This is the start of the stable review cycle for the 3.10.108 release, which
will also be the last release in the 3.10 branch. All patches will be posted
as a response to this one. If anyone has any issue with these being applied,
please let me know. If anyone thinks some important patches are missing and
should be added prior to the release, please report them quickly with their
respective mainline commit IDs.

Responses should be made by Sat Nov 4 22:10:41 CET 2017. Anything received
after that time might be too late. If someone wants a bit more time for a
deeper review, please let me know.

The whole patch series can be found in one patch at :

    https://kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.10.108-rc1.gz

The shortlog and diffstat are appended below.

Thanks,
Willy

===============

Adam Borowski (1):
      vt: fix unchecked __put_user() in tioclinux ioctls

Al Viro (3):
      Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
      Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
      leak in O_DIRECT readv past the EOF

Alexander Potapenko (3):
      sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
      sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
      net/packet: check length in getsockopt() called with PACKET_HDRLEN

Andreas Gruenbacher (1):
      direct-io: Prevent NULL pointer access in submit_page_section

Andrew Gabbasov (1):
      usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options

Anssi Hannula (1):
      net: xilinx_emaclite: fix receive buffer overflow

Anton Blanchard (1):
      powerpc: Fix emulation of mfocrf in emulate_step()

Arend van Spriel (1):
      brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

Arnd Bergmann (7):
      wext: handle NULL extra data in iwe_stream_add_point better
      x86/io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
      [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()
      [media] ir-core: fix gcc-7 warning on bool arithmetic
      staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
      qlge: avoid memcpy buffer overflow
      IB/qib: fix false-postive maybe-uninitialized warning

Baohong Liu (1):
      tracing: Apply trace_clock changes to instance max buffer

Benjamin Block (1):
      scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

Bo Yan (1):
      tracing: Erase irqsoff trace with empty write

Cheah Kok Cheong (1):
      Staging: comedi: comedi_fops: Avoid orphaned proc entry

Chris Brandt (2):
      usb: r8a66597-hcd: select a different endpoint on timeout
      usb: r8a66597-hcd: decrease timeout

Christoph Paasch (1):
      net: Set sk_prot_creator when cloning sockets to the right proto

Christophe JAILLET (1):
      serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'

Dan Carpenter (10):
      libata: array underflow in ata_find_dev()
      sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
      drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
      drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
      xfrm: NULL dereference on allocation failure
      xfrm: Oops on error in pfkey_msg2xfrm_state()
      cpufreq: s3c2416: double free on driver init error path
      KEYS: Fix an error code in request_master_key()
      scsi: qla2xxx: Fix an integer overflow in sysfs code
      scsi: scsi_dh_emc: return success in clariion_std_inquiry()

Darrick J. Wong (1):
      ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets

David Howells (2):
      rxrpc: Fix several cases where a padded len isn't checked in ticket decode
      KEYS: don't let add_key() update an uninstantiated key

Eric Biggers (5):
      KEYS: fix dereferencing NULL payload with nonzero length
      FS-Cache: fix dereference of NULL user_key_payload
      KEYS: prevent creating a different user's keyrings
      KEYS: encrypted: fix dereference of NULL user_key_payload
      lib/digsig: fix dereference of NULL user_key_payload

Eric Dumazet (6):
      net: reduce skb_warn_bad_offload() noise
      net: skb_needs_check() accepts CHECKSUM_NONE for tx
      net: prevent sign extension in dev_get_stats()
      netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
      net: ping: do not abuse udp_poll()
      ipv6: fix typo in fib6_net_exit()

Feras Daoud (1):
      IB/ipoib: rtnl_unlock can not come after free_netdev

Florian Fainelli (1):
      net: korina: Fix NAPI versus resources freeing

Gao Feng (1):
      net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev

Haozhong Zhang (1):
      KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit

Helge Deller (1):
      mm: fix overflow check in expand_upwards()

Horia Geantă (1):
      crypto: caam - fix signals handling

Ian Abbott (1):
      staging: comedi: fix clean-up of comedi_class in comedi_init()

Ilya Matveychikov (1):
      lib/cmdline.c: fix get_options() overflow while parsing ranges

