Contents of /trunk/kernel-alx-legacy/patches-4.9/0357-4.9.258-all-fixes.patch
Parent Directory | Revision Log
Revision 3659 -
(show annotations)
(download)
Mon Oct 24 14:07:37 2022 UTC (23 months ago) by niro
File size: 75830 byte(s)
-linux-4.9.258
1 | diff --git a/Makefile b/Makefile |
2 | index e53096154f816..e5955f122ffd3 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,6 +1,6 @@ |
6 | VERSION = 4 |
7 | PATCHLEVEL = 9 |
8 | -SUBLEVEL = 257 |
9 | +SUBLEVEL = 258 |
10 | EXTRAVERSION = |
11 | NAME = Roaring Lionus |
12 | |
13 | @@ -762,6 +762,13 @@ ifdef CONFIG_FUNCTION_TRACER |
14 | ifndef CC_FLAGS_FTRACE |
15 | CC_FLAGS_FTRACE := -pg |
16 | endif |
17 | +ifdef CONFIG_FTRACE_MCOUNT_RECORD |
18 | + # gcc 5 supports generating the mcount tables directly |
19 | + ifeq ($(call cc-option-yn,-mrecord-mcount),y) |
20 | + CC_FLAGS_FTRACE += -mrecord-mcount |
21 | + export CC_USING_RECORD_MCOUNT := 1 |
22 | + endif |
23 | +endif |
24 | export CC_FLAGS_FTRACE |
25 | ifdef CONFIG_HAVE_FENTRY |
26 | CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY) |
27 | diff --git a/arch/arm/boot/dts/lpc32xx.dtsi b/arch/arm/boot/dts/lpc32xx.dtsi |
28 | index 2802c9565b6ca..976a75a4eb2c6 100644 |
29 | --- a/arch/arm/boot/dts/lpc32xx.dtsi |
30 | +++ b/arch/arm/boot/dts/lpc32xx.dtsi |
31 | @@ -323,9 +323,6 @@ |
32 | |
33 | clocks = <&xtal_32k>, <&xtal>; |
34 | clock-names = "xtal_32k", "xtal"; |
35 | - |
36 | - assigned-clocks = <&clk LPC32XX_CLK_HCLK_PLL>; |
37 | - assigned-clock-rates = <208000000>; |
38 | }; |
39 | }; |
40 | |
41 | diff --git a/arch/arm/xen/p2m.c b/arch/arm/xen/p2m.c |
42 | index 0ed01f2d5ee4b..02579e6569f0c 100644 |
43 | --- a/arch/arm/xen/p2m.c |
44 | +++ b/arch/arm/xen/p2m.c |
45 | @@ -93,8 +93,10 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, |
46 | for (i = 0; i < count; i++) { |
47 | if (map_ops[i].status) |
48 | continue; |
49 | - set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, |
50 | - map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT); |
51 | + if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, |
52 | + map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) { |
53 | + return -ENOMEM; |
54 | + } |
55 | } |
56 | |
57 | return 0; |
58 | diff --git a/arch/h8300/kernel/asm-offsets.c b/arch/h8300/kernel/asm-offsets.c |
59 | index dc2d16ce8a0d5..3e33a9844d99a 100644 |
60 | --- a/arch/h8300/kernel/asm-offsets.c |
61 | +++ b/arch/h8300/kernel/asm-offsets.c |
62 | @@ -62,6 +62,9 @@ int main(void) |
63 | OFFSET(TI_FLAGS, thread_info, flags); |
64 | OFFSET(TI_CPU, thread_info, cpu); |
65 | OFFSET(TI_PRE, thread_info, preempt_count); |
66 | +#ifdef CONFIG_PREEMPTION |
67 | + DEFINE(TI_PRE_COUNT, offsetof(struct thread_info, preempt_count)); |
68 | +#endif |
69 | |
70 | return 0; |
71 | } |
72 | diff --git a/arch/x86/Makefile b/arch/x86/Makefile |
73 | index a95d414663b1e..9f0099c46c881 100644 |
74 | --- a/arch/x86/Makefile |
75 | +++ b/arch/x86/Makefile |
76 | @@ -61,6 +61,9 @@ endif |
77 | KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow |
78 | KBUILD_CFLAGS += $(call cc-option,-mno-avx,) |
79 | |
80 | +# Intel CET isn't enabled in the kernel |
81 | +KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) |
82 | + |
83 | ifeq ($(CONFIG_X86_32),y) |
84 | BITS := 32 |
85 | UTS_MACHINE := i386 |
86 | @@ -137,9 +140,6 @@ else |
87 | KBUILD_CFLAGS += -mno-red-zone |
88 | KBUILD_CFLAGS += -mcmodel=kernel |
89 | |
90 | - # Intel CET isn't enabled in the kernel |
91 | - KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) |
92 | - |
93 | # -funit-at-a-time shrinks the kernel .text considerably |
94 | # unfortunately it makes reading oopses harder. |
95 | KBUILD_CFLAGS += $(call cc-option,-funit-at-a-time) |
96 | diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c |
97 | index 37129db76d33e..fbf8508e558ac 100644 |
98 | --- a/arch/x86/xen/p2m.c |
99 | +++ b/arch/x86/xen/p2m.c |
100 | @@ -725,7 +725,8 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, |
101 | unsigned long mfn, pfn; |
102 | |
103 | /* Do not add to override if the map failed. */ |
104 | - if (map_ops[i].status) |
105 | + if (map_ops[i].status != GNTST_okay || |
106 | + (kmap_ops && kmap_ops[i].status != GNTST_okay)) |
107 | continue; |
108 | |
109 | if (map_ops[i].flags & GNTMAP_contains_pte) { |
