5 years agoMerge tag 'apparmor-pr-2017-11-30' of git://
Linus Torvalds [Thu, 30 Nov 2017 23:56:41 +0000 (18:56 -0500)]
Merge tag 'apparmor-pr-2017-11-30' of git://git./linux/kernel/git/jj/linux-apparmor

Pull apparmor bugfix from John Johansen:
 "Fix oops in audit_signal_cb hook marked for stable"

* tag 'apparmor-pr-2017-11-30' of git://
  apparmor: fix oops in audit_signal_cb hook

5 years agoMerge tag 'acpi-4.15-rc2' of git://
Linus Torvalds [Thu, 30 Nov 2017 23:49:50 +0000 (18:49 -0500)]
Merge tag 'acpi-4.15-rc2' of git://git./linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "These fix a regression related to the ACPI EC handling during system
  suspend/resume on some platforms and prevent modalias from being
  exposed to user space for ACPI device object with "not functional and
  not present" status.


   - Fix an ACPI EC driver regression (from the 4.9 cycle) causing the
     driver's power management operations to be omitted during system
     suspend/resume on platforms where the EC instance from the ECDT
     table is used instead of the one from the DSDT (Lv Zheng).

   - Prevent modalias from being exposed to user space for ACPI device
     objects with _STA returning 0 (not present and not functional) to
     prevent driver modules from being loaded automatically for hardware
     that is not actually present on some platforms (Hans de Goede)"

* tag 'acpi-4.15-rc2' of git://
  ACPI / EC: Fix regression related to PM ops support in ECDT device
  ACPI / bus: Leave modalias empty for devices which are not present

5 years agoMerge tag 'pm-4.15-rc2' of git://
Linus Torvalds [Thu, 30 Nov 2017 23:45:55 +0000 (18:45 -0500)]
Merge tag 'pm-4.15-rc2' of git://git./linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:

 - add missing module information to the Mediatek cpufreq driver module
   (Jesse Chan)

 - fix config dependencies for the Loongson cpufreq driver (James Hogan)

 - fix two issues related to CPU offline in the cpupower utility
   (Abhishek Goel).

* tag 'pm-4.15-rc2' of git://
  cpufreq: mediatek: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
  cpufreq: Add Loongson machine dependencies
  cpupower : Fix cpupower working when cpu0 is offline
  cpupowerutils: bench - Fix cpu online check

5 years agoMerge branch 'for_linus' of git://
Linus Torvalds [Thu, 30 Nov 2017 23:38:47 +0000 (18:38 -0500)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs

Pull quota & reiserfs changes from Jan Kara:

 - two error checking improvements for quota

 - remove bogus i_version increase for reiserfs

* 'for_linus' of git://
  quota: Check for register_shrinker() failure.
  quota: propagate error from __dquot_initialize
  reiserfs: remove unneeded i_version bump

5 years agoMerge tag 'for-linus' of git://
Linus Torvalds [Thu, 30 Nov 2017 16:15:19 +0000 (08:15 -0800)]
Merge tag 'for-linus' of git://git./virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:

 - x86 bugfixes: APIC, nested virtualization, IOAPIC

 - PPC bugfix: HPT guests on a POWER9 radix host

* tag 'for-linus' of git:// (26 commits)
  KVM: Let KVM_SET_SIGNAL_MASK work as advertised
  KVM: VMX: Fix vmx->nested freeing when no SMI handler
  KVM: VMX: Fix rflags cache during vCPU reset
  KVM: X86: Fix softlockup when get the current kvmclock
  KVM: lapic: Fixup LDR on load in x2apic
  KVM: lapic: Split out x2apic ldr calculation
  KVM: PPC: Book3S HV: Fix migration and HPT resizing of HPT guests on radix hosts
  KVM: vmx: use X86_CR4_UMIP and X86_FEATURE_UMIP
  KVM: x86: Fix CPUID function for word 6 (80000001_ECX)
  KVM: nVMX: Fix vmx_check_nested_events() return value in case an event was reinjected to L2
  KVM: x86: ioapic: Preserve read-only values in the redirection table
  KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
  KVM: x86: ioapic: Remove redundant check for Remote IRR in ioapic_set_irq
  KVM: x86: ioapic: Don't fire level irq when Remote IRR set
  KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
  KVM: x86: inject exceptions produced by x86_decode_insn
  KVM: x86: Allow suppressing prints on RDMSR/WRMSR of unhandled MSRs
  KVM: x86: fix em_fxstor() sleeping while in atomic
  KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure
  KVM: nVMX: Validate the IA32_BNDCFGS on nested VM-entry

5 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 30 Nov 2017 16:13:36 +0000 (08:13 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux

Pull s390 fixes from Martin Schwidefsky:

 - SPDX identifiers are added to more of the s390 specific files.

 - The ELF_ET_DYN_BASE base patch from Kees is reverted, with the change
   some old 31-bit programs crash.

 - Bug fixes and cleanups.

* 'for-linus' of git:// (29 commits)
  s390/gs: add compat regset for the guarded storage broadcast control block
  s390: revert ELF_ET_DYN_BASE base changes
  s390: Remove redundant license text
  s390: crypto: Remove redundant license text
  s390: include: Remove redundant license text
  s390: kernel: Remove redundant license text
  s390: add SPDX identifiers to the remaining files
  s390: appldata: add SPDX identifiers to the remaining files
  s390: pci: add SPDX identifiers to the remaining files
  s390: mm: add SPDX identifiers to the remaining files
  s390: crypto: add SPDX identifiers to the remaining files
  s390: kernel: add SPDX identifiers to the remaining files
  s390: sthyi: add SPDX identifiers to the remaining files
  s390: drivers: Remove redundant license text
  s390: crypto: Remove redundant license text
  s390: virtio: add SPDX identifiers to the remaining files
  s390: scsi: zfcp_aux: add SPDX identifier
  s390: net: add SPDX identifiers to the remaining files
  s390: char: add SPDX identifiers to the remaining files
  s390: cio: add SPDX identifiers to the remaining files

5 years agoMerge branch 'acpi-ec' into acpi
Rafael J. Wysocki [Thu, 30 Nov 2017 12:37:29 +0000 (13:37 +0100)]
Merge branch 'acpi-ec' into acpi

* acpi-ec:
  ACPI / EC: Fix regression related to PM ops support in ECDT device

5 years agoMerge branch 'pm-tools'
Rafael J. Wysocki [Thu, 30 Nov 2017 12:29:56 +0000 (13:29 +0100)]
Merge branch 'pm-tools'

* pm-tools:
  cpupower : Fix cpupower working when cpu0 is offline
  cpupowerutils: bench - Fix cpu online check

5 years agoMerge branch 'akpm' (patches from Andrew)
Linus Torvalds [Thu, 30 Nov 2017 03:12:44 +0000 (19:12 -0800)]
Merge branch 'akpm' (patches from Andrew)

Mergr misc fixes from Andrew Morton:
 "28 fixes"

* emailed patches from Andrew Morton <>: (28 commits)
  fs/hugetlbfs/inode.c: change put_page/unlock_page order in hugetlbfs_fallocate()
  mm/hugetlb: fix NULL-pointer dereference on 5-level paging machine
  autofs: revert "autofs: fix AT_NO_AUTOMOUNT not being honored"
  autofs: revert "autofs: take more care to not update last_used on path walk"
  fs/fat/inode.c: fix sb_rdonly() change
  mm, memcg: fix mem_cgroup_swapout() for THPs
  mm: migrate: fix an incorrect call of prep_transhuge_page()
  kmemleak: add scheduling point to kmemleak_scan()
  scripts/bloat-o-meter: don't fail with division by 0
  fs/mbcache.c: make count_objects() more robust
  Revert "mm/page-writeback.c: print a warning if the vm dirtiness settings are illogical"
  mm/madvise.c: fix madvise() infinite loop under special circumstances
  exec: avoid RLIMIT_STACK races with prlimit()
  IB/core: disable memory registration of filesystem-dax vmas
  v4l2: disable filesystem-dax mapping support
  mm: fail get_vaddr_frames() for filesystem-dax mappings
  mm: introduce get_user_pages_longterm
  device-dax: implement ->split() to catch invalid munmap attempts
  mm, hugetlbfs: introduce ->split() to vm_operations_struct
  scripts/faddr2line: extend usage on generic arch

5 years agofs/hugetlbfs/inode.c: change put_page/unlock_page order in hugetlbfs_fallocate()
Nadav Amit [Thu, 30 Nov 2017 00:11:33 +0000 (16:11 -0800)]
fs/hugetlbfs/inode.c: change put_page/unlock_page order in hugetlbfs_fallocate()

hugetlfs_fallocate() currently performs put_page() before unlock_page().
This scenario opens a small time window, from the time the page is added
to the page cache, until it is unlocked, in which the page might be
removed from the page-cache by another core.  If the page is removed
during this time windows, it might cause a memory corruption, as the
wrong page will be unlocked.

It is arguable whether this scenario can happen in a real system, and
there are several mitigating factors.  The issue was found by code
inspection (actually grep), and not by actually triggering the flow.
Yet, since putting the page before unlocking is incorrect it should be
fixed, if only to prevent future breakage or someone copy-pasting this

Mike said:
 "I am of the opinion that this does not need to be sent to stable.
  Although the ordering is current code is incorrect, there is no way
  for this to be a problem with current locking. In addition, I verified
  that the perhaps bigger issue with sys_fadvise64(POSIX_FADV_DONTNEED)
  for hugetlbfs and other filesystems is addressed in 3a77d214807c ("mm:
  fadvise: avoid fadvise for fs without backing device")"

Fixes: 70c3547e36f5c ("hugetlbfs: add hugetlbfs_fallocate()")
Signed-off-by: Nadav Amit <>
Reviewed-by: Mike Kravetz <>
Acked-by: Michal Hocko <>
Cc: Eric Biggers <>
Cc: Mike Kravetz <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm/hugetlb: fix NULL-pointer dereference on 5-level paging machine
Kirill A. Shutemov [Thu, 30 Nov 2017 00:11:30 +0000 (16:11 -0800)]
mm/hugetlb: fix NULL-pointer dereference on 5-level paging machine

I made a mistake during converting hugetlb code to 5-level paging: in
huge_pte_alloc() we have to use p4d_alloc(), not p4d_offset().

Otherwise it leads to crash -- NULL-pointer dereference in pud_alloc()
if p4d table is not yet allocated.

It only can happen in 5-level paging mode.  In 4-level paging mode
p4d_offset() always returns pgd, so we are fine.

Fixes: c2febafc6773 ("mm: convert generic code to 5-level paging")
Signed-off-by: Kirill A. Shutemov <>
Acked-by: Vlastimil Babka <>
Acked-by: Michal Hocko <>
Cc: <> [4.11+]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoautofs: revert "autofs: fix AT_NO_AUTOMOUNT not being honored"
Ian Kent [Thu, 30 Nov 2017 00:11:26 +0000 (16:11 -0800)]
autofs: revert "autofs: fix AT_NO_AUTOMOUNT not being honored"

Commit 42f461482178 ("autofs: fix AT_NO_AUTOMOUNT not being honored")
allowed the fstatat(2) system call to properly honor the AT_NO_AUTOMOUNT
flag but introduced a semantic change.

In order to honor AT_NO_AUTOMOUNT a semantic change was made to the
negative dentry case for stat family system calls in follow_automount().

This changed the unconditional triggering of an automount in this case
to no longer be done and an error returned instead.

This has caused more problems than I expected so reverting the change is

In a discussion with Neil Brown it was concluded that the automount(8)
daemon can implement this change without kernel modifications.  So that
will be done instead and the autofs module documentation updated with a
description of the problem and what needs to be done by module users for
this specific case.

