FreshBSD

nfsd: replace Jeff by Chuck as nfsd co-maintainer

Jeff's picking up more responsibilities elsewhere, and Chuck's agreed to
take over.

For now, as before, nothing's changing day-to-day, but I want to have a
co-maintainer if only for bus factor.

Acked-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fix from Rafael Wysocki:
 "Prevent PCI bridges in general (and PCIe ports in particular) from
  being put into low-power states during system-wide suspend transitions
  if there are any devices in D0 below them and refine the handling of
  PCI devices in D0 during suspend-to-idle cycles"

* tag 'pm-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PCI: PM: Skip devices in D0 for suspend-to-idle

Merge tag 'apparmor-pr-2019-06-18' of 
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor bug fixes from John Johansen:

 - fix PROFILE_MEDIATES for untrusted input

 - enforce nullbyte at end of tag string

 - reset pos on failure to unpack for various functions

* tag 'apparmor-pr-2019-06-18' of 
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: reset pos on failure to unpack for various functions
  apparmor: enforce nullbyte at end of tag string
  apparmor: fix PROFILE_MEDIATES for untrusted input

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input updates from Dmitry Torokhov:
 "Just a few small fixups and switching a couple of Thinkpads to SMBus
  for touchpads as PS/2 emulation is not working well"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics - enable SMBus on ThinkPad E480 and E580
  Input: imx_keypad - make sure keyboard can always wake up system
  Input: iqs5xx - get axis info before calling input_mt_init_slots()
  Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
  Input: silead - add MSSL0017 to acpi_device_id
  Input: elantech - enable middle button support on 2 ThinkPads
  Input: elan_i2c - increment wakeup count if wake source

apparmor: fix PROFILE_MEDIATES for untrusted input

While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure
every profile has a policy.dfa it does not resize the policy.start[]
to have entries for every possible start value. Which means
PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
take into account the start value usage.

The input string in profile_query_cb() is user controlled and is not
properly checked to be within the limited start[] entries, even worse
it can't be as userspace policy is allowed to make us of entries types
the kernel does not know about. This mean usespace can currently cause
the kernel to access memory up to 240 entries beyond the start array
bounds.

Cc: stable at vger.kernel.org
Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
Signed-off-by: John Johansen <john.johansen at canonical.com>

apparmor: enforce nullbyte at end of tag string

A packed AppArmor policy contains null-terminated tag strings that are read
by unpack_nameX(). However, unpack_nameX() uses string functions on them
without ensuring that they are actually null-terminated, potentially
leading to out-of-bounds accesses.

Make sure that the tag string is null-terminated before passing it to
strcmp().

Cc: stable at vger.kernel.org
Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Signed-off-by: Jann Horn <jannh at google.com>
Signed-off-by: John Johansen <john.johansen at canonical.com>

apparmor: reset pos on failure to unpack for various functions

Each function that manipulates the aa_ext struct should reset it's "pos"
member on failure. This ensures that, on failure, no changes are made to
the state of the aa_ext struct.

There are paths were elements are optional and the error path is
used to indicate the optional element is not present. This means
instead of just aborting on error the unpack stream can become
unsynchronized on optional elements, if using one of the affected
functions.

Cc: stable at vger.kernel.org
Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Signed-off-by: Mike Salvatore <mike.salvatore at canonical.com>
Signed-off-by: John Johansen <john.johansen at canonical.com>

Merge tag 'for-5.2-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:

 - regression where properties stored as xattrs are not properly
   persisted

 - a small readahead fix (the fstests testcase for that fix hangs on
   unpatched kernel, so we'd like get it merged to ease future testing)

 - fix a race during block group creation and deletion

* tag 'for-5.2-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  Btrfs: fix failure to persist compression property xattr deletion on fsync
  btrfs: start readahead also in seed devices
  Btrfs: fix race between block group removal and block group allocation

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Olof Johansson:
 "I've been bad at collecting fixes this release cycle, so this is a
  fairly large batch that's been trickling in for a while.

  It's the usual mix, more or less.

  Some of the bigger things fixed:

   - Voltage fix for MMC on TI DRA7 that sometimes would overvoltage
     cards

   - Regression fixes for D_CAN on am355x

   - i.MX6SX cpuidle fix to deal with wakeup latency (dropped uart
     chars)

   - DT fixes for some DRA7 variants that don't share the superset of
     blocks on the chip

  plus the usual mix of stuff: minor build/warning fixes, Kconfig
  dependencies, and some DT fixlets"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (28 

    [22 lines not shown]

Merge tag 'meminit-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull stack init fix from Kees Cook:
 "This is a small update to the stack auto-initialization self-test code
  to deal with the Clang initialization pattern.

