1. 24 Jan, 2020 4 commits
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.5-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 3c45d751
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Some more powerpc fixes for 5.5:
         - Fix our hash MMU code to avoid having overlapping ids between user
           and kernel, which isn't as bad as it sounds but led to crashes on
           some machines.
         - A fix for the Power9 XIVE interrupt code, which could return the
           wrong interrupt state in obscure error conditions.
         - A minor Kconfig fix for the recently added CONFIG_PPC_UV code.
        Thanks to Aneesh Kumar K.V, Bharata B Rao, Cédric Le Goater, Frederic
      * tag 'powerpc-5.5-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm/hash: Fix sharing context ids between kernel & userspace
        powerpc/xive: Discard ESB load value when interrupt is invalid
        powerpc: Ultravisor: Fix the dependencies for CONFIG_PPC_UV
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-01-24' of git://anongit.freedesktop.org/drm/drm · 274adbff
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This one has a core mst fix and two i915 fixes. amdgpu just enables
        some hw outside experimental.
        The panfrost fix is a little bigger than I'd like at this stage but it
        fixes a fairly fundamental problem with global shared buffers in that
        driver, and since it's confined to that driver and I've taken a look
        at it, I think it's fine to get into the tree now, so it can get
        stable propagated as well.
         - Fix SST branch device handling
         - enable renoir outside experimental
         - Avoid overflow with huge userptr objects
         - uAPI fix to correctly handle negative values in
           engine->uabi_class/instance (cc: stable)
         - Fix mapping of globally visible BO's (Boris)"
      * tag 'drm-fixes-2020-01-24' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu: remove the experimental flag for renoir
        drm/panfrost: Add the panfrost_gem_mapping concept
        drm/i915: Align engine->uabi_class/instance with i915_drm.h
        drm/i915/userptr: fix size calculation
        drm/dp_mst: Handle SST-only branch device case
    • Christophe Leroy's avatar
      lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() · ab10ae1c
      Christophe Leroy authored
      The range passed to user_access_begin() by strncpy_from_user() and
      strnlen_user() starts at 'src' and goes up to the limit of userspace
      although reads will be limited by the 'count' param.
      On 32 bits powerpc (book3s/32) access has to be granted for each
      256Mbytes segment and the cost increases with the number of segments to
      Limit the range with 'count' param.
      Fixes: 594cc251
       ("make 'user_access_begin()' do 'access_ok()'")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge tag 'mmc-v5.5-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 838a860a
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "A couple of MMC host fixes:
         - sdhci: Fix minimum clock rate for v3 controllers
         - sdhci-tegra: Fix SDR50 tuning override
         - sdhci_am654: Fixup tuning issues and support for CQHCI
         - sdhci_am654: Remove wrong write protect flag"
      * tag 'mmc-v5.5-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci: fix minimum clock rate for v3 controller
        mmc: tegra: fix SDR50 tuning override
        mmc: sdhci_am654: Fix Command Queuing in AM65x
        mmc: sdhci_am654: Reset Command and Data line after tuning
        mmc: sdhci_am654: Remove Inverted Write Protect flag
  2. 23 Jan, 2020 11 commits
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.5-2020-01-23' of... · 49412f66
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.5-2020-01-23' of git://people.freedesktop.org/~agd5f/linux
       into drm-fixes
      - remove the experimental flag from renoir
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200123191424.3849-1-alexander.deucher@amd.com
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-01-23' of... · b5293714
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-01-23' of git://anongit.freedesktop.org/drm/drm-intel
       into drm-fixes
      - Avoid overflow with huge userptr objects
      - uAPI fix to correctly handle negative values in
        engine->uabi_class/instance (cc: stable)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200123135045.GA12584@jlahtine-desk.ger.corp.intel.com
    • Linus Torvalds's avatar
      Merge tag 'xarray-5.5' of git://git.infradead.org/users/willy/linux-dax · 4703d911
      Linus Torvalds authored
      Pull XArray fixes from Matthew Wilcox:
       "Primarily bugfixes, mostly around handling index wrap-around
        A couple of doc fixes and adding missing APIs.
