AgeCommit message (Collapse)AuthorFilesLines
2018-05-14Linux 4.17-rc5v4.17-rc5Linus Torvalds1-1/+1
2018-05-13Merge branch 'x86-pti-for-linus' of ↵Linus Torvalds14-78/+153
git:// Pull x86/pti updates from Thomas Gleixner: "A mixed bag of fixes and updates for the ghosts which are hunting us. The scheduler fixes have been pulled into that branch to avoid conflicts. - A set of fixes to address a khread_parkme() race which caused lost wakeups and loss of state. - A deadlock fix for stop_machine() solved by moving the wakeups outside of the stopper_lock held region. - A set of Spectre V1 array access restrictions. The possible problematic spots were discuvered by Dan Carpenters new checks in smatch. - Removal of an unused file which was forgotten when the rest of that functionality was removed" * 'x86-pti-for-linus' of git:// x86/vdso: Remove unused file perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] sched/core: Introduce set_special_state() kthread, sched/wait: Fix kthread_parkme() completion issue kthread, sched/wait: Fix kthread_parkme() wait-loop sched/fair: Fix the update of blocked load when newly idle stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock
2018-05-13Merge branch 'sched-urgent-for-linus' of ↵Linus Torvalds1-56/+1
git:// Pull scheduler fix from Thomas Gleixner: "Revert the new NUMA aware placement approach which turned out to create more problems than it solved" * 'sched-urgent-for-linus' of git:// Revert "sched/numa: Delay retrying placement for automatic NUMA balance after wake_affine()"
2018-05-13Merge branch 'perf-urgent-for-linus' of ↵Linus Torvalds7-6/+25
git:// Pull perf tooling fixes from Thomas Gleixner: "Another small set of perf tooling fixes and updates: - Revert "perf pmu: Fix pmu events parsing rule", as it broke Intel PT event description parsing (Arnaldo Carvalho de Melo) - Sync x86's cpufeatures.h and kvm UAPI headers with the kernel sources, suppressing the ABI drift warnings (Arnaldo Carvalho de Melo) - Remove duplicated entry for westmereep-dp in Intel's mapfile.csv (William Cohen) - Fix typo in 'perf bench numa' options description (Yisheng Xie)" * 'perf-urgent-for-linus' of git:// Revert "perf pmu: Fix pmu events parsing rule" tools headers kvm: Sync ARM UAPI headers with the kernel sources tools headers kvm: Sync uapi/linux/kvm.h with the kernel sources tools headers: Sync x86 cpufeatures.h with the kernel sources perf vendor events intel: Remove duplicated entry for westmereep-dp in mapfile.csv perf bench numa: Fix typo in options
2018-05-13Merge tag 'dma-mapping-4.17-5' of git:// Torvalds1-1/+1
Pull dma-mapping fix from Christoph Hellwig: "Just one little fix from Jean to avoid a harmless but very annoying warning, especially for the drm code" * tag 'dma-mapping-4.17-5' of git:// swiotlb: silent unwanted warning "buffer is full"
2018-05-13Merge tag '4.17-rc4-SMB3-Fixes' of git:// Torvalds4-43/+57
Pull cifs fixes from Steve French: "Some small SMB3 fixes for 4.17-rc5, some for stable" * tag '4.17-rc4-SMB3-Fixes' of git:// smb3: directory sync should not return an error cifs: smb2ops: Fix listxattr() when there are no EAs cifs: smbd: Enable signing with smbdirect cifs: Allocate validate negotiation request through kmalloc
2018-05-12Merge branch 'next' of ↵Linus Torvalds2-5/+12
git:// Pull thermal fixes from Zhang Rui: - fix NULL pointer dereference on module load/probe for int3403_thermal driver - fix an emergency shutdown issue on exynos thermal driver * 'next' of git:// thermal: exynos: Propagate error value from tmu_read() thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: int3403_thermal: Fix NULL pointer deref on module load / probe
2018-05-12Merge tag 'for-linus-20180511' of git:// Torvalds3-2/+23
Pull block fixes from Jens Axboe: "Just a few NVMe fixes this round - one fixing a use-after-free, one fixes the return value after controller reset, and the last one fixes an issue where some drives will spuriously EIO. We should get these into 4.17" * tag 'for-linus-20180511' of git:// nvme: add quirk to force medium priority for SQ creation nvme: Fix sync controller reset return nvme: fix use-after-free in nvme_free_ns_head
2018-05-12swiotlb: silent unwanted warning "buffer is full"Jean Delvare1-1/+1
If DMA_ATTR_NO_WARN is passed to swiotlb_alloc_buffer(), it should be passed further down to swiotlb_tbl_map_single(). Otherwise we escape half of the warnings but still log the other half. This is one of the multiple causes of spurious warnings reported at: Signed-off-by: Jean Delvare <> Fixes: 0176adb00406 ("swiotlb: refactor coherent buffer allocation") Cc: Christoph Hellwig <> Cc: Christian König <> Cc: Michel Dänzer <> Cc: Takashi Iwai <> Cc: # v4.16
2018-05-12Revert "sched/numa: Delay retrying placement for automatic NUMA balance ↵Mel Gorman1-56/+1
