Linux/linux f5d5827 drivers/hid hid-ids.h hid-quirks.c, include/uapi/linux input-event-codes.h

Merge branch 'for-linus' of git://

Pull HID subsystem fixes from Jiri Kosina:

 - two device-specific quirks from Hans de Goede and Nic Soudée

 - reintroduction of (mistakenly removed) ABS_RESERVED from Peter

* 'for-linus' of git://
  Input: restore EV_ABS ABS_RESERVED
  HID: quirks: fix devices
  HID: ite: Add USB id match for another ITE based keyboard rfkill key quirk

Linux/linux 9bb40f0 drivers/video/backlight pwm_bl.c

Merge tag 'backlight-fixes-4.20' of 

Pull backlight fix from Lee Jones:
 "Fix brightness levels when !DT in pwm_bl driver"

* tag 'backlight-fixes-4.20' of 
  backlight: pwm_bl: Fix brightness levels for non-DT case.

Linux/linux 1dffab5. MAINTAINERS CREDITS, arch/arm/boot/dts imx7d-pico.dtsi imx7d-nitrogen7.dts

Merge tag 'armsoc-fixes' of git://

Pull ARM SoC fixes from Olof Johansson:
 "The usual batch; most of them are DT tweaks to fix misdescribed
  hardware. Beyond that:

   - A bugfix for MMP2 CPU detection, it's been there quite a while but
     makes sense to fix now anyway.

   - Some power management tweaks:
      + disabling of CPU idle power state on Marvell Armada 7K/8K
        (Macchiatobin et al)
      + Increase of minimum voltage on BananaPi M3
      + Tweak of power ramp time for DVFS on NXP/Freescale i.MX7SX

   - A couple of MAINTAINER updates:
      + MMP has a new volunteer to look after it
      + Mediatek adds a few keywords, IRC channel and wiki URL"

* tag 'armsoc-fixes' of git://
  ARM: dts: imx7d-nitrogen7: Fix the description of the Wifi clock
  ARM: imx: update the cpu power up timing setting on i.mx6sx
  Revert "arm64: dts: marvell: add CPU Idle power state support on Armada 7K/8K"
  ARM: dts: imx7d-pico: Describe the Wifi clock
  ARM: dts: realview: Fix some more duplicate regulator nodes

    [8 lines not shown]

Linux/linux d347d0c drivers/video/backlight pwm_bl.c

backlight: pwm_bl: Fix brightness levels for non-DT case.

Commit '88ba95bedb79 ("backlight: pwm_bl: Compute brightness of LED
linearly to human eye")' allows the possibility to compute a default
brightness table when there isn't the brightness-levels property in the
DT. Unfortunately the changes made broke the pwm backlight for the
non-DT boards.

Usually, the non-DT boards don't pass the brightness levels via platform
data, instead, it sets the max_brightness in their platform data and the
driver calculates the level without a table. The offending patch assumed
that when there is no brightness levels table we should create one, but this
is clearly wrong for the non-DT case.

After this patch the code handles the DT and the non-DT case taking in
consideration also if max_brightness is set or not.

Fixes: 88ba95bedb79 ("backlight: pwm_bl: Compute brightness of LED linearly to human eye")
Reported-by: Robert Jarzmik <robert.jarzmik at>
Signed-off-by: Enric Balletbo i Serra <enric.balletbo at>
Tested-by: Robert Jarzmik <robert.jarzmik at>
Acked-by: Daniel Thompson <daniel.thompson at>
Signed-off-by: Lee Jones <lee.jones at>

Linux/linux 40e020c. Makefile

Linux 4.20-rc6
+1 -1, 1 files

Linux/linux d48f782 arch/powerpc/net bpf_jit_comp64.c, drivers/net/ethernet/broadcom/bnxt bnxt.c

Merge git://

Pull networking fixes from David Miller:
 "A decent batch of fixes here. I'd say about half are for problems that
  have existed for a while, and half are for new regressions added in
  the 4.20 merge window.

   1) Fix 10G SFP phy module detection in mvpp2, from Baruch Siach.

   2) Revert bogus emac driver change, from Benjamin Herrenschmidt.

   3) Handle BPF exported data structure with pointers when building
      32-bit userland, from Daniel Borkmann.

   4) Memory leak fix in act_police, from Davide Caratti.

   5) Check RX checksum offload in RX descriptors properly in aquantia
      driver, from Dmitry Bogdanov.

   6) SKB unlink fix in various spots, from Edward Cree.

