Linux/linux 40e196a arch/mips/net ebpf_jit.c, drivers/net/dsa/b53 b53_common.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix suspend and resume in mt76x0u USB driver, from Stanislaw
    Gruszka.

 2) Missing memory barriers in xsk, from Magnus Karlsson.

 3) rhashtable fixes in mac80211 from Herbert Xu.

 4) 32-bit MIPS eBPF JIT fixes from Paul Burton.

 5) Fix for_each_netdev_feature() on big endian, from Hauke Mehrtens.

 6) GSO validation fixes from Willem de Bruijn.

 7) Endianness fix for dwmac4 timestamp handling, from Alexandre Torgue.

 8) More strict checks in tcp_v4_err(), from Eric Dumazet.

 9) af_alg_release should NULL out the sk after the sock_put(), from Mao
    Wenan.

10) Missing unlock in mac80211 mesh error path, from Wei Yongjun.

    [25 lines not shown]

Linux/linux 1765f5d drivers/net/ethernet/marvell sky2.c

sky2: Increase D3 delay again

Another platform requires even longer delay to make the device work
correctly after S3.

So increase the delay to 300ms.

BugLink: https://bugs.launchpad.net/bugs/1798921

Signed-off-by: Kai-Heng Feng <kai.heng.feng at canonical.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 816db76 drivers/vhost vhost.c

vhost: correctly check the return value of translate_desc() in log_used()

When it fails, translate_desc() returns a negative value, otherwise the
number of iovs. So we should fail when the return value is negative
instead of blindly checking against zero.

Detected by CoverityScan, CID# 1442593:  Control flow issues  (DEADCODE)

Fixes: cc5e71075947 ("vhost: log dirty page correctly")
Acked-by: Michael S. Tsirkin <mst at redhat.com>
Reported-by: Stephen Hemminger <stephen at networkplumber.org>
Signed-off-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 5cd856a net/netfilter nf_tables_api.c, net/netfilter/ipvs ip_vs_ctl.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for net:

1) Follow up patch to fix a compilation warning in a recent IPVS fix:
   098e13f5b21d ("ipvs: fix dependency on nf_defrag_ipv6").

2) Bogus ENOENT error on flush after rule deletion in the same batch,
   reported by Phil Sutter.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 1f43f40 drivers/net/ethernet/ti netcp_core.c

net: netcp: Fix ethss driver probe issue

Recent commit below has introduced a bug in netcp driver that causes
the ethss driver probe failure and thus break the networking function
on K2 SoCs such as K2HK, K2L, K2E etc. This patch fixes the issue to
restore networking on the above SoCs.

Fixes: 21c328dcecfc ("net: ethernet: Convert to using %pOFn instead of device_node.name")
Signed-off-by: Murali Karicheri <m-karicheri2 at ti.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 4d96e13 drivers/net/ethernet/hisilicon/hns hns_dsaf_main.c

net: hns: Fixes the missing put_device in positive leg for roce reset

This patch fixes the missing device reference release-after-use in
the positive leg of the roce reset API of the HNS DSAF.

Fixes: c969c6e7ab8c ("net: hns: Fix object reference leaks in hns_dsaf_roce_reset()")
Reported-by: John Garry <john.garry at huawei.com>
Signed-off-by: Salil Mehta <salil.mehta at huawei.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 92a8c29 drivers/net/wireless/mediatek/mt76/mt76x0 usb.c

Merge tag 'wireless-drivers-for-davem-2019-02-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 5.0

Hopefully the last set of fixes for 5.0, only fix this time.

mt76

* fix regression with resume on mt76x0u USB devices
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 8a7493e drivers/net/ethernet/stmicro/stmmac stmmac_ethtool.c

net: stmmac: Fix a race in EEE enable callback

We are saving the status of EEE even before we try to enable it. This
leads to a race with XMIT function that tries to arm EEE timer before we
set it up.

Fix this by only saving the EEE parameters after all operations are
performed with success.