after wake_affine()" This reverts commit 7347fc87dfe6b7315e74310ee1243dc222c68086. Srikar Dronamra pointed out that while the commit in question did show a performance improvement on ppc64, it did so at the cost of disabling active CPU migration by automatic NUMA balancing which was not the intent. The issue was that a serious flaw in the logic failed to ever active balance if SD_WAKE_AFFINE was disabled on scheduler domains. Even when it's enabled, the logic is still bizarre and against the original intent. Investigation showed that fixing the patch in either the way he suggested, using the correct comparison for jiffies values or introducing a new numa_migrate_deferred variable in task_struct all perform similarly to a revert with a mix of gains and losses depending on the workload, machine and socket count. The original intent of the commit was to handle a problem whereby wake_affine, idle balancing and automatic NUMA balancing disagree on the appropriate placement for a task. This was particularly true for cases where a single task was a massive waker of tasks but where wake_wide logic did not apply. This was particularly noticeable when a futex (a barrier) woke all worker threads and tried pulling the wakees to the waker nodes. In that specific case, it could be handled by tuning MPI or openMP appropriately, but the behavior is not illogical and was worth attempting to fix. However, the approach was wrong. Given that we're at rc4 and a fix is not obvious, it's better to play safe, revert this commit and retry later. Signed-off-by: Mel Gorman <> Signed-off-by: Peter Zijlstra (Intel) <> Reviewed-by: Srikar Dronamraju <> Cc: Linus Torvalds <> Cc: Thomas Gleixner <> Cc: Cc: Cc: Cc: Cc: Link: Signed-off-by: Ingo Molnar <>
2018-05-12Merge branch 'akpm' (patches from Andrew)Linus Torvalds17-87/+164
Merge misc fixes from Andrew Morton: "13 fixes" * emailed patches from Andrew Morton <>: rbtree: include rcu.h scripts/faddr2line: fix error when addr2line output contains discriminator ocfs2: take inode cluster lock before moving reflinked inode from orphan dir mm, oom: fix concurrent munlock and oom reaper unmap, v3 mm: migrate: fix double call of radix_tree_replace_slot() proc/kcore: don't bounds check against address 0 mm: don't show nr_indirectly_reclaimable in /proc/vmstat mm: sections are not offlined during memory hotremove z3fold: fix reclaim lock-ups init: fix false positives in W+X checking lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit() KASAN: prohibit KASAN+STRUCTLEAK combination MAINTAINERS: update Shuah's email address
2018-05-12rbtree: include rcu.hSebastian Andrzej Siewior2-0/+2
Since commit c1adf20052d8 ("Introduce rb_replace_node_rcu()") rbtree_augmented.h uses RCU related data structures but does not include the header file. It works as long as it gets somehow included before that and fails otherwise. Link: Signed-off-by: Sebastian Andrzej Siewior <> Reviewed-by: Andrew Morton <> Cc: David Howells <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12scripts/faddr2line: fix error when addr2line output contains discriminatorChangbin Du1-1/+4
When addr2line output contains discriminator, the current awk script cannot parse it. This patch fixes it by extracting key words using regex which is more reliable. $ scripts/faddr2line vmlinux tlb_flush_mmu_free+0x26 tlb_flush_mmu_free+0x26/0x50: tlb_flush_mmu_free at mm/memory.c:258 (discriminator 3) scripts/faddr2line: eval: line 173: unexpected EOF while looking for matching `)' Link: Fixes: 6870c0165feaa5 ("scripts/faddr2line: show the code context") Signed-off-by: Changbin Du <> Cc: Thomas Gleixner <> Cc: Greg Kroah-Hartman <> Cc: Philippe Ombredanne <> Cc: NeilBrown <> Cc: Richard Weinberger <> Cc: Kate Stewart <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12ocfs2: take inode cluster lock before moving reflinked inode from orphan dirAshish Samant1-2/+12
While reflinking an inode, we create a new inode in orphan directory, then take EX lock on it, reflink the original inode to orphan inode and release EX lock. Once the lock is released another node could request it in EX mode from ocfs2_recover_orphans() which causes downconvert of the lock, on this node, to NL mode. Later we attempt to initialize security acl for the orphan inode and move it to the reflink destination. However, while doing this we dont take EX lock on the inode. This could potentially cause problems because we could be starting transaction, accessing journal and modifying metadata of the inode while holding NL lock and with another node holding EX lock on the inode. Fix this by taking orphan inode cluster lock in EX mode before initializing security and moving orphan inode to reflink destination. Use the __tracker variant while taking inode lock to avoid recursive locking in the ocfs2_init_security_and_acl() call chain. Link: Signed-off-by: Ashish Samant <> Reviewed-by: Joseph Qi <> Reviewed-by: Junxiao Bi <> Acked-by: Jun Piao <> Cc: Mark Fasheh <> Cc: Joel Becker <> Cc: Changwei Ge <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12mm, oom: fix concurrent munlock and oom reaper unmap, v3David Rientjes3-56/+71
