Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

git://git.cmpxchg.org/linux-mmotm.git master

commit 486ad79630d0ba0b7205a8db9fe15ba392f5ee32
Author:     Andrew Morton
AuthorDate: Fri Apr 20 22:00:53 2018 +0000
Commit:     Johannes Weiner
CommitDate: Fri Apr 20 22:00:53 2018 +0000

    origin

GIT a9e5b73288cf1595ac2e05cf1acd1924ceea05fa

commit a9e5b73288cf1595ac2e05cf1acd1924ceea05fa
Author: David Howells
Date:   Fri Apr 20 13:35:02 2018 +0100

    vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion

    In do_mount() when the MS_* flags are being converted to MNT_* flags, MS_RDONLY got accidentally converted to SB_RDONLY.

    Undo this change.

    Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

commit 660625922b3d9fcb376e5870299bc5c1086e1d32
Author: David Howells
Date:   Wed Apr 18 09:38:34 2018 +0100

    afs: Fix server record deletion

    AFS server records get removed from the net->fs_servers tree when they're deleted, but not from the net->fs_addresses{4,6} lists, which can lead to an oops in afs_find_server() when a server record has been removed, for instance during rmmod.

    Fix this by deleting the record from the by-address lists before posting it for RCU destruction.

    The reason this hasn't been noticed before is that the fileserver keeps probing the local cache manager, thereby keeping the service record alive, so the oops would only happen when a fileserver eventually gets bored and stops pinging or if the module gets rmmod'd and a call comes in from the fileserver during the window between the server records being destroyed and the socket being closed.

    The oops looks something like:

    BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
    ...
    Workqueue: kafsd afs_process_async_call [kafs]
    RIP: 0010:afs_find_server+0x271/0x36f [kafs]
    ...
    Call Trace:
     afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs]
     afs_deliver_to_call+0x1ee/0x5e8 [kafs]
     afs_process_async_call+0x5b/0xd0 [kafs]
     process_one_work+0x2c2/0x504
     worker_thread+0x1d4/0x2ac
     kthread+0x11f/0x127
     ret_from_fork+0x24/0x30

    Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

commit 16a34adb9392b2fe4195267475ab5b472e55292c
Author: Al Viro
Date:   Thu Apr 19 22:03:08 2018 -0400

    Don't leak MNT_INTERNAL away from internal mounts

    We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for their copies. As it is, creating a deep stack of bindings of /proc/*/ns/* somewhere in a new namespace and exiting yields a stack overflow.

    Cc: stable@kernel.org
    Reported-by: Alexander Aring
    Bisected-by: Kirill Tkhai
    Tested-by: Kirill Tkhai
    Tested-by: Alexander Aring
    Signed-off-by: Al Viro

commit 1255fcb2a655f05e02f3a74675a6d6525f187afd
Author: Ursula Braun
Date:   Thu Apr 19 15:56:40 2018 +0200

    net/smc: fix shutdown in state SMC_LISTEN

    Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket crashes, because commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker") releases the internal clcsock in smc_close_active() and sets smc->clcsock to NULL.

    For SHUT_RD the smc_close_active() call is removed.
    For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the clcsock is already released.

    Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
    Signed-off-by: Ursula Braun
    Reported-by: Stephen Hemminger
    Signed-off-by: David S. Miller

commit a60faa60da891e311e19fd3e88d611863f431130
Author: Vasundhara Volam
Date:   Thu Apr 19 03:16:16 2018 -0400

    bnxt_en: Fix memory fault in bnxt_ethtool_init()

    In some firmware images, the length of BNX_DIR_TYPE_PKG_LOG nvram type could be greater than the fixed buffer length of 4096 bytes allocated by the driver.
    This was causing HWRM_NVM_READ to copy more data to the buffer than the allocated size, causing general protection fault.

    Fix the issue by allocating the exact buffer length returned by HWRM_NVM_FIND_DIR_ENTRY, instead of 4096. Move the kzalloc() call into the bnxt_get_pkgver() function.

    Fixes: 3ebf6f0a09a2 ("bnxt_en: Add installed-package firmware version reporting via Ethtool GDRVINFO")
    Signed-off-by: Vasundhara Volam
    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller

commit f4ee703ace847f299da00944d57db7ff91786d0b
Author: Michael S. Tsirkin
Date:   Thu Apr 19 08:30:50 2018 +0300

    virtio_net: sparse annotation fix

    offloads is a buffer in virtio format, should use the __virtio64 tag.

    Signed-off-by: Michael S. Tsirkin
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller

commit d7fad4c840f33a6bd333dd7fbb3006edbcf0017a
Author: Michael S. Tsirkin
Date:   Thu Apr 19 08:30:49 2018 +0300

    virtio_net: fix adding vids on big-endian

    Programming vids (adding or removing them) still passes guest-endian values in the DMA buffer. That's wrong if guest is big-endian and when virtio 1 is enabled.

    Note: this is on top of a previous patch: virtio_net: split out ctrl buffer

    Fixes: 9465a7a6f ("virtio_net: enable v1.0 support")
    Signed-off-by: Michael S. Tsirkin
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller

commit 12e571693837d6164bda61e316b1944972ee0d97
Author: Michael S. Tsirkin
Date:   Thu Apr 19 08:30:48 2018 +0300

    virtio_net: split out ctrl buffer

    When sending control commands, virtio net sets up several buffers for DMA. The buffers are all part of the net device which means it's actually allocated by kvmalloc so it's in theory (on extreme memory pressure) possible to get a vmalloc'ed buffer which on some platforms means we can't DMA there.

    Fix up by moving the DMA buffers into a separate structure.

    Reported-by: Mikulas Patocka
    Suggested-by: Eric Dumazet
    Signed-off-by: Michael S. Tsirkin
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller

commit f4ea89110df237da6fbcaab76af431e85f07d904
Author: dann frazier
Date:   Wed Apr 18 21:55:41 2018 -0600

    net: hns: Avoid action name truncation

    When longer interface names are used, the action names exposed in /proc/interrupts and /proc/irq/* may be truncated. For example, when using the predictable name algorithm in systemd on a HiSilicon D05, I see:

    ubuntu@d05-3:~$ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
    enahisic2i0-tx0
    enahisic2i0-tx1
    [...]
    enahisic2i0-tx8
    enahisic2i0-tx9
    enahisic2i0-tx1
    enahisic2i0-tx1
    enahisic2i0-tx1
    enahisic2i0-tx1
    enahisic2i0-tx1
    enahisic2i0-tx1

    Increase the max ring name length to allow for an interface name of IFNAMSIZE. After this change, I now see:

    $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
    enahisic2i0-tx0
    enahisic2i0-tx1
    enahisic2i0-tx2
    [...]
    enahisic2i0-tx8
    enahisic2i0-tx9
    enahisic2i0-tx10
    enahisic2i0-tx11
    enahisic2i0-tx12
    enahisic2i0-tx13
    enahisic2i0-tx14
    enahisic2i0-tx15

    Signed-off-by: dann frazier
    Signed-off-by: David S. Miller

commit ab913455dd59b81204b6a0d387a44697b0e0bd85
Author: Olivier Gayot
Date:   Wed Apr 18 22:03:06 2018 +0200

    docs: ip-sysctl.txt: fix name of some ipv6 variables

    The name of the following proc/sysctl entries were incorrectly documented:

    /proc/sys/net/ipv6/conf//max_dst_opts_number
    /proc/sys/net/ipv6/conf//max_hbt_opts_number
    /proc/sys/net/ipv6/conf//max_dst_opts_length
    /proc/sys/net/ipv6/conf//max_hbt_length

    Their name was set to the name of the symbol in the .data field of the control table instead of their .proc name.

    Signed-off-by: Olivier Gayot
    Signed-off-by: David S. Miller

commit 65ec0bd1c7c14522670a5294de35710fb577a7fd
Author: Ronak Doshi
Date:   Wed Apr 18 12:48:04 2018 -0700

    vmxnet3: fix incorrect dereference when rxvlan is disabled

    vmxnet3_get_hdr_len() is used to calculate the header length which in turn is used to calculate the gso_size for skb.
    When rxvlan offload is disabled, vlan tag is present in the header and the function references ip header from sizeof(ethhdr) and leads to incorrect pointer reference.

    This patch fixes this issue by taking sizeof(vlan_ethhdr) into account if vlan tag is present and correctly references the ip hdr.

    Signed-off-by: Ronak Doshi
    Acked-by: Guolin Yang
    Acked-by: Louis Luo
    Signed-off-by: David S. Miller

commit f7e43672683b097bb074a8fe7af9bc600a23f231
Author: Cong Wang
Date:   Wed Apr 18 11:51:56 2018 -0700

    llc: hold llc_sap before release_sock()

    syzbot reported we still access llc->sap in llc_backlog_rcv() after it is freed in llc_sap_remove_socket():

    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1b9/0x294 lib/dump_stack.c:113
     print_address_description+0x6c/0x20b mm/kasan/report.c:256
     kasan_report_error mm/kasan/report.c:354 [inline]
     kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
     __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
     llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
     llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
     llc_conn_service net/llc/llc_conn.c:400 [inline]
     llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
     llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
     sk_backlog_rcv include/net/sock.h:909 [inline]
     __release_sock+0x12f/0x3a0 net/core/sock.c:2335
     release_sock+0xa4/0x2b0 net/core/sock.c:2850
     llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204

    llc->sap is refcount'ed and llc_sap_remove_socket() is paired with llc_sap_add_socket(). This can be amended by holding its refcount before llc_sap_remove_socket() and releasing it after release_sock().

    Reported-by:
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

commit 02b94fc70ffe320a7799c35e09372809e40b7131
Author: Jonathan Corbet
Date:   Wed Apr 18 10:14:13 2018 -0600

    MAINTAINERS: Direct networking documentation changes to netdev

    Networking docs changes go through the networking tree, so patch the MAINTAINERS file to direct authors to the right place.

    Signed-off-by: Jonathan Corbet
    Signed-off-by: David S. Miller

commit f3335545b34315fc42cc03a83165bdd26d956584
Author: Colin Ian King
Date:   Wed Apr 18 16:55:05 2018 +0100

    atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"

    Trivial fix to spelling mistake in message text.

    Signed-off-by: Colin Ian King
    Signed-off-by: David S. Miller

commit 4ec7eb3ff6eb5c9af3a84288a8d808a857fbc22b
Author: Pawel Dembicki
Date:   Wed Apr 18 16:03:24 2018 +0200

    net: qmi_wwan: add Wistron Neweb D19Q1

    This modem is embedded on dlink dwr-960 router.
    The oem configuration states:

    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1435 ProdID=d191 Rev=ff.ff
    S:  Manufacturer=Android
    S:  Product=Android
    S:  SerialNumber=0123456789ABCDEF
    C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
    E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us

    Tested on openwrt distribution

    Signed-off-by: Pawel Dembicki
    Acked-by: Bjørn Mork
    Signed-off-by: David S. Miller

commit 5e84b38b07e676fcd3ab6e296780b4f77a29d09f
Author: Colin Ian King
Date:   Wed Apr 18 12:00:08 2018 +0100

    net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"

    Trivial fix to spelling mistake

    Signed-off-by: Colin Ian King
    Signed-off-by: David S. Miller

commit 565020aaeebfa7c8b3ec077bee38f4c15acc9905
Author: Jose Abreu
Date:   Wed Apr 18 10:57:55 2018 +0100

    net: stmmac: Disable ACS Feature for GMAC >= 4

    ACS Feature is currently enabled for GMAC >= 4 but the llc_snap status is never checked in descriptor rx_status callback. This will cause stmmac to always strip packets even though the ACS feature is already stripping them.

    Let's be safe and disable the ACS feature for GMAC >= 4 and always strip the packets for this GMAC version.

    Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
    Signed-off-by: Jose Abreu
    Cc: David S. Miller
    Cc: Joao Pinto
    Cc: Giuseppe Cavallaro
    Cc: Alexandre Torgue
    Signed-off-by: David S. Miller

commit da42bb271305d68df6cbf99eed90542f1f1ee1c9
Author: Maxime Chevallier
Date:   Wed Apr 18 11:14:44 2018 +0200

    net: mvpp2: Fix DMA address mask size

    PPv2 TX/RX descriptors use 40-bit DMA addresses, but 41-bit masks were used (GENMASK_ULL(40, 0)).

    This commit fixes that by using the correct mask.

    Fixes: e7c5359f2eed ("net: mvpp2: introduce PPv2.2 HW descriptors and adapt accessors")
    Signed-off-by: Maxime Chevallier
    Signed-off-by: David S. Miller

commit bb9aaaa1849eed763c6b7f20227a8a03300d4421
Author: sunlianwen
Date:   Wed Apr 18 09:22:39 2018 +0800

    net: change the comment of dev_mc_init

    The comment of dev_mc_init() is wrong: it uses dev_mc_flush instead of dev_mc_init.
    Signed-off-by: Lianwen Sun

commit b658912cb023cd6f8e46963d29779903d3c10538
Author: Jiri Kosina
Date:   Thu Apr 19 09:25:15 2018 +0200

    HID: i2c-hid: fix inverted return value from i2c_hid_command()

    i2c_hid_command() returns non-zero in error cases (the actual errno). Error handling for the I2C_HID_QUIRK_RESEND_REPORT_DESCR case in i2c_hid_resume() had the check inverted; fix that.

    Fixes: 3e83eda467 ("HID: i2c-hid: Fix resume issue on Raydium touchscreen device")
    Reported-by: Dan Carpenter
    Signed-off-by: Jiri Kosina

commit 56376c5864f8ff4ba7c78a80ae857eee3b1d23d8
Author: Michael Ellerman
Date:   Thu Apr 19 16:22:20 2018 +1000

    powerpc/kvm: Fix lockups when running KVM guests on Power8

    When running KVM guests on Power8 we can see a lockup where one CPU stops responding. This often leads to a message such as:

    watchdog: CPU 136 detected hard LOCKUP on other CPUs 72
    Task dump for CPU 72:
    qemu-system-ppc R running task 10560 20917 20908 0x00040004

    And then backtraces on other CPUs, such as:

    Task dump for CPU 48:
    ksmd R running task 10032 1519 2 0x00000804
    Call Trace:
    ...
    --- interrupt: 901 at smp_call_function_many+0x3c8/0x460
        LR = smp_call_function_many+0x37c/0x460
    pmdp_invalidate+0x100/0x1b0
    __split_huge_pmd+0x52c/0xdb0
    try_to_unmap_one+0x764/0x8b0
    rmap_walk_anon+0x15c/0x370
    try_to_unmap+0xb4/0x170
    split_huge_page_to_list+0x148/0xa30
    try_to_merge_one_page+0xc8/0x990
    try_to_merge_with_ksm_page+0x74/0xf0
    ksm_scan_thread+0x10ec/0x1ac0
    kthread+0x160/0x1a0
    ret_from_kernel_thread+0x5c/0x78

    This is caused by commit 8c1c7fb0b5ec ("powerpc/64s/idle: avoid sync for KVM state when waking from idle"), which added a check in pnv_powersave_wakeup() to see if the kvm_hstate.hwthread_state is already set to KVM_HWTHREAD_IN_KERNEL, and if so to skip the store and test of kvm_hstate.hwthread_req.