  It's been in linux-next for a couple weeks; I had waited a bit
  wondering if anything more substantial was going to show up, but
  nothing has, so I'm sending this now before it gets too late"

* tag 'meminit-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  lib/test_stackinit: Handle Clang auto-initialization pattern

soc: ixp4xx: npe: Fix an IS_ERR() vs NULL check in probe

The devm_ioremap_resource() function doesn't return NULL, it returns
error pointers.

Fixes: 0b458d7b10f8 ("soc: ixp4xx: npe: Pass addresses as resources")
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Reviewed-by: Linus Walleij <linus.walleij at linaro.org>
Signed-off-by: Olof Johansson <olof at lixom.net>

ARM: ixp4xx: include irqs.h where needed

Multiple ixp4xx specific files require macros from irqs.h that
were moved out from mach/irqs.h, e.g.:

arch/arm/mach-ixp4xx/vulcan-pci.c:41:19: error: this function declaration is not a 
prototype [-Werror,-Wstrict-prototypes]
arch/arm/mach-ixp4xx/vulcan-pci.c:49:10: error: implicit declaration of function 
'IXP4XX_GPIO_IRQ' [-Werror,-Wimplicit-function-declaration]
                return IXP4XX_GPIO_IRQ(INTA);

Include this header in all files that failed to build because of
that.

Fixes: dc8ef8cd3a05 ("ARM: ixp4xx: Convert to SPARSE_IRQ")
Signed-off-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Olof Johansson <olof at lixom.net>

ARM: ixp4xx: mark ixp4xx_irq_setup as __init

Kbuild complains about ixp4xx_irq_setup not being __init
itself in some configurations:

WARNING: vmlinux.o(.text+0x85bae4): Section mismatch in reference from the function 
ixp4xx_irq_setup() to the function .init.text:set_handle_irq()
The function ixp4xx_irq_setup() references
the function __init set_handle_irq().
This is often because ixp4xx_irq_setup lacks a __init
annotation or the annotation of set_handle_irq is wrong.

I suspect it normally gets inlined, so we get no such warning,
but clang makes this obvious when the function is left out
of line.

Signed-off-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Olof Johansson <olof at lixom.net>

ARM: ixp4xx: don't select SERIAL_OF_PLATFORM

Platforms should not normally select all the device drivers, leave that
up to the user and the defconfig file.

In this case, we get a warning for randconfig builds:

WARNING: unmet direct dependencies detected for SERIAL_OF_PLATFORM
  Depends on [n]: TTY [=y] && HAS_IOMEM [=y] && SERIAL_8250 [=n] && OF [=y]
  Selected by [y]:
  - MACH_IXP4XX_OF [=y] && ARCH_IXP4XX [=y]

Fixes: 9540724ca29d ("ARM: ixp4xx: Add device tree boot support")
Signed-off-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Olof Johansson <olof at lixom.net>

firmware: trusted_foundations: add ARMv7 dependency

The "+sec" extension is invalid for older ARM architectures, but
the code can now be built on any ARM configuration:

/tmp/trusted_foundations-2d0882.s: Assembler messages:
/tmp/trusted_foundations-2d0882.s:194: Error: architectural extension `sec' is not allowed 
for the current base architecture
/tmp/trusted_foundations-2d0882.s:201: Error: selected processor does not support `smc #0' 
in ARM mode
/tmp/trusted_foundations-2d0882.s:213: Error: architectural extension `sec' is not allowed 
for the current base architecture
/tmp/trusted_foundations-2d0882.s:220: Error: selected processor does not support `smc #0' 
in ARM mode

Add a dependency on ARMv7 for the build.

Fixes: 4cb5d9eca143 ("firmware: Move Trusted Foundations support")
Signed-off-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Olof Johansson <olof at lixom.net>

Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull vfs fixes from Al Viro:
 "MS_MOVE regression fix + breakage in fsmount(2) (also introduced in
  this cycle, along with fsmount(2) itself).

  I'm still digging through the piles of mail, so there might be more
  fixes to follow, but these two are obvious and self-contained, so
  there's no point delaying those..."