Since exit_mmap() is done without the protection of mm->mmap_sem, it is possible for the oom reaper to concurrently operate on an mm until MMF_OOM_SKIP is set. This allows munlock_vma_pages_all() to concurrently run while the oom reaper is operating on a vma. Since munlock_vma_pages_range() depends on clearing VM_LOCKED from vm_flags before actually doing the munlock to determine if any other vmas are locking the same memory, the check for VM_LOCKED in the oom reaper is racy. This is especially noticeable on architectures such as powerpc where clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd is zapped by the oom reaper during follow_page_mask() after the check for pmd_none() is bypassed, this ends up deferencing a NULL ptl or a kernel oops. Fix this by manually freeing all possible memory from the mm before doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not run on the mm anymore so the munlock is safe to do in exit_mmap(). It also matches the logic that the oom reaper currently uses for determining when to set MMF_OOM_SKIP itself, so there's no new risk of excessive oom killing. This issue fixes CVE-2018-1000200. Link: Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Signed-off-by: David Rientjes <> Suggested-by: Tetsuo Handa <> Acked-by: Michal Hocko <> Cc: Andrea Arcangeli <> Cc: <> [4.14+] Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12mm: migrate: fix double call of radix_tree_replace_slot()Naoya Horiguchi1-3/+1
radix_tree_replace_slot() is called twice for head page, it's obviously a bug. Let's fix it. Link: Fixes: e71769ae5260 ("mm: enable thp migration for shmem thp") Signed-off-by: Naoya Horiguchi <> Reported-by: Matthew Wilcox <> Reviewed-by: Andrew Morton <> Cc: Michal Hocko <> Cc: "Kirill A. Shutemov" <> Cc: Zi Yan <> Cc: Vlastimil Babka <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12proc/kcore: don't bounds check against address 0Laura Abbott1-7/+16
The existing kcore code checks for bad addresses against __va(0) with the assumption that this is the lowest address on the system. This may not hold true on some systems (e.g. arm64) and produce overflows and crashes. Switch to using other functions to validate the address range. It's currently only seen on arm64 and it's not clear if anyone wants to use that particular combination on a stable release. So this is not urgent for stable. Link: Signed-off-by: Laura Abbott <> Tested-by: Dave Anderson <> Cc: Kees Cook <> Cc: Ard Biesheuvel <> Cc: Ingo Molnar <> Cc: Andi Kleen <> Cc: Alexey Dobriyan <>a Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12mm: don't show nr_indirectly_reclaimable in /proc/vmstatRoman Gushchin1-1/+5
Don't show nr_indirectly_reclaimable in /proc/vmstat, because there is no need to export this vm counter to userspace, and some changes are expected in reclaimable object accounting, which can alter this counter. Link: Signed-off-by: Roman Gushchin <> Acked-by: Vlastimil Babka <> Reviewed-by: Andrew Morton <> Cc: Matthew Wilcox <> Cc: Alexander Viro <> Cc: Michal Hocko <> Cc: Johannes Weiner <> Cc: David Rientjes <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12mm: sections are not offlined during memory hotremovePavel Tatashin1-1/+1
Memory hotplug and hotremove operate with per-block granularity. If the machine has a large amount of memory (more than 64G), the size of a memory block can span multiple sections. By mistake, during hotremove we set only the first section to offline state. The bug was discovered because kernel selftest started to fail: After commit, "mm/memory_hotplug: optimize probe routine". But, the bug is older than this commit. In this optimization we also added a check for sections to be in a proper state during hotplug operation. Link: Fixes: 2d070eab2e82 ("mm: consider zone which is not fully populated to have holes") Signed-off-by: Pavel Tatashin <> Acked-by: Michal Hocko <> Reviewed-by: Andrew Morton <> Cc: Vlastimil Babka <> Cc: Steven Sistare <> Cc: Daniel Jordan <> Cc: "Kirill A. Shutemov" <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12z3fold: fix reclaim lock-upsVitaly Wool1-12/+30
Do not try to optimize in-page object layout while the page is under reclaim. This fixes lock-ups on reclaim and improves reclaim performance at the same time. [ coding-style fixes] Link: Signed-off-by: Vitaly Wool <> Reported-by: Guenter Roeck <> Tested-by: Guenter Roeck <> Cc: <> Cc: Matthew Wilcox <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12init: fix false positives in W+X checkingJeffrey Hugo2-0/+12