James Hogan (1):
      MIPS: Fix mips_atomic_set() retry condition

James Morse (1):
      ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal

Jan Kara (4):
      ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
      ext4: fix SEEK_HOLE
      ext4: avoid deadlock when expanding inode size
      udf: Fix deadlock between writeback and udf_setsize()

Jason Yan (1):
      md: fix super_offset endianness in super_1_rdev_size_change

Jerry Lee (1):
      ext4: fix overflow caused by missing cast in ext4_resize_fs()

Jin Yao (1):
      perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target

Joerg Roedel (1):
      iommu/amd: Finish TLB flush in amd_iommu_unmap()

Johan Hovold (2):
      serial: ifx6x60: fix use-after-free on module unload
      USB: serial: console: fix use-after-free after failed setup

Johannes Thumshirn (1):
      scsi: qla2xxx: don't disable a not previously enabled PCI device

Josh Poimboeuf (1):
      mm/page_alloc: Remove kernel address exposure in free_reserved_area()

Julian Anastasov (1):
      ipvs: SNAT packet replies only for NATed connections

Kazuya Mizuguchi (1):
      usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet

Kees Cook (1):
      fs/exec.c: account for argv/envp pointers

Konstantin Khlebnikov (1):
      ext4: keep existing extra fields when inode expands

Krzysztof Kozlowski (1):
      PM / Domains: Fix unsafe iteration over modified list of device links

Laura Abbott (1):
      x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()

Leon Romanovsky (1):
      net/mlx4: Remove BUG_ON from ICM allocation routine

Liping Zhang (2):
      netfilter: invoke synchronize_rcu after set the _hook_ to NULL
      netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister

Maciej W. Rozycki (4):
      MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
      MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
      MIPS: Fix unaligned PC interpretation in `compute_return_epc'
      MIPS: math-emu: Prevent wrong ISA mode instruction emulation

Mahesh Bandewar (1):
      ipv4: initialize fib_trie prior to register_netdev_notifier call.

Majd Dibbiny (1):
      net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs

Marcin Nowakowski (1):
      kernel/extable.c: mark core_kernel_text notrace

Martin Hicks (1):
      crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD

Mateusz Jurczyk (1):
      fuse: initialize the flock flag in fuse_file on allocation

Michael Ellerman (1):
      powerpc/64: Fix atomic64_inc_not_zero() to return an int

Michael Thalmeier (1):
      usb: chipidea: debug: check before accessing ci_role

Naveen N. Rao (1):
      powerpc/kprobes: Pause function_graph tracing during jprobes handling

Neal Cardwell (4):
      tcp: introduce tcp_rto_delta_us() helper for xmit timer fix
      tcp: enable xmit timer fix by having TLP use time when RTO should fire
      tcp: fix xmit timer to only be reset if data ACKed/SACKed
      tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP

NeilBrown (1):
      md/bitmap: disable bitmap_resize for file-backed bitmaps.

Nicholas Bellinger (1):
      target: Avoid mappedlun symlink creation during lun shutdown

Oliver O'Halloran (1):
      powerpc/asm: Mark cr0 as clobbered in mftb()

Pan Bian (1):
      team: fix memory leaks

Paolo Bonzini (1):
      kvm: async_pf: fix rcu_irq_enter() with irqs enabled

Prabhakar Lad (1):
      media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl

Radim Krčmář (1):
      KVM: x86: zero base3 of unusable segments

Russell King (1):
      net: phy: fix marvell phy status reading

Sabrina Dubroca (2):
      ipv6: fix memory leak with multiple tables during netns destruction
      ip6_gre: fix endianness errors in ip6gre_err

Shaohua Li (1):
      md/raid10: submit bio directly to replacement disk

Srinivas Dasari (2):
      cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
      cfg80211: Check if PMKID attribute is of expected size

Stefan Mätje (1):
      can: esd_usb2: Fix can_dlc value for received RTR, frames

Steffen Maier (4):
      scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
      scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
      scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
      scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response

Stephan Mueller (1):
      crypto: AF_ALG - remove SGL terminator indicator when chaining

Takashi Iwai (2):
      ALSA: seq: Fix use-after-free at creating a port
      ALSA: core: Fix unexpected error at replacing user TLV

Tejun Heo (2):
      workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
      workqueue: implicit ordered attribute should be overridable

Tomasz Wilczyński (1):
      cpufreq: conservative: Allow down_threshold to take values from 1 to 10