        I had an oops live on stage at linux.conf.au this year, and it turned
        out to be a bug in xas_find() which I can't prove isn't triggerable in
        the current codebase. Then in looking for the bug, I spotted two more
        The bots have had a few days to chew on this with no problems
        reported, and it passes the test-suite (which now has more tests to
        make sure these problems don't come back)"
      * tag 'xarray-5.5' of git://git.infradead.org/users/willy/linux-dax:
        XArray: Add xa_for_each_range
        XArray: Fix xas_find returning too many entries
        XArray: Fix xa_find_after with multi-index entries
        XArray: Fix infinite loop with entry at ULONG_MAX
        XArray: Add wrappers for nested spinlocks
        XArray: Improve documentation of search marks
        XArray: Fix xas_pause at ULONG_MAX
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.5-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 34597c85
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Various tracing fixes:
         - Fix a function comparison warning for a xen trace event macro
         - Fix a double perf_event linking to a trace_uprobe_filter for
           multiple events
         - Fix suspicious RCU warnings in trace event code for using
           list_for_each_entry_rcu() when the "_rcu" portion wasn't needed.
         - Fix a bug in the histogram code when using the same variable
         - Fix a NULL pointer dereference when tracefs lockdown enabled and
           calling trace_set_default_clock()
         - A fix to a bug found with the double perf_event linking patch"
      * tag 'trace-v5.5-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing/uprobe: Fix to make trace_uprobe_filter alignment safe
        tracing: Do not set trace clock if tracefs lockdown is in effect
        tracing: Fix histogram code when expression has same var as value
        tracing: trigger: Replace unneeded RCU-list traversals
        tracing/uprobe: Fix double perf_event linking on multiprobe uprobe
        tracing: xen: Ordered comparison of function pointers
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.5-rc8' of https://github.com/ceph/ceph-client · fa0a4e3b
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "A fix for a potential use-after-free from Jeff, marked for stable"
      * tag 'ceph-for-5.5-rc8' of https://github.com/ceph/ceph-client:
        ceph: hold extra reference to r_parent over life of request
    • Linus Torvalds's avatar
      Merge tag 'pm-5.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3a83c8c8
      Linus Torvalds authored
      Pull power management fix from Rafael Wysocki:
       "Prevent the kernel from crashing during resume from hibernation if
        free pages contain leftover data from the restore kernel and
        init_on_free is set (Alexander Potapenko)"
      * tag 'pm-5.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM: hibernate: fix crashes with init_on_free=1
    • Linus Torvalds's avatar
      Merge tag 'pci-v5.5-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · a572582b
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Mark ATS as broken on AMD Navi14 GPU rev 0xc5 (Alex Deucher)"
      * tag 'pci-v5.5-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
    • Linus Torvalds's avatar
      readdir: make user_access_begin() use the real access range · 3c2659bd
      Linus Torvalds authored
      In commit 9f79b78e ("Convert filldir[64]() from __put_user() to
      unsafe_put_user()") I changed filldir to not do individual __put_user()
      accesses, but instead use unsafe_put_user() surrounded by the proper
      user_access_begin/end() pair.
      That make them enormously faster on modern x86, where the STAC/CLAC
      games make individual user accesses fairly heavy-weight.
      However, the user_access_begin() range was not really the exact right
      one, since filldir() has the unfortunate problem that it needs to not
      only fill out the new directory entry, it also needs to fix up the
      previous one to contain the proper file offset.
      It's unfortunate, but the "d_off" field in "struct dirent" is _not_ the
      file offset of the directory entry itself - it's the offset of the next
      one.  So we end up backfilling the offset in the previous entry as we
      walk along.
      But since x86 didn't really care about the exact range, and used to be
      the only architecture that did anything fancy in user_access_begin() to
      begin with, the filldir[64]() changes did something lazy, and even
      commented on it:
      	 * Note! This range-checks 'previous' (which may be NULL).
      	 * The real range was checked in getdents
      	if (!user_access_begin(dirent, sizeof(*dirent)))
      		goto efault;
      and it all worked fine.
      But now 32-bit ppc is starting to also implement user_access_begin(),
      and the fact that we faked the range to only be the (possibly not even
      valid) previous directory entry becomes a problem, because ppc32 will
      actually be using the range that is passed in for more than just "check
      that it's user space".
      This is a complete rewrite of Christophe's original patch.
      By saving off the record length of the previous entry instead of a
      pointer to it in the filldir data structures, we can simplify the range
      check and the writing of the previous entry d_off field.  No need for
      any conditionals in the user accesses themselves, although we retain the
      conditional EINTR checking for the "was this the first directory entry"
      signal handling latency logic.
