Linux/linux 83beed7Documentation/devicetree/bindings/thermal exynos-thermal.txt thermal.txt

Merge branch 'fixes' of 

Pull thermal fixes from Eduardo Valentin:
 "A couple of fixes for the thermal subsystem"

* 'fixes' of git://
  dt-bindings: thermal: Remove "cooling-{min|max}-level" properties
  dt-bindings: thermal: remove no longer needed samsung thermal properties

Linux/linux 7e3cb16drivers/mmc/host renesas_sdhi_internal_dmac.c sdhci-pci-core.c

Merge tag 'mmc-v4.17-3' of git://

Pull MMC fixes from Ulf Hansson:
 "A couple of MMC host fixes:

   - sdhci-pci: Fixup tuning for AMD for eMMC HS200 mode

   - renesas_sdhi_internal_dmac: Avoid data corruption by limiting
     DMA RX"

* tag 'mmc-v4.17-3' of git://
  mmc: renesas_sdhi_internal_dmac: limit DMA RX for old SoCs
  mmc: sdhci-pci: Only do AMD tuning for HS200

Linux/linux 7768ee3drivers/md raid1.c md.c

Merge tag 'md/4.17-rc1' of git://

Pull MD fixes from Shaohua Li:
 "Three small fixes for MD:

   - md-cluster fix for faulty device from Guoqing

   - writehint fix for writebehind IO for raid1 from Mariusz

   - a live lock fix for interrupted recovery from Yufen"

* tag 'md/4.17-rc1' of git://
  raid1: copy write hint from master bio to behind bio
  md/raid1: exit sync request if MD_RECOVERY_INTR is set
  md-cluster: don't update recovery_offset for faulty device

Linux/linux 6606259fs/afs server.c

afs: Fix server record deletion

AFS server records get removed from the net->fs_servers tree when
they're deleted, but not from the net->fs_addresses{4,6} lists, which
can lead to an oops in afs_find_server() when a server record has been
removed, for instance during rmmod.

Fix this by deleting the record from the by-address lists before posting
it for RCU destruction.

The reason this hasn't been noticed before is that the fileserver keeps
probing the local cache manager, thereby keeping the service record
alive, so the oops would only happen when a fileserver eventually gets
bored and stops pinging or if the module gets rmmod'd and a call comes
in from the fileserver during the window between the server records
being destroyed and the socket being closed.

The oops looks something like:

  BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
  Workqueue: kafsd afs_process_async_call [kafs]
  RIP: 0010:afs_find_server+0x271/0x36f [kafs]
  Call Trace:

    [12 lines not shown]
+8-11 files

Linux/linux a9e5b73fs namespace.c

vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion

In do_mount() when the MS_* flags are being converted to MNT_* flags,
MS_RDONLY got accidentally convered to SB_RDONLY.

Undo this change.

Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock 
Signed-off-by: David Howells <dhowells at>
Signed-off-by: Linus Torvalds <torvalds at>
+1-11 files

Linux/linux a72db42drivers/net virtio_net.c, drivers/net/ethernet/broadcom/bnxt bnxt_ethtool.c

Merge git://

Pull networking fixes from David Miller:

 1) Unbalanced refcounting in TIPC, from Jon Maloy.

 2) Only allow TCP_MD5SIG to be set on sockets in close or listen state.
    Once the connection is established it makes no sense to change this.
    From Eric Dumazet.

 3) Missing attribute validation in neigh_dump_table(), also from Eric

 4) Fix address comparisons in SCTP, from Xin Long.

 5) Neigh proxy table clearing can deadlock, from Wolfgang Bumiller.

 6) Fix tunnel refcounting in l2tp, from Guillaume Nault.

 7) Fix double list insert in team driver, from Paolo Abeni.

 8) af_vsock.ko module was accidently made unremovable, from Stefan

 9) Fix reference to freed llc_sap object in llc stack, from Cong Wang.

    [26 lines not shown]

Linux/linux b9abdcfarch/s390/hypfs inode.c, fs super.c namespace.c

Merge branch 'for-linus' of git://

Pull vfs fixes from Al Viro:
 "Assorted fixes.

