Linux/linux 1f07476 arch/x86/pci fixup.c

Merge tag 'pci-v4.15-fixes-3' of git://

Pull PCI fix from Bjorn Helgaas:
 "Fix AMD regression due to not re-enabling the big window on resume
  (Christian König)"

* tag 'pci-v4.15-fixes-3' of git://
  x86/PCI: Enable AMD 64-bit window on resume
+20 -12, 1 file

Linux/linux a84a8ab drivers/net/ethernet/chelsio/cxgb4 cxgb4_tc_flower.c, drivers/net/ethernet/emulex/benet be_main.c

Merge git://

Pull networking fixes from David Miller:

 1) Fix divide by zero in mlx5, from Talat Batheesh.

 2) Guard against invalid GSO packets coming from untrusted guests and
    arriving in qdisc_pkt_len_init(), from Eric Dumazet.

 3) Similarly add such protection to the various protocol GSO handlers.
    From Willem de Bruijn.

 4) Fix regression added to IGMP source address checking for IGMPv3
    reports, from Felix Fietkau.

* git://
  tls: Correct length of scatterlist in tls_sw_sendpage
  be2net: restore properly promisc mode after queues reconfiguration
  net: igmp: fix source address check for IGMPv3 reports
  gso: validate gso_type in GSO handlers
  net: qdisc_pkt_len_init() should be more robust
  ibmvnic: Allocate and request vpd in init_resources
  ibmvnic: Revert to previous mtu when unsupported value requested
  ibmvnic: Modify buffer size and number of queues on failover
  rds: tcp: compute m_ack_seq as offset from ->write_seq

    [4 lines not shown]

Linux/linux 1995266 fs/nfsd auth.c

nfsd: auth: Fix gid sorting when rootsquash enabled

Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility
group_info allocators") appears to break nfsd rootsquash in a pretty
major way.

It adds a call to groups_sort() inside the loop that copies/squashes
gids, which means the valid gids are sorted along with the following
garbage.  The net result is that the highest numbered valid gids are
replaced with any lower-valued garbage gids, possibly including 0.

We should sort only once, after filling in all the gids.

Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
Signed-off-by: Ben Hutchings <ben.hutchings at>
Acked-by: J. Bruce Fields <bfields at>
Signed-off-by: Linus Torvalds <torvalds at>
+3 -3, 1 file

Linux/linux 0afc0de fs/orangefs waitqueue.c

orangefs: use list_for_each_entry_safe in purge_waiting_ops

set_op_state_purged can delete the op.

Signed-off-by: Martin Brandenburg <martin at>
Cc: stable at
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux a0ec1de fs/orangefs devorangefs-req.c

orangefs: initialize op on loop restart in orangefs_devreq_read

In orangefs_devreq_read, there is a loop which picks an op off the list
of pending ops.  If the loop fails to find an op, there is nothing to
read, and it returns EAGAIN.  If the op has been given up on, the loop
is restarted via a goto.  The bug is that the variable which the found
op is written to is not reinitialized, so if there are no more eligible
ops on the list, the code runs again on the already handled op.

This is triggered by interrupting a process while the op is being copied
to the client-core.  It's a fairly small window, but it's there.

Signed-off-by: Martin Brandenburg <martin at>
Cc: stable at
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux 7a8c4dd net/tls tls_sw.c

tls: Correct length of scatterlist in tls_sw_sendpage

The scatterlist is reused by both sendmsg and sendfile.
If a sendmsg of smaller number of pages is followed by a sendfile
of larger number of pages, the scatterlist may be too short, resulting
in a crash in gcm_encrypt.

Add sg_unmark_end to make the list the correct length.

tls_sw_sendmsg already calls sg_unmark_end correctly when it allocates
memory in alloc_sg, or in zerocopy_from_iter.

Signed-off-by: Dave Watson <davejwatson at>
Signed-off-by: David S. Miller <davem at>
+2 -0, 1 file

Linux/linux 52acf06 drivers/net/ethernet/emulex/benet be_main.c

be2net: restore properly promisc mode after queues reconfiguration

The commit 622190669403 ("be2net: Request RSS capability of Rx interface
depending on number of Rx rings") modified be_update_queues() so the
IFACE (HW representation of the netdevice) is destroyed and then
re-created. This causes a regression because potential promiscuous mode
is not restored properly during be_open() because the driver thinks
that the HW has promiscuous mode already enabled.

Note that Lancer is not affected by this bug because RX-filter flags are
disabled during be_close() for this chipset.