    The problem is that the primary does not set KVM_HWTHREAD_IN_KVM when entering the guest, so it can then come out to cede with KVM_HWTHREAD_IN_KERNEL set.
    It can then go idle in kvm_do_nap after setting hwthread_req to 1, but because hwthread_state is still KVM_HWTHREAD_IN_KERNEL we will skip the test of hwthread_req when we wake up from idle and won't go to kvm_start_guest. From there the thread will return somewhere garbage and crash.

    Fix it by skipping the store of hwthread_state, but not the test of hwthread_req, when coming out of idle. It's OK to skip the sync in that case because hwthread_req will have been set on the same thread, so there is no synchronisation required.

    Fixes: 8c1c7fb0b5ec ("powerpc/64s/idle: avoid sync for KVM state when waking from idle")
    Signed-off-by: Michael Ellerman

commit 13a83eac373c49c0a081cbcd137e79210fe78acd
Author: Michael Neuling
Date:   Wed Apr 11 13:37:58 2018 +1000

    powerpc/eeh: Fix enabling bridge MMIO windows

    On boot we save the configuration space of PCIe bridges. We do this so when we get an EEH event and everything gets reset that we can restore them.

    Unfortunately we save this state before we've enabled the MMIO space on the bridges. Hence if we have to reset the bridge when we come back MMIO is not enabled and we end up taking a PE freeze when the driver starts accessing again.

    This patch forces the memory/MMIO and bus mastering on when restoring bridges on EEH.

    Ideally we'd do this correctly by saving the configuration space writes later, but that will have to come later in a larger EEH rewrite. For now we have this simple fix.

    The original bug can be triggered on a boston machine by doing:

    echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound

    On boston, this PHB has a PCIe switch on it. Without this patch, you'll see two EEH events, 1 expected and 1 the failure we are fixing here. The second EEH event causes anything under the PHB to disappear (i.e. the i40e eth).

    With this patch, only 1 EEH event occurs and devices properly recover.
    Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset")
    Cc: stable@vger.kernel.org # v3.11+
    Reported-by: Pridhiviraj Paidipeddi
    Signed-off-by: Michael Neuling
    Acked-by: Russell Currey
    Signed-off-by: Michael Ellerman

commit 64e86fec54069266ba32be551d7b7f75e88ab60c
Author: Subash Abhinov Kasiviswanathan
Date:   Tue Apr 17 17:40:00 2018 -0600

    net: qualcomm: rmnet: Fix warning seen with fill_info

    When the last rmnet device attached to a real device is removed, the real device is unregistered from rmnet. As a result, the real device lookup fails resulting in a warning when the fill_info handler is called as part of the rmnet device unregistration.

    Fix this by returning the rmnet flags as 0 when no real device is present.

    WARNING: CPU: 0 PID: 1779 at net/core/rtnetlink.c:3254 rtmsg_ifinfo_build_skb+0xca/0x10d
    Modules linked in:
    CPU: 0 PID: 1779 Comm: ip Not tainted 4.16.0-11872-g7ce2367 #1
    Stack:
     7fe655f0 60371ea3 00000000 00000000 60282bc6 6006b116 7fe65600 60371ee8 7fe65660 6003a68c 00000000 900000000
    Call Trace:
     [<6006b116>] ? printk+0x0/0x94
     [<6001f375>] show_stack+0xfe/0x158
     [<60371ea3>] ? dump_stack_print_info+0xe8/0xf1
     [<60282bc6>] ? rtmsg_ifinfo_build_skb+0xca/0x10d
     [<6006b116>] ? printk+0x0/0x94
     [<60371ee8>] dump_stack+0x2a/0x2c
     [<6003a68c>] __warn+0x10e/0x13e
     [<6003a82c>] warn_slowpath_null+0x48/0x4f
     [<60282bc6>] rtmsg_ifinfo_build_skb+0xca/0x10d
     [<60282c4d>] rtmsg_ifinfo_event.part.37+0x1e/0x43
     [<60282c2f>] ? rtmsg_ifinfo_event.part.37+0x0/0x43
     [<60282d03>] rtmsg_ifinfo+0x24/0x28
     [<60264e86>] dev_close_many+0xba/0x119
     [<60282cdf>] ? rtmsg_ifinfo+0x0/0x28
     [<6027c225>] ? rtnl_is_locked+0x0/0x1c
     [<6026ca67>] rollback_registered_many+0x1ae/0x4ae
     [<600314be>] ? unblock_signals+0x0/0xae
     [<6026cdc0>] ? unregister_netdevice_queue+0x19/0xec
     [<6026ceec>] unregister_netdevice_many+0x21/0xa1
     [<6027c765>] rtnl_delete_link+0x3e/0x4e
     [<60280ecb>] rtnl_dellink+0x262/0x29c
     [<6027c241>] ? rtnl_get_link+0x0/0x3e
     [<6027f867>] rtnetlink_rcv_msg+0x235/0x274

    Fixes: be81a85f5f87 ("net: qualcomm: rmnet: Implement fill_info")
    Signed-off-by: Subash Abhinov Kasiviswanathan
    Signed-off-by: David S. Miller

commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8
Author: Matt Redfearn
Date:   Tue Apr 17 16:40:01 2018 +0100

    MIPS: uaccess: Add micromips clobbers to bzero invocation

    The micromips implementation of bzero additionally clobbers registers t7 & t8. Specify this in the clobbers list when invoking bzero.

    Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.")
    Reported-by: James Hogan
    Signed-off-by: Matt Redfearn
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: # 3.10+
    Patchwork: https://patchwork.linux-mips.org/patch/19110/
    Signed-off-by: James Hogan

commit c96eebf07692e53bf4dd5987510d8b550e793598
Author: Matt Redfearn
Date:   Tue Apr 17 16:40:00 2018 +0100

    MIPS: memset.S: Fix clobber of v1 in last_fixup

    The label .Llast_fixup\@ is jumped to on page fault within the final byte set loop of memset (on < MIPSR6 architectures). For some reason, in this fault handler, the v1 register is randomly set to a2 & STORMASK. This clobbers v1 for the calling function.

    This can be observed with the following test code:

    static int __init __attribute__((optimize("O0"))) test_clear_user(void)
    {
            register int t asm("v1");
            char *test;
            int j, k;

            pr_info("\n\n\nTesting clear_user\n");
            test = vmalloc(PAGE_SIZE);

            for (j = 256; j < 512; j++) {
                    t = 0xa5a5a5a5;
                    if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
                            pr_err("clear_user (%px %d) returned %d\n",
                                   test + PAGE_SIZE - 256, j, k);
                    }
                    if (t != 0xa5a5a5a5) {
                            pr_err("v1 was clobbered to 0x%x!\n", t);
                    }
            }

            return 0;
    }
    late_initcall(test_clear_user);

    Which demonstrates that v1 is indeed clobbered (MIPS64):

    Testing clear_user
    v1 was clobbered to 0x1!
    v1 was clobbered to 0x2!
    v1 was clobbered to 0x3!
    v1 was clobbered to 0x4!
    v1 was clobbered to 0x5!
    v1 was clobbered to 0x6!
    v1 was clobbered to 0x7!
    Since the number of bytes that could not be set is already contained in a2, the andi placing a value in v1 is not necessary and actively harmful in clobbering v1.

    Reported-by: James Hogan
    Signed-off-by: Matt Redfearn
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/19109/
    Signed-off-by: James Hogan

commit 81c895072d29cd70eea5be1a8587cd6461c3715a
Author: Bjørn Mork
Date:   Tue Apr 17 22:46:38 2018 +0200

    tun: fix vlan packet truncation

    Bogus trimming in tun_net_xmit() causes truncated vlan packets.

    skb->len is correct whether or not skb_vlan_tag_present() is true. There is no more reason to adjust the skb length on xmit in this driver than any other driver.

    tun_put_user() adds 4 bytes to the total for tagged packets because it transmits the tag inline to userspace. This is similar to a nic transmitting the tag inline on the wire.

    Reproducing the bug by sending any tagged packet through back-to-back connected tap interfaces:

      socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out &
      ip link add link in name in.20 type vlan id 20
      ip addr add 10.9.9.9/24 dev in.20
      ip link set in.20 up
      tshark -nxxi in -f arp -c1 2>/dev/null &
      tshark -nxxi out -f arp -c1 2>/dev/null &
      ping -c 1 10.9.9.5 >/dev/null 2>&1

    The output from the 'in' and 'out' interfaces are different when the bug is present:

    Capturing on 'in'
    0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
    0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
    0020  0a 09 09 09 00 00 00 00 00 00 0a 09 09 05         ..............

    Capturing on 'out'
    0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
    0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
    0020  0a 09 09 09 00 00 00 00 00 00                     ..........

    Fixes: aff3d70a07ff ("tun: allow to attach ebpf socket filter")
    Cc: Jason Wang
    Signed-off-by: Bjørn Mork
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller

commit 36a50a989ee8267588de520b8704b85f045a3220
Author: Tung Nguyen
Date:   Tue Apr 17 21:58:27 2018 +0200

    tipc: fix infinite loop when dumping link monitor summary

    When configuring the number of used bearers to MAX_BEARER and issuing command "tipc link monitor summary", the command enters infinite loop in user space.

    This issue happens because function tipc_nl_node_dump_monitor() returns the wrong 'prev_bearer' value when all potential monitors have been scanned.

    The correct behavior is to always try to scan all monitors until either the netlink message is full, in which case we return the bearer identity of the affected monitor, or we continue through the whole bearer array until we can return MAX_BEARERS. This solution also caters for the case where there may be gaps in the bearer array.

    Signed-off-by: Tung Nguyen
    Signed-off-by: Jon Maloy
    Signed-off-by: David S. Miller

commit be47e41d77fba5bc17e9fb5f1c99217bb6691989
Author: Jon Maloy
Date:   Tue Apr 17 21:25:42 2018 +0200

    tipc: fix use-after-free in tipc_nametbl_stop

    When we delete a service item in tipc_nametbl_stop() we loop over all service ranges in the service's RB tree, and for each service range we loop over its pertaining publications while calling tipc_service_remove_publ() for each of them.

    However, tipc_service_remove_publ() has the side effect that it also removes the comprising service range item when there are no publications left. This leads to a "use-after-free" access when the inner loop continues to the next iteration, since the range item holding the list we are looping no longer exists.

    We fix this by moving the delete of the service range item outside the said function. Instead, we now let the two functions calling it test if the list is empty and perform the removal when that is the case.

    Reported-by: syzbot+d64b64afc55660106556@syzkaller.appspotmail.com
    Signed-off-by: Jon Maloy
    Signed-off-by: David S. Miller

commit b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb
Author: Benjamin Herrenschmidt
Date:   Wed Apr 11 15:17:59 2018 +1000

    powerpc/xive: Fix trying to "push" an already active pool VP

    When setting up a CPU, we "push" (activate) a pool VP for it.

    However it's an error to do so if it already has an active pool VP.

    This happens when doing soft CPU hotplug on powernv since we don't tear down the CPU on unplug. The HW flags the error which gets captured by the diagnostics.

    Fix this by making sure to "pull" out any already active pool first.

    Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
    Cc: stable@vger.kernel.org # v4.12+
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Michael Ellerman

commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094
Author: Jan Kara
Date:   Thu Apr 12 17:22:23 2018 +0200

    udf: Fix leak of UTF-16 surrogates into encoded strings

    OSTA UDF specification does not mention whether the CS0 charset in case of two bytes per character encoding should be treated in UTF-16 or UCS-2. The sample code in the standard does not treat UTF-16 surrogates in any special way but on systems such as Windows which work in UTF-16 internally, filenames would be treated as being in UTF-16 effectively. In Linux it is more difficult to handle characters outside of Base Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte characters only. Just make sure we don't leak UTF-16 surrogates into the resulting string when loading names from the filesystem for now.

    CC: stable@vger.kernel.org # >= v4.6
    Reported-by: Mingye Wang
    Signed-off-by: Jan Kara

commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60
Author: Eric Biggers
Date:   Tue Apr 17 12:07:06 2018 -0700

    KEYS: DNS: limit the length of option strings

    Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full.
    This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767 bytes:

        precision 1000000 too large
        WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0

    Fix it by limiting option strings (combined name + value) to a much more reasonable 128 bytes. The exact limit is arbitrary, but currently the only recognized option is formatted as "dnserror=%lu" which fits well within this limit. Also ratelimit the printks.

    Reproducer:

        perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s

    This bug was found using syzkaller.

    Reported-by: Mark Rutland
    Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
    Signed-off-by: Eric Biggers
    Signed-off-by: David S. Miller

commit 89bda97b445bacab68e71507cc08ccacd6694474
Author: Bert Kenward
Date:   Tue Apr 17 13:32:39 2018 +0100

    sfc: check RSS is active for filter insert

    For some firmware variants - specifically 'capture packed stream' - RSS filters are not valid. We must check if RSS is actually active rather than merely enabled.

    Fixes: 42356d9a137b ("sfc: support RSS spreading of ethtool ntuple filters")
    Signed-off-by: Bert Kenward
    Signed-off-by: David S. Miller

commit 7ce2367254e84753bceb07327aaf5c953cfce117
Author: Toshiaki Makita
Date:   Tue Apr 17 18:46:14 2018 +0900

    vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi

    Syzkaller spotted an old bug which leads to reading skb beyond tail by 4 bytes on vlan tagged packets.

