattr loss in the fast fsync path") Cc: # 4.2+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba fs/btrfs/tree-log.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 Author: Robbie Ko Date: Mon May 14 10:51:34 2018 +0800 Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send. [REASON] The problem can happen if while we are doing a send one of the snapshots used (parent or send) is snapshotted, because snapshoting implies COWing the root of the source subvolume/snapshot. 1. When doing an incremental send, the send process will get the commit roots from the parent and send snapshots, and add references to them through extent_buffer_get(). 2. When a snapshot/subvolume is snapshotted, its root node is COWed (transaction.c:create_pending_snapshot()). 3. COWing releases the space used by the node immediately, through: __btrfs_cow_block() --btrfs_free_tree_block() ----btrfs_add_free_space(bytenr of node) 4. Because send doesn't hold a transaction open, it's possible that the transaction used to create the snapshot commits, switches the commit root and the old space used by the previous root node gets assigned to some other node allocation. Allocation of a new node will use the existing extent buffer found in memory, which we previously got a reference through extent_buffer_get(), and allow the extent buffer's content (pages) to be modified: btrfs_alloc_tree_block --btrfs_reserve_extent ----find_free_extent (get bytenr of old node) --btrfs_init_new_buffer (use bytenr of old node) ----btrfs_find_create_tree_block ------alloc_extent_buffer --------find_extent_buffer (get old node) 5. So send can access invalid memory content and have unpredictable behaviour. [FIX] So we fix the problem by copying the commit roots of the send and parent snapshots and use those copies. CallTrace looks like this: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1861! invalid opcode: 0000 [#1] SMP CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721 ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000 RIP: 0010:[] read_node_slot+0x108/0x110 [btrfs] RSP: 0018:ffff88041b723b68 EFLAGS: 00010246 RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000 RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66 R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890 R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001 FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000) CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880 ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50 ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400 Call Trace: [] ? tree_move_down.isra.33+0x27/0x50 [btrfs] [] ? tree_advance+0xb5/0xc0 [btrfs] [] ? btrfs_compare_trees+0x2d4/0x760 [btrfs] [] ? finish_inode_if_needed+0x870/0x870 [btrfs] [] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs] [] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs] [] ? handle_pte_fault+0x373/0x990 [] ? atomic_notifier_call_chain+0x16/0x20 [] ? set_task_cpu+0xb6/0x1d0 [] ? handle_mm_fault+0x143/0x2a0 [] ? __do_page_fault+0x1d0/0x500 [] ? check_preempt_curr+0x57/0x90 [] ? do_vfs_ioctl+0x4aa/0x990 [] ? do_fork+0x113/0x3b0 [] ? trace_hardirqs_off_thunk+0x3a/0x6c [] ? SyS_ioctl+0x88/0xa0 [] ? system_call_fastpath+0x16/0x1b ---[ end trace 29576629ee80b2e1 ]--- Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function") CC: stable@vger.kernel.org # 3.6+ Signed-off-by: Robbie Ko Reviewed-by: Filipe Manana Signed-off-by: David Sterba fs/btrfs/ctree.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) commit 4776cab43fd3111618112737a257dc3ef368eddd Author: David Howells Date: Thu May 10 23:10:40 2018 +0100 afs: Fix the non-encryption of calls Some AFS servers refuse to accept unencrypted traffic, so can't be accessed with kAFS. Set the AF_RXRPC security level to encrypt client calls to deal with this. Note that incoming service calls are set by the remote client and so aren't affected by this. This requires an AF_RXRPC patch to pass the value set by setsockopt to calls begun by the kernel. Signed-off-by: David Howells fs/afs/rxrpc.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 428edade4e6c70e5b51fcd4188d944fbb744d84c Author: David Howells Date: Sat May 12 00:28:58 2018 +0100 afs: Fix CB.CallBack handling The handling of CB.CallBack messages sent by the fileserver to the client is broken in that they are currently being processed after the reply has been transmitted. This is not what the fileserver expects, however. It holds up change visibility until the reply comes so as to maintain cache coherency, and so expects the client to have to refetch the state on the affected files. Fix CB.CallBack handling to perform the callback break before sending the reply. The fileserver is free to hold up status fetches issued by other threads on the same client that occur in reponse to the callback until any pending changes have been committed. Fixes: d001648ec7cf ("rxrpc: Don't expose skbs to in-kernel users [ver #2]") Signed-off-by: David Howells fs/afs/cmservice.c | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) commit 68251f0a6818f3be19b1471f36c956ca97c1427d Author: David Howells Date: Sat May 12 22:31:33 2018 +0100 afs: Fix whole-volume callback handling It's possible for an AFS file server to issue a whole-volume notification that callbacks on all the vnodes in the file have been broken. This is done for R/O and backup volumes (which don't have per-file callbacks) and for things like a volume being taken offline. Fix callback handling to detect whole-volume notifications, to track it across operations and to check it during inode validation. Fixes: c435ee34551e ("afs: Overhaul the callback handling") Signed-off-by: David Howells fs/afs/callback.c | 28 +++++++++++++++++++++------- fs/afs/dir.c | 18 +++++++++--------- fs/afs/file.c | 2 +- fs/afs/flock.c | 6 +++--- fs/afs/fsclient.c | 2 +- fs/afs/inode.c | 13 ++++++++----- fs/afs/internal.h | 15 +++++++++++++++ fs/afs/security.c | 7 +++---- fs/afs/super.c | 2 +- fs/afs/write.c | 2 +- 10 files changed, 63 insertions(+), 32 deletions(-) commit f9c1bba3d392843f046d2ee27b4dfcec989d8a4b Author: Marc Dionne Date: Fri May 11 21:35:06 2018 -0300 afs: Fix afs_find_server search loop The code that looks up servers by addresses makes the assumption that the list of addresses for a server is sorted. It exits the loop if it finds that the target address is larger than the current candidate. As the list is not currently sorted, this can lead to a failure to find a matching server, which can cause callbacks from that server to be ignored. Remove the early exit case so that the complete list is searched. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: Marc Dionne Signed-off-by: David Howells fs/afs/server.c | 13 ------------- 1 file changed, 13 deletions(-) commit a86b06d1ccd218a6a50d6a3a88fbd2abcd0eaa94 Author: David Howells Date: Fri May 11 23:45:40 2018 +0100 afs: Fix the handling of an unfound server in CM operations If the client cache manager operations that need the server record (CB.Callback, CB.InitCallBackState, and CB.InitCallBackState3) can't find the server record, they abort the call from the file server with RX_CALL_DEAD when they should return okay. Fixes: c35eccb1f614 ("[AFS]: Implement the CB.InitCallBackState3 operation.") Signed-off-by: David Howells fs/afs/cmservice.c | 34 ++++++++++++---------------------- fs/afs/rxrpc.c | 5 ----- 2 files changed, 12 insertions(+), 27 deletions(-) commit 3709a399c15e4273d9a94b123374f12e5664318c Author: David Howells Date: Fri May 11 22:59:42 2018 +0100 afs: Add a tracepoint to record callbacks from unlisted servers Add a tracepoint to record callbacks from servers for which we don't have a record. Signed-off-by: David Howells fs/afs/cmservice.c | 12 +++++++++--- include/trace/events/afs.h | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 3 deletions(-) commit 001ab5a67ee5d191c64aebf4b4ef8c7a0dcfd2bc Author: David Howells Date: Fri May 11 23:21:35 2018 +0100 afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID Fix the handling of the CB.InitCallBackState3 service call to find the record of a server that we're using by looking it up by the UUID passed as the parameter rather than by its address (of which it might have many, and which may change). Fixes: c35eccb1f614 ("[AFS]: Implement the CB.InitCallBackState3 operation.") Signed-off-by: David Howells fs/afs/cmservice.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 3d9fa91161387ee629e7a07c47934d119910c8ae Author: David Howells Date: Fri May 11 22:55:59 2018 +0100 afs: Fix VNOVOL handling in address rotation If a volume location record lists multiple file servers for a volume, then it's possible that due to a misconfiguration or a changing configuration that one of the file servers doesn't know about it yet and will abort VNOVOL. Currently, the rotation algorithm will stop with EREMOTEIO. Fix this by moving on to try the next server if VNOVOL is returned. Once all the servers have been tried and the record rechecked, the algorithm will stop with EREMOTEIO or ENOMEDIUM. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Reported-by: Marc Dionne Signed-off-by: David Howells fs/afs/rotate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 684b0f68cf1c1cf4a40834818653491c5cad4435 Author: David Howells Date: Thu May 10 21:51:47 2018 +0100 afs: Fix AFSFetchStatus decoder to provide OpenAFS compatibility The OpenAFS server's RXAFS_InlineBulkStatus implementation has a bug whereby if an error occurs on one of the vnodes being queried, then the errorCode field is set correctly in the corresponding status, but the interfaceVersion field is left unset. Fix kAFS to deal with this by evaluating the AFSFetchStatus blob against the following cases when called from FS.InlineBulkStatus delivery: (1) If InterfaceVersion == 0 then: (a) If errorCode != 0 then it indicates the abort code for the corresponding vnode. (b) If errorCode == 0 then the status record is invalid. (2) If InterfaceVersion == 1 then: (a) If errorCode != 0 then it indicates the abort code for the corresponding vnode. (b) If errorCode == 0 then the status record is valid and can be parsed. (3) If InterfaceVersion is anything else then the status record is invalid. Fixes: dd9fbcb8e103 ("afs: Rearrange status mapping") Reported-by: Jeffrey Altman Signed-off-by: David Howells fs/afs/fsclient.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) commit 90d617633368ab97a2c7571c6e66dad54f39228d Author: Boris Brezillon Date: Wed May 9 09:13:58 2018 +0200 mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2 The code is doing monolithic reads for all chunks except the last one which is wrong since a monolithic read will issue the READ0+ADDRS+READ_START sequence. It not only takes longer because it forces the NAND chip to reload the page content into its internal cache, but by doing that we also reset the column pointer to 0, which means we'll always read the first chunk instead of moving to the next one. Rework the code to do a monolithic read only for the first chunk, then switch to naked reads for all intermediate chunks and finally issue a last naked read for the last chunk. Fixes: 02f26ecf8c77 mtd: nand: add reworked Marvell NAND controller driver Cc: stable@vger.kernel.org Reported-by: Chris Packham Signed-off-by: Boris Brezillon Tested-by: Chris Packham Acked-by: Miquel Raynal drivers/mtd/nand/raw/marvell_nand.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit ea739a287f4f16d6250bea779a1026ead79695f2 Author: Ben Hutchings Date: Thu May 10 19:20:54 2018 +0100 mtd: Fix comparison in map_word_andequal() Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") changed map_word_andequal() into a macro, but also changed the right hand side of the comparison from val3 to val2. Change it back to use val3 on the right hand side. Thankfully this did not cause a regression because all callers currently pass the same argument for val2 and val3. Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") Signed-off-by: Ben Hutchings Signed-off-by: Boris Brezillon include/linux/mtd/map.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ec5a3b4b507efca903d848518dcf2ebf7b04b466 Author: David Howells Date: Thu May 10 14:22:38 2018 +0100 afs: Fix server rotation's handling of fileserver probe failure The server rotation algorithm just gives up if it fails to probe a fileserver. Fix this by rotating to the next fileserver instead. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: David Howells fs/afs/rotate.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit d4a96bec7a7362834ef5c31d7b2cc9bf36eb0570 Author: David Howells Date: Thu May 10 08:43:04 2018 +0100 afs: Fix refcounting in callback registration The refcounting on afs_cb_interest struct objects in afs_register_server_cb_interest() is wrong as it uses the server list entry's call back interest pointer without regard for the fact that it might be replaced at any time and the object thrown away. Fix this by: (1) Put a lock on the afs_server_list struct that can be used to mediate access to the callback interest pointers in the servers array. (2) Keep a ref on the callback interest that we get from the entry. (3) Dropping the old reference held by vnode->cb_interest if we replace the pointer. Fixes: c435ee34551e ("afs: Overhaul the callback handling") Signed-off-by: David Howells fs/afs/callback.c | 56 +++++++++++++++++++++++++++++++++++++--------------- fs/afs/internal.h | 7 +++++-- fs/afs/rotate.c | 4 ++-- fs/afs/server_list.c | 7 +++++-- 4 files changed, 52 insertions(+), 22 deletions(-) commit f2686b09269ec1a6f23028b5675d87c3b4579a4c Author: David Howells Date: Thu May 10 14:12:50 2018 +0100 afs: Fix giving up callbacks on server destruction When a server record is destroyed, we want to send a message to the server telling it that we're giving up all the callbacks it has promised us. Apply two fixes to this: (1) Only send the FS.GiveUpAllCallBacks message if we actually got a callback from that server. We assume this to be the case if we performed at least one successful FS operation on that server. (2) Send it to the address last used for that server rather than always picking the first address in the list (which might be unreachable). Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: David Howells fs/afs/internal.h | 1 + fs/afs/rxrpc.c | 6 +++++- fs/afs/server.c | 8 +++++--- 3 files changed, 11 insertions(+), 4 deletions(-) commit 01fd79e6de74a447c5657913a335d9ce6508cdb1 Author: David Howells Date: Wed May 9 22:03:18 2018 +0100 afs: Fix address list parsing The parsing of port specifiers in the address list obtained from the DNS resolution upcall doesn't work as in4_pton() and in6_pton() will fail on encountering an unexpected delimiter (in this case, the '+' marking the port number). However, in*_pton() can't be given multiple specifiers. Fix this by finding the delimiter in advance and not relying on in*_pton() to find the end of the address for us. Fixes: 8b2a464ced77 ("afs: Add an address list concept") Signed-off-by: David Howells fs/afs/addr_list.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) commit b61f7dcf4eb2653e870c9079b02d11a0834cfe39 Author: David Howells Date: Fri Apr 27 20:46:22 2018 +0100 afs: Fix directory page locking The afs directory loading code (primarily afs_read_dir()) locks all the pages that hold a directory's content blob to defend against getdents/getdents races and getdents/lookup races where the competitors issue conflicting reads on the same data. As the reads will complete consecutively, they may retrieve different versions of the data and one may overwrite the data that the other is busy parsing. Fix this by not locking the pages at all, but rather by turning the validation lock into an rwsem and getting an exclusive lock on it whilst reading the data or validating the attributes and a shared lock whilst parsing the data. Sharing the attribute validation lock should be fine as the data fetch will retrieve the attributes also. The individual page locks aren't needed at all as the only place they're being used is to serialise data loading. Without this patch, the: if (!test_bit(AFS_VNODE_DIR_VALID, &dvnode->flags)) { ... } part of afs_read_dir() may be skipped, leaving the pages unlocked when we hit the success: clause - in which case we try to unlock the not-locked pages, leading to the following oops: page:ffffe38b405b4300 count:3 mapcount:0 mapping:ffff98156c83a978 index:0x0 flags: 0xfffe000001004(referenced|private) raw: 000fffe000001004 ffff98156c83a978 0000000000000000 00000003ffffffff raw: dead000000000100 dead000000000200 0000000000000001 ffff98156b27c000 page dumped because: VM_BUG_ON_PAGE(!PageLocked(page)) page->mem_cgroup:ffff98156b27c000 ------------[ cut here ]------------ kernel BUG at mm/filemap.c:1205! ... RIP: 0010:unlock_page+0x43/0x50 ... Call Trace: afs_dir_iterate+0x789/0x8f0 [kafs] ? _cond_resched+0x15/0x30 ? kmem_cache_alloc_trace+0x166/0x1d0 ? afs_do_lookup+0x69/0x490 [kafs] ? afs_do_lookup+0x101/0x490 [kafs] ? key_default_cmp+0x20/0x20 ? request_key+0x3c/0x80 ? afs_lookup+0xf1/0x340 [kafs] ? __lookup_slow+0x97/0x150 ? lookup_slow+0x35/0x50 ? walk_component+0x1bf/0x490 ? path_lookupat.isra.52+0x75/0x200 ? filename_lookup.part.66+0xa0/0x170 ? afs_end_vnode_operation+0x41/0x60 [kafs] ? __check_object_size+0x9c/0x171 ? strncpy_from_user+0x4a/0x170 ? vfs_statx+0x73/0xe0 ? __do_sys_newlstat+0x39/0x70 ? __x64_sys_getdents+0xc9/0x140 ? __x64_sys_getdents+0x140/0x140 ? do_syscall_64+0x5b/0x160 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: f3ddee8dc4e2 ("afs: Fix directory handling") Reported-by: Marc Dionne Signed-off-by: David Howells fs/afs/dir.c | 36 +++++++++++++++++------------------- fs/afs/inode.c | 6 +++--- fs/afs/internal.h | 2 +- fs/afs/super.c | 2 +- 4 files changed, 22 insertions(+), 24 deletions(-) commit cd078bf95df29d827daca0274a9a13821c11eedb Author: Chris Wilson Date: Fri May 11 13:11:45 2018 +0100 drm/i915/execlists: Use rmb() to order CSB reads We assume that the CSB is written using the normal ringbuffer coherency protocols, as outlined in kernel/events/ring_buffer.c: * (HW) (DRIVER) * * if (LOAD ->data_tail) { LOAD ->data_head * (A) smp_rmb() (C) * STORE $data LOAD $data * smp_wmb() (B) smp_mb() (D) * STORE ->data_head STORE ->data_tail * } So we assume that the HW fulfils its ordering requirements (B), and so we should use a complimentary rmb (C) to ensure that our read of its WRITE pointer is completed before we start accessing the data. The final mb (D) is implied by the uncached mmio we perform to inform the HW of our READ pointer. References: https://bugs.freedesktop.org/show_bug.cgi?id=105064 References: https://bugs.freedesktop.org/show_bug.cgi?id=105888 References: https://bugs.freedesktop.org/show_bug.cgi?id=106185 Fixes: 767a983ab255 ("drm/i915/execlists: Read the context-status HEAD from the HWSP") References: 61bf9719fa17 ("drm/i915/cnl: Use mmio access to context status buffer") Suggested-by: Mika Kuoppala Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Cc: Michał Winiarski Cc: Rafael Antognolli Cc: Michel Thierry Cc: Timo Aaltonen Tested-by: Timo Aaltonen Acked-by: Michel Thierry Acked-by: Mika Kuoppala Link: https://patchwork.freedesktop.org/patch/msgid/20180511121147.31915-1-chris@chris-wilson.co.uk (cherry picked from commit 77dfedb5be03779f9a5d83e323a1b36e32090105) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_lrc.c | 1 + 1 file changed, 1 insertion(+) commit 20943f984967477c906522112d2b6b5a29f94684 Author: Matthew Auld Date: Wed May 2 20:50:21 2018 +0100 drm/i915/userptr: reject zero user_size Operating on a zero sized GEM userptr object will lead to explosions. Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl") Testcase: igt/gem_userptr_blits/input-checking Signed-off-by: Matthew Auld Cc: Chris Wilson Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20180502195021.30900-1-matthew.auld@intel.com (cherry picked from commit c11c7bfd213495784b22ef82a69b6489f8d0092f) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/i915_gem_userptr.c | 3 +++ 1 file changed, 3 insertions(+) commit 2fa9d1cfaf0e02f8abef0757002bff12dfcfa4e6 Author: Dave Hansen Date: Wed May 9 10:13:58 2018 -0700 x86/pkeys: Do not special case protection key 0 mm_pkey_is_allocated() treats pkey 0 as unallocated. That is inconsistent with the manpages, and also inconsistent with mm->context.pkey_allocation_map. Stop special casing it and only disallow values that are actually bad (< 0). The end-user visible effect of this is that you can now use mprotect_pkey() to set pkey=0. This is a bit nicer than what Ram proposed[1] because it is simpler and removes special-casing for pkey 0. On the other hand, it does allow applications to pkey_free() pkey-0, but that's just a silly thing to do, so we are not going to protect against it. The scenario that could happen is similar to what happens if you free any other pkey that is in use: it might get reallocated later and used to protect some other data. The most likely scenario is that pkey-0 comes back from pkey_alloc(), an access-disable or write-disable bit is set in PKRU for it, and the next stack access will SIGSEGV. It's not horribly different from if you mprotect()'d your stack or heap to be unreadable or unwritable, which is generally very foolish, but also not explicitly prevented by the kernel. 1. http://lkml.kernel.org/r/1522112702-27853-1-git-send-email-linuxram@us.ibm.com Signed-off-by: Dave Hansen Cc: Andrew Morton p Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Fixes: 58ab9a088dda ("x86/pkeys: Check against max pkey to avoid overflows") Link: http://lkml.kernel.org/r/20180509171358.47FD785E@viggo.jf.intel.com Signed-off-by: Ingo Molnar arch/x86/include/asm/mmu_context.h | 2 +- arch/x86/include/asm/pkeys.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) commit 3488a600d90bcaf061b104dbcfbdc8d99b398312 Author: Dave Hansen Date: Wed May 9 10:13:56 2018 -0700 x86/pkeys/selftests: Add a test for pkey 0 Protection key 0 is the default key for all memory and will not normally come back from pkey_alloc(). But, you might still want pass it to mprotect_pkey(). This check ensures that you can use pkey 0. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171356.9E40B254@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) commit acb25d761d6f2f64e785ccefc71e54f244f1eda4 Author: Dave Hansen Date: Wed May 9 10:13:54 2018 -0700 x86/pkeys/selftests: Save off 'prot' for allocations This makes it possible to to tell what 'prot' a given allocation is supposed to have. That way, if we want to change just the pkey, we know what 'prot' to pass to mprotect_pkey(). Also, keep a record of the most recent allocation so the tests can easily find it. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171354.AA23E228@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) commit 3d64f4ed15c3c53dba4c514bf59c334464dee373 Author: Dave Hansen Date: Wed May 9 10:13:52 2018 -0700 x86/pkeys/selftests: Fix pointer math We dump out the entire area of the siginfo where the si_pkey_ptr is supposed to be. But, we do some math on the poitner, which is a u32. We intended to do byte math, not u32 math on the pointer. Cast it over to a u8* so it works. Also, move this block of code to below th si_code check. It doesn't hurt anything, but the si_pkey field is gibberish for other signal types. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171352.9BE09819@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 0a0b152083cfc44ec1bb599b57b7aab41327f998 Author: Dave Hansen Date: Wed May 9 10:13:51 2018 -0700 x86/pkeys: Override pkey when moving away from PROT_EXEC I got a bug report that the following code (roughly) was causing a SIGSEGV: mprotect(ptr, size, PROT_EXEC); mprotect(ptr, size, PROT_NONE); mprotect(ptr, size, PROT_READ); *ptr = 100; The problem is hit when the mprotect(PROT_EXEC) is implicitly assigned a protection key to the VMA, and made that key ACCESS_DENY|WRITE_DENY. The PROT_NONE mprotect() failed to remove the protection key, and the PROT_NONE-> PROT_READ left the PTE usable, but the pkey still in place and left the memory inaccessible. To fix this, we ensure that we always "override" the pkee at mprotect() if the VMA does not have execute-only permissions, but the VMA has the execute-only pkey. We had a check for PROT_READ/WRITE, but it did not work for PROT_NONE. This entirely removes the PROT_* checks, which ensures that PROT_NONE now works. Reported-by: Shakeel Butt Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Fixes: 62b5f7d013f ("mm/core, x86/mm/pkeys: Add execute-only protection keys support") Link: http://lkml.kernel.org/r/20180509171351.084C5A71@viggo.jf.intel.com Signed-off-by: Ingo Molnar arch/x86/include/asm/pkeys.h | 12 +++++++++++- arch/x86/mm/pkeys.c | 21 +++++++++++---------- 2 files changed, 22 insertions(+), 11 deletions(-) commit f50b4878329ab61d8e05796f655adeb6f5fb57c6 Author: Dave Hansen Date: Wed May 9 10:13:50 2018 -0700 x86/pkeys/selftests: Fix pkey exhaustion test off-by-one In our "exhaust all pkeys" test, we make sure that there is the expected number available. Turns out that the test did not cover the execute-only key, but discussed it anyway. It did *not* discuss the test-allocated key. Now that we have a test for the mprotect(PROT_EXEC) case, this off-by-one issue showed itself. Correct the off-by- one and add the explanation for the case we missed. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171350.E1656B95@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit 6af17cf89e99b64cf1f660bf848755442ab2f047 Author: Dave Hansen Date: Wed May 9 10:13:48 2018 -0700 x86/pkeys/selftests: Add PROT_EXEC test Under the covers, implement executable-only memory with protection keys when userspace calls mprotect(PROT_EXEC). But, we did not have a selftest for that. Now we do. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171348.9EEE4BEF@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 44 +++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) commit 3fcd2b2d928904cbf30b01e2c5e4f1dd2f9ab262 Author: Dave Hansen Date: Wed May 9 10:13:47 2018 -0700 x86/pkeys/selftests: Factor out "instruction page" We currently have an execute-only test, but it is for the explicit mprotect_pkey() interface. We will soon add a test for the implicit mprotect(PROT_EXEC) enterface. We need this code in both tests. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171347.C64AB733@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) commit 7e7fd67ca39335a49619729821efb7cbdd674eb0 Author: Dave Hansen Date: Wed May 9 10:13:46 2018 -0700 x86/pkeys/selftests: Allow faults on unknown keys The exec-only pkey is allocated inside the kernel and userspace is not told what it is. So, allow PK faults to occur that have an unknown key. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171345.7FC7DA00@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit caf9eb6b4c82fc6cbd03697052ff22d97b0c377b Author: Dave Hansen Date: Wed May 9 10:13:44 2018 -0700 x86/pkeys/selftests: Avoid printf-in-signal deadlocks printf() and friends are unusable in signal handlers. They deadlock. The pkey selftest does not do any normal printing in signal handlers, only extra debugging. So, just print the format string so we get *some* output when debugging. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171344.C53FD2F3@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/pkey-helpers.h | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) commit a50093d60464dd51d1ae0c2267b0abe9e1de77f3 Author: Dave Hansen Date: Wed May 9 10:13:42 2018 -0700 x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal There is some noisy debug code at the end of the signal handler. It was disabled by an early, unconditional "return". However, that return also hid a dprint_in_signal=0, which kept dprint_in_signal=1 and effectively locked us into permanent dprint_in_signal=1 behavior. Remove the return and the dead code, fixing dprint_in_signal. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171342.846B9B2E@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 16 ---------------- 1 file changed, 16 deletions(-) commit 86b9eea230edf4c67d4d4a70fba9b74505867a25 Author: Dave Hansen Date: Wed May 9 10:13:40 2018 -0700 x86/pkeys/selftests: Stop using assert() If we use assert(), the program "crashes". That can be scary to users, so stop doing it. Just exit with a >0 exit code instead. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171340.E63EF7DA@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 55556b0b2016806b2e16a20b62d143383983a34a Author: Dave Hansen Date: Wed May 9 10:13:38 2018 -0700 x86/pkeys/selftests: Give better unexpected fault error messages do_not_expect_pk_fault() is a helper that we call when we do not expect a PK fault to have occurred. But, it is a function, which means that it obscures the line numbers from pkey_assert(). It also gives no details. Replace it with an implementation that gives nice line numbers and also lets callers pass in a more descriptive message about what happened that caused the unexpected fault. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171338.55D13B64@viggo.jf.intel.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) commit 59c2a7226fc5130032021c99f05ad5c0a56551cd Author: Andy Lutomirski Date: Tue May 8 10:28:35 2018 -0700 x86/selftests: Add mov_to_ss test This exercises a nasty corner case of the x86 ISA. Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org Signed-off-by: Ingo Molnar tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/mov_ss_trap.c | 285 ++++++++++++++++++++++++++++++ 2 files changed, 286 insertions(+), 1 deletion(-) commit 73bb4d6cd192b8629c5125aaada9892d9fc986b6 Author: Ingo Molnar Date: Mon May 14 10:59:08 2018 +0200 x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI Fix this warning: mpx-mini-test.c:422:0: warning: "SEGV_BNDERR" redefined Cc: Dave Hansen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: akpm@linux-foundation.org Cc: dave.hansen@intel.com Cc: linux-mm@kvack.org Cc: linuxram@us.ibm.com Cc: mpe@ellerman.id.au Cc: shakeelb@google.com Cc: shuah@kernel.org Link: http://lkml.kernel.org/r/20180514085908.GA12798@gmail.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/mpx-mini-test.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 0fb96620dce351608aa82eed5942e2f58b07beda Author: Ingo Molnar Date: Mon May 14 10:56:23 2018 +0200 x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI Ubuntu 18.04 started exporting pkeys details in header files, resulting in build failures and warnings in the pkeys self-tests: protection_keys.c:232:0: warning: "SEGV_BNDERR" redefined protection_keys.c:387:5: error: conflicting types for ‘pkey_get’ protection_keys.c:409:5: error: conflicting types for ‘pkey_set’ ... Fix these namespace conflicts and double definitions, plus also clean up the ABI definitions to make it all a bit more readable ... Cc: Dave Hansen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: akpm@linux-foundation.org Cc: dave.hansen@intel.com Cc: linux-mm@kvack.org Cc: linuxram@us.ibm.com Cc: mpe@ellerman.id.au Cc: shakeelb@google.com Cc: shuah@kernel.org Link: http://lkml.kernel.org/r/20180514085623.GB7094@gmail.com Signed-off-by: Ingo Molnar tools/testing/selftests/x86/protection_keys.c | 67 ++++++++++++++++----------- 1 file changed, 41 insertions(+), 26 deletions(-) commit 4a09f0210c8b1221aae8afda8bd3a603fece0986 Author: Alexander Potapenko Date: Wed May 9 11:18:22 2018 +0200 x86/boot/64/clang: Use fixup_pointer() to access '__supported_pte_mask' Clang builds with defconfig started crashing after the following commit: fb43d6cb91ef ("x86/mm: Do not auto-massage page protections") This was caused by introducing a new global access in __startup_64(). Code in __startup_64() can be relocated during execution, but the compiler doesn't have to generate PC-relative relocations when accessing globals from that function. Clang actually does not generate them, which leads to boot-time crashes. To work around this problem, every global pointer must be adjusted using fixup_pointer(). Signed-off-by: Alexander Potapenko Reviewed-by: Dave Hansen Acked-by: Thomas Gleixner Cc: Linus Torvalds Cc: Peter Zijlstra Cc: dvyukov@google.com Cc: kirill.shutemov@linux.intel.com Cc: linux-mm@kvack.org Cc: md@google.com Cc: mka@chromium.org Fixes: fb43d6cb91ef ("x86/mm: Do not auto-massage page protections") Link: http://lkml.kernel.org/r/20180509091822.191810-1-glider@google.com Signed-off-by: Ingo Molnar arch/x86/kernel/head64.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e Author: Mathias Nyman Date: Mon May 14 11:57:23 2018 +0300 xhci: Fix USB3 NULL pointer dereference at logical disconnect. Hub driver will try to disable a USB3 device twice at logical disconnect, racing with xhci_free_dev() callback from the first port disable. This can be triggered with "udisksctl power-off --block-device " or by writing "1" to the "remove" sysfs file for a USB3 device in 4.17-rc4. USB3 devices don't have a similar disabled link state as USB2 devices, and use a U3 suspended link state instead. In this state the port is still enabled and connected. hub_port_connect() first disconnects the device, then later it notices that device is still enabled (due to U3 states) it will try to disable the port again (set to U3). The xhci_free_dev() called during device disable is async, so checking for existing xhci->devs[i] when setting link state to U3 the second time was successful, even if device was being freed. The regression was caused by, and whole thing revealed by, Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. and causes a NULL pointer dereference the second time we try to set U3. Fix this by checking xhci->devs[i]->udev exists before setting link state. The original patch went to stable so this fix needs to be applied there as well. Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") Cc: Reported-by: Jordan Glover Tested-by: Jordan Glover Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-hub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b Author: Jim Mattson Date: Sun May 13 17:33:57 2018 -0400 x86/cpu: Make alternative_msr_write work for 32-bit code Cast val and (val >> 32) to (u32), so that they fit in a general-purpose register in both 32-bit and 64-bit code. [ tglx: Made it u32 instead of uintptr_t ] Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload") Signed-off-by: Jim Mattson Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner Acked-by: Linus Torvalds arch/x86/include/asm/nospec-branch.