Cc: Sathya Perla <sathya.perla at>
Cc: Ajit Khaparde <ajit.khaparde at>
Cc: Sriharsha Basavapatna <sriharsha.basavapatna at>
Cc: Somnath Kotur <somnath.kotur at>

Fixes: 622190669403 ("be2net: Request RSS capability of Rx interface depending on number of Rx rings")
Signed-off-by: Ivan Vecera <ivecera at>
Signed-off-by: David S. Miller <davem at>

Linux/linux ad23b75 net/ipv4 igmp.c

net: igmp: fix source address check for IGMPv3 reports

Commit "net: igmp: Use correct source address on IGMPv3 reports"
introduced a check to validate the source address of locally generated
IGMPv3 packets.
Instead of checking the local interface address directly, it uses
inet_ifa_match(fl4->saddr, ifa), which checks if the address is on the
local subnet (or equal to the point-to-point address if used).

This breaks for point-to-point interfaces, so check against
ifa->ifa_local directly.

Cc: Kevin Cernekee <cernekee at>
Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Reported-by: Sebastian Gottschall <s.gottschall at>
Signed-off-by: Felix Fietkau <nbd at>
Signed-off-by: David S. Miller <davem at>
+1 -1, 1 file

Linux/linux 121d57a net/ipv4 udp_offload.c tcp_offload.c, net/ipv6 udp_offload.c tcpv6_offload.c

gso: validate gso_type in GSO handlers

Validate gso_type during segmentation as SKB_GSO_DODGY sources
may pass packets where the gso_type does not match the contents.

Syzkaller was able to enter the SCTP gso handler with a packet of
gso_type SKB_GSO_TCPV4.

On entry of transport layer gso handlers, verify that the gso_type
matches the transport protocol.

Fixes: 90017accff61 ("sctp: Add GSO support")
Link:<001a1137452496ffc305617e5fe0 at>
Reported-by: syzbot+fee64147a25aecd48055 at
Signed-off-by: Willem de Bruijn <willemb at>
Acked-by: Jason Wang <jasowang at>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 7c68d1a net/core dev.c

net: qdisc_pkt_len_init() should be more robust

Without proper validation of DODGY packets, we might very well
feed qdisc_pkt_len_init() with invalid GSO packets.

tcp_hdrlen() might access out-of-bound data, so let's use
skb_header_pointer() and proper checks.

Whole story is described in commit d0c081b49137 ("flow_dissector:
properly cap thoff field")

We have the goal of validating DODGY packets earlier in the stack,
so we might very well revert this fix in the future.

Signed-off-by: Eric Dumazet <edumazet at>
Cc: Willem de Bruijn <willemb at>
Cc: Jason Wang <jasowang at>
Reported-by: syzbot+9da69ebac7dddd804552 at
Acked-by: Jason Wang <jasowang at>
Signed-off-by: David S. Miller <davem at>
+15 -4, 1 file

Linux/linux 18b0aff drivers/net/ethernet/ibm ibmvnic.c ibmvnic.h

Merge branch 'ibmvnic-reset-behavior-fixes'

John Allen says:

ibmvnic: Reset behavior fixes

This patchset fixes a number of issues related to ibmvnic reset uncovered
from testing new Power9 machines with Everglades adapters and the new
functionality to change mtu and other parameters in the driver.

Changes since v1:
-In patch 1/3, added the line to free the long term buffers before
allocating a new one. This change inadvertently uncovered the problem
that the number of queues can change after a failover as well. To fix
this, we check whether or not the number of queues has changed in
do_reset and if they have, we do a full release and init of the queues.
-In patch 1/3, added variables to the adapter struct to track how
many rx/tx pools have actually been allocated and modify the release
pools routines to use these values rather than the possibly incorrect
req_rx/tx_queues values.

Signed-off-by: David S. Miller <davem at>

Linux/linux 69d08dc drivers/net/ethernet/ibm ibmvnic.c

ibmvnic: Allocate and request vpd in init_resources

In reset events in which our memory allocations need to be reallocated,
VPD data is being freed, but never reallocated. This can cause issues if
we later attempt to access that memory or reset and attempt to free the
memory. This patch moves the allocation of the VPD data to init_resources
so that it will be symmetrically freed during release resources.

Signed-off-by: John Allen <jallen at>
Reviewed-by: Nathan Fontenot <nfont at>
Signed-off-by: David S. Miller <davem at>

Linux/linux e791380 drivers/net/ethernet/ibm ibmvnic.c

ibmvnic: Revert to previous mtu when unsupported value requested

If we request an unsupported mtu value, the vnic server will suggest a
different value. Currently we take the suggested value without question
and login with that value. However, the behavior doesn't seem completely
sane as attempting to change the mtu to some specific value will change
the mtu to some completely different value most of the time. This patch
fixes the issue by logging in with the previously used mtu value and
printing an error message saying that the given mtu is unsupported.