Signed-off-by: Jose Abreu <joabreu at synopsys.com>
Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
Cc: Joao Pinto <jpinto at synopsys.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: Giuseppe Cavallaro <peppe.cavallaro at st.com>
Cc: Alexandre Torgue <alexandre.torgue at st.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 8be3dad drivers/net/ethernet/qlogic/qed qed_iwarp.c

qed: Fix iWARP syn packet mac address validation.

The ll2 forwards all syn packets to the driver without validating the mac
address. Add validation check in the driver's iWARP listener flow and drop
the packet if it isn't intended for the device.

Signed-off-by: Ariel Elior <ariel.elior at marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon at marvell.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 9addc92 drivers/net/ethernet/qlogic/qed qed_iwarp.c qed_iwarp.h

qed: Fix iWARP buffer size provided for syn packet processing.

The assumption that the maximum size of a syn packet is 128 bytes
is wrong. Tunneling headers were not accounted for.
Allocate buffers large enough for mtu.

Signed-off-by: Ariel Elior <ariel.elior at marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon at marvell.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 694d790 drivers/net/ethernet/qlogic/qed qed_iwarp.c qed_iwarp.h

Merge branch 'qed-iWARP'

Michal Kalderon says:

====================
qed: iWARP - fix some syn related issues.

This series fixes two bugs related to iWARP syn processing flow.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux b5372fe fs binfmt_script.c

exec: load_script: Do not exec truncated interpreter path

Commit 8099b047ecc4 ("exec: load_script: don't blindly truncate
shebang string") was trying to protect against a confused exec of a
truncated interpreter path. However, it was overeager and also refused
to truncate arguments as well, which broke userspace, and it was
reverted. This attempts the protection again, but allows arguments to
remain truncated. In an effort to improve readability, helper functions
and comments have been added.

Co-developed-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Kees Cook <keescook at chromium.org>
Cc: Andrew Morton <akpm at linux-foundation.org>
Cc: Oleg Nesterov <oleg at redhat.com>
Cc: Samuel Dionne-Riel <samuel at dionne-riel.com>
Cc: Richard Weinberger <richard.weinberger at gmail.com>
Cc: Graham Christensen <graham at grahamc.com>
Cc: Michal Hocko <mhocko at suse.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Delta   File
+48 -9  fs/binfmt_script.c
+48 -9  1 files

Linux/linux 8e29d23 drivers/net/usb r8152.c

r8152: Add support for MAC address pass through on RTL8153-BD

RTL8153-BD is used in Dell DA300 type-C dongle.
It should be added to the whitelist of devices to activate MAC address
pass through.

Per confirming with Realtek all devices containing RTL8153-BD should
activate MAC pass through and there won't use pass through bit on efuse
like in RTL8153-AD.

Signed-off-by: David Chen <david.chen7 at dell.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux f2ffff0 net/mac80211 mesh_pathtbl.c

mac80211: mesh: fix missing unlock on error in table_path_del()

spin_lock_bh() is used in table_path_del() but rcu_read_unlock()
is used for unlocking. Fix it by using spin_unlock_bh() instead
of rcu_read_unlock() in the error handling case.

Fixes: b4c3fbe63601 ("mac80211: Use linked list instead of rhashtable walk for mesh tables")
Acked-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Wei Yongjun <weiyongjun1 at huawei.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 21d2cb4 drivers/net/ethernet/mellanox/mlx4 en_netdev.c

net/mlx4_en: fix spelling mistake: "quiting" -> "quitting"

There is a spelling mistake in a en_err error message. Fix it.

Signed-off-by: Colin Ian King <colin.king at canonical.com>
Reviewed-by: Tariq Toukan <tariqt at mellanox.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 9060cb7 crypto af_alg.c

net: crypto set sk to NULL when af_alg_release.

KASAN has found use-after-free in sockfs_setattr.
The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
and sockfs_setattr()") is to fix this similar issue, but it seems to ignore
that crypto module forgets to set the sk to NULL after af_alg_release.