  Some of that is only a matter with fault injection (broken handling of
  small allocation failure in various mount-related places), but the
  last one is a root-triggerable stack overflow, and combined with
  userns it gets really nasty ;-/"

* 'for-linus' of git://
  Don't leak MNT_INTERNAL away from internal mounts
  mm,vmscan: Allow preallocating memory for register_shrinker().
  rpc_pipefs: fix double-dput()
  orangefs_kill_sb(): deal with allocation failures
  jffs2_kill_sb(): deal with failed allocations
  hypfs_kill_super(): deal with failed allocations

Linux/linux 43f70c9fs/ecryptfs crypto.c file.c

Merge tag 'ecryptfs-4.17-rc2-fixes' of 

Pull eCryptfs fixes from Tyler Hicks:
 "Minor cleanups and a bug fix to completely ignore unencrypted
  filenames in the lower filesystem when filename encryption is enabled
  at the eCryptfs layer"

* tag 'ecryptfs-4.17-rc2-fixes' of 
  eCryptfs: don't pass up plaintext names when using filename encryption
  ecryptfs: fix spelling mistake: "cadidate" -> "candidate"
  ecryptfs: lookup: Don't check if mount_crypt_stat is NULL

Linux/linux 0d9cf33. MAINTAINERS, fs/ext2 file.c

Merge tag 'for_v4.17-rc2' of git://

 - isofs memory leak fix

 - two fsnotify fixes of event mask handling

 - udf fix of UTF-16 handling

 - couple other smaller cleanups

* tag 'for_v4.17-rc2' of git://
  udf: Fix leak of UTF-16 surrogates into encoded strings
  fs: ext2: Adding new return type vm_fault_t
  isofs: fix potential memory leak in mount option parsing
  MAINTAINERS: add an entry for FSNOTIFY infrastructure
  fsnotify: fix typo in a comment about mark->g_list
  fsnotify: fix ignore mask logic in send_to_group()
  isofs compress: Remove VLA usage
  fs: quota: Replace GFP_ATOMIC with GFP_KERNEL in dquot_init
  fanotify: fix logic of events on child

Linux/linux 4d18905drivers/hid wacom_wac.c hid-input.c, drivers/hid/i2c-hid i2c-hid.c

Merge branch 'for-linus' of git://

Pull HID updates from Jiri Kosina:

 - suspend/resume handling fix for Raydium I2C-connected touchscreen
   from Aaron Ma

 - protocol fixup for certain BT-connected Wacoms from Aaron Armstrong

 - battery level reporting fix on BT-connected mice from Dmitry Torokhov

 - hidraw race condition fix from Rodrigo Rivas Costa

* 'for-linus' of git://
  HID: i2c-hid: fix inverted return value from i2c_hid_command()
  HID: i2c-hid: Fix resume issue on Raydium touchscreen device
  HID: wacom: bluetooth: send exit report for recent Bluetooth devices
  HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
  HID: input: fix battery level reporting on BT mice

Linux/linux 41e3befDocumentation/livepatch shadow-vars.txt, include/linux livepatch.h

Merge branch 'for-linus' of 

Pull livepatching fix from Jiri Kosina:
 "Shadow variable API list_head initialization fix from Petr Mladek"

* 'for-linus' of git://
  livepatch: Allow to call a custom callback when freeing shadow variables
  livepatch: Initialize shadow variables safely by a custom callback

Linux/linux 36e584ddrivers/xen/xen-pciback pci_stub.c conf_space_quirks.c, drivers/xen/xenbus xenbus_dev_frontend.c

Merge tag 'for-linus-4.17-rc2-tag' of 

Pull xen fixes from Juergen Gross:

 - some fixes of kmalloc() flags

 - one fix of the xenbus driver

 - an update of the pv sound driver interface needed for a driver which
   will go through the sound tree

* tag 'for-linus-4.17-rc2-tag' of git://
  xen: xenbus_dev_frontend: Really return response string
  xen/sndif: Sync up with the canonical definition in Xen
  xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_reg_add
  xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in xen_pcibk_config_quirks_init
  xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_device_alloc
  xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_init_device
  xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_probe