Signed-off-by: John Allen <jallen at>
Reviewed-by: Nathan Fontenot <nfont at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 896d869 drivers/net/ethernet/ibm ibmvnic.c ibmvnic.h

ibmvnic: Modify buffer size and number of queues on failover

Using newer backing devices can cause the required padding at the end of
buffer as well as the number of queues to change after a failover.
Since we currently assume that these values never change, after a
failover to a backing device with different capabilities, we can get
errors from the vnic server, attempt to free long term buffers that are
no longer there, or not free long term buffers that should be freed.

This patch resolves the issue by checking whether any of these values
change, and if so perform the necessary re-allocations.

Signed-off-by: John Allen <jallen at>
Reviewed-by: Nathan Fontenot <nfont at>
Signed-off-by: David S. Miller <davem at>

Linux/linux b589513 net/rds tcp.c tcp_send.c

rds: tcp: compute m_ack_seq as offset from ->write_seq

rds-tcp uses m_ack_seq to track the tcp ack# that indicates
that the peer has received a rds_message. The m_ack_seq is
used in rds_tcp_is_acked() to figure out when it is safe to
drop the rds_message from the RDS retransmit queue.

The m_ack_seq must be calculated as an offset from the right
edge of the in-flight tcp buffer, i.e., it should be based on
the ->write_seq, not the ->snd_nxt.

Signed-off-by: Sowmini Varadhan <sowmini.varadhan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux ab18a9c drivers/net/usb usbnet.c

usbnet: silence an unnecessary warning

That a kevent could not be scheduled is not an error.
Such handlers must be able to deal with multiple events anyway.
As the successful scheduling of a work is a debug event, make
the failure debug priority, too.

V2: coding style

Signed-off-by: Oliver Neukum <oneukum at>
Reported-by: Cristian Caravena <caravena at>
Signed-off-by: David S. Miller <davem at>

Linux/linux affee5e drivers/net/ethernet/chelsio/cxgb4 cxgb4_tc_flower.c

Merge branch 'cxgb4-tc-flower-offload-fixes'

Daniel Borkmann says:

pull-request: bpf 2018-01-18

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix a divide by zero due to wrong if (src_reg == 0) check in
   64-bit mode. Properly handle this in interpreter and mask it
   also generically in verifier to guard against similar checks
   in JITs, from Eric and Alexei.

2) Fix a bug in arm64 JIT when tail calls are involved and progs
   have different stack sizes, from Daniel.

3) Reject stores into BPF context that are not expected BPF_STX |
   BPF_MEM variant, from Daniel.

4) Mark dst reg as unknown on {s,u}bounds adjustments when the
   src reg has derived bounds from dead branches, from Daniel.

    [2 lines not shown]

Linux/linux 100d39a drivers/net/ethernet/chelsio/cxgb4 cxgb4_tc_flower.c

cxgb4: fix endianness for vlan value in cxgb4_tc_flower

Don't change endianness when assigning vlan value in cxgb4_tc_flower
code when processing flow match parameters. The value gets converted
to network order as part of filtering code in set_filter_wr.

Signed-off-by: Kumar Sanghvi <kumaras at>
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy at>
Signed-off-by: Ganesh Goudar <ganeshgr at>
Signed-off-by: David S. Miller <davem at>

Linux/linux d728f13 drivers/net/ethernet/chelsio/cxgb4 cxgb4_tc_flower.c

cxgb4: set filter type to 1 for ETH_P_IPV6

For ethtype_key = ETH_P_IPV6, set filter type as 1 in cxgb4_tc_flower
code when processing flow match parameters.

Signed-off-by: Kumar Sanghvi <kumaras at>
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy at>
Signed-off-by: Ganesh Goudar <ganeshgr at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 7222708 mm page_vma_mapped.c

mm, page_vma_mapped: Introduce pfn_in_hpage()

The new helper would check if the pfn belongs to the page. For huge
pages it checks if the PFN is within range covered by the huge page.

The helper is used in check_pte(). The original code the helper replaces
had two calls to page_to_pfn(). page_to_pfn() is relatively costly.