KASAN report details as below:
BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186

CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0xca/0x13e
 print_address_description+0x79/0x330
 ? vprintk_func+0x5e/0xf0
 kasan_report+0x18a/0x2e0
 ? sockfs_setattr+0x120/0x150
 sockfs_setattr+0x120/0x150
 ? sock_register+0x2d0/0x2d0
 notify_change+0x90c/0xd40
 ? chown_common+0x2ef/0x510
 chown_common+0x2ef/0x510

    [71 lines not shown]
Delta   File
+3 -1   crypto/af_alg.c
+3 -1   1 files

Linux/linux 301e361 drivers/mailbox bcm-flexrm-mailbox.c mailbox.c

Merge tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration

Pull mailbox fixes from Jassi Brar:

 - API: Fix build breakage by exporting the function mbox_flush

 - BRCM: Fix FlexRM ring flush timeout issue

* tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
  mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
  mailbox: Export mbox_flush()

Linux/linux 3ddc14e arch/arm Kconfig, arch/arm/include/asm irq.h

Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm

Pull ARM fixes from Russell King:
 "A few ARM fixes:

   - Dietmar Eggemann noticed an issue with IRQ migration during CPU
     hotplug stress testing.

   - Mathieu Desnoyers noticed that a previous fix broke optimised
     kprobes.

   - Robin Murphy noticed a case where we were not clearing the dma_ops"

* tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 8835/1: dma-mapping: Clear DMA ops on teardown
  ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction
  ARM: 8824/1: fix a migrating irq bug when hotplug cpu

Linux/linux 10f4902 kernel/trace trace_kprobe.c trace.c

Merge tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fixes from Steven Rostedt:
 "Two more tracing fixes

   - Have kprobes not use copy_from_user() to access kernel addresses,
     because kprobes can legitimately poke at bad kernel memory, which
     will fault. Copy from user code should never fault in kernel space.
     Using probe_mem_read() can handle kernel address space faulting.

   - Put back the entries counter in the tracing output that was
     accidentally removed"

* tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix number of entries in trace header
  kprobe: Do not use uaccess functions to access kernel memory that can fault

Linux/linux d7bf31a drivers/mailbox bcm-flexrm-mailbox.c

mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue

RING_CONTROL reg was not written due to wrong address, hence all
the subsequent ring flush was timing out.

Fixes: a371c10ea4b3 ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence")

Signed-off-by: Rayagonda Kokatanur <rayagonda.kokatanur at broadcom.com>
Signed-off-by: Ray Jui <ray.jui at broadcom.com>
Reviewed-by: Scott Branden <scott.branden at broadcom.com>
Signed-off-by: Jassi Brar <jaswinder.singh at linaro.org>

Linux/linux 4f05577 drivers/mailbox mailbox.c

mailbox: Export mbox_flush()

The mbox_flush() function can be used by drivers that are built as
modules, so the function needs to be exported.

Reported-by: Mark Brown <broonie at kernel.org>
Signed-off-by: Thierry Reding <treding at nvidia.com>
Signed-off-by: Jassi Brar <jaswinder.singh at linaro.org>

Linux/linux a3b22b9 . Makefile

Linux 5.0-rc7
Delta   File
+1 -1   Makefile
+1 -1   1 files

Linux/linux 3bed3cc net/core skbuff.c

net: Do not allocate page fragments that are not skb aligned

This patch addresses the fact that there are drivers, specifically tun,
that will call into the network page fragment allocators with buffer sizes
that are not cache aligned. Doing this could result in data alignment
and DMA performance issues as these fragment pools are also shared with the
skb allocator and any other devices that will use napi_alloc_frags or
netdev_alloc_frags.

Fixes: ffde7328a36d ("net: Split netdev_alloc_frag into __alloc_page_frag and add __napi_alloc_frag")
Reported-by: Jann Horn <jannh at google.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck at linux.intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Delta   File
+4 -0   net/core/skbuff.c
+4 -0   1 files

Linux/linux 8644772 mm page_alloc.c

mm: Use fixed constant in page_frag_alloc instead of size + 1

This patch replaces the size + 1 value introduced with the recent fix for 1
byte allocs with a constant value.