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fs/namespace: fix unprivileged mount propagation
  vfs: fsmount: add missing mntget()

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "Lots of bug fixes here:

   1) Out of bounds access in __bpf_skc_lookup, from Lorenz Bauer.

   2) Fix rate reporting in cfg80211_calculate_bitrate_he(), from John
      Crispin.

   3) Use after free in psock backlog workqueue, from John Fastabend.

   4) Fix source port matching in fdb peer flow rule of mlx5, from Raed
      Salem.

   5) Use atomic_inc_not_zero() in fl6_sock_lookup(), from Eric Dumazet.

   6) Network header needs to be set for packet redirect in nfp, from
      John Hurley.

   7) Fix udp zerocopy refcnt, from Willem de Bruijn.

   8) Don't assume linear buffers in vxlan and geneve error handlers,
      from Stefano Brivio.


    [35 lines not shown]

fs/namespace: fix unprivileged mount propagation

When propagating mounts across mount namespaces owned by different user
namespaces it is not possible anymore to move or umount the mount in the
less privileged mount namespace.

Here is a reproducer:

  sudo mount -t tmpfs tmpfs /mnt
  sudo --make-rshared /mnt

  # create unprivileged user + mount namespace and preserve propagation
  unshare -U -m --map-root --propagation=unchanged

  # now change back to the original mount namespace in another terminal:
  sudo mkdir /mnt/aaa
  sudo mount -t tmpfs tmpfs /mnt/aaa

  # now in the unprivileged user + mount namespace
  mount --move /mnt/aaa /opt

Unfortunately, this is a pretty big deal for userspace since this is
e.g. used to inject mounts into running unprivileged containers.
So this regression really needs to go away rather quickly.


    [13 lines not shown]

vfs: fsmount: add missing mntget()

sys_fsmount() needs to take a reference to the new mount when adding it
to the anonymous mount namespace.  Otherwise the filesystem can be
unmounted while it's still in use, as found by syzkaller.

Reported-by: Mark Rutland <mark.rutland at arm.com>
Reported-by: syzbot+99de05d099a170867f22 at syzkaller.appspotmail.com
Reported-by: syzbot+7008b8b8ba7df475fdc8 at syzkaller.appspotmail.com
Fixes: 93766fbd2696 ("vfs: syscall: Add fsmount() to create a mount for a superblock")
Signed-off-by: Eric Biggers <ebiggers at google.com>
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>

Merge branch 'tcp-fixes'

Eric Dumazet says:

====================
tcp: make sack processing more robust

Jonathan Looney brought to our attention multiple problems
in TCP stack at the sender side.

SACK processing can be abused by malicious peers to either
cause overflows, or increase of memory usage.

First two patches fix the immediate problems.

Since the malicious peers abuse senders by advertizing a very
small MSS in their SYN or SYNACK packet, the last two
patches add a new sysctl so that admins can chose a higher
limit for MSS clamping.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Merge tag 'riscv-for-v5.2/fixes-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Paul Walmsley:
 "This contains fixes, defconfig, and DT data changes for the v5.2-rc
  series.

  The fixes are relatively straightforward:

   - Addition of a TLB fence in the vmalloc_fault path, so the CPU
     doesn't enter an infinite page fault loop

   - Readdition of the pm_power_off export, so device drivers that
     reassign it can now be built as modules

   - A udelay() fix for RV32, fixing a miscomputation of the delay time

   - Removal of deprecated smp_mb__*() barriers

  This also adds initial DT data infrastructure for arch/riscv, along
  with initial data for the SiFive FU540-C000 SoC and the corresponding
  HiFive Unleashed board.

  We also update the RV64 defconfig to include some core drivers for the
  FU540 in the build"

    [13 lines not shown]

Btrfs: fix failure to persist compression property xattr deletion on fsync

After the recent series of cleanups in the properties and xattrs modules
that landed in the 5.2 merge window, we ended up with a regression where
after deleting the compression xattr property through the setflags ioctl,
we don't set the BTRFS_INODE_COPY_EVERYTHING flag in the inode anymore.
As a consequence, if the inode was fsync'ed when it had the compression
property set, after deleting the compression property through the setflags
ioctl and fsync'ing again the inode, the log will still contain the
compression xattr, because the inode did not had that bit set, which
made the fsync not delete all xattrs from the log and copy all xattrs
from the subvolume tree to the log tree.