110 | @@ -763,17 +764,15 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops, |
111 | unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i])); |
112 | unsigned long pfn = page_to_pfn(pages[i]); |
113 | |
114 | - if (mfn == INVALID_P2M_ENTRY || !(mfn & FOREIGN_FRAME_BIT)) { |
115 | + if (mfn != INVALID_P2M_ENTRY && (mfn & FOREIGN_FRAME_BIT)) |
116 | + set_phys_to_machine(pfn, INVALID_P2M_ENTRY); |
117 | + else |
118 | ret = -EINVAL; |
119 | - goto out; |
120 | - } |
121 | - |
122 | - set_phys_to_machine(pfn, INVALID_P2M_ENTRY); |
123 | } |
124 | if (kunmap_ops) |
125 | ret = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref, |
126 | - kunmap_ops, count); |
127 | -out: |
128 | + kunmap_ops, count) ?: ret; |
129 | + |
130 | return ret; |
131 | } |
132 | EXPORT_SYMBOL_GPL(clear_foreign_p2m_mapping); |
133 | diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c |
134 | index 4f643a87f9c7d..2b739ba841b1a 100644 |
135 | --- a/drivers/block/xen-blkback/blkback.c |
136 | +++ b/drivers/block/xen-blkback/blkback.c |
137 | @@ -843,8 +843,11 @@ again: |
138 | pages[i]->page = persistent_gnt->page; |
139 | pages[i]->persistent_gnt = persistent_gnt; |
140 | } else { |
141 | - if (get_free_page(ring, &pages[i]->page)) |
142 | - goto out_of_memory; |
143 | + if (get_free_page(ring, &pages[i]->page)) { |
144 | + put_free_pages(ring, pages_to_gnt, segs_to_map); |
145 | + ret = -ENOMEM; |
146 | + goto out; |
147 | + } |
148 | addr = vaddr(pages[i]->page); |
149 | pages_to_gnt[segs_to_map] = pages[i]->page; |
150 | pages[i]->persistent_gnt = NULL; |
151 | @@ -860,10 +863,8 @@ again: |
152 | break; |
153 | } |
154 | |
155 | - if (segs_to_map) { |
156 | + if (segs_to_map) |
157 | ret = gnttab_map_refs(map, NULL, pages_to_gnt, segs_to_map); |
158 | - BUG_ON(ret); |
159 | - } |
160 | |
161 | /* |
162 | * Now swizzle the MFN in our domain with the MFN from the other domain |
163 | @@ -878,7 +879,7 @@ again: |
164 | pr_debug("invalid buffer -- could not remap it\n"); |
165 | put_free_pages(ring, &pages[seg_idx]->page, 1); |
166 | pages[seg_idx]->handle = BLKBACK_INVALID_HANDLE; |
167 | - ret |= 1; |
168 | + ret |= !ret; |
169 | goto next; |
170 | } |
171 | pages[seg_idx]->handle = map[new_map_idx].handle; |
172 | @@ -930,17 +931,18 @@ next: |
173 | } |
174 | segs_to_map = 0; |
175 | last_map = map_until; |
176 | - if (map_until != num) |
177 | + if (!ret && map_until != num) |
178 | goto again; |
179 | |
180 | - return ret; |
181 | - |
182 | -out_of_memory: |
183 | - pr_alert("%s: out of memory\n", __func__); |
184 | - put_free_pages(ring, pages_to_gnt, segs_to_map); |
185 | - for (i = last_map; i < num; i++) |
186 | +out: |
187 | + for (i = last_map; i < num; i++) { |
188 | + /* Don't zap current batch's valid persistent grants. */ |
189 | + if(i >= last_map + segs_to_map) |
190 | + pages[i]->persistent_gnt = NULL; |
191 | pages[i]->handle = BLKBACK_INVALID_HANDLE; |
192 | - return -ENOMEM; |
193 | + } |
194 | + |
195 | + return ret; |
196 | } |
197 | |
198 | static int xen_blkbk_map_seg(struct pending_req *pending_req) |
199 | diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c |
200 | index f4d75ffe3d8a8..7f01fb91ea668 100644 |
201 | --- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c |
202 | +++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c |
203 | @@ -518,7 +518,10 @@ static ssize_t iwl_dbgfs_os_device_timediff_read(struct file *file, |
204 | const size_t bufsz = sizeof(buf); |
205 | int pos = 0; |
206 | |
207 | + mutex_lock(&mvm->mutex); |
208 | iwl_mvm_get_sync_time(mvm, &curr_gp2, &curr_os); |
209 | + mutex_unlock(&mvm->mutex); |
210 | + |
211 | do_div(curr_os, NSEC_PER_USEC); |
212 | diff = curr_os - curr_gp2; |
213 | pos += scnprintf(buf + pos, bufsz - pos, "diff=%lld\n", diff); |
214 | diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c |
215 | index 6d38eec3f9d3c..a78aaf17116e9 100644 |
216 | --- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c |
217 | +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c |
218 | @@ -1104,6 +1104,7 @@ static void iwl_mvm_reprobe_wk(struct work_struct *wk) |
219 | reprobe = container_of(wk, struct iwl_mvm_reprobe, work); |
220 | if (device_reprobe(reprobe->dev)) |
221 | dev_err(reprobe->dev, "reprobe failed!\n"); |
222 | + put_device(reprobe->dev); |
223 | kfree(reprobe); |