      Fixes: 9f79b78e ("Convert filldir[64]() from __put_user() to unsafe_put_user()")
      Link: https://lore.kernel.org/lkml/a02d3426f93f7eb04960a4d9140902d278cab0bb.1579697910.git.christophe.leroy@c-s.fr/
      Link: https://lore.kernel.org/lkml/408c90c4068b00ea8f1c41cca45b84ec23d4946b.1579783936.git.christophe.leroy@c-s.fr/
      Reported-and-tested-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      readdir: be more conservative with directory entry names · 2c6b7bcd
      Linus Torvalds authored
      Commit 8a23eb80
       ("Make filldir[64]() verify the directory entry
      filename is valid") added some minimal validity checks on the directory
      entries passed to filldir[64]().  But they really were pretty minimal.
      This fleshes out at least the name length check: we used to disallow
      zero-length names, but really, negative lengths or oevr-long names
      aren't ok either.  Both could happen if there is some filesystem
      corruption going on.
      Now, most filesystems tend to use just an "unsigned char" or similar for
      the length of a directory entry name, so even with a corrupt filesystem
      you should never see anything odd like that.  But since we then use the
      name length to create the directory entry record length, let's make sure
      it actually is half-way sensible.
      Note how POSIX states that the size of a path component is limited by
      NAME_MAX, but we actually use PATH_MAX for the check here.  That's
      because while NAME_MAX is generally the correct maximum name length
      (it's 255, for the same old "name length is usually just a byte on
      disk"), there's nothing in the VFS layer that really cares.
      So the real limitation at a VFS layer is the total pathname length you
      can pass as a filename: PATH_MAX.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Alex Deucher's avatar
      drm/amdgpu: remove the experimental flag for renoir · 23fe1390
      Alex Deucher authored
      Should work properly with the latest sbios on 5.5 and newer
      Reviewed-by: default avatarHawking Zhang <Hawking.Zhang@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
    • Aneesh Kumar K.V's avatar
      powerpc/mm/hash: Fix sharing context ids between kernel & userspace · 5d2e5dd5
      Aneesh Kumar K.V authored
      Commit 0034d395 ("powerpc/mm/hash64: Map all the kernel regions in
      the same 0xc range") has a bug in the definition of MIN_USER_CONTEXT.
      The result is that the context id used for the vmemmap and the lowest
      context id handed out to userspace are the same. The context id is
      essentially the process identifier as far as the first stage of the
      MMU translation is concerned.
      This can result in multiple SLB entries with the same VSID (Virtual
      Segment ID), accessible to the kernel and some random userspace
      process that happens to get the overlapping id, which is not expected
        07 c00c000008000000 40066bdea7000500  1T  ESID=   c00c00  VSID=      66bdea7 LLP:100
        12 0002000008000000 40066bdea7000d80  1T  ESID=      200  VSID=      66bdea7 LLP:100
      Even though the user process and the kernel use the same VSID, the
      permissions in the hash page table prevent the user process from
      reading or writing to any kernel mappings.
      It can also lead to SLB entries with different base page size
      encodings (LLP), eg:
        05 c00c000008000000 00006bde0053b500 256M ESID=c00c00000  VSID=    6bde0053b LLP:100
        09 0000000008000000 00006bde0053bc80 256M ESID=        0  VSID=    6bde0053b LLP:  0
      Such SLB entries can result in machine checks, eg. as seen on a G5:
        Oops: Machine check, sig: 7 [#1]
        BE PAGE SIZE=64K MU-Hash SMP NR_CPUS=4 NUMA Power Mac
        NIP: c00000000026f248 LR: c000000000295e58 CTR: 0000000000000000
        REGS: c0000000erfd3d70 TRAP: 0200 Tainted: G M (5.5.0-rcl-gcc-8.2.0-00010-g228b667d8ea1)
        MSR: 9000000000109032 <SF,HV,EE,ME,IR,DR,RI> CR: 24282048 XER: 00000000
        DAR: c00c000000612c80 DSISR: 00000400 IRQMASK: 0
        NIP [c00000000026f248] .kmem_cache_free+0x58/0x140
        LR  [c088000008295e58] .putname 8x88/0xa
        Call Trace:
      This happens with 256MB segments and 64K pages, as the duplicate VSID
      is hit with the first vmemmap segment and the first user segment, and
      older 32-bit userspace maps things in the first user segment.