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit fd35c88b74170d9335530d9abf271d5d73eb5401 Author: Josh Poimboeuf Date: Thu May 10 17:48:49 2018 -0500 objtool: Support GCC 8 switch tables With GCC 8, some issues were found with the objtool switch table detection. 1) In the .rodata section, immediately after the switch table, there can be another object which contains a pointer to the function which had the switch statement. In this case objtool wrongly considers the function pointer to be part of the switch table. Fix it by: a) making sure there are no pointers to the beginning of the function; and b) making sure there are no gaps in the switch table. Only the former was needed, the latter adds additional protection for future optimizations. 2) In find_switch_table(), case 1 and case 2 are missing the check to ensure that the .rodata switch table data is anonymous, i.e. that it isn't already associated with an ELF symbol. Fix it by adding the same find_symbol_containing() check which is used for case 3. This fixes the following warnings with GCC 8: drivers/block/virtio_blk.o: warning: objtool: virtio_queue_rq()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+72 net/ipv6/icmp.o: warning: objtool: icmpv6_rcv()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+64 drivers/usb/core/quirks.o: warning: objtool: quirks_param_set()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+48 drivers/mtd/nand/raw/nand_hynix.o: warning: objtool: hynix_nand_decode_id()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+24 drivers/mtd/nand/raw/nand_samsung.o: warning: objtool: samsung_nand_decode_id()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+32 drivers/gpu/drm/nouveau/nvkm/subdev/top/gk104.o: warning: objtool: gk104_top_oneinit()+0x0: stack state mismatch: cfa1=7+8 cfa2=7+64 Reported-by: Arnd Bergmann Reported-by: kbuild test robot Signed-off-by: Josh Poimboeuf Acked-by: Peter Zijlstra (Intel) Cc: David Laight Cc: Greg KH Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Randy Dunlap Cc: Thomas Gleixner Cc: damian Link: http://lkml.kernel.org/r/20180510224849.xwi34d6tzheb5wgw@treble Signed-off-by: Ingo Molnar tools/objtool/check.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) commit 13810435b9a7014fb92eb715f77da488f3b65b99 Author: Josh Poimboeuf Date: Wed May 9 22:39:15 2018 -0500 objtool: Support GCC 8's cold subfunctions GCC 8 moves a lot of unlikely code out of line to "cold" subfunctions in .text.unlikely. Properly detect the new subfunctions and treat them as extensions of the original functions. This fixes a bunch of warnings like: kernel/cgroup/cgroup.o: warning: objtool: parse_cgroup_root_flags()+0x33: sibling call from callable instruction with modified stack frame kernel/cgroup/cgroup.o: warning: objtool: cgroup_addrm_files()+0x290: sibling call from callable instruction with modified stack frame kernel/cgroup/cgroup.o: warning: objtool: cgroup_apply_control_enable()+0x25b: sibling call from callable instruction with modified stack frame kernel/cgroup/cgroup.o: warning: objtool: rebind_subsystems()+0x325: sibling call from callable instruction with modified stack frame Reported-and-tested-by: damian Reported-by: Arnd Bergmann Signed-off-by: Josh Poimboeuf Acked-by: Peter Zijlstra (Intel) Cc: David Laight Cc: Greg KH Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Randy Dunlap Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/0965e7fcfc5f31a276f0c7f298ff770c19b68706.1525923412.git.jpoimboe@redhat.com Signed-off-by: Ingo Molnar tools/objtool/check.c | 93 ++++++++++++++++++++++++++++----------------------- tools/objtool/elf.c | 42 +++++++++++++++++++++-- tools/objtool/elf.h | 2 ++ 3 files changed, 93 insertions(+), 44 deletions(-) commit 0afd0d9e0e7879d666c1df2fa1bea4d8716909fe Author: Josh Poimboeuf Date: Wed May 9 22:39:14 2018 -0500 objtool: Fix "noreturn" detection for recursive sibling calls Objtool has some crude logic for detecting static "noreturn" functions (aka "dead ends"). This is necessary for being able to correctly follow GCC code flow when such functions are called. It's remotely possible for two functions to call each other via sibling calls. If they don't have RET instructions, objtool's noreturn detection logic goes into a recursive loop: drivers/char/ipmi/ipmi_ssif.o: warning: objtool: return_hosed_msg()+0x0: infinite recursion (objtool bug!) drivers/char/ipmi/ipmi_ssif.o: warning: objtool: deliver_recv_msg()+0x0: infinite recursion (objtool bug!) Instead of reporting an error in this case, consider the functions to be non-dead-ends. Reported-and-tested-by: Randy Dunlap Signed-off-by: Josh Poimboeuf Acked-by: Peter Zijlstra (Intel) Cc: Arnd Bergmann Cc: David Laight Cc: Greg KH Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: damian Link: http://lkml.kernel.org/r/7cc156408c5781a1f62085d352ced1fe39fe2f91.1525923412.git.jpoimboe@redhat.com Signed-off-by: Ingo Molnar tools/objtool/check.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 4fe875e4bd3cae85ae6f6eaf77f63fabe613b66e Author: Ingo Molnar Date: Mon May 14 10:15:54 2018 +0200 objtool, kprobes/x86: Sync the latest header with tools/objtool/arch/x86/include/asm/insn.h The following commit: ee6a7354a362: kprobes/x86: Prohibit probing on exception masking instructions Modified , adding the insn_masking_exception() function. Sync the tooling version of the header to it, to fix this warning: Warning: synced file at 'tools/objtool/arch/x86/include/asm/insn.h' differs from latest kernel version at 'arch/x86/include/asm/insn.h' Cc: Peter Zijlstra Cc: Josh Poimboeuf Cc: Masami Hiramatsu Cc: Thomas Gleixner Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Oleg Nesterov Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Signed-off-by: Ingo Molnar tools/objtool/arch/x86/include/asm/insn.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) commit 115c93e5000b6ae6921348172e0124eb09f0a584 Merge: 16145ff 6d3299a Author: Olof Johansson Date: Mon May 14 01:05:30 2018 -0700 Merge tag 'imx-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes i.MX fixes for 4.17: - Add missing 'fsl,sec-era' property for i.MX7S device tree CAAM node, as the era information is used in various places inside CAAM driver. - There are a few errors in imx51-zii-rdu1 device tree touchscreen node. Fix them to get touchscreen actually work. * tag 'imx-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx51-zii-rdu1: fix touchscreen bindings ARM: dts: imx7s: Pass the 'fsl,sec-era' property Signed-off-by: Olof Johansson commit 16145fff375011ac7e82930aeb4dfa3b23a52ebe Merge: 602a424 31c6085 Author: Olof Johansson Date: Mon May 14 01:05:00 2018 -0700 Merge tag 'scmi-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into fixes SCMI fix for v4.17 A single patch to ensure that the scmi device is not used for setting up scmi handle after it's freed(fixes use after free). * tag 'scmi-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scmi: Use after free in scmi_create_protocol_device() Signed-off-by: Olof Johansson commit 602a42420ef791c896f01cd0e6f91e6b44d9067d Merge: 51dff16 41bd6ad Author: Olof Johansson Date: Mon May 14 01:03:47 2018 -0700 Merge tag 'omap-for-v17/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omap variants for v4.17 This series of patches contains one BUG fix for trace if CONFIG_DEBUG_PREEMPT is enabled and a regression fix for omap1 FIQ handling on ams-delta. Then there's a dts fix for missing SoC compatible on ti81xx board dts files that did matter until we added the clkctrl clocks and without that some clocks are now not found. Then there are two logicpd-som-lv specific dts fixes that fix misconfigured pins for WLAN and audio. Turns out we had to revert the third one because it caused another regression for USB. * tag 'omap-for-v17/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: Revert "ARM: dts: logicpd-som-lv: Fix pinmux controller references" ARM: dts: correct missing "compatible" entry for ti81xx SoCs ARM: OMAP1: ams-delta: fix deferred_fiq handler ARM: dts: logicpd-som-lv: Fix pinmux controller references ARM: dts: logicpd-som-lv: Fix Audio Mute ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace Signed-off-by: Olof Johansson commit 51dff16576b377f6cde47a6b4dd33ec02a7d3b84 Merge: c1c6fe6 675c721 Author: Olof Johansson Date: Mon May 14 01:03:01 2018 -0700 Merge tag 'arm-soc/for-4.17/devicetree-fixes' of https://github.com/Broadcom/stblinux into fixes This pull request contains Broadcom ARM-basec SoCs Device Tree fixes for 4.17, please pull the following: - Clement fixes in an incorrect trigger type for the ARM global timers on the Cygnus platforms * tag 'arm-soc/for-4.17/devicetree-fixes' of https://github.com/Broadcom/stblinux: ARM: dts: cygnus: fix irq type for arm global timer Signed-off-by: Olof Johansson commit c1c6fe6c66c193023865a312af06df5216b82ac8 Merge: 0d463d8 ab9d3db Author: Olof Johansson Date: Mon May 14 01:02:11 2018 -0700 Merge tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee into fixes Small fixes for tee subsystem * Fixes for use-after-free via temporarily dropped reference * Checks that passed shm references are consistent in offset/size with regards to the shm object * tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee: tee: check shm references are consistent in offset/size tee: shm: fix use-after-free via temporarily dropped reference Signed-off-by: Olof Johansson commit 0d463d8449010347b2bd8723cf32298bd07cfc57 Author: Marek Szyprowski Date: Sun May 6 16:55:24 2018 +0200 arm64: dts: exynos: Fix interrupt type for I2S1 device on Exynos5433 All interrupts from SoC internal modules are level triggered, so fix incorrect trigger type for I2S1 device on Exynos5433 SoCs. This fixes following kernel warning: WARNING: CPU: 2 PID: 1 at drivers/irqchip/irq-gic.c:1016 gic_irq_domain_translate+0xb0/0xb8 Modules linked in: CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.16.0-rc7-next-20180329 #646 Hardware name: Samsung TM2 board (DT) pstate: 20000005 (nzCv daif -PAN -UAO) pc : gic_irq_domain_translate+0xb0/0xb8 lr : irq_create_fwspec_mapping+0x64/0x328 sp : ffff0000098b38d0 ... Call trace: gic_irq_domain_translate+0xb0/0xb8 irq_create_of_mapping+0x78/0xa0 of_irq_get+0x6c/0xa0 of_irq_to_resource+0x38/0x108 of_irq_to_resource_table+0x50/0x78 of_device_alloc+0x118/0x1b8 of_platform_device_create_pdata+0x54/0xe0 of_platform_bus_create+0x118/0x340 of_platform_bus_create+0x17c/0x340 of_platform_populate+0x74/0xd8 of_platform_default_populate_init+0xb0/0xcc do_one_initcall+0x50/0x158 kernel_init_freeable+0x184/0x22c kernel_init+0x10/0x108 ret_from_fork+0x10/0x18 ---[ end trace 6decb2b3078d73f0 ]--- Fixes: d8d579c316e8 ("ARM: dts: exynos: Add I2S1 device node to exynos5433") Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Olof Johansson arch/arm64/boot/dts/exynos/exynos5433.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 0e68f92f24a009e8948ccb75cf96b40509dc13a2 Merge: 8ee7424 9bf4e37 Author: Olof Johansson Date: Mon May 14 01:00:17 2018 -0700 Merge tag 'tegra-for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into fixes ARM: tegra: Device tree fixes for v4.17 This contains a single revert for a patch that was merged in v4.17-rc1 and that turns out to cause a regression on some boards. Further, the original issue that the patch was supposed to fix seems to have disappeared. * tag 'tegra-for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20" Signed-off-by: Olof Johansson commit 8ee742488a87d4b68de69b4f59a4fb95c084dbb2 Merge: 1e61f54 9411ac0 Author: Olof Johansson Date: Mon May 14 00:59:02 2018 -0700 Merge tag 'davinci-fixes-for-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into fixes DaVinci fixes for v4.17 * W=1 warning fixes in device-tree files * GPIO look-up fixes for legacy boot on several platforms * tag 'davinci-fixes-for-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci: ARM: davinci: fix GPIO lookup for I2C ARM: davinci: board-dm355-evm: fix broken networking ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD ARM: dts: da850: fix W=1 warnings with pinmux node ARM: dts: da850-lcdk: add unit name for memory node ARM: dts: da850: get rid of skeleton.dtsi Signed-off-by: Olof Johansson commit 1e61f54716d646eaf79238f491af17406842796b Merge: bd37d15 edb0c3a Author: Olof Johansson Date: Mon May 14 00:58:07 2018 -0700 Merge tag 'renesas-fixes-for-v4.17' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes Renesas ARM Based SoC Fixes for v4.17 Fix LVDS output on Gen2 boards Laurent Pincart says "This patch series fixes LVDS output support on the Lager, Koelsh, Porter and Gose boards that broke in v4.17-rc1 due to the combination of the R-Car DU LVDS driver rework and the DT move of all on-SoC peripherals to a /soc node. We could handle the problem in the R-Car DU LVDS DT backward compatibility code, but that fix would only be used for v4.17 as in v4.18 the Gen2 DT will move to the new LVDS DT bindings. I thus propose merging these three patches in v4.17 already to fix the problem as this is the simplest solution." * tag 'renesas-fixes-for-v4.17' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas: ARM: dts: r8a7793: Convert to new LVDS DT bindings ARM: dts: r8a7791: Convert to new LVDS DT bindings ARM: dts: r8a7790: Convert to new LVDS DT bindings Signed-off-by: Olof Johansson commit bd37d1560b6ce1ade34bc35e6157bfb538eed73e Merge: 67b8d5c 8b82b66 Author: Olof Johansson Date: Mon May 14 00:57:39 2018 -0700 Merge tag 'uniphier-fixes-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-uniphier into fixes UniPhier ARM SoC fixes for v4.17 - Fix input delay parameter of eMMC PHY - Weaken drive-strength of ethernet PHY pins of LD20 reference board * tag 'uniphier-fixes-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-uniphier: arm64: dts: uniphier: stabilize ethernet of LD20 reference board arm64: dts: uniphier: fix input delay value for legacy mode of eMMC Signed-off-by: Olof Johansson commit d9f92772e8ec388d070752ee8f187ef8fa18621f Author: Eric Dumazet Date: Sat May 12 02:49:30 2018 -0700 xfrm6: avoid potential infinite loop in _decode_session6() syzbot found a way to trigger an infinitie loop by overflowing @offset variable that has been forced to use u16 for some very obscure reason in the past. We probably want to look at NEXTHDR_FRAGMENT handling which looks wrong, in a separate patch. In net-next, we shall try to use skb_header_pointer() instead of pskb_may_pull(). watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553] Modules linked in: irq event stamp: 13885653 hardirqs last enabled at (13885652): [] restore_regs_and_return_to_kernel+0x0/0x2b hardirqs last disabled at (13885653): [] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625 softirqs last enabled at (13614028): [] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline] softirqs last enabled at (13614028): [] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825 softirqs last disabled at (13614032): [] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942 CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101 RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277 RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8 R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8 FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150 __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline] icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372 icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551 icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43 ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305 NF_HOOK include/linux/netfilter.h:288 [inline] ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:450 [inline] ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:288 [inline] ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711 netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785 napi_frags_finish net/core/dev.c:5226 [inline] napi_gro_frags+0x631/0xc40 net/core/dev.c:5299 tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996 call_write_iter include/linux/fs.h:1784 [inline] do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680 do_iter_write+0x185/0x5f0 fs/read_write.c:959 vfs_writev+0x1c7/0x330 fs/read_write.c:1004 do_writev+0x112/0x2f0 fs/read_write.c:1039 __do_sys_writev fs/read_write.c:1112 [inline] __se_sys_writev fs/read_write.c:1109 [inline] __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Cc: Steffen Klassert Cc: Nicolas Dichtel Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com Signed-off-by: Steffen Klassert net/ipv6/xfrm6_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 0b3225ab9407f557a8e20f23f37aa7236c10a9b1 Author: Ard Biesheuvel Date: Fri May 4 07:59:58 2018 +0200 efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode Mixed mode allows a kernel built for x86_64 to interact with 32-bit EFI firmware, but requires us to define all struct definitions carefully when it comes to pointer sizes. 'struct efi_pci_io_protocol_32' currently uses a 'void *' for the 'romimage' field, which will be interpreted as a 64-bit field on such kernels, potentially resulting in bogus memory references and subsequent crashes. Tested-by: Hans de Goede Signed-off-by: Ard Biesheuvel Cc: Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20180504060003.19618-13-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar arch/x86/boot/compressed/eboot.c | 6 ++++-- include/linux/efi.h | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-) commit 9d6b4bfb59a036d0da6406295481cdb3a5f4ffba Merge: 4f6b15c 3597683 Author: David S. Miller Date: Sun May 13 21:07:02 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2018-05-14 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix nfp to allow zero-length BPF capabilities, meaning the nfp capability parsing loop will otherwise exit early if the last capability is zero length and therefore driver will fail to probe with an error such as: nfp: BPF capabilities left after parsing, parsed:92 total length:100 nfp: invalid BPF capabilities at offset:92 Fix from Jakub. 2) libbpf's bpf_object__open() may return IS_ERR_OR_NULL() and not just an error. Fix libbpf's bpf_prog_load_xattr() to handle that case as well, also from Jakub. ==================== Signed-off-by: David S. Miller commit 4f6b15c3a604c0addf1607c5482c46a0a5123066 Merge: 91dfd02 f0dfd7a Author: David S. Miller Date: Sun May 13 20:28:47 2018 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following patchset contains Netfilter/IPVS fixes for your net tree, they are: 1) Fix handling of simultaneous open TCP connection in conntrack, from Jozsef Kadlecsik. 2) Insufficient sanitify check of xtables extension names, from Florian Westphal. 3) Skip unnecessary synchronize_rcu() call when transaction log is already empty, from Florian Westphal. 4) Incorrect destination mac validation in ebt_stp, from Stephen Hemminger. 5) xtables module reference counter leak in nft_compat, from Florian Westphal. 6) Incorrect connection reference counting logic in IPVS one-packet scheduler, from Julian Anastasov. 7) Wrong stats for 32-bits CPU in IPVS, also from Julian. 8) Calm down sparse error in netfilter core, also from Florian. 9) Use nla_strlcpy to fix compilation warning in nfnetlink_acct and nfnetlink_cthelper, again from Florian. 10) Missing module alias in icmp and icmp6 xtables extensions, from Florian Westphal. 11) Base chain statistics in nf_tables may be unset/null, from Florian. 12) Fix handling of large matchinfo size in nft_compat, this includes one preparation for before this fix. From Florian. 13) Fix bogus EBUSY error when deleting chains due to incorrect reference counting from the preparation phase of the two-phase commit protocol. ==================== Signed-off-by: David S. Miller commit 91dfd02b23006e7cc557bcb3a40aeb740f66fb52 Author: Michal Kalderon Date: Sun May 13 20:54:06 2018 +0300 qede: Fix ref-cnt usage count Rebooting while qedr is loaded with a VLAN interface present results in unregister_netdevice waiting for the usage count to become free. The fix is that rdma devices should be removed before unregistering the netdevice, to assure all references to ndev are decreased. Fixes: cee9fbd8e2e9 ("qede: Add qedr framework") Signed-off-by: Ariel Elior Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qede/qede_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 55c82617c3e82210b7471e9334e8fc5df6a9961f Author: Christoph Hellwig Date: Sat May 12 12:16:50 2018 +0200 3c59x: convert to generic DMA API This driver supports EISA devices in addition to PCI devices, and relied on the legacy behavior of the pci_dma* shims to pass on a NULL pointer to the DMA API, and the DMA API being able to handle that. When the NULL forwarding broke the EISA support got broken. Fix this by converting to the DMA API instead of the legacy PCI shims. Fixes: 4167b2ad ("PCI: Remove NULL device handling from PCI DMA API") Reported-by: tedheadster Tested-by: tedheadster Signed-off-by: Christoph Hellwig Signed-off-by: David S. Miller drivers/net/ethernet/3com/3c59x.c | 104 +++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 53 deletions(-) commit b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba Author: Willem de Bruijn Date: Fri May 11 13:24:25 2018 -0400 packet: in packet_snd start writing at link layer allocation Packet sockets allow construction of packets shorter than dev->hard_header_len to accommodate protocols with variable length link layer headers. These packets are padded to dev->hard_header_len, because some device drivers interpret that as a minimum packet size. packet_snd reserves dev->hard_header_len bytes on allocation. SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that link layer headers are stored in the reserved range. SOCK_RAW sockets do the same in tpacket_snd, but not in packet_snd. Syzbot was able to send a zero byte packet to a device with massive 116B link layer header, causing padding to cross over into skb_shinfo. Fix this by writing from the start of the llheader reserved range also in the case of packet_snd/SOCK_RAW. Update skb_set_network_header to the new offset. This also corrects it for SOCK_DGRAM, where it incorrectly double counted reserve due to the skb_push in dev_hard_header. Fixes: 9ed988cd5915 ("packet: validate variable length ll headers") Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller net/packet/af_packet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 67b8d5c7081221efa252e111cd52532ec6d4266f Author: Linus Torvalds Date: Sun May 13 16:15:17 2018 -0700 Linux 4.17-rc5 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f0dfd7a2b35b02030949100247d851b793cb275f Author: Colin Ian King Date: Wed May 9 13:22:56 2018 +0100 netfilter: nf_tables: fix memory leak on error exit return Currently the -EBUSY error return path is not free'ing resources allocated earlier, leaving a memory leak. Fix this by exiting via the error exit label err5 that performs the necessary resource clean up. Detected by CoverityScan, CID#1432975 ("Resource leak") Fixes: 9744a6fcefcb ("netfilter: nf_tables: check if same extensions are set when adding elements") Signed-off-by: Colin Ian King Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit b1ae32dbab50ed19cfc16d225b0fb0114fb13025 Author: Alexei Starovoitov Date: Sun May 13 12:32:22 2018 -0700 x86/cpufeature: Guard asm_volatile_goto usage for BPF compilation Workaround for the sake of BPF compilation which utilizes kernel headers, but clang does not support ASM GOTO and fails the build. Fixes: d0266046ad54 ("x86: Remove FAST_FEATURE_TESTS") Suggested-by: Thomas Gleixner Signed-off-by: Alexei Starovoitov Signed-off-by: Thomas Gleixner Cc: daniel@iogearbox.net Cc: peterz@infradead.org Cc: netdev@vger.kernel.org Cc: bp@alien8.de Cc: yhs@fb.com Cc: kernel-team@fb.com Cc: torvalds@linux-foundation.org Cc: davem@davemloft.net Link: https://lkml.kernel.org/r/20180513193222.1997938-1-ast@kernel.org arch/x86/include/asm/cpufeature.h | 15 +++++++++++++++ samples/bpf/Makefile | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) commit b127125d9db23e4856156a7c909a3c8e18b69f99 Author: Al Viro Date: Wed Apr 25 10:28:38 2018 -0400 fix breakage caused by d_find_alias() semantics change "VFS: don't keep disconnected dentries on d_anon" had a non-trivial side-effect - d_unhashed() now returns true for those dentries, making d_find_alias() skip them altogether. For most of its callers that's fine - we really want a connected alias there. However, there is a codepath where we relied upon picking such aliases if nothing else could be found - selinux delayed initialization of contexts for inodes on already mounted filesystems used to rely upon that. Cc: stable@kernel.org # f1ee616214cb "VFS: don't keep disconnected dentries on d_anon" Signed-off-by: Al Viro security/selinux/hooks.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) commit 66e1c94db3cd4e094de66a6be68c3ab6d17e0c52 Merge: 86a4ac4 e0f6d1a Author: Linus Torvalds Date: Sun May 13 10:53:08 2018 -0700 Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86/pti updates from Thomas Gleixner: "A mixed bag of fixes and updates for the ghosts which are hunting us. The scheduler fixes have been pulled into that branch to avoid conflicts. - A set of fixes to address a khread_parkme() race which caused lost wakeups and loss of state. - A deadlock fix for stop_machine() solved by moving the wakeups outside of the stopper_lock held region. - A set of Spectre V1 array access restrictions. The possible problematic spots were discuvered by Dan Carpenters new checks in smatch. - Removal of an unused file which was forgotten when the rest of that functionality was removed" * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/vdso: Remove unused file perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] sched/core: Introduce set_special_state() kthread, sched/wait: Fix kthread_parkme() completion issue kthread, sched/wait: Fix kthread_parkme() wait-loop sched/fair: Fix the update of blocked load when newly idle stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 Author: Masami Hiramatsu Date: Wed May 9 21:58:45 2018 +0900 uprobes/x86: Prohibit probing on MOV SS instruction Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by uprobes must be prohibited. uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV SS (0x8e and reg == 2). This checks the target instruction and if it is MOV SS or POP SS, returns -ENOTSUPP to reject probing. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Acked-by: Oleg Nesterov Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox arch/x86/kernel/uprobes.c | 4 ++++ 1 file changed, 4 insertions(+) commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 Author: Masami Hiramatsu Date: Wed May 9 21:58:15 2018 +0900 kprobes/x86: Prohibit probing on exception masking instructions Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by kprobes must be prohibited. However, kprobes usually executes those instructions directly on trampoline buffer (a.k.a. kprobe-booster), except for the kprobes which has post_handler. Thus if kprobe user probes MOV SS with post_handler, it will do single-stepping on the MOV SS. This means it is safe that if it is used via ftrace or perf/bpf since those don't use the post_handler. Anyway, since the stack switching is a rare case, it is safer just rejecting kprobes on such instructions. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Oleg Nesterov Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox arch/x86/include/asm/insn.h | 18 ++++++++++++++++++ arch/x86/kernel/kprobes/core.c | 4 ++++ 2 files changed, 22 insertions(+) commit a466ef76b815b86748d9870ef2a430af7b39c710 Author: Tetsuo Handa Date: Wed May 9 19:42:20 2018 +0900 x86/kexec: Avoid double free_page() upon do_kexec_load() failure >From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Wed, 9 May 2018 12:12:39 +0900 Subject: [PATCH v3] x86/kexec: avoid double free_page() upon do_kexec_load() failure. syzbot is reporting crashes after memory allocation failure inside do_kexec_load() [1]. This is because free_transition_pgtable() is called by both init_transition_pgtable() and machine_kexec_cleanup() when memory allocation failed inside init_transition_pgtable(). Regarding 32bit code, machine_kexec_free_page_tables() is called by both machine_kexec_alloc_page_tables() and machine_kexec_cleanup() when memory allocation failed inside machine_kexec_alloc_page_tables(). Fix this by leaving the error handling to machine_kexec_cleanup() (and optionally setting NULL after free_page()). [1] https://syzkaller.appspot.com/bug?id=91e52396168cf2bdd572fe1e1bc0bc645c1c6b40 Fixes: f5deb79679af6eb4 ("x86: kexec: Use one page table in x86_64 machine_kexec") Fixes: 92be3d6bdf2cb349 ("kexec/i386: allocate page table pages dynamically") Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Thomas Gleixner Acked-by: Baoquan He Cc: thomas.lendacky@amd.com Cc: prudo@linux.vnet.ibm.com Cc: Huang Ying Cc: syzkaller-bugs@googlegroups.com Cc: takahiro.akashi@linaro.org Cc: H. Peter Anvin Cc: akpm@linux-foundation.org Cc: dyoung@redhat.com Cc: kirill.shutemov@linux.intel.com Link: https://lkml.kernel.org/r/201805091942.DGG12448.tMFVFSJFQOOLHO@I-love.SAKURA.ne.jp arch/x86/kernel/machine_kexec_32.c | 6 +++++- arch/x86/kernel/machine_kexec_64.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit 86a4ac433b927a610c09aa6cfb1926d94a6b37b7 Merge: baeda71 789ba28 Author: Linus Torvalds Date: Sun May 13 10:46:53 2018 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Thomas Gleixner: "Revert the new NUMA aware placement approach which turned out to create more problems than it solved" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: Revert "sched/numa: Delay retrying placement for automatic NUMA balance after wake_affine()" commit baeda7131f54e71e916c43d7a88cb68fcace37da Merge: 0503fd6 49cf4a4b Author: Linus Torvalds Date: Sun May 13 10:44:32 2018 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf tooling fixes from Thomas Gleixner: "Another small set of perf tooling fixes and updates: - Revert "perf pmu: Fix pmu events parsing rule", as it broke Intel PT event description parsing (Arnaldo Carvalho de Melo) - Sync x86's cpufeatures.h and kvm UAPI headers with the kernel sources, suppressing the ABI drift warnings (Arnaldo Carvalho de Melo) - Remove duplicated entry for westmereep-dp in Intel's mapfile.csv (William Cohen) - Fix typo in 'perf bench numa' options description (Yisheng Xie)" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: Revert "perf pmu: Fix pmu events parsing rule" tools headers kvm: Sync ARM UAPI headers with the kernel sources tools headers kvm: Sync uapi/linux/kvm.h with the kernel sources tools headers: Sync x86 cpufeatures.h with the kernel sources perf vendor events intel: Remove duplicated entry for westmereep-dp in mapfile.csv perf bench numa: Fix typo in options commit 0503fd658d47503a9bad67aced45c46b1ecfaace Merge: ccda3c4 05e13bb Author: Linus Torvalds Date: Sun May 13 10:28:53 2018 -0700 Merge tag 'dma-mapping-4.17-5' of git://git.infradead.org/users/hch/dma-mapping Pull dma-mapping fix from Christoph Hellwig: "Just one little fix from Jean to avoid a harmless but very annoying warning, especially for the drm code" * tag 'dma-mapping-4.17-5' of git://git.infradead.org/users/hch/dma-mapping: swiotlb: silent unwanted warning "buffer is full" commit 2f0d520a1a73555ac51c19cd494493f60b4c1cea Author: Jeremy Soller Date: Mon May 7 09:28:45 2018 -0600 ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup This adds support for the P950ER, which has the same required fixup as the P950HR, but has a different PCI ID. Signed-off-by: Jeremy Soller Cc: Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) commit 21493316a3c4598f308d5a9fa31cc74639c4caff Author: Federico Cuello Date: Wed May 9 00:13:38 2018 +0200 ALSA: usb: mixer: volume quirk for CM102-A+/102S+ Currently it's not possible to set volume lower than 26% (it just mutes). Also fixes this warning: Warning! Unlikely big volume range (=9472), cval->res is probably wrong. [13] FU [PCM Playback Volume] ch = 2, val = -9473/-1/1 , and volume works fine for full range. Signed-off-by: Federico Cuello Cc: Signed-off-by: Takashi Iwai sound/usb/mixer.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 3b031622f598481970400519bd5abc2a16708282 Author: Guenter Roeck Date: Fri May 4 13:01:33 2018 -0700 hwmon: (k10temp) Use API function to access System Management Network The SMN (System Management Network) on Family 17h AMD CPUs is also accessed from other drivers, specifically EDAC. Accessing it directly is racy. On top of that, accessing the SMN through root bridge 00:00 is wrong on multi-die CPUs and may result in reading the temperature from the wrong die. Use available API functions to fix the problem. For this to work, add dependency on AMD_NB. Also change the Raven Ridge PCI device ID to point to Data Fabric Function 3, since this ID is used by the API functions to find the CPU node. Cc: stable@vger.kernel.org # v4.16+ Tested-by: Gabriel Craciunescu Signed-off-by: Guenter Roeck drivers/hwmon/Kconfig | 2 +- drivers/hwmon/k10temp.c | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) commit f9bc6b2dd9cf025f827f471769e1d88b527bfb91 Author: Guenter Roeck Date: Fri May 4 13:01:32 2018 -0700 x86/amd_nb: Add support for Raven Ridge CPUs Add Raven Ridge root bridge and data fabric PCI IDs. This is required for amd_pci_dev_to_node_id() and amd_smn_read(). Cc: stable@vger.kernel.org # v4.16+ Tested-by: Gabriel Craciunescu Acked-by: Thomas Gleixner Signed-off-by: Guenter Roeck arch/x86/kernel/amd_nb.c | 6 ++++++ 1 file changed, 6 insertions(+) commit c8beccc19b92f5172994c0732db689c08f4f98e5 Author: Hans de Goede Date: Tue May 8 09:27:46 2018 +0200 ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist Power-saving is causing loud plops on the Lenovo C50 All in one, add it to the blacklist. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1572975 Signed-off-by: Hans de Goede Cc: Signed-off-by: Takashi Iwai sound/pci/hda/hda_intel.c | 2 ++ 1 file changed, 2 insertions(+) commit 3f12888dfae2a48741c4caa9214885b3aaf350f9 Author: Wenwen Wang Date: Sat May 5 13:38:03 2018 -0500 ALSA: control: fix a redundant-copy issue In snd_ctl_elem_add_compat(), the fields of the struct 'data' need to be copied from the corresponding fields of the struct 'data32' in userspace. This is achieved by invoking copy_from_user() and get_user() functions. The problem here is that the 'type' field is copied twice. One is by copy_from_user() and one is by get_user(). Given that the 'type' field is not used between the two copies, the second copy is *completely* redundant and should be removed for better performance and cleanup. Also, these two copies can cause inconsistent data: as the struct 'data32' resides in userspace and a malicious userspace process can race to change the 'type' field between the two copies to cause inconsistent data. Depending on how the data is used in the future, such an inconsistency may cause potential security risks. For above reasons, we should take out the second copy. Signed-off-by: Wenwen Wang Cc: Signed-off-by: Takashi Iwai sound/core/control_compat.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit ccda3c4b77777f66aeb3c531352bb40d59501c59 Merge: 427fbe8 6e70c26 Author: Linus Torvalds Date: Sat May 12 18:49:53 2018 -0700 Merge tag '4.17-rc4-SMB3-Fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Some small SMB3 fixes for 4.17-rc5, some for stable" * tag '4.17-rc4-SMB3-Fixes' of git://git.samba.org/sfrench/cifs-2.6: smb3: directory sync should not return an error cifs: smb2ops: Fix listxattr() when there are no EAs cifs: smbd: Enable signing with smbdirect cifs: Allocate validate negotiation request through kmalloc commit 427fbe89261d8f11cd20b5a4ba94e977061f69d6 Merge: 0d4cafd 60abce9 Author: Linus Torvalds Date: Sat May 12 10:58:57 2018 -0700 Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux Pull thermal fixes from Zhang Rui: - fix NULL pointer dereference on module load/probe for int3403_thermal driver - fix an emergency shutdown issue on exynos thermal driver * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux: thermal: exynos: Propagate error value from tmu_read() thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: int3403_thermal: Fix NULL pointer deref on module load / probe commit 0d4cafd12f4c67a3cce83fd0dd2e416080900615 Merge: f0ab773 9abd68e Author: Linus Torvalds Date: Sat May 12 10:55:48 2018 -0700 Merge tag 'for-linus-20180511' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Just a few NVMe fixes this round - one fixing a use-after-free, one fixes the return value after controller reset, and the last one fixes an issue where some drives will spuriously EIO. We should get these into 4.17" * tag 'for-linus-20180511' of git://git.kernel.dk/linux-block: nvme: add quirk to force medium priority for SQ creation nvme: Fix sync controller reset return nvme: fix use-after-free in nvme_free_ns_head commit 16116dac23396e73c01eeee97b102e4833a4b205 Author: Marek Lindner Date: Sat May 12 00:23:07 2018 +0800 batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs A translation table TVLV changset sent with an OGM consists of a number of headers (one per VLAN) plus the changeset itself (addition and/or deletion of entries). The per-VLAN headers are used by OGM recipients for consistency checks. Said consistency check might determine that a full translation table request is needed to restore consistency. If the TT sender adds per-VLAN headers of empty VLANs into the OGM, recipients are led to believe to have reached an inconsistent state and thus request a full table update. The full table does not contain empty VLANs (due to missing entries) the cycle restarts when the next OGM is issued. Consequently, when the translation table TVLV headers are composed, empty VLANs are to be excluded. Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich net/batman-adv/translation-table.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) commit 7072337e52b3e9d5460500d8dc9cbc1ba2db084c Author: Linus Lüssing Date: Thu May 10 19:44:28 2018 +0200 batman-adv: Fix TT sync flags for intermediate TT responses The previous TT sync fix so far only fixed TT responses issued by the target node directly. So far, TT responses issued by intermediate nodes still lead to the wrong flags being added, leading to CRC mismatches. This behaviour was observed at Freifunk Hannover in a 800 nodes setup where a considerable amount of nodes were still infected with 'WI' TT flags even with (most) nodes having the previous TT sync fix applied. I was able to reproduce the issue with intermediate TT responses in a four node test setup and this patch fixes this issue by ensuring to use the per originator instead of the summarized, OR'd ones. Fixes: e9c00136a475 ("batman-adv: fix tt_global_entries flags update") Reported-by: Leonardo Mörlein Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich net/batman-adv/translation-table.c | 61 +++++++++++++++++++++++++++++++------- 1 file changed, 51 insertions(+), 10 deletions(-) commit 05e13bb57e6f181d7605f8608181c7e6fb7f591d Author: Jean Delvare Date: Sat May 12 11:57:37 2018 +0200 swiotlb: silent unwanted warning "buffer is full" If DMA_ATTR_NO_WARN is passed to swiotlb_alloc_buffer(), it should be passed further down to swiotlb_tbl_map_single(). Otherwise we escape half of the warnings but still log the other half. This is one of the multiple causes of spurious warnings reported at: https://bugs.freedesktop.org/show_bug.cgi?id=104082 Signed-off-by: Jean Delvare Fixes: 0176adb00406 ("swiotlb: refactor coherent buffer allocation") Cc: Christoph Hellwig Cc: Christian König Cc: Michel Dänzer Cc: Takashi Iwai Cc: stable@vger.kernel.org # v4.16 lib/swiotlb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec Author: Konrad Rzeszutek Wilk Date: Fri May 11 16:50:35 2018 -0400 x86/bugs: Fix the parameters alignment and missing void Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static") Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation") Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/bugs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ebd27d3317c6521a9511f779ea96dc943c4e8003 Author: Rafał Miłecki Date: Fri May 11 11:17:15 2018 +0200 ssb: make SSB_PCICORE_HOSTMODE depend on SSB = y SSB_PCICORE_HOSTMODE protects MIPS specific code that calls not exported symbols pcibios_enable_device and register_pci_controller. This code is supposed to be compiled only with ssb builtin. This fixes: ERROR: "pcibios_enable_device" [drivers/ssb/ssb.ko] undefined! ERROR: "register_pci_controller" [drivers/ssb/ssb.ko] undefined! make[1]: *** [scripts/Makefile.modpost:92: __modpost] Error 1 Reported-by: Matt Redfearn Signed-off-by: Rafał Miłecki Reviewed-by: Larry Finger Signed-off-by: Kalle Valo drivers/ssb/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 36910d82a80c1c0c61e505c6d3ecaa901ee13a26 Author: Rafał Miłecki Date: Fri May 11 11:17:14 2018 +0200 Revert "ssb: Prevent build of PCI host features in module" This reverts commit 882164a4a928bcaa53280940436ca476e6b1db8e. Above commit added "SSB = y" dependency to the wrong symbol SSB_DRIVER_PCICORE_POSSIBLE and prevented SSB_DRIVER_PCICORE from being selected when needed. PCI core driver for core running in clienthost mode is important for bus initialization. It's perfectly valid scenario to have ssb built as module and use it with buses on PCI cards. This fixes regression that affected all *module* users with PCI cards. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1572349 Signed-off-by: Rafał Miłecki Signed-off-by: Kalle Valo drivers/ssb/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 361de091a4b97aa9081d304d742f80d486ab7125 Author: Rafał Miłecki Date: Tue May 8 11:31:04 2018 +0200 bcma: fix buffer size caused crash in bcma_core_mips_print_irq() Used buffer wasn't big enough to hold whole strings. Example output of this function is: [ 0.180892] bcma: bus0: core 0x0800, irq: 2(S)* 3 4 5 6 D I [ 0.180948] bcma: bus0: core 0x0812, irq: 2(S) 3* 4 5 6 D I [ 0.180998] bcma: bus0: core 0x082d, irq: 2(S) 3 4* 5 6 D I [ 0.181046] bcma: bus0: core 0x082c, irq: 2(S) 3 4 5 6 D I* which means we need to store up to 24 chars. Fixes: 758f7e06063a8 ("bcma: Use bcma_debug and not pr_cont in MIPS driver") Signed-off-by: Rafał Miłecki Cc: stable@vger.kernel.org # v4.15+ Signed-off-by: Kalle Valo drivers/bcma/driver_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 789ba28013ce23dbf5e9f5f014f4233b35523bf3 Author: Mel Gorman Date: Wed May 9 17:31:15 2018 +0100 Revert "sched/numa: Delay retrying placement for automatic NUMA balance after wake_affine()" This reverts commit 7347fc87dfe6b7315e74310ee1243dc222c68086. Srikar Dronamra pointed out that while the commit in question did show a performance improvement on ppc64, it did so at the cost of disabling active CPU migration by automatic NUMA balancing which was not the intent. The issue was that a serious flaw in the logic failed to ever active balance if SD_WAKE_AFFINE was disabled on scheduler domains. Even when it's enabled, the logic is still bizarre and against the original intent. Investigation showed that fixing the patch in either the way he suggested, using the correct comparison for jiffies values or introducing a new numa_migrate_deferred variable in task_struct all perform similarly to a revert with a mix of gains and losses depending on the workload, machine and socket count. The original intent of the commit was to handle a problem whereby wake_affine, idle balancing and automatic NUMA balancing disagree on the appropriate placement for a task. This was particularly true for cases where a single task was a massive waker of tasks but where wake_wide logic did not apply. This was particularly noticeable when a futex (a barrier) woke all worker threads and tried pulling the wakees to the waker nodes. In that specific case, it could be handled by tuning MPI or openMP appropriately, but the behavior is not illogical and was worth attempting to fix. However, the approach was wrong. Given that we're at rc4 and a fix is not obvious, it's better to play safe, revert this commit and retry later. Signed-off-by: Mel Gorman Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Srikar Dronamraju Cc: Linus Torvalds Cc: Thomas Gleixner Cc: efault@gmx.de Cc: ggherdovich@suse.cz Cc: hpa@zytor.com Cc: matt@codeblueprint.co.uk Cc: mpe@ellerman.id.au Link: http://lkml.kernel.org/r/20180509163115.6fnnyeg4vdm2ct4v@techsingularity.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 57 +---------------------------------------------------- 1 file changed, 1 insertion(+), 56 deletions(-) commit f0ab773f5c96c29a5227234c4b5a820f5591b74d Merge: 4bc8719 2075b16 Author: Linus Torvalds Date: Fri May 11 18:04:12 2018 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "13 fixes" * emailed patches from Andrew Morton : rbtree: include rcu.h scripts/faddr2line: fix error when addr2line output contains discriminator ocfs2: take inode cluster lock before moving reflinked inode from orphan dir mm, oom: fix concurrent munlock and oom reaper unmap, v3 mm: migrate: fix double call of radix_tree_replace_slot() proc/kcore: don't bounds check against address 0 mm: don't show nr_indirectly_reclaimable in /proc/vmstat mm: sections are not offlined during memory hotremove z3fold: fix reclaim lock-ups init: fix false positives in W+X checking lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit() KASAN: prohibit KASAN+STRUCTLEAK combination MAINTAINERS: update Shuah's email address commit 2075b16e32c26e4031b9fd3cbe26c54676a8fcb5 Author: Sebastian Andrzej Siewior Date: Fri May 11 16:02:14 2018 -0700 rbtree: include rcu.h Since commit c1adf20052d8 ("Introduce rb_replace_node_rcu()") rbtree_augmented.h uses RCU related data structures but does not include the header file. It works as long as it gets somehow included before that and fails otherwise. Link: http://lkml.kernel.org/r/20180504103159.19938-1-bigeasy@linutronix.de Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Andrew Morton Cc: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/rbtree_augmented.h | 1 + include/linux/rbtree_latch.h | 1 + 2 files changed, 2 insertions(+) commit 78eb0c6356cda285c6ee6e29bea0c0188368103e Author: Changbin Du Date: Fri May 11 16:02:11 2018 -0700 scripts/faddr2line: fix error when addr2line output contains discriminator When addr2line output contains discriminator, the current awk script cannot parse it. This patch fixes it by extracting key words using regex which is more reliable. $ scripts/faddr2line vmlinux tlb_flush_mmu_free+0x26 tlb_flush_mmu_free+0x26/0x50: tlb_flush_mmu_free at mm/memory.c:258 (discriminator 3) scripts/faddr2line: eval: line 173: unexpected EOF while looking for matching `)' Link: http://lkml.kernel.org/r/1525323379-25193-1-git-send-email-changbin.du@intel.com Fixes: 6870c0165feaa5 ("scripts/faddr2line: show the code context") Signed-off-by: Changbin Du Cc: Thomas Gleixner Cc: Greg Kroah-Hartman Cc: Philippe Ombredanne Cc: NeilBrown Cc: Richard Weinberger Cc: Kate Stewart Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/faddr2line | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit e4383029201470523c3ffe339bd7d57e9b4a7d65 Author: Ashish Samant Date: Fri May 11 16:02:07 2018 -0700 ocfs2: take inode cluster lock before moving reflinked inode from orphan dir While reflinking an inode, we create a new inode in orphan directory, then take EX lock on it, reflink the original inode to orphan inode and release EX lock. Once the lock is released another node could request it in EX mode from ocfs2_recover_orphans() which causes downconvert of the lock, on this node, to NL mode. Later we attempt to initialize security acl for the orphan inode and move it to the reflink destination. However, while doing this we dont take EX lock on the inode. This could potentially cause problems because we could be starting transaction, accessing journal and modifying metadata of the inode while holding NL lock and with another node holding EX lock on the inode. Fix this by taking orphan inode cluster lock in EX mode before initializing security and moving orphan inode to reflink destination. Use the __tracker variant while taking inode lock to avoid recursive locking in the ocfs2_init_security_and_acl() call chain. Link: http://lkml.kernel.org/r/1523475107-7639-1-git-send-email-ashish.samant@oracle.com Signed-off-by: Ashish Samant Reviewed-by: Joseph Qi Reviewed-by: Junxiao Bi Acked-by: Jun Piao Cc: Mark Fasheh Cc: Joel Becker Cc: Changwei Ge Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/refcounttree.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) commit 27ae357fa82be5ab73b2ef8d39dcb8ca2563483a Author: David Rientjes Date: Fri May 11 16:02:04 2018 -0700 mm, oom: fix concurrent munlock and oom reaper unmap, v3 Since exit_mmap() is done without the protection of mm->mmap_sem, it is possible for the oom reaper to concurrently operate on an mm until MMF_OOM_SKIP is set. This allows munlock_vma_pages_all() to concurrently run while the oom reaper is operating on a vma. Since munlock_vma_pages_range() depends on clearing VM_LOCKED from vm_flags before actually doing the munlock to determine if any other vmas are locking the same memory, the check for VM_LOCKED in the oom reaper is racy. This is especially noticeable on architectures such as powerpc where clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd is zapped by the oom reaper during follow_page_mask() after the check for pmd_none() is bypassed, this ends up deferencing a NULL ptl or a kernel oops. Fix this by manually freeing all possible memory from the mm before doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not run on the mm anymore so the munlock is safe to do in exit_mmap(). It also matches the logic that the oom reaper currently uses for determining when to set MMF_OOM_SKIP itself, so there's no new risk of excessive oom killing. This issue fixes CVE-2018-1000200. Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1804241526320.238665@chino.kir.corp.google.com Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Signed-off-by: David Rientjes Suggested-by: Tetsuo Handa Acked-by: Michal Hocko Cc: Andrea Arcangeli Cc: [4.14+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/oom.h | 2 ++ mm/mmap.c | 44 +++++++++++++++++------------ mm/oom_kill.c | 81 ++++++++++++++++++++++++++++------------------------- 3 files changed, 71 insertions(+), 56 deletions(-) commit 013567be19761e2d14fc2a2676fe7686ac54c9ac Author: Naoya Horiguchi Date: Fri May 11 16:02:00 2018 -0700 mm: migrate: fix double call of radix_tree_replace_slot() radix_tree_replace_slot() is called twice for head page, it's obviously a bug. Let's fix it. Link: http://lkml.kernel.org/r/20180423072101.GA12157@hori1.linux.bs1.fc.nec.co.jp Fixes: e71769ae5260 ("mm: enable thp migration for shmem thp") Signed-off-by: Naoya Horiguchi Reported-by: Matthew Wilcox Reviewed-by: Andrew Morton Cc: Michal Hocko Cc: "Kirill A. Shutemov" Cc: Zi Yan Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/migrate.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 3955333df9a50e8783d115613a397ae55d905080 Author: Laura Abbott Date: Fri May 11 16:01:57 2018 -0700 proc/kcore: don't bounds check against address 0 The existing kcore code checks for bad addresses against __va(0) with the assumption that this is the lowest address on the system. This may not hold true on some systems (e.g. arm64) and produce overflows and crashes. Switch to using other functions to validate the address range. It's currently only seen on arm64 and it's not clear if anyone wants to use that particular combination on a stable release. So this is not urgent for stable. Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@redhat.com Signed-off-by: Laura Abbott Tested-by: Dave Anderson Cc: Kees Cook Cc: Ard Biesheuvel Cc: Ingo Molnar Cc: Andi Kleen Cc: Alexey Dobriyan a Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/proc/kcore.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) commit 7aaf7727235870f497eb928f728f7773d6df3b40 Author: Roman Gushchin Date: Fri May 11 16:01:53 2018 -0700 mm: don't show nr_indirectly_reclaimable in /proc/vmstat Don't show nr_indirectly_reclaimable in /proc/vmstat, because there is no need to export this vm counter to userspace, and some changes are expected in reclaimable object accounting, which can alter this counter. Link: http://lkml.kernel.org/r/20180425191422.9159-1-guro@fb.com Signed-off-by: Roman Gushchin Acked-by: Vlastimil Babka Reviewed-by: Andrew Morton Cc: Matthew Wilcox Cc: Alexander Viro Cc: Michal Hocko Cc: Johannes Weiner Cc: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/vmstat.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 27227c733852f71008e9bf165950bb2edaed3a90 Author: Pavel Tatashin Date: Fri May 11 16:01:50 2018 -0700 mm: sections are not offlined during memory hotremove Memory hotplug and hotremove operate with per-block granularity. If the machine has a large amount of memory (more than 64G), the size of a memory block can span multiple sections. By mistake, during hotremove we set only the first section to offline state. The bug was discovered because kernel selftest started to fail: https://lkml.kernel.org/r/20180423011247.GK5563@yexl-desktop After commit, "mm/memory_hotplug: optimize probe routine". But, the bug is older than this commit. In this optimization we also added a check for sections to be in a proper state during hotplug operation. Link: http://lkml.kernel.org/r/20180427145257.15222-1-pasha.tatashin@oracle.com Fixes: 2d070eab2e82 ("mm: consider zone which is not fully populated to have holes") Signed-off-by: Pavel Tatashin Acked-by: Michal Hocko Reviewed-by: Andrew Morton Cc: Vlastimil Babka Cc: Steven Sistare Cc: Daniel Jordan Cc: "Kirill A. Shutemov" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/sparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6098d7e136692f9c6e23ae362c62ec822343e4d5 Author: Vitaly Wool Date: Fri May 11 16:01:46 2018 -0700 z3fold: fix reclaim lock-ups Do not try to optimize in-page object layout while the page is under reclaim. This fixes lock-ups on reclaim and improves reclaim performance at the same time. [akpm@linux-foundation.org: coding-style fixes] Link: http://lkml.kernel.org/r/20180430125800.444cae9706489f412ad12621@gmail.com Signed-off-by: Vitaly Wool Reported-by: Guenter Roeck Tested-by: Guenter Roeck Cc: Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/z3fold.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) commit ae646f0b9ca135b87bc73ff606ef996c3029780a Author: Jeffrey Hugo Date: Fri May 11 16:01:42 2018 -0700 init: fix false positives in W+X checking load_module() creates W+X mappings via __vmalloc_node_range() (from layout_and_allocate()->move_module()->module_alloc()) by using PAGE_KERNEL_EXEC. These mappings are later cleaned up via "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module(). This is a problem because call_rcu_sched() queues work, which can be run after debug_checkwx() is run, resulting in a race condition. If hit, the race results in a nasty splat about insecure W+X mappings, which results in a poor user experience as these are not the mappings that debug_checkwx() is intended to catch. This issue is observed on multiple arm64 platforms, and has been artificially triggered on an x86 platform. Address the race by flushing the queued work before running the arch-defined mark_rodata_ro() which then calls debug_checkwx(). Link: http://lkml.kernel.org/r/1525103946-29526-1-git-send-email-jhugo@codeaurora.org Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings") Signed-off-by: Jeffrey Hugo Reported-by: Timur Tabi Reported-by: Jan Glauber Acked-by: Kees Cook Acked-by: Ingo Molnar Acked-by: Will Deacon Acked-by: Laura Abbott Cc: Mark Rutland Cc: Ard Biesheuvel Cc: Catalin Marinas Cc: Stephen Smalley Cc: Thomas Gleixner Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds init/main.c | 7 +++++++ kernel/module.c | 5 +++++ 2 files changed, 12 insertions(+) commit 4ba281d5bd9907355e6b79fb72049c9ed50cc670 Author: Yury Norov Date: Fri May 11 16:01:39 2018 -0700 lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit() test_find_first_bit() is intentionally sub-optimal, and may cause soft lockup due to long time of run on some systems. So decrease length of bitmap to traverse to avoid lockup. With the change below, time of test execution doesn't exceed 0.2 seconds on my testing system. Link: http://lkml.kernel.org/r/20180420171949.15710-1-ynorov@caviumnetworks.com Fixes: 4441fca0a27f5 ("lib: test module for find_*_bit() functions") Signed-off-by: Yury Norov Reviewed-by: Andrew Morton Reported-by: Fengguang Wu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/find_bit_benchmark.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit c9cf87ea6a4725bc586cc5776c3fb6042a264b7d Author: Dmitry Vyukov Date: Fri May 11 16:01:35 2018 -0700 KASAN: prohibit KASAN+STRUCTLEAK combination Currently STRUCTLEAK inserts initialization out of live scope of variables from KASAN point of view. This leads to KASAN false positive reports. Prohibit this combination for now. Link: http://lkml.kernel.org/r/20180419172451.104700-1-dvyukov@google.com Signed-off-by: Dmitry Vyukov Acked-by: Kees Cook Cc: Fengguang Wu Cc: Sergey Senozhatsky Cc: Andrey Ryabinin Cc: Dennis Zhou Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) commit 1d1c8e5f0d95c2c97f29122741aed7d0dfb2b391 Author: Shuah Khan (Samsung OSG) Date: Fri May 11 16:01:32 2018 -0700 MAINTAINERS: update Shuah's email address Update email address in MAINTAINERS file due to IT infrastructure changes at Samsung. Link: http://lkml.kernel.org/r/20180501212815.25911-1-shuah@kernel.org Signed-off-by: Shuah Khan (Samsung OSG) Cc: Mauro Carvalho Chehab Cc: David S. Miller Cc: Greg Kroah-Hartman Cc: Linus Walleij Cc: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 3 --- 1 file changed, 3 deletions(-) commit 4bc871984f7cb5b2dec3ae64b570cb02f9ce2227 Merge: a1f45ef a52956d Author: Linus Torvalds Date: Fri May 11 14:14:46 2018 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Verify lengths of keys provided by the user is AF_KEY, from Kevin Easton. 2) Add device ID for BCM89610 PHY. Thanks to Bhadram Varka. 3) Add Spectre guards to some ATM code, courtesy of Gustavo A. R. Silva. 4) Fix infinite loop in NSH protocol code. To Eric Dumazet we are most grateful for this fix. 5) Line up /proc/net/netlink headers properly. This fix from YU Bo, we do appreciate. 6) Use after free in TLS code. Once again we are blessed by the honorable Eric Dumazet with this fix. 7) Fix regression in TLS code causing stalls on partial TLS records. This fix is bestowed upon us by Andrew Tomt. 8) Deal with too small MTUs properly in LLC code, another great gift from Eric Dumazet. 9) Handle cached route flushing properly wrt. MTU locking in ipv4, to Hangbin Liu we give thanks for this. 10) Fix regression in SO_BINDTODEVIC handling wrt. UDP socket demux. Paolo Abeni, he gave us this. 11) Range check coalescing parameters in mlx4 driver, thank you Moshe Shemesh. 12) Some ipv6 ICMP error handling fixes in rxrpc, from our good brother David Howells. 13) Fix kexec on mlx5 by freeing IRQs in shutdown path. Daniel Juergens, you're the best! 14) Don't send bonding RLB updates to invalid MAC addresses. Debabrata Benerjee saved us! 15) Uh oh, we were leaking in udp_sendmsg and ping_v4_sendmsg. The ship is now water tight, thanks to Andrey Ignatov. 16) IPSEC memory leak in ixgbe from Colin Ian King, man we've got holes everywhere! 17) Fix error path in tcf_proto_create, Jiri Pirko what would we do without you! * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (92 commits) net sched actions: fix refcnt leak in skbmod net: sched: fix error path in tcf_proto_create() when modules are not configured net sched actions: fix invalid pointer dereferencing if skbedit flags missing ixgbe: fix memory leak on ipsec allocation ixgbevf: fix ixgbevf_xmit_frame()'s return type ixgbe: return error on unsupported SFP module when resetting ice: Set rq_last_status when cleaning rq ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' bonding: send learning packets for vlans on slave bonding: do not allow rlb updates to invalid mac net/mlx5e: Err if asked to offload TC match on frag being first net/mlx5: E-Switch, Include VF RDMA stats in vport statistics net/mlx5: Free IRQs in shutdown path rxrpc: Trace UDP transmission failure rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages rxrpc: Fix the min security level for kernel calls rxrpc: Fix error reception on AF_INET6 sockets rxrpc: Fix missing start of call timeout qed: fix spelling mistake: "taskelt" -> "tasklet" ... commit a1f45efbb90cce436bde335f8ce78538634951c8 Merge: ac42803 04ac6fd Author: Linus Torvalds Date: Fri May 11 13:56:43 2018 -0700 Merge tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull NFS client fixes from Anna Schumaker: "These patches fix both a possible corruption during NFSoRDMA MR recovery, and a sunrpc tracepoint crash. Additionally, Trond has a new email address to put in the MAINTAINERS file" * tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs: Change Trond's email address in MAINTAINERS sunrpc: Fix latency trace point crashes xprtrdma: Fix list corruption / DMAR errors during MR recovery commit a52956dfc503f8cc5cfe6454959b7049fddb4413 Author: Roman Mashak Date: Fri May 11 14:35:33 2018 -0400 net sched actions: fix refcnt leak in skbmod When application fails to pass flags in netlink TLV when replacing existing skbmod action, the kernel will leak refcnt: $ tc actions get action skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 1 bind 0 For example, at this point a buggy application replaces the action with index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags, however refcnt gets bumped: $ tc actions get actions skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 2 bind 0 $ Tha patch fixes this by calling tcf_idr_release() on existing actions. Fixes: 86da71b57383d ("net_sched: Introduce skbmod action") Signed-off-by: Roman Mashak Acked-by: Cong Wang Signed-off-by: David S. Miller net/sched/act_skbmod.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit ac42803695e73d5d32b1976aee837d9672382a2a Merge: 3f5f859 fc21854 Author: Linus Torvalds Date: Fri May 11 13:36:06 2018 -0700 Merge tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "These patches fix two long-standing bugs in the DIO code path, one of which is a crash trivially triggerable with splice()" * tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client: ceph: fix iov_iter issues in ceph_direct_read_write() libceph: add osd_req_op_extent_osd_data_bvecs() ceph: fix rsize/wsize capping in ceph_direct_read_write() commit d68d75fdc34b0253c2bded7ed18cd60eb5a9599b Author: Jiri Pirko Date: Fri May 11 17:45:32 2018 +0200 net: sched: fix error path in tcf_proto_create() when modules are not configured In case modules are not configured, error out when tp->ops is null and prevent later null pointer dereference. Fixes: 33a48927c193 ("sched: push TC filter protocol creation into a separate function") Signed-off-by: Jiri Pirko Acked-by: Cong Wang Signed-off-by: David S. Miller net/sched/cls_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3f5f8596ed0aeeb0d707ef9375161c4ee0caf611 Merge: 7404bc2 ac21fc2 Author: Linus Torvalds Date: Fri May 11 13:14:24 2018 -0700 Merge tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh Pull arch/sh fixes from Rich Felker: "Fixes for critical regressions and a build failure. The regressions were introduced in 4.15 and 4.17-rc1 and prevented booting on affected systems" * tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh: sh: switch to NO_BOOTMEM sh: mm: Fix unprotected access to struct device sh: fix build failure for J2 cpu with SMP disabled commit 7404bc27731f7213c8a747e8f392cd0e0a27ec63 Merge: 5c6b546 0583a4e Author: Linus Torvalds Date: Fri May 11 13:09:04 2018 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "There's a small memblock accounting problem when freeing the initrd and a Spectre-v2 mitigation for NVIDIA Denver CPUs which just requires a match on the CPU ID register. Summary: - Mitigate Spectre-v2 for NVIDIA Denver CPUs - Free memblocks corresponding to freed initrd area" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list arm64: Add MIDR encoding for NVIDIA CPUs arm64: To remove initrd reserved area entry from memblock commit 5c6b54600dd390a355a0e91ffd7998382908e178 Merge: c110a8b 6c0a8f6 Author: Linus Torvalds Date: Fri May 11 13:07:22 2018 -0700 Merge tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "One fix for an actual regression, the change to the SYSCALL_DEFINE wrapper broke FTRACE_SYSCALLS for us due to a name mismatch. There's also another commit to the same code to make sure we match all our syscalls with various prefixes. And then just one minor build fix, and the removal of an unused variable that was removed and then snuck back in due to some rebasing. Thanks to: Naveen N. Rao" * tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/pseries: Fix CONFIG_NUMA=n build powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix powerpc/trace/syscalls: Update syscall name matching logic powerpc/64: Remove unused paca->soft_enabled commit c110a8b792533fc1180188b91b856bb2b3390f8b Merge: 84c3a09 dc432c3 Author: Linus Torvalds Date: Fri May 11 13:04:35 2018 -0700 Merge tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fix from Steven Rostedt: "Working on some new updates to trace filtering, I noticed that the regex_match_front() test was updated to be limited to the size of the pattern instead of the full test string. But as the test string is not guaranteed to be nul terminated, it still needs to consider the size of the test string" * tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Fix regex_match_front() to not over compare the test string commit f4d641a2288504d7761e715a922fc675ddc2e594 Merge: f010089 c89ebb9 Author: David S. Miller Date: Fri May 11 15:57:23 2018 -0400 Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates 2018-05-11 This series contains fixes to the ice, ixgbe and ixgbevf drivers. Jeff Shaw provides a fix to ensure rq_last_status gets set, whether or not the hardware responds with an error in the ice driver. Emil adds a check for unsupported module during the reset routine for ixgbe. Luc Van Oostenryck fixes ixgbevf_xmit_frame() where it was not using the correct return value (int). Colin Ian King fixes a potential resource leak in ixgbe, where we were not freeing ipsec in our cleanup path. ==================== Signed-off-by: David S. Miller commit f01008916f1a4b7e238bf124d13d5c509e8cc362 Merge: af5d018 6b47fe1 Author: David S. Miller Date: Fri May 11 15:55:57 2018 -0400 Merge tag 'rxrpc-fixes-20180510' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs David Howells says: ==================== rxrpc: Fixes Here are three fixes for AF_RXRPC and two tracepoints that were useful for finding them: (1) Fix missing start of expect-Rx-by timeout on initial packet transmission so that calls will time out if the peer doesn't respond. (2) Fix error reception on AF_INET6 sockets by using the correct family of sockopts on the UDP transport socket. (3) Fix setting the minimum security level on kernel calls so that they can be encrypted. (4) Add a tracepoint to log ICMP/ICMP6 and other error reports from the transport socket. (5) Add a tracepoint to log UDP sendmsg failure so that we can find out if transmission failure occurred on the UDP socket. ==================== Signed-off-by: David S. Miller commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a Author: Roman Mashak Date: Fri May 11 10:55:09 2018 -0400 net sched actions: fix invalid pointer dereferencing if skbedit flags missing When application fails to pass flags in netlink TLV for a new skbedit action, the kernel results in the following oops: [ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130 [ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0 [ 8.310595] Oops: 0000 [#1] SMP PTI [ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw [ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357 [ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140 [ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246 [ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000 [ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100 [ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122 [ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000 [ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000 [ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000 [ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0 [ 8.329289] Call Trace: [ 8.329735] tcf_skbedit_init+0xa7/0xb0 [ 8.330423] tcf_action_init_1+0x362/0x410 [ 8.331139] ? try_to_wake_up+0x44/0x430 [ 8.331817] tcf_action_init+0x103/0x190 [ 8.332511] tc_ctl_action+0x11a/0x220 [ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0 [ 8.333902] ? _cond_resched+0x16/0x40 [ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0 [ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0 [ 8.336178] netlink_rcv_skb+0xdb/0x110 [ 8.336855] netlink_unicast+0x167/0x220 [ 8.337550] netlink_sendmsg+0x2a7/0x390 [ 8.338258] sock_sendmsg+0x30/0x40 [ 8.338865] ___sys_sendmsg+0x2c5/0x2e0 [ 8.339531] ? pagecache_get_page+0x27/0x210 [ 8.340271] ? filemap_fault+0xa2/0x630 [ 8.340943] ? page_add_file_rmap+0x108/0x200 [ 8.341732] ? alloc_set_pte+0x2aa/0x530 [ 8.342573] ? finish_fault+0x4e/0x70 [ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0 [ 8.344337] ? __sys_sendmsg+0x53/0x80 [ 8.345040] __sys_sendmsg+0x53/0x80 [ 8.345678] do_syscall_64+0x4f/0x100 [ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 8.347206] RIP: 0033:0x7f591191da67 [ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67 [ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003 [ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000 [ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000 [ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0 [ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00 00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30 74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c [ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840 [ 8.359770] CR2: 0000000000021130 [ 8.360438] ---[ end trace 60c66be45dfc14f0 ]--- The caller calls action's ->init() and passes pointer to "struct tc_action *a", which later may be initialized to point at the existing action, otherwise "struct tc_action *a" is still invalid, and therefore dereferencing it is an error as happens in tcf_idr_release, where refcnt is decremented. So in case of missing flags tcf_idr_release must be called only for existing actions. v2: - prepare patch for net tree Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding") Signed-off-by: Roman Mashak Acked-by: Cong Wang Signed-off-by: David S. Miller net/sched/act_skbedit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 79f546a696bff2590169fb5684e23d65f4d9f591 Author: Dave Chinner Date: Fri May 11 11:20:57 2018 +1000 fs: don't scan the inode cache before SB_BORN is set We recently had an oops reported on a 4.14 kernel in xfs_reclaim_inodes_count() where sb->s_fs_info pointed to garbage and so the m_perag_tree lookup walked into lala land. It produces an oops down this path during the failed mount: radix_tree_gang_lookup_tag+0xc4/0x130 xfs_perag_get_tag+0x37/0xf0 xfs_reclaim_inodes_count+0x32/0x40 xfs_fs_nr_cached_objects+0x11/0x20 super_cache_count+0x35/0xc0 shrink_slab.part.66+0xb1/0x370 shrink_node+0x7e/0x1a0 try_to_free_pages+0x199/0x470 __alloc_pages_slowpath+0x3a1/0xd20 __alloc_pages_nodemask+0x1c3/0x200 cache_grow_begin+0x20b/0x2e0 fallback_alloc+0x160/0x200 kmem_cache_alloc+0x111/0x4e0 The problem is that the superblock shrinker is running before the filesystem structures it depends on have been fully set up. i.e. the shrinker is registered in sget(), before ->fill_super() has been called, and the shrinker can call into the filesystem before fill_super() does it's setup work. Essentially we are exposed to both use-after-free and use-before-initialisation bugs here. To fix this, add a check for the SB_BORN flag in super_cache_count. In general, this flag is not set until ->fs_mount() completes successfully, so we know that it is set after the filesystem setup has completed. This matches the trylock_super() behaviour which will not let super_cache_scan() run if SB_BORN is not set, and hence will not allow the superblock shrinker from entering the filesystem while it is being set up or after it has failed setup and is being torn down. Cc: stable@kernel.org Signed-Off-By: Dave Chinner Signed-off-by: Al Viro fs/super.