224 | module_put(THIS_MODULE); |
225 | } |
226 | @@ -1202,7 +1203,7 @@ void iwl_mvm_nic_restart(struct iwl_mvm *mvm, bool fw_error) |
227 | module_put(THIS_MODULE); |
228 | return; |
229 | } |
230 | - reprobe->dev = mvm->trans->dev; |
231 | + reprobe->dev = get_device(mvm->trans->dev); |
232 | INIT_WORK(&reprobe->work, iwl_mvm_reprobe_wk); |
233 | schedule_work(&reprobe->work); |
234 | } else if (mvm->cur_ucode == IWL_UCODE_REGULAR) { |
235 | diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c |
236 | index 174e45d78c46a..ff564198d2cef 100644 |
237 | --- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c |
238 | +++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c |
239 | @@ -676,6 +676,11 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) |
240 | struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); |
241 | struct iwl_txq *txq = &trans_pcie->txq[txq_id]; |
242 | |
243 | + if (!txq) { |
244 | + IWL_ERR(trans, "Trying to free a queue that wasn't allocated?\n"); |
245 | + return; |
246 | + } |
247 | + |
248 | spin_lock_bh(&txq->lock); |
249 | while (txq->write_ptr != txq->read_ptr) { |
250 | IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n", |
251 | diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c |
252 | index fd2ac6cd0c691..0024200c30ce4 100644 |
253 | --- a/drivers/net/xen-netback/netback.c |
254 | +++ b/drivers/net/xen-netback/netback.c |
255 | @@ -1328,13 +1328,11 @@ int xenvif_tx_action(struct xenvif_queue *queue, int budget) |
256 | return 0; |
257 | |
258 | gnttab_batch_copy(queue->tx_copy_ops, nr_cops); |
259 | - if (nr_mops != 0) { |
260 | + if (nr_mops != 0) |
261 | ret = gnttab_map_refs(queue->tx_map_ops, |
262 | NULL, |
263 | queue->pages_to_map, |
264 | nr_mops); |
265 | - BUG_ON(ret); |
266 | - } |
267 | |
268 | work_done = xenvif_tx_submit(queue); |
269 | |
270 | diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c |
271 | index f152246c7dfb7..ddfb1cfa2dd94 100644 |
272 | --- a/drivers/net/xen-netback/rx.c |
273 | +++ b/drivers/net/xen-netback/rx.c |
274 | @@ -38,10 +38,15 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue) |
275 | RING_IDX prod, cons; |
276 | struct sk_buff *skb; |
277 | int needed; |
278 | + unsigned long flags; |
279 | + |
280 | + spin_lock_irqsave(&queue->rx_queue.lock, flags); |
281 | |
282 | skb = skb_peek(&queue->rx_queue); |
283 | - if (!skb) |
284 | + if (!skb) { |
285 | + spin_unlock_irqrestore(&queue->rx_queue.lock, flags); |
286 | return false; |
287 | + } |
288 | |
289 | needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE); |
290 | if (skb_is_gso(skb)) |
291 | @@ -49,6 +54,8 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue) |
292 | if (skb->sw_hash) |
293 | needed++; |
294 | |
295 | + spin_unlock_irqrestore(&queue->rx_queue.lock, flags); |
296 | + |
297 | do { |
298 | prod = queue->rx.sring->req_prod; |
299 | cons = queue->rx.req_cons; |
300 | diff --git a/drivers/remoteproc/qcom_q6v5_pil.c b/drivers/remoteproc/qcom_q6v5_pil.c |
301 | index 2e0caaaa766a3..72fc33bba99c1 100644 |
302 | --- a/drivers/remoteproc/qcom_q6v5_pil.c |
303 | +++ b/drivers/remoteproc/qcom_q6v5_pil.c |
304 | @@ -193,6 +193,12 @@ static int q6v5_load(struct rproc *rproc, const struct firmware *fw) |
305 | { |
306 | struct q6v5 *qproc = rproc->priv; |
307 | |
308 | + /* MBA is restricted to a maximum size of 1M */ |
309 | + if (fw->size > qproc->mba_size || fw->size > SZ_1M) { |
310 | + dev_err(qproc->dev, "MBA firmware load failed\n"); |
311 | + return -EINVAL; |
312 | + } |
313 | + |
314 | memcpy(qproc->mba_region, fw->data, fw->size); |
315 | |
316 | return 0; |
317 | diff --git a/drivers/scsi/qla2xxx/qla_tmpl.c b/drivers/scsi/qla2xxx/qla_tmpl.c |
318 | index 9c2c7fe612806..ba83c36b76bdf 100644 |
319 | --- a/drivers/scsi/qla2xxx/qla_tmpl.c |
320 | +++ b/drivers/scsi/qla2xxx/qla_tmpl.c |
321 | @@ -878,7 +878,8 @@ qla27xx_template_checksum(void *p, ulong size) |
322 | static inline int |
323 | qla27xx_verify_template_checksum(struct qla27xx_fwdt_template *tmp) |
324 | { |
325 | - return qla27xx_template_checksum(tmp, tmp->template_size) == 0; |
326 | + return qla27xx_template_checksum(tmp, |
327 | + le32_to_cpu(tmp->template_size)) == 0; |
328 | } |
329 | |
330 | static inline int |
331 | @@ -894,7 +895,7 @@ qla27xx_execute_fwdt_template(struct scsi_qla_host *vha) |