Although current GCC is able to optimize code to have one call, it's
better to do this explicitly.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov at>
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux 0d665e7 include/linux swapops.h, mm page_vma_mapped.c

mm, page_vma_mapped: Drop faulty pointer arithmetics in check_pte()

Tetsuo reported random crashes under memory pressure on 32-bit x86
system and tracked down to change that introduced

The root cause of the issue is the faulty pointer math in check_pte().
As ->pte may point to an arbitrary page we have to check that they
belong to the section before doing math. Otherwise it may lead to weird

It wasn't noticed until now as mem_map[] is virtually contiguous on
flatmem or vmemmap sparsemem. Pointer arithmetic just works against all
'struct page' pointers. But with classic sparsemem, it doesn't because
each section memap is allocated separately and so consecutive pfns
crossing two sections might have struct pages at completely unrelated

Let's restructure code a bit and replace pointer arithmetic with
operations on pfns.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov at>
Reported-and-tested-by: Tetsuo Handa <penguin-kernel at>
Acked-by: Michal Hocko <mhocko at>
Fixes: ace71a19cec5 ("mm: introduce page_vma_mapped_walk()")

    [2 lines not shown]

Linux/linux e58edaa drivers/net/ethernet/mellanox/mlx5/core en_rx_am.c

net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare

Helmut reported a bug about division by zero while
running traffic and doing physical cable pull test.

When the cable is unplugged the ppms become zero, so when
dividing the current ppms by the previous ppms in the
next dim iteration there is division by zero.

This patch prevents this division for both ppms and epms.

Fixes: c3164d2fc48f ("net/mlx5e: Added BW check for DIM decision mechanism")
Reported-by: Helmut Grauer <helmut.grauer at>
Signed-off-by: Talat Batheesh <talatb at>
Signed-off-by: Saeed Mahameed <saeedm at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 0c5b9b5 . Makefile

Linux 4.15-rc9
+1 -1, 1 file

Linux/linux 5515114 arch/x86/entry entry_64.S, arch/x86/include/asm nospec-branch.h

Merge branch 'x86-pti-for-linus' of git://

Pull x86 pti fixes from Thomas Gleixner:
 "A small set of fixes for the meltdown/spectre mitigations:

   - Make kprobes aware of retpolines to prevent probes in the retpoline

   - Make the machine check exception speculation protected. MCE used to
     issue an indirect call directly from the ASM entry code. Convert
     that to a direct call into a C-function and issue the indirect call
     from there so the compiler can add the retpoline protection,

   - Make the vmexit_fill_RSB() assembly less stupid

   - Fix a typo in the PTI documentation"

* 'x86-pti-for-linus' of git://
  x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
  x86/pti: Document fix wrong index
  kprobes/x86: Disable optimizing on the function jumps to indirect thunk
  kprobes/x86: Blacklist indirect thunk functions for kprobes
  retpoline: Introduce start/end markers of indirect thunk
  x86/mce: Make machine check speculation protected

Linux/linux 319f1e0 arch/x86/kernel process.c

Merge branch 'x86-urgent-for-linus' of 

Pull x86 kexec fix from Thomas Gleixner:
 "A single fix for the WBINVD issue introduced by the SME support which
  causes kexec to fail on non AMD/SME capable CPUs. Issue WBINVD only when
  the CPU has SME and avoid doing so in a loop"

[ Side note: this patch fixes the problem, but it isn't entirely clear
  why it is required. The wbinvd should just work regardless, but there
  seems to be some system - as opposed to CPU - issue, since the wbinvd
  causes more problems later in the shutdown sequence, but wbinvd
  instructions while the system is still active are not problematic.

  Possibly some SMI or pending machine check issue on the affected system ]

* 'x86-urgent-for-linus' of git://
  x86/mm: Rework wbinvd, hlt operation in stop_this_cpu()

Linux/linux 66f8162 kernel/irq matrix.c

Merge branch 'irq-urgent-for-linus' of 

Pull irq fix from Thomas Gleixner:
 "A single fix for the new matrix allocator to prevent vector exhaustion
  by certain network drivers which allocate gazillions of unused vectors
  which cannot be put into reservation mode due to MSI and the lack of
  MSI entry masking.