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) commit 9abd68ef454c824bfd18629033367b4382b5f390 Author: Jens Axboe Date: Tue May 8 10:25:15 2018 -0600 nvme: add quirk to force medium priority for SQ creation Some P3100 drives have a bug where they think WRRU (weighted round robin) is always enabled, even though the host doesn't set it. Since they think it's enabled, they also look at the submission queue creation priority. We used to set that to MEDIUM by default, but that was removed in commit 81c1cd98351b. This causes various issues on that drive. Add a quirk to still set MEDIUM priority for that controller. Fixes: 81c1cd98351b ("nvme/pci: Don't set reserved SQ create flags") Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Keith Busch drivers/nvme/host/nvme.h | 5 +++++ drivers/nvme/host/pci.c | 12 +++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) commit 1e2e547a93a00ebc21582c06ca3c6cfea2a309ee Author: Al Viro Date: Fri May 4 08:23:01 2018 -0400 do d_instantiate/unlock_new_inode combinations safely For anything NFS-exported we do _not_ want to unlock new inode before it has grown an alias; original set of fixes got the ordering right, but missed the nasty complication in case of lockdep being enabled - unlock_new_inode() does lockdep_annotate_inode_mutex_key(inode) which can only be done before anyone gets a chance to touch ->i_mutex. Unfortunately, flipping the order and doing unlock_new_inode() before d_instantiate() opens a window when mkdir can race with open-by-fhandle on a guessed fhandle, leading to multiple aliases for a directory inode and all the breakage that follows from that. Correct solution: a new primitive (d_instantiate_new()) combining these two in the right order - lockdep annotate, then d_instantiate(), then the rest of unlock_new_inode(). All combinations of d_instantiate() with unlock_new_inode() should be converted to that. Cc: stable@kernel.org # 2.6.29 and later Tested-by: Mike Marshall Reviewed-by: Andreas Dilger Signed-off-by: Al Viro fs/btrfs/inode.c | 16 ++++------------ fs/dcache.c | 22 ++++++++++++++++++++++ fs/ecryptfs/inode.c | 3 +-- fs/ext2/namei.c | 6 ++---- fs/ext4/namei.c | 6 ++---- fs/f2fs/namei.c | 12 ++++-------- fs/jffs2/dir.c | 12 ++++-------- fs/jfs/namei.c | 12 ++++-------- fs/nilfs2/namei.c | 6 ++---- fs/orangefs/namei.c | 9 +++------ fs/reiserfs/namei.c | 12 ++++-------- fs/udf/namei.c | 6 ++---- fs/ufs/namei.c | 6 ++---- include/linux/dcache.h | 1 + 14 files changed, 57 insertions(+), 72 deletions(-) commit 84c3a0979c4c29711807747280dfecbb54b8af7c Merge: be83bbf d1ecfa9 Author: Linus Torvalds Date: Fri May 11 12:30:34 2018 -0700 Merge tag 'for-linus-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "One fix for the kernel running as a fully virtualized guest using PV drivers on old Xen hypervisor versions" * tag 'for-linus-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/xen: Reset VCPU0 info pointer after shared_info remap commit c89ebb968f04c71e16e86c91caeacb045dc8f908 Author: Colin Ian King Date: Wed May 9 14:58:48 2018 +0100 ixgbe: fix memory leak on ipsec allocation The error clean up path kfree's adapter->ipsec and should be instead kfree'ing ipsec. Fix this. Also, the err1 error exit path does not need to kfree ipsec because this failure path was for the failed allocation of ipsec. Detected by CoverityScan, CID#146424 ("Resource Leak") Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA") Signed-off-by: Colin Ian King Acked-by: Shannon Nelson Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cf12aab67a2fb29342d833a6333a322aaccca2d0 Author: Luc Van Oostenryck Date: Tue Apr 24 15:16:48 2018 +0200 ixgbevf: fix ixgbevf_xmit_frame()'s return type The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, but the implementation in this driver returns an 'int'. Fix this by returning 'netdev_tx_t' in this driver too. Signed-off-by: Luc Van Oostenryck Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bbb2707623f3ccc48695da2433f06d7c38193451 Author: Emil Tantilov Date: Thu Apr 19 17:06:57 2018 -0700 ixgbe: return error on unsupported SFP module when resetting Add check for unsupported module and return the error code. This fixes a Coverity hit due to unused return status from setup_sfp. Signed-off-by: Emil Tantilov Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++ 1 file changed, 3 insertions(+) commit ea3beca422742ca7e8502496e2806421d5e9d6fd Author: Jeff Shaw Date: Wed Apr 18 11:23:27 2018 -0700 ice: Set rq_last_status when cleaning rq Prior to this commit, the rq_last_status was only set when hardware responded with an error. This leads to rq_last_status being invalid in the future when hardware eventually responds without error. This commit resolves the issue by unconditionally setting rq_last_status with the value returned in the descriptor. Fixes: 940b61af02f4 ("ice: Initialize PF and setup miscellaneous interrupt") Signed-off-by: Jeff Shaw Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ice/ice_controlq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 04ac6fdba1afffad664377a324b017e63ac08bd8 Author: Trond Myklebust Date: Fri May 11 14:13:57 2018 -0400 Change Trond's email address in MAINTAINERS Signed-off-by: Trond Myklebust MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ac21fc2dcb405cf250ad3f1228f64f64930d9211 Author: Rob Herring Date: Fri May 11 08:45:59 2018 -0500 sh: switch to NO_BOOTMEM Commit 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") inadvertently switched the DT unflattening allocations from memblock to bootmem which doesn't work because the unflattening happens before bootmem is initialized. Swapping the order of bootmem init and unflattening could also fix this, but removing bootmem is desired. So enable NO_BOOTMEM on SH like other architectures have done. Fixes: 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") Reported-by: Rich Felker Cc: Yoshinori Sato Signed-off-by: Rob Herring Signed-off-by: Rich Felker arch/sh/Kconfig | 1 + arch/sh/kernel/setup.c | 1 - arch/sh/mm/init.c | 68 +++++--------------------------------------------- arch/sh/mm/numa.c | 19 -------------- 4 files changed, 7 insertions(+), 82 deletions(-) commit be83bbf806822b1b89e0a0f23cd87cddc409e429 Author: Linus Torvalds Date: Fri May 11 09:52:01 2018 -0700 mmap: introduce sane default mmap limits The internal VM "mmap()" interfaces are based on the mmap target doing everything using page indexes rather than byte offsets, because traditionally (ie 32-bit) we had the situation that the byte offset didn't fit in a register. So while the mmap virtual address was limited by the word size of the architecture, the backing store was not. So we're basically passing "pgoff" around as a page index, in order to be able to describe backing store locations that are much bigger than the word size (think files larger than 4GB etc). But while this all makes a ton of sense conceptually, we've been dogged by various drivers that don't really understand this, and internally work with byte offsets, and then try to work with the page index by turning it into a byte offset with "pgoff << PAGE_SHIFT". Which obviously can overflow. Adding the size of the mapping to it to get the byte offset of the end of the backing store just exacerbates the problem, and if you then use this overflow-prone value to check various limits of your device driver mmap capability, you're just setting yourself up for problems. The correct thing for drivers to do is to do their limit math in page indices, the way the interface is designed. Because the generic mmap code _does_ test that the index doesn't overflow, since that's what the mmap code really cares about. HOWEVER. Finding and fixing various random drivers is a sisyphean task, so let's just see if we can just make the core mmap() code do the limiting for us. Realistically, the only "big" backing stores we need to care about are regular files and block devices, both of which are known to do this properly, and which have nice well-defined limits for how much data they can access. So let's special-case just those two known cases, and then limit other random mmap users to a backing store that still fits in "unsigned long". Realistically, that's not much of a limit at all on 64-bit, and on 32-bit architectures the only worry might be the GPU drivers, which can have big physical address spaces. To make it possible for drivers like that to say that they are 64-bit clean, this patch does repurpose the "FMODE_UNSIGNED_OFFSET" bit in the file flags to allow drivers to mark their file descriptors as safe in the full 64-bit mmap address space. [ The timing for doing this is less than optimal, and this should really go in a merge window. But realistically, this needs wide testing more than it needs anything else, and being main-line is the only way to do that. So the earlier the better, even if it's outside the proper development cycle - Linus ] Cc: Kees Cook Cc: Dan Carpenter Cc: Al Viro Cc: Willy Tarreau Cc: Dave Airlie Signed-off-by: Linus Torvalds mm/mmap.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) commit 4e50d9ebaeaa3c6761d2b513ef7039510c8cf213 Author: Charles Machalow Date: Thu May 10 16:01:38 2018 -0700 nvme: Fix sync controller reset return If a controller reset is requested while the device has no namespaces, we were incorrectly returning ENETRESET. This patch adds the check for ADMIN_ONLY controller state to indicate a successful reset. Fixes: 8000d1fdb0 ("nvme-rdma: fix sysfs invoked reset_ctrl error flow ") Cc: Signed-off-by: Charles Machalow [changelog] Signed-off-by: Keith Busch drivers/nvme/host/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 41e3e1082367221e99a59c8968a583706123ae04 Merge: e03dc5d ef05037 Author: Linus Torvalds Date: Fri May 11 09:49:02 2018 -0700 Merge tag 'pm-4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix two PCI power management regressions from the 4.13 cycle and one cpufreq schedutil governor bug introduced during the 4.12 cycle, drop a stale comment from the schedutil code and fix two mistakes in docs. Specifics: - Restore device_may_wakeup() check in pci_enable_wake() removed inadvertently during the 4.13 cycle to prevent systems from drawing excessive power when suspended or off, among other things (Rafael Wysocki). - Fix pci_dev_run_wake() to properly handle devices that only can signal PME# when in the D3cold power state (Kai Heng Feng). - Fix the schedutil cpufreq governor to avoid using UINT_MAX as the new CPU frequency in some cases due to a missing check (Rafael Wysocki). - Remove a stale comment regarding worker kthreads from the schedutil cpufreq governor (Juri Lelli). - Fix a copy-paste mistake in the intel_pstate driver documentation (Juri Lelli). - Fix a typo in the system sleep states documentation (Jonathan Neuschäfer)" * tag 'pm-4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PCI / PM: Check device_may_wakeup() in pci_enable_wake() PCI / PM: Always check PME wakeup capability for runtime wakeup support cpufreq: schedutil: Avoid using invalid next_freq cpufreq: schedutil: remove stale comment PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph PM: docs: sleep-states: Fix a typo ("includig") commit e03dc5d3d427ed0114258ba00b16277e705e2c0d Merge: ca30093 3057fce Author: Linus Torvalds Date: Fri May 11 09:46:14 2018 -0700 Merge tag 'mtd/fixes-for-4.17-rc5' of git://git.infradead.org/linux-mtd Pull mtd fixes from Boris Brezillon: - make nand_soft_waitrdy() wait tWB before polling the status REG - fix BCH write in the the Marvell NAND controller driver - fix wrong picosec to msec conversion in the Marvell NAND controller driver - fix DMA handling in the TI OneNAND controllre driver * tag 'mtd/fixes-for-4.17-rc5' of git://git.infradead.org/linux-mtd: mtd: rawnand: Make sure we wait tWB before polling the STATUS reg mtd: rawnand: marvell: fix command xtype in BCH write hook mtd: rawnand: marvell: pass ms delay to wait_op mtd: onenand: omap2: Disable DMA for HIGHMEM buffers commit 5ae4bbf76928b401fe467e837073d939300adbf0 Merge: 1b97013 f85900c Author: David S. Miller Date: Fri May 11 12:26:29 2018 -0400 Merge tag 'mlx5-fixes-2018-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== Mellanox, mlx5 fixes 2018-05-10 the following series includes some fixes for mlx5 core driver. Please pull and let me know if there's any problem. For -stable v4.5 ("net/mlx5: E-Switch, Include VF RDMA stats in vport statistics") For -stable v4.10 ("net/mlx5e: Err if asked to offload TC match on frag being first") ==================== Signed-off-by: David S. Miller commit ca30093dd7ff8fd3423c68db1f70f72a88542cb9 Merge: 0a0b987 72777fe Author: Linus Torvalds Date: Fri May 11 09:18:02 2018 -0700 Merge tag 'drm-fixes-for-v4.17-rc5' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "nouveau, amdgpu, i915, vc4, omap, exynos and atomic fixes. As last week seemed a bit slow, we got a few more fixes this week. The main stuff is two weeks of fixes for amdgpu, some missing bits of vega12 atom firmware support were added, and some power management fixes. Nouveau got two regression fixes for an DP MST deadlock and a random oops fix. i915 got an LVDS panel timeout fix 2 WARN fixes. exynos fixed a pagefault issue in the mixer driver. vc4 has an oops fix. omap had a bunch of uninit var and error-checking fixes. Two atomic modesetting state fixes. One minor agp cleanup patch" * tag 'drm-fixes-for-v4.17-rc5' of git://people.freedesktop.org/~airlied/linux: (30 commits) drm/amd/pp: Fix performance drop on Fiji drm/nouveau: Fix deadlock in nv50_mstm_register_connector() drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client agp: uninorth: make two functions static drm/amd/pp: Refine the output of pp_power_profile_mode on VI drm/amdgpu: Switch to interruptable wait to recover from ring hang. drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages drm/amd/display: Use kvzalloc for potentially large allocations drm/amd/display: Don't return ddc result and read_bytes in same return value drm/amd/display: Add get_firmware_info_v3_2 for VG12 drm/amd: Add BIOS smu_info v3_3 required struct def. drm/amd/display: Add VG12 ASIC IDs drm/vc4: Fix scaling of uni-planar formats drm/exynos: hdmi: avoid duplicating drm_bridge_attach drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log drm/i915: Correctly populate user mode h/vdisplay with pipe src size during readout drm/i915: Adjust eDP's logical vco in a reliable place. drm/bridge/sii8620: add Kconfig dependency on extcon drm/omap: handle alloc failures in omap_connector drm/omap: add missing linefeeds to prints ... commit 1b97013bfb11d66f041de691de6f0fec748ce016 Author: Andrey Ignatov Date: Thu May 10 10:59:34 2018 -0700 ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed earlier in 919483096bfe. * udp_sendmsg one was there since the beginning when linux sources were first added to git; * ping_v4_sendmsg one was copy/pasted in c319b4d76b9e. Whenever return happens in udp_sendmsg() or ping_v4_sendmsg() IP options have to be freed if they were allocated previously. Add label so that future callers (if any) can use it instead of kfree() before return that is easy to forget. Fixes: c319b4d76b9e (net: ipv4: add IPPROTO_ICMP socket kind) Signed-off-by: Andrey Ignatov Signed-off-by: David S. Miller net/ipv4/ping.c | 7 +++++-- net/ipv4/udp.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 8ccc113172e4c1ebef45c2433f3c32ed6ae1b9c9 Author: Christophe JAILLET Date: Thu May 10 13:26:16 2018 +0200 mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' Resources are not freed in the reverse order of the allocation. Labels are also mixed-up. Fix it and reorder code and labels in the error handling path of 'mlxsw_core_bus_device_register()' Fixes: ef3116e5403e ("mlxsw: spectrum: Register KVD resources with devlink") Signed-off-by: Christophe JAILLET Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 89dd2e752c7beb773c36e623773d50d5f34da711 Merge: ca3943c 21706ee Author: David S. Miller Date: Fri May 11 11:50:41 2018 -0400 Merge branch 'bonding-bug-fixes-and-regressions' Debabrata Banerjee says: ==================== bonding: bug fixes and regressions Fixes to bonding driver for balance-alb mode, suitable for stable. ==================== Signed-off-by: David S. Miller commit 21706ee8a47d3ede7fdae0be6d7c0a0e31a83229 Author: Debabrata Banerjee Date: Wed May 9 19:32:11 2018 -0400 bonding: send learning packets for vlans on slave There was a regression at some point from the intended functionality of commit f60c3704e87d ("bonding: Fix alb mode to only use first level vlans.") Given the return value vlan_get_encap_level() we need to store the nest level of the bond device, and then compare the vlan's encap level to this. Without this, this check always fails and learning packets are never sent. In addition, this same commit caused a regression in the behavior of balance_alb, which requires learning packets be sent for all interfaces using the slave's mac in order to load balance properly. For vlan's that have not set a user mac, we can send after checking one bit. Otherwise we need send the set mac, albeit defeating rx load balancing for that vlan. Signed-off-by: Debabrata Banerjee Signed-off-by: David S. Miller drivers/net/bonding/bond_alb.c | 13 ++++++++----- drivers/net/bonding/bond_main.c | 2 ++ include/net/bonding.h | 1 + 3 files changed, 11 insertions(+), 5 deletions(-) commit 4fa8667ca3989ce14cf66301fa251544fbddbdd0 Author: Debabrata Banerjee Date: Wed May 9 19:32:10 2018 -0400 bonding: do not allow rlb updates to invalid mac Make sure multicast, broadcast, and zero mac's cannot be the output of rlb updates, which should all be directed arps. Receive load balancing will be collapsed if any of these happen, as the switch will broadcast. Signed-off-by: Debabrata Banerjee Signed-off-by: David S. Miller drivers/net/bonding/bond_alb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c23080a6e4e853cff2834436e3cf33eae7723900 Author: Arnaldo Carvalho de Melo Date: Thu May 3 15:59:58 2018 -0300 perf tools: Add missing newline when parsing empty BPF proggie This is not specific to BPF but was found when parsing a .c BPF proggie that while valid, had no events attached to tracepoints, kprobes, etc: Very minimal file that perf's BPF code can compile: # cat empty.c char _license[] __attribute__((section("license"), used)) = "GPL"; int _version __attribute__((section("version"), used)) = LINUX_VERSION_CODE; # Before this patch: # perf trace -e empty.c WARNING: event parser found nothinginvalid or unsupported event: 'empty.c' Run 'perf list' for a list of valid events Usage: perf trace [] [] or: perf trace [] -- [] or: perf trace record [] [] or: perf trace record [] -- [] -e, --event event/syscall selector. use 'perf list' to list available events # After: # perf trace -e empty.c WARNING: event parser found nothing invalid or unsupported event: 'empty.c' Run 'perf list' for a list of valid events Usage: perf trace [] [] or: perf trace [] -- [] or: perf trace record [] [] or: perf trace record [] -- [] -e, --event event/syscall selector. use 'perf list' to list available events # Cc: Adrian Hunter Cc: David Ahern Cc: Jiri Olsa Cc: Namhyung Kim Cc: Wang Nan Link: https://lkml.kernel.org/n/tip-8ysughiz00h6mjpcot04qyjj@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/parse-events.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d Author: Steven Rostedt (VMware) Date: Wed May 9 11:59:32 2018 -0400 tracing: Fix regex_match_front() to not over compare the test string The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the pattern length from testing the entire test string. That is, it went from strncmp(str, r->pattern, len) to strcmp(str, r->pattern, r->len). The issue is that str is not guaranteed to be nul terminated, and if r->len is greater than the length of str, it can access more memory than is allocated. The solution is to add a simple test if (len < r->len) return 0. Cc: stable@vger.kernel.org Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") Signed-off-by: Steven Rostedt (VMware) kernel/trace/trace_events_filter.c | 3 +++ 1 file changed, 3 insertions(+) commit 3a0887997d6731e1005ba09c93aa5c2898c78931 Author: Leo Yan Date: Thu May 10 12:02:00 2018 +0800 perf cs-etm: Remove redundant space There have two spaces ahead function name cs_etm__set_pid_tid_cpu(), so remove one space and correct indentation. Signed-off-by: Leo Yan Acked-by: Mathieu Poirier Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1525924920-4381-2-git-send-email-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/cs-etm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 46d53620044f7b574c0f3216f8b4f2ce3559ce31 Author: Leo Yan Date: Thu May 10 12:01:59 2018 +0800 perf cs-etm: Support unknown_thread in cs_etm_auxtrace CoreSight doesn't allocate thread structure for unknown_thread in ETM auxtrace, so unknown_thread is NULL pointer. If the perf data doesn't contain valid tid and then cs_etm__mem_access() uses unknown_thread instead as thread handler, this results in a segmentation fault when thread__find_addr_map() accesses the thread handler. This commit creates a new thread data which is used by unknown_thread, so CoreSight tracing can roll back to use unknown_thread if perf data doesn't include valid thread info. This commit also releases thread data for initialization failure case and for normal auxtrace free flow. Signed-off-by: Leo Yan Acked-by: Mathieu Poirier Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1525924920-4381-1-git-send-email-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/cs-etm.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) commit ef050374e1eedec45bd260e0ac9eb98f699267d2 Merge: 9773950 cfcadfa 13610c9 Author: Rafael J. Wysocki Date: Fri May 11 15:17:18 2018 +0200 Merge branches 'pm-pci' and 'pm-docs' * pm-pci: PCI / PM: Check device_may_wakeup() in pci_enable_wake() PCI / PM: Always check PME wakeup capability for runtime wakeup support * pm-docs: PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph PM: docs: sleep-states: Fix a typo ("includig") commit 7f6df440b8623c441c42d070bf592e2d2c1fa9bb Author: Haneen Mohammed Date: Fri May 11 07:15:42 2018 +0300 drm: Match sysfs name in link removal to link creation This patch matches the sysfs name used in the unlinking with the linking function. Otherwise, remove_compat_control_link() fails to remove sysfs created by create_compat_control_link() in drm_dev_register(). Fixes: 6449b088dd51 ("drm: Add fake controlD* symlinks for backwards compat") Cc: Dave Airlie Cc: Alex Deucher Cc: Emil Velikov Cc: David Herrmann Cc: Greg Kroah-Hartman Cc: Daniel Vetter Cc: Gustavo Padovan Cc: Maarten Lankhorst Cc: Sean Paul Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Cc: # v4.10+ Signed-off-by: Haneen Mohammed [seanpaul added Fixes and Cc tags] Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20180511041542.GA4253@haneen-vb drivers/gpu/drm/drm_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 64f7a11586ab9262f00b8b6eceef6d8154921bd8 Author: Sean Christopherson Date: Mon Apr 30 10:01:06 2018 -0700 KVM: vmx: update sec exec controls for UMIP iff emulating UMIP Update SECONDARY_EXEC_DESC for UMIP emulation if and only UMIP is actually being emulated. Skipping the VMCS update eliminates unnecessary VMREAD/VMWRITE when UMIP is supported in hardware, and on platforms that don't have SECONDARY_VM_EXEC_CONTROL. The latter case resolves a bug where KVM would fill the kernel log with warnings due to failed VMWRITEs on older platforms. Fixes: 0367f205a3b7 ("KVM: vmx: add support for emulating UMIP") Cc: stable@vger.kernel.org #4.16 Reported-by: Paolo Zeppegno Suggested-by: Paolo Bonzini Suggested-by: Radim KrÄmář Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini arch/x86/kvm/vmx.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) commit c19986fea873f3c745122bf79013a872a190f212 Author: Junaid Shahid Date: Fri May 4 11:37:13 2018 -0700 kvm: x86: Suppress CR3_PCID_INVD bit only when PCIDs are enabled If the PCIDE bit is not set in CR4, then the MSb of CR3 is a reserved bit. If the guest tries to set it, that should cause a #GP fault. So mask out the bit only when the PCIDE bit is set. Signed-off-by: Junaid Shahid Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit bcb2b94ae01009db26d1ad0811975405149b14f0 Author: Paolo Bonzini Date: Wed Apr 18 18:26:45 2018 +0200 KVM: selftests: exit with 0 status code when tests cannot be run Right now, skipped tests are returning a failure exit code if /dev/kvm does not exists. Consistently return a zero status code so that various scripts over the interwebs do not complain. Also return a zero status code if the KVM_CAP_SYNC_REGS capability is not present, and hardcode in the test the register kinds that are covered (rather than just using whatever value of KVM_SYNC_X86_VALID_FIELDS is provided by the kernel headers). Signed-off-by: Paolo Bonzini tools/testing/selftests/kvm/Makefile | 2 +- tools/testing/selftests/kvm/include/test_util.h | 1 + tools/testing/selftests/kvm/lib/kvm_util.c | 16 ++++----- tools/testing/selftests/kvm/sync_regs_test.c | 40 ++++++++++++++++++----- tools/testing/selftests/kvm/vmx_tsc_adjust_test.c | 4 +-- 5 files changed, 43 insertions(+), 20 deletions(-) commit 452a68d0ef341c4d544757e02154788227b2a08b Author: Paolo Bonzini Date: Mon May 7 19:24:34 2018 +0200 KVM: hyperv: idr_find needs RCU protection Even though the eventfd is released after the KVM SRCU grace period elapses, the conn_to_evt data structure itself is not; it uses RCU internally, instead. Fix the read-side critical section to happen under rcu_read_lock/unlock; the result is still protected by vcpu->kvm->srcu. Reviewed-by: Roman Kagan Signed-off-by: Paolo Bonzini arch/x86/kvm/hyperv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 6356ee0c9602004e0a3b4b2dad68ee2ee9385b17 Author: Marian Rotariu Date: Mon Apr 30 12:23:01 2018 +0300 x86: Delay skip of emulated hypercall instruction The IP increment should be done after the hypercall emulation, after calling the various handlers. In this way, these handlers can accurately identify the the IP of the VMCALL if they need it. This patch keeps the same functionality for the Hyper-V handler which does not use the return code of the standard kvm_skip_emulated_instruction() call. Signed-off-by: Marian Rotariu [Hyper-V hypercalls also need kvm_skip_emulated_instruction() - Paolo] Signed-off-by: Paolo Bonzini arch/x86/kvm/hyperv.c | 2 +- arch/x86/kvm/x86.c | 19 +++++++++++-------- 2 files changed, 12 insertions(+), 9 deletions(-) commit ddc9cfb79c1096a0855839631c091aa7e9602052 Author: Wanpeng Li Date: Thu Apr 26 17:55:03 2018 -0700 KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs Our virtual machines make use of device assignment by configuring 12 NVMe disks for high I/O performance. Each NVMe device has 129 MSI-X Table entries: Capabilities: [50] MSI-X: Enable+ Count=129 Masked-Vector table: BAR=0 offset=00002000 The windows virtual machines fail to boot since they will map the number of MSI-table entries that the NVMe hardware reported to the bus to msi routing table, this will exceed the 1024. This patch extends MAX_IRQ_ROUTES to 4096 for all archs, in the future this might be extended again if needed. Reviewed-by: Cornelia Huck Cc: Paolo Bonzini Cc: Radim KrÄmář Cc: Cornelia Huck Cc: Christian Borntraeger Signed-off-by: Wanpeng Li Signed-off-by: Tonny Lu Signed-off-by: Paolo Bonzini include/linux/kvm_host.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) commit 6d3299aef7df7225ecff653feedafb5d1646998b Author: Nikita Yushchenko Date: Mon May 7 16:53:09 2018 +0300 ARM: dts: imx51-zii-rdu1: fix touchscreen bindings This fixes errors in RDU1 device tree that cause touch screens not working. Fixes: ceef0396f367 ("ARM: dts: imx: add ZII RDU1 board") Signed-off-by: Nikita Yushchenko Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo arch/arm/boot/dts/imx51-zii-rdu1.dts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 60abce9f43d812dfec6687a10ca30be380f6f97a Merge: 13b86f5 c8da6cd Author: Zhang Rui Date: Fri May 11 09:37:21 2018 +0800 Merge branch 'thermal-soc' into next commit 0a0b98734479aa5b3c671d5190e86273372cab95 Author: Jann Horn Date: Fri May 11 02:19:01 2018 +0200 compat: fix 4-byte infoleak via uninitialized struct field Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") removed the memset() in compat_get_timex(). Since then, the compat adjtimex syscall can invoke do_adjtimex() with an uninitialized ->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments are invalid), compat_put_timex() then copies the uninitialized ->tai field to userspace. Fix it by adding the memset() back. Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") Signed-off-by: Jann Horn Acked-by: Kees Cook Acked-by: Al Viro Signed-off-by: Linus Torvalds kernel/compat.c | 1 + 1 file changed, 1 insertion(+) commit 72777fe79768ec30ac2163d26de68a89edc9849f Merge: 7c2b134 7fc6311 Author: Dave Airlie Date: Fri May 11 10:37:07 2018 +1000 Merge branch 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Single amdgpu regression fix * 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux: drm/amd/pp: Fix performance drop on Fiji commit 6e70c267e68d77679534dcf4aaf84e66f2cf1425 Author: Steve French Date: Thu May 10 10:59:37 2018 -0500 smb3: directory sync should not return an error As with NFS, which ignores sync on directory handles, fsync on a directory handle is a noop for CIFS/SMB3. Do not return an error on it. It breaks some database apps otherwise. Signed-off-by: Steve French CC: Stable Reviewed-by: Ronnie Sahlberg Reviewed-by: Pavel Shilovsky fs/cifs/cifsfs.