load_module() creates W+X mappings via __vmalloc_node_range() (from layout_and_allocate()->move_module()->module_alloc()) by using PAGE_KERNEL_EXEC. These mappings are later cleaned up via "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module(). This is a problem because call_rcu_sched() queues work, which can be run after debug_checkwx() is run, resulting in a race condition. If hit, the race results in a nasty splat about insecure W+X mappings, which results in a poor user experience as these are not the mappings that debug_checkwx() is intended to catch. This issue is observed on multiple arm64 platforms, and has been artificially triggered on an x86 platform. Address the race by flushing the queued work before running the arch-defined mark_rodata_ro() which then calls debug_checkwx(). Link: Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings") Signed-off-by: Jeffrey Hugo <> Reported-by: Timur Tabi <> Reported-by: Jan Glauber <> Acked-by: Kees Cook <> Acked-by: Ingo Molnar <> Acked-by: Will Deacon <> Acked-by: Laura Abbott <> Cc: Mark Rutland <> Cc: Ard Biesheuvel <> Cc: Catalin Marinas <> Cc: Stephen Smalley <> Cc: Thomas Gleixner <> Cc: Peter Zijlstra <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit()Yury Norov1-1/+6
test_find_first_bit() is intentionally sub-optimal, and may cause soft lockup due to long time of run on some systems. So decrease length of bitmap to traverse to avoid lockup. With the change below, time of test execution doesn't exceed 0.2 seconds on my testing system. Link: Fixes: 4441fca0a27f5 ("lib: test module for find_*_bit() functions") Signed-off-by: Yury Norov <> Reviewed-by: Andrew Morton <> Reported-by: Fengguang Wu <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12KASAN: prohibit KASAN+STRUCTLEAK combinationDmitry Vyukov1-0/+4
Currently STRUCTLEAK inserts initialization out of live scope of variables from KASAN point of view. This leads to KASAN false positive reports. Prohibit this combination for now. Link: Signed-off-by: Dmitry Vyukov <> Acked-by: Kees Cook <> Cc: Fengguang Wu <> Cc: Sergey Senozhatsky <> Cc: Andrey Ryabinin <> Cc: Dennis Zhou <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12MAINTAINERS: update Shuah's email addressShuah Khan (Samsung OSG)1-3/+0
Update email address in MAINTAINERS file due to IT infrastructure changes at Samsung. Link: Signed-off-by: Shuah Khan (Samsung OSG) <> Cc: Mauro Carvalho Chehab <> Cc: David S. Miller <> Cc: Greg Kroah-Hartman <> Cc: Linus Walleij <> Cc: Randy Dunlap <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2018-05-12Merge git:// Torvalds106-291/+714
Pull networking fixes from David Miller: 1) Verify lengths of keys provided by the user is AF_KEY, from Kevin Easton. 2) Add device ID for BCM89610 PHY. Thanks to Bhadram Varka. 3) Add Spectre guards to some ATM code, courtesy of Gustavo A. R. Silva. 4) Fix infinite loop in NSH protocol code. To Eric Dumazet we are most grateful for this fix. 5) Line up /proc/net/netlink headers properly. This fix from YU Bo, we do appreciate. 6) Use after free in TLS code. Once again we are blessed by the honorable Eric Dumazet with this fix. 7) Fix regression in TLS code causing stalls on partial TLS records. This fix is bestowed upon us by Andrew Tomt. 8) Deal with too small MTUs properly in LLC code, another great gift from Eric Dumazet. 9) Handle cached route flushing properly wrt. MTU locking in ipv4, to Hangbin Liu we give thanks for this. 10) Fix regression in SO_BINDTODEVIC handling wrt. UDP socket demux. Paolo Abeni, he gave us this. 11) Range check coalescing parameters in mlx4 driver, thank you Moshe Shemesh. 12) Some ipv6 ICMP error handling fixes in rxrpc, from our good brother David Howells. 13) Fix kexec on mlx5 by freeing IRQs in shutdown path. Daniel Juergens, you're the best! 14) Don't send bonding RLB updates to invalid MAC addresses. Debabrata Benerjee saved us! 15) Uh oh, we were leaking in udp_sendmsg and ping_v4_sendmsg. The ship is now water tight, thanks to Andrey Ignatov. 16) IPSEC memory leak in ixgbe from Colin Ian King, man we've got holes everywhere! 17) Fix error path in tcf_proto_create, Jiri Pirko what would we do without you! * git:// (92 commits) net sched actions: fix refcnt leak in skbmod net: sched: fix error path in tcf_proto_create() when modules are not configured net sched actions: fix invalid pointer dereferencing if skbedit flags missing ixgbe: fix memory leak on ipsec allocation ixgbevf: fix ixgbevf_xmit_frame()'s return type ixgbe: return error on unsupported SFP module when resetting ice: Set rq_last_status when cleaning rq ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' bonding: send learning packets for vlans on slave bonding: do not allow rlb updates to invalid mac net/mlx5e: Err if asked to offload TC match on frag being first net/mlx5: E-Switch, Include VF RDMA stats in vport statistics net/mlx5: Free IRQs in shutdown path rxrpc: Trace UDP transmission failure rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages rxrpc: Fix the min security level for kernel calls rxrpc: Fix error reception on AF_INET6 sockets rxrpc: Fix missing start of call timeout qed: fix spelling mistake: "taskelt" -> "tasklet" ...