  The fix/workaround is to spread the vectors across CPUs by searching
  the supplied target CPU mask for the CPU with the smallest number of
  allocated vectors"

* 'irq-urgent-for-linus' of git://
  irq/matrix: Spread interrupts on allocation
+14 -6, 1 file

Linux/linux d517bb7 arch/alpha/kernel sys_sio.c, arch/alpha/lib ev6-memset.S

Merge branch 'for-linus' of git://

Pull alpha fixes from Matt Turner:
 "A build fix and a regression fix"

* 'for-linus' of git://
  alpha/PCI: Fix noname IRQ level detection
  alpha: extend memset16 to EV6 optimised routines

Linux/linux 91cfc88 arch/x86/mm mem_encrypt.c

x86: Use __nostackprotect for sme_encrypt_kernel

Commit bacf6b499e11 ("x86/mm: Use a struct to reduce parameters for SME
PGD mapping") moved some parameters into a structure.

The structure was large enough to trigger the stack protection canary in
sme_encrypt_kernel which doesn't work this early, causing reboots.

Mark sme_encrypt_kernel appropriately to not use the canary.

Fixes: bacf6b499e11 ("x86/mm: Use a struct to reduce parameters for SME PGD mapping")
Signed-off-by: Laura Abbott <labbott at>
Cc: Tom Lendacky <thomas.lendacky at>
Cc: Ingo Molnar <mingo at>
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux 86be899 arch/alpha/kernel sys_sio.c

alpha/PCI: Fix noname IRQ level detection

The conversion of the alpha architecture PCI host bridge legacy IRQ
mapping/swizzling to the new PCI host bridge map/swizzle hooks carried
out through:

commit 0e4c2eeb758a ("alpha/PCI: Replace pci_fixup_irqs() call with
host bridge IRQ mapping hooks")

implies that IRQs for devices are now allocated through pci_assign_irq()
function in pci_device_probe() that is called when a driver matching a
device is found in order to probe the device through the device driver.

Alpha noname platforms required IRQ level programming to be executed
in sio_fixup_irq_levels(), that is called in noname_init_pci(), a
platform hook called within a subsys_initcall.

In noname_init_pci(), present IRQs are detected through
sio_collect_irq_levels() that checks the struct pci_dev->irq number
to detect if an IRQ has been allocated for the device.

By the time sio_collect_irq_levels() is called, some devices may still
not have a matching driver loaded to match them (eg loadable module)
therefore their IRQ allocation is still pending - which means that
sio_collect_irq_levels() does not programme the correct IRQ level for

    [19 lines not shown]

Linux/linux 24b6124 Documentation/virtual/kvm api.txt, arch/powerpc/include/uapi/asm kvm.h

Merge tag 'for-linus' of git://

Pull KVM fixes from Radim Krčmář:
   - fix incorrect huge page mappings on systems using the contiguous
     hint for hugetlbfs
   - support alternative GICv4 init sequence
   - correctly implement the ARM SMCC for HVC and SMC handling

   - add KVM IOCTL for reporting vulnerability and workaround status

   - provide userspace interface for branch prediction changes in

   - use correct macros for bits"

* tag 'for-linus' of git://
  KVM: s390: wire up bpb feature
  KVM: PPC: Book3S: Provide information about hardware/firmware CVE workarounds
  KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in 
  arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls

    [2 lines not shown]

Linux/linux e6252e7 arch/mips Kconfig.debug Kconfig, arch/mips/lib multi3.c libgcc.h

Merge tag 'mips_fixes_4.15_2' of git://

Pull MIPS fixes from James Hogan:
 "Some final MIPS fixes for 4.15, including important build fixes and a

   - Add myself as MIPS co-maintainer.

   - Fix various all*config build failures (particularly as a result of
     switching the default MIPS platform to the "generic" platform).

   - Fix GCC7 build failures (duplicate const and questionable calls to
     missing __multi3 intrinsic on mips64r6).

   - Fix warnings when CPU Idle is enabled (4.14).

   - Fix AR7 serial output (since 3.17).

   - Fix ralink platform_get_irq error checking (since 3.12)"

* tag 'mips_fixes_4.15_2' of git://
  MAINTAINERS: Add James as MIPS co-maintainer
  MIPS: Fix undefined reference to physical_memsize
  MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
  MIPS: mm: Fix duplicate "const" on insn_table_MM

    [8 lines not shown]

Linux/linux 35b3fde arch/s390/include/asm kvm_host.h, arch/s390/include/uapi/asm kvm.h

KVM: s390: wire up bpb feature

The new firmware interfaces for branch prediction behaviour changes
are transparently available for the guest. Nevertheless, there is
new state attached that should be migrated and properly reset.
Provide a mechanism for handling reset, migration and VSIE.