The idea here is to reduce code overhead as the previous logic would have
to read size into a register, then increment it, and write it back to
whatever field was being used. By using a constant we can avoid those
memory reads and arithmetic operations in favor of just encoding the
maximum value into the operation itself.

Fixes: 2c2ade81741c ("mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs")
Signed-off-by: Alexander Duyck <alexander.h.duyck at linux.intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Delta   File
+4 -4   mm/page_alloc.c
+4 -4   1 files

Linux/linux 254a1a2 mm page_alloc.c, net/core skbuff.c

Merge branch 'netdev-page_frag_alloc-fixes'

Alexander Duyck says:

====================
Address recent issues found in netdev page_frag_alloc usage

This patch set addresses a couple of issues that I had pointed out to Jann
Horn in response to a recent patch submission.

The first issue is that I wanted to avoid the need to read/modify/write the
size value in order to generate the value for pagecnt_bias. Instead we can
just use a fixed constant which reduces the need for memory read operations
and the overall number of instructions to update the pagecnt bias values.

The other, and more important issue is, that apparently we were letting tun
access the napi_alloc_cache indirectly through netdev_alloc_frag and as a
result letting it create unaligned accesses via unaligned allocations. In
order to prevent this I have added a call to SKB_DATA_ALIGN for the fragsz
field so that we will keep the offset in the napi_alloc_cache
SMP_CACHE_BYTES aligned.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux e09c6a4 net/ipv4 tcp_ipv4.c tcp.c

Merge branch 'tcp-fix-possible-crash-in-tcp_v4_err'

Eric Dumazet says:

====================
tcp: fix possible crash in tcp_v4_err()

soukjin bae reported a crash in tcp_v4_err() that we
root caused to a missing initialization.

Second patch adds a sanity check in tcp_v4_err() to avoid
future potential problems. Ignoring an ICMP message
is probably better than crashing a machine.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 04c0311 net/ipv4 tcp.c

tcp: clear icsk_backoff in tcp_write_queue_purge()

soukjin bae reported a crash in tcp_v4_err() handling
ICMP_DEST_UNREACH after tcp_write_queue_head(sk)
returned a NULL pointer.

Current logic should have prevented this :

  if (seq != tp->snd_una  || !icsk->icsk_retransmits ||
      !icsk->icsk_backoff || fastopen)
      break;

Problem is the write queue might have been purged
and icsk_backoff has not been cleared.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: soukjin bae <soukjin.bae at samsung.com>
Acked-by: Neal Cardwell <ncardwell at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Delta   File
+1 -1   net/ipv4/tcp.c
+1 -1   1 files

Linux/linux 2c4cc97 net/ipv4 tcp_ipv4.c

tcp: tcp_v4_err() should be more careful

ICMP handlers are not very often stressed, we should
make them more resilient to bugs that might surface in
the future.

If there is no packet in retransmit queue, we should
avoid a NULL deref.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: soukjin bae <soukjin.bae at samsung.com>
Acked-by: Neal Cardwell <ncardwell at google.com>
Acked-by: Soheil Hassas Yeganeh <soheil at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux e928b5d drivers/net/ethernet/marvell mv643xx_eth.c

net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()

If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
leaves clk enabled.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 97dc47a drivers/net/usb qmi_wwan.c

qmi_wwan: apply SET_DTR quirk to Sierra WP7607

The 1199:68C0 USB ID is reused by Sierra WP7607 which requires the DTR
quirk to be detected. Apply QMI_QUIRK_SET_DTR unconditionally as
already done for other IDs shared between different devices.

Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
Acked-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 4012e7d drivers/net/ethernet/stmicro/stmmac dwmac4_descs.c

net: stmmac: handle endianness in dwmac4_get_timestamp

GMAC IP is little-endian and used on several kind of CPU (big or little
endian). Main callbacks functions of the stmmac drivers take care about
it. It was not the case for dwmac4_get_timestamp function.

Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
Signed-off-by: Alexandre Torgue <alexandre.torgue at st.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 31a1b8d Documentation/networking msg_zerocopy.rst

doc: Mention MSG_ZEROCOPY implementation for UDP

MSG_ZEROCOPY implementation for UDP was merged in v5.0,
6e360f733113 ("Merge branch 'udp-msg_zerocopy'").

Signed-off-by: Petr Vorel <pvorel at suse.cz>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 2894604 drivers/net/ethernet/mellanox/mlxsw spectrum.c

mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable

The function-local variable "delay" enters the loop interpreted as delay
in bits. However, inside the loop it gets overwritten by the result of
mlxsw_sp_pg_buf_delay_get(), and thus leaves the loop as quantity in
cells. Thus on second and further loop iterations, the headroom for a
given priority is configured with a wrong size.

Fix by introducing a loop-local variable, delay_cells. Rename thres to
thres_cells for consistency.

Fixes: f417f04da589 ("mlxsw: spectrum: Refactor port buffer configuration")
Signed-off-by: Petr Machata <petrm at mellanox.com>
Acked-by: Jiri Pirko <jiri at mellanox.com>
Signed-off-by: Ido Schimmel <idosch at mellanox.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 2fee036 arch/arm64/include/asm memory.h, drivers/firmware/efi efi.c

Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull EFI fixes from Ingo Molnar:
 "This tree reverts a GICv3 commit (which was broken) and fixes it in
  another way, by adding a memblock build-time entries quirk for ARM64"

* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  efi/arm: Revert "Defer persistent reservations until after paging_init()"
  arm64, mm, efi: Account for GICv3 LPI tables in static memblock reserve table

Linux/linux 8d33316 arch/x86/ia32 ia32_aout.c, arch/x86/include/asm intel-family.h

Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:
 "Three changes:

   - An UV fix/quirk to pull UV BIOS calls into the efi_runtime_lock
     locking regime. (This done by aliasing __efi_uv_runtime_lock to
     efi_runtime_lock, which should make the quirk nature obvious and
     maintain the general policy that the EFI lock (name...) isn't
     exposed to drivers.)

   - Our version of MAGA: Make a.out Great Again.

   - Add a new Intel model name enumerator to an upstream header to help
     reduce dependencies going forward"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
  x86/CPU: Add Icelake model number
  x86/a.out: Clear the dump structure initially

Linux/linux dd6f29d arch/x86/events perf_event.h core.c, arch/x86/events/intel core.c

Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf fixes from Ingo Molnar:
 "Two fixes on the kernel side: fix an over-eager condition that failed
  larger perf ring-buffer sizes, plus fix crashes in the Intel BTS code
  for a corner case, found by fuzzing"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/core: Fix impossible ring-buffer sizes warning
  perf/x86: Add check_period PMU callback

Linux/linux c5f1ac5 arch/powerpc/include/asm/book3s/64 pgtable.h

Merge tag 'powerpc-5.0-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fix from Michael Ellerman:
 "Just one fix, for pgd/pud_present() which were broken on big endian
  since v4.20, leading to possible data corruption.

  Thanks to: Aneesh Kumar K.V., Erhard F., Jan Kara"

* tag 'powerpc-5.0-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/64s: Fix possible corruption on big endian due to pgd/pud_present()

Linux/linux 0513ebc arch/csky/include/asm pgtable.h processor.h, arch/csky/kernel dumpstack.c ptrace.c

Merge tag 'csky-for-linus-5.0-rc6' of git://github.com/c-sky/csky-linux

Pull arch/csky fixes from Guo Ren:
 "Here are some fixup patches for 5.0-rc6"

* tag 'csky-for-linus-5.0-rc6' of git://github.com/c-sky/csky-linux:
  csky: Fixup dead loop in show_stack
  csky: Fixup io-range page attribute for mmap("/dev/mem")
  csky: coding convention: Use task_stack_page
  csky: Fixup wrong pt_regs size
  csky: Fixup _PAGE_GLOBAL bit for 610 tlb entry

Linux/linux 1653c2f drivers/i2c/busses i2c-bcm2835.c i2c-cadence.c

Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c fixes from Wolfram Sang:
 "Two more driver bugfixes"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: bcm2835: Clear current buffer pointers and counts after a transfer
  i2c: cadence: Fix the hold bit setting