2018-05-11Merge tag 'nfs-for-4.17-2' of git:// Torvalds6-22/+17
Pull NFS client fixes from Anna Schumaker: "These patches fix both a possible corruption during NFSoRDMA MR recovery, and a sunrpc tracepoint crash. Additionally, Trond has a new email address to put in the MAINTAINERS file" * tag 'nfs-for-4.17-2' of git:// Change Trond's email address in MAINTAINERS sunrpc: Fix latency trace point crashes xprtrdma: Fix list corruption / DMAR errors during MR recovery
2018-05-11net sched actions: fix refcnt leak in skbmodRoman Mashak1-1/+4
When application fails to pass flags in netlink TLV when replacing existing skbmod action, the kernel will leak refcnt: $ tc actions get action skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 1 bind 0 For example, at this point a buggy application replaces the action with index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags, however refcnt gets bumped: $ tc actions get actions skbmod index 1 total acts 0 action order 0: skbmod pipe set smac 00:11:22:33:44:55 index 1 ref 2 bind 0 $ Tha patch fixes this by calling tcf_idr_release() on existing actions. Fixes: 86da71b57383d ("net_sched: Introduce skbmod action") Signed-off-by: Roman Mashak <> Acked-by: Cong Wang <> Signed-off-by: David S. Miller <>
2018-05-11Merge tag 'ceph-for-4.17-rc5' of git:// Torvalds4-90/+158
Pull ceph fixes from Ilya Dryomov: "These patches fix two long-standing bugs in the DIO code path, one of which is a crash trivially triggerable with splice()" * tag 'ceph-for-4.17-rc5' of git:// ceph: fix iov_iter issues in ceph_direct_read_write() libceph: add osd_req_op_extent_osd_data_bvecs() ceph: fix rsize/wsize capping in ceph_direct_read_write()
2018-05-11net: sched: fix error path in tcf_proto_create() when modules are not configuredJiri Pirko1-1/+1
In case modules are not configured, error out when tp->ops is null and prevent later null pointer dereference. Fixes: 33a48927c193 ("sched: push TC filter protocol creation into a separate function") Signed-off-by: Jiri Pirko <> Acked-by: Cong Wang <> Signed-off-by: David S. Miller <>
2018-05-11Merge tag 'sh-for-4.17-fixes' of git:// Torvalds6-85/+19
Pull arch/sh fixes from Rich Felker: "Fixes for critical regressions and a build failure. The regressions were introduced in 4.15 and 4.17-rc1 and prevented booting on affected systems" * tag 'sh-for-4.17-fixes' of git:// sh: switch to NO_BOOTMEM sh: mm: Fix unprotected access to struct device sh: fix build failure for J2 cpu with SMP disabled
2018-05-11Merge tag 'arm64-fixes' of ↵Linus Torvalds3-1/+10
git:// Pull arm64 fixes from Will Deacon: "There's a small memblock accounting problem when freeing the initrd and a Spectre-v2 mitigation for NVIDIA Denver CPUs which just requires a match on the CPU ID register. Summary: - Mitigate Spectre-v2 for NVIDIA Denver CPUs - Free memblocks corresponding to freed initrd area" * tag 'arm64-fixes' of git:// arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list arm64: Add MIDR encoding for NVIDIA CPUs arm64: To remove initrd reserved area entry from memblock
2018-05-11Merge tag 'powerpc-4.17-5' of ↵Linus Torvalds3-17/+26
git:// Pull powerpc fixes from Michael Ellerman: "One fix for an actual regression, the change to the SYSCALL_DEFINE wrapper broke FTRACE_SYSCALLS for us due to a name mismatch. There's also another commit to the same code to make sure we match all our syscalls with various prefixes. And then just one minor build fix, and the removal of an unused variable that was removed and then snuck back in due to some rebasing. Thanks to: Naveen N. Rao" * tag 'powerpc-4.17-5' of git:// powerpc/pseries: Fix CONFIG_NUMA=n build powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix powerpc/trace/syscalls: Update syscall name matching logic powerpc/64: Remove unused paca->soft_enabled
2018-05-11Merge tag 'trace-v4.17-rc4' of ↵Linus Torvalds1-0/+3
git:// Pull tracing fix from Steven Rostedt: "Working on some new updates to trace filtering, I noticed that the regex_match_front() test was updated to be limited to the size of the pattern instead of the full test string. But as the test string is not guaranteed to be nul terminated, it still needs to consider the size of the test string" * tag 'trace-v4.17-rc4' of git:// tracing: Fix regex_match_front() to not over compare the test string
2018-05-11Merge branch '10GbE' of ↵David S. Miller4-3/+6
git:// Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates 2018-05-11 This series contains fixes to the ice, ixgbe and ixgbevf drivers. Jeff Shaw provides a fix to ensure rq_last_status gets set, whether or not the hardware responds with an error in the ice driver. Emil adds a check for unsupported module during the reset routine for ixgbe. Luc Van Oostenryck fixes ixgbevf_xmit_frame() where it was not using the correct return value (int). Colin Ian King fixes a potential resource leak in ixgbe, where we were not freeing ipsec in our cleanup path. ==================== Signed-off-by: David S. Miller <>
2018-05-11Merge tag 'rxrpc-fixes-20180510' of ↵David S. Miller11-48/+209