332 | ulong len; |
333 | |
334 | if (qla27xx_fwdt_template_valid(tmp)) { |
335 | - len = tmp->template_size; |
336 | + len = le32_to_cpu(tmp->template_size); |
337 | tmp = memcpy(vha->hw->fw_dump, tmp, len); |
338 | ql27xx_edit_template(vha, tmp); |
339 | qla27xx_walk_template(vha, tmp, tmp, &len); |
340 | @@ -910,7 +911,7 @@ qla27xx_fwdt_calculate_dump_size(struct scsi_qla_host *vha) |
341 | ulong len = 0; |
342 | |
343 | if (qla27xx_fwdt_template_valid(tmp)) { |
344 | - len = tmp->template_size; |
345 | + len = le32_to_cpu(tmp->template_size); |
346 | qla27xx_walk_template(vha, tmp, NULL, &len); |
347 | } |
348 | |
349 | @@ -922,7 +923,7 @@ qla27xx_fwdt_template_size(void *p) |
350 | { |
351 | struct qla27xx_fwdt_template *tmp = p; |
352 | |
353 | - return tmp->template_size; |
354 | + return le32_to_cpu(tmp->template_size); |
355 | } |
356 | |
357 | ulong |
358 | diff --git a/drivers/scsi/qla2xxx/qla_tmpl.h b/drivers/scsi/qla2xxx/qla_tmpl.h |
359 | index 141c1c5e73f42..2d3e1a8349b3b 100644 |
360 | --- a/drivers/scsi/qla2xxx/qla_tmpl.h |
361 | +++ b/drivers/scsi/qla2xxx/qla_tmpl.h |
362 | @@ -13,7 +13,7 @@ |
363 | struct __packed qla27xx_fwdt_template { |
364 | uint32_t template_type; |
365 | uint32_t entry_offset; |
366 | - uint32_t template_size; |
367 | + __le32 template_size; |
368 | uint32_t reserved_1; |
369 | |
370 | uint32_t entry_count; |
371 | diff --git a/drivers/usb/dwc3/ulpi.c b/drivers/usb/dwc3/ulpi.c |
372 | index bd86f84f37901..3862edf59f7de 100644 |
373 | --- a/drivers/usb/dwc3/ulpi.c |
374 | +++ b/drivers/usb/dwc3/ulpi.c |
375 | @@ -10,6 +10,8 @@ |
376 | * published by the Free Software Foundation. |
377 | */ |
378 | |
379 | +#include <linux/delay.h> |
380 | +#include <linux/time64.h> |
381 | #include <linux/ulpi/regs.h> |
382 | |
383 | #include "core.h" |
384 | @@ -20,12 +22,22 @@ |
385 | DWC3_GUSB2PHYACC_ADDR(ULPI_ACCESS_EXTENDED) | \ |
386 | DWC3_GUSB2PHYACC_EXTEND_ADDR(a) : DWC3_GUSB2PHYACC_ADDR(a)) |
387 | |
388 | -static int dwc3_ulpi_busyloop(struct dwc3 *dwc) |
389 | +#define DWC3_ULPI_BASE_DELAY DIV_ROUND_UP(NSEC_PER_SEC, 60000000L) |
390 | + |
391 | +static int dwc3_ulpi_busyloop(struct dwc3 *dwc, u8 addr, bool read) |
392 | { |
393 | - unsigned count = 1000; |
394 | + unsigned long ns = 5L * DWC3_ULPI_BASE_DELAY; |
395 | + unsigned int count = 1000; |
396 | u32 reg; |
397 | |
398 | + if (addr >= ULPI_EXT_VENDOR_SPECIFIC) |
399 | + ns += DWC3_ULPI_BASE_DELAY; |
400 | + |
401 | + if (read) |
402 | + ns += DWC3_ULPI_BASE_DELAY; |
403 | + |
404 | while (count--) { |
405 | + ndelay(ns); |
406 | reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYACC(0)); |
407 | if (!(reg & DWC3_GUSB2PHYACC_BUSY)) |
408 | return 0; |
409 | @@ -44,7 +56,7 @@ static int dwc3_ulpi_read(struct device *dev, u8 addr) |
410 | reg = DWC3_GUSB2PHYACC_NEWREGREQ | DWC3_ULPI_ADDR(addr); |
411 | dwc3_writel(dwc->regs, DWC3_GUSB2PHYACC(0), reg); |
412 | |
413 | - ret = dwc3_ulpi_busyloop(dwc); |
414 | + ret = dwc3_ulpi_busyloop(dwc, addr, true); |
415 | if (ret) |
416 | return ret; |
417 | |
418 | @@ -62,7 +74,7 @@ static int dwc3_ulpi_write(struct device *dev, u8 addr, u8 val) |
419 | reg |= DWC3_GUSB2PHYACC_WRITE | val; |
420 | dwc3_writel(dwc->regs, DWC3_GUSB2PHYACC(0), reg); |
421 | |
422 | - return dwc3_ulpi_busyloop(dwc); |
423 | + return dwc3_ulpi_busyloop(dwc, addr, false); |
424 | } |
425 | |
426 | static const struct ulpi_ops dwc3_ulpi_ops = { |
427 | diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c |
428 | index 910b5d40c6e9f..69d59102ff1be 100644 |
429 | --- a/drivers/xen/gntdev.c |
430 | +++ b/drivers/xen/gntdev.c |
431 | @@ -293,36 +293,47 @@ static int map_grant_pages(struct grant_map *map) |
432 | * to the kernel linear addresses of the struct pages. |
433 | * These ptes are completely different from the user ptes dealt |
434 | * with find_grant_ptes. |
435 | + * Note that GNTMAP_device_map isn't needed here: The |
436 | + * dev_bus_addr output field gets consumed only from ->map_ops, |
437 | + * and by not requesting it when mapping we also avoid needing |
438 | + * to mirror dev_bus_addr into ->unmap_ops (and holding an extra |
439 | + * reference to the page in the hypervisor). |
440 | */ |
441 | + unsigned int flags = (map->flags & ~GNTMAP_device_map) | |