Linux/linux b8c82b6 drivers/input/keyboard qt2160.c cap11xx.c, drivers/input/misc apanel.c pwm-vibra.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:

 - tweaks to Elan drivers (both PS/2 and I2C) to support new devices.
   Also revert of one of IDs as that device should really be driven by
   i2c-hid + hid-multitouch

 - a few drivers have been switched to set_brightness_blocking() call
   because they either were sleeping in their set_brightness()
   implementation or used workqueue but were not canceling it on unbind.

 - ps2-gpio and matrix_keypad needed to [properly] flush their works to
   avoid potential use-after-free on unbind.

 - other miscellaneous fixes.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
  Input: st-keyscan - fix potential zalloc NULL dereference
  Input: apanel - switch to using brightness_set_blocking()
  Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
  Input: qt2160 - switch to using brightness_set_blocking()
  Input: matrix_keypad - use flush_delayed_work()
  Input: ps2-gpio - flush TX work when closing port

    [6 lines not shown]

Linux/linux ed0a0ec arch/arm64/kvm reset.c sys_regs.c, virt/kvm/arm psci.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "A somewhat bigger ARM update, and the usual smattering of x86 bug
  fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm: vmx: Fix entry number check for add_atomic_switch_msr()
  KVM: x86: Recompute PID.ON when clearing PID.SN
  KVM: nVMX: Restore a preemption timer consistency check
  x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available
  KVM: arm64: Forbid kprobing of the VHE world-switch code
  KVM: arm64: Relax the restriction on using stage2 PUD huge mapping
  arm: KVM: Add missing kvm_stage2_has_pmd() helper
  KVM: arm/arm64: vgic: Always initialize the group of private IRQs
  arm/arm64: KVM: Don't panic on failure to properly reset system registers
  arm/arm64: KVM: Allow a VCPU to fully reset itself
  KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded
  arm64: KVM: Don't generate UNDEF when LORegion feature is present
  KVM: arm/arm64: vgic: Make vgic_cpu->ap_list_lock a raw_spinlock
  KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock
  KVM: arm/arm64: vgic: Make vgic_irq->irq_lock a raw_spinlock

Linux/linux 7ad222b drivers/input/mouse elan_i2c_core.c

Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK

This adds ELAN0617 to the ACPI table to support Elan touchpad found in
Lenovo V330-15ISK.

Signed-off-by: Mauro Ciancio <mauro at acadeu.com>
Cc: stable at vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>

Linux/linux 6e1077f arch/mips/net ebpf_jit.c, include/linux skbuff.h

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Alexei Starovoitov says:

====================
pull-request: bpf 2019-02-16

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) fix lockdep false positive in bpf_get_stackid(), from Alexei.

2) several AF_XDP fixes, from Bjorn, Magnus, Davidlohr.

3) fix narrow load from struct bpf_sock, from Martin.

4) mips JIT fixes, from Paul.

5) gso handling fix in bpf helpers, from Willem.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 2439d37 drivers/input/keyboard st-keyscan.c

Input: st-keyscan - fix potential zalloc NULL dereference

This patch fixes the following static checker warning:

drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
error: potential zalloc NULL dereference: 'keypad_data->input_dev'

Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Gabriel Fernandez <gabriel.fernandez at st.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>

Linux/linux 1cd48dc drivers/input/misc apanel.c

Input: apanel - switch to using brightness_set_blocking()

Now that LEDs core allows "blocking" flavor of "set brightness" method we
can use it and get rid of private work item. As a bonus, we are no longer
forgetting to cancel it when we unbind the driver.