git:// David Howells says: ==================== rxrpc: Fixes Here are three fixes for AF_RXRPC and two tracepoints that were useful for finding them: (1) Fix missing start of expect-Rx-by timeout on initial packet transmission so that calls will time out if the peer doesn't respond. (2) Fix error reception on AF_INET6 sockets by using the correct family of sockopts on the UDP transport socket. (3) Fix setting the minimum security level on kernel calls so that they can be encrypted. (4) Add a tracepoint to log ICMP/ICMP6 and other error reports from the transport socket. (5) Add a tracepoint to log UDP sendmsg failure so that we can find out if transmission failure occurred on the UDP socket. ==================== Signed-off-by: David S. Miller <>
2018-05-11net sched actions: fix invalid pointer dereferencing if skbedit flags missingRoman Mashak1-1/+2
When application fails to pass flags in netlink TLV for a new skbedit action, the kernel results in the following oops: [ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130 [ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0 [ 8.310595] Oops: 0000 [#1] SMP PTI [ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw [ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357 [ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140 [ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246 [ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000 [ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100 [ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122 [ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000 [ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000 [ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000 [ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0 [ 8.329289] Call Trace: [ 8.329735] tcf_skbedit_init+0xa7/0xb0 [ 8.330423] tcf_action_init_1+0x362/0x410 [ 8.331139] ? try_to_wake_up+0x44/0x430 [ 8.331817] tcf_action_init+0x103/0x190 [ 8.332511] tc_ctl_action+0x11a/0x220 [ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0 [ 8.333902] ? _cond_resched+0x16/0x40 [ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0 [ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0 [ 8.336178] netlink_rcv_skb+0xdb/0x110 [ 8.336855] netlink_unicast+0x167/0x220 [ 8.337550] netlink_sendmsg+0x2a7/0x390 [ 8.338258] sock_sendmsg+0x30/0x40 [ 8.338865] ___sys_sendmsg+0x2c5/0x2e0 [ 8.339531] ? pagecache_get_page+0x27/0x210 [ 8.340271] ? filemap_fault+0xa2/0x630 [ 8.340943] ? page_add_file_rmap+0x108/0x200 [ 8.341732] ? alloc_set_pte+0x2aa/0x530 [ 8.342573] ? finish_fault+0x4e/0x70 [ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0 [ 8.344337] ? __sys_sendmsg+0x53/0x80 [ 8.345040] __sys_sendmsg+0x53/0x80 [ 8.345678] do_syscall_64+0x4f/0x100 [ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 8.347206] RIP: 0033:0x7f591191da67 [ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67 [ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003 [ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000 [ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000 [ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0 [ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00 00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30 74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c [ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840 [ 8.359770] CR2: 0000000000021130 [ 8.360438] ---[ end trace 60c66be45dfc14f0 ]--- The caller calls action's ->init() and passes pointer to "struct tc_action *a", which later may be initialized to point at the existing action, otherwise "struct tc_action *a" is still invalid, and therefore dereferencing it is an error as happens in tcf_idr_release, where refcnt is decremented. So in case of missing flags tcf_idr_release must be called only for existing actions. v2: - prepare patch for net tree Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding") Signed-off-by: Roman Mashak <> Acked-by: Cong Wang <> Signed-off-by: David S. Miller <>
2018-05-11nvme: add quirk to force medium priority for SQ creationJens Axboe2-1/+16
Some P3100 drives have a bug where they think WRRU (weighted round robin) is always enabled, even though the host doesn't set it. Since they think it's enabled, they also look at the submission queue creation priority. We used to set that to MEDIUM by default, but that was removed in commit 81c1cd98351b. This causes various issues on that drive. Add a quirk to still set MEDIUM priority for that controller. Fixes: 81c1cd98351b ("nvme/pci: Don't set reserved SQ create flags") Cc: Signed-off-by: Jens Axboe <> Signed-off-by: Keith Busch <>
2018-05-11Merge tag 'for-linus-4.17-rc5-tag' of ↵Linus Torvalds1-0/+13
git:// Pull xen fix from Juergen Gross: "One fix for the kernel running as a fully virtualized guest using PV drivers on old Xen hypervisor versions" * tag 'for-linus-4.17-rc5-tag' of git:// x86/xen: Reset VCPU0 info pointer after shared_info remap
2018-05-11ixgbe: fix memory leak on ipsec allocationColin Ian King1-1/+1