      On other CPUs a machine check is not seen. Instead the userspace
      process can get stuck continuously faulting, with the fault never
      properly serviced, due to the kernel not understanding that there is
      already a HPTE for the address but with inaccessible permissions.
      On machines with 1T segments we've not seen the bug hit other than by
      deliberately exercising it. That seems to be just a matter of luck
      though, due to the typical layout of the user virtual address space
      and the ranges of vmemmap that are typically populated.
      To fix it we add 2 to MIN_USER_CONTEXT. This ensures the lowest
      context given to userspace doesn't overlap with the VMEMMAP context,
      or with the context for INVALID_REGION_ID.
      Fixes: 0034d395
       ("powerpc/mm/hash64: Map all the kernel regions in the same 0xc range")
      Cc: stable@vger.kernel.org # v5.2+
      Reported-by: default avatarChristian Marillat <marillat@debian.org>
      Reported-by: default avatarRomain Dolbeau <romain@dolbeau.org>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      [mpe: Account for INVALID_REGION_ID, mostly rewrite change log]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20200123102547.11623-1-mpe@ellerman.id.au
  3. 22 Jan, 2020 13 commits
  4. 21 Jan, 2020 5 commits
  5. 20 Jan, 2020 5 commits
    • Masami Ichikawa's avatar
      tracing: Do not set trace clock if tracefs lockdown is in effect · bf24daac
      Masami Ichikawa authored
      When trace_clock option is not set and unstable clcok detected,
      tracing_set_default_clock() sets trace_clock(ThinkPad A285 is one of
      case). In that case, if lockdown is in effect, null pointer
      dereference error happens in ring_buffer_set_clock().
      Link: http://lkml.kernel.org/r/20200116131236.3866925-1-masami256@gmail.com
      Cc: stable@vger.kernel.org
      Fixes: 17911ff3 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1788488
      Signed-off-by: default avatarMasami Ichikawa <masami256@gmail.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    • Steven Rostedt (VMware)'s avatar
      tracing: Fix histogram code when expression has same var as value · 8bcebc77
      Steven Rostedt (VMware) authored
      While working on a tool to convert SQL syntex into the histogram language of
      the kernel, I discovered the following bug:
       # echo 'first u64 start_time u64 end_time pid_t pid u64 delta' >> synthetic_events
       # echo 'hist:keys=pid:start=common_timestamp' > events/sched/sched_waking/trigger
       # echo 'hist:keys=next_pid:delta=common_timestamp-$start,start2=$start:onmatch(sched.sched_waking).trace(first,$start2,common_timestamp,next_pid,$delta)' > events/sched/sched_switch/trigger
      Would not display any histograms in the sched_switch histogram side.
      But if I were to swap the location of
        "delta=common_timestamp-$start" with "start2=$start"
      Such that the last line had:
       # echo 'hist:keys=next_pid:start2=$start,delta=common_timestamp-$start:onmatch(sched.sched_waking).trace(first,$start2,common_timestamp,next_pid,$delta)' > events/sched/sched_switch/trigger
      The histogram works as expected.
      What I found out is that the expressions clear out the value once it is
      resolved. As the variables are resolved in the order listed, when
      The $start is cleared. When it gets to "start2=$start", it errors out with
      "unresolved symbol" (which is silent as this happens at the location of the
      trace), and the histogram is dropped.
      When processing the histogram for variable references, instead of adding a
      new reference for a variable used twice, use the same reference. That way,
      not only is it more efficient, but the order will no longer matter in
      processing of the variables.
      From Tom Zanussi:
       "Just to clarify some more about what the problem was is that without
        your patch, we would have two separate references to the same variable,
        and during resolve_var_refs(), they'd both want to be resolved
        separately, so in this case, since the first reference to start wasn't
        part of an expression, it wouldn't get the read-once flag set, so would
        be read normally, and then the second reference would do the read-once
        read and also be read but using read-once.  So everything worked and
        you didn't see a problem:
         from: start2=$start,delta=common_timestamp-$start
        In the second case, when you switched them around, the first reference
        would be resolved by doing the read-once, and following that the second
        reference would try to resolve and see that the variable had already
        been read, so failed as unset, which caused it to short-circuit out and
        not do the trigger action to generate the synthetic event:
         to: delta=common_timestamp-$start,start2=$start
        With your patch, we only have the single resolution which happens
        correctly the one time it's resolved, so this can't happen."