Fixes: 42f4614821 ("autofs: fix AT_NO_AUTOMOUNT not being honored")
Signed-off-by: Ian Kent <>
Cc: Neil Brown <>
Cc: Al Viro <>
Cc: David Howells <>
Cc: Colin Walters <>
Cc: Ondrej Holy <>
Cc: <> [4.11+]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoautofs: revert "autofs: take more care to not update last_used on path walk"
Ian Kent [Thu, 30 Nov 2017 00:11:23 +0000 (16:11 -0800)]
autofs: revert "autofs: take more care to not update last_used on path walk"

While commit 092a53452bb7 ("autofs: take more care to not update
last_used on path walk") helped (partially) resolve a problem where
automounts were not expiring due to aggressive accesses from user space
it has a side effect for very large environments.

This change helps with the expire problem by making the expire more
aggressive but, for very large environments, that means more mount
requests from clients.  When there are a lot of clients that can mean
fairly significant server load increases.

It turns out I put the last_used in this position to solve this very
problem and failed to update my own thinking of the autofs expire
policy.  So the patch being reverted introduces a regression which
should be fixed.

Fixes: 092a53452b ("autofs: take more care to not update last_used on path walk")
Signed-off-by: Ian Kent <>
Reviewed-by: NeilBrown <>
Cc: Al Viro <>
Cc: <> [4.11+]
Cc: Colin Walters <>
Cc: David Howells <>
Cc: Ondrej Holy <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agofs/fat/inode.c: fix sb_rdonly() change
OGAWA Hirofumi [Thu, 30 Nov 2017 00:11:19 +0000 (16:11 -0800)]
fs/fat/inode.c: fix sb_rdonly() change

Commit bc98a42c1f7d ("VFS: Convert sb->s_flags & MS_RDONLY to
sb_rdonly(sb)") converted fat_remount():new_rdonly from a bool to an

However fat_remount() depends upon the compiler's conversion of a
non-zero integer into boolean `true'.

Fix it by switching `new_rdonly' back into a bool.

Fixes: bc98a42c1f7d0f8 ("VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb)")
Signed-off-by: OGAWA Hirofumi <>
Cc: Joe Perches <>
Cc: David Howells <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm, memcg: fix mem_cgroup_swapout() for THPs
Shakeel Butt [Thu, 30 Nov 2017 00:11:15 +0000 (16:11 -0800)]
mm, memcg: fix mem_cgroup_swapout() for THPs

Commit d6810d730022 ("memcg, THP, swap: make mem_cgroup_swapout()
support THP") changed mem_cgroup_swapout() to support transparent huge
page (THP).

However the patch missed one location which should be changed for
correctly handling THPs.  The resulting bug will cause the memory
cgroups whose THPs were swapped out to become zombies on deletion.

Fixes: d6810d730022 ("memcg, THP, swap: make mem_cgroup_swapout() support THP")
Signed-off-by: Shakeel Butt <>
Acked-by: Johannes Weiner <>
Acked-by: Michal Hocko <>
Cc: Huang Ying <>
Cc: Vladimir Davydov <>
Cc: Greg Thelen <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: migrate: fix an incorrect call of prep_transhuge_page()
Zi Yan [Thu, 30 Nov 2017 00:11:12 +0000 (16:11 -0800)]
mm: migrate: fix an incorrect call of prep_transhuge_page()

In, Andrea reported that during
memory hotplug/hot remove prep_transhuge_page() is called incorrectly on
non-THP pages for migration, when THP is on but THP migration is not
enabled.  This leads to a bad state of target pages for migration.

By inspecting the code, if called on a non-THP, prep_transhuge_page()

 1) change the value of the mapping of (page + 2), since it is used for
    THP deferred list;

 2) change the lru value of (page + 1), since it is used for THP's dtor.

Both can lead to data corruption of these two pages.

Andrea said:
 "Pragmatically and from the point of view of the memory_hotplug subsys,
  the effect is a kernel crash when pages are being migrated during a
  memory hot remove offline and migration target pages are found in a
  bad state"

This patch fixes it by only calling prep_transhuge_page() when we are
certain that the target page is THP.

Fixes: 8135d8926c08 ("mm: memory_hotplug: memory hotremove supports thp migration")
Signed-off-by: Zi Yan <>
Reported-by: Andrea Reale <>
Cc: Naoya Horiguchi <>
Cc: Michal Hocko <>
Cc: "Jérôme Glisse" <>
Cc: <> [4.14]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agokmemleak: add scheduling point to kmemleak_scan()
Yisheng Xie [Thu, 30 Nov 2017 00:11:08 +0000 (16:11 -0800)]
kmemleak: add scheduling point to kmemleak_scan()

kmemleak_scan() will scan struct page for each node and it can be really
large and resulting in a soft lockup.  We have seen a soft lockup when
do scan while compile kernel:

  watchdog: BUG: soft lockup - CPU#53 stuck for 22s! [bash:10287]
  Call Trace:

Fix this by adding cond_resched every MAX_SCAN_SIZE.

Signed-off-by: Yisheng Xie <>
Suggested-by: Catalin Marinas <>
Acked-by: Catalin Marinas <>
Cc: Michal Hocko <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoscripts/bloat-o-meter: don't fail with division by 0
Andy Shevchenko [Thu, 30 Nov 2017 00:11:05 +0000 (16:11 -0800)]
scripts/bloat-o-meter: don't fail with division by 0

Under some circumstances it's possible to get a divider 0 which crashes
the script.

  Traceback (most recent call last):
    File "linux/scripts/bloat-o-meter", line 98, in <module>
      print_result("Function", "tTdDbBrR", 2)
    File "linux/scripts/bloat-o-meter", line 87, in print_result
      (otot, ntot, (ntot - otot)*100.0/otot))
  ZeroDivisionError: float division by zero

Hide this by checking the divider first.

Signed-off-by: Andy Shevchenko <>
Cc: Alexey Dobriyan <>
Cc: Vaneet Narang <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agofs/mbcache.c: make count_objects() more robust
Jiang Biao [Thu, 30 Nov 2017 00:11:01 +0000 (16:11 -0800)]
fs/mbcache.c: make count_objects() more robust

When running ltp stress test for 7*24 hours, vmscan occasionally emits
the following warning continuously:

  mb_cache_scan+0x0/0x3f0 negative objects to delete

Tracing shows the freeable(mb_cache_count returns) is -1, which causes
the continuous accumulation and overflow of total_scan.

This patch makes sure that mb_cache_count() cannot return a negative
value, which makes the mbcache shrinker more robust.

Signed-off-by: Jiang Biao <>
Cc: Al Viro <>
Cc: Minchan Kim <>
Cc: Michal Hocko <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoRevert "mm/page-writeback.c: print a warning if the vm dirtiness settings are illogical"
Michal Hocko [Thu, 30 Nov 2017 00:10:58 +0000 (16:10 -0800)]
Revert "mm/page-writeback.c: print a warning if the vm dirtiness settings are illogical"

This reverts commit 0f6d24f87856 ("mm/page-writeback.c: print a warning
if the vm dirtiness settings are illogical") because it causes false
positive warnings during OOM situations as noticed by Tetsuo Handa:

  Node 0 active_anon:3525940kB inactive_anon:8372kB active_file:216kB inactive_file:1872kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:2504kB dirty:52kB writeback:0kB shmem:8660kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 636928kB writeback_tmp:0kB unstable:0kB all_unreclaimable? yes
  Node 0 DMA free:14848kB min:284kB low:352kB high:420kB active_anon:992kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15988kB managed:15904kB mlocked:0kB kernel_stack:0kB pagetables:24kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
  lowmem_reserve[]: 0 2687 3645 3645
  Node 0 DMA32 free:53004kB min:49608kB low:62008kB high:74408kB active_anon:2712648kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129216kB managed:2773132kB mlocked:0kB kernel_stack:96kB pagetables:5096kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
  lowmem_reserve[]: 0 0 958 958
  Node 0 Normal free:17140kB min:17684kB low:22104kB high:26524kB active_anon:812300kB inactive_anon:8372kB active_file:1228kB inactive_file:1868kB unevictable:0kB writepending:52kB present:1048576kB managed:981224kB mlocked:0kB kernel_stack:3520kB pagetables:8552kB bounce:0kB free_pcp:120kB local_pcp:120kB free_cma:0kB
  lowmem_reserve[]: 0 0 0 0
  Out of memory: Kill process 8459 (a.out) score 999 or sacrifice child
  Killed process 8459 (a.out) total-vm:4180kB, anon-rss:88kB, file-rss:0kB, shmem-rss:0kB
  oom_reaper: reaped process 8459 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
  vm direct limit must be set greater than background limit.

The problem is that both thresh and bg_thresh will be 0 if
available_memory is less than 4 pages when evaluating

While this might be worked around the whole point of the warning is
dubious at best.  We do rely on admins to do sensible things when
changing tunable knobs.  Dirty memory writeback knobs are not any
special in that regards so revert the warning rather than adding more
hacks to work this around.

Debugged by Yafang Shao.

Fixes: 0f6d24f87856 ("mm/page-writeback.c: print a warning if the vm dirtiness settings are illogical")
Signed-off-by: Michal Hocko <>
Reported-by: Tetsuo Handa <>
Cc: Yafang Shao <>
Cc: Jan Kara <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm/madvise.c: fix madvise() infinite loop under special circumstances
chenjie [Thu, 30 Nov 2017 00:10:54 +0000 (16:10 -0800)]
mm/madvise.c: fix madvise() infinite loop under special circumstances

MADVISE_WILLNEED has always been a noop for DAX (formerly XIP) mappings.
Unfortunately madvise_willneed() doesn't communicate this information
properly to the generic madvise syscall implementation.  The calling
convention is quite subtle there.  madvise_vma() is supposed to either
return an error or update &prev otherwise the main loop will never
advance to the next vma and it will keep looping for ever without a way
to get out of the kernel.

It seems this has been broken since introduction.  Nobody has noticed
because nobody seems to be using MADVISE_WILLNEED on these DAX mappings.

[ rewrite changelog]
Fixes: fe77ba6f4f97 ("[PATCH] xip: madvice/fadvice: execute in place")
Signed-off-by: chenjie <>
Signed-off-by: guoxuenan <>
Acked-by: Michal Hocko <>
Cc: Minchan Kim <>
Cc: zhangyi (F) <>
Cc: Miao Xie <>
Cc: Mike Rapoport <>
Cc: Shaohua Li <>
Cc: Andrea Arcangeli <>
Cc: Mel Gorman <>
Cc: Kirill A. Shutemov <>
Cc: David Rientjes <>
Cc: Anshuman Khandual <>
Cc: Rik van Riel <>
Cc: Carsten Otte <>
Cc: Dan Williams <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoexec: avoid RLIMIT_STACK races with prlimit()
Kees Cook [Thu, 30 Nov 2017 00:10:51 +0000 (16:10 -0800)]
exec: avoid RLIMIT_STACK races with prlimit()

While the defense-in-depth RLIMIT_STACK limit on setuid processes was
protected against races from other threads calling setrlimit(), I missed
protecting it against races from external processes calling prlimit().
This adds locking around the change and makes sure that rlim_max is set

Fixes: 64701dee4178e ("exec: Use sane stack rlimit under secureexec")
Signed-off-by: Kees Cook <>
Reported-by: Ben Hutchings <>
Reported-by: Brad Spengler <>
Acked-by: Serge Hallyn <>
Cc: James Morris <>
Cc: Andy Lutomirski <>
Cc: Oleg Nesterov <>
Cc: Jiri Slaby <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoIB/core: disable memory registration of filesystem-dax vmas
Dan Williams [Thu, 30 Nov 2017 00:10:47 +0000 (16:10 -0800)]
IB/core: disable memory registration of filesystem-dax vmas

Until there is a solution to the dma-to-dax vs truncate problem it is
not safe to allow RDMA to create long standing memory registrations
against filesytem-dax vmas.

Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Dan Williams <>
Reported-by: Christoph Hellwig <>
Reviewed-by: Christoph Hellwig <>
Acked-by: Jason Gunthorpe <>
Acked-by: Doug Ledford <>
Cc: Sean Hefty <>
Cc: Hal Rosenstock <>
Cc: Jeff Moyer <>
Cc: Ross Zwisler <>
Cc: Inki Dae <>
Cc: Jan Kara <>
Cc: Joonyoung Shim <>
Cc: Kyungmin Park <>
Cc: Mauro Carvalho Chehab <>
Cc: Mel Gorman <>
Cc: Seung-Woo Kim <>
Cc: Vlastimil Babka <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agov4l2: disable filesystem-dax mapping support
Dan Williams [Thu, 30 Nov 2017 00:10:43 +0000 (16:10 -0800)]
v4l2: disable filesystem-dax mapping support

V4L2 memory registrations are incompatible with filesystem-dax that
needs the ability to revoke dma access to a mapping at will, or
otherwise allow the kernel to wait for completion of DMA.  The
filesystem-dax implementation breaks the traditional solution of
truncate of active file backed mappings since there is no page-cache
page we can orphan to sustain ongoing DMA.

If v4l2 wants to support long lived DMA mappings it needs to arrange to
hold a file lease or use some other mechanism so that the kernel can
coordinate revoking DMA access when the filesystem needs to truncate

Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Dan Williams <>
Reported-by: Jan Kara <>
Reviewed-by: Jan Kara <>
Cc: Mauro Carvalho Chehab <>
Cc: Christoph Hellwig <>
Cc: Doug Ledford <>
Cc: Hal Rosenstock <>
Cc: Inki Dae <>
Cc: Jason Gunthorpe <>
Cc: Jeff Moyer <>
Cc: Joonyoung Shim <>
Cc: Kyungmin Park <>
Cc: Mel Gorman <>
Cc: Ross Zwisler <>
Cc: Sean Hefty <>
Cc: Seung-Woo Kim <>
Cc: Vlastimil Babka <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: fail get_vaddr_frames() for filesystem-dax mappings
Dan Williams [Thu, 30 Nov 2017 00:10:39 +0000 (16:10 -0800)]
mm: fail get_vaddr_frames() for filesystem-dax mappings

Until there is a solution to the dma-to-dax vs truncate problem it is
not safe to allow V4L2, Exynos, and other frame vector users to create
long standing / irrevocable memory registrations against filesytem-dax

[ add comment for vma_is_fsdax() check in get_vaddr_frames(), per Jan]
Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Dan Williams <>
Reviewed-by: Jan Kara <>
Cc: Inki Dae <>
Cc: Seung-Woo Kim <>
Cc: Joonyoung Shim <>
Cc: Kyungmin Park <>
Cc: Mauro Carvalho Chehab <>
Cc: Mel Gorman <>
Cc: Vlastimil Babka <>
Cc: Christoph Hellwig <>
Cc: Doug Ledford <>
Cc: Hal Rosenstock <>
Cc: Jason Gunthorpe <>
Cc: Jeff Moyer <>
Cc: Ross Zwisler <>
Cc: Sean Hefty <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: introduce get_user_pages_longterm
Dan Williams [Thu, 30 Nov 2017 00:10:35 +0000 (16:10 -0800)]
mm: introduce get_user_pages_longterm

Patch series "introduce get_user_pages_longterm()", v2.

Here is a new get_user_pages api for cases where a driver intends to
keep an elevated page count indefinitely.  This is distinct from usages
like iov_iter_get_pages where the elevated page counts are transient.
The iov_iter_get_pages cases immediately turn around and submit the
pages to a device driver which will put_page when the i/o operation
completes (under kernel control).

In the longterm case userspace is responsible for dropping the page
reference at some undefined point in the future.  This is untenable for
filesystem-dax case where the filesystem is in control of the lifetime
of the block / page and needs reasonable limits on how long it can wait
for pages in a mapping to become idle.

Fixing filesystems to actually wait for dax pages to be idle before
blocks from a truncate/hole-punch operation are repurposed is saved for
a later patch series.

Also, allowing longterm registration of dax mappings is a future patch
series that introduces a "map with lease" semantic where the kernel can
revoke a lease and force userspace to drop its page references.

I have also tagged these for -stable to purposely break cases that might
assume that longterm memory registrations for filesystem-dax mappings
were supported by the kernel.  The behavior regression this policy
change implies is one of the reasons we maintain the "dax enabled.
Warning: EXPERIMENTAL, use at your own risk" notification when mounting
a filesystem in dax mode.

It is worth noting the device-dax interface does not suffer the same
constraints since it does not support file space management operations
like hole-punch.

This patch (of 4):

Until there is a solution to the dma-to-dax vs truncate problem it is
not safe to allow long standing memory registrations against
filesytem-dax vmas.  Device-dax vmas do not have this problem and are
explicitly allowed.

This is temporary until a "memory registration with layout-lease"
mechanism can be implemented for the affected sub-systems (RDMA and

[ use kcalloc()]
Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Dan Williams <>
Suggested-by: Christoph Hellwig <>
Cc: Doug Ledford <>
Cc: Hal Rosenstock <>
Cc: Inki Dae <>
Cc: Jan Kara <>
Cc: Jason Gunthorpe <>
Cc: Jeff Moyer <>
Cc: Joonyoung Shim <>
Cc: Kyungmin Park <>
Cc: Mauro Carvalho Chehab <>
Cc: Mel Gorman <>
Cc: Ross Zwisler <>
Cc: Sean Hefty <>
Cc: Seung-Woo Kim <>
Cc: Vlastimil Babka <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agodevice-dax: implement ->split() to catch invalid munmap attempts
Dan Williams [Thu, 30 Nov 2017 00:10:32 +0000 (16:10 -0800)]
device-dax: implement ->split() to catch invalid munmap attempts

Similar to how device-dax enforces that the 'address', 'offset', and
'len' parameters to mmap() be aligned to the device's fundamental
alignment, the same constraints apply to munmap().  Implement ->split()
to fail munmap calls that violate the alignment constraint.

Otherwise, we later fail VM_BUG_ON checks in the unmap_page_range() path
with crash signatures of the form:

    vma ffff8800b60c8a88 start 00007f88c0000000 end 00007f88c0e00000
    next           (null) prev           (null) mm ffff8800b61150c0
    prot 8000000000000027 anon_vma           (null) vm_ops ffffffffa0091240
    pgoff 0 file ffff8800b638ef80 private_data           (null)
    flags: 0x380000fb(read|write|shared|mayread|maywrite|mayexec|mayshare|softdirty|mixedmap|hugepage)
    ------------[ cut here ]------------
    kernel BUG at mm/huge_memory.c:2014!
    RIP: 0010:__split_huge_pud+0x12a/0x180
    Call Trace:
     ? __vma_adjust+0x301/0x990
     ? __vma_rb_erase+0x11a/0x230

Fixes: dee410792419 ("/dev/dax, core: file operations and dax-mmap")
Signed-off-by: Dan Williams <>
Reported-by: Jeff Moyer <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm, hugetlbfs: introduce ->split() to vm_operations_struct
Dan Williams [Thu, 30 Nov 2017 00:10:28 +0000 (16:10 -0800)]
mm, hugetlbfs: introduce ->split() to vm_operations_struct

Patch series "device-dax: fix unaligned munmap handling"

When device-dax is operating in huge-page mode we want it to behave like
hugetlbfs and fail attempts to split vmas into unaligned ranges.  It
would be messy to teach the munmap path about device-dax alignment
constraints in the same (hstate) way that hugetlbfs communicates this
constraint.  Instead, these patches introduce a new ->split() vm

This patch (of 2):

The device-dax interface has similar constraints as hugetlbfs in that it
requires the munmap path to unmap in huge page aligned units.  Rather
than add more custom vma handling code in __split_vma() introduce a new
vm operation to perform this vma specific check.

Fixes: dee410792419 ("/dev/dax, core: file operations and dax-mmap")
Signed-off-by: Dan Williams <>
Cc: Jeff Moyer <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoscripts/faddr2line: extend usage on generic arch
Liu, Changcheng [Thu, 30 Nov 2017 00:10:25 +0000 (16:10 -0800)]
scripts/faddr2line: extend usage on generic arch

When cross-compiling, fadd2line should use the binary tool used for the
target system, rather than that of the host.

Signed-off-by: Liu Changcheng <>
Cc: Kate Stewart <>
Cc: NeilBrown <>
Cc: Thomas Gleixner <>
Cc: Greg Kroah-Hartman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: replace pte_write with pte_access_permitted in fault + gup paths
Dan Williams [Thu, 30 Nov 2017 00:10:21 +0000 (16:10 -0800)]
mm: replace pte_write with pte_access_permitted in fault + gup paths

The 'access_permitted' helper is used in the gup-fast path and goes
beyond the simple _PAGE_RW check to also:

 - validate that the mapping is writable from a protection keys

 - validate that the pte has _PAGE_USER set since all fault paths where
   pte_write is must be referencing user-memory.

Signed-off-by: Dan Williams <>
Cc: Dave Hansen <>
Cc: Kirill A. Shutemov <>
Cc: "Jérôme Glisse" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: replace pmd_write with pmd_access_permitted in fault + gup paths
Dan Williams [Thu, 30 Nov 2017 00:10:18 +0000 (16:10 -0800)]
mm: replace pmd_write with pmd_access_permitted in fault + gup paths

The 'access_permitted' helper is used in the gup-fast path and goes
beyond the simple _PAGE_RW check to also:

 - validate that the mapping is writable from a protection keys

 - validate that the pte has _PAGE_USER set since all fault paths where
   pmd_write is must be referencing user-memory.

Signed-off-by: Dan Williams <>
Cc: Dave Hansen <>
Cc: Kirill A. Shutemov <>
Cc: "Jérôme Glisse" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: replace pud_write with pud_access_permitted in fault + gup paths
Dan Williams [Thu, 30 Nov 2017 00:10:14 +0000 (16:10 -0800)]
mm: replace pud_write with pud_access_permitted in fault + gup paths

The 'access_permitted' helper is used in the gup-fast path and goes
beyond the simple _PAGE_RW check to also:

 - validate that the mapping is writable from a protection keys

 - validate that the pte has _PAGE_USER set since all fault paths where
   pud_write is must be referencing user-memory.

[ fix powerpc compile error]
Signed-off-by: Dan Williams <>
Cc: Dave Hansen <>
Cc: "David S. Miller" <>
Cc: Kirill A. Shutemov <>
Cc: Martin Schwidefsky <>
Cc: Heiko Carstens <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: switch to 'define pmd_write' instead of __HAVE_ARCH_PMD_WRITE
Dan Williams [Thu, 30 Nov 2017 00:10:10 +0000 (16:10 -0800)]
mm: switch to 'define pmd_write' instead of __HAVE_ARCH_PMD_WRITE

In response to compile breakage introduced by a series that added the
pud_write helper to x86, Stephen notes:

    did you consider using the other paradigm:

    In arch include files:
    #define pud_write       pud_write
    static inline int pud_write(pud_t pud)

    Then in include/asm-generic/pgtable.h:

    #ifndef pud_write
    tatic inline int pud_write(pud_t pud)

    If you had, then the powerpc code would have worked ... ;-) and many
    of the other interfaces in include/asm-generic/pgtable.h are
    protected that way ...

Given that some architecture already define pmd_write() as a macro, it's
a net reduction to drop the definition of __HAVE_ARCH_PMD_WRITE.

Signed-off-by: Dan Williams <>
Suggested-by: Stephen Rothwell <>
Cc: Benjamin Herrenschmidt <>
Cc: "Aneesh Kumar K.V" <>
Cc: Oliver OHalloran <>
Cc: Chris Metcalf <>
Cc: Russell King <>
Cc: Ralf Baechle <>
Cc: "H. Peter Anvin" <>
Cc: Arnd Bergmann <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm: fix device-dax pud write-faults triggered by get_user_pages()
Dan Williams [Thu, 30 Nov 2017 00:10:06 +0000 (16:10 -0800)]
mm: fix device-dax pud write-faults triggered by get_user_pages()

Currently only get_user_pages_fast() can safely handle the writable gup
case due to its use of pud_access_permitted() to check whether the pud
entry is writable.  In the gup slow path pud_write() is used instead of
pud_access_permitted() and to date it has been unimplemented, just calls

    kernel BUG at ./include/linux/hugetlb.h:244!
    RIP: 0010:follow_devmap_pud+0x482/0x490
    Call Trace:
     ? nfs_start_io_direct+0x63/0x70

For now this just implements a simple check for the _PAGE_RW bit similar
to pmd_write.  However, this implies that the gup-slow-path check is
missing the extra checks that the gup-fast-path performs with
pud_access_permitted.  Later patches will align all checks to use the
'access_permitted' helper if the architecture provides it.