The error clean up path kfree's adapter->ipsec and should be instead kfree'ing ipsec. Fix this. Also, the err1 error exit path does not need to kfree ipsec because this failure path was for the failed allocation of ipsec. Detected by CoverityScan, CID#146424 ("Resource Leak") Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA") Signed-off-by: Colin Ian King <> Acked-by: Shannon Nelson <> Tested-by: Andrew Bowers <> Signed-off-by: Jeff Kirsher <>
2018-05-11ixgbevf: fix ixgbevf_xmit_frame()'s return typeLuc Van Oostenryck1-1/+1
The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, but the implementation in this driver returns an 'int'. Fix this by returning 'netdev_tx_t' in this driver too. Signed-off-by: Luc Van Oostenryck <> Tested-by: Andrew Bowers <> Signed-off-by: Jeff Kirsher <>
2018-05-11ixgbe: return error on unsupported SFP module when resettingEmil Tantilov1-0/+3
Add check for unsupported module and return the error code. This fixes a Coverity hit due to unused return status from setup_sfp. Signed-off-by: Emil Tantilov <> Tested-by: Andrew Bowers <> Signed-off-by: Jeff Kirsher <>
2018-05-11ice: Set rq_last_status when cleaning rqJeff Shaw1-1/+1
Prior to this commit, the rq_last_status was only set when hardware responded with an error. This leads to rq_last_status being invalid in the future when hardware eventually responds without error. This commit resolves the issue by unconditionally setting rq_last_status with the value returned in the descriptor. Fixes: 940b61af02f4 ("ice: Initialize PF and setup miscellaneous interrupt") Signed-off-by: Jeff Shaw <> Signed-off-by: Anirudh Venkataramanan <> Tested-by: Tony Brelinski <> Signed-off-by: Jeff Kirsher <>
2018-05-11Change Trond's email address in MAINTAINERSTrond Myklebust1-1/+1
Signed-off-by: Trond Myklebust <>
2018-05-11sh: switch to NO_BOOTMEMRob Herring4-82/+7
Commit 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") inadvertently switched the DT unflattening allocations from memblock to bootmem which doesn't work because the unflattening happens before bootmem is initialized. Swapping the order of bootmem init and unflattening could also fix this, but removing bootmem is desired. So enable NO_BOOTMEM on SH like other architectures have done. Fixes: 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") Reported-by: Rich Felker <> Cc: Yoshinori Sato <> Signed-off-by: Rob Herring <> Signed-off-by: Rich Felker <>
2018-05-11mmap: introduce sane default mmap limitsLinus Torvalds1-0/+32
The internal VM "mmap()" interfaces are based on the mmap target doing everything using page indexes rather than byte offsets, because traditionally (ie 32-bit) we had the situation that the byte offset didn't fit in a register. So while the mmap virtual address was limited by the word size of the architecture, the backing store was not. So we're basically passing "pgoff" around as a page index, in order to be able to describe backing store locations that are much bigger than the word size (think files larger than 4GB etc). But while this all makes a ton of sense conceptually, we've been dogged by various drivers that don't really understand this, and internally work with byte offsets, and then try to work with the page index by turning it into a byte offset with "pgoff << PAGE_SHIFT". Which obviously can overflow. Adding the size of the mapping to it to get the byte offset of the end of the backing store just exacerbates the problem, and if you then use this overflow-prone value to check various limits of your device driver mmap capability, you're just setting yourself up for problems. The correct thing for drivers to do is to do their limit math in page indices, the way the interface is designed. Because the generic mmap code _does_ test that the index doesn't overflow, since that's what the mmap code really cares about. HOWEVER. Finding and fixing various random drivers is a sisyphean task, so let's just see if we can just make the core mmap() code do the limiting for us. Realistically, the only "big" backing stores we need to care about are regular files and block devices, both of which are known to do this properly, and which have nice well-defined limits for how much data they can access. So let's special-case just those two known cases, and then limit other random mmap users to a backing store that still fits in "unsigned long". Realistically, that's not much of a limit at all on 64-bit, and on 32-bit architectures the only worry might be the GPU drivers, which can have big physical address spaces. To make it possible for drivers like that to say that they are 64-bit clean, this patch does repurpose the "FMODE_UNSIGNED_OFFSET" bit in the file flags to allow drivers to mark their file descriptors as safe in the full 64-bit mmap address space. [ The timing for doing this is less than optimal, and this should really go in a merge window. But realistically, this needs wide testing more than it needs anything else, and being main-line is the only way to do that. So the earlier the better, even if it's outside the proper development cycle - Linus ] Cc: Kees Cook <> Cc: Dan Carpenter <> Cc: Al Viro <> Cc: Willy Tarreau <> Cc: Dave Airlie <> Signed-off-by: Linus Torvalds <>