   7) ndo_dflt_fdb_dump() only works with ethernet, enforce this, from
      Eric Dumazet.

   8) Fix FID leak in mlxsw driver, from Ido Schimmel.

    [52 lines not shown]

Linux/linux 8586ca8 arch/x86 Makefile, arch/x86/entry/vdso Makefile

Merge branch 'x86-urgent-for-linus' of 

Pull x86 fixes from Ingo Molnar:
 "Three fixes: a boot parameter re-(re-)fix, a retpoline build artifact
  fix and an LLVM workaround"

* 'x86-urgent-for-linus' of git://
  x86/vdso: Drop implicit common-page-size linker flag
  x86/build: Fix compiler support check for CONFIG_RETPOLINE
  x86/boot: Clear RSDP address in boot_params for broken loaders

Linux/linux ebbd300 arch/x86/entry entry_64.S, arch/x86/kernel/kprobes opt.c

Merge branch 'perf-urgent-for-linus' of 

Pull kprobes fixes from Ingo Molnar:
 "Two kprobes fixes: a blacklist fix and an instruction patching related
  corruption fix"

* 'perf-urgent-for-linus' of git://
  kprobes/x86: Blacklist non-attachable interrupt functions
  kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative 

Linux/linux 4b04e73 arch/x86/boot/compressed eboot.c, arch/x86/platform/efi early_printk.c

Merge branch 'efi-urgent-for-linus' of 

Pull EFI fixes from Ingo Molnar:
 "Two fixes: a large-system fix and an earlyprintk fix with certain

* 'efi-urgent-for-linus' of git://
  x86/earlyprintk/efi: Fix infinite loop on some screen widths
  x86/efi: Allocate e820 buffer before calling efi_exit_boot_service

Linux/linux 35cc3ce net/sched cls_flower.c

net/sched: cls_flower: Reject duplicated rules also under skip_sw

Currently, duplicated rules are rejected only for skip_hw or "none",
hence allowing users to push duplicates into HW for no reason.

Use the flower tables to protect for that.

Signed-off-by: Or Gerlitz <ogerlitz at>
Signed-off-by: Paul Blakey <paulb at>
Reported-by: Chris Mi <chrism at>
Signed-off-by: David S. Miller <davem at>
+10 -13, 1 files

Linux/linux d4b60e9 drivers/net/ethernet/broadcom/bnxt bnxt.c bnxt_ulp.c

Merge branch 'bnxt_en-Bug-fixes'

Michael Chan says:

bnxt_en: Bug fixes.

The first patch fixes a regression on CoS queue setup, introduced
recently by the 57500 new chip support patches.  The rest are
fixes related to ring and resource accounting on the new 57500 chips.

Signed-off-by: David S. Miller <davem at>

Linux/linux c0b8cda drivers/net/ethernet/broadcom/bnxt bnxt.c

bnxt_en: Fix NQ/CP rings accounting on the new 57500 chips.

The new 57500 chips have introduced the NQ structure in addition to
the existing CP rings in all chips.  We need to introduce a new
bnxt_nq_rings_in_use().  On legacy chips, the 2 functions are the
same and one will just call the other.  On the new chips, they
refer to the 2 separate ring structures.  The new function is now
called to determine the resource (NQ or CP rings) associated with
MSIX that are in use.

On 57500 chips, the RDMA driver does not use the CP rings so
we don't need to do the subtraction adjustment.

Fixes: 41e8d7983752 ("bnxt_en: Modify the ring reservation functions for 57500 series 
Signed-off-by: Michael Chan <michael.chan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 75720e6 drivers/net/ethernet/broadcom/bnxt bnxt.c bnxt_ulp.c

bnxt_en: Keep track of reserved IRQs.

The new 57500 chips use 1 NQ per MSIX vector, whereas legacy chips use
1 CP ring per MSIX vector.  To better unify this, add a resv_irqs
field to struct bnxt_hw_resc.  On legacy chips, we initialize resv_irqs
with resv_cp_rings.  On new chips, we initialize it with the allocated
MSIX resources.

Signed-off-by: Michael Chan <michael.chan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 804fba4 drivers/net/ethernet/broadcom/bnxt bnxt.c

bnxt_en: Fix CNP CoS queue regression.

Recent changes to support the 57500 devices have created this
regression.  The bnxt_hwrm_queue_qportcfg() call was moved to be
called earlier before the RDMA support was determined, causing
the CoS queues configuration to be set before knowing whether RDMA
was supported or not.  Fix it by moving it to the right place right
after RDMA support is determined.