Linux/linux 854da23arch/mips/boot/dts/img boston.dts, arch/mips/include/asm uaccess.h io.h

Merge tag 'mips_fixes_4.17_1' of git://

Pull MIPS fixes from James Hogan:

 - io: Add barriers to read*() & write*()

 - dts: Fix boston PCI bus DTC warnings (4.17)

 - memset: Several corner case fixes (one 3.10, others longer)

* tag 'mips_fixes_4.17_1' of git://
  MIPS: uaccess: Add micromips clobbers to bzero invocation
  MIPS: memset.S: Fix clobber of v1 in last_fixup
  MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
  MIPS: memset.S: EVA & fault support for small_memset
  MIPS: dts: Boston: Fix PCI bus dtc warnings:
  MIPS: io: Add barrier after register read in readX()
  MIPS: io: Prevent compiler reordering writeX()

Linux/linux d08de37arch/powerpc/kernel setup_64.c idle_book3s.S, arch/powerpc/lib feature-fixups.c

Merge tag 'powerpc-4.17-3' of git://

Pull powerpc fixes from Michael Ellerman:

 - Fix an off-by-one bug in our alternative asm patching which leads to
   incorrectly patched code. This bug lay dormant for nearly 10 years
   but we finally hit it due to a recent change.

 - Fix lockups when running KVM guests on Power8 due to a missing check
   when a thread that's running KVM comes out of idle.

 - Fix an out-of-spec behaviour in the XIVE code (P9 interrupt

 - Fix EEH handling of bridge MMIO windows.

 - Prevent crashes in our RFI fallback flush handler if firmware didn't
   tell us the size of the L1 cache (only seen on simulators).

Thanks to: Benjamin Herrenschmidt, Madhavan Srinivasan, Michael Neuling.

* tag 'powerpc-4.17-3' of git://
  powerpc/kvm: Fix lockups when running KVM guests on Power8
  powerpc/eeh: Fix enabling bridge MMIO windows
  powerpc/xive: Fix trying to "push" an already active pool VP

    [2 lines not shown]

Linux/linux c2d94c5arch/s390/configs debug_defconfig default_defconfig, arch/s390/kernel machine_kexec_file.c kexec_elf.c

Merge branch 'for-linus' of git://

Pull s390 fixes and kexec-file-load from Martin Schwidefsky:
 "After the common code kexec patches went in via Andrew we can now push
  the architecture parts to implement the kexec-file-load system call.

  Plus a few more bug fixes and cleanups, this includes an update to the
  default configurations"

* 'for-linus' of git://
  s390/signal: cleanup uapi struct sigaction
  s390: rename default_defconfig to debug_defconfig
  s390: remove gcov defconfig
  s390: update defconfig
  s390: add support for IBM z14 Model ZR1
  s390: remove couple of duplicate includes
  s390/boot: remove unused COMPILE_VERSION and ccflags-y
  s390/nospec: include cpu.h
  s390/decompressor: Ignore file vmlinux.bin.full
  s390/kexec_file: add generated files to .gitignore
  s390/Kconfig: Move kexec config options to "Processor type and features"
  s390/kexec_file: Add ELF loader
  s390/kexec_file: Add crash support to image loader
  s390/kexec_file: Add image loader
  s390/kexec_file: Add kexec_file_load system call

    [4 lines not shown]

Linux/linux 16a34adfs namespace.c

Don't leak MNT_INTERNAL away from internal mounts

We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for
their copies.  As it is, creating a deep stack of bindings of /proc/*/ns/*
somewhere in a new namespace and exiting yields a stack overflow.

Cc: stable at
Reported-by: Alexander Aring <aring at>
Bisected-by: Kirill Tkhai <ktkhai at>
Tested-by: Kirill Tkhai <ktkhai at>
Tested-by: Alexander Aring <aring at>
Signed-off-by: Al Viro <viro at>
+2-11 files

Linux/linux 1255fcbnet/smc af_smc.c

net/smc: fix shutdown in state SMC_LISTEN

Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket
crashes, because
   commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
releases the internal clcsock in smc_close_active() and sets smc->clcsock
to NULL.
For SHUT_RD the smc_close_active() call is removed.
For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the
clcsock is already released.

Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
Signed-off-by: Ursula Braun <ubraun at>
Reported-by: Stephen Hemminger <stephen at>
Signed-off-by: David S. Miller <davem at>
+4-61 files

Linux/linux a60faa6drivers/net/ethernet/broadcom/bnxt bnxt_ethtool.c bnxt_nvm_defs.h

bnxt_en: Fix memory fault in bnxt_ethtool_init()

In some firmware images, the length of BNX_DIR_TYPE_PKG_LOG nvram type
could be greater than the fixed buffer length of 4096 bytes allocated by
the driver.  This was causing HWRM_NVM_READ to copy more data to the buffer
than the allocated size, causing general protection fault.

Fix the issue by allocating the exact buffer length returned by
HWRM_NVM_FIND_DIR_ENTRY, instead of 4096.  Move the kzalloc() call
into the bnxt_get_pkgver() function.

Fixes: 3ebf6f0a09a2 ("bnxt_en: Add installed-package firmware version reporting via 
Ethtool GDRVINFO")
Signed-off-by: Vasundhara Volam <vasundhara-v.volam at>
Signed-off-by: Michael Chan <michael.chan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 0df8bb0drivers/net virtio_net.c

Merge branch 'virtio-ctrl-buffer-fixes'

Michael S. Tsirkin says:

virtio: ctrl buffer fixes

Here are a couple of fixes related to the virtio control buffer.
Lightly tested on x86 only.

Signed-off-by: David S. Miller <davem at>
+39-291 files

Linux/linux 12e5716drivers/net virtio_net.c

virtio_net: split out ctrl buffer

When sending control commands, virtio net sets up several buffers for
DMA. The buffers are all part of the net device which means it's
actually allocated by kvmalloc so it's in theory (on extreme memory
pressure) possible to get a vmalloc'ed buffer which on some platforms
means we can't DMA there.

Fix up by moving the DMA buffers into a separate structure.

Reported-by: Mikulas Patocka <mpatocka at>
Suggested-by: Eric Dumazet <eric.dumazet at>
Signed-off-by: Michael S. Tsirkin <mst at>
Acked-by: Jason Wang <jasowang at>
Signed-off-by: David S. Miller <davem at>
+39-291 files

Linux/linux f4ee703drivers/net virtio_net.c

virtio_net: sparse annotation fix

offloads is a buffer in virtio format, should use
the __virtio64 tag.

Signed-off-by: Michael S. Tsirkin <mst at>
Acked-by: Jason Wang <jasowang at>
Signed-off-by: David S. Miller <davem at>

Linux/linux d7fad4cdrivers/net virtio_net.c

virtio_net: fix adding vids on big-endian

Programming vids (adding or removing them) still passes
guest-endian values in the DMA buffer. That's wrong
if guest is big-endian and when virtio 1 is enabled.

Note: this is on top of a previous patch:
        virtio_net: split out ctrl buffer

Fixes: 9465a7a6f ("virtio_net: enable v1.0 support")
Signed-off-by: Michael S. Tsirkin <mst at>
Acked-by: Jason Wang <jasowang at>
Signed-off-by: David S. Miller <davem at>

Linux/linux f4ea891drivers/net/ethernet/hisilicon/hns hnae.h

net: hns: Avoid action name truncation

When longer interface names are used, the action names exposed in
/proc/interrupts and /proc/irq/* maybe truncated. For example, when
using the predictable name algorithm in systemd on a HiSilicon D05,
I see:

  ubuntu at d05-3:~$  grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'

Increase the max ring name length to allow for an interface name
of IFNAMSIZE. After this change, I now see:

  $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'

    [14 lines not shown]

Linux/linux ab91345Documentation/networking ip-sysctl.txt

docs: ip-sysctl.txt: fix name of some ipv6 variables

The name of the following proc/sysctl entries were incorrectly


Their name was set to the name of the symbol in the .data field of the
control table instead of their .proc name.