442 | + GNTMAP_host_map; |
443 | + |
444 | for (i = 0; i < map->count; i++) { |
445 | unsigned long address = (unsigned long) |
446 | pfn_to_kaddr(page_to_pfn(map->pages[i])); |
447 | BUG_ON(PageHighMem(map->pages[i])); |
448 | |
449 | - gnttab_set_map_op(&map->kmap_ops[i], address, |
450 | - map->flags | GNTMAP_host_map, |
451 | + gnttab_set_map_op(&map->kmap_ops[i], address, flags, |
452 | map->grants[i].ref, |
453 | map->grants[i].domid); |
454 | gnttab_set_unmap_op(&map->kunmap_ops[i], address, |
455 | - map->flags | GNTMAP_host_map, -1); |
456 | + flags, -1); |
457 | } |
458 | } |
459 | |
460 | pr_debug("map %d+%d\n", map->index, map->count); |
461 | err = gnttab_map_refs(map->map_ops, use_ptemod ? map->kmap_ops : NULL, |
462 | map->pages, map->count); |
463 | - if (err) |
464 | - return err; |
465 | |
466 | for (i = 0; i < map->count; i++) { |
467 | - if (map->map_ops[i].status) { |
468 | + if (map->map_ops[i].status == GNTST_okay) |
469 | + map->unmap_ops[i].handle = map->map_ops[i].handle; |
470 | + else if (!err) |
471 | err = -EINVAL; |
472 | - continue; |
473 | - } |
474 | |
475 | - map->unmap_ops[i].handle = map->map_ops[i].handle; |
476 | - if (use_ptemod) |
477 | - map->kunmap_ops[i].handle = map->kmap_ops[i].handle; |
478 | + if (map->flags & GNTMAP_device_map) |
479 | + map->unmap_ops[i].dev_bus_addr = map->map_ops[i].dev_bus_addr; |
480 | + |
481 | + if (use_ptemod) { |
482 | + if (map->kmap_ops[i].status == GNTST_okay) |
483 | + map->kunmap_ops[i].handle = map->kmap_ops[i].handle; |
484 | + else if (!err) |
485 | + err = -EINVAL; |
486 | + } |
487 | } |
488 | return err; |
489 | } |
490 | diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c |
491 | index 3243d917651a3..4bba877ef5477 100644 |
492 | --- a/drivers/xen/xen-scsiback.c |
493 | +++ b/drivers/xen/xen-scsiback.c |
494 | @@ -423,12 +423,12 @@ static int scsiback_gnttab_data_map_batch(struct gnttab_map_grant_ref *map, |
495 | return 0; |
496 | |
497 | err = gnttab_map_refs(map, NULL, pg, cnt); |
498 | - BUG_ON(err); |
499 | for (i = 0; i < cnt; i++) { |
500 | if (unlikely(map[i].status != GNTST_okay)) { |
501 | pr_err("invalid buffer -- could not remap it\n"); |
502 | map[i].handle = SCSIBACK_INVALID_HANDLE; |
503 | - err = -ENOMEM; |
504 | + if (!err) |
505 | + err = -ENOMEM; |
506 | } else { |
507 | get_page(pg[i]); |
508 | } |
509 | diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c |
510 | index f978ae2bb846f..2de656ecc48bb 100644 |
511 | --- a/fs/fs-writeback.c |
512 | +++ b/fs/fs-writeback.c |
513 | @@ -1971,7 +1971,7 @@ void wb_workfn(struct work_struct *work) |
514 | struct bdi_writeback, dwork); |
515 | long pages_written; |
516 | |
517 | - set_worker_desc("flush-%s", dev_name(wb->bdi->dev)); |
518 | + set_worker_desc("flush-%s", bdi_dev_name(wb->bdi)); |
519 | current->flags |= PF_SWAPWRITE; |
520 | |
521 | if (likely(!current_is_workqueue_rescuer() || |
522 | diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c |
523 | index 299dbf59f28f8..3a583aa1fafeb 100644 |
524 | --- a/fs/overlayfs/copy_up.c |
525 | +++ b/fs/overlayfs/copy_up.c |
526 | @@ -92,6 +92,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new) |
527 | |
528 | if (ovl_is_private_xattr(name)) |
529 | continue; |
530 | + |
531 | + error = security_inode_copy_up_xattr(name); |
532 | + if (error < 0 && error != -EOPNOTSUPP) |
533 | + break; |
534 | + if (error == 1) { |
535 | + error = 0; |
536 | + continue; /* Discard */ |
537 | + } |
538 | retry: |
539 | size = vfs_getxattr(old, name, value, value_size); |
540 | if (size == -ERANGE) |
541 | @@ -115,13 +123,6 @@ retry: |
542 | goto retry; |
543 | } |
544 | |
545 | - error = security_inode_copy_up_xattr(name); |
546 | - if (error < 0 && error != -EOPNOTSUPP) |
547 | - break; |
548 | - if (error == 1) { |
549 | - error = 0; |
550 | - continue; /* Discard */ |
551 | - } |
552 | error = vfs_setxattr(new, name, value, size, 0); |
553 | if (error) |
554 | break; |
555 | diff --git a/fs/squashfs/export.c b/fs/squashfs/export.c |
556 | index 8073b6532cf04..d2a806416c3ab 100644 |
557 | --- a/fs/squashfs/export.c |
558 | +++ b/fs/squashfs/export.c |
559 | @@ -54,12 +54,17 @@ static long long squashfs_inode_lookup(struct super_block *sb, int ino_num) |
560 | struct squashfs_sb_info *msblk = sb->s_fs_info; |