Fixes: 98f04cf0f1fc ("bnxt_en: Check context memory requirements from firmware.")
Signed-off-by: Michael Chan <michael.chan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux e30fbc3 drivers/net/ethernet/broadcom/bnxt bnxt.c

bnxt_en: Fix _bnxt_get_max_rings() for 57500 chips.

The CP rings are accounted differently on the new 57500 chips.  There
must be enough CP rings for the sum of RX and TX rings on the new
chips.  The current logic may be over-estimating the RX and TX rings.

The output parameter max_cp should be the maximum NQs capped by
MSIX vectors available for networking in the context of 57500 chips.
The existing code which uses CMPL rings capped by the MSIX vectors
works most of the time but is not always correct.

Signed-off-by: Michael Chan <michael.chan at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 0844895. MAINTAINERS, drivers/gnss sirf.c

Merge tag 'char-misc-4.20-rc6' of 

Pull char/misc driver fixes from Greg KH:
 "Here are some small driver fixes for 4.20-rc6.

  There is a hyperv fix that for some reason took forever to get into a
  shape that could be applied to the tree properly, but resolves a much
  reported issue. The others are some gnss patches, one a bugfix and the
  two others updates to the MAINTAINERS file to properly match the gnss
  files in the tree.

  All have been in linux-next for a while with no reported issues"

* tag 'char-misc-4.20-rc6' of 
  MAINTAINERS: exclude gnss from SIRFPRIMA2 regex matching
  MAINTAINERS: add gnss scm tree
  gnss: sirf: fix activation retry handling
  Drivers: hv: vmbus: Offload the handling of channels to two workqueues

Linux/linux 47dcb08 drivers/staging/rtl8712 rtl871x_mlme.c mlme_linux.c, drivers/staging/rtl8723bs/core rtw_mlme_ext.c

Merge tag 'staging-4.20-rc6' of 

Pull staging fixes from Greg KH:
 "Here are two staging driver bugfixes for 4.20-rc6.

  One is a revert of a previously incorrect patch that was merged a
  while ago, and the other resolves a possible buffer overrun that was
  found by code inspection.

  Both of these have been in the linux-next tree with no reported

* tag 'staging-4.20-rc6' of git://
  Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
  staging: rtl8712: Fix possible buffer overrun

Linux/linux 0603a9a arch/arm64/boot/dts/marvell armada-ap806.dtsi armada-ap806-quad.dtsi

Merge tag 'mvebu-fixes-4.20-1' of git:// into fixes

mvebu fixes for 4.20

Adding CPU Idle state in the device tree for Armada 8040 seems to
break boot on some board, so let's revert it waiting for a better

* tag 'mvebu-fixes-4.20-1' of git://
  Revert "arm64: dts: marvell: add CPU Idle power state support on Armada 7K/8K"

Signed-off-by: Olof Johansson <olof at>

Linux/linux f53de38 arch/arm/boot/dts sun8i-a83t-bananapi-m3.dts

Merge tag 'sunxi-fixes-for-4.20' of into fixes

Allwinner fixes for 4.20

One small fix for a regulator range on the Banana Pi M3

* tag 'sunxi-fixes-for-4.20' of
  ARM: dts: sun8i: a83t: bananapi-m3: increase vcc-pd voltage to 3.3V

Signed-off-by: Olof Johansson <olof at>

Linux/linux 69dcdde arch/arm/boot/dts imx7d-pico.dtsi imx7d-nitrogen7.dts, arch/arm/mach-imx cpuidle-imx6sx.c

Merge tag 'imx-fixes-4.20-3' of 
git:// into fixes

i.MX fixes for 4.20, round 3:
 - A couple of fixes on imx7d-pico and imx7d-nitrogen7 boards to correct
   the description of the Wifi clock.
 - Change SW2ISO count to get a safer ARM LDO ramp-up time, so that
   different boards can be covered. This fixes the ARM LDO failure seen
   on some customer boards.

* tag 'imx-fixes-4.20-3' of git://
  ARM: dts: imx7d-nitrogen7: Fix the description of the Wifi clock
  ARM: imx: update the cpu power up timing setting on i.mx6sx
  ARM: dts: imx7d-pico: Describe the Wifi clock

Signed-off-by: Olof Johansson <olof at>

Linux/linux 822b768 drivers/tty tty_port.c, drivers/tty/serial kgdboc.c

Merge tag 'tty-4.20-rc6' of git://

Pull tty driver fixes from Greg KH:
 "Here are three small tty driver fixes for 4.20-rc6

  Nothing major, just some bug fixes for reported issues. Full details
  are in the shortlog.