Note that the generic 'access_permitted' helper fallback is the simple
_PAGE_RW check on architectures that do not define the
'access_permitted' helper(s).

[ fix powerpc compile error]
Fixes: a00cc7d9dd93 ("mm, x86: add support for PUD-sized transparent hugepages")
Signed-off-by: Dan Williams <>
Reported-by: Stephen Rothwell <>
Acked-by: Thomas Gleixner <> [x86]
Cc: Kirill A. Shutemov <>
Cc: Catalin Marinas <>
Cc: "David S. Miller" <>
Cc: Dave Hansen <>
Cc: Will Deacon <>
Cc: "H. Peter Anvin" <>
Cc: Ingo Molnar <>
Cc: Arnd Bergmann <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm/cma: fix alloc_contig_range ret code/potential leak
Mike Kravetz [Thu, 30 Nov 2017 00:10:01 +0000 (16:10 -0800)]
mm/cma: fix alloc_contig_range ret code/potential leak

If the call __alloc_contig_migrate_range() in alloc_contig_range returns
-EBUSY, processing continues so that test_pages_isolated() is called
where there is a tracepoint to identify the busy pages.  However, it is
possible for busy pages to become available between the calls to these
two routines.  In this case, the range of pages may be allocated.
Unfortunately, the original return code (ret == -EBUSY) is still set and
returned to the caller.  Therefore, the caller believes the pages were
not allocated and they are leaked.

Update the comment to indicate that allocation is still possible even if
__alloc_contig_migrate_range returns -EBUSY.  Also, clear return code in
this case so that it is not accidentally used or returned to caller.

Fixes: 8ef5849fa8a2 ("mm/cma: always check which page caused allocation failure")
Signed-off-by: Mike Kravetz <>
Acked-by: Vlastimil Babka <>
Acked-by: Michal Hocko <>
Acked-by: Johannes Weiner <>
Acked-by: Joonsoo Kim <>
Cc: Michal Nazarewicz <>
Cc: Laura Abbott <>
Cc: Michal Hocko <>
Cc: Mel Gorman <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm, oom_reaper: gather each vma to prevent leaking TLB entry
Wang Nan [Thu, 30 Nov 2017 00:09:58 +0000 (16:09 -0800)]
mm, oom_reaper: gather each vma to prevent leaking TLB entry

tlb_gather_mmu(&tlb, mm, 0, -1) means gathering the whole virtual memory
space.  In this case, tlb->fullmm is true.  Some archs like arm64
doesn't flush TLB when tlb->fullmm is true:

  commit 5a7862e83000 ("arm64: tlbflush: avoid flushing when fullmm == 1").

Which causes leaking of tlb entries.

Will clarifies his patch:
 "Basically, we tag each address space with an ASID (PCID on x86) which
  is resident in the TLB. This means we can elide TLB invalidation when
  pulling down a full mm because we won't ever assign that ASID to
  another mm without doing TLB invalidation elsewhere (which actually
  just nukes the whole TLB).

  I think that means that we could potentially not fault on a kernel
  uaccess, because we could hit in the TLB"

There could be a window between complete_signal() sending IPI to other
cores and all threads sharing this mm are really kicked off from cores.
In this window, the oom reaper may calls tlb_flush_mmu_tlbonly() to
flush TLB then frees pages.  However, due to the above problem, the TLB
entries are not really flushed on arm64.  Other threads are possible to
access these pages through TLB entries.  Moreover, a copy_to_user() can
also write to these pages without generating page fault, causes
use-after-free bugs.

This patch gathers each vma instead of gathering full vm space.  In this
case tlb->fullmm is not true.  The behavior of oom reaper become similar
to munmapping before do_exit, which should be safe for all archs.

Fixes: aac453635549 ("mm, oom: introduce oom reaper")
Signed-off-by: Wang Nan <>
Acked-by: Michal Hocko <>
Acked-by: David Rientjes <>
Cc: Minchan Kim <>
Cc: Will Deacon <>
Cc: Bob Liu <>
Cc: Ingo Molnar <>
Cc: Roman Gushchin <>
Cc: Konstantin Khlebnikov <>
Cc: Andrea Arcangeli <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agomm, memory_hotplug: do not back off draining pcp free pages from kworker context
Michal Hocko [Thu, 30 Nov 2017 00:09:54 +0000 (16:09 -0800)]
mm, memory_hotplug: do not back off draining pcp free pages from kworker context

drain_all_pages backs off when called from a kworker context since
commit 0ccce3b92421 ("mm, page_alloc: drain per-cpu pages from workqueue
context") because the original IPI based pcp draining has been replaced
by a WQ based one and the check wanted to prevent from recursion and
inter workers dependencies.  This has made some sense at the time
because the system WQ has been used and one worker holding the lock
could be blocked while waiting for new workers to emerge which can be a
problem under OOM conditions.

Since then commit ce612879ddc7 ("mm: move pcp and lru-pcp draining into
single wq") has moved draining to a dedicated (mm_percpu_wq) WQ with a
rescuer so we shouldn't depend on any other WQ activity to make a
forward progress so calling drain_all_pages from a worker context is
safe as long as this doesn't happen from mm_percpu_wq itself which is
not the case because all workers are required to _not_ depend on any MM

Why is this a problem in the first place? ACPI driven memory hot-remove
(acpi_device_hotplug) is executed from the worker context.  We end up
calling __offline_pages to free all the pages and that requires both
lru_add_drain_all_cpuslocked and drain_all_pages to do their job
otherwise we can have dangling pages on pcp lists and fail the offline
operation (__test_page_isolated_in_pageblock would see a page with 0 ref
count but without PageBuddy set).

Fix the issue by removing the worker check in drain_all_pages.
lru_add_drain_all_cpuslocked doesn't have this restriction so it works
as expected.

Fixes: 0ccce3b924212 ("mm, page_alloc: drain per-cpu pages from workqueue context")
Signed-off-by: Michal Hocko <>
Cc: Mel Gorman <>
Cc: Tejun Heo <>
Cc: <> [4.11+]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
5 years agoMerge tag 'nfsd-4.15-1' of git://
Linus Torvalds [Wed, 29 Nov 2017 22:49:26 +0000 (14:49 -0800)]
Merge tag 'nfsd-4.15-1' of git://

Pull nfsd fixes from Bruce Fields:
 "I screwed up my merge window pull request; I only sent half of what I
  meant to.

  There were no new features, just bugfixes of various importance and
  some very minor cleanup, so I think it's all still appropriate for


   - Fixes from Trond for some races in the NFSv4 state code.

   - Fix from Naofumi Honda for a typo in the blocked lock notificiation

   - Fixes from Vasily Averin for some problems starting and stopping
     lockd especially in network namespaces"

* tag 'nfsd-4.15-1' of git:// (23 commits)
  lockd: fix "list_add double add" caused by legacy signal interface
  nlm_shutdown_hosts_net() cleanup
  race of nfsd inetaddr notifiers vs nn->nfsd_serv change
  race of lockd inetaddr notifiers vs nlmsvc_rqst change
  SUNRPC: make cache_detail structures const
  NFSD: make cache_detail structures const
  sunrpc: make the function arg as const
  nfsd: check for use of the closed special stateid
  nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat
  lockd: lost rollback of set_grace_period() in lockd_down_net()
  lockd: added cleanup checks in exit_net hook
  grace: replace BUG_ON by WARN_ONCE in exit_net hook
  nfsd: fix locking validator warning on nfs4_ol_stateid->st_mutex class
  lockd: remove net pointer from messages
  nfsd: remove net pointer from debug messages
  nfsd: Fix races with check_stateid_generation()
  nfsd: Ensure we check stateid validity in the seqid operation checks
  nfsd: Fix race in lock stateid creation
  nfsd4: move find_lock_stateid
  nfsd: Ensure we don't recognise lock stateids after freeing them

5 years agoMerge tag 'for-4.15-rc2-tag' of git://
Linus Torvalds [Wed, 29 Nov 2017 22:26:50 +0000 (14:26 -0800)]
Merge tag 'for-4.15-rc2-tag' of git://git./linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "We've collected some fixes in since the pre-merge window freeze.

  There's technically only one regression fix for 4.15, but the rest
  seems important and candidates for stable.

   - fix missing flush bio puts in error cases (is serious, but rarely

   - fix reporting stat::st_blocks for buffered append writes

   - fix space cache invalidation

   - fix out of bound memory access when setting zlib level

   - fix potential memory corruption when fsync fails in the middle

   - fix crash in integrity checker

   - incremetnal send fix, path mixup for certain unlink/rename

   - pass flags to writeback so compressed writes can be throttled

   - error handling fixes"

* tag 'for-4.15-rc2-tag' of git://
  Btrfs: incremental send, fix wrong unlink path after renaming file
  btrfs: tree-checker: Fix false panic for sanity test
  Btrfs: fix list_add corruption and soft lockups in fsync
  btrfs: Fix wild memory access in compression level parser
  btrfs: fix deadlock when writing out space cache
  btrfs: clear space cache inode generation always
  Btrfs: fix reported number of inode blocks after buffered append writes
  Btrfs: move definition of the function btrfs_find_new_delalloc_bytes
  Btrfs: bail out gracefully rather than BUG_ON
  btrfs: dev_alloc_list is not protected by RCU, use normal list_del
  btrfs: add missing device::flush_bio puts
  btrfs: Fix transaction abort during failure in btrfs_rm_dev_item
  Btrfs: add write_flags for compression bio

5 years agoMerge tag 'microblaze-4.15-rc2' of git://
Linus Torvalds [Wed, 29 Nov 2017 22:19:22 +0000 (14:19 -0800)]
Merge tag 'microblaze-4.15-rc2' of git://

Pull Microblaze fix from Michal Simek:
 "Add missing header to mmu_context_mm.h"

* tag 'microblaze-4.15-rc2' of git://
  microblaze: add missing include to mmu_context_mm.h

5 years agoMerge git://
Linus Torvalds [Wed, 29 Nov 2017 22:17:30 +0000 (14:17 -0800)]
Merge git://git./linux/kernel/git/davem/sparc

Pull sparc fix from David Miller:
 "Sparc T4 and later cpu bootup regression fix"

* git://
  sparc64: Fix boot on T4 and later.

5 years agoMerge git://
Linus Torvalds [Wed, 29 Nov 2017 21:10:25 +0000 (13:10 -0800)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) The forcedeth conversion from pci_*() DMA interfaces to dma_*() ones
    missed one spot. From Zhu Yanjun.

 2) Missing CRYPTO_SHA256 Kconfig dep in cfg80211, from Johannes Berg.

 3) Fix checksum offloading in thunderx driver, from Sunil Goutham.

 4) Add SPDX to vm_sockets_diag.h, from Stephen Hemminger.

 5) Fix use after free of packet headers in TIPC, from Jon Maloy.

 6) "sizeof(ptr)" vs "sizeof(*ptr)" bug in i40e, from Gustavo A R Silva.

 7) Tunneling fixes in mlxsw driver, from Petr Machata.

 8) Fix crash in fanout_demux_rollover() of AF_PACKET, from Mike

 9) Fix race in AF_PACKET bind() vs. NETDEV_UP notifier, from Eric

10) Fix regression in sch_sfq.c due to one of the timer_setup()
    conversions. From Paolo Abeni.

11) SCTP does list_for_each_entry() using wrong struct member, fix from
    Xin Long.