This regression happens due to the fact that that series of cleanups
made btrfs_set_prop() call the old function do_setxattr() (which is now
named btrfs_setxattr()), and not the old version of btrfs_setxattr(),
which is now called btrfs_setxattr_trans().

Fix this by setting the BTRFS_INODE_COPY_EVERYTHING bit in the current
btrfs_setxattr() function and remove it from everywhere else, including
its setup at btrfs_ioctl_setflags(). This is cleaner, avoids similar
regressions in the future, and centralizes the setup of the bit. After
all, the need to setup this bit should only be in the xattrs module,
since it is an implementation of xattrs.


    [4 lines not shown]

riscv: remove unused barrier defines

They were introduced in commit fab957c11efe ("RISC-V: Atomic and
Locking Code") long after commit 2e39465abc4b ("locking: Remove
deprecated smp_mb__() barriers") removed the remnants of all previous
instances from the tree.

Signed-off-by: Rolf Eike Beer <eb at emlix.com>
[paul.walmsley at sifive.com: stripped spurious mbox header from patch
 description; fixed commit references in patch header]
Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>

MAINTAINERS: Change QCOM repo location

This patch updates the Qualcomm SoC repo to a new location.

Signed-off-by: Andy Gross <agross at kernel.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson at linaro.org>
Signed-off-by: Olof Johansson <olof at lixom.net>

riscv: mm: synchronize MMU after pte change

Because RISC-V compliant implementations can cache invalid entries
in TLB, an SFENCE.VMA is necessary after changes to the page table.
This patch adds an SFENCE.vma for the vmalloc_fault path.

Signed-off-by: ShihPo Hung <shihpo.hung at sifive.com>
[paul.walmsley at sifive.com: reversed tab->whitespace conversion,
 wrapped comment lines]
Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Cc: Palmer Dabbelt <palmer at sifive.com>
Cc: Albert Ou <aou at eecs.berkeley.edu>
Cc: Paul Walmsley <paul.walmsley at sifive.com>
Cc: linux-riscv at lists.infradead.org
Cc: stable at vger.kernel.org

riscv: dts: add initial board data for the SiFive HiFive Unleashed

Add initial board data for the SiFive HiFive Unleashed A00.

Currently the data populated in this DT file describes the board
DRAM configuration and the external clock sources that supply the
PRCI.

Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Signed-off-by: Paul Walmsley <paul at pwsan.com>
Tested-by: Loys Ollivier <lollivier at baylibre.com>
Tested-by: Kevin Hilman <khilman at baylibre.com>
Cc: Rob Herring <robh+dt at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Palmer Dabbelt <palmer at sifive.com>
Cc: Albert Ou <aou at eecs.berkeley.edu>
Cc: Antony Pavlov <antonynpavlov at gmail.com>
Cc: devicetree at vger.kernel.org
Cc: linux-riscv at lists.infradead.org
Cc: linux-kernel at vger.kernel.org

riscv: dts: add initial support for the SiFive FU540-C000 SoC

Add initial support for the SiFive FU540-C000 SoC.  This is a 28nm SoC
based around the SiFive U54-MC core complex and a TileLink
interconnect.

This file is expected to grow as more device drivers are added to the
kernel.

This patch includes a fix to the QSPI memory map due to a
documentation bug, found by ShihPo Hung <shihpo.hung at sifive.com>, adds
entries for the I2C controller, and merges all DT changes that
formerly were made dynamically by the riscv-pk BBL proxy kernel.

Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Signed-off-by: Paul Walmsley <paul at pwsan.com>
Tested-by: Loys Ollivier <lollivier at baylibre.com>
Tested-by: Kevin Hilman <khilman at baylibre.com>
Cc: Rob Herring <robh+dt at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Palmer Dabbelt <palmer at sifive.com>
Cc: Albert Ou <aou at eecs.berkeley.edu>
Cc: ShihPo Hung <shihpo.hung at sifive.com>
Cc: devicetree at vger.kernel.org
Cc: linux-riscv at lists.infradead.org
Cc: linux-kernel at vger.kernel.org

dt-bindings: riscv: convert cpu binding to json-schema

At Rob's request, we're starting to migrate our DT binding
documentation to json-schema YAML format.  Start by converting our cpu
binding documentation.  While doing so, document more properties and
nodes.  This includes adding binding documentation support for the E51
and U54 CPU cores ("harts") that are present on this SoC.  These cores
are described in:

    https://static.dev.sifive.com/FU540-C000-v1.0.pdf

This cpus.yaml file is intended to be a starting point and to
evolve over time.  It passes dt-doc-validate as of the yaml-bindings
commit 4c79d42e9216.