  All of these have been in linux-next for a while with no reported

* tag 'tty-4.20-rc6' of git://
  kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
  tty: serial: 8250_mtk: always resume the device in probe.
  tty: do not set TTY_IO_ERROR flag if console port

Linux/linux 50a5528 drivers/tty tty_io.c, drivers/usb/core usb.c hub.c

Merge tag 'usb-4.20-rc6' of git://

Pull USB fixes from Greg KH:
 "Here are some small USB fixes for 4.20-rc6

  The "largest" here are some xhci fixes for reported issues. Also here
  is a USB core fix, some quirk additions, and a usb-serial fix which
  required the export of one of the tty layer's functions to prevent
  code duplication. The tty maintainer agreed with this change.

  All of these have been in linux-next with no reported issues"

* tag 'usb-4.20-rc6' of git://
  xhci: Prevent U1/U2 link pm states if exit latency is too long
  xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
  USB: check usb_get_extra_descriptor for proper size
  USB: serial: console: fix reported terminal settings
  usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
  USB: Fix invalid-free bug in port_over_current_notify()
  usb: appledisplay: Add 27" Apple Cinema Display

Linux/linux bc4caf1 fs/cifs file.c dir.c

Merge tag '4.20-rc5-smb3-fixes' of git://

Pull cifs fixes from Steve French:
 "Three small fixes: a fix for smb3 direct i/o, a fix for CIFS DFS for
  stable and a minor cifs Kconfig fix"

* tag '4.20-rc5-smb3-fixes' of git://
  CIFS: Avoid returning EBUSY to upper layer VFS
  cifs: Fix separator when building path from dentry
  cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)

Linux/linux fa82dcb fs dax.c, include/linux dax.h

Merge tag 'dax-fixes-4.20-rc6' of 

Pull dax fixes from Dan Williams:
 "The last of the known regression fixes and fallout from the Xarray
  conversion of the filesystem-dax implementation.

  On the path to debugging why the dax memory-failure injection test
  started failing after the Xarray conversion a couple more fixes for
  the dax_lock_mapping_entry(), now called dax_lock_page(), surfaced.
  Those plus the bug that started the hunt are now addressed. These
  patches have appeared in a -next release with no issues reported.

  Note the touches to mm/memory-failure.c are just the conversion to the
  new function signature for dax_lock_page().


   - Fix the Xarray conversion of fsdax to properly handle
     dax_lock_mapping_entry() in the presence of pmd entries

   - Fix inode destruction racing a new lock request"

* tag 'dax-fixes-4.20-rc6' of git://
  dax: Fix unlock mismatch with updated API

    [2 lines not shown]

Linux/linux bd799eb drivers/acpi/nfit core.c, drivers/nvdimm pfn_devs.c region_devs.c

Merge tag 'libnvdimm-fixes-4.20-rc6' of 

Pull libnvdimm fixes from Dan Williams:
 "A regression fix for the Address Range Scrub implementation, yes
  another one, and support for platforms that misalign persistent memory
  relative to the Linux memory hotplug section constraint. Longer term,
  support for sub-section memory hotplug would alleviate alignment
  waste, but until then this hack allows a 'struct page' memmap to be
  established for these misaligned memory regions.

  These have all appeared in a -next release, and thanks to Patrick for
  reporting and testing the alignment padding fix.


   - Unless and until the core mm handles memory hotplug units smaller
     than a section (128M), persistent memory namespaces must be padded
     to section alignment.

     The libnvdimm core already handled section collision with "System
     RAM", but some configurations overlap independent "Persistent
     Memory" ranges within a section, so additional padding injection is
     added for that case.

    [14 lines not shown]

Linux/linux bd5122c drivers/net/ethernet/mellanox/mlx4 en_ethtool.c

net/mlx4_core: Correctly set PFC param if global pause is turned off.

rx_ppp and tx_ppp can be set between 0 and 255, so don't clamp to 1.