Tony Lindgren (1):
      mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode

Vladis Dronov (2):
      xfrm: policy: check policy direction value
      nl80211: check for the required netlink attributes presence

WANG Cong (2):
      tcp: reset sk_rx_dst in tcp_disconnect()
      ipv6: avoid unregistering inet6_dev for loopback

Wei Wang (1):
      tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

Willem de Bruijn (2):
      udp: consistently apply ufo or fragmentation
      packet: fix tp_reserve race in packet_set_ring

Xin Long (1):
      sctp: fix the check for _sctp_walk_params and _sctp_walk_errors

Yoshihiro Shimoda (5):
      usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle
      usb: renesas_usbhs: fix the sequence in xfer_work()
      usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
      usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
      usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction

Yuchung Cheng (2):
      tcp: disallow cwnd undo when switching congestion control
      tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states

satoru takeuchi (1):
      btrfs: prevent to set invalid default subvolid

 arch/mips/include/asm/branch.h | 5 +-
 arch/mips/kernel/branch.c | 8 ++-
 arch/mips/kernel/syscall.c | 2 +-
 arch/mips/math-emu/cp1emu.c | 38 +++++++++++++
 arch/powerpc/include/asm/atomic.h | 4 +-
 arch/powerpc/include/asm/reg.h | 2 +-
 arch/powerpc/kernel/kprobes.c | 11 ++++
 arch/powerpc/lib/sstep.c | 13 +++++
 arch/x86/include/asm/io.h | 4 +-
 arch/x86/kernel/kvm.c | 2 +-
 arch/x86/kvm/vmx.c | 2 +-
 arch/x86/kvm/x86.c | 2 +
 arch/x86/mm/numa_32.c | 1 +
 crypto/algif_skcipher.c | 4 +-
 drivers/acpi/apei/ghes.c | 1 +
 drivers/ata/libata-scsi.c | 6 +-
 drivers/base/power/domain.c | 4 +-
 drivers/cpufreq/cpufreq_conservative.c | 4 +-
 drivers/cpufreq/s3c2416-cpufreq.c | 1 -
 drivers/crypto/caam/caamhash.c | 2 +-
 drivers/crypto/caam/key_gen.c | 2 +-
 drivers/crypto/talitos.c | 7 ++-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 +
 drivers/infiniband/hw/qib/qib_iba7322.c | 2 +-
 drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 +-
 drivers/iommu/amd_iommu.c | 1 +
 drivers/md/bitmap.c | 5 ++
 drivers/md/md.c | 2 +-
 drivers/md/raid10.c | 19 ++++++-
 drivers/media/platform/davinci/vpfe_capture.c | 22 +-------
 drivers/media/rc/imon.c | 2 +-
 drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 13 ++---
 drivers/mfd/omap-usb-tll.c | 2 +-
 drivers/misc/c2port/c2port-duramar2150.c | 4 +-
 drivers/net/can/usb/esd_usb2.c | 2 +-
 drivers/net/ethernet/korina.c | 8 +--
 drivers/net/ethernet/mellanox/mlx4/icm.c | 7 ++-
 drivers/net/ethernet/mellanox/mlx4/main.c | 2 -
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 2 +-
 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 10 +++-
 drivers/net/phy/marvell.c | 2 -
 drivers/net/team/team.c | 8 ++-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 ++
 drivers/s390/scsi/zfcp_dbf.c | 21 +++++--
 drivers/s390/scsi/zfcp_dbf.h | 6 +-
 drivers/s390/scsi/zfcp_fc.h | 6 +-