561 | int blk = SQUASHFS_LOOKUP_BLOCK(ino_num - 1); |
562 | int offset = SQUASHFS_LOOKUP_BLOCK_OFFSET(ino_num - 1); |
563 | - u64 start = le64_to_cpu(msblk->inode_lookup_table[blk]); |
564 | + u64 start; |
565 | __le64 ino; |
566 | int err; |
567 | |
568 | TRACE("Entered squashfs_inode_lookup, inode_number = %d\n", ino_num); |
569 | |
570 | + if (ino_num == 0 || (ino_num - 1) >= msblk->inodes) |
571 | + return -EINVAL; |
572 | + |
573 | + start = le64_to_cpu(msblk->inode_lookup_table[blk]); |
574 | + |
575 | err = squashfs_read_metadata(sb, &ino, &start, &offset, sizeof(ino)); |
576 | if (err < 0) |
577 | return err; |
578 | @@ -124,7 +129,10 @@ __le64 *squashfs_read_inode_lookup_table(struct super_block *sb, |
579 | u64 lookup_table_start, u64 next_table, unsigned int inodes) |
580 | { |
581 | unsigned int length = SQUASHFS_LOOKUP_BLOCK_BYTES(inodes); |
582 | + unsigned int indexes = SQUASHFS_LOOKUP_BLOCKS(inodes); |
583 | + int n; |
584 | __le64 *table; |
585 | + u64 start, end; |
586 | |
587 | TRACE("In read_inode_lookup_table, length %d\n", length); |
588 | |
589 | @@ -134,20 +142,37 @@ __le64 *squashfs_read_inode_lookup_table(struct super_block *sb, |
590 | if (inodes == 0) |
591 | return ERR_PTR(-EINVAL); |
592 | |
593 | - /* length bytes should not extend into the next table - this check |
594 | - * also traps instances where lookup_table_start is incorrectly larger |
595 | - * than the next table start |
596 | + /* |
597 | + * The computed size of the lookup table (length bytes) should exactly |
598 | + * match the table start and end points |
599 | */ |
600 | - if (lookup_table_start + length > next_table) |
601 | + if (length != (next_table - lookup_table_start)) |
602 | return ERR_PTR(-EINVAL); |
603 | |
604 | table = squashfs_read_table(sb, lookup_table_start, length); |
605 | + if (IS_ERR(table)) |
606 | + return table; |
607 | |
608 | /* |
609 | - * table[0] points to the first inode lookup table metadata block, |
610 | - * this should be less than lookup_table_start |
611 | + * table0], table[1], ... table[indexes - 1] store the locations |
612 | + * of the compressed inode lookup blocks. Each entry should be |
613 | + * less than the next (i.e. table[0] < table[1]), and the difference |
614 | + * between them should be SQUASHFS_METADATA_SIZE or less. |
615 | + * table[indexes - 1] should be less than lookup_table_start, and |
616 | + * again the difference should be SQUASHFS_METADATA_SIZE or less |
617 | */ |
618 | - if (!IS_ERR(table) && le64_to_cpu(table[0]) >= lookup_table_start) { |
619 | + for (n = 0; n < (indexes - 1); n++) { |
620 | + start = le64_to_cpu(table[n]); |
621 | + end = le64_to_cpu(table[n + 1]); |
622 | + |
623 | + if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { |
624 | + kfree(table); |
625 | + return ERR_PTR(-EINVAL); |
626 | + } |
627 | + } |
628 | + |
629 | + start = le64_to_cpu(table[indexes - 1]); |
630 | + if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) { |
631 | kfree(table); |
632 | return ERR_PTR(-EINVAL); |
633 | } |
634 | diff --git a/fs/squashfs/id.c b/fs/squashfs/id.c |
635 | index d38ea3dab9515..8ccc0e3f6ea5a 100644 |
636 | --- a/fs/squashfs/id.c |
637 | +++ b/fs/squashfs/id.c |
638 | @@ -48,10 +48,15 @@ int squashfs_get_id(struct super_block *sb, unsigned int index, |
639 | struct squashfs_sb_info *msblk = sb->s_fs_info; |
640 | int block = SQUASHFS_ID_BLOCK(index); |
641 | int offset = SQUASHFS_ID_BLOCK_OFFSET(index); |
642 | - u64 start_block = le64_to_cpu(msblk->id_table[block]); |
643 | + u64 start_block; |
644 | __le32 disk_id; |
645 | int err; |
646 | |
647 | + if (index >= msblk->ids) |
648 | + return -EINVAL; |
649 | + |
650 | + start_block = le64_to_cpu(msblk->id_table[block]); |
651 | + |
652 | err = squashfs_read_metadata(sb, &disk_id, &start_block, &offset, |
653 | sizeof(disk_id)); |
654 | if (err < 0) |
655 | @@ -69,7 +74,10 @@ __le64 *squashfs_read_id_index_table(struct super_block *sb, |
656 | u64 id_table_start, u64 next_table, unsigned short no_ids) |
657 | { |
658 | unsigned int length = SQUASHFS_ID_BLOCK_BYTES(no_ids); |
659 | + unsigned int indexes = SQUASHFS_ID_BLOCKS(no_ids); |
660 | + int n; |
661 | __le64 *table; |
662 | + u64 start, end; |
663 | |
664 | TRACE("In read_id_index_table, length %d\n", length); |
665 | |