2018-05-11nvme: Fix sync controller reset returnCharles Machalow1-1/+2
If a controller reset is requested while the device has no namespaces, we were incorrectly returning ENETRESET. This patch adds the check for ADMIN_ONLY controller state to indicate a successful reset. Fixes: 8000d1fdb0 ("nvme-rdma: fix sysfs invoked reset_ctrl error flow ") Cc: <> Signed-off-by: Charles Machalow <> [changelog] Signed-off-by: Keith Busch <>
2018-05-11Merge tag 'pm-4.17-rc5' of ↵Linus Torvalds4-26/+31
git:// Pull power management fixes from Rafael Wysocki: "These fix two PCI power management regressions from the 4.13 cycle and one cpufreq schedutil governor bug introduced during the 4.12 cycle, drop a stale comment from the schedutil code and fix two mistakes in docs. Specifics: - Restore device_may_wakeup() check in pci_enable_wake() removed inadvertently during the 4.13 cycle to prevent systems from drawing excessive power when suspended or off, among other things (Rafael Wysocki). - Fix pci_dev_run_wake() to properly handle devices that only can signal PME# when in the D3cold power state (Kai Heng Feng). - Fix the schedutil cpufreq governor to avoid using UINT_MAX as the new CPU frequency in some cases due to a missing check (Rafael Wysocki). - Remove a stale comment regarding worker kthreads from the schedutil cpufreq governor (Juri Lelli). - Fix a copy-paste mistake in the intel_pstate driver documentation (Juri Lelli). - Fix a typo in the system sleep states documentation (Jonathan Neuschäfer)" * tag 'pm-4.17-rc5' of git:// PCI / PM: Check device_may_wakeup() in pci_enable_wake() PCI / PM: Always check PME wakeup capability for runtime wakeup support cpufreq: schedutil: Avoid using invalid next_freq cpufreq: schedutil: remove stale comment PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph PM: docs: sleep-states: Fix a typo ("includig")
2018-05-11Merge tag 'mtd/fixes-for-4.17-rc5' of git:// Torvalds3-70/+52
Pull mtd fixes from Boris Brezillon: - make nand_soft_waitrdy() wait tWB before polling the status REG - fix BCH write in the the Marvell NAND controller driver - fix wrong picosec to msec conversion in the Marvell NAND controller driver - fix DMA handling in the TI OneNAND controllre driver * tag 'mtd/fixes-for-4.17-rc5' of git:// mtd: rawnand: Make sure we wait tWB before polling the STATUS reg mtd: rawnand: marvell: fix command xtype in BCH write hook mtd: rawnand: marvell: pass ms delay to wait_op mtd: onenand: omap2: Disable DMA for HIGHMEM buffers
2018-05-11Merge tag 'mlx5-fixes-2018-05-10' of ↵David S. Miller5-1/+52
git:// Saeed Mahameed says: ==================== Mellanox, mlx5 fixes 2018-05-10 the following series includes some fixes for mlx5 core driver. Please pull and let me know if there's any problem. For -stable v4.5 ("net/mlx5: E-Switch, Include VF RDMA stats in vport statistics") For -stable v4.10 ("net/mlx5e: Err if asked to offload TC match on frag being first") ==================== Signed-off-by: David S. Miller <>
2018-05-11Merge tag 'drm-fixes-for-v4.17-rc5' of ↵Linus Torvalds37-158/+501
git:// Pull drm fixes from Dave Airlie: "nouveau, amdgpu, i915, vc4, omap, exynos and atomic fixes. As last week seemed a bit slow, we got a few more fixes this week. The main stuff is two weeks of fixes for amdgpu, some missing bits of vega12 atom firmware support were added, and some power management fixes. Nouveau got two regression fixes for an DP MST deadlock and a random oops fix. i915 got an LVDS panel timeout fix 2 WARN fixes. exynos fixed a pagefault issue in the mixer driver. vc4 has an oops fix. omap had a bunch of uninit var and error-checking fixes. Two atomic modesetting state fixes. One minor agp cleanup patch" * tag 'drm-fixes-for-v4.17-rc5' of git:// (30 commits) drm/amd/pp: Fix performance drop on Fiji drm/nouveau: Fix deadlock in nv50_mstm_register_connector() drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client agp: uninorth: make two functions static drm/amd/pp: Refine the output of pp_power_profile_mode on VI drm/amdgpu: Switch to interruptable wait to recover from ring hang. drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages drm/amd/display: Use kvzalloc for potentially large allocations drm/amd/display: Don't return ddc result and read_bytes in same return value drm/amd/display: Add get_firmware_info_v3_2 for VG12 drm/amd: Add BIOS smu_info v3_3 required struct def. drm/amd/display: Add VG12 ASIC IDs drm/vc4: Fix scaling of uni-planar formats drm/exynos: hdmi: avoid duplicating drm_bridge_attach drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log drm/i915: Correctly populate user mode h/vdisplay with pipe src size during readout drm/i915: Adjust eDP's logical vco in a reliable place. drm/bridge/sii8620: add Kconfig dependency on extcon drm/omap: handle alloc failures in omap_connector drm/omap: add missing linefeeds to prints ...