Fixes: 6e8814ceb7e8 ("net/mlx4_en: Fix mixed PFC and Global pause user control requests")
Signed-off-by: Tarick Bedeir <tarick at>
Reviewed-by: Eran Ben Elisha <eranbe at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 6ec067e drivers/thermal armada_thermal.c, drivers/thermal/broadcom bcm2835_thermal.c brcmstb_thermal.c

Merge branch 'fixes' of 

Pull thermal SoC fixes from Eduardo Valentin:
 "Fixes for armada and broadcom thermal drivers"

* 'fixes' of git://
  thermal: broadcom: constify thermal_zone_of_device_ops structure
  thermal: armada: constify thermal_zone_of_device_ops structure
  thermal: bcm2835: Switch to SPDX identifier
  thermal: armada: fix legacy resource fixup
  thermal: armada: fix legacy validity test sense

Linux/linux 8214bdf include/uapi/asm-generic unistd.h

Merge tag 'asm-generic-4.20' of 

Pull asm-generic fix from Arnd Bergmann:
 "Multiple people reported a bug I introduced in asm-generic/unistd.h in
  4.20, this is the obvious bugfix to get glibc and others to correctly
  build again on new architectures that no longer provide the old
  fstatat64() family of system calls"

* tag 'asm-generic-4.20' of 
  asm-generic: unistd.h: fixup broken macro include.

Linux/linux 570c913 Documentation/devicetree/bindings/clock clock-bindings.txt, arch/arm64/boot/dts/qcom sdm845-mtp.dts

Merge tag 'clk-fixes-for-linus' of git://

Pull clk fixes from Stephen Boyd:
 "A few clk driver fixes this time:

   - Introduce protected-clock DT binding to fix breakage on qcom
     sdm845-mtp boards where the qspi clks introduced this merge window
     cause the firmware on those boards to take down the system if we
     try to read the clk registers

   - Fix a couple off-by-one errors found by Dan Carpenter

   - Handle failure in zynq fixed factor clk driver to avoid using
     uninitialized data"

* tag 'clk-fixes-for-linus' of git://
  clk: zynqmp: Off by one in zynqmp_is_valid_clock()
  clk: mmp: Off by one in mmp_clk_add()
  clk: mvebu: Off by one bugs in cp110_of_clk_get()
  arm64: dts: qcom: sdm845-mtp: Mark protected gcc clocks
  clk: qcom: Support 'protected-clocks' property
  dt-bindings: clk: Introduce 'protected-clocks' property
  clk: zynqmp: handle fixed factor param query error

Linux/linux f896adc fs iomap.c splice.c, fs/xfs xfs_bmap_util.c xfs_qm_bhv.c

Merge tag 'xfs-4.20-fixes-3' of git://

Pull xfs fixes from Darrick Wong:
 "Here are hopefully the last set of fixes for 4.20.

  There's a fix for a longstanding statfs reporting problem with project
  quotas, a correction for page cache invalidation behaviors when
  fallocating near EOF, and a fix for a broken metadata verifier return

  Finally, the most important fix is to the pipe splicing code (aka the
  generic copy_file_range fallback) to avoid pointless short directio
  reads by only asking the filesystem for as much data as there are
  available pages in the pipe buffer. Our previous fix (simulated short
  directio reads because the number of pages didn't match the length of
  the read requested) caused subtle problems on overlayfs, so that part
  is reverted.

  Anyhow, this series passes fstests -g all on xfs and overlay+xfs, and
  has passed 17 billion fsx operations problem-free since I started


   - Fix broken project quota inode counts

    [16 lines not shown]

Linux/linux 356ff8a include/linux gfp.h, mm mempolicy.c huge_memory.c

Revert "mm, thp: consolidate THP gfp handling into alloc_hugepage_direct_gfpmask"

This reverts commit 89c83fb539f95491be80cdd5158e6f0ce329e317.

This should have been done as part of 2f0799a0ffc0 ("mm, thp: restore
node-local hugepage allocations").  The movement of the thp allocation
policy from alloc_pages_vma() to alloc_hugepage_direct_gfpmask() was
intended to only set __GFP_THISNODE for mempolicies that are not
MPOL_BIND whereas the revert could set this regardless of mempolicy.

While the check for MPOL_BIND between alloc_hugepage_direct_gfpmask()
and alloc_pages_vma() was racy, that has since been removed since the
revert.  What is left is the possibility to use __GFP_THISNODE in
policy_node() when it is unexpected because the special handling for
hugepages in alloc_pages_vma()  was removed as part of the consolidation.

Secondly, prior to 89c83fb539f9, alloc_pages_vma() implemented a somewhat
different policy for hugepage allocations, which were allocated through
alloc_hugepage_vma().  For hugepage allocations, if the allocating
process's node is in the set of allowed nodes, allocate with
__GFP_THISNODE for that node (for MPOL_PREFERRED, use that node with
__GFP_THISNODE instead).  This was changed for shmem_alloc_hugepage() to
allow fallback to other nodes in 89c83fb539f9 as it did for new_page() in
mm/mempolicy.c which is functionally different behavior and removes the
requirement to only allocate hugepages locally.