    This is caused because skb_vlan_tagged_multi() did not check skb_headlen.
    BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
    BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
    BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
    BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
    BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
    CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:53
     kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
     __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
     eth_type_vlan include/linux/if_vlan.h:283 [inline]
     skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
     vlan_features_check include/linux/if_vlan.h:672 [inline]
     dflt_features_check net/core/dev.c:2949 [inline]
     netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
     validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
     __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
     dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
     packet_snd net/packet/af_packet.c:2944 [inline]
     packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
     sock_sendmsg_nosec net/socket.c:630 [inline]
     sock_sendmsg net/socket.c:640 [inline]
     sock_write_iter+0x3b9/0x470 net/socket.c:909
     do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
     do_iter_write+0x30d/0xd40 fs/read_write.c:932
     vfs_writev fs/read_write.c:977 [inline]
     do_writev+0x3c9/0x830 fs/read_write.c:1012
     SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
     SyS_writev+0x56/0x80 fs/read_write.c:1082
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x43ffa9
    RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
    RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003
    RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
    R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000

    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
     kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
     slab_post_alloc_hook mm/slab.h:445 [inline]
     slab_alloc_node mm/slub.c:2737 [inline]
     __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
     __kmalloc_reserve net/core/skbuff.c:138 [inline]
     __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
     alloc_skb include/linux/skbuff.h:984 [inline]
     alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
     sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
     packet_alloc_skb net/packet/af_packet.c:2803 [inline]
     packet_snd net/packet/af_packet.c:2894 [inline]
     packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
     sock_sendmsg_nosec net/socket.c:630 [inline]
     sock_sendmsg net/socket.c:640 [inline]
     sock_write_iter+0x3b9/0x470 net/socket.c:909
     do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
     do_iter_write+0x30d/0xd40 fs/read_write.c:932
     vfs_writev fs/read_write.c:977 [inline]
     do_writev+0x3c9/0x830 fs/read_write.c:1012
     SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
     SyS_writev+0x56/0x80 fs/read_write.c:1082
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2

    Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.")
    Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com
    Signed-off-by: Toshiaki Makita
    Signed-off-by: David S. Miller

commit daf70d89f80c6e1772233da9e020114b1254e7e0
Author: Matt Redfearn
Date:   Tue Apr 17 15:52:21 2018 +0100

    MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup

    The __clear_user function is defined to return the number of bytes that could not be cleared.
    From the underlying memset / bzero implementation this means setting register a2 to that number on return. Currently if a page fault is triggered within the memset_partial block, the value loaded into a2 on return is meaningless.

    The label .Lpartial_fixup\@ is jumped to on page fault. In order to work out how many bytes failed to copy, the exception handler should find how many bytes left in the partial block (andi a2, STORMASK), add that to the partial block end address (a2), and subtract the faulting address to get the remainder. Currently it incorrectly subtracts the partial block start address (t1), which has additionally been clobbered to generate a jump target in memset_partial. Fix this by adding the block end address instead.

    This issue was found with the following test code:

      int j, k;
      for (j = 0; j < 512; j++) {
        if ((k = clear_user(NULL, j)) != j) {
          pr_err("clear_user (NULL %d) returned %d\n", j, k);
        }
      }

    Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).

    Suggested-by: James Hogan
    Signed-off-by: Matt Redfearn
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/19108/
    Signed-off-by: James Hogan

commit 77ac725e0c5b27c925e514b999cd46d01eedafd1
Author: Nicolas Dechesne
Date:   Tue Apr 17 14:03:26 2018 +0200

    net: qrtr: add MODULE_ALIAS_NETPROTO macro

    To ensure that qrtr can be loaded automatically, when needed, if it is compiled as module.

    Signed-off-by: Nicolas Dechesne
    Signed-off-by: David S. Miller

commit 05e489b1596f0aa1025a1fa572676631cd9665da
Author: Stefan Hajnoczi
Date:   Tue Apr 17 14:25:58 2018 +0800

    VSOCK: make af_vsock.ko removable again

    Commit c1eef220c1760762753b602c382127bfccee226d ("vsock: always call vsock_init_tables()") introduced a module_init() function without a corresponding module_exit() function. Modules with an init function can only be removed if they also have an exit function.
    Therefore the vsock module was considered "permanent" and could not be removed.

    This patch adds an empty module_exit() function so that "rmmod vsock" works. No explicit cleanup is required because:

    1. Transports call vsock_core_exit() upon exit and cannot be removed while sockets are still alive.
    2. vsock_diag.ko does not perform any action that requires cleanup by vsock.ko.

    Fixes: c1eef220c176 ("vsock: always call vsock_init_tables()")
    Reported-by: Xiumei Mu
    Cc: Cong Wang
    Cc: Jorgen Hansen
    Signed-off-by: Stefan Hajnoczi
    Reviewed-by: Jorgen Hansen
    Signed-off-by: David S. Miller

commit ebf04f331fa15a966262341a7dc6b1a0efd633e4
Author: Simon Gaiser
Date:   Thu Mar 15 04:08:03 2018 +0100

    xen: xenbus_dev_frontend: Really return response string

    xenbus_command_reply() did not actually copy the response string and leaked stack content instead.

    Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
    Signed-off-by: Simon Gaiser
    Reviewed-by: Juergen Gross
    Signed-off-by: Boris Ostrovsky

commit cd6e992b3aab072cc90839508aaf5573c8f7e066
Author: Oleksandr Andrushchenko
Date:   Thu Apr 12 20:26:27 2018 +0300

    xen/sndif: Sync up with the canonical definition in Xen

    This is the sync up with the canonical definition of the sound protocol in Xen:

    1. Protocol version was referenced in the protocol description, but missed its definition. Fixed by adding a constant for current protocol version.

    2. Some of the request descriptions have "reserved" fields missed: fixed by adding corresponding entries.

    3. Extend the size of the requests and responses to 64 octets. Bump protocol version to 2.

    4. Add explicit back and front synchronization

       In order to provide explicit synchronization between backend and frontend the following changes are introduced in the protocol:
       - add new ring buffer for sending asynchronous events from backend to frontend to report number of bytes played by the frontend (XENSND_EVT_CUR_POS)
       - introduce trigger events for playback control: start/stop/pause/resume
       - add "req-" prefix to event-channel and ring-ref to unify naming of the Xen event channels for requests and events

    5. Add explicit back and front parameter negotiation

       In order to provide explicit stream parameter negotiation between backend and frontend the following changes are introduced in the protocol: add XENSND_OP_HW_PARAM_QUERY request to read/update configuration space for the parameters given: request passes desired parameter's intervals/masks and the response to this request returns allowed min/max intervals/masks to be used.

    Signed-off-by: Oleksandr Andrushchenko
    Signed-off-by: Oleksandr Grytsov
    Reviewed-by: Konrad Rzeszutek Wilk
    Reviewed-by: Boris Ostrovsky
    Cc: Konrad Rzeszutek Wilk
    Cc: Takashi Iwai
    Signed-off-by: Boris Ostrovsky

commit 3b2c77d000fe9f7d02e9e726e00dccf9f92b256f
Author: Petr Mladek
Date:   Mon Apr 16 13:36:47 2018 +0200

    livepatch: Allow to call a custom callback when freeing shadow variables

    We might need to do some actions before the shadow variable is freed. For example, we might need to remove it from a list or free some data that it points to.

    This is already possible now. The user can get the shadow variable by klp_shadow_get(), do the necessary actions, and then call klp_shadow_free().

    This patch allows doing it in a more elegant way. The user could implement the needed actions in a callback that is passed to klp_shadow_free() as a parameter. The callback usually does reverse operations to the constructor callback that can be called by klp_shadow_*alloc().

    It is especially useful for klp_shadow_free_all().
    There we need to do these extra actions for each found shadow variable with the given ID.

    Note that the memory used by the shadow variable itself is still released later by rcu callback. It is needed to protect internal structures that keep all shadow variables. But the destructor is called immediately. The shadow variable must not be accessed anyway after klp_shadow_free() is called. The user is responsible for protecting this in any suitable way.

    Be aware that the destructor is called under klp_shadow_lock. It is the same as for the constructor in klp_shadow_alloc().

    Signed-off-by: Petr Mladek
    Acked-by: Josh Poimboeuf
    Acked-by: Miroslav Benes
    Signed-off-by: Jiri Kosina

commit e91c2518a5d22a07642f35d85f39001ad379dae4
Author: Petr Mladek
Date:   Mon Apr 16 13:36:46 2018 +0200

    livepatch: Initialize shadow variables safely by a custom callback

    The existing API allows passing sample data to initialize the shadow data. It works well when the data are position independent.

    But it fails miserably when we need to set a pointer to the shadow structure itself.

    Unfortunately, we might need to initialize the pointer surprisingly often because of struct list_head. It is even worse because the list might be hidden in other common structures, for example, struct mutex, struct wait_queue_head.

    For example, this was needed to fix races in ALSA sequencer. It required adding a mutex into struct snd_seq_client. See commit b3defb791b26ea06 ("ALSA: seq: Make ioctls race-free") and commit d15d662e89fc667b9 ("ALSA: seq: Fix racy pool initializations")

    This patch makes the API more safe. A custom constructor function and data are passed to klp_shadow_*alloc() functions instead of the sample data.

    Note that ctor_data are no longer a template for shadow->data. It might point to any data that might be necessary when the constructor is called.

    Also note that the constructor is called under klp_shadow_lock. It is an internal spin_lock that synchronizes alloc() vs. get() operations, see klp_shadow_get_or_alloc(). On one hand, this adds a risk of ABBA deadlocks. On the other hand, it allows doing some operations safely. For example, we could add the new structure into an existing list. This must be done only once when the structure is allocated.

    Reported-by: Nicolai Stange
    Signed-off-by: Petr Mladek
    Acked-by: Josh Poimboeuf
    Acked-by: Miroslav Benes
    Signed-off-by: Jiri Kosina

commit 9dfbf78e4114fcaf4ef61c49885c3ab5bad40d0b
Author: Madhavan Srinivasan
Date:   Thu Jan 18 00:33:36 2018 +0530

    powerpc/64s: Default l1d_size to 64K in RFI fallback flush

    If there is no d-cache-size property in the device tree, l1d_size could be zero. We don't actually expect that to happen, it's only been seen on mambo (simulator) in some configurations.

    A zero-size l1d_size leads to the loop in the asm wrapping around to 2^64-1, and then walking off the end of the fallback area and eventually causing a page fault which is fatal.

    Just default to 64K which is correct on some CPUs, and sane enough to not cause a crash on others.

    Fixes: aa8a5e0062ac9 ('powerpc/64s: Add support for RFI flush of L1-D cache')
    Signed-off-by: Madhavan Srinivasan
    [mpe: Rewrite comment and change log]
    Signed-off-by: Michael Ellerman

commit fae764912153065ea55eda47f834e0764a54df94
Author: Martin Schwidefsky
Date:   Thu Apr 12 13:48:25 2018 +0200

    s390/signal: cleanup uapi struct sigaction

    The struct sigaction for user space in arch/s390/include/uapi/asm/signal.h is ill defined.
    The kernel uses two structures 'struct sigaction' and 'struct old_sigaction', the correlation in the kernel for both 31 and 64 bit is as follows

      sys_sigaction    -> struct old_sigaction
      sys_rt_sigaction -> struct sigaction

    The correlation of the (single) uapi definition for 'struct sigaction' under '#ifndef __KERNEL__':

      31-bit: sys_sigaction    -> uapi struct sigaction
      31-bit: sys_rt_sigaction -> no structure available
      64-bit: sys_sigaction    -> no structure available
      64-bit: sys_rt_sigaction -> uapi struct sigaction

    This is quite confusing. To make it a bit less confusing make the uapi definition of 'struct sigaction' usable for sys_rt_sigaction for both 31-bit and 64-bit.

    Signed-off-by: Martin Schwidefsky

commit 5968a70d7af5f2abbd9d9f9c8e86da51f0a6b16d
Author: Randy Dunlap
Date:   Mon Apr 16 12:32:55 2018 -0700

    textsearch: fix kernel-doc warnings and add kernel-api section

    Make lib/textsearch.c usable as kernel-doc. Add textsearch() function family to kernel-api documentation.

    Fix kernel-doc warnings in:

      ../include/linux/textsearch.h:65: warning: Incorrect use of kernel-doc format: * get_next_block - fetch next block of data
      ../include/linux/textsearch.h:82: warning: Incorrect use of kernel-doc format: * finish - finalize/clean a series of get_next_block() calls

    Signed-off-by: Randy Dunlap
    Signed-off-by: David S. Miller

commit c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf
Author: Eric Dumazet
Date:   Mon Apr 16 08:29:43 2018 -0700

    tipc: fix possible crash in __tipc_nl_net_set()

    syzbot reported a crash in __tipc_nl_net_set() caused by NULL dereference.

    We need to check that both TIPC_NLA_NET_NODEID and TIPC_NLA_NET_NODEID_W1 are present.

    We also need to make sure userland provided u64 attributes.

    Fixes: d50ccc2d3909 ("tipc: add 128-bit node identifier")
    Signed-off-by: Eric Dumazet
    Cc: Jon Maloy
    Cc: Ying Xue
    Reported-by: syzbot
    Signed-off-by: David S. Miller

commit ec518f21cb1a1b1f8a516499ea05c60299e04963
Author: Eric Dumazet
Date:   Mon Apr 16 08:29:42 2018 -0700

    tipc: add policy for TIPC_NLA_NET_ADDR

    Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR

    Fixes: 27c21416727a ("tipc: add net set to new netlink api")
    Signed-off-by: Eric Dumazet
    Cc: Jon Maloy
    Cc: Ying Xue
    Signed-off-by: David S. Miller

commit 8a8158c85e1e774a44fbe81106fa41138580dfd1
Author: Matt Redfearn
Date:   Thu Mar 29 10:28:23 2018 +0100

    MIPS: memset.S: EVA & fault support for small_memset

    The MIPS kernel memset / bzero implementation includes a small_memset branch which is used when the region to be set is smaller than a long (4 bytes on 32bit, 8 bytes on 64bit). The current small_memset implementation uses a simple store byte loop to write the destination. There are 2 issues with this implementation:

    1. When EVA mode is active, user and kernel address spaces may overlap. Currently the use of the sb instruction means kernel mode addressing is always used and an intended write to userspace may actually overwrite some critical kernel data.

    2. If the write triggers a page fault, for example by calling __clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS is triggered.

    Fix these issues by replacing the sb instruction with the EX() macro, which will emit EVA compatible instructions as required. Additionally implement a fault fixup for small_memset which sets a2 to the number of bytes that could not be cleared (as defined by __clear_user).
    Reported-by: Chuanhua Lei
    Signed-off-by: Matt Redfearn
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/18975/
    Signed-off-by: James Hogan

commit e86281e700cca8a773f9a572fa406adf2784ba5c
Author: Tyler Hicks
Date:   Wed Mar 28 23:41:52 2018 +0000

    eCryptfs: don't pass up plaintext names when using filename encryption

    Both ecryptfs_filldir() and ecryptfs_readlink_lower() use ecryptfs_decode_and_decrypt_filename() to translate lower filenames to upper filenames. The function correctly passes up lower filenames, unchanged, when filename encryption isn't in use. However, it was also passing up lower filenames when the filename wasn't encrypted or when decryption failed. Since 88ae4ab9802e, eCryptfs refuses to lookup lower plaintext names when filename encryption is enabled so this resulted in a situation where userspace would see lower plaintext filenames in calls to getdents(2) but then not be able to lookup those filenames.