 drivers/s390/scsi/zfcp_fsf.c | 3 +-
 drivers/s390/scsi/zfcp_scsi.c | 8 ++-
 drivers/scsi/device_handler/scsi_dh_emc.c | 2 +-
 drivers/scsi/qla2xxx/qla_attr.c | 8 +--
 drivers/scsi/qla2xxx/qla_os.c | 8 +--
 drivers/staging/comedi/comedi_fops.c | 7 ++-
 drivers/staging/iio/resolver/ad2s1210.c | 2 +-
 drivers/target/target_core_fabric_configfs.c | 5 ++
 drivers/target/target_core_tpg.c | 3 +
 drivers/tty/serial/efm32-uart.c | 11 +++-
 drivers/tty/serial/ifx6x60.c | 2 +-
 drivers/tty/vt/vt.c | 6 +-
 drivers/usb/chipidea/debug.c | 3 +-
 drivers/usb/gadget/composite.c | 5 ++
 drivers/usb/host/r8a66597-hcd.c | 6 +-
 drivers/usb/renesas_usbhs/common.c | 4 +-
 drivers/usb/renesas_usbhs/fifo.c | 50 +++++++++++++++--
 drivers/usb/renesas_usbhs/pipe.c | 13 +++++
 drivers/usb/renesas_usbhs/pipe.h | 4 ++
 drivers/usb/serial/console.c | 1 +
 fs/btrfs/ioctl.c | 4 ++
 fs/direct-io.c | 3 +
 fs/exec.c | 28 ++++++++--
 fs/ext4/file.c | 57 +++++++------------
 fs/ext4/inode.c | 7 +--
 fs/ext4/resize.c | 3 +-
 fs/ext4/xattr.c | 19 +++++--
 fs/fscache/object-list.c | 7 +++
 fs/fuse/file.c | 2 +-
 fs/udf/inode.c | 4 +-
 include/linux/key.h | 2 +
 include/linux/workqueue.h | 4 +-
 include/net/ipv6.h | 1 +
 include/net/iw_handler.h | 3 +-
 include/net/sctp/sctp.h | 4 ++
 include/net/sctp/ulpevent.h | 6 +-
 include/net/tcp.h | 10 ++++
 include/target/target_core_base.h | 1 +
 kernel/extable.c | 2 +-
 kernel/trace/trace.c | 12 +++-
 kernel/workqueue.c | 23 ++++++--
 lib/cmdline.c | 6 +-
 lib/digsig.c | 6 ++
 mm/mmap.c | 2 +-
 mm/page_alloc.c | 4 +-
 net/8021q/vlan.c | 3 +-
 net/bluetooth/bnep/core.c | 4 ++
 net/bluetooth/cmtp/core.c | 3 +
 net/core/dev.c | 21 ++++---
 net/core/sock.c | 2 +
 net/ipv4/af_inet.c | 2 +-
 net/ipv4/fib_frontend.c | 9 +--
 net/ipv4/ip_output.c | 7 ++-
 net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
 net/ipv4/tcp.c | 6 ++
 net/ipv4/tcp_cong.c | 1 +
 net/ipv4/tcp_input.c | 36 ++++++------
 net/ipv4/tcp_output.c | 26 ++-------
 net/ipv4/udp.c | 2 +-
 net/ipv6/addrconf.c | 3 +-
 net/ipv6/ip6_fib.c | 25 +++++++--
 net/ipv6/ip6_gre.c | 4 +-
 net/ipv6/ip6_output.c | 7 ++-
 net/ipv6/raw.c | 2 +-
 net/key/af_key.c | 17 ++++--
 net/netfilter/ipvs/ip_vs_core.c | 19 +++++--
 net/netfilter/nf_conntrack_ecache.c | 2 +
 net/netfilter/nf_conntrack_extend.c | 13 ++++-
 net/netfilter/nf_conntrack_netlink.c | 1 +
 net/netfilter/nf_nat_core.c | 2 +
 net/netfilter/nfnetlink_cttimeout.c | 1 +
 net/netfilter/xt_TCPMSS.c | 6 +-
 net/packet/af_packet.c | 15 +++--
 net/rxrpc/ar-key.c | 64 ++++++++++++----------
 net/sctp/ipv6.c | 2 +
 net/wireless/nl80211.c | 10 +++-
 net/xfrm/xfrm_policy.c | 6 ++
 security/keys/encrypted-keys/encrypted.c | 9 ++-
 security/keys/internal.h | 2 +-
 security/keys/key.c | 12 ++++
 security/keys/keyctl.c | 4 +-
 security/keys/keyring.c | 23 +++++---
 security/keys/process_keys.c | 8 ++-
 sound/core/control.c | 2 +-
 sound/core/seq/seq_clientmgr.c | 6 +-
 sound/core/seq/seq_ports.c | 7 ++-
 tools/perf/ui/browser.c | 2 +-
 133 files changed, 720 insertions(+), 330 deletions(-)

--
2.8.0.rc2.1.gbe9624a