    [15 lines not shown]

Linux/linux 5b3279e drivers/net/ethernet/ibm/emac emac.h

Revert "net/ibm/emac: wrong bit is used for STA control"

This reverts commit 624ca9c33c8a853a4a589836e310d776620f4ab9.

This commit is completely bogus. The STACR register has two formats, old
and new, depending on the version of the IP block used. There's a pair of
device-tree properties that can be used to specify the format used:


What this commit did was to change the bit definition used with the old
parts to match the new parts. This of course breaks the driver on all
the old ones.

Instead, the author should have set the appropriate properties in the
device-tree for the variant used on his board.

Signed-off-by: Benjamin Herrenschmidt <benh at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 66033f4 net/ipv6 ip6_output.c

ipv6: Check available headroom in ip6_xmit() even without options

Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.

On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().

Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in

KASan says:

[  264.967848] ==================================================================
[  264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[  264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[  264.967870]
[  264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[  264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[  264.967887] Call Trace:
[  264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)

    [39 lines not shown]
+21 -21, 1 files

Linux/linux e6ac64d include/net neighbour.h

neighbour: Avoid writing before skb->head in neigh_hh_output()

While skb_push() makes the kernel panic if the skb headroom is less than
the unaligned hardware header size, it will proceed normally in case we
copy more than that because of alignment, and we'll silently corrupt
adjacent slabs.

In the case fixed by the previous patch,
"ipv6: Check available headroom in ip6_xmit() even without options", we
end up in neigh_hh_output() with 14 bytes headroom, 14 bytes hardware
header and write 16 bytes, starting 2 bytes before the allocated buffer.

Always check we're not writing before skb->head and, if the headroom is
not enough, warn and drop the packet.

 - instead of panicking with BUG_ON(), WARN_ON_ONCE() and drop the packet
   (Eric Dumazet)
 - if we avoid the panic, though, we need to explicitly check the headroom
   before the memcpy(), otherwise we'll have corrupted slabs on a running
   kernel, after we warn
 - use __skb_push() instead of skb_push(), as the headroom check is
   already implemented here explicitly (Eric Dumazet)

Signed-off-by: Stefano Brivio <sbrivio at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 8b78903 include/net neighbour.h, net/ipv6 ip6_output.c

Merge branch 'skb-headroom-slab-out-of-bounds'

Stefano Brivio says:

Fix slab out-of-bounds on insufficient headroom for IPv6 packets

Patch 1/2 fixes a slab out-of-bounds occurring with short SCTP packets over
IPv4 over L2TP over IPv6 on a configuration with relatively low HEADER_MAX.

Patch 2/2 makes sure we avoid writing before the allocated buffer in
neigh_hh_output() in case the headroom is enough for the unaligned hardware
header size, but not enough for the aligned one, and that we warn if we hit
this condition.

Signed-off-by: David S. Miller <davem at>

Linux/linux f9bfe4e net/ipv4 tcp_output.c

tcp: lack of available data can also cause TSO defer

tcp_tso_should_defer() can return true in three different cases :

 1) We are cwnd-limited
 2) We are rwnd-limited
 3) We are application limited.

Neal pointed out that my recent fix went too far, since
it assumed that if we were not in 1) case, we must be rwnd-limited

Fix this by properly populating the is_cwnd_limited and
is_rwnd_limited booleans.

After this change, we can finally move the silly check for FIN
flag only for the application-limited case.

The same move for EOR bit will be handled in net-next,
since commit 1c09f7d073b1 ("tcp: do not try to defer skbs
with eor mark (MSG_EOR)") is scheduled for linux-4.21

Tested by running 200 concurrent netperf -t TCP_RR -- -r 60000,100
and checking none of them was rwnd_limited in the chrono_stat
output from "ss -ti" command.