Signed-off-by: Christian Borntraeger <borntraeger at>
Reviewed-by: David Hildenbrand <david at>
Reviewed-by: Cornelia Huck <cohuck at>
[Changed capability number to 152. - Radim]
Signed-off-by: Radim Krčmář <rkrcmar at>

Linux/linux 29d24e3 Documentation/virtual/kvm api.txt, arch/powerpc/include/uapi/asm kvm.h

Merge tag 'kvm-ppc-cve-4.15-2' of 

Add PPC KVM ioctl to report vulnerability and workaround status to userspace.

Linux/linux 8dd903d drivers/scsi/libsas sas_scsi_host.c

Merge tag 'scsi-fixes' of git://

Pull SCSI fix from James Bottomley:
 "One fix for SAS attached SATA CD-ROMs. It turns out that the libata
  handling of CD devices relies on the SCSI error handler, so disable
  async aborts (which don't start the error handler) for these devices"

* tag 'scsi-fixes' of git://
  scsi: libsas: Disable asynchronous aborts for SATA devices

Linux/linux 1cf5561 drivers/md dm-integrity.c dm-crypt.c, drivers/md/persistent-data dm-btree.c

Merge tag 'for-4.15/dm-fixes-2' of 

Pull device mapper fixes from Mike Snitzer:
 "All fixes marked for stable:

   - Fix DM thinp btree corruption seen when inserting a new key/value
     pair into a full root node.

   - Fix DM thinp btree removal deadlock due to artificially low number
     of concurrent locks allowed.

   - Fix possible DM crypt corruption if kernel keyring service is used.
     Only affects ciphers using following IVs: essiv, lmk and tcw.

   - Two DM crypt device initialization error checking fixes.

   - Fix DM integrity to allow use of async ciphers that require DMA"

* tag 'for-4.15/dm-fixes-2' of 
  dm crypt: fix error return code in crypt_ctr()
  dm crypt: wipe kernel key copy after IV initialization
  dm integrity: don't store cipher request on the stack
  dm crypt: fix crash by adding missing check for auth key size

    [2 lines not shown]

Linux/linux ec835f8 kernel/trace trace_events.c ring_buffer.c

Merge tag 'trace-v4.15-rc4-3' of 

Pull tracing fixes from Steven Rostedt:
 "Two more small fixes

   - The conversion of enums into their actual numbers to display in the
     event format file had an off-by-one bug, that could cause an enum
     not to be converted, and break user space parsing tools.

   - A fix to a previous fix to bring back the context recursion checks.
     The interrupt case checks for NMI, IRQ and softirq, but the softirq
     returned the same number regardless if it was set or not, although
     the logic would force it to be set if it were hit"

* tag 'trace-v4.15-rc4-3' of 
  tracing: Fix converting enum's from the map in trace_event_eval_update()
  ring-buffer: Fix duplicate results in mapping context to bits in recursive lock

Linux/linux 672bb0f drivers/input/misc twl4030-vibra.c, drivers/input/mouse alps.c alps.h

Merge branch 'for-linus' of git://

Pull input fixes from Dmitry Torokhov:

 - a fix for use-after-free in Synaptics RMI4 driver

 - correction to multitouch contact tracking on certain ALPS touchpads
   (which got broken when we tried to fix the 2-finger scrolling)

 - touchpad on Lenovo T640p is switched over to SMbus/RMI

 - a few device node refcount fixes

* 'for-linus' of git://
  Input: synaptics-rmi4 - prevent UAF reported by KASAN
  Input: ALPS - fix multi-touch decoding on SS4 plus touchpads
  Input: synaptics - Lenovo Thinkpad T460p devices should use RMI
  Input: of_touchscreen - add MODULE_LICENSE
  Input: 88pm860x-ts - fix child-node lookup
  Input: twl6040-vibra - fix child-node lookup
  Input: twl4030-vibra - fix sibling-node lookup

Linux/linux 9bdbaeb drivers/i2c i2c-core-smbus.c i2c-core-base.c

Merge branch 'i2c/for-current-fixed' of 

Pull i2c fixes from Wolfram Sang:
 "Two bugfixes for the I2C core: Lixing Wang fixed a refcounting problem
  with DT nodes. Jeremy Compostella fixed a buffer overflow possibility
  when using a 'don't use' ioctl interface directly"

* 'i2c/for-current-fixed' of git://
  i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
  i2c: core: decrease reference count of device node in i2c_unregister_device

Linux/linux 9f77a11 drivers/ata libata-core.c

Merge branch 'for-4.15-fixes' of git://

Pull libata fixlet from Tejun Heo:
 "This just adds one more entry for liteon optical drives to the device
  blacklist for large IOs.