Signed-off-by: Olivier Gayot <olivier.gayot at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 65ec0bddrivers/net/vmxnet3 vmxnet3_drv.c vmxnet3_int.h

vmxnet3: fix incorrect dereference when rxvlan is disabled

vmxnet3_get_hdr_len() is used to calculate the header length which in
turn is used to calculate the gso_size for skb. When rxvlan offload is
disabled, vlan tag is present in the header and the function references
ip header from sizeof(ethhdr) and leads to incorrect pointer reference.

This patch fixes this issue by taking sizeof(vlan_ethhdr) into account
if vlan tag is present and correctly references the ip hdr.

Signed-off-by: Ronak Doshi <doshir at>
Acked-by: Guolin Yang <gyang at>
Acked-by: Louis Luo <llouis at>
Signed-off-by: David S. Miller <davem at>

Linux/linux f7e4367net/llc af_llc.c

llc: hold llc_sap before release_sock()

syzbot reported we still access llc->sap in llc_backlog_rcv()
after it is freed in llc_sap_remove_socket():

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
 llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
 llc_conn_service net/llc/llc_conn.c:400 [inline]
 llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
 llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204

llc->sap is refcount'ed and llc_sap_remove_socket() is paired
with llc_sap_add_socket(). This can be amended by holding its refcount
before llc_sap_remove_socket() and releasing it after release_sock().

    [4 lines not shown]
+7-01 files

Linux/linux 02b94fc. MAINTAINERS

MAINTAINERS: Direct networking documentation changes to netdev

Networking docs changes go through the networking tree, so patch the
MAINTAINERS file to direct authors to the right place.

Signed-off-by: Jonathan Corbet <corbet at>
Signed-off-by: David S. Miller <davem at>
+1-01 files

Linux/linux f333554drivers/atm iphase.c

atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"

Trivial fix to spelling mistake in message text.

Signed-off-by: Colin Ian King <colin.king at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 4ec7eb3drivers/net/usb qmi_wwan.c

net: qmi_wwan: add Wistron Neweb D19Q1

This modem is embedded on dlink dwr-960 router.
The oem configuration states:

T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1435 ProdID=d191 Rev=ff.ff
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=0123456789ABCDEF
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

    [14 lines not shown]

Linux/linux 5e84b38net/caif chnl_net.c

net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"

Trivial fix to spelling mistake

Signed-off-by: Colin Ian King <colin.king at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 565020adrivers/net/ethernet/stmicro/stmmac stmmac_main.c dwmac4_core.c

net: stmmac: Disable ACS Feature for GMAC >= 4

ACS Feature is currently enabled for GMAC >= 4 but the llc_snap status
is never checked in descriptor rx_status callback. This will cause
stmmac to always strip packets even that ACS feature is already
stripping them.

Lets be safe and disable the ACS feature for GMAC >= 4 and always strip
the packets for this GMAC version.

Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
Signed-off-by: Jose Abreu <joabreu at>
Cc: David S. Miller <davem at>
Cc: Joao Pinto <jpinto at>
Cc: Giuseppe Cavallaro <peppe.cavallaro at>
Cc: Alexandre Torgue <alexandre.torgue at>
Signed-off-by: David S. Miller <davem at>

Linux/linux da42bb2drivers/net/ethernet/marvell mvpp2.c

net: mvpp2: Fix DMA address mask size

PPv2 TX/RX descriptors uses 40bits DMA addresses, but 41 bits masks were
used (GENMASK_ULL(40, 0)).

This commit fixes that by using the correct mask.

Fixes: e7c5359f2eed ("net: mvpp2: introduce PPv2.2 HW descriptors and adapt accessors")
Signed-off-by: Maxime Chevallier <maxime.chevallier at>
Signed-off-by: David S. Miller <davem at>

Linux/linux bb9aaaanet/core dev_addr_lists.c

net: change the comment of dev_mc_init

The comment of dev_mc_init() is wrong. which use dev_mc_flush
instead of dev_mc_init.

Signed-off-by: Lianwen Sun <sunlw.fnst at
Signed-off-by: David S. Miller <davem at>

Linux/linux 0cbc94ddrivers/mmc/host renesas_sdhi_internal_dmac.c

mmc: renesas_sdhi_internal_dmac: limit DMA RX for old SoCs

Early revisions of certain SoCs cannot do multiple DMA RX streams in
parallel. To avoid data corruption, only allow one DMA RX channel and
fall back to PIO, if needed.