      Link: https://lore.kernel.org/r/20200116154216.58ca08eb@gandalf.local.home
      Cc: stable@vger.kernel.org
      Fixes: 067fe038
       ("tracing: Add variable reference handling to hist triggers")
      Reviewed-by: default avatarTom Zanuss <zanussi@kernel.org>
      Tested-by: default avatarTom Zanussi <zanussi@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    • Linus Torvalds's avatar
      Merge tag 'fixes_for_v5.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · d96d875e
      Linus Torvalds authored
      Pull reiserfs fix from Jan Kara:
       "A fixup of a recently merged reiserfs fix which has caused problem
        when xattrs were not compiled in"
      * tag 'fixes_for_v5.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr
    • Michał Mirosław's avatar
      mmc: sdhci: fix minimum clock rate for v3 controller · 2a187d03
      Michał Mirosław authored
      For SDHCIv3+ with programmable clock mode, minimal clock frequency is
      still base clock / max(divider). Minimal programmable clock frequency is
      always greater than minimal divided clock frequency. Without this patch,
      SDHCI uses out-of-spec initial frequency when multiplier is big enough:
      mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz
      [for 480 MHz source clock divided by 1024]
      The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode.
      Fixes: c3ed3877 ("mmc: sdhci: add support for programmable clock mode")
      Cc: <stable@vger.kernel.org> # 4f6aa326
      : mmc: tegra: Only advertise UHS modes if IO regulator is present
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMichał Mirosław <mirq-linux@rere.qmqm.pl>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
    • Linus Torvalds's avatar
      Linux 5.5-rc7 · def9d278
      Linus Torvalds authored
  6. 19 Jan, 2020 2 commits
    • Linus Torvalds's avatar
      Merge tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 7008ee12
      Linus Torvalds authored
      Pull RISC-V fixes from Paul Walmsley:
       "Three fixes for RISC-V:
         - Don't free and reuse memory containing the code that CPUs parked at
           boot reside in.
         - Fix rv64 build problems for ubsan and some modules by adding
           logical and arithmetic shift helpers for 128-bit values. These are
           from libgcc and are similar to what's present for ARM64.
         - Fix vDSO builds to clean up their own temporary files"
      * tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Less inefficient gcc tishift helpers (and export their symbols)
        riscv: delete temporary files
        riscv: make sure the cores stay looping in .Lsecondary_park
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 11a82729
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       1) Fix non-blocking connect() in x25, from Martin Schiller.
       2) Fix spurious decryption errors in kTLS, from Jakub Kicinski.
       3) Netfilter use-after-free in mtype_destroy(), from Cong Wang.
       4) Limit size of TSO packets properly in lan78xx driver, from Eric
       5) r8152 probe needs an endpoint sanity check, from Johan Hovold.
       6) Prevent looping in tcp_bpf_unhash() during sockmap/tls free, from
          John Fastabend.
       7) hns3 needs short frames padded on transmit, from Yunsheng Lin.
       8) Fix netfilter ICMP header corruption, from Eyal Birger.
       9) Fix soft lockup when low on memory in hns3, from Yonglong Liu.
      10) Fix NTUPLE firmware command failures in bnxt_en, from Michael Chan.
      11) Fix memory leak in act_ctinfo, from Eric Dumazet.
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (91 commits)
        cxgb4: reject overlapped queues in TC-MQPRIO offload
        cxgb4: fix Tx multi channel port rate limit
        net: sched: act_ctinfo: fix memory leak
        bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
        bnxt_en: Fix ipv6 RFS filter matching logic.
        bnxt_en: Fix NTUPLE firmware command failures.
        net: systemport: Fixed queue mapping in internal ring map
        net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
        net: dsa: sja1105: Don't error out on disabled ports with no phy-mode
        net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset
        net: hns: fix soft lockup when there is not enough memory
        net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
        net/sched: act_ife: initalize ife->metalist earlier
        netfilter: nat: fix ICMP header corruption on ICMP errors
        net: wan: lapbether.c: Use built-in RCU list checking
        netfilter: nf_tables: fix flowtable list del corruption
        netfilter: nf_tables: fix memory leak in nf_tables_parse_netdev_hooks()
        netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
        netfilter: nft_tunnel: ERSPAN_VERSION must not be null
        netfilter: nft_tunnel: fix null-attribute check