This patch was originally based on the ARM json-schema binding
documentation as added by commit 672951cbd1b7 ("dt-bindings: arm: Convert
cpu binding to json-schema").

Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Signed-off-by: Paul Walmsley <paul at pwsan.com>
Reviewed-by: Rob Herring <robh at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi at arm.com>
Cc: devicetree at vger.kernel.org

    [2 lines not shown]

dt-bindings: riscv: sifive: add YAML documentation for the SiFive FU540

Add YAML DT binding documentation for the SiFive FU540 SoC.  This
SoC is documented at:

    https://static.dev.sifive.com/FU540-C000-v1.0.pdf

Passes dt-doc-validate, as of yaml-bindings commit 4c79d42e9216.

Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Signed-off-by: Paul Walmsley <paul at pwsan.com>
Reviewed-by: Rob Herring <robh at kernel.org>
Cc: Rob Herring <robh+dt at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Palmer Dabbelt <palmer at sifive.com>
Cc: Albert Ou <aou at eecs.berkeley.edu>
Cc: devicetree at vger.kernel.org
Cc: linux-riscv at lists.infradead.org
Cc: linux-kernel at vger.kernel.org

arch: riscv: add support for building DTB files from DT source data

Similar to ARM64, add support for building DTB files from DT source
data for RISC-V boards.

This patch starts with the infrastructure needed for SiFive boards.
Boards from other vendors would add support here in a similar form.

Signed-off-by: Paul Walmsley <paul.walmsley at sifive.com>
Signed-off-by: Paul Walmsley <paul at pwsan.com>
Tested-by: Loys Ollivier <lollivier at baylibre.com>
Tested-by: Kevin Hilman <khilman at baylibre.com>
Cc: Palmer Dabbelt <palmer at sifive.com>
Cc: Albert Ou <aou at eecs.berkeley.edu>

lapb: fixed leak of control-blocks.

lapb_register calls lapb_create_cb, which initializes the control-
block's ref-count to one, and __lapb_insert_cb, which increments it when
adding the new block to the list of blocks.

lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
when removing control-block from the list of blocks, and calls lapb_put
itself to decrement the ref-count before returning.

However, lapb_unregister also calls __lapb_devtostruct to look up the
right control-block for the given net_device, and __lapb_devtostruct
also bumps the ref-count, which means that when lapb_unregister returns
the ref-count is still 1 and the control-block is leaked.

Call lapb_put after __lapb_devtostruct to fix leak.

Reported-by: syzbot+afb980676c836b4a0afa at syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden <jeremy at azazel.net>
Signed-off-by: David S. Miller <davem at davemloft.net>

tipc: purge deferredq list for each grp member in tipc_group_delete

Syzbot reported a memleak caused by grp members' deferredq list not
purged when the grp is be deleted.

The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in
tipc_group_filter_msg() and the skb will stay in deferredq.

So fix it by calling __skb_queue_purge for each member's deferredq
in tipc_group_delete() when a tipc sk leaves the grp.

Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast")
Reported-by: syzbot+78fbe679c8ca8d264a8d at syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin at gmail.com>
Acked-by: Ying Xue <ying.xue at windriver.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

ax25: fix inconsistent lock state in ax25_destroy_timer

Before thread in process context uses bh_lock_sock()
we must disable bh.

sysbot reported :

WARNING: inconsistent lock state
5.2.0-rc3+ #32 Not tainted

inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes:
00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 
[inline]
00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 
net/ax25/af_ax25.c:275
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:338 [inline]
  ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429
  ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221
  __sys_connect+0x264/0x330 net/socket.c:1834
  __do_sys_connect net/socket.c:1845 [inline]

    [75 lines not shown]

neigh: fix use-after-free read in pneigh_get_next

Nine years ago, I added RCU handling to neighbours, not pneighbours.
(pneigh are not commonly used)

Unfortunately I missed that /proc dump operations would use a
common entry and exit point : neigh_seq_start() and neigh_seq_stop()

We need to read_lock(tbl->lock) or risk use-after-free while
iterating the pneigh structures.

We might later convert pneigh to RCU and revert this patch.

sysbot reported :

BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825

CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317

    [118 lines not shown]

tcp: fix compile error if !CONFIG_SYSCTL

tcp_tx_skb_cache_key and tcp_rx_skb_cache_key must be available
even if CONFIG_SYSCTL is not set.