    An example of this can be seen when enabling filename encryption on an eCryptfs mount at the root directory of an Ext4 filesystem:

      $ ls -1i /lower
      12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE--
      11 lost+found
      $ ls -1i /upper
      ls: cannot access '/upper/lost+found': No such file or directory
       ? lost+found
      12 test

    With this change, the lower lost+found dentry is ignored:

      $ ls -1i /lower
      12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE--
      11 lost+found
      $ ls -1i /upper
      12 test

    Additionally, some potentially noisy error/info messages in the related code paths are turned into debug messages so that the logs can't be easily filled.
    Fixes: 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or plaintext name")
    Reported-by: Guenter Roeck
    Cc: Al Viro
    Signed-off-by: Tyler Hicks

commit e6f39e87b6439939a14cb7fdd94086a082b63b87
Author: Joerg Roedel
Date:   Mon Apr 16 11:43:57 2018 +0200

    x86/ldt: Fix support_pte_mask filtering in map_ldt_struct()

    The |= operator will let us end up with an invalid PTE. Use the correct &= instead.

    [ The bug was also independently reported by Shuah Khan ]

    Fixes: fb43d6cb91ef ('x86/mm: Do not auto-massage page protections')
    Acked-by: Andy Lutomirski
    Acked-by: Dave Hansen
    Signed-off-by: Joerg Roedel
    Signed-off-by: Linus Torvalds

commit 9783ccd0f2507cbe3c5ff1cb84bf6ae3a512d17d
Author: Gao Feng
Date:   Mon Apr 16 10:16:45 2018 +0800

    net: Fix one possible memleak in ip_setup_cork

    It would allocate memory in this function when the cork->opt is NULL. But the memory isn't freed if the latter rt check fails, and an error is returned directly. It causes the memleak if its caller is ip_make_skb, which also doesn't free the cork->opt when it meets an error.

    Now move the rt check ahead to avoid the memleak.

    Signed-off-by: Gao Feng
    Signed-off-by: David S. Miller

commit d5edb7f8e7ab9fd5fd54a77d957b1733f117a813
Author: Paolo Bonzini
Date:   Tue Mar 27 22:46:11 2018 +0200

    kvm: selftests: add vmx_tsc_adjust_test

    The test checks the behavior of setting MSR_IA32_TSC in a nested guest, and the TSC_OFFSET VMCS field in general. It also introduces the testing infrastructure for Intel nested virtualization.

    Signed-off-by: Paolo Bonzini

commit dd259935e4eec844dc3e5b8a7cd951cd658b4fb6
Author: Paolo Bonzini
Date:   Fri Apr 13 11:38:35 2018 +0200

    kvm: x86: move MSR_IA32_TSC handling to x86.c

    This is not specific to Intel/AMD anymore. The TSC offset is available in vcpu->arch.tsc_offset.
    Signed-off-by: Paolo Bonzini

commit e79f245ddec17bbd89d73cd0169dba4be46c9b55
Author: KarimAllah Ahmed
Date:   Sat Apr 14 05:10:52 2018 +0200

    X86/KVM: Properly update 'tsc_offset' to represent the running guest

    Update 'tsc_offset' on vmentry/vmexit of L2 guests to ensure that it always captures the TSC_OFFSET of the running guest whether it is the L1 or L2 guest.

    Cc: Paolo Bonzini
    Cc: Radim Krčmář
    Cc: kvm@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Jim Mattson
    Suggested-by: Paolo Bonzini
    Signed-off-by: KarimAllah Ahmed
    [AMD changes, fix update_ia32_tsc_adjust_msr. - Paolo]
    Signed-off-by: Paolo Bonzini

commit 5171b37d959641bbc619781caf62e61f7b940871
Author: Eric Dumazet
Date:   Sun Apr 15 17:52:04 2018 -0700

    net: af_packet: fix race in PACKET_{R|T}X_RING

    In order to remove the race caught by syzbot [1], we need to lock the socket before using po->tp_version as this could change under us otherwise.

    This means lock_sock() and release_sock() must be done by packet_set_ring() callers.
    [1] :
    BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
    CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:53
     kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
     __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
     packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
     packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
     SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
     SyS_setsockopt+0x76/0xa0 net/socket.c:1828
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x449099
    RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
    RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
    RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
    R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
    R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001

    Local variable description: ----req_u@packet_setsockopt
    Variable was created at:
     packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
     SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller

commit f23e0643cd0b53e68e283b6f26194d56c28a2eb1
Author: Thomas Falcon
Date:   Sun Apr 15 18:53:36 2018 -0500

    ibmvnic: Clear pending interrupt after device reset

    Due to a firmware bug, the hypervisor can send an interrupt to a transmit or receive queue just prior to a partition migration, not allowing the device enough time to handle it and send an EOI. When the partition migrates, the interrupt is lost but an "EOI-pending" flag for the interrupt line is still set in firmware.
    No further interrupts will be sent until that flag is cleared, effectively freezing that queue. To work around this, the driver will disable the hardware interrupt and send an H_EOI signal prior to re-enabling it. This will flush the pending EOI and allow the driver to continue operation.

    Signed-off-by: Thomas Falcon
    Signed-off-by: David S. Miller

commit bffd168c3fc5cc7d2bad4c668fa90e7a9010db4b
Author: Soheil Hassas Yeganeh
Date:   Sat Apr 14 20:44:46 2018 -0400

    tcp: clear tp->packets_out when purging write queue

    Clear tp->packets_out when purging the write queue, otherwise tcp_rearm_rto() mistakenly assumes TCP write queue is not empty. This results in NULL pointer dereference.

    Also, remove the redundant `tp->packets_out = 0` from tcp_disconnect(), since tcp_disconnect() calls tcp_write_queue_purge().

    Fixes: a27fd7a8ed38 (tcp: purge write queue upon RST)
    Reported-by: Subash Abhinov Kasiviswanathan
    Reported-by: Sami Farin
    Tested-by: Sami Farin
    Signed-off-by: Eric Dumazet
    Signed-off-by: Soheil Hassas Yeganeh
    Acked-by: Yuchung Cheng
    Acked-by: Neal Cardwell
    Signed-off-by: David S. Miller

commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5
Author: Paolo Abeni
Date:   Fri Apr 13 13:59:25 2018 +0200

    team: avoid adding twice the same option to the event list

    When parsing the options provided by the user space, team_nl_cmd_options_set() inserts them in a temporary list to send multiple events with a single message. While each option's attribute is correctly validated, the code does not check for duplicate entries before inserting into the event list.

    Exploiting the above, the syzbot was able to trigger the following splat:

    kernel BUG at lib/list_debug.c:31!
    invalid opcode: 0000 [#1] SMP KASAN
    Dumping ftrace buffer:
       (ftrace buffer empty)
    Modules linked in:
    CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
    RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
    RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
    RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
    RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
    R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
    R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     __list_add include/linux/list.h:60 [inline]
     list_add include/linux/list.h:79 [inline]
     team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
     genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
     genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
     netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
     genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg+0xd5/0x120 net/socket.c:639
     ___sys_sendmsg+0x805/0x940 net/socket.c:2117
     __sys_sendmsg+0x115/0x270 net/socket.c:2155
     SYSC_sendmsg net/socket.c:2164 [inline]
     SyS_sendmsg+0x29/0x30 net/socket.c:2162
     do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x42/0xb7
    RIP: 0033:0x4458b9
    RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
    RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
    RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
    R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
    Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48 89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f 40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
    RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248

    This changeset addresses this by avoiding list_add() if the current option is already present in the event list.

    Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
    Signed-off-by: Paolo Abeni
    Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
    Signed-off-by: David S. Miller

commit b8858581febb050688e276b956796bc4a78299ed
Author: Michael Ellerman
Date:   Mon Apr 16 23:25:19 2018 +1000

    powerpc/lib: Fix off-by-one in alternate feature patching

    When we patch an alternate feature section, we have to adjust any relative branches that branch out of the alternate section.

    But currently we have a bug if we have a branch that points to past the last instruction of the alternate section, eg:

      FTR_SECTION_ELSE
      1:  b    2f
          or   6,6,6
      2:
      ALT_FTR_SECTION_END(...)
      nop

    This will result in a relative branch at 1 with a target that equals the end of the alternate section.

    That branch does not need adjusting when it's moved to the non-else location. Currently we do adjust it, resulting in a branch that goes off into the link-time location of the else section, which is junk.

    The fix is to not patch branches that have a target == end of the alternate section.
    Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section")
    Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections")
    Cc: stable@vger.kernel.org # v2.6.27+
    Signed-off-by: Michael Ellerman

commit de3d01fd8549ec0444fc917aab711b3f884930c5
Author: Jia-Ju Bai
Date:   Wed Apr 11 09:15:31 2018 +0800

    xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_reg_add

    pcistub_reg_add() is never called in atomic context. pcistub_reg_add() is only called by pcistub_quirk_add, which is only set in DRIVER_ATTR().

    Despite never getting called from atomic context, pcistub_reg_add() calls kzalloc() with GFP_ATOMIC, which does not sleep for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation.

    This is found by a static analysis tool named DCNS written by myself. And I also manually check it.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky

commit 230d211472d2779253e5a8383353fc44783dd038
Author: Jia-Ju Bai
Date:   Mon Apr 9 23:04:25 2018 +0800

    xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in xen_pcibk_config_quirks_init

    xen_pcibk_config_quirks_init() is never called in atomic context. The call chains ending up at xen_pcibk_config_quirks_init() are:

    [1] xen_pcibk_config_quirks_init() <- xen_pcibk_config_init_dev() <- pcistub_init_device() <- pcistub_seize() <- pcistub_probe()
    [2] xen_pcibk_config_quirks_init() <- xen_pcibk_config_init_dev() <- pcistub_init_device() <- pcistub_init_devices_late() <- xen_pcibk_init()

    pcistub_probe() is only set as ".probe" in struct pci_driver. xen_pcibk_init() is only set as a parameter of module_init(). These functions are not called in atomic context.

    Despite never getting called from atomic context, xen_pcibk_config_quirks_init() calls kzalloc() with GFP_ATOMIC, which does not sleep for allocation.
    GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky

commit 9eb5f15b47b69847bfceb94350bd68fbdbf829e3
Author: Jia-Ju Bai
Date:   Mon Apr 9 23:04:12 2018 +0800

    xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_device_alloc

    pcistub_device_alloc() is never called in atomic context. The call chain ending up at pcistub_device_alloc() is:

    [1] pcistub_device_alloc() <- pcistub_seize() <- pcistub_probe()

    pcistub_probe() is only set as ".probe" in struct pci_driver. This function is not called in atomic context.

    Despite never getting called from atomic context, pcistub_device_alloc() calls kzalloc() with GFP_ATOMIC, which does not sleep for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky

commit bb52e3169cb7dd5a9deea39b94342fce36235a5b
Author: Jia-Ju Bai
Date:   Mon Apr 9 23:03:53 2018 +0800

    xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_init_device

    pcistub_init_device() is never called in atomic context. The call chain ending up at pcistub_init_device() is:

    [1] pcistub_init_device() <- pcistub_seize() <- pcistub_probe()
    [2] pcistub_init_device() <- pcistub_init_devices_late() <- xen_pcibk_init()

    pcistub_probe() is only set as ".probe" in struct pci_driver. xen_pcibk_init() is only set as a parameter of module_init(). These functions are not called in atomic context.

    Despite never getting called from atomic context, pcistub_init_device() calls kzalloc() with GFP_ATOMIC, which does not sleep for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation.
    This is found by a static analysis tool named DCNS written by myself. And I also manually check it.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky

commit cc5cd5079699c7831fdc58e74352736706c3df3c
Author: Jia-Ju Bai
Date:   Mon Apr 9 23:03:36 2018 +0800

    xen: xen-pciback: Replace GFP_ATOMIC with GFP_KERNEL in pcistub_probe

    pcistub_probe() is never called in atomic context. This function is only set as ".probe" in struct pci_driver.

    Despite never getting called from atomic context, pcistub_probe() calls kmalloc() with GFP_ATOMIC, which does not sleep for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation.

    This is found by a static analysis tool named DCNS written by myself. And I also manually check it.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky

commit 982e05001c472066ab288e4269ad6cab48889f0d
Author: Maxime Chevallier
Date:   Mon Apr 16 10:07:23 2018 +0200

    net: mvpp2: Fix TCAM filter reserved range

    Marvell's PPv2 controller has a Packet Header parser, which uses a fixed-size TCAM array of filter entries. The mvpp2 driver reserves some ranges among the 256 TCAM entries to perform MAC and VID filtering. The rest of the TCAM ids are freely usable for other features, such as IPv4 proto matching.

    This commit fixes the MVPP2_PE_LAST_FREE_TID define that sets the end of the "free range", which included the MAC range. This could therefore allow some other features to use entries dedicated to MAC filtering, lowering the number of unicast/multicast addresses that could be allowed before switching to promiscuous mode.

    Fixes: 10fea26ce2aa ("net: mvpp2: Add support for unicast filtering")
    Signed-off-by: Maxime Chevallier
    Signed-off-by: David S. Miller

commit bd28899dd34f9283c567f7eeb31bb546f10820b5
Author: Dan Carpenter
Date:   Mon Apr 16 13:17:50 2018 +0300

    Revert "macsec: missing dev_put() on error in macsec_newlink()"

    This patch is just wrong, sorry. I was trying to fix a static checker warning and misread the code. The reference taken in macsec_newlink() is released in macsec_free_netdev() when the netdevice is destroyed.

    This reverts commit 5dcd8400884cc4a043a6d4617e042489e5d566a9.

    Reported-by: Laura Abbott
    Fixes: 5dcd8400884c ("macsec: missing dev_put() on error in macsec_newlink()")
    Signed-off-by: Dan Carpenter
    Acked-by: Sabrina Dubroca
    Signed-off-by: David S. Miller

commit 2c2bf522ed8cbfaac666f7dc65cfd38de2b89f0f
Author: Matt Redfearn
Date:   Fri Apr 13 09:50:44 2018 +0100

    MIPS: dts: Boston: Fix PCI bus dtc warnings:

    dtc recently (v1.4.4-8-g756ffc4f52f6) added PCI bus checks. Fix the warnings now emitted:

      arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@10000000: missing bus-range for PCI bridge
      arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@12000000: missing bus-range for PCI bridge
      arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@14000000: missing bus-range for PCI bridge

    Signed-off-by: Matt Redfearn
    Cc: Ralf Baechle
    Cc: Paul Burton
    Cc: Rob Herring
    Cc: Mark Rutland
    Cc: linux-mips@linux-mips.org
    Cc: devicetree@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/19070/
    Signed-off-by: James Hogan

commit 49d23a851d62c03daebae2d245dcc9b07dbfa89f
Author: Heiko Carstens
Date:   Thu Apr 12 11:01:07 2018 +0200

    s390: rename default_defconfig to debug_defconfig

    The name debug_defconfig reflects what the config is actually good for and should be less confusing.