12) Don't use big endian netlink attribute read for
    IFLA_BOND_AD_ACTOR_SYSTEM, it is in cpu endianness. Also from Xin

13) Fix mis-initialization of q->link.clock in CBQ scheduler, preventing
    adding filters there. From Jiri Pirko.

* git:// (67 commits)
  ethernet: dwmac-stm32: Fix copyright
  net: via: via-rhine: use %p to format void * address instead of %x
  net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
  myri10ge: Update MAINTAINERS
  net: sched: cbq: create block for q->link.block
  atm: suni: remove extraneous space to fix indentation
  atm: lanai: use %p to format kernel addresses instead of %x
  VSOCK: Don't set sk_state to TCP_CLOSE before testing it
  atm: fore200e: use %pK to format kernel addresses instead of %x
  ambassador: fix incorrect indentation of assignment statement
  vxlan: use __be32 type for the param vni in __vxlan_fdb_delete
  bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM
  sctp: use right member as the param of list_for_each_entry
  sch_sfq: fix null pointer dereference at timer expiration
  cls_bpf: don't decrement net's refcount when offload fails
  net/packet: fix a race in packet_bind() and packet_notifier()
  packet: fix crash in fanout_demux_rollover()
  sctp: remove extern from stream sched
  sctp: force the params with right types for sctp csum apis
  sctp: force SCTP_ERROR_INV_STRM with __u32 when calling sctp_chunk_fail

5 years agosparc64: Fix boot on T4 and later.
David S. Miller [Wed, 29 Nov 2017 20:09:29 +0000 (15:09 -0500)]
sparc64: Fix boot on T4 and later.

If we don't put the NG4fls.o object into the same part of
the link as the generic sparc64 objects for fls() and __fls()
then the relocation in the branch we use for patching will
not fit.

Move NG4fls.o into lib-y to fix this problem.

Fixes: 46ad8d2d22c1 ("sparc64: Use sparc optimized fls and __fls for T4 and above")
Signed-off-by: David S. Miller <>
Reported-by: Anatoly Pugachev <>
Tested-by: Anatoly Pugachev <>
5 years agovsprintf: don't use 'restricted_pointer()' when not restricting
Linus Torvalds [Wed, 29 Nov 2017 19:28:09 +0000 (11:28 -0800)]
vsprintf: don't use 'restricted_pointer()' when not restricting

Instead, just fall back on the new '%p' behavior which hashes the

Otherwise, '%pK' - that was intended to mark a pointer as restricted -
just ends up leaking pointers that a normal '%p' wouldn't leak.  Which
just make the whole thing pointless.

I suspect we should actually get rid of '%pK' entirely, and make it just
work as '%p' regardless, but this is the minimal obvious fix.  People
who actually use 'kptr_restrict' should weigh in on which behavior they

Cc: Tobin Harding <>
Cc: Kees Cook <>
Signed-off-by: Linus Torvalds <>
5 years agokallsyms: take advantage of the new '%px' format
Linus Torvalds [Wed, 29 Nov 2017 18:30:13 +0000 (10:30 -0800)]
kallsyms: take advantage of the new '%px' format

The conditional kallsym hex printing used a special fixed-width '%lx'
output (KALLSYM_FMT) in preparation for the hashing of %p, but that
series ended up adding a %px specifier to help with the conversions.

Use it, and avoid the "print pointer as an unsigned long" code.

Signed-off-by: Linus Torvalds <>
5 years agoMerge tag 'printk-hash-pointer-4.15-rc2' of git://
Linus Torvalds [Wed, 29 Nov 2017 18:19:29 +0000 (10:19 -0800)]
Merge tag 'printk-hash-pointer-4.15-rc2' of git://

Pull printk pointer hashing update from Tobin Harding:
 "Here is the patch set that implements hashing of printk specifier %p.

  First we have two clean up patches then we do the hashing. Hashing is
  done via the SipHash algorithm. The next patch adds printk specifier
  %px for printing pointers when we _really_ want to see the address i.e
  %px is functionally equivalent to %lx. Final patch in the set fixes
  KASAN since we break it by hashing %p.

  For the record here is the justification for the series:

    Currently there exist approximately 14 000 places in the Kernel
    where addresses are being printed using an unadorned %p. This
    potentially leaks sensitive information about the Kernel layout in
    memory. Many of these calls are stale, instead of fixing every call
    we hash the address by default before printing. We then add %px to
    provide a way to print the actual address. Although this is
    achievable using %lx, using %px will assist us if we ever want to
    change pointer printing behaviour. %px is more uniquely grep'able
    (there are already >50 000 uses of %lx).

    The added advantage of hashing %p is that security is now opt-out,
    if you _really_ want the address you have to work a little harder
    and use %px.

  This will of course break some users, forcing code printing needed
  addresses to be updated"

[ I do expect this to be an annoyance, and a number of %px users to be
  added for debuggability. But nobody is willing to audit existing %p
  users for information leaks, and a number of places really only use
  the pointer as an object identifier rather than really 'I need the

  IOW - sorry for the inconvenience, but it's the least inconvenient of
  the options.    - Linus ]

* tag 'printk-hash-pointer-4.15-rc2' of git://
  kasan: use %px to print addresses instead of %p
  vsprintf: add printk specifier %px
  printk: hash addresses printed with %p
  vsprintf: refactor %pK code out of pointer()
  docs: correct documentation for %pK

5 years agoRevert "mm, thp: Do not make pmd/pud dirty without a reason"
Linus Torvalds [Wed, 29 Nov 2017 17:01:01 +0000 (09:01 -0800)]
Revert "mm, thp: Do not make pmd/pud dirty without a reason"

This reverts commit 152e93af3cfe2d29d8136cc0a02a8612507136ee.

It was a nice cleanup in theory, but as Nicolai Stange points out, we do
need to make the page dirty for the copy-on-write case even when we
didn't end up making it writable, since the dirty bit is what we use to
check that we've gone through a COW cycle.

Reported-by: Michal Hocko <>
Acked-by: Kirill A. Shutemov <>
Signed-off-by: Linus Torvalds <>
5 years agoquota: Check for register_shrinker() failure.
Tetsuo Handa [Wed, 29 Nov 2017 13:34:50 +0000 (22:34 +0900)]
quota: Check for register_shrinker() failure.

register_shrinker() might return -ENOMEM error since Linux 3.12.
Call panic() as with other failure checks in this function if
register_shrinker() failed.

Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
Signed-off-by: Tetsuo Handa <>
Cc: Jan Kara <>
Cc: Michal Hocko <>
Reviewed-by: Michal Hocko <>
Signed-off-by: Jan Kara <>
5 years agoethernet: dwmac-stm32: Fix copyright
Benjamin Gaignard [Wed, 29 Nov 2017 14:20:00 +0000 (15:20 +0100)]
ethernet: dwmac-stm32: Fix copyright

Uniformize STMicroelectronics copyrights header

Signed-off-by: Benjamin Gaignard <>
CC: Alexandre Torgue <>
Acked-by: Alexandre TORGUE <>
Signed-off-by: David S. Miller <>
5 years agonet: via: via-rhine: use %p to format void * address instead of %x
Colin Ian King [Wed, 29 Nov 2017 14:11:49 +0000 (14:11 +0000)]
net: via: via-rhine: use %p to format void * address instead of %x

Don't use %x and casting to print out an address, instead use %p
and remove the casting.  Cleans up smatch warnings:

drivers/net/ethernet/via/via-rhine.c:998 rhine_init_one_common()
warn: argument 4 to %lx specifier is cast from pointer

Signed-off-by: Colin Ian King <>
Signed-off-by: David S. Miller <>
5 years agonet: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
Geert Uytterhoeven [Wed, 29 Nov 2017 10:01:09 +0000 (11:01 +0100)]
net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit

On 64-bit (e.g. powerpc64/allmodconfig):

    drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done':
    drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
dev_kfree_skb_irq((struct sk_buff *)cur_p->app4);

cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer.

Note that several other fields in struct cdmac_bd are also too small to
hold physical addresses on 64-bit platforms.

Signed-off-by: Geert Uytterhoeven <>
Signed-off-by: David S. Miller <>
5 years agomyri10ge: Update MAINTAINERS
Hyong-Youb Kim [Wed, 29 Nov 2017 05:03:50 +0000 (00:03 -0500)]
myri10ge: Update MAINTAINERS

Change the maintainer to Chris Lee who has access to Myricom hardware
and can test/review. Update the website URL.

Signed-off-by: Hyong-Youb Kim <>
Signed-off-by: David S. Miller <>
5 years agokasan: use %px to print addresses instead of %p
Tobin C. Harding [Wed, 1 Nov 2017 04:32:22 +0000 (15:32 +1100)]
kasan: use %px to print addresses instead of %p

Pointers printed with %p are now hashed by default. Kasan needs the
actual address. We can use the new printk specifier %px for this

Use %px instead of %p to print addresses.

Signed-off-by: Tobin C. Harding <>
5 years agovsprintf: add printk specifier %px
Tobin C. Harding [Wed, 22 Nov 2017 23:59:45 +0000 (10:59 +1100)]
vsprintf: add printk specifier %px

printk specifier %p now hashes all addresses before printing. Sometimes
we need to see the actual unmodified address. This can be achieved using
%lx but then we face the risk that if in future we want to change the
way the Kernel handles printing of pointers we will have to grep through
the already existent 50 000 %lx call sites. Let's add specifier %px as a
clear, opt-in, way to print a pointer and maintain some level of
isolation from all the other hex integer output within the Kernel.

Add printk specifier %px to print the actual unmodified address.

Signed-off-by: Tobin C. Harding <>
5 years agoprintk: hash addresses printed with %p
Tobin C. Harding [Wed, 1 Nov 2017 04:32:23 +0000 (15:32 +1100)]
printk: hash addresses printed with %p

Currently there exist approximately 14 000 places in the kernel where
addresses are being printed using an unadorned %p. This potentially
leaks sensitive information regarding the Kernel layout in memory. Many
of these calls are stale, instead of fixing every call lets hash the
address by default before printing. This will of course break some
users, forcing code printing needed addresses to be updated.

Code that _really_ needs the address will soon be able to use the new
printk specifier %px to print the address.

For what it's worth, usage of unadorned %p can be broken down as
follows (thanks to Joe Perches).

$ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c
   1084 arch
     20 block
     10 crypto
     32 Documentation
   8121 drivers
   1221 fs
    143 include
    101 kernel
     69 lib
    100 mm
   1510 net
     40 samples
      7 scripts
     11 security
    166 sound
    152 tools
      2 virt

Add function ptr_to_id() to map an address to a 32 bit unique
identifier. Hash any unadorned usage of specifier %p and any malformed

Signed-off-by: Tobin C. Harding <>
5 years agovsprintf: refactor %pK code out of pointer()
Tobin C. Harding [Wed, 22 Nov 2017 23:56:39 +0000 (10:56 +1100)]
vsprintf: refactor %pK code out of pointer()

Currently code to handle %pK is all within the switch statement in
pointer(). This is the wrong level of abstraction. Each of the other switch
clauses call a helper function, pK should do the same.

Refactor code out of pointer() to new function restricted_pointer().

Signed-off-by: Tobin C. Harding <>
5 years agodocs: correct documentation for %pK
Tobin C. Harding [Wed, 22 Nov 2017 23:55:24 +0000 (10:55 +1100)]
docs: correct documentation for %pK

Current documentation indicates that %pK prints a leading '0x'. This is
not the case.

Correct documentation for printk specifier %pK.

Signed-off-by: Tobin C. Harding <>
5 years agoMerge branch 'linus' of git://
Linus Torvalds [Wed, 29 Nov 2017 00:22:10 +0000 (16:22 -0800)]
Merge branch 'linus' of git://git./linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:

 - avoid potential bogus alignment for some AEAD operations

 - fix crash in algif_aead

 - avoid sleeping in softirq context with async af_alg

* 'linus' of git://
  crypto: skcipher - Fix skcipher_walk_aead_common
  crypto: af_alg - remove locking in async callback
  crypto: algif_aead - skip SGL entries with NULL page

5 years agonet: sched: cbq: create block for q->link.block
Jiri Pirko [Mon, 27 Nov 2017 17:37:21 +0000 (18:37 +0100)]
net: sched: cbq: create block for q->link.block

q->link.block is not initialized, that leads to EINVAL when one tries to
add filter there. So initialize it properly.