  The change is very low risk"

* 'for-4.15-fixes' of git://
  libata: apply MAX_SEC_1024 to all LITEON EP1 series devices

Linux/linux 8b335c7 kernel/cgroup cgroup.c

Merge branch 'for-4.15-fixes' of git://

Pull cgroup fix from Tejun Heo:
 "cgroup.threads should be delegatable (ie. a container should be able
  to write to it from inside) but was missing the flag.

  The change is very low risk"

* 'for-4.15-fixes' of git://
  cgroup: make cgroup.threads delegatable

Linux/linux a2c9c1c kernel workqueue.c

Merge branch 'for-4.15-fixes' of git://

Pull workqueue fixlet from Tejun Heo:
 "One patch to add touch_nmi_watchdog() while dumping workqueue debug
  messages to avoid triggering the lockup detector spuriously.

  The change is very low risk"

* 'for-4.15-fixes' of git://
  workqueue: avoid hard lockups in show_workqueue_state()
+13 -0, 1 file

Linux/linux 6ec8765 arch/arm/boot/dts kirkwood-openblocks_a7.dts da850-lcdk.dts, arch/arm64/boot/dts/marvell armada-cp110-master.dtsi armada-cp110-slave.dtsi

Merge tag 'armsoc-fixes' of git://

Pull ARM SoC fixes from Arnd Bergmann:
 "We have various small DT fixes, and one important regression fix:

  The recent device tree bugfixes that were intended to address issues
  that 'dtc' started warning about in 4.15 fixed various USB PHY device
  nodes, but it turns out that we had code that depended on those nodes
  being incorrect and the probe failing with a particular error code.
  With the workaround we can also deal with correct device nodes.

  The DT fixes include:

   - Allwinner A10 and A20 had the display pipeline set up incorrectly
     (introduced in v4.15)

   - The Altera PMU lacked an interrupt-parent (never worked)

   - Pin muxing on the Openblocks A7 (never worked)

   - Clocks might get set up wrong on Armada 7K/8K (4.15 regression)

  We now have additional device tree patches to address all the
  remaining warnings introduced in 4.15, but decided to queue them for
  4.16 instead, to avoid risking another regression like the USB PHY

    [10 lines not shown]

Linux/linux 4917d5d arch/powerpc Kconfig, arch/powerpc/include/asm hvcall.h

Merge tag 'powerpc-4.15-8' of git://

Pull powerpc fixes from Michael Ellerman:
 "More than we'd like after rc8, but nothing very alarming either, just
  tying up loose ends before the release:

  Since we changed powernv to use cpufreq_get() from show_cpuinfo(), we
  see warnings with PREEMPT enabled. But the preempt_disable() in
  show_cpuinfo() doesn't actually prevent CPU hotplug as it suggests, so
  remove it.

  Two updates to the recently merged RFI flush code. Wire up the generic
  sysfs file to report the status, and add a debugfs file to allow
  enabling/disabling it at runtime.

  Two updates to xmon, one to add the RFI flush related fields to the
  paca dump, and another to not use hashed pointers in the paca dump.

  And one minor fix to add a missing include of linux/types.h in
  asm/hvcall.h, not seen to break the build in upstream, but correct

  Thanks to: Benjamin Herrenschmidt, Michal Suchanek, Nicholas Piggin"

* tag 'powerpc-4.15-8' of git://

    [6 lines not shown]

Linux/linux 9abc937 drivers/gpu/drm/i915 intel_display.c intel_sprite.c, drivers/gpu/drm/nouveau/nvkm/subdev/mmu vmmmcp77.c mcp77.c

Merge tag 'drm-fixes-for-v4.15-rc9' of git://

Pull drm fixes from Dave Airlie:
 "Nouveau, i915, vmwgfx and sun4i regression fixes.

  The i915 change fixes a display corruption problem introduced in 4.15,
  the nouveau changes are for regressions in 4.15, one of the vmwgfx
  fixes goes back a little further, the other is a 4.15 regression fix,
  the 3 sun4i changes fix blank HDMI output on those devices"

* tag 'drm-fixes-for-v4.15-rc9' of git://
  drm/nouveau/mmu/mcp77: fix regressions in stolen memory handling
  drm/nouveau/bar/gk20a: Avoid bar teardown during init
  drm/nouveau/drm/nouveau: Pass the proper arguments to nvif_object_map_handle()
  drm/vmwgfx: fix memory corruption with legacy/sou connectors
  drm/vmwgfx: Fix a boot time warning
  drm/i915: Fix deadlock in i830_disable_pipe()
  drm/i915: Redo plane sanitation during readout
  drm/i915: Add .get_hw_state() method for planes
  drm/sun4i: hdmi: Add missing rate halving check in sun4i_tmds_determine_rate
  drm/sun4i: hdmi: Fix incorrect assignment in sun4i_tmds_determine_rate
  drm/sun4i: hdmi: Check for unset best_parent in sun4i_tmds_determine_rate