Signed-off-by: Wolfram Sang <wsa+renesas at>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh at>
Tested-by: Nguyen Viet Dung <dung.nguyen.aj at>
Reviewed-by: Simon Horman <horms+renesas at>
Cc: stable at
Signed-off-by: Ulf Hansson <ulf.hansson at>

Linux/linux b658912drivers/hid/i2c-hid i2c-hid.c

HID: i2c-hid: fix inverted return value from i2c_hid_command()

i2c_hid_command() returns non-zero in error cases (the actual
errno). Error handling in for I2C_HID_QUIRK_RESEND_REPORT_DESCR
case in i2c_hid_resume() had the check inverted; fix that.

Fixes: 3e83eda467 ("HID: i2c-hid: Fix resume issue on Raydium touchscreen device")
Reported-by: Dan Carpenter <dan.carpenter at>
Signed-off-by: Jiri Kosina <jkosina at>

Linux/linux 56376c5arch/powerpc/kernel idle_book3s.S

powerpc/kvm: Fix lockups when running KVM guests on Power8

When running KVM guests on Power8 we can see a lockup where one CPU
stops responding. This often leads to a message such as:

  watchdog: CPU 136 detected hard LOCKUP on other CPUs 72
  Task dump for CPU 72:
  qemu-system-ppc R  running task    10560 20917  20908 0x00040004

And then backtraces on other CPUs, such as:

  Task dump for CPU 48:
  ksmd            R  running task    10032  1519      2 0x00000804
  Call Trace:
    --- interrupt: 901 at smp_call_function_many+0x3c8/0x460
        LR = smp_call_function_many+0x37c/0x460

    [25 lines not shown]

Linux/linux 13a83eaarch/powerpc/kernel eeh_pe.c

powerpc/eeh: Fix enabling bridge MMIO windows

On boot we save the configuration space of PCIe bridges. We do this so
when we get an EEH event and everything gets reset that we can restore

Unfortunately we save this state before we've enabled the MMIO space
on the bridges. Hence if we have to reset the bridge when we come back
MMIO is not enabled and we end up taking an PE freeze when the driver
starts accessing again.

This patch forces the memory/MMIO and bus mastering on when restoring
bridges on EEH. Ideally we'd do this correctly by saving the
configuration space writes later, but that will have to come later in
a larger EEH rewrite. For now we have this simple fix.

The original bug can be triggered on a boston machine by doing:
  echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound
On boston, this PHB has a PCIe switch on it.  Without this patch,
you'll see two EEH events, 1 expected and 1 the failure we are fixing
here. The second EEH event causes the anything under the PHB to
disappear (i.e. the i40e eth).

With this patch, only 1 EEH event occurs and devices properly recover.

    [6 lines not shown]

Linux/linux 64e86fedrivers/net/ethernet/qualcomm/rmnet rmnet_config.c

net: qualcomm: rmnet: Fix warning seen with fill_info

When the last rmnet device attached to a real device is removed, the
real device is unregistered from rmnet. As a result, the real device
lookup fails resulting in a warning when the fill_info handler is
called as part of the rmnet device unregistration.

Fix this by returning the rmnet flags as 0 when no real device is

WARNING: CPU: 0 PID: 1779 at net/core/rtnetlink.c:3254
Modules linked in:
CPU: 0 PID: 1779 Comm: ip Not tainted 4.16.0-11872-g7ce2367 #1
 7fe655f0 60371ea3 00000000 00000000
 60282bc6 6006b116 7fe65600 60371ee8
 7fe65660 6003a68c 00000000 900000000
Call Trace:
 [<6006b116>] ? printk+0x0/0x94
 [<6001f375>] show_stack+0xfe/0x158
 [<60371ea3>] ? dump_stack_print_info+0xe8/0xf1
 [<60282bc6>] ? rtmsg_ifinfo_build_skb+0xca/0x10d
 [<6006b116>] ? printk+0x0/0x94
 [<60371ee8>] dump_stack+0x2a/0x2c

    [21 lines not shown]

Linux/linux b3d7e55arch/mips/include/asm uaccess.h

MIPS: uaccess: Add micromips clobbers to bzero invocation

The micromips implementation of bzero additionally clobbers registers t7
& t8. Specify this in the clobbers list when invoking bzero.

Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.")
Reported-by: James Hogan <jhogan at>
Signed-off-by: Matt Redfearn <matt.redfearn at>
Cc: Ralf Baechle <ralf at>
Cc: linux-mips at
Cc: <stable at> # 3.10+
Signed-off-by: James Hogan <jhogan at>

Linux/linux c96eebfarch/mips/lib memset.S

MIPS: memset.S: Fix clobber of v1 in last_fixup

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

static int __init __attribute__((optimize("O0"))) test_clear_user(void)
  register int t asm("v1");
  char *test;
  int j, k;

  pr_info("\n\n\nTesting clear_user\n");
  test = vmalloc(PAGE_SIZE);

  for (j = 256; j < 512; j++) {
    t = 0xa5a5a5a5;
    if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
        pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
    if (t != 0xa5a5a5a5) {
       pr_err("v1 was clobbered to 0x%x!\n", t);

    [28 lines not shown]

Linux/linux 87ef120drivers/block rbd.c, fs/ceph inode.c

Merge tag 'ceph-for-4.17-rc2' of git://

Pull ceph fixes from Ilya Dryomov:
 "A couple of follow-up patches for -rc1 changes in rbd, support for a
  timeout on waiting for the acquisition of exclusive lock and a fix for
  uninitialized memory access in CephFS, marked for stable"

* tag 'ceph-for-4.17-rc2' of git://
  rbd: notrim map option
  rbd: adjust queue limits for "fancy" striping
  rbd: avoid Wreturn-type warnings
  ceph: always update atime/mtime/ctime for new inode
  rbd: support timeout in rbd_wait_state_locked()
  rbd: refactor rbd_wait_state_locked()

Linux/linux 81c8950drivers/net tun.c

tun: fix vlan packet truncation

Bogus trimming in tun_net_xmit() causes truncated vlan packets.

skb->len is correct whether or not skb_vlan_tag_present() is true. There
is no more reason to adjust the skb length on xmit in this driver than
any other driver. tun_put_user() adds 4 bytes to the total for tagged
packets because it transmits the tag inline to userspace.  This is
similar to a nic transmitting the tag inline on the wire.

Reproducing the bug by sending any tagged packet through back-to-back
connected tap interfaces:

 socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out &
 ip link add link in name in.20 type vlan id 20
 ip addr add dev in.20
 ip link set in.20 up
 tshark -nxxi in -f arp -c1 2>/dev/null &
 tshark -nxxi out -f arp -c1 2>/dev/null &
 ping -c 1 >/dev/null 2>&1

The output from the 'in' and 'out' interfaces are different when the
bug is present:

 Capturing on 'in'

    [14 lines not shown]
+1-61 files

Linux/linux 36a50a9net/tipc node.c monitor.c

tipc: fix infinite loop when dumping link monitor summary

When configuring the number of used bearers to MAX_BEARER and issuing
command "tipc link monitor summary", the command enters infinite loop
in user space.

This issue happens because function tipc_nl_node_dump_monitor() returns
the wrong 'prev_bearer' value when all potential monitors have been

The correct behavior is to always try to scan all monitors until either
the netlink message is full, in which case we return the bearer identity
of the affected monitor, or we continue through the whole bearer array
until we can return MAX_BEARERS. This solution also caters for the case
where there may be gaps in the bearer array.

Signed-off-by: Tung Nguyen <tung.q.nguyen at>
Signed-off-by: Jon Maloy <jon.maloy at>
Signed-off-by: David S. Miller <davem at>

Linux/linux be47e41net/tipc name_table.c

tipc: fix use-after-free in tipc_nametbl_stop

When we delete a service item in tipc_nametbl_stop() we loop over
all service ranges in the service's RB tree, and for each service
range we loop over its pertaining publications while calling
tipc_service_remove_publ() for each of them.