This can be reproduced by:
$ tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 rate 1000Mbit bandwidth 1000Mbit
$ tc filter add dev eth0 parent 1: protocol ip prio 100 u32 match ip protocol 0 0x00 flowid 1:1

Reported-by: Jaroslav Aster <>
Reported-by: Ivan Vecera <>
Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
Signed-off-by: Jiri Pirko <>
Acked-by: Eelco Chaudron <>
Reviewed-by: Ivan Vecera <>
Signed-off-by: David S. Miller <>
5 years agoatm: suni: remove extraneous space to fix indentation
Colin Ian King [Mon, 27 Nov 2017 13:47:22 +0000 (13:47 +0000)]
atm: suni: remove extraneous space to fix indentation

Remove a leading space, fixes indentation

Signed-off-by: Colin Ian King <>
Signed-off-by: David S. Miller <>
5 years agoatm: lanai: use %p to format kernel addresses instead of %x
Colin Ian King [Mon, 27 Nov 2017 13:39:32 +0000 (13:39 +0000)]
atm: lanai: use %p to format kernel addresses instead of %x

Don't use %x and casting to print out a kernel address, instead use %p
and remove the casting.  Cleans up smatch warnings:

drivers/atm/lanai.c:1589 service_buffer_allocate() warn: argument 2 to
%08lX specifier is cast from pointer
drivers/atm/lanai.c:2221 lanai_dev_open() warn: argument 4 to %lx
specifier is cast from pointer

Signed-off-by: Colin Ian King <>
Signed-off-by: David S. Miller <>
5 years agoVSOCK: Don't set sk_state to TCP_CLOSE before testing it
Jorgen Hansen [Mon, 27 Nov 2017 13:29:32 +0000 (05:29 -0800)]
VSOCK: Don't set sk_state to TCP_CLOSE before testing it

A recent commit (3b4477d2dcf2) converted the sk_state to use
TCP constants. In that change, vmci_transport_handle_detach
was changed such that sk->sk_state was set to TCP_CLOSE before
we test whether it is TCP_SYN_SENT. This change moves the
sk_state change back to the original locations in that function.

Signed-off-by: Jorgen Hansen <>
Reviewed-by: Stefan Hajnoczi <>
Signed-off-by: David S. Miller <>
5 years agoatm: fore200e: use %pK to format kernel addresses instead of %x
Colin Ian King [Mon, 27 Nov 2017 13:24:15 +0000 (13:24 +0000)]
atm: fore200e: use %pK to format kernel addresses instead of %x

Don't use %x and casting to print out a kernel address, instead use the
%pK and remove the casting.  Cleans up smatch warning:

drivers/atm/fore200e.c:3093 fore200e_proc_read() warn: argument 3 to %08x
specifier is cast from pointer

Signed-off-by: Colin Ian King <>
Signed-off-by: David S. Miller <>
5 years agoambassador: fix incorrect indentation of assignment statement
Colin Ian King [Mon, 27 Nov 2017 13:06:10 +0000 (13:06 +0000)]
ambassador: fix incorrect indentation of assignment statement

Remove one extraneous level of indentation on assignment statement.

Signed-off-by: Colin Ian King <>
Signed-off-by: David S. Miller <>
5 years agovxlan: use __be32 type for the param vni in __vxlan_fdb_delete
Xin Long [Sun, 26 Nov 2017 13:19:05 +0000 (21:19 +0800)]
vxlan: use __be32 type for the param vni in __vxlan_fdb_delete

All callers of __vxlan_fdb_delete pass vni with __be32 type, and
this param should be declared as __be32 type.

Fixes: 3ad7a4b141eb ("vxlan: support fdb and learning in COLLECT_METADATA mode")
Signed-off-by: Xin Long <>
Signed-off-by: David S. Miller <>
5 years agobonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM
Xin Long [Sun, 26 Nov 2017 13:12:09 +0000 (21:12 +0800)]
bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM

bond_opt_initval expects a u64 type param, it's better to use
nla_get_u64 to extract the value here, to eliminate a sparse
endianness mismatch warning.

Fixes: 171a42c38c6e ("bonding: add netlink support for sys prio, actor sys mac, and port key")
Signed-off-by: Xin Long <>
Signed-off-by: David S. Miller <>
5 years agosctp: use right member as the param of list_for_each_entry
Xin Long [Sun, 26 Nov 2017 12:56:07 +0000 (20:56 +0800)]
sctp: use right member as the param of list_for_each_entry

Commit d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues
when migrating a sock") made a mistake that using 'list' as the param of
list_for_each_entry to traverse the retransmit, sacked and abandoned
queues, while chunks are using 'transmitted_list' to link into these

It could cause NULL dereference panic if there are chunks in any of these
queues when peeling off one asoc.

So use the chunk member 'transmitted_list' instead in this patch.

Fixes: d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues when migrating a sock")
Signed-off-by: Xin Long <>
Acked-by: Marcelo Ricardo Leitner <>
Acked-by: Neil Horman <>
Signed-off-by: David S. Miller <>
5 years agosch_sfq: fix null pointer dereference at timer expiration
Paolo Abeni [Tue, 28 Nov 2017 13:28:39 +0000 (14:28 +0100)]
sch_sfq: fix null pointer dereference at timer expiration

While converting sch_sfq to use timer_setup(), the commit cdeabbb88134
("net: sched: Convert timers to use timer_setup()") forgot to
initialize the 'sch' field. As a result, the timer callback tries to
dereference a NULL pointer, and the kernel does oops.

Fix it initializing such field at qdisc creation time.

Fixes: cdeabbb88134 ("net: sched: Convert timers to use timer_setup()")
Signed-off-by: Paolo Abeni <>
Acked-by: Cong Wang <>
Acked-by: Kees Cook <>
Signed-off-by: David S. Miller <>
5 years agocls_bpf: don't decrement net's refcount when offload fails
Jakub Kicinski [Mon, 27 Nov 2017 19:11:41 +0000 (11:11 -0800)]
cls_bpf: don't decrement net's refcount when offload fails

When cls_bpf offload was added it seemed like a good idea to
call cls_bpf_delete_prog() instead of extending the error
handling path, since the software state is fully initialized
at that point.  This handling of errors without jumping to
the end of the function is error prone, as proven by later
commit missing that extra call to __cls_bpf_delete_prog().

__cls_bpf_delete_prog() is now expected to be invoked with
a reference on exts->net or the field zeroed out.  The call
on the offload's error patch does not fullfil this requirement,
leading to each error stealing a reference on net namespace.

Create a function undoing what cls_bpf_set_parms() did and
use it from __cls_bpf_delete_prog() and the error path.

Fixes: aae2c35ec892 ("cls_bpf: use tcf_exts_get_net() before call_rcu()")
Signed-off-by: Jakub Kicinski <>
Reviewed-by: Simon Horman <>
Acked-by: Daniel Borkmann <>
Acked-by: Cong Wang <>
Signed-off-by: David S. Miller <>
5 years agoMerge tag 'drm-for-v4.15-part2-fixes' of git://
Linus Torvalds [Tue, 28 Nov 2017 18:01:15 +0000 (10:01 -0800)]
Merge tag 'drm-for-v4.15-part2-fixes' of git://

Pull drm fixes from Dave Airlie:

 - TTM regression fix for some virt gpus (bochs vga)

 - a few i915 stable fixes

 - one vc4 fix

 - one uapi fix

* tag 'drm-for-v4.15-part2-fixes' of git://
  drm/ttm: don't attempt to use hugepages if dma32 requested (v2)
  drm/vblank: Pass crtc_id to page_flip_ioctl.
  drm/i915: Fix init_clock_gating for resume
  drm/i915: Mark the userptr invalidate workqueue as WQ_MEM_RECLAIM
  drm/i915: Clear breadcrumb node when cancelling signaling
  drm/i915/gvt: ensure -ve return value is handled correctly
  drm/i915: Re-register PMIC bus access notifier on runtime resume
  drm/i915: Fix false-positive assert_rpm_wakelock_held in i915_pmic_bus_access_notifier v2
  drm/edid: Don't send non-zero YQ in AVI infoframe for HDMI 1.x sinks
  drm/vc4: Account for interrupts in flight

5 years agoRevert "ALSA: usb-audio: Fix potential zero-division at parsing FU"
Takashi Iwai [Mon, 27 Nov 2017 09:59:40 +0000 (10:59 +0100)]
Revert "ALSA: usb-audio: Fix potential zero-division at parsing FU"

The commit 8428a8ebde2d ("ALSA: usb-audio: Fix potential zero-division
at parsing FU") is utterly bogus and breaks the case with csize=1
instead of fixing anything.  Just take it back again.

Reported-by: Jörg Otte <>
Fixes: 8428a8ebde2d ("ALSA: usb-audio: Fix potential zero-division at parsing FU"
Signed-off-by: Takashi Iwai <>
Signed-off-by: Linus Torvalds <>
5 years agos390/gs: add compat regset for the guarded storage broadcast control block
Martin Schwidefsky [Tue, 28 Nov 2017 16:20:53 +0000 (17:20 +0100)]
s390/gs: add compat regset for the guarded storage broadcast control block

git commit e525f8a6e696210d15f8b8277d4da12fc4add299
"s390/gs: add regset for the guarded storage broadcast control block"
added the missing regset to the s390_regsets array but failed to add it
to the s390_compat_regsets array.

Fixes: e525f8a6e696 ("add compat regset for the guarded storage broadcast control block")
Signed-off-by: Martin Schwidefsky <>
5 years agoBtrfs: incremental send, fix wrong unlink path after renaming file
Filipe Manana [Fri, 17 Nov 2017 01:54:00 +0000 (01:54 +0000)]
Btrfs: incremental send, fix wrong unlink path after renaming file

Under some circumstances, an incremental send operation can issue wrong
paths for unlink commands related to files that have multiple hard links
and some (or all) of those links were renamed between the parent and send
snapshots. Consider the following example:

Parent snapshot

 .                                                      (ino 256)
 |---- a/                                               (ino 257)
 |     |---- b/                                         (ino 259)
 |     |     |---- c/                                   (ino 260)
 |     |     |---- f2                                   (ino 261)
 |     |
 |     |---- f2l1                                       (ino 261)
 |---- d/                                               (ino 262)
       |---- f1l1_2                                     (ino 258)
       |---- f2l2                                       (ino 261)
       |---- f1_2                                       (ino 258)

Send snapshot

 .                                                      (ino 256)
 |---- a/                                               (ino 257)
 |     |---- f2l1/                                      (ino 263)
 |             |---- b2/                                (ino 259)
 |                   |---- c/                           (ino 260)
 |                   |     |---- d3                     (ino 262)
 |                   |           |---- f1l1_2           (ino 258)
 |                   |           |---- f2l2_2           (ino 261)
 |                   |           |---- f1_2             (ino 258)
 |                   |
 |                   |---- f2                           (ino 261)
 |                   |---- f1l2                         (ino 258)
 |---- d                                                (ino 261)

When computing the incremental send stream the following steps happen:

1) When processing inode 261, a rename operation is issued that renames
   inode 262, which currently as a path of "d", to an orphan name of
   "o262-7-0". This is done because in the send snapshot, inode 261 has
   of its hard links with a path of "d" as well.

2) Two link operations are issued that create the new hard links for
   inode 261, whose names are "d" and "f2l2_2", at paths "/" and
   "o262-7-0/" respectively.