    [7 lines not shown]
+24 -11, 1 files

Linux/linux 5f17979 drivers/s390/virtio virtio_ccw.c, drivers/vhost vsock.c

Merge tag 'for_linus' of git://

Pull vhost/virtio fixes from Michael Tsirkin:
 "A couple of last-minute fixes"

* tag 'for_linus' of git://
  vhost/vsock: fix use-after-free in network stack callers
  virtio/s390: fix race in ccw_io_helper()
  virtio/s390: avoid race on vcdev->config
  vhost/vsock: fix reset orphans race with close timeout

Linux/linux b8bf469 arch/arm64/kernel hibernate.c

Merge tag 'arm64-fixes' of git://

Pull arm64 fix from Catalin Marinas:
 "Avoid sending IPIs with interrupts disabled"

* tag 'arm64-fixes' of git://
  arm64: hibernate: Avoid sending cross-calling with interrupts disabled

Linux/linux 1cdc362 kernel stackleak.c, scripts/gcc-plugins stackleak_plugin.c

Merge tag 'gcc-plugins-v4.20-rc6' of 

Pull gcc stackleak plugin fixes from Kees Cook:

 - Remove tracing for inserted stack depth marking function (Anders

 - Move gcc-plugin pass location to avoid objtool warnings (Alexander

* tag 'gcc-plugins-v4.20-rc6' of git://
  stackleak: Register the 'stackleak_cleanup' pass before the '*free_cfg' pass
  stackleak: Mark stackleak_track_stack() as notrace

Linux/linux 52ab2ec crypto cfb.c pcbc.c

Merge branch 'linus' of git://

Pull crypto fixes from Herbert Xu:

 - Disable the new crypto stats interface as it's still being changed

 - Fix potential uses-after-free in cbc/cfb/pcbc.

* 'linus' of git://
  crypto: user - Disable statistics interface
  crypto: do not free algorithm before using

Linux/linux 7b24f6c drivers/pci/pcie aspm.c

Merge tag 'pci-v4.20-fixes-3' of git://

Pull PCI fixes from Bjorn Helgaas:
 "Revert ASPM change that caused a regression"

* tag 'pci-v4.20-fixes-3' of git://
  Revert "PCI/ASPM: Do not initialize link state when aspm_disabled is set"

Linux/linux 1b4e5ad net/ipv6 seg6_iptunnel.c

ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output

In 'seg6_output', stack variable 'struct flowi6 fl6' was missing

Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with 
Signed-off-by: Shmulik Ladkani <shmulik.ladkani at>
Signed-off-by: David S. Miller <davem at>

Linux/linux 0b43a29 block bfq-iosched.c bfq-iosched.h, drivers/nvme/host core.c

Merge tag 'for-linus-20181207' of git://

Pull block fixes from Jens Axboe:
 "Let's try this again...

  We're finally happy with the DM livelock issue, and it's also passed
  overnight testing and the corruption regression test. The end result
  is much nicer now too, which is great.

  Outside of that fix, there's a pull request for NVMe with two small
  fixes, and a regression fix for BFQ from this merge window. The BFQ
  fix looks bigger than it is, it's 90% comment updates"

* tag 'for-linus-20181207' of git://
  blk-mq: punt failed direct issue to dispatch list
  nvmet-rdma: fix response use after free
  nvme: validate controller state before rescheduling keep alive
  block, bfq: fix decrement of num_active_groups

Linux/linux 52f842c drivers/i2c/busses i2c-uniphier-f.c i2c-axxia.c

Merge branch 'i2c/for-current-fixed' of 

Pull i2c fixes from Wolfram Sang:
 "A set of driver bugfixes for the I2C subsystem"

* 'i2c/for-current-fixed' of git://
  i2c: uniphier-f: fix violation of tLOW requirement for Fast-mode
  i2c: uniphier: fix violation of tLOW requirement for Fast-mode
  i2c: uniphier-f: fill TX-FIFO only in IRQ handler for repeated START
  i2c: uniphier-f: fix timeout error after reading 8 bytes
  i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node
  i2c: axxia: properly handle master timeout
  i2c: rcar: check bus state before reinitializing
  i2c: nvidia-gpu: limit reads also for combined messages
  i2c: nvidia-gpu: adhere to I2C fault codes

Linux/linux c431b42 drivers/dma imx-sdma.c, drivers/dma/dw core.c

Merge tag 'dmaengine-fix-4.20-rc6' of git://

Pull dmaengine fixes from Vinod Koul:
 "Another pull request for dmaengine. We got a bunch of fixes early this
  week and all are tagged to stable. Hope this is last fix for this

   - Fix imx-sdma handling of channel terminations, this involves
     reverting two commits and implement async termination

   - Fix cppi dma channel deletion from pending list on stop

   - Fix FIFO size for dw controller in Intel Merrifield"

* tag 'dmaengine-fix-4.20-rc6' of git://
  dmaengine: dw: Fix FIFO size for Intel Merrifield
  dmaengine: cppi41: delete channel from pending list when stop channel
  dmaengine: imx-sdma: use GFP_NOWAIT for dma descriptor allocations
  dmaengine: imx-sdma: implement channel termination via worker
  Revert "dmaengine: imx-sdma: alloclate bd memory from dma pool"
  Revert "dmaengine: imx-sdma: Use GFP_NOWAIT for dma allocations"

Linux/linux ac3e233 arch/x86/entry/vdso Makefile

x86/vdso: Drop implicit common-page-size linker flag

GNU linker's -z common-page-size's default value is based on the target
architecture. arch/x86/entry/vdso/Makefile sets it to the architecture
default, which is implicit and redundant. Drop it.