However, tipc_service_remove_publ() has the side effect that it also
removes the comprising service range item when there are no publications
left. This leads to a "use-after-free" access when the inner loop
continues to the next iteration, since the range item holding the list
we are looping no longer exists.

We fix this by moving the delete of the service range item outside
the said function. Instead, we now let the two functions calling it
test if the list is empty and perform the removal when that is the

Reported-by: syzbot+d64b64afc55660106556 at
Signed-off-by: Jon Maloy <jon.maloy at>
Signed-off-by: David S. Miller <davem at>
+17-121 files

Linux/linux b32e56earch/powerpc/sysdev/xive native.c

powerpc/xive: Fix trying to "push" an already active pool VP

When setting up a CPU, we "push" (activate) a pool VP for it.

However it's an error to do so if it already has an active
pool VP.

This happens when doing soft CPU hotplug on powernv since we
don't tear down the CPU on unplug. The HW flags the error which
gets captured by the diagnostics.

Fix this by making sure to "pull" out any already active pool

Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
Cc: stable at # v4.12+
Signed-off-by: Benjamin Herrenschmidt <benh at>
Signed-off-by: Michael Ellerman <mpe at>

Linux/linux 44f06bafs/udf unicode.c

udf: Fix leak of UTF-16 surrogates into encoded strings

OSTA UDF specification does not mention whether the CS0 charset in case
of two bytes per character encoding should be treated in UTF-16 or
UCS-2. The sample code in the standard does not treat UTF-16 surrogates
in any special way but on systems such as Windows which work in UTF-16
internally, filenames would be treated as being in UTF-16 effectively.
In Linux it is more difficult to handle characters outside of Base
Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte
characters only. Just make sure we don't leak UTF-16 surrogates into the
resulting string when loading names from the filesystem for now.

CC: stable at # >= v4.6
Reported-by: Mingye Wang <arthur200126 at>
Signed-off-by: Jan Kara <jack at>
+6-01 files

Linux/linux e04907dDocumentation/devicetree/bindings/thermal thermal.txt

dt-bindings: thermal: Remove "cooling-{min|max}-level" properties

The "cooling-min-level" and "cooling-max-level" properties are not
parsed by any part of kernel currently and the max cooling state of a
CPU cooling device is found by referring to the cpufreq table instead.

Remove the unused bindings.

Signed-off-by: Viresh Kumar <viresh.kumar at>
Reviewed-by: Rob Herring <robh at>
Signed-off-by: Eduardo Valentin <edubezval at>

Linux/linux 8b8b590Documentation/devicetree/bindings/thermal exynos-thermal.txt

dt-bindings: thermal: remove no longer needed samsung thermal properties

Remove documentation for longer needed samsung thermal properties.

Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at>
Reviewed-by: Rob Herring <robh at>
Signed-off-by: Eduardo Valentin <edubezval at>

Linux/linux 9c438d7net/dns_resolver dns_key.c

KEYS: DNS: limit the length of option strings

Adding a dns_resolver key whose payload contains a very long option name
resulted in that string being printed in full.  This hit the WARN_ONCE()
in set_precision() during the printk(), because printk() only supports a
precision of up to 32767 bytes:

    precision 1000000 too large
    WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0

Fix it by limiting option strings (combined name + value) to a much more
reasonable 128 bytes.  The exact limit is arbitrary, but currently the
only recognized option is formatted as "dnserror=%lu" which fits well
within this limit.

Also ratelimit the printks.


    perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s

This bug was found using syzkaller.

Reported-by: Mark Rutland <mark.rutland at>
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached 

    [3 lines not shown]

Linux/linux 89bda97drivers/net/ethernet/sfc ef10.c

sfc: check RSS is active for filter insert

For some firmware variants - specifically 'capture packed stream' - RSS
filters are not valid. We must check if RSS is actually active rather
than merely enabled.

Fixes: 42356d9a137b ("sfc: support RSS spreading of ethtool ntuple filters")
Signed-off-by: Bert Kenward <bkenward at>
Signed-off-by: David S. Miller <davem at>