    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky

commit cd7cf57f18be4196306997d4325b8ebf895ab318
Author: Heiko Carstens
Date:   Thu Apr 12 11:00:31 2018 +0200

    s390: remove gcov defconfig

    This config is not needed anymore.
    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky

commit de2011197d15746307e709687401397fe52bea83
Author: Martin Schwidefsky
Date:   Mon Nov 20 08:48:02 2017 +0100

    s390: update defconfig

    Signed-off-by: Martin Schwidefsky

commit 06856938112b84ff3c6b0594d017f59cfda2a43d
Author: Souptick Joarder
Date:   Sun Apr 15 01:03:42 2018 +0530

    fs: ext2: Adding new return type vm_fault_t

    Use new return type vm_fault_t for page_mkwrite, pfn_mkwrite and fault handler.

    Signed-off-by: Souptick Joarder
    Reviewed-by: Matthew Wilcox
    Signed-off-by: Jan Kara

commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0
Author: Chengguang Xu
Date:   Sat Apr 14 20:16:06 2018 +0800

    isofs: fix potential memory leak in mount option parsing

    When specifying string type mount option (e.g., iocharset) several times in a mount, current option parsing may cause memory leak. Hence, call kfree for previous one in this case. Meanwhile, check memory allocation result for it.

    Signed-off-by: Chengguang Xu
    Signed-off-by: Jan Kara

commit d93605407af34eb0b7eb8aff6b1eae2cde3cdd22
Author: Ilya Dryomov
Date:   Fri Mar 23 06:14:47 2018 +0100

    rbd: notrim map option

    Add an option to turn off discard and write zeroes offload support to avoid deprovisioning a fully provisioned image. When enabled, discard requests will fail with -EOPNOTSUPP, write zeroes requests will fall back to manually zeroing.

    Signed-off-by: Ilya Dryomov
    Tested-by: Hitoshi Kamei

commit 420efbdf4d2358dc12913298ad44d041c6ac0ed6
Author: Ilya Dryomov
Date:   Mon Apr 16 09:32:18 2018 +0200

    rbd: adjust queue limits for "fancy" striping

    In order to take full advantage of merging in ceph_file_to_extents(), allow object set sized I/Os. If the layout is not "fancy", an object set consists of just one object.
Signed-off-by: Ilya Dryomov

commit c6244b3b23771b258656445dcd212be759265b84
Author: Arnd Bergmann
Date: Wed Apr 4 14:53:39 2018 +0200

rbd: avoid Wreturn-type warnings

In some configurations gcc cannot see that rbd_assert(0) leads to an unreachable code path:

drivers/block/rbd.c: In function 'rbd_img_is_write':
drivers/block/rbd.c:1397:1: error: control reaches end of non-void function [-Werror=return-type]
drivers/block/rbd.c: In function '__rbd_obj_handle_request':
drivers/block/rbd.c:2499:1: error: control reaches end of non-void function [-Werror=return-type]
drivers/block/rbd.c: In function 'rbd_obj_handle_write':
drivers/block/rbd.c:2471:1: error: control reaches end of non-void function [-Werror=return-type]

As the rbd_assert() here has no extra information beyond the verbose BUG(), we can simply use BUG() directly in its place. This is reliably detected as not returning on any architecture, since it doesn't depend on the unlikely() comparison that confused gcc.

Fixes: 3da691bf4366 ("rbd: new request handling code")
Signed-off-by: Arnd Bergmann
Reviewed-by: Ilya Dryomov
Signed-off-by: Ilya Dryomov

commit ffdeec7aa41aa61ca4ee68fddf4669df9ce661d1
Author: Yan, Zheng
Date: Mon Mar 26 16:46:39 2018 +0800

ceph: always update atime/mtime/ctime for new inode

For a new inode, atime/mtime/ctime are uninitialized. Don't compare against them.

Cc: stable@kernel.org
Signed-off-by: "Yan, Zheng"
Reviewed-by: Ilya Dryomov
Signed-off-by: Ilya Dryomov

commit 34f55d0b3a0a39c95134c0c89173893b846d4c80
Author: Dongsheng Yang
Date: Mon Mar 26 10:22:55 2018 -0400

rbd: support timeout in rbd_wait_state_locked()

Currently, rbd_wait_state_locked() will wait forever if we can't get our state locked. Example:

rbd map --exclusive test1 --> /dev/rbd0
rbd map test1 --> /dev/rbd1
dd if=/dev/zero of=/dev/rbd1 bs=1M count=1 --> IO blocked

To avoid this problem, this patch introduces a timeout design in rbd_wait_state_locked().
Then rbd_wait_state_locked() will return an error when we reach a timeout. This patch allows the user to set the lock_timeout in rbd mapping.

Signed-off-by: Dongsheng Yang
Reviewed-by: Ilya Dryomov
Signed-off-by: Ilya Dryomov

commit 2f18d46683cb3047c41229d57cf7c6e2ee48676f
Author: Ilya Dryomov
Date: Wed Apr 4 10:15:38 2018 +0200

rbd: refactor rbd_wait_state_locked()

In preparation for the lock_timeout option, make rbd_wait_state_locked() return error codes.

Signed-off-by: Ilya Dryomov

commit 451239eb3d397bd197a79cc3aab943da41ba0905
Author: Heiko Carstens
Date: Fri Apr 13 14:04:24 2018 +0200

s390: add support for IBM z14 Model ZR1

Just add the new machine type number to the two places that matter.

Cc: # v4.14+
Signed-off-by: Heiko Carstens
Signed-off-by: Martin Schwidefsky

commit f43c426a581f04272a852f0486ae431acff6d87e
Author: Vasily Gorbik
Date: Fri Apr 13 10:57:27 2018 +0200

s390: remove couple of duplicate includes

Removing a couple of duplicate includes, found by "make includecheck". That leaves 1 duplicate include in arch/s390/kernel/entry.S, which is there for a reason (it includes generated asm/syscall_table.h twice).

Signed-off-by: Vasily Gorbik
Signed-off-by: Martin Schwidefsky

commit c65bbb51c6e98a1956c08faab81941ec558ef0ba
Author: Vasily Gorbik
Date: Wed Apr 11 10:24:29 2018 +0200

s390/boot: remove unused COMPILE_VERSION and ccflags-y

ccflags-y has no effect (no code is built in that directory, arch/s390/boot/compressed/Makefile defines its own KBUILD_CFLAGS). Removing ccflags-y together with COMPILE_VERSION.

Reviewed-by: Heiko Carstens
Signed-off-by: Vasily Gorbik
Signed-off-by: Martin Schwidefsky

commit 232acdff21fb02f0ccd538cd29c9ee7e028b6101
Author: Sebastian Ott
Date: Tue Apr 10 12:39:34 2018 +0200

s390/nospec: include cpu.h

Fix the following sparse warnings:

symbol 'cpu_show_spectre_v1' was not declared. Should it be static?
symbol 'cpu_show_spectre_v2' was not declared. Should it be static?
Signed-off-by: Sebastian Ott
Signed-off-by: Martin Schwidefsky

commit 701e188c6560d6abeba508f530c4224b4e830fb5
Author: Thomas Richter
Date: Thu Apr 12 08:42:48 2018 +0100

s390/decompressor: Ignore file vmlinux.bin.full

Commit 81796a3c6a4a ("s390/decompressor: trim uncompressed image head during the build") introduced a new file named vmlinux.bin.full in directory arch/s390/boot/compressed. Add this file to the list of ignored files so it does not show up on git status.

Signed-off-by: Thomas Richter
Signed-off-by: Martin Schwidefsky

commit de66b2429100c85b72db5c409526351d3ffc5faa
Author: Heiko Carstens
Date: Thu Apr 12 13:45:52 2018 +0200

s390/kexec_file: add generated files to .gitignore

Signed-off-by: Heiko Carstens
Signed-off-by: Martin Schwidefsky

commit bdea9f6f7a707301878573a5c35e39e4fe817378
Author: Philipp Rudo
Date: Tue Mar 27 13:14:12 2018 +0200

s390/Kconfig: Move kexec config options to "Processor type and features"

The config options for kexec are currently not under any menu directory. Up until now this was not a problem as standard kexec is always compiled in and thus does not create a menu entry. This changed when kexec_file_load was enabled. Its config option requires a menu entry which, when added beneath the standard kexec option, appears on the main directory above "General Setup". Thus move the whole block further down such that the entry is now in "Processor type and features". While at it also update the help text for kexec file.

Signed-off-by: Philipp Rudo
Signed-off-by: Martin Schwidefsky

commit 8be018827154666d1fe5904cb7a43b6706e01c87
Author: Philipp Rudo
Date: Mon Sep 11 15:15:29 2017 +0200

s390/kexec_file: Add ELF loader

Add an ELF loader for kexec_file. The main task here is to do proper sanity checks on the ELF file. Basically all other functionality was already implemented for the image loader.
Signed-off-by: Philipp Rudo
Signed-off-by: Martin Schwidefsky

commit ee337f5469fd67f22d231e520ec4189ce0589d92
Author: Philipp Rudo
Date: Tue Sep 5 11:55:23 2017 +0200

s390/kexec_file: Add crash support to image loader

Add support to load a crash kernel to the image loader. This requires extending the purgatory.

Signed-off-by: Philipp Rudo
Reviewed-by: Martin Schwidefsky
Signed-off-by: Martin Schwidefsky

commit e49bb0a27fa3c6ec45cc13e2102a6ec13c4ae697
Author: Philipp Rudo
Date: Wed Aug 30 14:03:38 2017 +0200

s390/kexec_file: Add image loader

Add an image loader for kexec_file_load. For simplicity first skip crash support. The functions defined in machine_kexec_file will later be shared with the ELF loader.

Signed-off-by: Philipp Rudo
Reviewed-by: Martin Schwidefsky
Signed-off-by: Martin Schwidefsky

commit 71406883fd35794d573b3085433c41d0a3bf6c21
Author: Philipp Rudo
Date: Mon Jun 19 10:45:33 2017 +0200

s390/kexec_file: Add kexec_file_load system call

This patch adds the kexec_file_load system call to s390 as well as the arch specific functions common code requires to work. Loaders for the different file types will be added later.

Signed-off-by: Philipp Rudo
Signed-off-by: Martin Schwidefsky

commit 840798a1f52994c172270893bd2ec6013cc92e40
Author: Philipp Rudo
Date: Mon Aug 28 15:32:36 2017 +0200

s390/kexec_file: Add purgatory

The common code expects the architecture to have a purgatory that runs between the two kernels. Add it now. For simplicity first skip crash support.

Signed-off-by: Philipp Rudo
Signed-off-by: Martin Schwidefsky

commit 15ceb8c936d13d940ca9e53996fbd05a26ce96db
Author: Philipp Rudo
Date: Tue Jun 27 12:44:11 2017 +0200

s390/kexec_file: Prepare setup.h for kexec_file_load

kexec_file_load needs to prepare the new kernels before they are loaded. For that it has to know the offsets in head.S, e.g. to register the new command line. Unfortunately there are no macros right now defining those offsets. Define them now.
Signed-off-by: Philipp Rudo
Signed-off-by: Martin Schwidefsky

commit 760dd0eeaec1689430243ead14e5a429613d8c52
Author: Martin Schwidefsky
Date: Tue Apr 3 11:08:52 2018 +0200

s390/smsgiucv: disable SMSG on module unload

The module exit function of the smsgiucv module uses the incorrect CP command to disable SMSG messages. The correct command is "SET SMSG OFF". Use it.

Signed-off-by: Martin Schwidefsky

commit dccccd332d028f57358a8b64ca88e691fc8be5b7
Author: Vasily Gorbik
Date: Fri Apr 13 18:22:14 2018 +0200

s390/sclp: avoid potential usage of uninitialized value

sclp_early_printk could be used before the .bss section is zeroed (i.e. from als.c during the decompressor phase), therefore values used by sclp_early_printk should be located in the .data section. Another reason for that is to avoid potential initrd corruption, if some code in future would use sclp_early_printk before initrd is moved from a region possibly overlapping with the .bss section to a safe location.

Fixes: 0b0d1173d8ae ("s390/sclp: 32 bit event mask compatibility mode")
Signed-off-by: Vasily Gorbik
Signed-off-by: Heiko Carstens
Signed-off-by: Martin Schwidefsky

commit 8e04944f0ea8b838399049bdcda920ab36ae3b04
Author: Tetsuo Handa
Date: Wed Apr 4 19:53:07 2018 +0900

mm,vmscan: Allow preallocating memory for register_shrinker().

syzbot is catching so many bugs triggered by commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()"). That commit expected that calling kill_sb() from deactivate_locked_super() without successful fill_super() is safe, but the reality was different; some callers assign attributes which are needed for kill_sb() after sget() succeeds. For example, [1] is a report where sb->s_mode (which seems to be either FMODE_READ | FMODE_EXCL | FMODE_WRITE or FMODE_READ | FMODE_EXCL) is not assigned unless sget() succeeds. But it is not worth complicating sget() so that the register_shrinker() failure path can safely call kill_block_super() via kill_sb().
Making alloc_super() fail if memory allocation for register_shrinker() failed is much simpler. Let's avoid calling deactivate_locked_super() from sget_userns() by preallocating memory for the shrinker and making register_shrinker() in sget_userns() never fail.

[1] https://syzkaller.appspot.com/bug?id=588996a25a2587be2e3a54e8646728fb9cae44e7

Signed-off-by: Tetsuo Handa
Reported-by: syzbot
Cc: Al Viro
Cc: Michal Hocko
Signed-off-by: Al Viro

commit 4a3877c4cedd95543f8726b0a98743ed8db0c0fb
Author: Al Viro
Date: Tue Apr 3 01:15:46 2018 -0400

rpc_pipefs: fix double-dput()

If we ever hit rpc_gssd_dummy_depopulate(), the dentry passed to it has a refcount equal to 1. __rpc_rmpipe() drops it and the dput() done after that hits an already freed dentry.

Cc: stable@kernel.org
Signed-off-by: Al Viro

commit 659038428cb43a66e3eff71e2c845c9de3611a98
Author: Al Viro
Date: Tue Apr 3 00:13:17 2018 -0400

orangefs_kill_sb(): deal with allocation failures

orangefs_fill_sb() might've failed to allocate ORANGEFS_SB(s); don't oops in that case.