Fixes: 2aae950b21e4 ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu")
Reported-by: Dmitry Golovin <dima at>
Reported-by: Bill Wendling <morbo at>
Suggested-by: Dmitry Golovin <dima at>
Suggested-by: Rui Ueyama <ruiu at>
Signed-off-by: Nick Desaulniers <ndesaulniers at>
Signed-off-by: Borislav Petkov <bp at>
Acked-by: Andy Lutomirski <luto at>
Cc: Andi Kleen <andi at>
Cc: Fangrui Song <maskray at>
Cc: "H. Peter Anvin" <hpa at>
Cc: Ingo Molnar <mingo at>
Cc: Thomas Gleixner <tglx at>
Cc: x86-ml <x86 at>
Link: at

Linux/linux b4aecf7 arch/arm64/kernel hibernate.c

arm64: hibernate: Avoid sending cross-calling with interrupts disabled

Since commit 3b8c9f1cdfc50 ("arm64: IPI each CPU after invalidating the
I-cache for kernel mappings"), a call to flush_icache_range() will use
an IPI to cross-call other online CPUs so that any stale instructions
are flushed from their pipelines. This triggers a WARN during the
hibernation resume path, where flush_icache_range() is called with
interrupts disabled and is therefore prone to deadlock:

  | Disabling non-boot CPUs ...
  | CPU1: shutdown
  | psci: CPU1 killed.
  | CPU2: shutdown
  | psci: CPU2 killed.
  | CPU3: shutdown
  | psci: CPU3 killed.
  | WARNING: CPU: 0 PID: 1 at ../kernel/smp.c:416 smp_call_function_many+0xd4/0x350
  | Modules linked in:
  | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.20.0-rc4 #1

Since all secondary CPUs have been taken offline prior to invalidating
the I-cache, there's actually no need for an IPI and we can simply call
__flush_icache_range() instead.

Cc: <stable at>

    [7 lines not shown]

Linux/linux 8b878ee drivers/nvme/host core.c, drivers/nvme/target rdma.c

Merge branch 'nvme-4.20' of git:// into for-linus

Pull NVMe fixes from Christoph.

* 'nvme-4.20' of git://
  nvmet-rdma: fix response use after free
  nvme: validate controller state before rescheduling keep alive

Linux/linux c616cbe block blk-mq.c

blk-mq: punt failed direct issue to dispatch list

After the direct dispatch corruption fix, we permanently disallow direct
dispatch of non read/write requests. This works fine off the normal IO
path, as they will be retried like any other failed direct dispatch
request. But for the blk_insert_cloned_request() that only DM uses to
bypass the bottom level scheduler, we always first attempt direct
dispatch. For some types of requests, that's now a permanent failure,
and no amount of retrying will make that succeed. This results in a

Instead of making special cases for what we can direct issue, and now
having to deal with DM solving the livelock while still retaining a BUSY
condition feedback loop, always just add a request that has been through
->queue_rq() to the hardware queue dispatch list. These are safe to use
as no merging can take place there. Additionally, if requests do have
prepped data from drivers, we aren't dependent on them not sharing space
in the request structure to safely add them to the IO scheduler lists.

This basically reverts ffe81d45322c and is based on a patch from Ming,
but with the list insert case covered as well.

Fixes: ffe81d45322c ("blk-mq: fix corruption with direct issue")
Cc: stable at
Suggested-by: Ming Lei <ming.lei at>

    [4 lines not shown]
+5 -28, 1 files

Linux/linux d7dcdf9 drivers/nvme/target rdma.c

nvmet-rdma: fix response use after free

nvmet_rdma_release_rsp() may free the response before using it at error

Fixes: 8407879 ("nvmet-rdma: fix possible bogus dereference under heavy load")
Signed-off-by: Israel Rukshin <israelr at>
Reviewed-by: Sagi Grimberg <sagi at>
Reviewed-by: Max Gurtovoy <maxg at>
Signed-off-by: Christoph Hellwig <hch at>