3) Still while processing inode 261, unlink operations are issued to
   remove the old hard links of inode 261, with names "f2l1" and "f2l2",
   at paths "a/" and "d/". However path "d/" does not correspond anymore
   to the directory inode 262 but corresponds instead to a hard link of
   inode 261 (link command issued in the previous step). This makes the
   receiver fail with a ENOTDIR error when attempting the unlink

The problem happens because before sending the unlink operation, we failed
to detect that inode 262 was one of ancestors for inode 261 in the parent
snapshot, and therefore we didn't recompute the path for inode 262 before
issuing the unlink operation for the link named "f2l2" of inode 262. The
detection failed because the function "is_ancestor()" only follows the
first hard link it finds for an inode instead of all of its hard links
(as it was originally created for being used with directories only, for
which only one hard link exists). So fix this by making "is_ancestor()"
follow all hard links of the input inode.

A test case for fstests follows soon.

Signed-off-by: Filipe Manana <>
Signed-off-by: David Sterba <>
5 years agonet/packet: fix a race in packet_bind() and packet_notifier()
Eric Dumazet [Tue, 28 Nov 2017 16:03:30 +0000 (08:03 -0800)]
net/packet: fix a race in packet_bind() and packet_notifier()

syzbot reported crashes [1] and provided a C repro easing bug hunting.

When/if packet_do_bind() calls __unregister_prot_hook() and releases
po->bind_lock, another thread can run packet_notifier() and process an
NETDEV_UP event.

This calls register_prot_hook() and hooks again the socket right before
first thread is able to grab again po->bind_lock.

Fixes this issue by temporarily setting po->num to 0, as suggested by
David Miller.

dev_remove_pack: ffff8801bf16fa80 not found
------------[ cut here ]------------
kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
device syz0 entered promiscuous mode
CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cc57a500 task.stack: ffff8801cc588000
RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
device syz0 entered promiscuous mode
RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
FS:  0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
 tun_detach drivers/net/tun.c:670 [inline]
 tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ae0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
RIP: 0033:0x44ad19

Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
Signed-off-by: Eric Dumazet <>
Reported-by: syzbot <>
Cc: Francesco Ruggeri <>
Signed-off-by: David S. Miller <>
5 years agopacket: fix crash in fanout_demux_rollover()
Mike Maloney [Tue, 28 Nov 2017 15:44:29 +0000 (10:44 -0500)]
packet: fix crash in fanout_demux_rollover()

syzkaller found a race condition fanout_demux_rollover() while removing
a packet socket from a fanout group.

po->rollover is read and operated on during packet_rcv_fanout(), via
fanout_demux_rollover(), but the pointer is currently cleared before the
synchronization in packet_release().   It is safer to delay the cleanup
until after synchronize_net() has been called, ensuring all calls to
packet_rcv_fanout() for this socket have finished.

To further simplify synchronization around the rollover structure, set
po->rollover in fanout_add() only if there are no errors.  This removes
the need for rcu in the struct and in the call to
packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).

Crashing stack trace:
 fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392
 packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487
 dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953
 xmit_one net/core/dev.c:2975 [inline]
 dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995
 __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3509
 neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
 dst_output include/net/dst.h:459 [inline]
 NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250
 mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660
 mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072
 mld_send_initial_cr net/ipv6/mcast.c:2056 [inline]
 ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079
 addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039
 addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971
 process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x35e/0x430 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()")
Reported-by: syzbot <>
Signed-off-by: Mike Maloney <>
Reviewed-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
5 years agoMerge branch 'sctp-fix-sparse-errors'
David S. Miller [Tue, 28 Nov 2017 16:00:14 +0000 (11:00 -0500)]
Merge branch 'sctp-fix-sparse-errors'

Xin Long says:

sctp: fix some other sparse errors

After the last fixes for sparse errors, there are still three sparse
errors in sctp codes, two of them are type cast, and the other one
is using extern.

Signed-off-by: David S. Miller <>
5 years agosctp: remove extern from stream sched
Xin Long [Sun, 26 Nov 2017 12:16:08 +0000 (20:16 +0800)]
sctp: remove extern from stream sched

Now each stream sched ops is defined in different .c file and
added into the global ops in another .c file, it uses extern
to make this work.

However extern is not good coding style to get them in and
even make C=2 reports errors for this.

This patch adds sctp_sched_ops_xxx_init for each stream sched
ops in their .c file, then get them into the global ops by
calling them when initializing sctp module.

Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
Fixes: ac1ed8b82cd6 ("sctp: introduce round robin stream scheduler")
Signed-off-by: Xin Long <>
Acked-by: Marcelo Ricardo Leitner <>
Signed-off-by: David S. Miller <>
5 years agosctp: force the params with right types for sctp csum apis
Xin Long [Sun, 26 Nov 2017 12:16:07 +0000 (20:16 +0800)]
sctp: force the params with right types for sctp csum apis

Now sctp_csum_xxx doesn't really match the param types of these common
csum apis. As sctp_csum_xxx is defined in sctp/checksum.h, many sparse
errors occur when make C=2 not only with M=net/sctp but also with other
modules that include this header file.

This patch is to force them fit in csum apis with the right types.

Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
Signed-off-by: Xin Long <>
Acked-by: Marcelo Ricardo Leitner <>
Signed-off-by: David S. Miller <>
5 years agosctp: force SCTP_ERROR_INV_STRM with __u32 when calling sctp_chunk_fail
Xin Long [Sun, 26 Nov 2017 12:16:06 +0000 (20:16 +0800)]
sctp: force SCTP_ERROR_INV_STRM with __u32 when calling sctp_chunk_fail

This patch is to force SCTP_ERROR_INV_STRM with right type to
fit in sctp_chunk_fail to avoid the sparse error.

Signed-off-by: Xin Long <>
Acked-by: Marcelo Ricardo Leitner <>
Signed-off-by: David S. Miller <>
5 years agolmc: Use memdup_user() as a cleanup
Vasyl Gomonovych [Wed, 22 Nov 2017 15:29:57 +0000 (16:29 +0100)]
lmc: Use memdup_user() as a cleanup

Fix coccicheck warning which recommends to use memdup_user():
drivers/net/wan/lmc/lmc_main.c:497:27-34: WARNING opportunity for memdup_user
Generated by: scripts/coccinelle/memdup_user/memdup_user.cocci

Signed-off-by: Vasyl Gomonovych <>
Signed-off-by: David S. Miller <>
5 years agobnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()'
Christophe JAILLET [Tue, 21 Nov 2017 19:46:49 +0000 (20:46 +0100)]
bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()'

Error code returned by 'bnxt_read_sfp_module_eeprom_info()' is handled a
few lines above when reading the A0 portion of the EEPROM.
The same should be done when reading the A2 portion of the EEPROM.

In order to correctly propagate an error, update 'rc' in this 2nd call as
well, otherwise 0 (success) is returned.

Signed-off-by: Christophe JAILLET <>
Signed-off-by: David S. Miller <>
5 years agonet: phy: marvell10g: fix the PHY id mask
Antoine Tenart [Tue, 28 Nov 2017 13:26:30 +0000 (14:26 +0100)]
net: phy: marvell10g: fix the PHY id mask

The Marvell 10G PHY driver supports different hardware revisions, which
have their bits 3..0 differing. To get the correct revision number these
bits should be ignored. This patch fixes this by using the already
defined MARVELL_PHY_ID_MASK (0xfffffff0) instead of the custom
0xffffffff mask.

Fixes: 20b2af32ff3f ("net: phy: add Marvell Alaska X 88X3310 10Gigabit PHY support")
Suggested-by: Yan Markman <>
Signed-off-by: Antoine Tenart <>
Reviewed-by: Andrew Lunn <>
Signed-off-by: David S. Miller <>
5 years agoMerge branch 'mvpp2-fixes'
David S. Miller [Tue, 28 Nov 2017 15:09:52 +0000 (10:09 -0500)]
Merge branch 'mvpp2-fixes'

Antoine Tenart says:

net: mvpp2: set of fixes

This series fixes various issues with the Marvell PPv2 driver. The
patches are sent together to avoid any possible conflict. The series is
based on today's net tree.

Signed-off-by: David S. Miller <>
5 years agonet: mvpp2: check ethtool sets the Tx ring size is to a valid min value
Antoine Tenart [Tue, 28 Nov 2017 13:19:51 +0000 (14:19 +0100)]
net: mvpp2: check ethtool sets the Tx ring size is to a valid min value

This patch fixes the Tx ring size checks when using ethtool, by adding
an extra check in the PPv2 check_ringparam_valid helper. The Tx ring
size cannot be set to a value smaller than the minimum number of
descriptors needed for TSO.

Fixes: 1d17db08c056 ("net: mvpp2: limit TSO segments and use stop/wake thresholds")
Suggested-by: Yan Markman <>
Signed-off-by: Antoine Tenart <>
Signed-off-by: David S. Miller <>
5 years agonet: mvpp2: do not disable GMAC padding
Yan Markman [Tue, 28 Nov 2017 13:19:50 +0000 (14:19 +0100)]
net: mvpp2: do not disable GMAC padding

Short fragmented packets may never be sent by the hardware when padding
is disabled. This patch stop modifying the GMAC padding bits, to leave
them to their reset value (disabled).

Fixes: 3919357fb0bb ("net: mvpp2: initialize the GMAC when using a port")
Signed-off-by: Yan Markman <>
[Antoine: commit message]
Signed-off-by: Antoine Tenart <>
Signed-off-by: David S. Miller <>
5 years agonet: mvpp2: cleanup probed ports in the probe error path
Antoine Tenart [Tue, 28 Nov 2017 13:19:49 +0000 (14:19 +0100)]
net: mvpp2: cleanup probed ports in the probe error path

This patches fixes the probe error path by cleaning up probed ports, to
avoid leaving registered net devices when the driver failed to probe.

Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Antoine Tenart <>
Signed-off-by: David S. Miller <>
5 years agonet: mvpp2: fix the txq_init error path
Antoine Tenart [Tue, 28 Nov 2017 13:19:48 +0000 (14:19 +0100)]
net: mvpp2: fix the txq_init error path

When an allocation in the txq_init path fails, the allocated buffers
end-up being freed twice: in the txq_init error path, and in txq_deinit.
This lead to issues as txq_deinit would work on already freed memory

    kernel BUG at mm/slub.c:3915!
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP

This patch fixes this by removing the txq_init own error path, as the
txq_deinit function is always called on errors. This was introduced by
TSO as way more buffers are allocated.

Fixes: 186cd4d4e414 ("net: mvpp2: software tso support")
Signed-off-by: Antoine Tenart <>
Signed-off-by: David S. Miller <>
5 years agoquota: propagate error from __dquot_initialize
Chao Yu [Tue, 28 Nov 2017 15:01:44 +0000 (23:01 +0800)]
quota: propagate error from __dquot_initialize

In commit 6184fc0b8dd7 ("quota: Propagate error from ->acquire_dquot()"),
we have propagated error from __dquot_initialize to caller, but we forgot
to handle such error in add_dquot_ref(), so, currently, during quota
accounting information initialization flow, if we failed for some of
inodes, we just ignore such error, and do account for others, which is
not a good implementation.

In this patch, we choose to let user be aware of such error, so after
turning on quota successfully, we can make sure all inodes disk usage
can be accounted, which will be more reasonable.

Suggested-by: Jan Kara <>
Signed-off-by: Chao Yu <>
Signed-off-by: Jan Kara <>
5 years agoMerge branch 'mlxsw-GRE-offloading-fixes'
David S. Miller [Tue, 28 Nov 2017 14:55:48 +0000 (09:55 -0500)]
Merge branch 'mlxsw-GRE-offloading-fixes'

Jiri Pirko says:

mlxsw: GRE offloading fixes

Petr says:

This patchset fixes a couple bugs in offloading GRE tunnels in mlxsw

Patch #1 fixes a problem that local routes pointing at a GRE tunnel
device are offloaded even if that netdevice is down.

Patch #2 detects that as a result of moving a GRE netdevice to a
different VRF, two tunnels now have a conflict of local addresses,
something that the mlxsw driver can't offload.

Patch #3 fixes a FIB abort caused by forming a route pointing at a
GRE tunnel that is eligible for offloading but already onloaded.