Cc: stable@kernel.org
Signed-off-by: Al Viro

commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4
Author: Al Viro
Date: Mon Apr 2 23:56:44 2018 -0400

jffs2_kill_sb(): deal with failed allocations

jffs2_fill_super() might fail to allocate jffs2_sb_info; jffs2_kill_sb() must survive that.

Cc: stable@kernel.org
Signed-off-by: Al Viro

commit a24cd490739586a7d2da3549a1844e1d7c4f4fc4
Author: Al Viro
Date: Mon Apr 2 23:50:31 2018 -0400

hypfs_kill_super(): deal with failed allocations

hypfs_fill_super() might fail to allocate sbi; hypfs_kill_super() should not oops on that.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro

commit c246fd333f84e6a0a8572f991637aa102f5e1865
Author: Wang Sheng-Hui
Date: Sun Apr 15 16:07:12 2018 +0800

filter.txt: update 'tools/net/' to 'tools/bpf/'

The tools are located at tools/bpf/ instead of tools/net/. Update the filter.txt doc.

Signed-off-by: Wang Sheng-Hui
Signed-off-by: David S.
Miller

commit f993740ee05821307eca03d23d468895740450f8
Author: Edward Cree
Date: Fri Apr 13 19:18:09 2018 +0100

sfc: limit ARFS workitems in flight per channel

A misconfigured system (e.g. with all interrupts affinitised to all CPUs) may produce a storm of ARFS steering events. With the existing sfc ARFS implementation, that could create a backlog of workitems that grinds the system to a halt. To prevent this, limit the number of workitems that may be in flight for a given SFC device to 8 (EFX_RPS_MAX_IN_FLIGHT), and return EBUSY from our ndo_rx_flow_steer method if the limit is reached. Given this limit, also store the workitems in an array of slots within the struct efx_nic, rather than dynamically allocating for each request. The limit should not negatively impact performance, because it is only likely to be hit in cases where ARFS will be ineffective anyway.

Signed-off-by: Edward Cree
Signed-off-by: David S. Miller

commit a7f80189e41c96c0c6210e9198a31859c91eb3e5
Author: Edward Cree
Date: Fri Apr 13 19:17:49 2018 +0100

sfc: pass the correctly bogus filter_id to rps_may_expire_flow()

When we inserted an ARFS filter for ndo_rx_flow_steer(), we didn't know what the filter ID would be, so we just returned 0. Thus, we must also pass 0 as the filter ID when calling rps_may_expire_flow() for it, and rely on the flow_id to identify what we're talking about.

Fixes: 3af0f34290f6 ("sfc: replace asynchronous filter operations")
Signed-off-by: Edward Cree
Signed-off-by: David S. Miller

commit 494bef4c2a087876e75f3e95f7f63b06d6a65921
Author: Edward Cree
Date: Fri Apr 13 19:17:22 2018 +0100

sfc: insert ARFS filters with replace_equal=true

Necessary to allow redirecting a flow when the application moves.

Fixes: 3af0f34290f6 ("sfc: replace asynchronous filter operations")
Signed-off-by: Edward Cree
Signed-off-by: David S.
Miller

commit c7cd882469fc5042a5c84122b4062d7f53076db7
Author: Helge Deller
Date: Fri Apr 13 21:54:37 2018 +0200

parisc: Fix missing binfmt_elf32.o build error

Commit 71d577db01a5 ("parisc: Switch to generic COMPAT_BINFMT_ELF") removed the binfmt_elf32.c source file, but missed dropping the object file from the list of object files in the Makefile, which then results in a build error.

Fixes: 71d577db01a5 ("parisc: Switch to generic COMPAT_BINFMT_ELF")
Reported-by: Guenter Roeck
Tested-by: Guenter Roeck
Signed-off-by: Helge Deller

commit a1cc7034e33d12dc17d13fbcd7d597d552889097
Author: Sinan Kaya
Date: Thu Apr 12 22:30:44 2018 -0400

MIPS: io: Add barrier after register read in readX()

While a barrier is present in the writeX() functions before the register write, a similar barrier is missing in the readX() functions after the register read. This could allow memory accesses following readX() to observe stale data.

Signed-off-by: Sinan Kaya
Reported-by: Arnd Bergmann
Cc: Ralf Baechle
Cc: Paul Burton
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19069/
[jhogan@kernel.org: Tidy commit message]
Signed-off-by: James Hogan

commit f726214d9b23e5fce8c11937577a289a3202498f
Author: Guillaume Nault
Date: Thu Apr 12 20:50:35 2018 +0200

l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file

Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe against concurrent tunnel deletion. Use the same mechanism as in l2tp_ppp.c for dropping the reference taken by l2tp_tunnel_get_nth(). That is, drop the reference just before looking up the next tunnel. In case of error, drop the last accessed tunnel in l2tp_dfs_seq_stop(). That was the last use of l2tp_tunnel_find_nth().

Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info")
Signed-off-by: Guillaume Nault
Signed-off-by: David S.
Miller

commit 0e0c3fee3a59a387aeecc4fca6f3a2e9615a5443
Author: Guillaume Nault
Date: Thu Apr 12 20:50:34 2018 +0200

l2tp: hold reference on tunnels printed in pppol2tp proc file

Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe against concurrent tunnel deletion. Unlike sessions, we can't drop the reference held on tunnels in pppol2tp_seq_show(). Tunnels are reused across several calls to pppol2tp_seq_start() when iterating over sessions. These iterations need the tunnel for accessing the next session. Therefore the only safe moment for dropping the reference is just before searching for the next tunnel. Normally, the last invocation of pppol2tp_next_tunnel() doesn't find any new tunnel, so it drops the last tunnel without taking any new reference. However, in case of error, pppol2tp_seq_stop() is called directly, so we have to drop the reference there.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller

commit 5846c131c39b6d0add36ec19dc8650700690f930
Author: Guillaume Nault
Date: Thu Apr 12 20:50:33 2018 +0200

l2tp: hold reference on tunnels in netlink dumps

l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned tunnel, therefore it can be freed whenever the caller uses it. This patch defines l2tp_tunnel_get_nth() which works similarly, but also takes a reference on the returned tunnel. The caller then has to drop it after it stops using the tunnel. Convert netlink dumps to make them safe against concurrent tunnel deletion.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller

commit 9267c430c6b6f4c0120e3c6bb847313d633f02a6
Author: Jason Wang
Date: Fri Apr 13 14:58:25 2018 +0800

virtio-net: add missing virtqueue kick when flushing packets

We tend to batch submitting packets during XDP_TX.
This requires kicking the virtqueue after a batch; we tried to do it through xdp_do_flush_map(), which only makes sense for devmap, not XDP_TX. So explicitly kick the virtqueue in this case.

Reported-by: Kimitoshi Takahashi
Tested-by: Kimitoshi Takahashi
Cc: Daniel Borkmann
Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT")
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller

commit 96348e49366c6e2a5a2e62ba0350f66ef5d67ea7
Author: Amir Goldstein
Date: Thu Apr 5 16:18:05 2018 +0300

MAINTAINERS: add an entry for FSNOTIFY infrastructure

There is already an entry for all the backends, but those entries do not cover all the fsnotify files.

Signed-off-by: Amir Goldstein
Signed-off-by: Jan Kara

commit 8e984f8667ff4225092af734eef28a3d7bae8626
Author: Amir Goldstein
Date: Thu Apr 5 16:18:04 2018 +0300

fsnotify: fix typo in a comment about mark->g_list

Signed-off-by: Amir Goldstein
Signed-off-by: Jan Kara

commit 92183a42898dc400b89da35685d1814ac6acd3d8
Author: Amir Goldstein
Date: Thu Apr 5 16:18:03 2018 +0300

fsnotify: fix ignore mask logic in send_to_group()

The ignore mask logic in send_to_group() does not match the logic in fanotify_should_send_event(). In the latter, a vfsmount mark ignore mask precedes an inode mark mask and in the former, it does not. That difference may cause events to be sent to the fanotify backend for no reason. Fix the logic in send_to_group() to match that of fanotify_should_send_event().

Signed-off-by: Amir Goldstein
Signed-off-by: Jan Kara

commit 2290482379278e0254e6edfdb681d88359143fd1
Author: Richard Cochran
Date: Mon Apr 9 00:03:14 2018 -0700

net: dsa: mv88e6xxx: Fix receive time stamp race condition.

The DSA stack passes received PTP frames to this driver via mv88e6xxx_port_rxtstamp() for deferred delivery. The driver then queues the frame and kicks the worker thread. The work callback reads out the latched receive time stamp and then works through the queue, delivering any non-matching frames without a time stamp.
If a new frame arrives after the worker thread has read out the time stamp register but enters the queue before the worker finishes processing the queue, that frame will be delivered without a time stamp. This patch fixes the race by moving the queue onto a list on the stack before reading out the latched time stamp value.

Fixes: c6fe0ad2c3499 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
Signed-off-by: Richard Cochran
Signed-off-by: David S. Miller

commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8
Author: Wolfgang Bumiller
Date: Thu Apr 12 10:46:55 2018 +0200

net: fix deadlock while clearing neighbor proxy table

When coming from ndisc_netdev_event() in net/ipv6/ndisc.c, neigh_ifdown() is called with &nd_tbl, locking this while clearing the proxy neighbor entries when eg. deleting an interface. Calling the table's pndisc_destructor() with the lock still held, however, can cause a deadlock: When a multicast listener is available an IGMP packet of type ICMPV6_MGM_REDUCTION may be sent out. When reaching ip6_finish_output2(), if no neighbor entry for the target address is found, __neigh_create() is called with &nd_tbl, which it'll want to lock. Move the elements into their own list, then unlock the table and perform the destruction.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
Signed-off-by: Wolfgang Bumiller
Signed-off-by: David S. Miller

commit 1071ec9d453a38023579714b64a951a2fb982071
Author: Xin Long
Date: Thu Apr 12 14:24:31 2018 +0800

sctp: do not check port in sctp_inet6_cmp_addr

pf->cmp_addr() is called before binding a v6 address to the sock. It should not check ports, like in sctp_inet_cmp_addr. But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr, sctp_v6_cmp_addr where it also compares the ports.
This would allow setsockopt(SCTP_SOCKOPT_BINDX_ADD) to bind multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr"). This patch is to remove the af->cmp_addr call in sctp_inet6_cmp_addr, but do the proper check for both v6 addrs and v4mapped addrs.

v1->v2:
- define __sctp_v6_cmp_addr to do the common address comparison used for both pf and af v6 cmp_addr.

Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr")
Reported-by: Jianwen Ji
Signed-off-by: Xin Long
Acked-by: Neil Horman
Signed-off-by: David S. Miller

commit cf2cbadc20f5651c3dde9f5ac2ee52fb43aa4ddd
Author: Pieter Jansen van Vuuren
Date: Wed Apr 11 16:47:38 2018 -0700

nfp: flower: split and limit cmsg skb lists

Introduce a second skb list for handling control messages and limit the number of allowed messages. Some control messages are considered more crucial than others, resulting in the need for a second skb list. By splitting the list into a separate high and low priority list we can ensure that messages on the high list get added to the head of the list that gets processed, this however has no functional impact. Previously there was no limit on the number of messages allowed on the queue, this could result in the queue growing boundlessly and eventually the host running out of memory.

Fixes: b985f870a5f0 ("nfp: process control messages in workqueue in flower app")
Signed-off-by: Pieter Jansen van Vuuren
Reviewed-by: Jakub Kicinski
Reviewed-by: Simon Horman
Signed-off-by: David S. Miller

commit 0b1a989ef5a751b5992842d1934e22de861a848e
Author: Pieter Jansen van Vuuren
Date: Wed Apr 11 16:47:37 2018 -0700

nfp: flower: move route ack control messages out of the workqueue

Previously we processed the route ack control messages in the workqueue, this unnecessarily loads the workqueue. We can deal with these messages sooner as we know we are going to drop them.
Fixes: 8e6a9046b66a ("nfp: flower vxlan neighbour offload")
Signed-off-by: Pieter Jansen van Vuuren
Reviewed-by: Jakub Kicinski
Reviewed-by: Simon Horman
Signed-off-by: David S. Miller

commit bc05f9bcd8cb62f935625850e535da183b4a07c0
Author: Jakub Kicinski
Date: Wed Apr 11 16:47:36 2018 -0700

nfp: print a message when mutex wait is interrupted

When waiting for an NFP mutex is interrupted, print a message to make root causing later error messages easier.

Signed-off-by: Jakub Kicinski
Reviewed-by: Dirk van der Merwe
Signed-off-by: David S. Miller

commit 5496295aefe86995e41398b0f76de601308fc3f5
Author: Jakub Kicinski
Date: Wed Apr 11 16:47:35 2018 -0700

nfp: ignore signals when communicating with management FW

We currently allow signals to interrupt the wait for management FW commands. Exiting the wait should not cause trouble, the FW will just finish executing the command in the background and new commands will wait for the old one to finish. However, this may not be what users expect (Ctrl-C not actually stopping the command). Moreover some systems routinely request link information with signals pending (Ubuntu 14.04 runs a landscape-sysinfo python tool from MOTD) worrying users with errors like these:

nfp 0000:04:00.0: nfp_nsp: Error -512 waiting for code 0x0007 to start
nfp 0000:04:00.0: nfp: reading port table failed -512

Make the wait for management FW responses non-interruptible.

Fixes: 1a64821c6af7 ("nfp: add support for service processor access")
Signed-off-by: Jakub Kicinski
Reviewed-by: Dirk van der Merwe
Signed-off-by: David S. Miller

commit 335b929b28aeb5bfc0698adb21deaf685b2982d1
Author: Jon Maloy
Date: Thu Apr 12 01:15:48 2018 +0200

tipc: fix missing initializer in tipc_sendmsg()

The stack variable 'dnode' in __tipc_sendmsg() may theoretically end up in tipc_node_get_mtu() as an uninitialized variable. We fix this by initializing the variable at declaration.
We also add a default else clause to the two conditional ones already there, so that we never end up in the named function if the given address type is illegal.

Reported-by: syzbot+b0975ce9355b347c1546@syzkaller.appspotmail.com
Signed-off-by: Jon Maloy
Signed-off-by: David S. Miller

commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5
Author: Doron Roberts-Kedes
Date: Wed Apr 11 15:05:16 2018 -0700

strparser: Fix incorrect strp->need_bytes value.

strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates that the remainder of the message has been received. However, do_strp_work does not reset strp->need_bytes to 0. If do_strp_work completes a partial message, the value of strp->need_bytes will continue to reflect the needed bytes of the previous message, causing future invocations of strp_data_ready to return early if strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes to 0 in __strp_recv on handing a full message to the upper layer solves this problem.