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit f85900c3e13fdb61f040c9feecbcda601e0cdcfb Author: Roi Dayan Date: Thu Mar 22 18:51:37 2018 +0200 net/mlx5e: Err if asked to offload TC match on frag being first The HW doesn't support matching on frag first/later, return error if we are asked to offload that. Fixes: 3f7d0eb42d59 ("net/mlx5e: Offload TC matching on packets being IP fragments") Signed-off-by: Roi Dayan Reviewed-by: Or Gerlitz Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 ++++ 1 file changed, 4 insertions(+) commit 88d725bbb43cd63a40c8ef70dd373f1d38ead2e3 Author: Adi Nissim Date: Wed Apr 25 11:21:32 2018 +0300 net/mlx5: E-Switch, Include VF RDMA stats in vport statistics The host side reporting of VF vport statistics didn't include the VF RDMA traffic. Fixes: 3b751a2a418a ("net/mlx5: E-Switch, Introduce get vf statistics") Signed-off-by: Adi Nissim Reported-by: Ariel Almog Reviewed-by: Or Gerlitz Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 1ef903bf795be01c91c10c93a0f9d9d6f2f7921b Author: Daniel Jurgens Date: Mon Mar 26 13:35:29 2018 -0500 net/mlx5: Free IRQs in shutdown path Some platforms require IRQs to be free'd in the shutdown path. Otherwise they will fail to be reallocated after a kexec. Fixes: 8812c24d28f4 ("net/mlx5: Add fast unload support in shutdown flow") Signed-off-by: Daniel Jurgens Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/eq.c | 28 ++++++++++++++++++++++ drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 +++++++ .../net/ethernet/mellanox/mlx5/core/mlx5_core.h | 2 ++ 3 files changed, 38 insertions(+) commit 6b47fe1d1ca3aec3a1a8623439c22fbf51016cd8 Author: David Howells Date: Thu May 10 23:26:01 2018 +0100 rxrpc: Trace UDP transmission failure Add a tracepoint to log transmission failure from the UDP transport socket being used by AF_RXRPC. Signed-off-by: David Howells include/trace/events/rxrpc.h | 55 ++++++++++++++++++++++++++++++++++++++++++++ net/rxrpc/conn_event.c | 11 ++++++--- net/rxrpc/local_event.c | 3 ++- net/rxrpc/output.c | 23 ++++++++++++++++-- net/rxrpc/rxkad.c | 6 +++-- 5 files changed, 90 insertions(+), 8 deletions(-) commit 494337c918403db5743af0348d963cafb9b20cee Author: David Howells Date: Thu May 10 23:26:01 2018 +0100 rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages Add a tracepoint to log received ICMP/ICMP6 events and other error messages. Signed-off-by: David Howells include/trace/events/rxrpc.h | 30 +++++++++++++++++++++++++++++ net/rxrpc/peer_event.c | 46 ++++++++++++++++++++++---------------------- 2 files changed, 53 insertions(+), 23 deletions(-) commit 93864fc3ffcc4bf70e96cfb5cc6e941630419ad0 Author: David Howells Date: Thu May 10 23:26:01 2018 +0100 rxrpc: Fix the min security level for kernel calls Fix the kernel call initiation to set the minimum security level for kernel initiated calls (such as from kAFS) from the sockopt value. Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info") Signed-off-by: David Howells net/rxrpc/af_rxrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f2aeed3a591ff29a82495eeaa92ac4780bad7487 Author: David Howells Date: Thu May 10 23:26:00 2018 +0100 rxrpc: Fix error reception on AF_INET6 sockets AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket it just opened for communications with the outside world, regardless of the type of socket. Unfortunately, this doesn't work with an AF_INET6 socket. Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the socket is of the AF_INET6 family. Without this, kAFS server and address rotation doesn't work correctly because the algorithm doesn't detect received network errors. Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") Signed-off-by: David Howells net/rxrpc/local_object.c | 57 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 15 deletions(-) commit c54e43d752c7187595c8c62a231e0b0d53c7fded Author: David Howells Date: Thu May 10 23:26:00 2018 +0100 rxrpc: Fix missing start of call timeout The expect_rx_by call timeout is supposed to be set when a call is started to indicate that we need to receive a packet by that point. This is currently put back every time we receive a packet, but it isn't started when we first send a packet. Without this, the call may wait forever if the server doesn't deign to reply. Fix this by setting the timeout upon a successful UDP sendmsg call for the first DATA packet. The timeout is initiated only for initial transmission and not for subsequent retries as we don't want the retry mechanism to extend the timeout indefinitely. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Reported-by: Marc Dionne Signed-off-by: David Howells net/rxrpc/ar-internal.h | 1 + net/rxrpc/input.c | 2 +- net/rxrpc/output.c | 11 +++++++++++ net/rxrpc/sendmsg.c | 10 ++++++++++ 4 files changed, 23 insertions(+), 1 deletion(-) commit 3597683c9da602b0440c5f742d64fa5da79cc026 Author: Jakub Kicinski Date: Thu May 10 10:09:34 2018 -0700 tools: bpf: handle NULL return in bpf_prog_load_xattr() bpf_object__open() can return error pointer as well as NULL. Fix error handling in bpf_prog_load_xattr() (and indirectly bpf_prog_load()). Fixes: 6f6d33f3b3d0 ("bpf: selftests add sockmap tests") Signed-off-by: Jakub Kicinski Reviewed-by: Quentin Monnet Signed-off-by: Daniel Borkmann tools/lib/bpf/libbpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ca3943c4aaff083bc25419f04e549e293590258e Merge: 2fdae03 32bee8f Author: David S. Miller Date: Thu May 10 17:57:11 2018 -0400 Merge tag 'linux-can-fixes-for-4.17-20180510' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== this is a pull request for net/master consisting of 2 patches. Both patches are from Lukas Wunner and fix two problems found in the hi311x CAN driver under high load situations. ==================== Signed-off-by: David S. Miller commit 2fdae0349f587ffde4d1010c65fb543569bab787 Author: Colin Ian King Date: Thu May 10 15:03:27 2018 +0100 qed: fix spelling mistake: "taskelt" -> "tasklet" Trivial fix to spelling mistake in DP_VERBOSE message text Signed-off-by: Colin Ian King Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6910e25de2257e2c82c7a2d126e3463cd8e50810 Author: Xin Long Date: Thu May 10 17:34:13 2018 +0800 sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg In Commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"), it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later in recvmsg. However, it also added sctp_chunk_put in fail_mark err path, which is only triggered before holding the chunk. syzbot reported a use-after-free crash happened on this err path, where it shouldn't call sctp_chunk_put. This patch simply removes this call. Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too") Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com Signed-off-by: Xin Long Acked-by: Neil Horman Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/ulpevent.c | 1 - 1 file changed, 1 deletion(-) commit a577d868b768a3baf16cdd4841ab8cfb165521d6 Author: Christophe JAILLET Date: Thu May 10 09:06:04 2018 +0200 net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' If an error occurs, 'mlx4_en_destroy_netdev()' is called. It then calls 'mlx4_en_free_resources()' which does the needed resources cleanup. So, doing some explicit kfree in the error handling path would lead to some double kfree. Simplify code to avoid such a case. Fixes: 67f8b1dcb9ee ("net/mlx4_en: Refactor the XDP forwarding rings scheme") Signed-off-by: Christophe JAILLET Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) commit 97f3efb64323beb0690576e9d74e94998ad6e82a Author: Stephen Hemminger Date: Wed May 9 14:09:04 2018 -0700 hv_netvsc: set master device The hyper-v transparent bonding should have used master_dev_link. The netvsc device should look like a master bond device not like the upper side of a tunnel. This makes the semantics the same so that userspace applications looking at network devices see the correct master relationshipship. Fixes: 0c195567a8f6 ("netvsc: transparent VF management") Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit b2a9643855c320353723a08b9ee4a3bbd0301c1a Merge: 09c8b97 914eac2 Author: David S. Miller Date: Thu May 10 17:34:50 2018 -0400 Merge tag 'mac80211-for-davem-2018-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== We only have a few fixes this time: * WMM element validation * SAE timeout * add-BA timeout * docbook parsing * a few memory leaks in error paths ==================== Signed-off-by: David S. Miller commit 09c8b9718a7af674036643fa2e0dbb2f09aba75e Author: Eric Dumazet Date: Wed May 9 09:50:22 2018 -0700 tipc: fix one byte leak in tipc_sk_set_orig_addr() sysbot/KMSAN reported an uninit-value in recvmsg() that I tracked down to tipc_sk_set_orig_addr(), missing srcaddr->member.scope initialization. This patches moves srcaddr->sock.scope init to follow fields order and ease future verifications. BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline] BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:226 CPU: 0 PID: 4549 Comm: syz-executor287 Not tainted 4.17.0-rc3+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 copy_to_user include/linux/uaccess.h:184 [inline] move_addr_to_user+0x32e/0x530 net/socket.c:226 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2285 __sys_recvmsg net/socket.c:2328 [inline] __do_sys_recvmsg net/socket.c:2338 [inline] __se_sys_recvmsg net/socket.c:2335 [inline] __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4455e9 RSP: 002b:00007fe3bd36ddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 00000000004455e9 RDX: 0000000000002002 RSI: 0000000020000400 RDI: 0000000000000003 RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff98ce4b6f R14: 00007fe3bd36e9c0 R15: 0000000000000003 Local variable description: ----addr@___sys_recvmsg Variable was created at: ___sys_recvmsg+0xd5/0x810 net/socket.c:2246 __sys_recvmsg net/socket.c:2328 [inline] __do_sys_recvmsg net/socket.c:2338 [inline] __se_sys_recvmsg net/socket.c:2335 [inline] __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335 Byte 19 of 32 is uninitialized Fixes: 31c82a2d9d51 ("tipc: add second source address to recvmsg()/recvfrom()") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Jon Maloy Cc: Ying Xue Acked-by: Jon Maloy Signed-off-by: David S. Miller net/tipc/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit f7017cafcdd7574680fc7faabcb73f91172a14ab Author: Davide Caratti Date: Wed May 9 18:45:42 2018 +0200 tc-testing: fix tdc tests for 'bpf' action - correct a typo in the value of 'matchPattern' of test 282d, potentially causing false negative - allow errors when 'teardown' executes '$TC action flush action bpf' in test 282d, to fix false positive when it is run with act_bpf unloaded - correct the value of 'matchPattern' in test e939, causing false positive in case the BPF JIT is enabled Fixes: 440ea4ae1828 ("tc-testing: add selftests for 'bpf' action") Signed-off-by: Davide Caratti Acked-by: Lucas Bates Signed-off-by: David S. Miller tools/testing/selftests/tc-testing/tc-tests/actions/bpf.json | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) commit 7bb4d366cba992904bffa4820d24e70a3de93e76 Author: Jiri Kosina Date: Thu May 10 22:47:32 2018 +0200 x86/bugs: Make cpu_show_common() static cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so make it static. Signed-off-by: Jiri Kosina Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/bugs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f Author: Jiri Kosina Date: Thu May 10 22:47:18 2018 +0200 x86/bugs: Fix __ssb_select_mitigation() return type __ssb_select_mitigation() returns one of the members of enum ssb_mitigation, not ssb_mitigation_cmd; fix the prototype to reflect that. Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation") Signed-off-by: Jiri Kosina Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/bugs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6ad4e91c6d796b38a7f0e724db1de28eeb122bad Author: Moshe Shemesh Date: Wed May 9 18:35:13 2018 +0300 net/mlx4_en: Verify coalescing parameters are in range Add check of coalescing parameters received through ethtool are within range of values supported by the HW. Driver gets the coalescing rx/tx-usecs and rx/tx-frames as set by the users through ethtool. The ethtool support up to 32 bit value for each. However, mlx4 modify cq limits the coalescing time parameter and coalescing frames parameters to 16 bits. Return out of range error if user tries to set these parameters to higher values. Change type of sample-interval and adaptive_rx_coal parameters in mlx4 driver to u32 as the ethtool holds them as u32 and these parameters are not limited due to mlx4 HW. Fixes: c27a02cd94d6 ('mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC') Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++++++++++++++++ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +++++-- 2 files changed, 21 insertions(+), 2 deletions(-) commit aca06eafd09f48ca4d97f3c0b2a12c8d631116f0 Author: Ganesh Goudar Date: Wed May 9 19:00:35 2018 +0530 cxgb4: copy mbox log size to PF0-3 adap instances copy mbox size to adapter instances of PF0-3 to avoid mbox log overflow. This fixes the possible protection fault. Fixes: baf5086840ab ("cxgb4: restructure VF mgmt code") Signed-off-by: Casey Leedom Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 2b928749f9ba781085442d1f8832f057cbf458a1 Author: Ganesh Goudar Date: Wed May 9 18:40:09 2018 +0530 cxgb4: zero the HMA memory firmware expects HMA memory to be zeroed, use __GFP_ZERO for HMA memory allocation. Fixes: 8b4e6b3ca2ed ("cxgb4: Add HMA support") Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 69678bcd4d2dedbc3e8fcd6d7d99f283d83c531a Author: Paolo Abeni Date: Wed May 9 12:42:34 2018 +0200 udp: fix SO_BINDTODEVICE Damir reported a breakage of SO_BINDTODEVICE for UDP sockets. In absence of VRF devices, after commit fb74c27735f0 ("net: ipv4: add second dif to udp socket lookups") the dif mismatch isn't fatal anymore for UDP socket lookup with non null sk_bound_dev_if, breaking SO_BINDTODEVICE semantics. This changeset addresses the issue making the dif match mandatory again in the above scenario. Reported-by: Damir Mansurov Fixes: fb74c27735f0 ("net: ipv4: add second dif to udp socket lookups") Fixes: 1801b570dd2a ("net: ipv6: add second dif to udp socket lookups") Signed-off-by: Paolo Abeni Acked-by: David Ahern Signed-off-by: David S. Miller net/ipv4/udp.c | 4 ++-- net/ipv6/udp.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 0e8411e426e277f55bd21e287ec89fab6f8eacae Author: Hangbin Liu Date: Wed May 9 18:06:44 2018 +0800 ipv4: reset fnhe_mtu_locked after cache route flushed After route cache is flushed via ipv4_sysctl_rtcache_flush(), we forget to reset fnhe_mtu_locked in rt_bind_exception(). When pmtu is updated in __ip_rt_update_pmtu(), it will return directly since the pmtu is still locked. e.g. + ip netns exec client ping 10.10.1.1 -c 1 -s 1400 -M do PING 10.10.1.1 (10.10.1.1) 1400(1428) bytes of data. >From 10.10.0.254 icmp_seq=1 Frag needed and DF set (mtu = 0) Signed-off-by: David S. Miller net/ipv4/route.c | 1 + 1 file changed, 1 insertion(+) commit 55be9f25be1ca5bda75c39808fc77e42691bc07f Author: Mohammed Gamal Date: Wed May 9 10:17:34 2018 +0200 hv_netvsc: Fix net device attach on older Windows hosts On older windows hosts the net_device instance is returned to the caller of rndis_filter_device_add() without having the presence bit set first. This would cause any subsequent calls to network device operations (e.g. MTU change, channel change) to fail after the device is detached once, returning -ENODEV. Instead of returning the device instabce, we take the exit path where we call netif_device_attach() Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") Signed-off-by: Mohammed Gamal Reviewed-by: Stephen Hemminger Signed-off-by: David S. Miller drivers/net/hyperv/rndis_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit df13c59b54a9f8d3e20a2fb565d54eee8dac8768 Author: Pieter Jansen van Vuuren Date: Wed May 9 00:18:58 2018 -0700 nfp: flower: remove headroom from max MTU calculation Since commit 29a5dcae2790 ("nfp: flower: offload phys port MTU change") we take encapsulation headroom into account when calculating the max allowed MTU. This is unnecessary as the max MTU advertised by firmware should have already accounted for encap headroom. Subtracting headroom twice brings the max MTU below what's necessary for some deployments. Fixes: 29a5dcae2790 ("nfp: flower: offload phys port MTU change") Signed-off-by: Pieter Jansen van Vuuren Reviewed-by: John Hurley Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/flower/main.c | 19 ------------------- 1 file changed, 19 deletions(-) commit 680a284635808594b8ac34939a7513dd4320e907 Author: Colin Ian King Date: Wed May 9 10:48:33 2018 +0100 net/9p: fix spelling mistake: "suspsend" -> "suspend" Trivial fix to spelling mistake in dev_warn message text Signed-off-by: Colin Ian King Signed-off-by: David S. Miller net/9p/trans_xen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 39a2d5cbaa8ce03bdd8eb9d3891d7a1b3f5fff96 Author: Colin Ian King Date: Tue May 8 23:24:28 2018 +0100 sctp: fix spelling mistake: "max_retans" -> "max_retrans" Trivial fix to spelling mistake in error string Signed-off-by: Colin Ian King Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/sm_make_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9af5573f3ae1b5ad7340b2f77bba81b066a426d7 Author: Colin Ian King Date: Tue May 8 23:01:51 2018 +0100 firestream: fix spelling mistake: "reseverd" -> "reserved" Trivial fix to spelling mistake in res_strings string array Signed-off-by: Colin Ian King Signed-off-by: David S. Miller drivers/atm/firestream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3ff519e6c9e005e41a1fc8e861f9f23fe9a3fc13 Merge: 94f6a80 090477e Author: David S. Miller Date: Thu May 10 15:22:36 2018 -0400 Merge branch 'qed-rdma-fixes' Michal Kalderon says: ==================== qed*: Rdma fixes This patch series include two fixes for bugs related to rdma. The first has to do with loading the driver over an iWARP device. The second fixes a previous commit that added proper link indication for iWARP / RoCE. ==================== Signed-off-by: Michal Kalderon Signed-off-by: Sudarsana Kalluru commit 090477e4acb31c5dd674940c7c01d4f16bd1ac41 Author: Michal Kalderon Date: Tue May 8 21:29:19 2018 +0300 qede: Fix gfp flags sent to rdma event node allocation A previous commit 4609adc27175 ("qede: Fix qedr link update") added a flow that could allocate rdma event objects from an interrupt path (link notification). Therefore the kzalloc call should be done with GFP_ATOMIC. fixes: 4609adc27175 ("qede: Fix qedr link update") Signed-off-by: Michal Kalderon Signed-off-by: Sudarsana Kalluru Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit af6858ee423a309d93054c361c61099b8eb12bbf Author: Michal Kalderon Date: Tue May 8 21:29:18 2018 +0300 qed: Fix l2 initializations over iWARP personality If qede driver was loaded on a device configured for iWARP the l2 mutex wouldn't be allocated, and some l2 related resources wouldn't be freed. fixes: c851a9dc4359 ("qed: Introduce iWARP personality") Signed-off-by: Michal Kalderon Signed-off-by: Sudarsana Kalluru Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 94d7dbf108813ea45a91e27e9a8bd231d5a23fa7 Merge: 008464a 28700a3 Author: Linus Torvalds Date: Thu May 10 11:42:01 2018 -0700 Merge tag 'for-4.17/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - a stable fix for DM integrity to use kvfree - fix for a 4.17-rc1 change to dm-bufio's buffer alignment - fixes for a few sparse warnings - remove VLA usage in DM mirror target - improve DM thinp Documentation for the "read_only" feature * tag 'for-4.17/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm thin: update Documentation to clarify when "read_only" is valid dm mirror: remove VLA usage dm: fix some sparse warnings and whitespace in dax methods dm cache background tracker: fix sparse warning dm bufio: fix buffer alignment dm integrity: use kvfree for kvmalloc'd memory commit 04d2600ab669b2d44dd7920cc8a1b95c8144084c Author: Jin Yao Date: Wed May 9 23:57:15 2018 +0800 perf annotate: Display all available events on --stdio When we perform the following command lines: $ perf record -e "{cycles,branches}" ./div $ perf annotate main --stdio The output shows only the first event, "cycles" and the displaying format is not correct. Percent | Source code & Disassembly of div for cycles (44550 samples) ----------------------------------------------------------------------------------- : : : : Disassembly of section .text: : : 00000000004004b0
: : main(): : : return i; : } : : int main(void) : { 0.00 : 4004b0: push %rbx : int i; : int flag; : volatile double x = 1212121212, y = 121212; : : s_randseed = time(0); 0.00 : 4004b1: xor %edi,%edi : srand(s_randseed); 0.00 : 4004b3: mov $0x77359400,%ebx : : return i; : } The issue is that the value of the 'nr_percent' variable is hardcoded to 1. This patch fixes it. With this patch, the output is: Percent | Source code & Disassembly of div for cycles (44550 samples) ----------------------------------------------------------------------------------- : : : : Disassembly of section .text: : : 00000000004004b0
: : main(): : : return i; : } : : int main(void) : { 0.00 0.00 : 4004b0: push %rbx : int i; : int flag; : volatile double x = 1212121212, y = 121212; : : s_randseed = time(0); 0.00 0.00 : 4004b1: xor %edi,%edi : srand(s_randseed); 0.00 0.00 : 4004b3: mov $0x77359400,%ebx : : return i; : } Signed-off-by: Jin Yao Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Fixes: f681d593d1ce ("perf annotate: Remove disasm__calc_percent() from disasm_line__print()") Link: http://lkml.kernel.org/r/1525881435-4092-1-git-send-email-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/annotate.c | 3 +++ 1 file changed, 3 insertions(+) commit f8207b987fdc3768257704579bf29a717b4ea520 Author: Thomas Richter Date: Thu May 3 08:58:37 2018 +0200 perf test: "probe libc's inet_pton" fails on s390 due to missing inline perf test "probe libc's inet_pton & backtrace it with ping" fails on 4.17.0rc3 on s/390. It turned out that function __inet_pton is reported as inline: [root@s8360047 perf]# ./perf script -i /tmp/perf.data.111 ping 12457 [000] 1584.478959: probe_libc:inet_pton: (3ffb5a347e8) 1347e8 __inet_pton (inlined) f19d7 gaih_inet.constprop.5 (/usr/lib64/libc-2.24.so) f4c3f __GI_getaddrinfo (inlined) 410b main (/usr/bin/ping) Allow __inet_pton listed as inline. Signed-off-by: Thomas Richter Cc: Heiko Carstens Cc: Hendrik Brueckner Cc: Martin Schwidefsky Link: http://lkml.kernel.org/r/20180503065837.71043-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/tests/shell/record+probe_libc_inet_pton.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 49cf4a4b3f5a8b02556dd4f45c5cee598d4fc799 Merge: 75bc37f 4a35a90 Author: Ingo Molnar Date: Thu May 10 20:09:00 2018 +0200 Merge tag 'perf-urgent-for-mingo-4.17-20180507' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: . Revert "perf pmu: Fix pmu events parsing rule", as it broke Intel PT event description parsing (Arnaldo Carvalho de Melo) . Sync x86's cpufeatures.h and kvm UAPI headers with the kernel sources, suppressing the ABI drift warnings (Arnaldo Carvalho de Melo) - Remove duplicated entry for westmereep-dp in Intel's mapfile.csv (William Cohen) - Fix typo in 'perf bench numa' options description (Yisheng Xie) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 32bee8f48fa048a3198109de50e51c092507ff52 Author: Lukas Wunner Date: Wed May 9 14:43:43 2018 +0200 can: hi311x: Work around TX complete interrupt erratum When sending packets as fast as possible using "cangen -g 0 -i -x", the HI-3110 occasionally latches the interrupt pin high on completion of a packet, but doesn't set the TXCPLT bit in the INTF register. The INTF register contains 0x00 as if no interrupt has occurred. Even waiting for a few milliseconds after the interrupt doesn't help. Work around this apparent erratum by instead checking the TXMTY bit in the STATF register ("TX FIFO empty"). We know that we've queued up a packet for transmission if priv->tx_len is nonzero. If the TX FIFO is empty, transmission of that packet must have completed. Note that this is congruent with our handling of received packets, which likewise gleans from the STATF register whether a packet is waiting in the RX FIFO, instead of looking at the INTF register. Cc: Mathias Duckeck Cc: Akshay Bhat Cc: Casey Fitzpatrick Cc: stable@vger.kernel.org # v4.12+ Signed-off-by: Lukas Wunner Acked-by: Akshay Bhat Signed-off-by: Marc Kleine-Budde drivers/net/can/spi/hi311x.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 5cec9425b41dcf834c3d48776900d6acb7e96f38 Author: Lukas Wunner Date: Wed May 9 14:38:43 2018 +0200 can: hi311x: Acquire SPI lock on ->do_get_berr_counter hi3110_get_berr_counter() may run concurrently to the rest of the driver but neglects to acquire the lock protecting access to the SPI device. As a result, it and the rest of the driver may clobber each other's tx and rx buffers. We became aware of this issue because transmission of packets with "cangen -g 0 -i -x" frequently hung. It turns out that agetty executes ->do_get_berr_counter every few seconds via the following call stack: CPU: 2 PID: 1605 Comm: agetty [<7f3f7500>] (hi3110_get_berr_counter [hi311x]) [<7f130204>] (can_fill_info [can_dev]) [<80693bc0>] (rtnl_fill_ifinfo) [<806949ec>] (rtnl_dump_ifinfo) [<806b4834>] (netlink_dump) [<806b4bc8>] (netlink_recvmsg) [<8065f180>] (sock_recvmsg) [<80660f90>] (___sys_recvmsg) [<80661e7c>] (__sys_recvmsg) [<80661ec0>] (SyS_recvmsg) [<80108b20>] (ret_fast_syscall+0x0/0x1c) agetty listens to netlink messages in order to update the login prompt when IP addresses change (if /etc/issue contains \4 or \6 escape codes): https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=e36deb6424e8 It's a useful feature, though it seems questionable that it causes CAN bit error statistics to be queried. Be that as it may, if hi3110_get_berr_counter() is invoked while a frame is sent by hi3110_hw_tx(), bogus SPI transfers like the following may occur: => 12 00 (hi3110_get_berr_counter() wanted to transmit EC 00 to query the transmit error counter, but the first byte was overwritten by hi3110_hw_tx_frame()) => EA 00 3E 80 01 FB (hi3110_hw_tx_frame() wanted to transmit a frame, but the first byte was overwritten by hi3110_get_berr_counter() because it wanted to query the receive error counter) This sequence hangs the transmission because the driver believes it has sent a frame and waits for the interrupt signaling completion, but in reality the chip has never sent away the frame since the commands it received were malformed. Fix by acquiring the SPI lock in hi3110_get_berr_counter(). I've scrutinized the entire driver for further unlocked SPI accesses but found no others. Cc: Mathias Duckeck Cc: Akshay Bhat Cc: Casey Fitzpatrick Cc: Stef Walter Cc: Karel Zak Cc: stable@vger.kernel.org # v4.12+ Signed-off-by: Lukas Wunner Reviewed-by: Akshay Bhat Signed-off-by: Marc Kleine-Budde drivers/net/can/spi/hi311x.c | 2 ++ 1 file changed, 2 insertions(+) commit 28700a36232ba61fb6ac59466821546cb25aec69 Author: Mike Snitzer Date: Thu May 10 11:18:49 2018 -0400 dm thin: update Documentation to clarify when "read_only" is valid Due to user confusion, clarify that it doesn't make sense to try to create a thin-pool with "read_only" mode enabled. Signed-off-by: Mike Snitzer Documentation/device-mapper/thin-provisioning.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit cfcadfaad7251d8b640713724b388164d75465b2 Author: Rafael J. Wysocki Date: Wed May 9 00:18:32 2018 +0200 PCI / PM: Check device_may_wakeup() in pci_enable_wake() Commit 0847684cfc5f0 (PCI / PM: Simplify device wakeup settings code) went too far and dropped the device_may_wakeup() check from pci_enable_wake() which causes wakeup to be enabled during system suspend, hibernation or shutdown for some PCI devices that are not allowed by user space to wake up the system from sleep (or power off). As a result of this, excessive power is drawn by some of the affected systems while in sleep states or off. Restore the device_may_wakeup() check in pci_enable_wake(), but make sure that the PCI bus type's runtime suspend callback will not call device_may_wakeup() which is about system wakeup from sleep and not about device wakeup from runtime suspend. Fixes: 0847684cfc5f0 (PCI / PM: Simplify device wakeup settings code) Reported-by: Joseph Salisbury Cc: 4.13+ # 4.13+ Signed-off-by: Rafael J. Wysocki Acked-by: Bjorn Helgaas drivers/pci/pci.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) commit 8ba0f9bd3bdea1058c2b2676bec7905724418e40 Author: Sven Eckelmann Date: Wed May 9 21:07:40 2018 +0200 batman-adv: Avoid race in TT TVLV allocator helper The functions batadv_tt_prepare_tvlv_local_data and batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer which can be used to store the TVLV container for TT and add the VLAN information to it. This will be done in three phases: 1. count the number of VLANs and their entries 2. allocate the buffer using the counters from the previous step and limits from the caller (parameter tt_len) 3. insert the VLAN information to the buffer The step 1 and 3 operate on a list which contains the VLANs. The access to these lists must be protected with an appropriate lock or otherwise they might operate on on different entries. This could for example happen when another context is adding VLAN entries to this list. This could lead to a buffer overflow in these functions when enough entries were added between step 1 and 3 to the VLAN lists that the buffer room for the entries (*tt_change) is smaller then the now required extra buffer for new VLAN entries. Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann Acked-by: Antonio Quartulli Signed-off-by: Simon Wunderlich net/batman-adv/translation-table.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 7fc6311b174091e3283c28381e58bed3d12b6591 Author: Rex Zhu Date: Thu May 10 19:51:09 2018 +0800 drm/amd/pp: Fix performance drop on Fiji The performance drop if the default TDP more than 256 Watt Reviewed-by: Alex Deucher Reviewed-by: Junwei Zhang Signed-off-by: Rex Zhu Signed-off-by: Alex Deucher drivers/gpu/drm/amd/powerplay/hwmgr/smu7_powertune.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 94f6a80c0c11828cb7b3d79294459dd8d761ca89 Author: Ying Xue Date: Tue May 8 21:44:06 2018 +0800 tipc: eliminate KMSAN uninit-value in strcmp complaint When we get link properties through netlink interface with tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME attribute at all, instead we directly use it. As a consequence, KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized value, and then posted the following complaint: ================================================================== BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329 CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 strcmp+0xf7/0x160 lib/string.c:329 tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881 genl_family_rcv_msg net/netlink/genetlink.c:599 [inline] genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447 genl_rcv+0x63/0x80 net/netlink/genetlink.c:635 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x445589 RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589 RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003 RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc_node mm/slub.c:2737 [inline] __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:984 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 ================================================================== To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been validated in tipc_nl_node_get_link() before it's used. Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com Signed-off-by: Ying Xue Signed-off-by: David S. Miller net/tipc/node.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) commit 4a026da91caaa36004a53a844dd00959370ea8fc Author: Sun Lianwen Date: Tue May 8 09:49:38 2018 +0800 net/9p: correct some comment errors in 9p file system code There are follow comment errors: 1 The function name is wrong in p9_release_pages() comment. 2 The function name and variable name is wrong in p9_poll_workfn() comment. 3 There is no variable dm_mr and lkey in struct p9_trans_rdma. 4 The function name is wrong in rdma_create_trans() comment. 5 There is no variable initialized in struct virtio_chan. 6 The variable name is wrong in p9_virtio_zc_request() comment. Signed-off-by: Sun Lianwen Reviewed-by: Randy Dunlap Reviewed-by: Randy Dunlap Signed-off-by: David S. Miller net/9p/trans_common.c | 2 +- net/9p/trans_fd.c | 4 ++-- net/9p/trans_rdma.c | 4 +--- net/9p/trans_virtio.c | 5 ++--- 4 files changed, 6 insertions(+), 9 deletions(-) commit 06cb616b1bca7080824acfedb3d4c898e7a64836 Author: Alexander Monakov Date: Sat Apr 28 16:56:06 2018 +0300 i2c: designware: fix poll-after-enable regression Not all revisions of DW I2C controller implement the enable status register. On platforms where that's the case (e.g. BG2CD and SPEAr ARM SoCs), waiting for enable will time out as reading the unimplemented register yields zero. It was observed that reading the IC_ENABLE_STATUS register once suffices to avoid getting it stuck on Bay Trail hardware, so replace polling with one dummy read of the register. Fixes: fba4adbbf670 ("i2c: designware: must wait for enable") Signed-off-by: Alexander Monakov Tested-by: Ben Gardner Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/busses/i2c-designware-master.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit fc218544fbc800d1c91348ec834cacfb257348f7 Author: Ilya Dryomov Date: Fri May 4 16:57:31 2018 +0200 ceph: fix iov_iter issues in ceph_direct_read_write() dio_get_pagev_size() and dio_get_pages_alloc() introduced in commit b5b98989dc7e ("ceph: combine as many iovec as possile into one OSD request") assume that the passed iov_iter is ITER_IOVEC. This isn't the case with splice where it ends up poking into the guts of ITER_BVEC or ITER_PIPE iterators, causing lockups and crashes easily reproduced with generic/095. Rather than trying to figure out gap alignment and stuff pages into a page vector, add a helper for going from iov_iter to a bio_vec array and make use of the new CEPH_OSD_DATA_TYPE_BVECS code. Fixes: b5b98989dc7e ("ceph: combine as many iovec as possile into one OSD request") Link: http://tracker.ceph.com/issues/18130 Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton Reviewed-by: "Yan, Zheng" Tested-by: Luis Henriques fs/ceph/file.c | 195 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 117 insertions(+), 78 deletions(-) commit 0010f7052d6cb71c4b120238e28cd3fa413913d1 Author: Ilya Dryomov Date: Fri May 4 16:57:30 2018 +0200 libceph: add osd_req_op_extent_osd_data_bvecs() ... and store num_bvecs for client code's convenience. Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton Reviewed-by: "Yan, Zheng" drivers/block/rbd.c | 4 +++- include/linux/ceph/osd_client.h | 12 ++++++++++-- net/ceph/osd_client.c | 27 +++++++++++++++++++++++---- 3 files changed, 36 insertions(+), 7 deletions(-) commit 3a15b38fd2efc1d648cb33186bf71e9138c93491 Author: Ilya Dryomov Date: Thu May 3 16:10:09 2018 +0200 ceph: fix rsize/wsize capping in ceph_direct_read_write() rsize/wsize cap should be applied before ceph_osdc_new_request() is called. Otherwise, if the size is limited by the cap instead of the stripe unit, ceph_osdc_new_request() would setup an extent op that is bigger than what dio_get_pages_alloc() would pin and add to the page vector, triggering asserts in the messenger. Cc: stable@vger.kernel.org Fixes: 95cca2b44e54 ("ceph: limit osd write size") Signed-off-by: Ilya Dryomov Reviewed-by: "Yan, Zheng" fs/ceph/file.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 3057fcef385348fe85173f1b0c824d89f1176f72 Author: Boris Brezillon Date: Fri May 4 21:24:31 2018 +0200 mtd: rawnand: Make sure we wait tWB before polling the STATUS reg NAND chips require a bit of time to take the NAND operation into account and set the BUSY bit in the STATUS reg. Make sure we don't poll the STATUS reg too early in nand_soft_waitrdy(). Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation") Cc: Signed-off-by: Boris Brezillon Acked-by: Miquel Raynal drivers/mtd/nand/raw/nand_base.c | 5 +++++ 1 file changed, 5 insertions(+) commit 7c2b134110a6af3bfe574efdb23ee04c047dc311 Merge: 5c0e0b4 352672d Author: Dave Airlie Date: Thu May 10 13:48:52 2018 +1000 Merge branch 'linux-4.17' of git://github.com/skeggsb/linux into drm-fixes Two nouveau crasher/deadlock fixes. * 'linux-4.17' of git://github.com/skeggsb/linux: drm/nouveau: Fix deadlock in nv50_mstm_register_connector() drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client commit 352672db857290ab5b0e2b6a99c414f92bee024c Author: Lyude Paul Date: Wed May 2 19:38:48 2018 -0400 drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Currently; we're grabbing all of the modesetting locks before adding MST connectors to fbdev. This isn't actually necessary, and causes a deadlock as well: ====================================================== WARNING: possible circular locking dependency detected 4.17.0-rc3Lyude-Test+ #1 Tainted: G O ------------------------------------------------------ kworker/1:0/18 is trying to acquire lock: 00000000c832f62d (&helper->lock){+.+.}, at: drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] but task is already holding lock: 00000000942e28e2 (crtc_ww_class_mutex){+.+.}, at: drm_modeset_backoff+0x8e/0x1c0 [drm] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (crtc_ww_class_mutex){+.+.}: ww_mutex_lock+0x43/0x80 drm_modeset_lock+0x71/0x130 [drm] drm_helper_probe_single_connector_modes+0x7d/0x6b0 [drm_kms_helper] drm_setup_crtcs+0x15e/0xc90 [drm_kms_helper] __drm_fb_helper_initial_config_and_unlock+0x29/0x480 [drm_kms_helper] nouveau_fbcon_init+0x138/0x1a0 [nouveau] nouveau_drm_load+0x173/0x7e0 [nouveau] drm_dev_register+0x134/0x1c0 [drm] drm_get_pci_dev+0x8e/0x160 [drm] nouveau_drm_probe+0x1a9/0x230 [nouveau] pci_device_probe+0xcd/0x150 driver_probe_device+0x30b/0x480 __driver_attach+0xbc/0xe0 bus_for_each_dev+0x67/0x90 bus_add_driver+0x164/0x260 driver_register+0x57/0xc0 do_one_initcall+0x4d/0x323 do_init_module+0x5b/0x1f8 load_module+0x20e5/0x2ac0 __do_sys_finit_module+0xb7/0xd0 do_syscall_64+0x60/0x1b0 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #2 (crtc_ww_class_acquire){+.+.}: drm_helper_probe_single_connector_modes+0x58/0x6b0 [drm_kms_helper] drm_setup_crtcs+0x15e/0xc90 [drm_kms_helper] __drm_fb_helper_initial_config_and_unlock+0x29/0x480 [drm_kms_helper] nouveau_fbcon_init+0x138/0x1a0 [nouveau] nouveau_drm_load+0x173/0x7e0 [nouveau] drm_dev_register+0x134/0x1c0 [drm] drm_get_pci_dev+0x8e/0x160 [drm] nouveau_drm_probe+0x1a9/0x230 [nouveau] pci_device_probe+0xcd/0x150 driver_probe_device+0x30b/0x480 __driver_attach+0xbc/0xe0 bus_for_each_dev+0x67/0x90 bus_add_driver+0x164/0x260 driver_register+0x57/0xc0 do_one_initcall+0x4d/0x323 do_init_module+0x5b/0x1f8 load_module+0x20e5/0x2ac0 __do_sys_finit_module+0xb7/0xd0 do_syscall_64+0x60/0x1b0 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #1 (&dev->mode_config.mutex){+.+.}: drm_setup_crtcs+0x10c/0xc90 [drm_kms_helper] __drm_fb_helper_initial_config_and_unlock+0x29/0x480 [drm_kms_helper] nouveau_fbcon_init+0x138/0x1a0 [nouveau] nouveau_drm_load+0x173/0x7e0 [nouveau] drm_dev_register+0x134/0x1c0 [drm] drm_get_pci_dev+0x8e/0x160 [drm] nouveau_drm_probe+0x1a9/0x230 [nouveau] pci_device_probe+0xcd/0x150 driver_probe_device+0x30b/0x480 __driver_attach+0xbc/0xe0 bus_for_each_dev+0x67/0x90 bus_add_driver+0x164/0x260 driver_register+0x57/0xc0 do_one_initcall+0x4d/0x323 do_init_module+0x5b/0x1f8 load_module+0x20e5/0x2ac0 __do_sys_finit_module+0xb7/0xd0 do_syscall_64+0x60/0x1b0 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&helper->lock){+.+.}: __mutex_lock+0x70/0x9d0 drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] nv50_mstm_register_connector+0x2c/0x50 [nouveau] drm_dp_add_port+0x2f5/0x420 [drm_kms_helper] drm_dp_send_link_address+0x155/0x1e0 [drm_kms_helper] drm_dp_add_port+0x33f/0x420 [drm_kms_helper] drm_dp_send_link_address+0x155/0x1e0 [drm_kms_helper] drm_dp_check_and_send_link_address+0x87/0xd0 [drm_kms_helper] drm_dp_mst_link_probe_work+0x4d/0x80 [drm_kms_helper] process_one_work+0x20d/0x650 worker_thread+0x3a/0x390 kthread+0x11e/0x140 ret_from_fork+0x3a/0x50 other info that might help us debug this: Chain exists of: &helper->lock --> crtc_ww_class_acquire --> crtc_ww_class_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(crtc_ww_class_mutex); lock(crtc_ww_class_acquire); lock(crtc_ww_class_mutex); lock(&helper->lock); *** DEADLOCK *** 5 locks held by kworker/1:0/18: #0: 000000004a05cd50 ((wq_completion)"events_long"){+.+.}, at: process_one_work+0x187/0x650 #1: 00000000601c11d1 ((work_completion)(&mgr->work)){+.+.}, at: process_one_work+0x187/0x650 #2: 00000000586ca0df (&dev->mode_config.mutex){+.+.}, at: drm_modeset_lock_all+0x3a/0x1b0 [drm] #3: 00000000d3ca0ffa (crtc_ww_class_acquire){+.+.}, at: drm_modeset_lock_all+0x44/0x1b0 [drm] #4: 00000000942e28e2 (crtc_ww_class_mutex){+.+.}, at: drm_modeset_backoff+0x8e/0x1c0 [drm] stack backtrace: CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G O 4.17.0-rc3Lyude-Test+ #1 Hardware name: Gateway FX6840/FX6840, BIOS P01-A3 05/17/2010 Workqueue: events_long drm_dp_mst_link_probe_work [drm_kms_helper] Call Trace: dump_stack+0x85/0xcb print_circular_bug.isra.38+0x1ce/0x1db __lock_acquire+0x128f/0x1350 ? lock_acquire+0x9f/0x200 ? lock_acquire+0x9f/0x200 ? __ww_mutex_lock.constprop.13+0x8f/0x1000 lock_acquire+0x9f/0x200 ? drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] ? drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] __mutex_lock+0x70/0x9d0 ? drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] ? ww_mutex_lock+0x43/0x80 ? _cond_resched+0x15/0x30 ? ww_mutex_lock+0x43/0x80 ? drm_modeset_lock+0xb2/0x130 [drm] ? drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] drm_fb_helper_add_one_connector+0x2a/0x60 [drm_kms_helper] nv50_mstm_register_connector+0x2c/0x50 [nouveau] drm_dp_add_port+0x2f5/0x420 [drm_kms_helper] ? mark_held_locks+0x50/0x80 ? kfree+0xcf/0x2a0 ? drm_dp_check_mstb_guid+0xd6/0x120 [drm_kms_helper] ? trace_hardirqs_on_caller+0xed/0x180 ? drm_dp_check_mstb_guid+0xd6/0x120 [drm_kms_helper] drm_dp_send_link_address+0x155/0x1e0 [drm_kms_helper] drm_dp_add_port+0x33f/0x420 [drm_kms_helper] ? nouveau_connector_aux_xfer+0x7c/0xb0 [nouveau] ? find_held_lock+0x2d/0x90 ? drm_dp_dpcd_access+0xd9/0xf0 [drm_kms_helper] ? __mutex_unlock_slowpath+0x3b/0x280 ? drm_dp_dpcd_access+0xd9/0xf0 [drm_kms_helper] drm_dp_send_link_address+0x155/0x1e0 [drm_kms_helper] drm_dp_check_and_send_link_address+0x87/0xd0 [drm_kms_helper] drm_dp_mst_link_probe_work+0x4d/0x80 [drm_kms_helper] process_one_work+0x20d/0x650 worker_thread+0x3a/0x390 ? process_one_work+0x650/0x650 kthread+0x11e/0x140 ? kthread_create_worker_on_cpu+0x50/0x50 ret_from_fork+0x3a/0x50 Taking example from i915, the only time we need to hold any modesetting locks is when changing the port on the mstc, and in that case we only need to hold the connection mutex. Signed-off-by: Lyude Paul Cc: Karol Herbst Cc: stable@vger.kernel.org Signed-off-by: Lyude Paul Signed-off-by: Ben Skeggs drivers/gpu/drm/nouveau/nv50_display.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 0d5a03c3d9254813ca76d7886ff9ed76a0aea545 Author: Ben Skeggs Date: Tue May 8 20:39:47 2018 +1000 drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client Potentially responsible for some random OOPSes. Signed-off-by: Ben Skeggs Cc: stable@vger.kernel.org [v4.15+] drivers/gpu/drm/nouveau/nouveau_bo.c | 1 - drivers/gpu/drm/nouveau/nouveau_bo.h | 2 -- drivers/gpu/drm/nouveau/nouveau_ttm.c | 6 +++--- 3 files changed, 3 insertions(+), 6 deletions(-) commit 5c0e0b45c4936295d6333dd7961d0b89b15b070d Merge: 44ef02c 639f790 Author: Dave Airlie Date: Thu May 10 11:28:46 2018 +1000 Merge branch 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux into drm-fixes A little bigger than normal since this is two weeks of fixes. - Atom firmware table updates for vega12 - Fix fallout from huge page support - Fix up smu7 power profile interface to be consistent with vega - Misc other fixes * 'drm-fixes-4.17' of git://people.freedesktop.org/~agd5f/linux: drm/amd/pp: Refine the output of pp_power_profile_mode on VI drm/amdgpu: Switch to interruptable wait to recover from ring hang. drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages drm/amd/display: Use kvzalloc for potentially large allocations drm/amd/display: Don't return ddc result and read_bytes in same return value drm/amd/display: Add get_firmware_info_v3_2 for VG12 drm/amd: Add BIOS smu_info v3_3 required struct def. drm/amd/display: Add VG12 ASIC IDs commit 44ef02c241e7c99af77b408d52af708aa159e968 Merge: 03a0a3e 9a0e980 Author: Dave Airlie Date: Thu May 10 11:28:27 2018 +1000 Merge tag 'drm-misc-fixes-2018-05-09' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes atomic: Clear state pointers on clear (Ville) vc4: Fix oops in dpi disable (Eric) omap: Various error-checking + uninitialized var fixes (Tomi) Cc: Ville Syrjälä Cc: Eric Anholt Cc: Tomi Valkeinen * tag 'drm-misc-fixes-2018-05-09' of git://anongit.freedesktop.org/drm/drm-misc: drm/vc4: Fix scaling of uni-planar formats drm/bridge/sii8620: add Kconfig dependency on extcon drm/omap: handle alloc failures in omap_connector drm/omap: add missing linefeeds to prints drm/omap: handle error if scale coefs are not found drm/omap: check return value from soc_device_match drm/omap: fix possible NULL ref issue in tiler_reserve_2d drm/omap: fix uninitialized ret variable drm/omap: silence unititialized variable warning drm/vc4: Fix oops dereferencing DPI's connector since panel_bridge. drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() commit 03a0a3e572dc05f266672e0e72c7f47aee96db8d Merge: 87bf742 e8f48f9 Author: Dave Airlie Date: Thu May 10 11:27:47 2018 +1000 Merge tag 'drm-intel-fixes-2018-05-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Increase LVDS panel timeout to 5s to avoid spurious *ERROR* - Fix 2 WARNS: BIOS framebuffer related (FDO #105992) and eDP cdclk mismatch * tag 'drm-intel-fixes-2018-05-09' of git://anongit.freedesktop.org/drm/drm-intel: drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log drm/i915: Correctly populate user mode h/vdisplay with pipe src size during readout drm/i915: Adjust eDP's logical vco in a reliable place. commit 87bf742b080f4f23e5005e24db4c99c23715a780 Merge: dec60f3 6f2db7d Author: Dave Airlie Date: Thu May 10 11:27:04 2018 +1000 Merge tag 'exynos-drm-fixes-for-v4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes Fixup pagefault issue of mixer driver - it makes sure to check shadow register for interlace scan. - it corrects chroma_addr[1], height and vertical position values. And trivial cleanup - it just removes duplicated drm_bridge_attach. * tag 'exynos-drm-fixes-for-v4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos: drm/exynos: hdmi: avoid duplicating drm_bridge_attach drm/exynos: mixer: avoid Oops in vp_video_buffer() drm/exynos/mixer: fix synchronization check in interlaced mode commit dec60f3a9b7251f2657d743d96ba9a83dca02351 Author: Mathieu Malaterre Date: Sat May 5 21:54:05 2018 +0200 agp: uninorth: make two functions static Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made static. So make them. Silence the following gcc warning (W=1): drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes] and drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Signed-off-by: Dave Airlie drivers/char/agp/uninorth-agp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 008464a9360e31b14677457dcd976fbf9dd58e2e Merge: 036db8b 070b963 Author: Linus Torvalds Date: Wed May 9 10:49:52 2018 -1000 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid Pull HID fixes from Jiri Kosina: - quirk for Toshiba Click Mini L9W-B, from Hans de Goede - intel-ish-hid and wacom error handling (device freeing) path fixes from Arvind Yadav - memory corruption fix in intel-ish-hid driver from Hans de Goede - a few new device ID additions to hid-lenovo from Peter Ganzhorn * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B HID: intel-ish-hid: use put_device() instead of kfree() HID: intel_ish-hid: Stop using a static local buffer in get_report() HID: intel_ish-hid: Move header size check to inside the loop HID: wacom: Release device resource data obtained by devres_alloc() HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice commit 639f790223e62339b9cb7319ea3fae9e02c39bdb Author: Rex Zhu Date: Mon May 7 14:23:04 2018 +0800 drm/amd/pp: Refine the output of pp_power_profile_mode on VI In order to keep consist with Vega, the output format of the pp_power_profile_mode would be < “*” for current profile>:"detail settings" and remove the "CURRENT" mode line. for example: NUM MODE_NAME SCLK_UP_HYST SCLK_DOWN_HYST SCLK_ACTIVE_LEVEL MCLK_UP_HYST MCLK_DOWN_HYST MCLK_ACTIVE_LEVEL 0 3D_FULL_SCREEN: 0 100 30 0 100 10 1 POWER_SAVING: 10 0 30 - - - 2 VIDEO: - - - 10 16 31 3 VR: 0 11 50 0 100 10 4 COMPUTE: 0 5 30 - - - 5 CUSTOM *: 0 5 30 0 100 10 NUM MODE_NAME SCLK_UP_HYST SCLK_DOWN_HYST SCLK_ACTIVE_LEVEL MCLK_UP_HYST MCLK_DOWN_HYST MCLK_ACTIVE_LEVEL 0 3D_FULL_SCREEN: 0 100 30 0 100 10 1 POWER_SAVING *: 10 0 30 0 100 10 2 VIDEO: - - - 10 16 31 3 VR: 0 11 50 0 100 10 4 COMPUTE: 0 5 30 - - - 5 CUSTOM: - - - - - - Reviewed-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Rex Zhu Signed-off-by: Alex Deucher drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 52 +++++++++++------------- drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.h | 1 - 2 files changed, 23 insertions(+), 30 deletions(-) commit e6a5b9f9aee145c2f2c24431d84edfbb0d49eea5 Author: Andrey Grodzovsky Date: Mon Apr 30 10:04:42 2018 -0400 drm/amdgpu: Switch to interruptable wait to recover from ring hang. v2: Use dma_fence_wait instead of dma_fence_wait_timeout(...,MAX_SCHEDULE_TIMEOUT) Avoid printing error message for ERESTARTSYS Originally-by: David Panariti Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Signed-off-by: Alex Deucher drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit da291320baec914f0bb4e65a9dccb86bd6c728f2 Author: Michel Dänzer Date: Wed Apr 25 17:32:10 2018 +0200 drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages GFP_TRANSHUGE tries very hard to allocate huge pages, which can result in long delays with high memory pressure. I have observed firefox freezing for up to around a minute due to this while restic was taking a full system backup. Since we don't really need huge pages, use GFP_TRANSHUGE_LIGHT | __GFP_NORETRY instead, in order to fail quickly when there are no huge pages available. Set __GFP_KSWAPD_RECLAIM as well, in order for huge pages to be freed up in the background if necessary. With these changes, I'm no longer seeing freezes during a restic backup. Cc: stable@vger.kernel.org Reviewed-by: Christian König Signed-off-by: Michel Dänzer Signed-off-by: Alex Deucher drivers/gpu/drm/ttm/ttm_page_alloc.c | 11 ++++++++--- drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 3 ++- 2 files changed, 10 insertions(+), 4 deletions(-) commit bd4caed47a19f25fe8674344ea06d469c27ac314 Author: Michel Dänzer Date: Tue Apr 17 12:25:22 2018 +0200 drm/amd/display: Use kvzalloc for potentially large allocations Allocating up to 32 physically contiguous pages can easily fail (and has failed for me), and isn't necessary anyway. Reviewed-by: Harry Wentland Signed-off-by: Michel Dänzer Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 14 ++--- .../drm/amd/display/modules/color/color_gamma.c | 72 ++++++++++++---------- 2 files changed, 45 insertions(+), 41 deletions(-) commit 018d82e5f02ef3583411bcaa4e00c69786f46f19 Author: Harry Wentland Date: Tue Apr 24 10:49:20 2018 -0400 drm/amd/display: Don't return ddc result and read_bytes in same return value The two ranges overlap. Signed-off-by: Harry Wentland Acked-by: Alex Deucher Signed-off-by: Alex Deucher .../drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 20 ++++++++++++-------- drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c | 10 +++++++--- drivers/gpu/drm/amd/display/dc/inc/dc_link_ddc.h | 5 +++-- 3 files changed, 22 insertions(+), 13 deletions(-) commit 6e65fb862064663ad3a08f964af1e8f3f2abf688 Author: Harry Wentland Date: Fri Apr 20 10:56:18 2018 -0400 drm/amd/display: Add get_firmware_info_v3_2 for VG12 Signed-off-by: Harry Wentland Acked-by: Alex Deucher Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 86 +++++++++++++++++++++- 1 file changed, 85 insertions(+), 1 deletion(-) commit 60a5205fb5f3da3907b8b53561571a790e7b1e70 Author: Jerry (Fangzhi) Zuo Date: Mon Mar 5 14:59:57 2018 -0500 drm/amd: Add BIOS smu_info v3_3 required struct def. Signed-off-by: Jerry (Fangzhi) Zuo Reviewed-by: Harry Wentland Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher drivers/gpu/drm/amd/include/atomfirmware.h | 170 ++++++++++++++++++++++++++++- 1 file changed, 168 insertions(+), 2 deletions(-) commit c5191133405ac317d20d23c8510416e18842031d Author: Harry Wentland Date: Fri Apr 20 11:05:07 2018 -0400 drm/amd/display: Add VG12 ASIC IDs Signed-off-by: Harry Wentland Acked-by: Alex Deucher Signed-off-by: Alex Deucher drivers/gpu/drm/amd/display/include/dal_asic_id.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit dd0792699c4058e63c0715d9a7c2d40226fcdddc Author: Borislav Petkov Date: Tue May 8 15:43:45 2018 +0200 Documentation/spec_ctrl: Do some minor cleanups Fix some typos, improve formulations, end sentences with a fullstop. Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Documentation/userspace-api/spec_ctrl.rst | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) commit e96f46ee8587607a828f783daa6eb5b44d25004d Author: Konrad Rzeszutek Wilk Date: Wed May 9 21:41:38 2018 +0200 proc: Use underscores for SSBD in 'status' The style for the 'status' file is CamelCase or this. _. Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations") Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9f65fb29374ee37856dbad847b4e121aab72b510 Author: Konrad Rzeszutek Wilk Date: Wed May 9 21:41:38 2018 +0200 x86/bugs: Rename _RDS to _SSBD Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2] as SSBD (Speculative Store Bypass Disable). Hence changing it. It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name is going to be. Following the rename it would be SSBD_NO but that rolls out to Speculative Store Bypass Disable No. Also fixed the missing space in X86_FEATURE_AMD_SSBD. [ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ] Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Thomas Gleixner arch/x86/include/asm/cpufeatures.h | 4 ++-- arch/x86/include/asm/msr-index.h | 10 +++++----- arch/x86/include/asm/spec-ctrl.h | 12 ++++++------ arch/x86/include/asm/thread_info.h | 6 +++--- arch/x86/kernel/cpu/amd.c | 14 +++++++------- arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++++++++------------------ arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/process.c | 8 ++++---- arch/x86/kvm/cpuid.c | 2 +- arch/x86/kvm/vmx.c | 6 +++--- 11 files changed, 51 insertions(+), 51 deletions(-) commit ae2cd7fb478b8da707906ee1706ae1379968a8f9 Author: Paulo Alcantara Date: Fri May 4 11:25:26 2018 -0300 cifs: smb2ops: Fix listxattr() when there are no EAs As per listxattr(2): On success, a nonnegative number is returned indicating the size of the extended attribute name list. On failure, -1 is returned and errno is set appropriately. In SMB1, when the server returns an empty EA list through a listxattr(), it will correctly return 0 as there are no EAs for the given file. However, in SMB2+, it returns -ENODATA in listxattr() which is wrong since the request and response were sent successfully, although there's no actual EA for the given file. This patch fixes listxattr() for SMB2+ by returning 0 in cifs_listxattr() when the server returns an empty list of EAs. Signed-off-by: Paulo Alcantara Reviewed-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/smb2ops.c | 6 ++++++ 1 file changed, 6 insertions(+) commit f7c439668a291ca94f358e44d3a3e9f2a2524b8a Author: Long Li Date: Wed Apr 25 11:30:05 2018 -0700 cifs: smbd: Enable signing with smbdirect Now signing is supported with RDMA transport. Remove the code that disabled it. Signed-off-by: Long Li Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg fs/cifs/connect.c | 8 -------- fs/cifs/smb2pdu.c | 5 ----- 2 files changed, 13 deletions(-) commit 2796d303e3c5ec213c578ed3a66872205c126eb8 Author: Long Li Date: Wed Apr 25 11:30:04 2018 -0700 cifs: Allocate validate negotiation request through kmalloc The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will return an invalid DMA address for a buffer on stack. Even worse, this incorrect address can't be detected by ib_dma_mapping_error. Sending data from this address to hardware will not fail, but the remote peer will get junk data. Fix this by allocating the request on the heap in smb3_validate_negotiate. Changes in v2: Removed duplicated code on freeing buffers on function exit. (Thanks to Parav Pandit ) Fixed typo in the patch title. Changes in v3: Added "Fixes" to the patch. Changed several sizeof() to use *pointer in place of struct. Changes in v4: Added detailed comments on the failure through RDMA. Allocate request buffer using GPF_NOFS. Fixed possible memory leak. Changes in v5: Removed variable ret for checking return value. Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf. Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") Signed-off-by: Long Li Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg Reviewed-by: Tom Talpey fs/cifs/smb2pdu.c | 68 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 30 deletions(-) commit 26aeb9daa02cd37178321cf915efd3d5eb8b0511 Author: Jakub Kicinski Date: Tue May 8 19:42:40 2018 -0700 nfp: bpf: allow zero-length capabilities Some BPF capabilities carry no value, they simply indicate feature is present. Our capability parsing loop will exit early if last capability is zero-length because it's looking for more than 8 bytes of data (8B is our TLV header length). Allow the last capability to be zero-length. This bug would lead to driver failing to probe with the following error if the last capability FW advertises is zero-length: nfp: BPF capabilities left after parsing, parsed:92 total length:100 nfp: invalid BPF capabilities at offset:92 Note the "parsed" and "length" values are 8 apart. No shipping FW runs into this issue, but we can't guarantee that will remain the case. Fixes: 77a844ee650c ("nfp: bpf: prepare for parsing BPF FW capabilities") Signed-off-by: Jakub Kicinski Reviewed-by: Quentin Monnet Signed-off-by: Daniel Borkmann drivers/net/ethernet/netronome/nfp/bpf/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4c0330208f6bfe5285bae239fdb2a7ec1ce1f78d Merge: 7781eda 76aa3de Author: Wolfram Sang Date: Wed May 9 17:40:44 2018 +0200 Merge tag 'at24-4.17-rc5-fixes-for-wolfram' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-current Single bug-fix for a regression introduced during the 4.17 merge window. commit 76aa3de7095f15af7300012cb29ea8ab93eec348 Author: Bartosz Golaszewski Date: Mon May 7 12:08:37 2018 +0200 eeprom: at24: fix retrieving the at24_chip_data structure Commit feb2f19b1e8f ("eeprom: at24: move platform data processing into a separate routine") introduced a bug where we incorrectly retireve the at24_chip_data structure. Remove the unnecessary ampersand operator. Fixes: feb2f19b1e8f ("eeprom: at24: move platform data processing into a separate routine") Reported-by: Vadim Pasternak Signed-off-by: Bartosz Golaszewski drivers/misc/eeprom/at24.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9d569b1cf7a2a385770835df15f77dde587b58a3 Merge: 6da6c0d 76974ef Author: Greg Kroah-Hartman Date: Wed May 9 17:08:29 2018 +0200 Merge tag 'iio-fixes-for-4.17a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: First round of IIO fixes for the 4.17 cycle. * core - fix up some issues with overflow etc around wrong types for some fo the kfifo handling functions. Seems unlikely this would be triggered in reality but the fixes are simple so let's tidy them up. Second patch deals with checking the userspace value passed for length for potential overflow. * ad7793 - Catch up with changes to the ad_sigma_delta core and use read_raw / write_raw iwth IIO_CHAN_INFO_SAMP_FEW to handle sampling frequency control. * at91-sama5d2 - Channel config for differential channels was completely broken. - Missing Kconfig dependency for buffer support. * hid-sensor - Fix an issue with powering up after resume due to wrong reference counting. * stm32-dfsdm - Fix an issue with second writes of the oversampling settings failing. - Fix an issue with the sample rate being set to half of requested value when particular clock source is used. commit 3d69191086fc87f202c79eb8873b9c82c2bb065a Author: Christophe Jaillet Date: Tue May 8 07:44:27 2018 +0200 iw_cxgb4: Fix an error handling path in 'c4iw_get_dma_mr()' The error handling path of 'c4iw_get_dma_mr()' does not free resources in the correct order. If an error occures, it can leak 'mhp->wr_waitp'. Fixes: a3f12da0e99a ("iw_cxgb4: allocate wait object for each memory object") Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/mem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 43731753c4b7d832775cf6b2301dd0447a5a1851 Author: Andrew Boyer Date: Mon May 7 13:23:38 2018 -0400 RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint The current code sets an affinity hint with a cpumask_t stored on the stack. This value can then be accessed through /proc/irq/*/affinity_hint/, causing a segfault or returning corrupt data. Move the cpumask_t into struct i40iw_msix_vector so it is available later. Backtrace: BUG: unable to handle kernel paging request at ffffb16e600e7c90 IP: irq_affinity_hint_proc_show+0x60/0xf0 PGD 17c0c6d067 PUD 17c0c6e067 PMD 15d4a0e067 PTE 0 Oops: 0000 [#1] SMP Modules linked in: ... CPU: 3 PID: 172543 Comm: grep Tainted: G OE ... #1 Hardware name: ... task: ffff9a5caee08000 task.stack: ffffb16e659d8000 RIP: 0010:irq_affinity_hint_proc_show+0x60/0xf0 RSP: 0018:ffffb16e659dbd20 EFLAGS: 00010086 RAX: 0000000000000246 RBX: ffffb16e659dbd20 RCX: 0000000000000000 RDX: ffffb16e600e7c90 RSI: 0000000000000003 RDI: 0000000000000046 RBP: ffffb16e659dbd88 R08: 0000000000000038 R09: 0000000000000001 R10: 0000000070803079 R11: 0000000000000000 R12: ffff9a59d1d97a00 R13: ffff9a5da47a6cd8 R14: ffff9a5da47a6c00 R15: ffff9a59d1d97a00 FS: 00007f946c31d740(0000) GS:ffff9a5dc1800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffb16e600e7c90 CR3: 00000016a4339000 CR4: 00000000007406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: seq_read+0x12d/0x430 ? sched_clock_cpu+0x11/0xb0 proc_reg_read+0x48/0x70 __vfs_read+0x37/0x140 ? security_file_permission+0xa0/0xc0 vfs_read+0x96/0x140 SyS_read+0x58/0xc0 do_syscall_64+0x5a/0x190 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x7f946bbc97e0 RSP: 002b:00007ffdd0c4ae08 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000096b000 RCX: 00007f946bbc97e0 RDX: 000000000096b000 RSI: 00007f946a2f0000 RDI: 0000000000000004 RBP: 0000000000001000 R08: 00007f946a2ef011 R09: 000000000000000a R10: 0000000000001000 R11: 0000000000000246 R12: 00007f946a2f0000 R13: 0000000000000004 R14: 0000000000000000 R15: 00007f946a2f0000 Code: b9 08 00 00 00 49 89 c6 48 89 df 31 c0 4d 8d ae d8 00 00 00 f3 48 ab 4c 89 ef e8 6c 9a 56 00 49 8b 96 30 01 00 00 48 85 d2 74 3f <48> 8b 0a 48 89 4d 98 48 8b 4a 08 48 89 4d a0 48 8b 4a 10 48 89 RIP: irq_affinity_hint_proc_show+0x60/0xf0 RSP: ffffb16e659dbd20 CR2: ffffb16e600e7c90 Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Signed-off-by: Andrew Boyer Reviewed-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw.h | 1 + drivers/infiniband/hw/i40iw/i40iw_main.c | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) commit 9f7b16afab9b47de471f4ef6a0c6c337f0a53566 Author: Andrew Boyer Date: Mon May 7 13:23:37 2018 -0400 RDMA/i40iw: Avoid reference leaks when processing the AEQ In this switch there is a reference held on the QP. 'continue' will grab the next event without releasing the reference, causing a leak. Change it to 'break' to drop the reference before grabbing the next event. Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Signed-off-by: Andrew Boyer Reviewed-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_hw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a75895b1ebd944a7873cbf76d30de8720955f8b3 Author: Andrew Boyer Date: Mon May 7 13:23:36 2018 -0400 RDMA/i40iw: Avoid panic when objects are being created and destroyed A panic occurs when there is a newly-registered element on the QP/CQ MR list waiting to be attached, but a different MR is deregistered. The current code only checks for whether the list is empty, not whether the element being deregistered is actually on the list. Fix the panic by adding a boolean to track if the object is on the list. Fixes: d37498417947 ("i40iw: add files for iwarp interface") Signed-off-by: Andrew Boyer Reviewed-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_verbs.c | 11 +++++++++-- drivers/infiniband/hw/i40iw/i40iw_verbs.h | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) commit a0403be8af338c319b5176c1d2975d94a930a0bf Author: oulijun Date: Fri May 4 10:57:13 2018 +0800 RDMA/hns: Fix the bug with NULL pointer When the last QP of eight QPs is not exist in hns_roce_v1_mr_free_work_fn function, the print for qpn of hr_qp may introduce a calltrace for NULL pointer. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 79d442071a733057e4d9f28c90fbdb4f39d9fc23 Author: oulijun Date: Fri May 4 10:57:12 2018 +0800 RDMA/hns: Set NULL for __internal_mr This patch mainly configure value for __internal_mr of mr_free_pd. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 + 1 file changed, 1 insertion(+) commit 85e0274dc66430b0d0fad7ad01cbc0e0cbebf6dc Author: oulijun Date: Fri May 4 10:57:11 2018 +0800 RDMA/hns: Enable inner_pa_vld filed of mpt When enabled inner_pa_vld field of mpt, The pa0 and pa1 will be valid and the hardware will use it directly and not use base address of pbl. As a result, it can reduce the delay. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 ++ 1 file changed, 2 insertions(+) commit 90e7a4d5066240b75cdfd1bf8944ca36622153b1 Author: oulijun Date: Fri May 4 10:57:10 2018 +0800 RDMA/hns: Set desc_dma_addr for zero when free cmq desc In order to avoid illegal use for desc_dma_addr of ring, it needs to set it zero when free cmq desc. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 ++ 1 file changed, 2 insertions(+) commit 778cc5a8b75eee62d330059a2655b515cda43278 Author: oulijun Date: Fri May 4 10:57:09 2018 +0800 RDMA/hns: Fix the bug with rq sge When received multiply rq sge, it should tag the invalid lkey for the last non-zero length sge when have some sges' length are zero. This patch fixes it. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 391bd5fc7de54a5cb866e8897d60ee1d76b8840a Author: oulijun Date: Fri May 4 10:57:08 2018 +0800 RDMA/hns: Not support qp transition from reset to reset for hip06 Because hip06 hardware is not support for qp transition from reset to reset state, it need to return errno when qp transited from reset to reset. This patch fixes it. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_qp.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 2349fdd483ea933b223f3eca53ed42835383d316 Author: oulijun Date: Fri May 4 10:57:07 2018 +0800 RDMA/hns: Add return operation when configured global param fail When configure global param function run fail, it should directly return and the initial flow will stop. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 + 1 file changed, 1 insertion(+) commit ad18e20ba2887e221e903d311f4c9a1586eacffb Author: oulijun Date: Fri May 4 10:57:06 2018 +0800 RDMA/hns: Update convert function of endian format Because the sys_image_guid of ib_device_attr structure is __be64, it need to use cpu_to_be64 for converting. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f97a62c39423575c62649721657e5cc04f67c0ac Author: oulijun Date: Fri May 4 10:57:05 2018 +0800 RDMA/hns: Load the RoCE dirver automatically To enable the linux-kernel system to load the hns-roce-hw-v2 driver automatically when hns-roce-hw-v2 is plugged in pci bus, it need to create a MODULE_DEVICE_TABLE for expose the pci_table of hns-roce-hw-v2 to user. Signed-off-by: Lijun Ou Reported-by: Zhou Wang Tested-by: Xiaojun Tan Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 ++ 1 file changed, 2 insertions(+) commit 3a39bbecc88fa9a99a80de588c8f1fe16aba3446 Author: oulijun Date: Fri May 4 10:57:04 2018 +0800 RDMA/hns: Bugfix for rq record db for kernel When used rq record db for kernel, it needs to set the rdb_en of hr_qp to 1 and configures the dma address of record rq db of qp context. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_qp.c | 1 + 1 file changed, 1 insertion(+) commit ecaaf1e26a37ddf7cba4e425cf68ae7ce1869bc0 Author: oulijun Date: Fri May 4 10:57:03 2018 +0800 RDMA/hns: Add rq inline flags judgement It needs to set the rqie field of qp context by configured rq inline flags. Besides, it need to decide whether posting inline rqwqe by judged rq inline flags. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) commit 1661d3b0e2183ce90f6611641c350a5aa02aaa80 Author: Alexandru Moise <00moses.alexander00@gmail.com> Date: Tue May 8 11:02:02 2018 +0200 nvmet,rxe: defer ip datagram sending to tasklet This addresses 3 separate problems: 1. When using NVME over Fabrics we may end up sending IP packets in interrupt context, we should defer this work to a tasklet. [ 50.939957] WARNING: CPU: 3 PID: 0 at kernel/softirq.c:161 __local_bh_enable_ip+0x1f/0xa0 [ 50.942602] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G W 4.17.0-rc3-ARCH+ #104 [ 50.945466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 [ 50.948163] RIP: 0010:__local_bh_enable_ip+0x1f/0xa0 [ 50.949631] RSP: 0018:ffff88009c183900 EFLAGS: 00010006 [ 50.951029] RAX: 0000000080010403 RBX: 0000000000000200 RCX: 0000000000000001 [ 50.952636] RDX: 0000000000000000 RSI: 0000000000000200 RDI: ffffffff817e04ec [ 50.954278] RBP: ffff88009c183910 R08: 0000000000000001 R09: 0000000000000614 [ 50.956000] R10: ffffea00021d5500 R11: 0000000000000001 R12: ffffffff817e04ec [ 50.957779] R13: 0000000000000000 R14: ffff88009566f400 R15: ffff8800956c7000 [ 50.959402] FS: 0000000000000000(0000) GS:ffff88009c180000(0000) knlGS:0000000000000000 [ 50.961552] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 50.963798] CR2: 000055c4ec0ccac0 CR3: 0000000002209001 CR4: 00000000000606e0 [ 50.966121] Call Trace: [ 50.966845] [ 50.967497] __dev_queue_xmit+0x62d/0x690 [ 50.968722] dev_queue_xmit+0x10/0x20 [ 50.969894] neigh_resolve_output+0x173/0x190 [ 50.971244] ip_finish_output2+0x2b8/0x370 [ 50.972527] ip_finish_output+0x1d2/0x220 [ 50.973785] ? ip_finish_output+0x1d2/0x220 [ 50.975010] ip_output+0xd4/0x100 [ 50.975903] ip_local_out+0x3b/0x50 [ 50.976823] rxe_send+0x74/0x120 [ 50.977702] rxe_requester+0xe3b/0x10b0 [ 50.978881] ? ip_local_deliver_finish+0xd1/0xe0 [ 50.980260] rxe_do_task+0x85/0x100 [ 50.981386] rxe_run_task+0x2f/0x40 [ 50.982470] rxe_post_send+0x51a/0x550 [ 50.983591] nvmet_rdma_queue_response+0x10a/0x170 [ 50.985024] __nvmet_req_complete+0x95/0xa0 [ 50.986287] nvmet_req_complete+0x15/0x60 [ 50.987469] nvmet_bio_done+0x2d/0x40 [ 50.988564] bio_endio+0x12c/0x140 [ 50.989654] blk_update_request+0x185/0x2a0 [ 50.990947] blk_mq_end_request+0x1e/0x80 [ 50.991997] nvme_complete_rq+0x1cc/0x1e0 [ 50.993171] nvme_pci_complete_rq+0x117/0x120 [ 50.994355] __blk_mq_complete_request+0x15e/0x180 [ 50.995988] blk_mq_complete_request+0x6f/0xa0 [ 50.997304] nvme_process_cq+0xe0/0x1b0 [ 50.998494] nvme_irq+0x28/0x50 [ 50.999572] __handle_irq_event_percpu+0xa2/0x1c0 [ 51.000986] handle_irq_event_percpu+0x32/0x80 [ 51.002356] handle_irq_event+0x3c/0x60 [ 51.003463] handle_edge_irq+0x1c9/0x200 [ 51.004473] handle_irq+0x23/0x30 [ 51.005363] do_IRQ+0x46/0xd0 [ 51.006182] common_interrupt+0xf/0xf [ 51.007129] 2. Work must always be offloaded to tasklet for rxe_post_send_kernel() when using NVMEoF in order to solve lock ordering between neigh->ha_lock seqlock and the nvme queue lock: [ 77.833783] Possible interrupt unsafe locking scenario: [ 77.833783] [ 77.835831] CPU0 CPU1 [ 77.837129] ---- ---- [ 77.838313] lock(&(&n->ha_lock)->seqcount); [ 77.839550] local_irq_disable(); [ 77.841377] lock(&(&nvmeq->q_lock)->rlock); [ 77.843222] lock(&(&n->ha_lock)->seqcount); [ 77.845178] [ 77.846298] lock(&(&nvmeq->q_lock)->rlock); [ 77.847986] [ 77.847986] *** DEADLOCK *** 3. Same goes for the lock ordering between sch->q.lock and nvme queue lock: [ 47.634271] Possible interrupt unsafe locking scenario: [ 47.634271] [ 47.636452] CPU0 CPU1 [ 47.637861] ---- ---- [ 47.639285] lock(&(&sch->q.lock)->rlock); [ 47.640654] local_irq_disable(); [ 47.642451] lock(&(&nvmeq->q_lock)->rlock); [ 47.644521] lock(&(&sch->q.lock)->rlock); [ 47.646480] [ 47.647263] lock(&(&nvmeq->q_lock)->rlock); [ 47.648492] [ 47.648492] *** DEADLOCK *** Using NVMEoF after this patch seems to finally be stable, without it, rxe eventually deadlocks the whole system and causes RCU stalls. Signed-off-by: Alexandru Moise <00moses.alexander00@gmail.com> Reviewed-by: Zhu Yanjun Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_verbs.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) commit eeb1af4f53fa74fd41d288b113eebcdfca4d311c Author: Mustafa Ismail Date: Mon May 7 12:52:18 2018 -0500 i40iw: Use correct address in dst_neigh_lookup for IPv6 Use of incorrect structure address for IPv6 neighbor lookup causes connections to IPv6 addresses to fail. Fix this by using correct address in call to dst_neigh_lookup. Fixes: f27b4746f378 ("i40iw: add connection management code") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5a7189d529cd146cd5838af97b32fcac4122b471 Author: Mustafa Ismail Date: Mon May 7 12:52:17 2018 -0500 i40iw: Fix memory leak in error path of create QP If i40iw_allocate_dma_mem fails when creating a QP, the memory allocated for the QP structure using kzalloc is not freed because iwqp->allocated_buffer is used to free the memory and it is not setup until later. Fix this by setting iwqp->allocated_buffer before allocating the dma memory. Fixes: d37498417947 ("i40iw: add files for iwarp interface") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 37da2a03c036538a5a79766d74bfcf5b873e5cad Author: Daria Velikovsky Date: Mon May 7 10:20:02 2018 +0300 RDMA/mlx5: Use proper spec flow label type Flow label is defined as u32 in the in ipv6 flow spec, but used internally in the flow specs parsing as u8. That was causing loss of part of flow_label value. Fixes: 2d1e697e9b716 ('IB/mlx5: Add support to match inner packet fields') Reviewed-by: Maor Gottlieb Signed-off-by: Daria Velikovsky Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 18b0362e87dfa09e355093b897b9db854e360d28 Author: Yishai Hadas Date: Mon May 7 10:20:01 2018 +0300 RDMA/mlx5: Don't assume that medium blueFlame register exists User can leave system without medium BlueFlames registers, however the code assumed that at least one such register exists. This patch fixes that assumption. Fixes: c1be5232d21d ("IB/mlx5: Fix micro UAR allocator") Reported-by: Rohit Zambre Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) commit f9e76ca3771bf23d2142a81a88ddd8f31f5c4c03 Author: Michael J. Ruhl Date: Wed May 2 06:42:51 2018 -0700 IB/hfi1: Use after free race condition in send context error path A pio send egress error can occur when the PSM library attempts to to send a bad packet. That issue is still being investigated. The pio error interrupt handler then attempts to progress the recovery of the errored pio send context. Code inspection reveals that the handling lacks the necessary locking if that recovery interleaves with a PSM close of the "context" object contains the pio send context. The lack of the locking can cause the recovery to access the already freed pio send context object and incorrectly deduce that the pio send context is actually a kernel pio send context as shown by the NULL deref stack below: [] _dev_info+0x6c/0x90 [] sc_restart+0x70/0x1f0 [hfi1] [] ? __schedule+0x424/0x9b0 [] sc_halted+0x15/0x20 [hfi1] [] process_one_work+0x17a/0x440 [] worker_thread+0x126/0x3c0 [] ? manage_workers.isra.24+0x2a0/0x2a0 [] kthread+0xcf/0xe0 [] ? insert_kthread_work+0x40/0x40 [] ret_from_fork+0x58/0x90 [] ? insert_kthread_work+0x40/0x40 This is the best case scenario and other scenarios can corrupt the already freed memory. Fix by adding the necessary locking in the pio send context error handler. Cc: # 4.9.x Reviewed-by: Mike Marciniszyn Reviewed-by: Dennis Dalessandro Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/chip.c | 4 ++++ 1 file changed, 4 insertions(+) commit 0583a4ef05987f7e0f3a7bdd3365e5dc36ca306d Author: David Gilhooley Date: Tue May 8 15:49:43 2018 -0700 arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list The NVIDIA Denver CPU also needs a PSCI call to harden the branch predictor. Signed-off-by: David Gilhooley Signed-off-by: Will Deacon arch/arm64/kernel/cpu_errata.c | 1 + 1 file changed, 1 insertion(+) commit 1b06bd8dd95f7a19ab33fdf0f477c94950822ab3 Author: David Gilhooley Date: Tue May 8 15:49:42 2018 -0700 arm64: Add MIDR encoding for NVIDIA CPUs This patch adds the MIDR encodings for NVIDIA as well as the Denver and Carmel CPUs used in Tegra SoCs. Signed-off-by: David Gilhooley Signed-off-by: Will Deacon arch/arm64/include/asm/cputype.h | 6 ++++++ 1 file changed, 6 insertions(+) commit 27f70620faf02a897123eb36b9e614e8d540f751 Author: Leon Romanovsky Date: Thu May 3 21:37:46 2018 +0300 MAINTAINERS: Remove bouncing @mellanox.com addresses Delete non-existent @mellanox.com addresses from MAINTAINERS file. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford MAINTAINERS | 6 ------ 1 file changed, 6 deletions(-) commit 9533b292a7acc62c294ebcbd9e1f9f9d52adb10b Author: Greg Thelen Date: Thu May 3 20:29:19 2018 -0700 IB: remove redundant INFINIBAND kconfig dependencies INFINIBAND_ADDR_TRANS depends on INFINIBAND. So there's no need for options which depend INFINIBAND_ADDR_TRANS to also depend on INFINIBAND. Remove the unnecessary INFINIBAND depends. Signed-off-by: Greg Thelen Signed-off-by: Doug Ledford drivers/infiniband/ulp/srpt/Kconfig | 2 +- drivers/nvme/host/Kconfig | 2 +- drivers/nvme/target/Kconfig | 2 +- drivers/staging/lustre/lnet/Kconfig | 2 +- fs/cifs/Kconfig | 2 +- net/9p/Kconfig | 2 +- net/rds/Kconfig | 2 +- net/sunrpc/Kconfig | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) commit 070b9637dd8fa85c3ba7ecc60fe57fa4da9c2d1d Author: Hans de Goede Date: Thu May 3 11:32:33 2018 +0200 HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B The 0457:10fb touchscreen found on the Toshiba Click Mini L9W-B needs to have a report-decriptors command send to it on resume in order for the touchscreen to start generating events again on resume. Signed-off-by: Hans de Goede Acked-by: Benjamin Tissoires Signed-off-by: Jiri Kosina drivers/hid/hid-ids.h | 1 + drivers/hid/i2c-hid/i2c-hid.c | 2 ++ 2 files changed, 3 insertions(+) commit 8feaec33b9868582654cd3d5355225dcb79aeca6 Author: Kai Heng Feng Date: Mon May 7 14:11:20 2018 +0800 PCI / PM: Always check PME wakeup capability for runtime wakeup support USB controller ASM1042 stops working after commit de3ef1eb1cd0 (PM / core: Drop run_wake flag from struct dev_pm_info). The device in question is not power managed by platform firmware, furthermore, it only supports PME# from D3cold: Capabilities: [78] Power Management version 3 Flags: PMEClk- DSI- D1- D2- AuxCurrent=55mA PME(D0-,D1-,D2-,D3hot-,D3cold+) Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME- Before commit de3ef1eb1cd0, the device never gets runtime suspended. After that commit, the device gets runtime suspended to D3hot, which can not generate any PME#. usb_hcd_pci_probe() unconditionally calls device_wakeup_enable(), hence device_can_wakeup() in pci_dev_run_wake() always returns true. So pci_dev_run_wake() needs to check PME wakeup capability as its first condition. In addition, change wakeup flag passed to pci_target_state() from false to true, because we want to find the deepest state different from D3cold that the device can still generate PME#. In this case, it's D0 for the device in question. Fixes: de3ef1eb1cd0 (PM / core: Drop run_wake flag from struct dev_pm_info) Signed-off-by: Kai-Heng Feng Cc: 4.13+ # 4.13+ Acked-by: Bjorn Helgaas Signed-off-by: Rafael J. Wysocki drivers/pci/pci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 97739501f207efe33145b918817f305b822987f8 Author: Rafael J. Wysocki Date: Wed May 9 11:44:56 2018 +0200 cpufreq: schedutil: Avoid using invalid next_freq If the next_freq field of struct sugov_policy is set to UINT_MAX, it shouldn't be used for updating the CPU frequency (this is a special "invalid" value), but after commit b7eaf1aab9f8 (cpufreq: schedutil: Avoid reducing frequency of busy CPUs prematurely) it may be passed as the new frequency to sugov_update_commit() in sugov_update_single(). Fix that by adding an extra check for the special UINT_MAX value of next_freq to sugov_update_single(). Fixes: b7eaf1aab9f8 (cpufreq: schedutil: Avoid reducing frequency of busy CPUs prematurely) Reported-by: Viresh Kumar Cc: 4.12+ # 4.12+ Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki kernel/sched/cpufreq_schedutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a744490f12707d9f0b205272b29adf5bdb3ba193 Author: Juri Lelli Date: Wed May 9 10:40:51 2018 +0200 cpufreq: schedutil: remove stale comment After commit 794a56ebd9a57 (sched/cpufreq: Change the worker kthread to SCHED_DEADLINE) schedutil kthreads are "ignored" for a clock frequency selection point of view, so the potential corner case for RT tasks is not possible at all now. Remove the stale comment mentioning it. Signed-off-by: Juri Lelli Signed-off-by: Rafael J. Wysocki kernel/sched/cpufreq_schedutil.c | 13 ------------- 1 file changed, 13 deletions(-) commit 13610c93488b3c290f393c76744b308445921094 Author: Juri Lelli Date: Tue May 8 17:12:09 2018 +0200 PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph P-state selection algorithm (powersave or performance) is selected by echoing the desired choice to scaling_governor sysfs attribute and not to scaling_cur_freq (as currently stated). Fix it. Signed-off-by: Juri Lelli Reviewed-by: Srinivas Pandruvada Signed-off-by: Rafael J. Wysocki Documentation/admin-guide/pm/intel_pstate.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c72a0ded8d4ac9d99c04200035bbfcc82e15842c Author: Jonathan Neuschäfer Date: Wed Apr 25 12:07:03 2018 +0200 PM: docs: sleep-states: Fix a typo ("includig") Fix a typo in admin-guide/pm/sleep-states.rst. Signed-off-by: Jonathan Neuschäfer Signed-off-by: Rafael J. Wysocki Documentation/admin-guide/pm/sleep-states.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bb7b40aecbf778c0c83a5bd62b0f03ca9f49a618 Author: Pablo Neira Ayuso Date: Tue May 8 02:43:57 2018 +0200 netfilter: nf_tables: bogus EBUSY in chain deletions When removing a rule that jumps to chain and such chain in the same batch, this bogusly hits EBUSY. Add activate and deactivate operations to expression that can be called from the preparation and the commit/abort phases. Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_tables.h | 5 +++++ net/netfilter/nf_tables_api.c | 46 +++++++++++++++++++++++++++++++++++---- net/netfilter/nft_immediate.c | 15 ++++++++++--- 3 files changed, 59 insertions(+), 7 deletions(-) commit 732a8049f365f514d0607e03938491bf6cb0d620 Author: Florian Westphal Date: Mon May 7 15:22:36 2018 +0200 netfilter: nft_compat: fix handling of large matchinfo size currently matchinfo gets stored in the expression, but some xt matches are very large. To handle those we either need to switch nft core to kvmalloc and increase size limit, or allocate the info blob of large matches separately. This does the latter, this limits the scope of the changes to nft_compat. I picked a threshold of 192, this allows most matches to work as before and handle only few ones via separate alloation (cgroup, u32, sctp, rt). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_compat.c | 64 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) commit 8bdf164744b2c7f63561846c01cff3db597f282d Author: Florian Westphal Date: Mon May 7 15:22:35 2018 +0200 netfilter: nft_compat: prepare for indirect info storage Next patch will make it possible for *info to be stored in a separate allocation instead of the expr private area. This removes the 'expr priv area is info blob' assumption from the match init/destroy/eval functions. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_compat.c | 47 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 11 deletions(-) commit 9a0e9802217291e54c4dd1fc5462f189a4be14ec Author: Boris Brezillon Date: Mon May 7 14:13:03 2018 +0200 drm/vc4: Fix scaling of uni-planar formats When using uni-planar formats (like RGB), the scaling parameters are stored in plane 0, not plane 1. Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") Cc: stable@vger.kernel.org Signed-off-by: Boris Brezillon Reviewed-by: Eric Anholt Link: https://patchwork.freedesktop.org/patch/msgid/20180507121303.5610-1-boris.brezillon@bootlin.com drivers/gpu/drm/vc4/vc4_plane.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3148dedfe79e422f448a10250d3e2cdf8b7ee617 Author: Heiner Kallweit Date: Mon May 7 21:11:21 2018 +0200 r8169: fix powering up RTL8168h Since commit a92a08499b1f "r8169: improve runtime pm in general and suspend unused ports" interfaces w/o link are runtime-suspended after 10s. On systems where drivers take longer to load this can lead to the situation that the interface is runtime-suspended already when it's initially brought up. This shouldn't be a problem because rtl_open() resumes MAC/PHY. However with at least one chip version the interface doesn't properly come up, as reported here: https://bugzilla.kernel.org/show_bug.cgi?id=199549 The vendor driver uses a delay to give certain chip versions some time to resume before starting the PHY configuration. So let's do the same. I don't know which chip versions may be affected, therefore apply this delay always. This patch was reported to fix the issue for RTL8168h. I was able to reproduce the issue on an Asus H310I-Plus which also uses a RTL8168h. Also in my case the patch fixed the issue. Reported-by: Slava Kardakov Tested-by: Slava Kardakov Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller drivers/net/ethernet/realtek/r8169.c | 3 +++ 1 file changed, 3 insertions(+) commit 6f2db7dc901a1b89fbc50f7b38f0f7ee17205703 Author: Peter Rosin Date: Wed May 2 09:40:25 2018 +0200 drm/exynos: hdmi: avoid duplicating drm_bridge_attach drm_bridge_attach takes care of these assignments, so there is no need to open-code them a second time. Signed-off-by: Peter Rosin Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_hdmi.c | 2 -- 1 file changed, 2 deletions(-) commit 322579dcc865b94b47345ad1b6002ad167f85405 Author: Tejun Heo Date: Tue May 8 14:21:56 2018 -0700 libata: Blacklist some Sandisk SSDs for NCQ Sandisk SSDs SD7SN6S256G and SD8SN8U256G are regularly locking up regularly under sustained moderate load with NCQ enabled. Blacklist for now. Signed-off-by: Tejun Heo Reported-by: Dave Jones Cc: stable@vger.kernel.org drivers/ata/libata-core.c | 4 ++++ 1 file changed, 4 insertions(+) commit 31c6085562a03124d3f6a5c43dd9888ac44495a5 Author: Dan Carpenter Date: Fri Apr 27 17:06:49 2018 +0300 firmware: arm_scmi: Use after free in scmi_create_protocol_device() We need to return here instead of setting up the freed sdev device as a transport. Fixes: 907b6d14911d ("firmware: arm_scmi: add per-protocol channels support using idr objects") Signed-off-by: Dan Carpenter Signed-off-by: Sudeep Holla drivers/firmware/arm_scmi/driver.c | 1 + 1 file changed, 1 insertion(+) commit 036db8bd96374c66424f270f3370ddaf0adf7506 Merge: 93a0d34 0d74d87 Author: Linus Torvalds Date: Tue May 8 05:40:17 2018 -1000 Merge branch 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata Pull libata fixes from Tejun Heo: "An earlier commit to add reset control for embedded ahci controllers affected some of the hardware specific drivers and got reverted for now. Other than that, just per-device workarounds and trivial changes" * 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: driver core: add __printf verification to __ata_ehi_pushv_desc ata: fix spelling mistake: "directon" -> "direction" libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI libahci: Allow drivers to override stop_engine Revert "ata: ahci-platform: add reset control support" commit 93a0d34024ad9951a7ce86a306c8d3414b1b1d88 Merge: 89240c6 c41eb2c Author: Linus Torvalds Date: Tue May 8 05:37:17 2018 -1000 Merge tag 'pinctrl-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Here are three pin control fixes. The Intel fixes are the most serious and important things I had queued since it affects a large portion of deployed Chromebooks. - Two major fixes for the Intel Cherryview and Sunrisepoint pin controllers, adjusting numberspaces so that they get aligned with various messed-up numbers encoded into the BIOS. - A fix for the Meson driver GPIO pin range" * tag 'pinctrl-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: sunrisepoint: Align GPIO number space with Windows pinctrl: cherryview: Associate IRQ descriptors to irqdomain pinctrl: meson-axg: fix the range of aobus bank commit 89240c675ed12fe540093fc70c13ae8ff227e8e5 Merge: f142f08 e026646 Author: Linus Torvalds Date: Tue May 8 05:35:12 2018 -1000 Merge tag 'gpio-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Sorry for lagging behind on sending the first batch of GPIO fixes for this cycle. Just too busy conferencing and the weather was too nice. Here it is anyway: some real important polishing on the error path facing userspace (tagged for stable as well) and some normal driver fixes. - Fix proper IRQ unmasking in the Aspeed driver. - Do not free unrequested descriptors on the errorpath when creating line handles from the userspace chardev requested GPIO lines. - Also fix the errorpath in the linehandle creation function. - Fix the get/set multiple GPIO lines for a few of the funky industrial GPIO cards on the ISA bus" * tag 'gpio-v4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: pcie-idio-24: Fix off-by-one error in get_multiple loop gpio: pcie-idio-24: Fix port memory offset for get_multiple/set_multiple callbacks gpio: pci-idio-16: Fix port memory offset for get_multiple callback gpio: fix error path in lineevent_create gpioib: do not free unrequested descriptors gpio: fix aspeed_gpio unmask irq commit 42f02130f980ac81efddb7968f50fd9ed06df26b Merge: 2dabf9f 7a25ac2 Author: David S. Miller Date: Tue May 8 10:19:53 2018 -0400 Merge tag 'linux-can-fixes-for-4.17-20180508' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2018-05-08 this is a pull request for 7 patches for net/master. The first patch is by Jakob Unterwurzacher and increases the severity of bus-off messages in the generic CAN device infrastructure. The next two patches are by Uwe Kleine-König and fix the endianess detection in the flexcan driver. Jimmy Assarsson's patch for the kvaser driver corrects the stats counter for dropped tx-messages. Geert Uytterhoeven provides one patch and Sergei Shtylyov two patches for the rcan_canfd device tree binding description. ==================== Signed-off-by: David S. Miller commit 2dabf9f281bc42ce1836c02b6588585d6c52b67d Merge: 2c5d5b1 f18fa5d Author: David S. Miller Date: Tue May 8 10:17:22 2018 -0400 Merge branch 'ieee802154-for-davem-2018-05-08' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan Stefan Schmidt says: ==================== pull-request: ieee802154 2018-05-08 An update from ieee802154 for your *net* tree. Two fixes for the mcr20a driver, which was being added in the 4.17 merge window, by Gustavo and myself. The atusb driver got a change to GFP_KERNEL where no GFP_ATOMIC is needed by Jia-Ju. The last and most important fix is from Alex to get IPv6 reassembly working again for the ieee802154 6lowpan adaptation. This got broken in 4.16 so please queue this one also up for the 4.16 stable tree. ==================== Signed-off-by: David S. Miller commit 4bbaf2584b86b0772413edeac22ff448f36351b1 Author: Hendrik Brueckner Date: Thu May 3 15:56:15 2018 +0200 s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero Correct a trinity finding for the perf_event_open() system call with a perf event attribute structure that uses a frequency but has the sampling frequency set to zero. This causes a FP divide exception during the sample rate initialization for the hardware sampling facility. Fixes: 8c069ff4bd606 ("s390/perf: add support for the CPU-Measurement Sampling Facility") Cc: stable@vger.kernel.org # 3.14+ Reviewed-by: Heiko Carstens Signed-off-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky arch/s390/kernel/perf_cpum_sf.c | 4 ++++ 1 file changed, 4 insertions(+) commit e8f48f96db7e482995743f461b3e8a5c1a102533 Author: Florent Flament Date: Thu Apr 19 19:07:00 2018 +0300 drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Fix `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to power on` in kernel log at boot time. Toshiba Satellite Z930 laptops needs between 1 and 2 seconds to power on its screen during Intel i915 DRM initialization. This currently results in a `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to power on` message appearing in the kernel log during boot time and when stopping the machine. This change increases the timeout of the `intel_enable_lvds` function from 1 to 5 seconds, letting enough time for the Satellite 930 LCD screen to power on, and suppressing the error message from the kernel log. This patch has been successfully tested on Linux 4.14 running on a Toshiba Satellite Z930. [vsyrjala: bump the timeout from 2 to 5 seconds to match the DP code and properly cover the max hw timeout of ~4 seconds, and drop the comment about the specific machine since this is not a particulary surprising issue, nor specific to that one machine] Signed-off-by: Florent Flament Cc: stable@vger.kernel.org Cc: Pavel Petrovic Cc: Sérgio M. Basto Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103414 References: https://bugzilla.kernel.org/show_bug.cgi?id=57591 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20180419160700.19828-1-ville.syrjala@linux.intel.com Reviewed-by: Jani Nikula (cherry picked from commit 280b54ade5914d3b4abe4f0ebe083ddbd4603246) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_lvds.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 660d88e74cf6e16252e366616f158d84dc9dc6a3 Author: Ville Syrjälä Date: Thu Apr 26 19:30:15 2018 +0300 drm/i915: Correctly populate user mode h/vdisplay with pipe src size during readout During state readout we first read out the pipe src size, store that information in the user mode h/vdisplay, but later on we overwrite that with the actual crtc timings. That makes our read out crtc state inconsistent with itself when the BIOS has enabled the panel fitter to scale the pipe contents. Let's preserve the pipe src size based information in the user mode to make things consistent again. This fixes a problem introduced by commit a2936e3d9a9c ("drm/i915: Use drm_mode_get_hv_timing() to populate plane clip rectangle") where the inconsistent state is now leading the plane clipping code to report a failure on account the plane dst coordinates not matching the user mode size. Previously we did the plane clipping based on the pipe src size instead and thus never noticed the inconsistency. The failure manifests as a WARN: [ 0.762117] [drm:intel_dump_pipe_config [i915]] requested mode: [ 0.762142] [drm:drm_mode_debug_printmodeline [drm]] Modeline 0:"1366x768" 60 72143 1366 1414 1446 1526 768 771 777 784 0x40 0xa ... [ 0.762327] [drm:intel_dump_pipe_config [i915]] port clock: 72143, pipe src size: 1024x768, pixel rate 72143 ... [ 0.764666] [drm:drm_atomic_helper_check_plane_state [drm_kms_helper]] Plane must cover entire CRTC [ 0.764690] [drm:drm_rect_debug_print [drm]] dst: 1024x768+0+0 [ 0.764711] [drm:drm_rect_debug_print [drm]] clip: 1366x768+0+0 [ 0.764713] ------------[ cut here ]------------ [ 0.764714] Could not determine valid watermarks for inherited state [ 0.764792] WARNING: CPU: 4 PID: 159 at drivers/gpu/drm/i915/intel_display.c:14584 intel_modeset_init+0x3ce/0x19d0 [i915] ... Cc: FadeMind Cc: Dave Jones Cc: Daniel Vetter Reported-by: FadeMind Reported-by: Dave Jones Tested-by: Dave Jones References: https://lists.freedesktop.org/archives/intel-gfx/2018-April/163186.html Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105992 Fixes: a2936e3d9a9c ("drm/i915: Use drm_mode_get_hv_timing() to populate plane clip rectangle") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20180426163015.14232-1-ville.syrjala@linux.intel.com Reviewed-by: Chris Wilson Tested-by: Larry Finger Tested-by: FadeMind (cherry picked from commit bd4cd03c81010dcd4e6f0e02e4c15f44aefe12d1) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_display.c | 2 ++ 1 file changed, 2 insertions(+) commit 9d219554d9bf59875b4e571a0392d620e8954879 Author: Rodrigo Vivi Date: Wed May 2 10:52:55 2018 -0700 drm/i915: Adjust eDP's logical vco in a reliable place. On intel_dp_compute_config() we were calculating the needed vco for eDP on gen9 and we stashing it in intel_atomic_state.cdclk.logical.vco However few moments later on intel_modeset_checks() we fully replace entire intel_atomic_state.cdclk.logical with dev_priv->cdclk.logical fully overwriting the logical desired vco for eDP on gen9. So, with wrong VCO value we end up with wrong desired cdclk, but also it will raise a lot of WARNs: On gen9, when we read CDCLK_CTL to verify if we configured properly the desired frequency the CD Frequency Select bits [27:26] == 10b can mean 337.5 or 308.57 MHz depending on the VCO. So if we have wrong VCO value stashed we will believe the frequency selection didn't stick and start to raise WARNs of cdclk mismatch. [ 42.857519] [drm:intel_dump_cdclk_state [i915]] Changing CDCLK to 308571 kHz, VCO 8640000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 [ 42.897269] cdclk state doesn't match! [ 42.901052] WARNING: CPU: 5 PID: 1116 at drivers/gpu/drm/i915/intel_cdclk.c:2084 intel_set_cdclk+0x5d/0x110 [i915] [ 42.938004] RIP: 0010:intel_set_cdclk+0x5d/0x110 [i915] [ 43.155253] WARNING: CPU: 5 PID: 1116 at drivers/gpu/drm/i915/intel_cdclk.c:2084 intel_set_cdclk+0x5d/0x110 [i915] [ 43.170277] [drm:intel_dump_cdclk_state [i915]] [hw state] 337500 kHz, VCO 8100000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 [ 43.182566] [drm:intel_dump_cdclk_state [i915]] [sw state] 308571 kHz, VCO 8640000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 v2: Move the entire eDP's vco logical adjustment to inside the skl_modeset_calc_cdclk as suggested by Ville. Cc: Ville Syrjälä Signed-off-by: Rodrigo Vivi Reviewed-by: Ville Syrjälä Fixes: bb0f4aab0e76 ("drm/i915: Track full cdclk state for the logical and actual cdclk frequencies") Cc: # v4.12+ Link: https://patchwork.freedesktop.org/patch/msgid/20180502175255.5344-1-rodrigo.vivi@intel.com (cherry picked from commit 3297234a05ab1e90091b0574db4c397ef0e90d5f) Signed-off-by: Joonas Lahtinen drivers/gpu/drm/i915/intel_cdclk.c | 41 ++++++++++++++++++++++++++++++++++---- drivers/gpu/drm/i915/intel_dp.c | 20 ------------------- 2 files changed, 37 insertions(+), 24 deletions(-) commit 009240940e84c1c089af88b454f7e804a4c5bd1b Author: Florian Westphal Date: Sun May 6 00:47:20 2018 +0200 netfilter: nf_tables: don't assume chain stats are set when jumplabel is set nft_chain_stats_replace() and all other spots assume ->stats can be NULL, but nft_update_chain_stats does not. It must do this check, just because the jump label is set doesn't mean all basechains have stats assigned. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_core.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) commit a44f6d82a471aa52fe218e43105fbe3c458fc5a6 Author: Florian Westphal Date: Sun May 6 00:46:16 2018 +0200 netfilter: x_tables: add module alias for icmp matches The icmp matches are implemented in ip_tables and ip6_tables, respectively, so for normal iptables they are always available: those modules are loaded once iptables calls getsockopt() to fetch available module revisions. In iptables-over-nftables case probing occurs via nfnetlink, so these modules might not be loaded. Add aliases so modprobe can load these when icmp/icmp6 is requested. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/ipv4/netfilter/ip_tables.c | 1 + net/ipv6/netfilter/ip6_tables.c | 1 + 2 files changed, 2 insertions(+) commit 4e09fc873d92398001e267f7b60c36c963f825b3 Author: Florian Westphal Date: Sun May 6 00:45:43 2018 +0200 netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes fixes these warnings: 'nfnl_cthelper_create' at net/netfilter/nfnetlink_cthelper.c:237:2, 'nfnl_cthelper_new' at net/netfilter/nfnetlink_cthelper.c:450:9: ./include/linux/string.h:246:9: warning: '__builtin_strncpy' specified bound 16 equals destination size [-Wstringop-truncation] return __builtin_strncpy(p, q, size); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Moreover, strncpy assumes null-terminated source buffers, but thats not the case here. Unlike strlcpy, nla_strlcpy *does* pad the destination buffer while also considering nla attribute size. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 +- net/netfilter/nfnetlink_cthelper.c | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) commit 25fd386e0bc065849db7400f579e82863ea44838 Author: Florian Westphal Date: Fri May 4 18:16:06 2018 +0200 netfilter: core: add missing __rcu annotation removes following sparse error: net/netfilter/core.c:598:30: warning: incorrect type in argument 1 (different address spaces) net/netfilter/core.c:598:30: expected struct nf_hook_entries **e net/netfilter/core.c:598:30: got struct nf_hook_entries [noderef] ** Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit d5e032fc5697b6c0d6b4958bcacb981a08f8174e Author: Julian Anastasov Date: Thu May 3 22:02:18 2018 +0300 ipvs: fix stats update from local clients Local clients are not properly synchronized on 32-bit CPUs when updating stats (3.10+). Now it is possible estimation_timer (timer), a stats reader, to interrupt the local client in the middle of write_seqcount_{begin,end} sequence leading to loop (DEADLOCK). The same interrupt can happen from received packet (SoftIRQ) which updates the same per-CPU stats. Fix it by disabling BH while updating stats. Found with debug: WARNING: inconsistent lock state 4.17.0-rc2-00105-g35cb6d7-dirty #2 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage. ftp/2545 [HC0[0]:SC0[0]:HE1:SE1] takes: 86845479 (&syncp->seq#6){+.+-}, at: ip_vs_schedule+0x1c5/0x59e [ip_vs] {IN-SOFTIRQ-R} state was registered at: lock_acquire+0x44/0x5b estimation_timer+0x1b3/0x341 [ip_vs] call_timer_fn+0x54/0xcd run_timer_softirq+0x10c/0x12b __do_softirq+0xc1/0x1a9 do_softirq_own_stack+0x1d/0x23 irq_exit+0x4a/0x64 smp_apic_timer_interrupt+0x63/0x71 apic_timer_interrupt+0x3a/0x40 default_idle+0xa/0xc arch_cpu_idle+0x9/0xb default_idle_call+0x21/0x23 do_idle+0xa0/0x167 cpu_startup_entry+0x19/0x1b start_secondary+0x133/0x182 startup_32_smp+0x164/0x168 irq event stamp: 42213 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&syncp->seq#6); lock(&syncp->seq#6); *** DEADLOCK *** Fixes: ac69269a45e8 ("ipvs: do not disable bh for long time") Signed-off-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_core.