Reviewed-by: Sven Van Asbroeck <TheSven73 at gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>

Linux/linux a580076 arch/powerpc/include/asm/book3s/64 pgtable.h

powerpc/64s: Fix possible corruption on big endian due to pgd/pud_present()

In v4.20 we changed our pgd/pud_present() to check for _PAGE_PRESENT
rather than just checking that the value is non-zero, e.g.:

  static inline int pgd_present(pgd_t pgd)
  {
 -       return !pgd_none(pgd);
 +       return (pgd_raw(pgd) & cpu_to_be64(_PAGE_PRESENT));
  }

Unfortunately this is broken on big endian, as the result of the
bitwise & is truncated to int, which is always zero because
_PAGE_PRESENT is 0x8000000000000000ul. This means pgd_present() and
pud_present() are always false at compile time, and the compiler
elides the subsequent code.

Remarkably with that bug present we are still able to boot and run
with few noticeable effects. However under some work loads we are able
to trigger a warning in the ext4 code:

  WARNING: CPU: 11 PID: 29593 at fs/ext4/inode.c:3927 .ext4_set_page_dirty+0x70/0xb0
  CPU: 11 PID: 29593 Comm: debugedit Not tainted 4.20.0-rc1 #1
  ...
  NIP .ext4_set_page_dirty+0x70/0xb0

    [21 lines not shown]

Linux/linux 64c0133 arch/arm/boot/dts omap5-cm-t54.dts omap4-droid4-xt894.dts, arch/arm/mach-omap2 omap-wakeupgen.c cpuidle44xx.c

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Arnd Bergmann:
 "This week is a much smaller update, containing fixes only for TI OMAP,
  NXP i.MX and Rockchips platforms:

  omap:
   - omap4 had problems with lost timer interrupts
   - another IRQ handling issue with OMAP5
   - A workaround for a regression in the pwm-omap-dmtimer driver

  NXP i.MX:
   - eMMC was broken on the new imx8mq-evk board

  Rockchip:
   - a fix for new dtc graph warnings and a regulator fix for rock64
   - USB support broke on rk3328-rock64"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
  arm64: dts: imx8mq: Fix boot from eMMC
  ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
  ARM: dts: Configure clock parent for pwm vibra
  bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
  arm64: dts: rockchip: enable usb-host regulators at boot on rk3328-rock64

    [4 lines not shown]

Linux/linux 88fe73c fs/nfsd nfsctl.c, net/sunrpc/auth_gss gss_krb5_seqnum.c

Merge tag 'nfsd-5.0-2' of git://linux-nfs.org/~bfields/linux

Pull more nfsd fixes from Bruce Fields:
 "Two small fixes, one for crashes using nfs/krb5 with older enctypes,
  one that could prevent clients from reclaiming state after a kernel
  upgrade"

* tag 'nfsd-5.0-2' of git://linux-nfs.org/~bfields/linux:
  sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
  Revert "nfsd4: return default lease period"

Linux/linux 55638c5 fs/nfs write.c, net/sunrpc debugfs.c

Merge tag 'nfs-for-5.0-4' of git://git.linux-nfs.org/projects/anna/linux-nfs

Pull more NFS client fixes from Anna Schumaker:
 "Three fixes this time.

  Nicolas's is for xprtrdma completion vector allocation on single-core
  systems. Greg's adds an error check when allocating a debugfs dentry.
  And Ben's is an additional fix for nfs_page_async_flush() to prevent
  pages from accidentally getting truncated.

  Summary:

   - Make sure Send CQ is allocated on an existing compvec

   - Properly check debugfs dentry before using it

   - Don't use page_file_mapping() after removing a page"

* tag 'nfs-for-5.0-4' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Don't use page_file_mapping after removing the page
  rpc: properly check debugfs dentry before using it
  xprtrdma: Make sure Send CQ is allocated on an existing compvec

Linux/linux 9a7dcde drivers/auxdisplay ht16k33.c

Merge tag 'auxdisplay-for-linus-v5.0-rc7' of git://github.com/ojeda/linux

Pull auxdisplay fix from Miguel Ojeda:
 "Fix potential use-after-free on ht16k33 module unload. Reported by
  Sven Van Asbroeck"

* tag 'auxdisplay-for-linus-v5.0-rc7' of git://github.com/ojeda/linux:
  auxdisplay: ht16k33: fix potential user-after-free on module unload