__strp_recv also calculates strp->need_bytes using stm->accum_len before stm->accum_len has been incremented by cand_len. This can cause strp->need_bytes to be equal to the full length of the message instead of the full length minus the accumulated length. This, in turn, causes strp_data_ready to return early, even when there is sufficient data to complete the partial message. Incrementing stm->accum_len before using it to calculate strp->need_bytes solves this problem.

Found while testing net/tls_sw recv path.

Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
Signed-off-by: Doron Roberts-Kedes
Signed-off-by: David S. Miller

commit 5ff9c1a3dd92d2d8eeea6bb15b3502cfcc0e26fa
Author: Anders Roxell
Date: Wed Apr 11 17:17:34 2018 +0200

selftests: net: add in_netns.sh to TEST_PROGS

Script in_netns.sh isn't installed.
--------------------
running psock_fanout test
--------------------
./run_afpackettests: line 12: ./in_netns.sh: No such file or directory
[FAIL]
--------------------
running psock_tpacket test
--------------------
./run_afpackettests: line 22: ./in_netns.sh: No such file or directory
[FAIL]

Add in_netns.sh to the list of files to be installed.

Fixes: cc30c93fa020 ("selftests/net: ignore background traffic in psock_fanout")
Signed-off-by: Anders Roxell
Signed-off-by: David S. Miller

commit ebc701b796a67a5785399dcbc83d90e3b5f1e02f
Author: Nathan Fontenot
Date: Wed Apr 11 10:09:38 2018 -0500

ibmvnic: Do not notify peers on parameter change resets

When attempting to change the driver parameters, such as the MTU value or number of queues, do not call netdev_notify_peers(). Doing so will deadlock on the rtnl_lock.

Signed-off-by: Nathan Fontenot
Signed-off-by: David S. Miller

commit 64d92aa2c9fe490ceffc440d7648ce369cd6cc3c
Author: Nathan Fontenot
Date: Wed Apr 11 10:09:32 2018 -0500

ibmvnic: Handle all login error conditions

There is a bug in handling the possible return codes from sending the login CRQ. The current code treats any non-success return value, minus failure to send the crq and a timeout waiting for a login response, as a need to re-send the login CRQ. This can put the driver in an infinite loop of trying to login when getting return values other than a partial success, such as a return code of aborted. For these scenarios the login will not ever succeed at this point and the driver would need to be reset again. To resolve this, the loop trying to login is updated to only retry the login if the driver gets a return code of a partial success. Other return codes are treated as an error and the driver returns an error from ibmvnic_login(). To avoid infinite looping in the partial success return cases, the number of retries is capped at the maximum number of supported queues.
This value was chosen because the driver does a renegotiation of capabilities which sets the number of queues possible and allows the driver to attempt a login for each possible value of the number of queues supported.

Signed-off-by: Nathan Fontenot
Signed-off-by: David S. Miller

commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744
Author: Eric Dumazet
Date: Wed Apr 11 14:46:00 2018 -0700

net: validate attribute sizes in neigh_dump_table()

Since neigh_dump_table() calls nlmsg_parse() without giving policy constraints, attributes can have arbitrary size that we must validate.

Reported by syzbot/KMSAN:

BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline]
BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline]
BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 neigh_master_filtered net/core/neighbour.c:2292 [inline]
 neigh_dump_table net/core/neighbour.c:2348 [inline]
 neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
 netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225
 __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322
 netlink_dump_start include/linux/netlink.h:214 [inline]
 rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598
 netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fed9
RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800
R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
 netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device")
Signed-off-by: Eric Dumazet
Cc: David Ahern
Reported-by: syzbot
Acked-by: David Ahern
Signed-off-by: David S.
Miller commit 7212303268918b9a203aebeacfdbd83b5e87b20d Author: Eric Dumazet Date: Wed Apr 11 14:36:28 2018 -0700 tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1] I believe this was caused by a TCP_MD5SIG being set on live flow. This is highly unexpected, since TCP option space is limited. For instance, presence of TCP MD5 option automatically disables TCP TimeStamp option at SYN/SYNACK time, which we can not do once flow has been established. Really, adding/deleting an MD5 key only makes sense on sockets in CLOSE or LISTEN state. [1] BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline] tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184 tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453 tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 sk_backlog_rcv include/net/sock.h:908 [inline] __release_sock+0x2d6/0x680 net/core/sock.c:2271 release_sock+0x97/0x2a0 net/core/sock.c:2786 tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 SyS_sendto+0x8a/0xb0 net/socket.c:1715 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x448fe9 RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9 RDX: 
000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004 RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010 R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000 R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc_node mm/slub.c:2737 [inline] __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:984 [inline] tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624 __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline] tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline] tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469 tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 sk_backlog_rcv include/net/sock.h:908 [inline] __release_sock+0x2d6/0x680 net/core/sock.c:2271 release_sock+0x97/0x2a0 net/core/sock.c:2786 tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 SyS_sendto+0x8a/0xb0 net/socket.c:1715 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Yuchung Cheng Signed-off-by: David S. 
Miller commit c3317f4db831b7564ff8d1670326456a7fbbbcb3 Author: Jon Maloy Date: Wed Apr 11 22:52:09 2018 +0200 tipc: fix unbalanced reference counter When a topology subscription is created, we may encounter (or KASAN may provoke) a failure to create a corresponding service instance in the binding table. Instead of letting the tipc_nametbl_subscribe() report the failure back to the caller, the function just makes a warning printout and returns, without incrementing the subscription reference counter as expected by the caller. This makes the caller believe that the subscription was successful, so it will at a later moment try to unsubscribe the item. This involves a sub_put() call. Since the reference counter never was incremented in the first place, we get a premature delete of the subscription item, followed by a "use-after-free" warning. We fix this by adding a return value to tipc_nametbl_subscribe() and make the caller aware of the failure to subscribe. This bug seems to always have been around, but this fix only applies back to the commit shown below. Given the low risk of this happening we believe this to be sufficient. Fixes: commit 218527fe27ad ("tipc: replace name table service range array with rb tree") Reported-by: syzbot+aa245f26d42b8305d157@syzkaller.appspotmail.com Signed-off-by: Jon Maloy Signed-off-by: David S. Miller commit 1c2734b31d72316e3faaad88c0c9c46fa92a4b20 Author: Raghuram Chary J Date: Wed Apr 11 20:36:36 2018 +0530 lan78xx: PHY DSP registers initialization to address EEE link drop issues with long cables The patch is to configure DSP registers of PHY device to handle Gbe-EEE failures with >40m cable length. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") Signed-off-by: Raghuram Chary J Signed-off-by: David S. 
Miller commit 9a4381618262157586051f5ba0db42df3c6ab4b5 Author: Laura Abbott Date: Tue Apr 10 18:04:29 2018 -0700 mISDN: Remove VLAs There's an ongoing effort to remove VLAs[1] from the kernel to eventually turn on -Wvla. Remove the VLAs from the mISDN code by switching to using kstrdup in one place and using an upper bound in another. Signed-off-by: Laura Abbott Signed-off-by: David S. Miller commit b16520f7493d06d8ef6d4255bdfcf7a803d7874a Author: Kees Cook Date: Tue Apr 10 17:52:34 2018 -0700 net/tls: Remove VLA usage In the quest to remove VLAs from the kernel[1], this replaces the VLA size with the only possible size used in the code, and adds a mechanism to double-check future IV sizes. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Signed-off-by: Kees Cook Acked-by: Dave Watson Signed-off-by: David S. Miller commit 08ea556e14b56e9a49b19abd8e39f0c9e05582f2 Author: Kees Cook Date: Tue Apr 10 15:26:43 2018 -0700 ibmvnic: Define vnic_login_client_data name field as unsized array The "name" field of struct vnic_login_client_data is a char array of undefined length. This should be written as "char name[]" so the compiler can make better decisions about the field (for example, not assuming it's a single character). This was noticed while trying to tighten the CONFIG_FORTIFY_SOURCE checking. Signed-off-by: Kees Cook Signed-off-by: David S. Miller commit f6b7aeee8f167409195fbf1364d02988fecad1d0 Author: Sinan Kaya Date: Tue Apr 3 08:55:03 2018 -0400 MIPS: io: Prevent compiler reordering writeX() writeX() has strong ordering semantics with respect to memory updates. In the absence of a write barrier or a compiler barrier, the compiler can reorder register and memory update instructions. This breaks the writeX() API. 
Signed-off-by: Sinan Kaya
Cc: Arnd Bergmann
Cc: Ralf Baechle
Cc: Paul Burton
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/18997/
[jhogan@kernel.org: Tidy commit message]
Signed-off-by: James Hogan

commit 4e1acd7b31a03f24cc6108d37d005e6b1d48c5d3
Author: Peng Hao
Date: Fri Apr 13 08:36:30 2018 +0800

kvm: selftests: add -std=gnu99 cflags

lib/kvm_util.c: In function ‘kvm_memcmp_hva_gva’:
lib/kvm_util.c:332:2: error: ‘for’ loop initial declarations are only allowed in C99 mode

So add -std=gnu99 to CFLAGS

Signed-off-by: Peng Hao
Signed-off-by: Paolo Bonzini

commit f0f4cf5b306620282db0c59ff963012e1973e025
Author: Krish Sadhukhan
Date: Wed Apr 11 01:10:16 2018 -0400

x86: Add check for APIC access address for vmentry of L2 guests

According to the sub-section titled 'VM-Execution Control Fields' in the section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following vmentry check must be enforced:

If the 'virtualize APIC-accesses' VM-execution control is 1, the APIC-access address must satisfy the following checks:

- Bits 11:0 of the address must be 0.
- The address should not set any bits beyond the processor's physical-address width.

This patch adds the necessary check to conform to this rule. If the check fails, we cause the L2 VMENTRY to fail which is what the associated unit test (following patch) expects.

Reviewed-by: Mihai Carabas
Reviewed-by: Konrad Rzeszutek Wilk
Reviewed-by: Jim Mattson
Reviewed-by: Wanpeng Li
Signed-off-by: Krish Sadhukhan
Signed-off-by: Paolo Bonzini

commit 3e83eda467050f13fa69d888993458b76e733de9
Author: Aaron Ma
Date: Mon Apr 9 15:41:31 2018 +0800

HID: i2c-hid: Fix resume issue on Raydium touchscreen device

When Rayd touchscreen resumed from S3, it issues too many errors like:
i2c_hid i2c-RAYD0001:00: i2c_hid_get_input: incomplete report (58/5442)
And all the report data are corrupted, touchscreen is unresponsive.

Fix this by re-sending report description command after resume. Add device ID as a quirk.

Cc: stable@vger.kernel.org
Signed-off-by: Aaron Ma
Signed-off-by: Jiri Kosina

commit 619d3a2922ce623ca2eca443cc936810d328317c
Author: Aaron Armstrong Skomra
Date: Wed Apr 4 14:24:11 2018 -0700

HID: wacom: bluetooth: send exit report for recent Bluetooth devices

The code path for recent Bluetooth devices omits an exit report which resets all the values of the device.

Fixes: 4922cd26f0 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
Cc: # 4.11
Signed-off-by: Aaron Armstrong Skomra
Reviewed-by: Ping Cheng
Signed-off-by: Jiri Kosina

commit 2698d82e519413c6ad287e6f14b29e0373ed37f8
Author: hu huajun
Date: Wed Apr 11 15:16:40 2018 +0800

KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update

In arch/x86/kvm/trace.h, this function is declared as host_irq the first input, and vcpu_id the second, instead of otherwise.

Signed-off-by: hu huajun
Signed-off-by: Paolo Bonzini

commit 8e9b29b61851ba452e33373743fadb52778e9075
Author: KarimAllah Ahmed
Date: Wed Apr 11 11:16:03 2018 +0200

X86/KVM: Do not allow DISABLE_EXITS_MWAIT when LAPIC ARAT is not available

If the processor does not have an "Always Running APIC Timer" (aka ARAT), we should not give guests direct access to MWAIT. The LAPIC timer would stop ticking in deep C-states, so any host deadlines would not wake up the host kernel.

The host kernel intel_idle driver handles this by switching to broadcast mode when ARAT is not available and MWAIT is issued with a deep C-state that would stop the LAPIC timer. When MWAIT is passed through, we can not tell when MWAIT is issued.

So just disable this capability when LAPIC ARAT is not available. I am not even sure if there are any CPUs with VMX support but no LAPIC ARAT or not.

Cc: Paolo Bonzini
Cc: Radim Krčmář
Reported-by: Wanpeng Li
Signed-off-by: KarimAllah Ahmed
Signed-off-by: Paolo Bonzini

commit 5ac7c2fd6e7102532104907c0df94abca826ec5c
Author: Kyle Spiers
Date: Tue Apr 10 17:02:29 2018 -0700

isofs compress: Remove VLA usage

As part of the effort to remove VLAs from the kernel[1], this changes the allocation of the bhs and pages arrays from being on the stack to being kcalloc()ed. This also allows for the removal of the explicit zeroing of bhs.

https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kyle Spiers
Signed-off-by: Jan Kara

commit 4d5f26ee310237552a36aa14ceee96d6659153cd
Author: Colin Ian King
Date: Tue Apr 10 13:38:56 2018 +0100

kvm: selftests: fix spelling mistake: "divisable" and "divisible"

Trivial fix to spelling mistakes in comment and message text

Signed-off-by: Colin Ian King
Signed-off-by: Paolo Bonzini

commit 386c6ddbda180676b7d9fc375d54a7bdd353d39e
Author: KarimAllah Ahmed
Date: Tue Apr 10 14:15:46 2018 +0200

X86/VMX: Disable VMX preemption timer if MWAIT is not intercepted

The VMX-preemption timer is used by KVM as a way to set deadlines for the guest (i.e. timer emulation). That was safe till very recently when capability KVM_X86_DISABLE_EXITS_MWAIT to disable intercepting MWAIT was introduced. According to Intel SDM 25.5.1:

"""
The VMX-preemption timer operates in the C-states C0, C1, and C2; it also operates in the shutdown and wait-for-SIPI states. If the timer counts down to zero in any state other than the wait-for SIPI state, the logical processor transitions to the C0 C-state and causes a VM exit; the timer does not cause a VM exit if it counts down to zero in the wait-for-SIPI state. The timer is not decremented in C-states deeper than C2.
"""

Now once the guest issues the MWAIT with a c-state deeper than C2 the preemption timer will never wake it up again since it stopped ticking! Usually this is compensated by other activities in the system that would wake the core from the deep C-state (and cause a VMExit). For example, if the host itself is ticking or it received interrupts, etc!

So disable the VMX-preemption timer if MWAIT is exposed to the guest!

Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: kvm@vger.kernel.org
Signed-off-by: KarimAllah Ahmed
Fixes: 4d5422cea3b61f158d58924cbb43feada456ba5c
Signed-off-by: Paolo Bonzini

commit 1aa3b3e0cbdb32439f04842e88fc7557a0777660
Author: Jia-Ju Bai
Date: Mon Apr 9 22:31:19 2018 +0800

fs: quota: Replace GFP_ATOMIC with GFP_KERNEL in dquot_init

dquot_init() is never called in atomic context. This function is only set as a parameter of fs_initcall().

Despite never getting called from atomic context, dquot_init() calls __get_free_pages() with GFP_ATOMIC, which waits busily for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL, to avoid busy waiting and improve the possibility of successful allocation.

This is found by a static analysis tool named DCNS written by myself. And I also manually check it.

Signed-off-by: Jia-Ju Bai
Signed-off-by: Jan Kara

commit 54a307ba8d3cd00a3902337ffaae28f436eeb1a4
Author: Amir Goldstein
Date: Wed Apr 4 23:42:18 2018 +0300

fanotify: fix logic of events on child

When event on child inodes are sent to the parent inode mark and parent inode mark was not marked with FAN_EVENT_ON_CHILD, the event will not be delivered to the listener process. However, if the same process also has a mount mark, the event to the parent inode will be delivered regardless of the mount mark mask.

This behavior is incorrect in the case where the mount mark mask does not contain the specific event type. For example, the process adds a mark on a directory with mask FAN_MODIFY (without FAN_EVENT_ON_CHILD) and a mount mark with mask FAN_CLOSE_NOWRITE (without FAN_ONDIR).

A modify event on a file inside that directory (and inside that mount) should not create a FAN_MODIFY event, because neither of the marks requested to get that event on the file.

Fixes: 1968f5eed54c ("fanotify: use both marks when possible")
Cc: stable
Signed-off-by: Amir Goldstein
Signed-off-by: Jan Kara

commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711
Author: Rodrigo Rivas Costa
Date: Fri Apr 6 01:09:36 2018 +0200

HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device

Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device and then disconnecting the device, or unloading the driver, can cause a NULL pointer dereference.

When a hidraw device is destroyed it sets 0 to `dev->exist`. Most functions check 'dev->exist' before doing its work, but `hidraw_get_report()` was missing that check.

Cc: stable@vger.kernel.org
Signed-off-by: Rodrigo Rivas Costa
Signed-off-by: Jiri Kosina

commit 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452
Author: Dmitry Torokhov
Date: Tue Apr 3 10:52:20 2018 -0700

HID: input: fix battery level reporting on BT mice

The commit 581c4484769e ("HID: input: map digitizer battery usage") assumed that devices having input (as opposed to feature) report for battery strength would report the data on their own, without the need to be polled by the kernel; unfortunately it is not so. Many wireless mice do not send unsolicited reports with battery strength data and have to be polled explicitly. As a complication, stylus devices on digitizers are not normally connected to the base and thus can not be polled - the base can only determine battery strength in the stylus when it is in proximity.

To solve this issue, we add a special flag that tells the kernel to avoid polling the device (and expect unsolicited reports) and set it when report field with physical usage of digitizer stylus (HID_DG_STYLUS). Unless this flag is set, and we have not seen the unsolicited reports, the kernel will attempt to poll the device when userspace attempts to read "capacity" and "state" attributes of power_supply object corresponding to the devices battery.

Fixes: 581c4484769e ("HID: input: map digitizer battery usage")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198095
Cc: stable@vger.kernel.org
Reported-and-tested-by: Martin van Es
Signed-off-by: Dmitry Torokhov
Signed-off-by: Jiri Kosina

commit 0136c741ff40e03323419feec05fcd594f36a463
Author: Anson Huang
Date: Wed Mar 28 11:22:38 2018 +0800

clocksource/drivers/imx-tpm: Add different counter width support

Different TPM modules have different width counters which is 16-bit or 32-bit, the counter width can be read from TPM_PARAM register bit[23:16], this patch adds dynamic check for counter width to support both 16-bit and 32-bit TPM modules.

Signed-off-by: Anson Huang
Signed-off-by: Daniel Lezcano

commit 506a7be93ff773d5d4cf75a59f342865605b4910
Author: Anson Huang
Date: Wed Mar 28 11:22:37 2018 +0800

clocksource/drivers/imx-tpm: Correct some registers operation flow

According to i.MX7ULP reference manual, TPM_SC_CPWMS can ONLY be written when counter is disabled, TPM_SC_TOF is write-1-clear, TPM_C0SC_CHF is also write-1-clear, correct these registers initialization flow;

Signed-off-by: Anson Huang
Signed-off-by: Daniel Lezcano

commit 16328e7bd428937f557a984d8b3378387c17a930
Author: Anson Huang
Date: Wed Mar 28 11:22:36 2018 +0800

clocksource/drivers/imx-tpm: Fix typo of clock name

The clock name should be ipg instead of igp.

Signed-off-by: Anson Huang
Signed-off-by: Daniel Lezcano

commit cc01456a0d9a3cbfec85cf23f2ce53323e8fc973
Author: Anson Huang
Date: Wed Mar 28 11:22:35 2018 +0800

dt-bindings: timer: tpm: fix typo of clock name

The clock name should be ipg instead of igp.

Signed-off-by: Anson Huang
Reviewed-by: Rob Herring
Signed-off-by: Daniel Lezcano

commit 1c00289ecd12471ba9733e61aaf1d39883a77b16
Author: Tomer Maimon
Date: Thu Mar 8 17:24:58 2018 +0200

clocksource/drivers/npcm: Add NPCM7xx timer driver

Add Nuvoton BMC NPCM7xx timer driver. The clocksource Enable 24-bit TIMER0 and TIMER1 counters, while TIMER0 serve as clockevent and TIMER1 serve as clocksource.

Signed-off-by: Tomer Maimon
Reviewed-by: Brendan Higgins
Signed-off-by: Daniel Lezcano

commit ff2969c479d97c6221a9835ee0ab4c44513badc6
Author: Tomer Maimon
Date: Thu Mar 8 17:24:57 2018 +0200

dt-binding: timer: document NPCM7xx timer DT bindings

Added device tree binding documentation for Nuvoton NPCM7xx timer.

Signed-off-by: Tomer Maimon
Acked-by: Rob Herring
Reviewed-by: Brendan Higgins
Signed-off-by: Daniel Lezcano

commit f62fd7a77717350e850f3c4a5373fe8e64871025
Author: Colin Ian King
Date: Fri Mar 2 09:07:08 2018 +0000

ecryptfs: fix spelling mistake: "cadidate" -> "candidate"

Trivial fix to spelling mistake in debug message text.

Signed-off-by: Colin Ian King
Signed-off-by: Tyler Hicks

commit ab13a9218c9883d1f51940b9e720c63ef54a2c07
Author: Guenter Roeck
Date: Thu Jan 18 18:40:25 2018 -0800

ecryptfs: lookup: Don't check if mount_crypt_stat is NULL

mount_crypt_stat is assigned to &ecryptfs_superblock_to_private(ecryptfs_dentry->d_sb)->mount_crypt_stat, and mount_crypt_stat is not the first object in struct ecryptfs_sb_info. mount_crypt_stat is therefore never NULL.

At the same time, no crash in ecryptfs_lookup() has been reported, and the lookup functions in other file systems don't check if d_sb is NULL either.

Given that, remove the NULL check.
Signed-off-by: Guenter Roeck
Signed-off-by: Tyler Hicks

60cc43fc88 Linux 4.17-rc1
486ad79630 origin
37ee4b8879 pci: test for unexpectedly disabled bridges

+------------------------------------------+-----------+------------+------------+
|                                          | v4.17-rc1 | 486ad79630 | mmotm/v4.1 |
+------------------------------------------+-----------+------------+------------+
| boot_successes                           | 81        | 4          | 0          |
| boot_failures                            | 0         | 11         | 11         |
| BUG:unable_to_handle_kernel              | 0         | 11         | 11         |
| Oops:#[##]                               | 0         | 11         | 11         |
| RIP:llc_ui_release                       | 0         | 11         | 11         |
| Kernel_panic-not_syncing:Fatal_exception | 0         | 11         | 11         |
+------------------------------------------+-----------+------------+------------+

[main] Setsockopt(101 c 1b24000 a) on fd 177 [3:5:240]
[main] Setsockopt(1 2c 1b24000 4) on fd 178 [5:2:0]
[main] Setsockopt(29 8 1b24000 4) on fd 180 [10:1:0]
[main] Setsockopt(1 20 1b24000 4) on fd 181 [26:2:125]
[main] Setsockopt(11 1 1b24000 4) on fd 183 [2:2:17]
[   15.532543] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[   15.534143] PGD 800000001734b067 P4D 800000001734b067 PUD 17350067 PMD 0
[   15.535516] Oops: 0002 [#1] PTI
[   15.536165] Modules linked in:
[   15.536798] CPU: 0 PID: 363 Comm: trinity-main Not tainted 4.17.0-rc1-00001-g486ad79 #2
[   15.538396] RIP: 0010:llc_ui_release+0x3a/0xd0
[   15.539293] RSP: 0018:ffffc9000015bd70 EFLAGS: 00010202
[   15.540345] RAX: 0000000000000001 RBX: ffff88001fa60008 RCX: 0000000000000006
[   15.541802] RDX: 0000000000000006 RSI: ffff88001fdda660 RDI: ffff88001fa60008
[   15.543139] RBP: ffffc9000015bd80 R08: 0000000000000000 R09: 0000000000000000
[   15.544725] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.546287] R13: ffff88001fa61730 R14: ffff88001e130a60 R15: ffff880019bdb3f0
[   15.547962] FS:  00007f2221bb1700(0000) GS:ffffffff82034000(0000) knlGS:0000000000000000
[   15.549848] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.551186] CR2: 0000000000000004 CR3: 000000001734e000 CR4: 00000000000006b0
[   15.552671] DR0: 0000000002232000 DR1: 0000000000000000 DR2: 0000000000000000
[   15.554105] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   15.555534] Call Trace:
[   15.556049]  sock_release+0x14/0x60
[   15.556767]  sock_close+0xd/0x20
[   15.557427]  __fput+0xba/0x1f0
[   15.558058]  ____fput+0x9/0x10
[   15.558682]  task_work_run+0x73/0xa0
[   15.559416]  do_exit+0x231/0xab0
[   15.560079]  do_group_exit+0x3f/0xc0
[   15.560810]  __x64_sys_exit_group+0x13/0x20
[   15.561656]  do_syscall_64+0x58/0x2f0
[   15.562407]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   15.563360]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   15.564471] RIP: 0033:0x7f2221696408
[   15.565264] RSP: 002b:00007ffe5c544c48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   15.566924] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2221696408
[   15.568485] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   15.570046] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffffa0
[   15.571603] R10: 00007ffe5c5449e0 R11: 0000000000000206 R12: 0000000000000004
[   15.573160] R13: 00007ffe5c544e30 R14: 0000000000000000 R15: 0000000000000000
[   15.574720] Code: 7b ff 43 78 0f 88 a5 6f 14 00 31 f6 48 89 df e8 ad 33 fb ff 48 89 df e8 55 94 ff ff 85 c0 0f 84 84 00 00 00 4c 8b a3 d8 04 00 00 <41> ff 44 24 04 0f 88 7f 6f 14 00 48 8b 43 58 f6 c4 01 74 58 48
[   15.578679] RIP: llc_ui_release+0x3a/0xd0 RSP: ffffc9000015bd70
[   15.579874] CR2: 0000000000000004
[   15.580553] ---[ end trace 0dd8fdc6b7182234 ]---
[   15.581491] Kernel panic - not syncing: Fatal exception

# HH:MM  RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b309e20d9dc7223f34a55a1a5e573a9b69da3783 60cc43fc888428bb2f18f08997432d426a243338 --
git bisect  bad 74f5796964d2f308c4f065084c2d805101782b2a  # 09:08  B      0    11   26   0  Merge 'stm32/stm32-next' into devel-catchup-201805030716
git bisect  bad da0bab875e8538bd9db5761ec03e431f83fb0019  # 09:16  B      0    11   26   0  Merge 'sailus-media/for-4.18-3' into devel-catchup-201805030716
git bisect  bad ae6b372217655a323c42fddd040be9c27f22dfc3  # 09:26  B      0     2   17   0  Merge 'pinctrl/for-next' into devel-catchup-201805030716
git bisect good 7d12e09a3344e90e00c6a8258cc8c64d4a277daa  # 09:42  G     11     0    0   0  0day base guard for 'devel-catchup-201805030716'
git bisect  bad 23bd6b85a69b1067ebe776b655424eec21932afe  # 09:54  B      0     7   21   0  Merge 'linux-review/Roman-Gushchin/mm-introduce-memory-min/20180503-064145' into devel-catchup-201805030716
git bisect  bad aacc1db1cf5776722a20162c7a33b05ebe68ca89  # 10:01  B      0    11   25   0  prctl: don't compile some of prctl functions when CRUI disabled
git bisect  bad 0e6521e40b9f94fea176cee6038b63e3c7c687d1  # 10:11  B      0     6   20   0  block: restore /proc/partitions to not display non-partitionable removable devices
git bisect  bad 4edeafbad56d4b28e9e7e50c6ccd744c139597fc  # 10:21  B      0     5   19   0  fs, elf: don't complain MAP_FIXED_NOREPLACE unless -EEXIST error
git bisect  bad f138cdd1d1c3aca9a49cf341bcfacc994deecd00  # 10:43  B      0    11   25   0  mm: enable thp migration for shmem thp
git bisect  bad e72831147e882465861aae379241e116ddc01f2c  # 10:52  B      0    11   25   0  fork: unconditionally clear stack on fork
git bisect  bad 059df5489edd250efd0048c95c2b9be42459818f  # 11:03  B      0    11   25   0  I need old gcc
git bisect  bad 486ad79630d0ba0b7205a8db9fe15ba392f5ee32  # 11:13  B      0    11   25   0  origin
# first bad commit: [486ad79630d0ba0b7205a8db9fe15ba392f5ee32] origin
git bisect good 60cc43fc888428bb2f18f08997432d426a243338  # 11:16  G     31     0    0   0  Linux 4.17-rc1
# extra tests with debug options
git bisect  bad 486ad79630d0ba0b7205a8db9fe15ba392f5ee32  # 11:28  B      0    11   25   0  origin
# extra tests on HEAD of linux-devel/devel-catchup-201805030716
git bisect  bad b309e20d9dc7223f34a55a1a5e573a9b69da3783  # 11:28  B      0    13   31   0  0day head guard for 'devel-catchup-201805030716'
# extra tests on tree/branch mmotm/master
git bisect  bad 37ee4b887928911dc6d2dd39a869330511068919  # 11:47  B      0     9   23   0  pci: test for unexpectedly disabled bridges

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                       Intel Corporation