Fixes: 0b7d7f6b2208 ("tcp: add tcp_tx_skb_cache sysctl")
Fixes: ede61ca474a0 ("tcp: add tcp_rx_skb_cache sysctl")
Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: Willem de Bruijn <willemb at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

hv_sock: Suppress bogus "may be used uninitialized" warnings

gcc 8.2.0 may report these bogus warnings under some condition:

warning: ‘vnew’ may be used uninitialized in this function
warning: ‘hvs_new’ may be used uninitialized in this function

Actually, the 2 pointers are only initialized and used if the variable
"conn_from_host" is true. The code is not buggy here.

Signed-off-by: Dexuan Cui <decui at microsoft.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

be2net: Fix number of Rx queues used for flow hashing

Number of Rx queues used for flow hashing returned by the driver is
incorrect and this bug prevents user to use the last Rx queue in
indirection table.

Let's say we have a NIC with 6 combined queues:

[root at sm-03 ~]# ethtool -l enp4s0f0
Channel parameters for enp4s0f0:
Pre-set maximums:
RX:             5
TX:             5
Other:          0
Combined:       6
Current hardware settings:
RX:             0
TX:             0
Other:          0
Combined:       6

Default indirection table maps all (6) queues equally but the driver
reports only 5 rings available.

[root at sm-03 ~]# ethtool -x enp4s0f0

    [26 lines not shown]

net: handle 802.1P vlan 0 packets properly

When stack receives pkt: [802.1P vlan 0][802.1AD vlan 100][IPv4],
vlan_do_receive() returns false if it does not find vlan_dev. Later
__netif_receive_skb_core() fails to find packet type handler for
skb->protocol 801.1AD and drops the packet.

801.1P header with vlan id 0 should be handled as untagged packets.
This patch fixes it by checking if vlan_id is 0 and processes next vlan
header.

Signed-off-by: Govindarajulu Varadarajan <gvaradar at cisco.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Merge tag 'omap-for-v5.2/fixes-rc4' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

Fixes for omap variants

Three fixes mostly for dra7 SoC variants that have some devices disabled
compared to the base SoC. These got broken by the change of making devices
probe with ti-sysc interconnect target module and went unnnoticed for a
while. And there is no clkcel bit for timer12 unlike timer1. Also included
is a GPIO direction fix for phytec SDIO card detection.

* tag 'omap-for-v5.2/fixes-rc4' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: dts: am335x phytec boards: Fix cd-gpios active level
  ARM: dts: dra72x: Disable usb4_tm target module
  ARM: dts: Drop bogus CLKSEL for timer12 on dra7

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'davinci-fixes-for-v5.2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into fixes

DaVinci fixes for v5.2 kernel.

This addresses an issue with probe of IO expander on DA850 EVM. There is
also a WARN_ON() fix on DA850 and DA830 devices.

* tag 'davinci-fixes-for-v5.2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci:
  ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
  ARM: davinci: da850-evm: call regulator_has_full_constraints()

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'mvebu-fixes-5.2-1' of git://git.infradead.org/linux-mvebu into fixes

mvebu fixes for 5.2 (part 1)

Fixing defconfig allowing to use Ethernet again on Armada 38x based
boards

* tag 'mvebu-fixes-5.2-1' of git://git.infradead.org/linux-mvebu:
  ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'am654-fixes-for-v5.2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/kristo/linux into fixes

Texas Instruments AM65x fixes for v5.2

- Fix up a Kbuild warning when SOC_TI is not set

* tag 'am654-fixes-for-v5.2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/kristo/linux:
  arm64: arch_k3: Fix kconfig dependency warning

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'arm-soc/for-5.2/devicetree-fixes' of https://github.com/Broadcom/stblinux into 
fixes

This pull request contains Broadcom ARM-based SoCs Device Tree fixes for
5.2-rc1, please pull the following:

- Florian fixes the remaining Broadcom DTS files to have a valid
device_type = "memory" property which was missed during the removal of
skeleton.dtsi

* tag 'arm-soc/for-5.2/devicetree-fixes' of https://github.com/Broadcom/stblinux:
  ARM: dts: bcm: Add missing device_type = "memory" property

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'omap-for-v5.2/fixes-rc2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

Fixes for omap variants for dra7 mmc voltage and boot issues

This series contains dra7 mmc voltage fixes, and fixes to the recent
changes to probe devices with device tree data insteas of legacy
platform data:

- Two fixes for dra7 mmc that needs 1.8V mode disabled as in case of a
  reset, the bootrom will try to access the mmc card at 3.3V potentially
  damaging the card

- Two regression fixes for am335x d_can. We must allow devices with no
  control registers for ti-sysc interconnect target module driver for
  at least d_can, and we remove the incorrect control registers for
  d_can. And we must configure the osc clock for d_can as otherwise
  register access may fail depending on the bootloader version

- Four regression fixes for dra7 variant dts files to tag rtc and usb4
  as disabled for dra71x and dra76x. These SoC variants do not have
  these devices, and got accidentally enabled when the L4 interconnect
  got defined in the dra7-l4.dtsi for the dra7 SoC family

* tag 'omap-for-v5.2/fixes-rc2' of 

    [11 lines not shown]

Merge tag 'imx-fixes-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux 
into fixes

i.MX fixes for 5.2:
 - A build fix for soc-imx8 driver which needs SOC_BUS support.  To
   avoid dealing with the dependency for every single i.MX SoC bus
   driver, we selects at from architecture level.
 - A fix on i.MX SCU firmware driver to ensure SCU irq is enabled only
   after IPC is ready.
 - A regression fix on cpuidle-imx6sx driver, which causes some
   characters loss on serial communication.

* tag 'imx-fixes-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
  ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
  firmware: imx: SCU irq should ONLY be enabled after SCU IPC is ready
  arm64: imx: Fix build error without CONFIG_SOC_BUS

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'arm-soc/for-5.2/maintainers' of https://github.com/Broadcom/stblinux into fixes

This pull request contains MAINTAINERS file update for Broadcom
ARM/ARM64 SoCs, please pull the following:

- Stefan updates his email address under the BCM2835 entry

* tag 'arm-soc/for-5.2/maintainers' of https://github.com/Broadcom/stblinux:
  MAINTAINERS: Update Stefan Wahren email address

Signed-off-by: Olof Johansson <olof at lixom.net>

Merge tag 'arm-soc/for-5.2/drivers-fixes' of https://github.com/Broadcom/stblinux into 
fixes

This pull request contains Broadcom ARM/ARM64/MIPS SoCs device drivers
fixes for 5.2-rc1, please pull the following:

- Florian fixes the biuctrl driver not to create an error condition/path
  upon unsupported CPU and also fixes the biuctrl driver writes to used
  a data barrier which is necessary given the HW block design

* tag 'arm-soc/for-5.2/drivers-fixes' of https://github.com/Broadcom/stblinux:
  soc: bcm: brcmstb: biuctrl: Register writes require a barrier
  soc: brcmstb: Fix error path for unsupported CPUs

Signed-off-by: Olof Johansson <olof at lixom.net>

Linux 5.2-rc5

Merge branch 'x86-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
 "The accumulated fixes from this and last week:

   - Fix vmalloc TLB flush and map range calculations which lead to
     stale TLBs, spurious faults and other hard to diagnose issues.

   - Use fault_in_pages_writable() for prefaulting the user stack in the
     FPU code as it's less fragile than the current solution

   - Use the PF_KTHREAD flag when checking for a kernel thread instead
     of current->mm as the latter can give the wrong answer due to
     use_mm()

   - Compute the vmemmap size correctly for KASLR and 5-Level paging.
     Otherwise this can end up with a way too small vmemmap area.

   - Make KASAN and 5-level paging work again by making sure that all
     invalid bits are masked out when computing the P4D offset. This
     worked before but got broken recently when the LDT remap area was
     moved.

   - Prevent a NULL pointer dereference in the resource control code

    [29 lines not shown]

Merge branch 'timers-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fixes from Thomas Gleixner:
 "A set of small fixes:

   - Repair the ktime_get_coarse() functions so they actually deliver
     what they are supposed to: tick granular time stamps. The current
     code missed to add the accumulated nanoseconds part of the
     timekeeper so the resulting granularity was 1 second.

   - Prevent the tracer from infinitely recursing into time getter
     functions in the arm architectured timer by marking these functions
     notrace

   - Fix a trivial compiler warning caused by wrong qualifier ordering"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  timekeeping: Repair ktime_get_coarse*() granularity
  clocksource/drivers/arm_arch_timer: Don't trace count reader functions
  clocksource/drivers/timer-ti-dm: Change to new style declaration