666 | @@ -80,20 +88,36 @@ __le64 *squashfs_read_id_index_table(struct super_block *sb, |
667 | return ERR_PTR(-EINVAL); |
668 | |
669 | /* |
670 | - * length bytes should not extend into the next table - this check |
671 | - * also traps instances where id_table_start is incorrectly larger |
672 | - * than the next table start |
673 | + * The computed size of the index table (length bytes) should exactly |
674 | + * match the table start and end points |
675 | */ |
676 | - if (id_table_start + length > next_table) |
677 | + if (length != (next_table - id_table_start)) |
678 | return ERR_PTR(-EINVAL); |
679 | |
680 | table = squashfs_read_table(sb, id_table_start, length); |
681 | + if (IS_ERR(table)) |
682 | + return table; |
683 | |
684 | /* |
685 | - * table[0] points to the first id lookup table metadata block, this |
686 | - * should be less than id_table_start |
687 | + * table[0], table[1], ... table[indexes - 1] store the locations |
688 | + * of the compressed id blocks. Each entry should be less than |
689 | + * the next (i.e. table[0] < table[1]), and the difference between them |
690 | + * should be SQUASHFS_METADATA_SIZE or less. table[indexes - 1] |
691 | + * should be less than id_table_start, and again the difference |
692 | + * should be SQUASHFS_METADATA_SIZE or less |
693 | */ |
694 | - if (!IS_ERR(table) && le64_to_cpu(table[0]) >= id_table_start) { |
695 | + for (n = 0; n < (indexes - 1); n++) { |
696 | + start = le64_to_cpu(table[n]); |
697 | + end = le64_to_cpu(table[n + 1]); |
698 | + |
699 | + if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { |
700 | + kfree(table); |
701 | + return ERR_PTR(-EINVAL); |
702 | + } |
703 | + } |
704 | + |
705 | + start = le64_to_cpu(table[indexes - 1]); |
706 | + if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) { |
707 | kfree(table); |
708 | return ERR_PTR(-EINVAL); |
709 | } |
710 | diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h |
711 | index ef69c31947bf8..5234c19a0eabc 100644 |
712 | --- a/fs/squashfs/squashfs_fs_sb.h |
713 | +++ b/fs/squashfs/squashfs_fs_sb.h |
714 | @@ -77,5 +77,6 @@ struct squashfs_sb_info { |
715 | unsigned int inodes; |
716 | unsigned int fragments; |
717 | int xattr_ids; |
718 | + unsigned int ids; |
719 | }; |
720 | #endif |
721 | diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c |
722 | index 1516bb779b8d4..5abc9d03397c1 100644 |
723 | --- a/fs/squashfs/super.c |
724 | +++ b/fs/squashfs/super.c |
725 | @@ -176,6 +176,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) |
726 | msblk->directory_table = le64_to_cpu(sblk->directory_table_start); |
727 | msblk->inodes = le32_to_cpu(sblk->inodes); |
728 | msblk->fragments = le32_to_cpu(sblk->fragments); |
729 | + msblk->ids = le16_to_cpu(sblk->no_ids); |
730 | flags = le16_to_cpu(sblk->flags); |
731 | |
732 | TRACE("Found valid superblock on %pg\n", sb->s_bdev); |
733 | @@ -187,7 +188,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) |
734 | TRACE("Block size %d\n", msblk->block_size); |
735 | TRACE("Number of inodes %d\n", msblk->inodes); |
736 | TRACE("Number of fragments %d\n", msblk->fragments); |
737 | - TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids)); |
738 | + TRACE("Number of ids %d\n", msblk->ids); |
739 | TRACE("sblk->inode_table_start %llx\n", msblk->inode_table); |
740 | TRACE("sblk->directory_table_start %llx\n", msblk->directory_table); |
741 | TRACE("sblk->fragment_table_start %llx\n", |
742 | @@ -244,8 +245,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) |
743 | allocate_id_index_table: |
744 | /* Allocate and read id index table */ |
745 | msblk->id_table = squashfs_read_id_index_table(sb, |
746 | - le64_to_cpu(sblk->id_table_start), next_table, |
747 | - le16_to_cpu(sblk->no_ids)); |
748 | + le64_to_cpu(sblk->id_table_start), next_table, msblk->ids); |
749 | if (IS_ERR(msblk->id_table)) { |
750 | ERROR("unable to read id index table\n"); |
751 | err = PTR_ERR(msblk->id_table); |
752 | diff --git a/fs/squashfs/xattr.h b/fs/squashfs/xattr.h |
753 | index afe70f815e3de..86b0a0073e51f 100644 |
754 | --- a/fs/squashfs/xattr.h |
755 | +++ b/fs/squashfs/xattr.h |
756 | @@ -30,8 +30,16 @@ extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *, |
757 | static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb, |
758 | u64 start, u64 *xattr_table_start, int *xattr_ids) |