Patch #4 fixes a problem that next hops migrated to a new RIF kept the
old RIF reference, which went dangling shortly afterwards.

Signed-off-by: David S. Miller <>
5 years agomlxsw: spectrum_router: Update nexthop RIF on update
Petr Machata [Tue, 28 Nov 2017 12:17:14 +0000 (13:17 +0100)]
mlxsw: spectrum_router: Update nexthop RIF on update

The function mlxsw_sp_nexthop_rif_update() walks the list of nexthops
associated with a RIF, and updates the corresponding entries in the
switch. It is used in particular when a tunnel underlay netdevice moves
to a different VRF, and all the nexthops are migrated over to a new RIF.
The problem is that each nexthop holds a reference to its RIF, and that
is not updated. So after the old RIF is gone, further activity on these
nexthops (such as downing the underlay netdevice) dereferences a
dangling pointer.

Fix the issue by updating rif of impacted nexthops before calling

Fixes: 0c5f1cd5ba8c ("mlxsw: spectrum_router: Generalize __mlxsw_sp_ipip_entry_update_tunnel()")
Signed-off-by: Petr Machata <>
Reviewed-by: Ido Schimmel <>
Signed-off-by: Jiri Pirko <>
Signed-off-by: David S. Miller <>
5 years agomlxsw: spectrum_router: Handle encap to demoted tunnels
Petr Machata [Tue, 28 Nov 2017 12:17:13 +0000 (13:17 +0100)]
mlxsw: spectrum_router: Handle encap to demoted tunnels

Some tunnels that are offloadable on their own can nonetheless be
demoted to slow path if their local address is in conflict with that of
another tunnel. When a route is formed for such a tunnel,
mlxsw_sp_nexthop_ipip_init() fails to find the corresponding IPIP entry,
and that triggers a FIB abort.

Resolve the problem by not assuming that a tunnel for which
mlxsw_sp_ipip_ops.can_offload() holds also automatically has an IPIP

Fixes: af641713e97d ("mlxsw: spectrum_router: Onload conflicting tunnels")
Signed-off-by: Petr Machata <>
Reviewed-by: Ido Schimmel <>
Signed-off-by: Jiri Pirko <>
Signed-off-by: David S. Miller <>
5 years agomlxsw: spectrum_router: Demote tunnels on VRF migration
Petr Machata [Tue, 28 Nov 2017 12:17:12 +0000 (13:17 +0100)]
mlxsw: spectrum_router: Demote tunnels on VRF migration

The mlxsw driver currently doesn't offload GRE tunnels if they have the
same local address and use the same underlay VRF. When such a situation
arises, the tunnels in conflict are demoted to slow path.

However, the current code only verifies this condition on tunnel
creation and tunnel change, not when a tunnel is moved to a different
VRF. When the tunnel has no bound device, underlay and overlay are the
same. Thus moving a tunnel moves the underlay as well, and that can
cause local address conflict.

So modify mlxsw_sp_netdevice_ipip_ol_vrf_event() to check if there are
any conflicting tunnels, and demote them if yes.

Fixes: af641713e97d ("mlxsw: spectrum_router: Onload conflicting tunnels")
Signed-off-by: Petr Machata <>
Reviewed-by: Ido Schimmel <>
Signed-off-by: Jiri Pirko <>
Signed-off-by: David S. Miller <>
5 years agomlxsw: spectrum_router: Offload decap only for up tunnels
Petr Machata [Tue, 28 Nov 2017 12:17:11 +0000 (13:17 +0100)]
mlxsw: spectrum_router: Offload decap only for up tunnels

When a new local route is added, an IPIP entry is looked up to determine
whether the route should be offloaded as a tunnel decap or as a trap.
That decision should take into account whether the tunnel netdevice in
question is actually IFF_UP, and only install a decap offload if it is.

Fixes: 0063587d3587 ("mlxsw: spectrum: Support decap-only IP-in-IP tunnels")
Signed-off-by: Petr Machata <>
Reviewed-by: Ido Schimmel <>
Signed-off-by: Jiri Pirko <>
Signed-off-by: David S. Miller <>
5 years agoMerge branch '40GbE' of git://
David S. Miller [Tue, 28 Nov 2017 14:52:04 +0000 (09:52 -0500)]
Merge branch '40GbE' of git://git./linux/kernel/git/jkirsher/net-queue

Jeff Kirsher says:

Intel Wired LAN Driver Updates 2017-11-27

This series contains updates to e1000, e1000e and i40e.

Gustavo A. R. Silva fixes a sizeof() issue where we were taking the size of
the pointer (which is always the size of the pointer).

Sasha does a follow up fix to a previous fix for buffer overrun, to resolve
community feedback from David Laight and the use of magic numbers.

Amritha fixes the reporting of error codes for when adding a cloud filter

Ahmad Fatoum brushes the dust off the e1000 driver to fix a code comment
and debug message which was incorrect about what the code was really doing.

Signed-off-by: David S. Miller <>
5 years agobtrfs: tree-checker: Fix false panic for sanity test
Qu Wenruo [Wed, 8 Nov 2017 00:54:24 +0000 (08:54 +0800)]
btrfs: tree-checker: Fix false panic for sanity test

If we run btrfs with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y, it will
instantly cause kernel panic like:

assertion failed: 0, file: fs/btrfs/disk-io.c, line: 3853
Call Trace:
 btrfs_mark_buffer_dirty+0x187/0x1f0 [btrfs]
 setup_items_for_insert+0x385/0x650 [btrfs]
 __btrfs_drop_extents+0x129a/0x1870 [btrfs]

Btrfs will call btrfs_check_leaf() in btrfs_mark_buffer_dirty() to check
if the leaf is valid with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y.

However quite some btrfs_mark_buffer_dirty() callers(*) don't really
initialize its item data but only initialize its item pointers, leaving
item data uninitialized.

This makes tree-checker catch uninitialized data as error, causing
such panic.

*: These callers include but not limited to

Add a new parameter @check_item_data to btrfs_check_leaf().
With @check_item_data set to false, item data check will be skipped and
fallback to old btrfs_check_leaf() behavior.

So we can still get early warning if we screw up item pointers, and
avoid false panic.

Cc: Filipe Manana <>
Reported-by: Lakshmipathi.G <>
Signed-off-by: Qu Wenruo <>
Reviewed-by: Liu Bo <>
Reviewed-by: David Sterba <>
Signed-off-by: David Sterba <>
5 years agoproc: don't report kernel addresses in /proc/<pid>/stack
Linus Torvalds [Tue, 28 Nov 2017 00:45:56 +0000 (16:45 -0800)]
proc: don't report kernel addresses in /proc/<pid>/stack

This just changes the file to report them as zero, although maybe even
that could be removed.  I checked, and at least procps doesn't actually
seem to parse the 'stack' file at all.

And since the file doesn't necessarily even exist (it requires
CONFIG_STACKTRACE), possibly other tools don't really use it either.

That said, in case somebody parses it with tools, just having that zero
there should keep such tools happy.

Signed-off-by: Linus Torvalds <>
5 years agoapparmor: fix oops in audit_signal_cb hook
John Johansen [Wed, 22 Nov 2017 15:33:38 +0000 (07:33 -0800)]
apparmor: fix oops in audit_signal_cb hook

The apparmor_audit_data struct ordering got messed up during a merge
conflict, resulting in the signal integer and peer pointer being in
a union instead of a struct.

For most of the 4.13 and 4.14 life cycle, this was hidden by
commit 651e28c5537a ("apparmor: add base infastructure for socket
mediation") which fixed the apparmor_audit_data struct when its data
was added. When that commit was reverted in -rc7 the signal audit bug
was exposed, and unfortunately it never showed up in any of the
testing until after 4.14 was released. Shaun Khan, Zephaniah
E. Loss-Cutler-Hull filed nearly simultaneous bug reports (with
different oopes, the smaller of which is included below).

Full credit goes to Tetsuo Handa for jumping on this as well and
noticing the audit data struct problem and reporting it.

[   76.178568] BUG: unable to handle kernel paging request at
[   76.178579] IP: audit_signal_cb+0x6c/0xe0
[   76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
[   76.178586] Oops: 0000 [#1] PREEMPT SMP
[   76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb
btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables
xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw
iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher
nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
[   76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted
4.14.0-f1-dirty #135
[   76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio
9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
[   76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
[   76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
[   76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
[   76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX:
[   76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
[   76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09:
[   76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12:
[   76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15:
[   76.178646] FS:  00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000)
[   76.178648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4:
[   76.178652] Call Trace:
[   76.178660]  common_lsm_audit+0x1da/0x780
[   76.178665]  ? d_absolute_path+0x60/0x90
[   76.178669]  ? aa_check_perms+0xcd/0xe0
[   76.178672]  aa_check_perms+0xcd/0xe0
[   76.178675]  profile_signal_perm.part.0+0x90/0xa0
[   76.178679]  aa_may_signal+0x16e/0x1b0
[   76.178686]  apparmor_task_kill+0x51/0x120
[   76.178690]  security_task_kill+0x44/0x60
[   76.178695]  group_send_sig_info+0x25/0x60
[   76.178699]  kill_pid_info+0x36/0x60
[   76.178703]  SYSC_kill+0xdb/0x180
[   76.178707]  ? preempt_count_sub+0x92/0xd0
[   76.178712]  ? _raw_write_unlock_irq+0x13/0x30
[   76.178716]  ? task_work_run+0x6a/0x90
[   76.178720]  ? exit_to_usermode_loop+0x80/0xa0
[   76.178723]  entry_SYSCALL_64_fastpath+0x13/0x94
[   76.178727] RIP: 0033:0x7f8b0e58b767
[   76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX:
[   76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX:
[   76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
[   76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09:
[   76.178739] R10: 000000000000022d R11: 0000000000000206 R12:
[   76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15:
[   76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
[   76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
[   76.178796] CR2: ffffffff0eee3bc0
[   76.178799] ---[ end trace 514af9529297f1a3 ]---

Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
Reported-by: Zephaniah E. Loss-Cutler-Hull <>
Reported-by: Shuah Khan <>
Suggested-by: Tetsuo Handa <>
Tested-by: Ivan Kozik <>
Tested-by: Zephaniah E. Loss-Cutler-Hull <>
Tested-by: Christian Boltz <>
Tested-by: Shuah Khan <>
Signed-off-by: John Johansen <>
5 years agoe1000: Fix off-by-one in debug message
Ahmad Fatoum [Sat, 18 Nov 2017 20:53:58 +0000 (21:53 +0100)]
e1000: Fix off-by-one in debug message

Signed-off-by: Ahmad Fatoum <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
5 years agoi40e: Fix reporting incorrect error codes
Amritha Nambiar [Fri, 17 Nov 2017 23:35:57 +0000 (15:35 -0800)]
i40e: Fix reporting incorrect error codes

Adding cloud filters could fail for a number of reasons,
unsupported filter fields for example, which fails during
validation of fields itself. This will not result in admin
command errors and converting the admin queue status to posix
error code using i40e_aq_rc_to_posix would result in incorrect
error values. If the failure was due to AQ error itself,
reporting that correctly is handled in the inner function.

Signed-off-by: Amritha Nambiar <>
Tested-by: Andrew Bowers <>
Signed-off-by: Jeff Kirsher <>
5 years agoe1000e: fix the use of magic numbers for buffer overrun issue
Sasha Neftin [Mon, 6 Nov 2017 06:31:59 +0000 (08:31 +0200)]
e1000e: fix the use of magic numbers for buffer overrun issue

This is a follow on to commit b10effb92e27 ("fix buffer overrun while the
 I219 is processing DMA transactions") to address David Laights concerns
about the use of "magic" numbers.  So define masks as well as add
additional code comments to give a better understanding of what needs to
be done to avoid a buffer overrun.

Signed-off-by: Sasha Neftin <>
Reviewed-by: Alexander H Duyck <>
Reviewed-by: Dima Ruinskiy <>
Reviewed-by: Raanan Avargil <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>