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit a050d345cef0dc6249263540da1e902bba617e43 Author: Julian Anastasov Date: Thu May 3 22:01:40 2018 +0300 ipvs: fix refcount usage for conns in ops mode Connections in One-packet scheduling mode (-o, --ops) are removed with refcnt=0 because they are not hashed in conn table. To avoid refcount_dec reporting this as error, change them to be removed with refcount_dec_if_one as all other connections. refcount_t hit zero at ip_vs_conn_put+0x31/0x40 [ip_vs] in sh[15519], uid/euid: 497/497 WARNING: CPU: 0 PID: 15519 at ../kernel/panic.c:657 refcount_error_report+0x94/0x9e Modules linked in: ip_vs_rr cirrus ttm sb_edac edac_core drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc mousedev drm aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse evdev input_leds led_class intel_agp fb_sys_fops syscopyarea sysfillrect intel_rapl_perf mac_hid intel_gtt serio_raw sysimgblt agpgart i2c_piix4 i2c_core ata_generic pata_acpi floppy cfg80211 rfkill button loop macvlan ip_vs nf_conntrack libcrc32c crc32c_generic ip_tables x_tables ipv6 crc_ccitt autofs4 ext4 crc16 mbcache jbd2 fscrypto ata_piix libata atkbd libps2 scsi_mod crc32c_intel i8042 rtc_cmos serio af_packet dm_mod dax fuse xen_netfront xen_blkfront CPU: 0 PID: 15519 Comm: sh Tainted: G W 4.15.17 #1-NixOS Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006 RIP: 0010:refcount_error_report+0x94/0x9e RSP: 0000:ffffa344dde039c8 EFLAGS: 00010296 RAX: 0000000000000057 RBX: ffffffff92f20e06 RCX: 0000000000000006 RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffffa344dde165c0 RBP: ffffa344dde03b08 R08: 0000000000000218 R09: 0000000000000004 R10: ffffffff93006a80 R11: 0000000000000001 R12: ffffa344d68cd100 R13: 00000000000001f1 R14: ffffffff92f12fb0 R15: 0000000000000004 FS: 00007fc9d2040fc0(0000) GS:ffffa344dde00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000262a000 CR3: 0000000016a0c004 CR4: 00000000001606f0 Call Trace: ex_handler_refcount+0x4e/0x80 fixup_exception+0x33/0x40 do_trap+0x83/0x140 do_error_trap+0x83/0xf0 ? ip_vs_conn_drop_conntrack+0x120/0x1a5 [ip_vs] ? ip_finish_output2+0x29c/0x390 ? ip_finish_output2+0x1a2/0x390 invalid_op+0x1b/0x40 RIP: 0010:ip_vs_conn_put+0x31/0x40 [ip_vs] RSP: 0000:ffffa344dde03bb8 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffffa344df31cf00 RCX: ffffa344d7450198 RDX: 0000000000000003 RSI: 00000000fffffe01 RDI: ffffa344d7450140 RBP: 0000000000000002 R08: 0000000000000476 R09: 0000000000000000 R10: ffffa344dde03b28 R11: ffffa344df200000 R12: ffffa344d7d09000 R13: ffffa344def3a980 R14: ffffffffc04f6e20 R15: 0000000000000008 ip_vs_in.part.29.constprop.36+0x34f/0x640 [ip_vs] ? ip_vs_conn_out_get+0xe0/0xe0 [ip_vs] ip_vs_remote_request4+0x47/0xa0 [ip_vs] ? ip_vs_in.part.29.constprop.36+0x640/0x640 [ip_vs] nf_hook_slow+0x43/0xc0 ip_local_deliver+0xac/0xc0 ? ip_rcv_finish+0x400/0x400 ip_rcv+0x26c/0x380 __netif_receive_skb_core+0x3a0/0xb10 ? inet_gro_receive+0x23c/0x2b0 ? netif_receive_skb_internal+0x24/0xb0 netif_receive_skb_internal+0x24/0xb0 napi_gro_receive+0xb8/0xe0 xennet_poll+0x676/0xb40 [xen_netfront] net_rx_action+0x139/0x3a0 __do_softirq+0xde/0x2b4 irq_exit+0xae/0xb0 xen_evtchn_do_upcall+0x2c/0x40 xen_hvm_callback_vector+0x7d/0x90 RIP: 0033:0x7fc9d11c91f9 RSP: 002b:00007ffebe8a2ea0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff0c RAX: 00000000ffffffff RBX: 0000000002609808 RCX: 0000000000000054 RDX: 0000000000000001 RSI: 0000000002605440 RDI: 00000000025f940e RBP: 00000000025f940e R08: 000000000260213d R09: 1999999999999999 R10: 000000000262a808 R11: 00000000025f942d R12: 00000000025f940e R13: 00007fc9d1301e20 R14: 00000000025f9408 R15: 00007fc9d1302720 Code: 48 8b 95 80 00 00 00 41 55 49 8d 8c 24 e0 05 00 00 45 8b 84 24 38 04 00 00 41 89 c1 48 89 de 48 c7 c7 a8 2f f2 92 e8 7c fa ff ff <0f> 0b 58 5b 5d 41 5c 41 5d c3 0f 1f 44 00 00 55 48 89 e5 41 56 Reported-by: Net Filter Fixes: b54ab92b84b6 ("netfilter: refcounter conversions") Signed-off-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_conn.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) commit b8e9dc1c75714ceb53615743e1036f76e00f5a17 Author: Florian Westphal Date: Wed May 2 14:07:42 2018 +0200 netfilter: nf_tables: nft_compat: fix refcount leak on xt module Taehee Yoo reported following bug: iptables-compat -I OUTPUT -m cpu --cpu 0 iptables-compat -F lsmod |grep xt_cpu xt_cpu 16384 1 Quote: "When above command is given, a netlink message has two expressions that are the cpu compat and the nft_counter. The nft_expr_type_get() in the nf_tables_expr_parse() successes first expression then, calls select_ops callback. (allocates memory and holds module) But, second nft_expr_type_get() in the nf_tables_expr_parse() returns -EAGAIN because of request_module(). In that point, by the 'goto err1', the 'module_put(info[i].ops->type->owner)' is called. There is no release routine." The core problem is that unlike all other expression, nft_compat select_ops has side effects. 1. it allocates dynamic memory which holds an nft ops struct. In all other expressions, ops has static storage duration. 2. It grabs references to the xt module that it is supposed to invoke. Depending on where things go wrong, error unwinding doesn't always do the right thing. In the above scenario, a new nft_compat_expr is created and xt_cpu module gets loaded with a refcount of 1. Due to to -EAGAIN, the netlink messages get re-parsed. When that happens, nft_compat finds that xt_cpu is already present and increments module refcount again. This fixes the problem by making select_ops to have no visible side effects and removes all extra module_get/put. When select_ops creates a new nft_compat expression, the new expression has a refcount of 0, and the xt module gets its refcount incremented. When error happens, the next call finds existing entry, but will no longer increase the reference count -- the presence of existing nft_xt means we already hold a module reference. Because nft_xt_put is only called from nft_compat destroy hook, it will never see the initial zero reference count. ->destroy can only be called after ->init(), and that will increase the refcount. Lastly, we now free nft_xt struct with kfree_rcu. Else, we get use-after free in nf_tables_rule_destroy: while (expr != nft_expr_last(rule) && expr->ops) { nf_tables_expr_destroy(ctx, expr); expr = nft_expr_next(expr); // here nft_expr_next() dereferences expr->ops. This is safe for all users, as ops have static storage duration. In nft_compat case however, its ->destroy callback can free the memory that hold the ops structure. Tested-by: Taehee Yoo Reported-by: Taehee Yoo Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_compat.c | 92 +++++++++++++++++++++++++++++----------------- 1 file changed, 58 insertions(+), 34 deletions(-) commit a4995684a949cc1d28fbf09900c47c34b9427ecf Author: Stephen Hemminger Date: Fri Apr 27 11:16:09 2018 -0700 netfilter: bridge: stp fix reference to uninitialized data The destination mac (destmac) is only valid if EBT_DESTMAC flag is set. Fix by changing the order of the comparison to look for the flag first. Reported-by: syzbot+5c06e318fc558cc27823@syzkaller.appspotmail.com Signed-off-by: Stephen Hemminger Signed-off-by: Pablo Neira Ayuso net/bridge/netfilter/ebt_stp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 7a25ac2f71a409e77dd5c85cf3cbe1cbf2ae77f3 Author: Sergei Shtylyov Date: Fri Apr 27 21:53:33 2018 +0300 DT: net: can: rcar_canfd: document R8A77980 bindings Document the R-Car V3H (R8A77980) SoC support in the R-Car CAN-FD bindings. Signed-off-by: Sergei Shtylyov Reviewed-by: Simon Horman Signed-off-by: Marc Kleine-Budde Documentation/devicetree/bindings/net/can/rcar_canfd.txt | 1 + 1 file changed, 1 insertion(+) commit 0a4fe40efb04686529d998716d1680429d0b586b Author: Sergei Shtylyov Date: Thu Apr 26 22:41:14 2018 +0300 DT: net: can: rcar_canfd: document R8A77970 bindings Document the R-Car V3M (R8A77970) SoC support in the R-Car CAN-FD bindings. Signed-off-by: Sergei Shtylyov Reviewed-by: Ramesh Shanmugasundaram Reviewed-by: Simon Horman Signed-off-by: Marc Kleine-Budde Documentation/devicetree/bindings/net/can/rcar_canfd.txt | 1 + 1 file changed, 1 insertion(+) commit 1469c5f033a287dc25d113ea65c498c0603fbaa1 Author: Geert Uytterhoeven Date: Thu May 3 15:02:33 2018 +0200 dt-bindings: can: rcar_can: Fix R8A7796 SoC name R8A7796 is R-Car M3-W. Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Marc Kleine-Budde Documentation/devicetree/bindings/net/can/rcar_canfd.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 Author: Jimmy Assarsson Date: Fri Apr 20 14:38:46 2018 +0200 can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped. Signed-off-by: Jimmy Assarsson Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/usb/kvaser_usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9a62dcf486c10daf5366f29df1c799f69b1510f9 Author: Uwe Kleine-König Date: Wed Apr 25 16:50:40 2018 +0200 arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan Commit d50f4630c2e1 ("arm: dts: Remove p1010-flexcan compatible from imx series dts") removed the fallback compatible "fsl,p1010-flexcan" from the imx device trees. As the flexcan cores on i.MX25, i.MX35 and i.MX53 are identical, introduce the first as fallback for the two latter ones. Fixes: d50f4630c2e1 ("arm: dts: Remove p1010-flexcan compatible from imx series dts") Signed-off-by: Uwe Kleine-König Cc: linux-stable # >= v4.16 Signed-off-by: Marc Kleine-Budde arch/arm/boot/dts/imx35.dtsi | 4 ++-- arch/arm/boot/dts/imx53.dtsi | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 0e030a373df3b8792b8991740fc31fe0629c6e58 Author: Uwe Kleine-König Date: Wed Apr 25 16:50:39 2018 +0200 can: flexcan: fix endianess detection In commit 88462d2a7830 ("can: flexcan: Remodel FlexCAN register r/w APIs for big endian FlexCAN controllers.") the following logic was implemented: if the dt property "big-endian" is given or the device is compatible to "fsl,p1010-flexcan": use big-endian mode; else use little-endian mode; This relies on commit d50f4630c2e1 ("arm: dts: Remove p1010-flexcan compatible from imx series dts") which was applied a few commits later. Without this commit (or an old device tree used for booting a new kernel) the flexcan devices on i.MX25, i.MX28, i.MX35 and i.MX53 match the 'the device is compatible to "fsl,p1010-flexcan"' test and so are switched erroneously to big endian mode. Instead of the check above put a quirk in devtype data and rely on of_match_device yielding the most compatible match Fixes: 88462d2a7830 ("can: flexcan: Remodel FlexCAN register r/w APIs for big endian FlexCAN controllers.") Signed-off-by: Uwe Kleine-König Tested-by: Gavin Schenk Cc: linux-stable # >= v4.16 Signed-off-by: Marc Kleine-Budde drivers/net/can/flexcan.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) commit 71c23a821c6bcacba71a094efe49ee689605906b Author: Jakob Unterwurzacher Date: Wed Apr 18 16:10:03 2018 +0200 can: dev: increase bus-off message severity bus-off is usually caused by hardware malfunction or configuration error (baud rate mismatch) and causes a complete loss of communication. Increase the "bus-off" message's severity from netdev_dbg() to netdev_info() to make it visible to the user. A can interface going into bus-off is similar in severity to ethernet's "Link is Down" message, which is also printed at info level. It is debatable whether the the "restarted" message should also be changed to netdev_info() to make the interface state changes comprehensible from the kernel log. I have chosen to keep the "restarted" message at dbg for now as the "bus-off" message should be enough for the user to notice and investigate the problem. Signed-off-by: Jakob Unterwurzacher Cc: linux-can@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Marc Kleine-Budde drivers/net/can/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6c0a8f6b5a45ac892a763b6299bd3c5324fc5e02 Author: Michael Ellerman Date: Tue May 8 14:59:56 2018 +1000 powerpc/pseries: Fix CONFIG_NUMA=n build The build is failing with CONFIG_NUMA=n and some compiler versions: arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_online_cpu': hotplug-cpu.c:(.text+0x12c): undefined reference to `timed_topology_update' arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_cpu_remove': hotplug-cpu.c:(.text+0x400): undefined reference to `timed_topology_update' Fix it by moving the empty version of timed_topology_update() into the existing #ifdef block, which has the right guard of SPLPAR && NUMA. Fixes: cee5405da402 ("powerpc/hotplug: Improve responsiveness of hotplug change") Signed-off-by: Michael Ellerman arch/powerpc/include/asm/topology.h | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) commit 2c5d5b13c6eb79f5677e206b8aad59b3a2097f60 Author: Eric Dumazet Date: Mon May 7 09:02:25 2018 -0700 llc: better deal with too small mtu syzbot loves to set very small mtu on devices, since it brings joy. We must make llc_ui_sendmsg() fool proof. usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446612139802320068)! kernel BUG at mm/usercopy.c:100! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 17464 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #36 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: 0018:ffff8801868bf800 EFLAGS: 00010282 RAX: 000000000000006c RBX: ffffffff87d2fb00 RCX: 0000000000000000 RDX: 000000000000006c RSI: ffffffff81610731 RDI: ffffed0030d17ef6 RBP: ffff8801868bf858 R08: ffff88018daa4200 R09: ffffed003b5c4fb0 R10: ffffed003b5c4fb0 R11: ffff8801dae27d87 R12: ffffffff87d2f8e0 R13: ffffffff87d2f7a0 R14: ffffffff87d2f7a0 R15: ffffffff87d2f7a0 FS: 00007f56a14ac700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2bc21000 CR3: 00000001abeb1000 CR4: 00000000001426f0 DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000030602 Call Trace: check_bogus_address mm/usercopy.c:153 [inline] __check_object_size+0x5d9/0x5d9 mm/usercopy.c:256 check_object_size include/linux/thread_info.h:108 [inline] check_copy_size include/linux/thread_info.h:139 [inline] copy_from_iter_full include/linux/uio.h:121 [inline] memcpy_from_msg include/linux/skbuff.h:3305 [inline] llc_ui_sendmsg+0x4b1/0x1530 net/llc/af_llc.c:941 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 __sys_sendto+0x3d7/0x670 net/socket.c:1789 __do_sys_sendto net/socket.c:1801 [inline] __se_sys_sendto net/socket.c:1797 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455979 RSP: 002b:00007f56a14abc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f56a14ac6d4 RCX: 0000000000455979 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000018 RBP: 000000000072bea0 R08: 00000000200012c0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000548 R14: 00000000006fbf60 R15: 0000000000000000 Code: 55 c0 e8 c0 55 bb ff ff 75 c8 48 8b 55 c0 4d 89 f9 ff 75 d0 4d 89 e8 48 89 d9 4c 89 e6 41 56 48 c7 c7 80 fa d2 87 e8 a0 0b a3 ff <0f> 0b e8 95 55 bb ff e8 c0 a8 f7 ff 8b 95 14 ff ff ff 4d 89 e8 RIP: usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: ffff8801868bf800 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller net/llc/af_llc.c | 3 +++ 1 file changed, 3 insertions(+) commit 895b61760bec60e0b5dbfc4d9e2c8e6299da8f81 Merge: a9f71d0 a09bd81 Author: David S. Miller Date: Tue May 8 00:06:45 2018 -0400 Merge branch 'Aquantia-various-patches-2018-05' Igor Russkikh says: ==================== Aquantia various patches 2018-05 These are two patches covering issues found during test cycles: First is that driver should declare valid vlan_features Second fix is about correct allocation of MSI interrupts on some systems. ==================== Signed-off-by: David S. Miller commit a09bd81b5413d1b4d705c6c5303b5d311069da22 Author: Igor Russkikh Date: Mon May 7 16:10:39 2018 +0300 net: aquantia: Limit number of vectors to actually allocated irqs Driver should use pci_alloc_irq_vectors return value to correct number of allocated vectors and napi instances. Otherwise it'll panic later in pci_irq_vector. Driver also should allow more than one MSI vectors to be allocated. Error return path from pci_alloc_irq_vectors is also fixed to revert resources in a correct sequence when error happens. Reported-by: Long, Nicholas Fixes: 23ee07a ("net: aquantia: Cleanup pci functions module") Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 1 + drivers/net/ethernet/aquantia/atlantic/aq_nic.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 20 ++++++++++---------- 3 files changed, 12 insertions(+), 10 deletions(-) commit 8c61ab7f111a2b29d051348b9cb9a39804ebf1f8 Author: Igor Russkikh Date: Mon May 7 16:10:38 2018 +0300 net: aquantia: driver should correctly declare vlan_features bits In particular, not reporting SG forced skbs to be linear for vlan interfaces over atlantic NIC. With this fix it is possible to enable SG feature on device and therefore optimize performance. Reported-by: Ma Yuying Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++ 1 file changed, 2 insertions(+) commit a9f71d0de68db84de610b09cb72e8eb0f621d0e1 Author: Georg Hofmann Date: Mon May 7 14:03:18 2018 +0200 trivial: fix inconsistent help texts This patch removes "experimental" from the help text where depends on CONFIG_EXPERIMENTAL was already removed. Signed-off-by: Georg Hofmann Signed-off-by: David S. Miller net/ipv6/Kconfig | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) commit 5ed3fde21331407a319e966a0582195988b4f4f0 Author: Steffen Klassert Date: Mon May 7 12:39:30 2018 +0200 MAINTAINERS: Update the 3c59x network driver entry Replace my old E-Mail address with a working one. While at it, change the maintainance status to 'Odd Fixes'. I'm still around with some knowledge, but don't actively maintain it anymore. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller MAINTAINERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit fa89adba1941e4f3b213399b81732a5c12fd9131 Author: Jens Remus Date: Thu May 3 13:52:47 2018 +0200 scsi: zfcp: fix infinite iteration on ERP ready list zfcp_erp_adapter_reopen() schedules blocking of all of the adapter's rports via zfcp_scsi_schedule_rports_block() and enqueues a reopen adapter ERP action via zfcp_erp_action_enqueue(). Both are separately processed asynchronously and concurrently. Blocking of rports is done in a kworker by zfcp_scsi_rport_work(). It calls zfcp_scsi_rport_block(), which then traces a DBF REC "scpdely" via zfcp_dbf_rec_trig(). zfcp_dbf_rec_trig() acquires the DBF REC spin lock and then iterates with list_for_each() over the adapter's ERP ready list without holding the ERP lock. This opens a race window in which the current list entry can be moved to another list, causing list_for_each() to iterate forever on the wrong list, as the erp_ready_head is never encountered as terminal condition. Meanwhile the ERP action can be processed in the ERP thread by zfcp_erp_thread(). It calls zfcp_erp_strategy(), which acquires the ERP lock and then calls zfcp_erp_action_to_running() to move the ERP action from the ready to the running list. zfcp_erp_action_to_running() can move the ERP action using list_move() just during the aforementioned race window. It then traces a REC RUN "erator1" via zfcp_dbf_rec_run(). zfcp_dbf_rec_run() tries to acquire the DBF REC spin lock. If this is held by the infinitely looping kworker, it effectively spins forever. Example Sequence Diagram: Process ERP Thread rport_work ------------------- ------------------- ------------------- zfcp_erp_adapter_reopen() zfcp_erp_adapter_block() zfcp_scsi_schedule_rports_block() lock ERP zfcp_scsi_rport_work() zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER) list_add_tail() on ready !(rport_task==RPORT_ADD) wake_up() ERP thread zfcp_scsi_rport_block() zfcp_dbf_rec_trig() zfcp_erp_strategy() zfcp_dbf_rec_trig() unlock ERP lock DBF REC zfcp_erp_wait() lock ERP | zfcp_erp_action_to_running() | list_for_each() ready | list_move() current entry | ready to running | zfcp_dbf_rec_run() endless loop over running | zfcp_dbf_rec_run_lvl() | lock DBF REC spins forever Any adapter recovery can trigger this, such as setting the device offline or reboot. V4.9 commit 4eeaa4f3f1d6 ("zfcp: close window with unblocked rport during rport gone") introduced additional tracing of (un)blocking of rports. It missed that the adapter->erp_lock must be held when calling zfcp_dbf_rec_trig(). This fix uses the approach formerly introduced by commit aa0fec62391c ("[SCSI] zfcp: Fix sparse warning by providing new entry in dbf") that got later removed by commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions."). Introduce zfcp_dbf_rec_trig_lock(), a wrapper for zfcp_dbf_rec_trig() that acquires and releases the adapter->erp_lock for read. Reported-by: Sebastian Ott Signed-off-by: Jens Remus Fixes: 4eeaa4f3f1d6 ("zfcp: close window with unblocked rport during rport gone") Cc: # 2.6.32+ Reviewed-by: Benjamin Block Signed-off-by: Steffen Maier Signed-off-by: Martin K. Petersen drivers/s390/scsi/zfcp_dbf.c | 23 ++++++++++++++++++++++- drivers/s390/scsi/zfcp_ext.h | 5 ++++- drivers/s390/scsi/zfcp_scsi.c | 14 +++++++------- 3 files changed, 33 insertions(+), 9 deletions(-) commit 1822f638e8af1f5e277e61d2245ffa826c22a4a4 Merge: 080324c b4331a6 Author: David S. Miller Date: Mon May 7 23:51:30 2018 -0400 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2018-05-07 1) Always verify length of provided sadb_key to fix a slab-out-of-bounds read in pfkey_add. From Kevin Easton. 2) Make sure that all states are really deleted before we check that the state lists are empty. Otherwise we trigger a warning. 3) Fix MTU handling of the VTI6 interfaces on interfamily tunnels. From Stefano Brivio. ==================== Signed-off-by: David S. Miller commit 080324c36ade319f57e505633ab54f6f53289b45 Author: Andre Tomt Date: Mon May 7 04:24:39 2018 +0200 net/tls: Fix connection stall on partial tls record In the case of writing a partial tls record we forgot to clear the ctx->in_tcp_sendpages flag, causing some connections to stall. Fixes: c212d2c7fc47 ("net/tls: Don't recursively call push_record during tls_write_space callbacks") Signed-off-by: Andre Tomt Signed-off-by: David S. Miller net/tls/tls_main.c | 1 + 1 file changed, 1 insertion(+) commit 53bc017f72b3b7f7f1bad3043c2d6dd87331ea44 Author: Wolfram Sang Date: Sun May 6 13:23:52 2018 +0200 net: flow_dissector: fix typo 'can by' to 'can be' Signed-off-by: Wolfram Sang Signed-off-by: David S. Miller include/net/flow_dissector.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9255bacd57a5a247be91ce2b81ff09e15a0b8822 Author: Andrew Lunn Date: Sat May 5 20:58:22 2018 +0200 net: dsa: mv88e6xxx: Fix PHY interrupts by parameterising PHY base address Most of the mv88e6xxx switches have the PHYs at address 0, 1, 2, ... The 6341 however has the PHYs at 0x10, 0x11, 0x12. Add a parameter to the info structure for this base address. Testing of 6f88284f3bd7 ("net: dsa: mv88e6xxx: Add MDIO interrupts for internal PHYs") was performed on the 6341. So it works only on the 6341. Use this base information to correctly set the interrupt. Fixes: 6f88284f3bd7 ("net: dsa: mv88e6xxx: Add MDIO interrupts for internal PHYs") Signed-off-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/dsa/mv88e6xxx/chip.c | 26 ++++++++++++++++++++++++++ drivers/net/dsa/mv88e6xxx/chip.h | 1 + drivers/net/dsa/mv88e6xxx/global2.c | 2 +- 3 files changed, 28 insertions(+), 1 deletion(-) commit 98f0a39529e553bb45c0a7d775d2cc2afe9ed91d Author: Eric Dumazet Date: Sat May 5 08:35:04 2018 -0700 tls: fix use after free in tls_sk_proto_close syzbot reported a use-after-free in tls_sk_proto_close Add a boolean value to cleanup a bit this function. BUG: KASAN: use-after-free in tls_sk_proto_close+0x8ab/0x9c0 net/tls/tls_main.c:297 Read of size 1 at addr ffff8801ae40a858 by task syz-executor363/4503 CPU: 0 PID: 4503 Comm: syz-executor363 Not tainted 4.17.0-rc3+ #34 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 tls_sk_proto_close+0x8ab/0x9c0 net/tls/tls_main.c:297 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460 sock_release+0x96/0x1b0 net/socket.c:594 sock_close+0x16/0x20 net/socket.c:1149 __fput+0x34d/0x890 fs/file_table.c:209 ____fput+0x15/0x20 fs/file_table.c:243 task_work_run+0x1e4/0x290 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x1aee/0x2730 kernel/exit.c:865 do_group_exit+0x16f/0x430 kernel/exit.c:968 get_signal+0x886/0x1960 kernel/signal.c:2469 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:265 [inline] do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4457b9 RSP: 002b:00007fdf4d766da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457b9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac38 R13: 3692738801137283 R14: 6bf92c39443c4c1d R15: 0000000000000006 Allocated by task 4498: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] create_ctx net/tls/tls_main.c:521 [inline] tls_init+0x1f9/0xb00 net/tls/tls_main.c:633 tcp_set_ulp+0x1bc/0x520 net/ipv4/tcp_ulp.c:153 do_tcp_setsockopt.isra.39+0x44a/0x2600 net/ipv4/tcp.c:2588 tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2893 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 __do_sys_setsockopt net/socket.c:1914 [inline] __se_sys_setsockopt net/socket.c:1911 [inline] __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 4503: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xd9/0x260 mm/slab.c:3813 tls_sw_free_resources+0x2a3/0x360 net/tls/tls_sw.c:1037 tls_sk_proto_close+0x67c/0x9c0 net/tls/tls_main.c:288 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460 sock_release+0x96/0x1b0 net/socket.c:594 sock_close+0x16/0x20 net/socket.c:1149 __fput+0x34d/0x890 fs/file_table.c:209 ____fput+0x15/0x20 fs/file_table.c:243 task_work_run+0x1e4/0x290 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x1aee/0x2730 kernel/exit.c:865 do_group_exit+0x16f/0x430 kernel/exit.c:968 get_signal+0x886/0x1960 kernel/signal.c:2469 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:265 [inline] do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801ae40a800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 88 bytes inside of 256-byte region [ffff8801ae40a800, ffff8801ae40a900) The buggy address belongs to the page: page:ffffea0006b90280 count:1 mapcount:0 mapping:ffff8801ae40a080 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801ae40a080 0000000000000000 000000010000000c raw: ffffea0006bea9e0 ffffea0006bc94a0 ffff8801da8007c0 0000000000000000 page dumped because: kasan: bad access detected Fixes: dd0bed1665d6 ("tls: support for Inline tls record") Signed-off-by: Eric Dumazet Cc: Atul Gupta Cc: Steve Wise Cc: Ilya Lesokhin Cc: Aviad Yehezkel Cc: Dave Watson Reported-by: syzbot Signed-off-by: David S. Miller net/tls/tls_main.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) commit 59d8d4434f429b4fa8a346fd889058bda427a837 Author: Xin Long Date: Sat May 5 14:59:47 2018 +0800 sctp: delay the authentication for the duplicated cookie-echo chunk Now sctp only delays the authentication for the normal cookie-echo chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does authentication first based on the old asoc, which will definitely fail due to the different auth info in the old asoc. The duplicated cookie-echo chunk will create a new asoc with the auth info from this chunk, and the authentication should also be done with the new asoc's auth info for all of the collision 'A', 'B' and 'D'. Otherwise, the duplicated cookie-echo chunk with auth will never pass the authentication and create the new connection. This issue exists since very beginning, and this fix is to make sctp_assoc_bh_rcv() follow the way sctp_endpoint_bh_rcv() does for the normal cookie-echo chunk to delay the authentication. While at it, remove the unused params from sctp_sf_authenticate() and define sctp_auth_chunk_verify() used for all the places that do the delayed authentication. v1->v2: fix the typo in changelog as Marcelo noticed. Acked-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/associola.c | 30 ++++++++++++++++- net/sctp/sm_statefuns.c | 86 ++++++++++++++++++++++++++----------------------- 2 files changed, 75 insertions(+), 41 deletions(-) commit a86b74d363708d0b04305f356fd3429c7b560a64 Author: Moritz Fischer Date: Fri May 4 10:18:34 2018 -0700 net: nixge: Address compiler warnings about signedness Fixes the following warnings: warning: pointer targets in passing argument 1 of ‘is_valid_ether_addr’ differ in signedness [-Wpointer-sign] if (mac_addr && is_valid_ether_addr(mac_addr)) { ^~~~~~~~ expected ‘const u8 * {aka const unsigned char *}’ but argument is of type ‘const char *’ static inline bool is_valid_ether_addr(const u8 *addr) ^~~~~~~~~~~~~~~~~~~ warning: pointer targets in passing argument 2 of ‘ether_addr_copy’ differ in signedness [-Wpointer-sign] ether_addr_copy(ndev->dev_addr, mac_addr); ^~~~~~~~ expected ‘const u8 * {aka const unsigned char *}’ but argument is of type ‘const char *’ static inline void ether_addr_copy(u8 *dst, const u8 *src) Signed-off-by: Moritz Fischer Signed-off-by: David S. Miller drivers/net/ethernet/ni/nixge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit abcd3d6fc640aff48b17900734eff134f27fdf2a Author: Moritz Fischer Date: Fri May 4 10:18:33 2018 -0700 net: nixge: Fix error path for obtaining mac address Fix issue where nixge_get_nvmem_address() returns a non-NULL return value on a failed nvmem_cell_get() that causes an invalid access when error value encoded in pointer is dereferenced. Furthermore ensure that buffer allocated by nvmem_cell_read() actually gets kfreed() if the function succeeds. Fixes commit 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") Reported-by: Alex Williams Signed-off-by: Moritz Fischer Signed-off-by: David S. Miller drivers/net/ethernet/ni/nixge.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 1751eb42ddb56b1e0a28ade5c5f19b7961a6f0c2 Author: Anders Roxell Date: Fri May 4 18:47:25 2018 +0200 selftests: net: use TEST_PROGS_EXTENDED When a script file that isn't generated uses the variable TEST_GEN_PROGS_EXTENDED and a 'make -C tools/testing/selftests clean' is performed the script file gets removed and git shows the file as deleted. For script files that isn't generated TEST_PROGS_EXTENDED should be used. Fixes: 9faedd643fd9 ("selftests: net: add in_netns.sh TEST_GEN_PROGS_EXTENDED") Signed-off-by: Anders Roxell Signed-off-by: David S. Miller tools/testing/selftests/net/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4a35a9027f64d588d2fd9436dda4126e8d5647d7 Author: Arnaldo Carvalho de Melo Date: Mon May 7 15:27:01 2018 -0300 Revert "perf pmu: Fix pmu events parsing rule" As reported by Adrian Hunter, this breaks intel_pt event parsing: # perf record -e intel_pt//u uname event syntax error: 'intel_pt//u' \___ parser error Run 'perf list' for a list of valid events Usage: perf record [] [] or: perf record [] -- [] -e, --event event selector. use 'perf list' to list available events # This reverts commit 9a4a931ce847f4aaa12edf11b2e050e18bf45910. Reported-by: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: David Ahern Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Wang Nan Link: https://lkml.kernel.org/n/tip-ye1o2mji7x68xotiot1tn1gp@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/parse-events.y | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit de5cb6eb514ebe241e3edeb290cb41deb380b81d Author: Martin Schwidefsky Date: Mon Apr 23 14:31:36 2018 +0200 s390: use expoline thunks in the BPF JIT The BPF JIT need safe guarding against spectre v2 in the sk_load_xxx assembler stubs and the indirect branches generated by the JIT itself need to be converted to expolines. Signed-off-by: Martin Schwidefsky arch/s390/net/bpf_jit.S | 16 ++++++----- arch/s390/net/bpf_jit_comp.c | 63 ++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 71 insertions(+), 8 deletions(-) commit 6deaa3bbca804b2a3627fd685f75de64da7be535 Author: Martin Schwidefsky Date: Tue Apr 24 15:32:08 2018 +0200 s390: extend expoline to BC instructions The BPF JIT uses a 'b (%r)' instruction in the definition of the sk_load_word and sk_load_half functions. Add support for branch-on-condition instructions contained in the thunk code of an expoline. Signed-off-by: Martin Schwidefsky arch/s390/include/asm/nospec-insn.h | 57 +++++++++++++++++++++++++++++++++++++ arch/s390/kernel/nospec-branch.c | 25 ++++++++++++---- 2 files changed, 77 insertions(+), 5 deletions(-) commit 9f18fff63cfd6f559daa1eaae60640372c65f84b Author: Martin Schwidefsky Date: Tue Apr 24 11:18:49 2018 +0200 s390: remove indirect branch from do_softirq_own_stack The inline assembly to call __do_softirq on the irq stack uses an indirect branch. This can be replaced with a normal relative branch. Cc: stable@vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky arch/s390/kernel/irq.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 4253b0e0627ee3461e64c2495c616f1c8f6b127b Author: Martin Schwidefsky Date: Tue Apr 24 08:23:54 2018 +0200 s390: move spectre sysfs attribute code The nospec-branch.c file is compiled without the gcc options to generate expoline thunks. The return branch of the sysfs show functions cpu_show_spectre_v1 and cpu_show_spectre_v2 is an indirect branch as well. These need to be compiled with expolines. Move the sysfs functions for spectre reporting to a separate file and loose an '.' for one of the messages. Cc: stable@vger.kernel.org # 4.16 Fixes: d424986f1d ("s390: add sysfs attributes for spectre") Signed-off-by: Martin Schwidefsky arch/s390/kernel/Makefile | 1 + arch/s390/kernel/nospec-branch.c | 19 ------------------- arch/s390/kernel/nospec-sysfs.c | 21 +++++++++++++++++++++ 3 files changed, 22 insertions(+), 19 deletions(-) commit c50c84c3ac4d5db683904bdb3257798b6ef980ae Author: Martin Schwidefsky Date: Wed Apr 25 18:41:30 2018 +0200 s390/kernel: use expoline for indirect branches The assember code in arch/s390/kernel uses a few more indirect branches which need to be done with execute trampolines for CONFIG_EXPOLINE=y. Cc: stable@vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky arch/s390/kernel/base.S | 24 ++++++++++++++---------- arch/s390/kernel/reipl.S | 7 +++++-- arch/s390/kernel/swsusp.S | 10 ++++++---- 3 files changed, 25 insertions(+), 16 deletions(-) commit 23a4d7fd34856da8218c4cfc23dba7a6ec0a423a Author: Martin Schwidefsky