Linux/linux d342740 fs/proc array.c, include/linux compiler-gcc.h

Merge branch 'akpm' (patches from Andrew)

Merge misc fixes from Andrew Morton:
 "6 fixes"

* emailed patches from Andrew Morton <akpm at>:
  sparse doesn't support struct randomization
  proc: fix coredump vs read /proc/*/stat race
  scripts/gdb/linux/ fix get_thread_info
  scripts/decodecode: fix decoding for AArch64 (arm64) instructions
  mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages
  mm/memory.c: release locked page in do_swap_page()

Linux/linux 4b664e7 arch/ia64/include/asm atomic.h

ia64: Rewrite atomic_add and atomic_sub

Force __builtin_constant_p to evaluate whether the argument to atomic_add
& atomic_sub is constant in the front-end before optimisations which
can lead GCC to output a call to __bad_increment_for_ia64_fetch_and_add().

See GCC bugzilla 83653.

Signed-off-by: Jakub Jelinek <jakub at>
Signed-off-by: Matthew Wilcox <mawilcox at>
Signed-off-by: Tony Luck <tony.luck at>
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux 883d50f scripts/gdb/linux

scripts/gdb/linux/ fix get_thread_info

Since kernel 4.9, the thread_info has been moved into task_struct and is
no longer located at the bottom of the kernel stack.

See commits c65eacbe290b ("sched/core: Allow putting thread_info into
task_struct") and 15f4eae70d36 ("x86: Move thread_info into

Before fix:
  (gdb) set $current = $lx_current()
  (gdb) p $lx_thread_info($current)
  $1 = {flags = 1470918301}
  (gdb) p $current.thread_info
  $2 = {flags = 2147483648}

After fix:
  (gdb) p $lx_thread_info($current)
  $1 = {flags = 2147483648}
  (gdb) p $current.thread_info
  $2 = {flags = 2147483648}

Link: at
Fixes: 15f4eae70d36 ("x86: Move thread_info into task_struct")
Signed-off-by: Xi Kangjie <imxikangjie at>

    [5 lines not shown]

Linux/linux be9fa66 scripts decodecode

scripts/decodecode: fix decoding for AArch64 (arm64) instructions

There are a couple of problems with the decodecode script and arm64:

1. AArch64 objdump refuses to disassemble .4byte directives as instructions,
   insisting that they are data values and displaying them as:

        a94153f3       .word  0xa94153f3            <-- trapping instruction

   This is resolved by using the .inst directive instead.

2. Disassembly of branch instructions attempts to provide the target as
   an offset from a symbol, e.g.:

   0:   34000082       cbz    w2, 10 <.text+0x10>

  however this falls foul of the grep -v, which matches lines containing
  ".text" and ends up removing all branch instructions from the dump.

This patch resolves both issues by using the .inst directive for 4-byte
quantities on arm64 and stripping the resulting binaries (as is done on
arm already) to remove the mapping symbols.

Link: at
Signed-off-by: Will Deacon <will.deacon at>

    [4 lines not shown]
+8 -0, 1 file

Linux/linux a3d6c97 include/linux compiler-gcc.h

sparse doesn't support struct randomization

Without this patch, I drown in a sea of unknown attribute warnings

Link: at
Signed-off-by: Matthew Wilcox <mawilcox at>
Acked-by: Kees Cook <keescook at>
Cc: Ingo Molnar <mingo at>
Cc: Josh Poimboeuf <jpoimboe at>
Signed-off-by: Andrew Morton <akpm at>
Signed-off-by: Linus Torvalds <torvalds at>

Linux/linux 8bb2ee1 fs/proc array.c

proc: fix coredump vs read /proc/*/stat race

do_task_stat() accesses IP and SP of a task without bumping reference
count of a stack (which became an entity with independent lifetime at
some point).

Steps to reproduce:

    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <sys/time.h>
    #include <sys/resource.h>
    #include <unistd.h>
    #include <sys/wait.h>

    int main(void)
        setrlimit(RLIMIT_CORE, &(struct rlimit){});

        while (1) {
               char buf[64];
               char buf2[4096];
               pid_t pid;

    [52 lines not shown]
+5 -2, 1 file