759 | { |
760 | + struct squashfs_xattr_id_table *id_table; |
761 | + |
762 | + id_table = squashfs_read_table(sb, start, sizeof(*id_table)); |
763 | + if (IS_ERR(id_table)) |
764 | + return (__le64 *) id_table; |
765 | + |
766 | + *xattr_table_start = le64_to_cpu(id_table->xattr_table_start); |
767 | + kfree(id_table); |
768 | + |
769 | ERROR("Xattrs in filesystem, these will be ignored\n"); |
770 | - *xattr_table_start = start; |
771 | return ERR_PTR(-ENOTSUPP); |
772 | } |
773 | |
774 | diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c |
775 | index c89607d690c48..3a655d879600c 100644 |
776 | --- a/fs/squashfs/xattr_id.c |
777 | +++ b/fs/squashfs/xattr_id.c |
778 | @@ -44,10 +44,15 @@ int squashfs_xattr_lookup(struct super_block *sb, unsigned int index, |
779 | struct squashfs_sb_info *msblk = sb->s_fs_info; |
780 | int block = SQUASHFS_XATTR_BLOCK(index); |
781 | int offset = SQUASHFS_XATTR_BLOCK_OFFSET(index); |
782 | - u64 start_block = le64_to_cpu(msblk->xattr_id_table[block]); |
783 | + u64 start_block; |
784 | struct squashfs_xattr_id id; |
785 | int err; |
786 | |
787 | + if (index >= msblk->xattr_ids) |
788 | + return -EINVAL; |
789 | + |
790 | + start_block = le64_to_cpu(msblk->xattr_id_table[block]); |
791 | + |
792 | err = squashfs_read_metadata(sb, &id, &start_block, &offset, |
793 | sizeof(id)); |
794 | if (err < 0) |
795 | @@ -63,13 +68,17 @@ int squashfs_xattr_lookup(struct super_block *sb, unsigned int index, |
796 | /* |
797 | * Read uncompressed xattr id lookup table indexes from disk into memory |
798 | */ |
799 | -__le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 start, |
800 | +__le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, |
801 | u64 *xattr_table_start, int *xattr_ids) |
802 | { |
803 | - unsigned int len; |
804 | + struct squashfs_sb_info *msblk = sb->s_fs_info; |
805 | + unsigned int len, indexes; |
806 | struct squashfs_xattr_id_table *id_table; |
807 | + __le64 *table; |
808 | + u64 start, end; |
809 | + int n; |
810 | |
811 | - id_table = squashfs_read_table(sb, start, sizeof(*id_table)); |
812 | + id_table = squashfs_read_table(sb, table_start, sizeof(*id_table)); |
813 | if (IS_ERR(id_table)) |
814 | return (__le64 *) id_table; |
815 | |
816 | @@ -83,13 +92,52 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 start, |
817 | if (*xattr_ids == 0) |
818 | return ERR_PTR(-EINVAL); |
819 | |
820 | - /* xattr_table should be less than start */ |
821 | - if (*xattr_table_start >= start) |
822 | + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); |
823 | + indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids); |
824 | + |
825 | + /* |
826 | + * The computed size of the index table (len bytes) should exactly |
827 | + * match the table start and end points |
828 | + */ |
829 | + start = table_start + sizeof(*id_table); |
830 | + end = msblk->bytes_used; |
831 | + |
832 | + if (len != (end - start)) |
833 | return ERR_PTR(-EINVAL); |
834 | |
835 | - len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); |
836 | + table = squashfs_read_table(sb, start, len); |
837 | + if (IS_ERR(table)) |
838 | + return table; |
839 | + |
840 | + /* table[0], table[1], ... table[indexes - 1] store the locations |
841 | + * of the compressed xattr id blocks. Each entry should be less than |
842 | + * the next (i.e. table[0] < table[1]), and the difference between them |
843 | + * should be SQUASHFS_METADATA_SIZE or less. table[indexes - 1] |
844 | + * should be less than table_start, and again the difference |
845 | + * shouls be SQUASHFS_METADATA_SIZE or less. |
846 | + * |
847 | + * Finally xattr_table_start should be less than table[0]. |
848 | + */ |
849 | + for (n = 0; n < (indexes - 1); n++) { |
850 | + start = le64_to_cpu(table[n]); |
851 | + end = le64_to_cpu(table[n + 1]); |
852 | + |
853 | + if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { |
854 | + kfree(table); |
855 | + return ERR_PTR(-EINVAL); |
856 | + } |
857 | + } |
858 | + |
859 | + start = le64_to_cpu(table[indexes - 1]); |
860 | + if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) { |
861 | + kfree(table); |
862 | + return ERR_PTR(-EINVAL); |
863 | + } |
864 | |
865 | - TRACE("In read_xattr_index_table, length %d\n", len); |
866 | + if (*xattr_table_start >= le64_to_cpu(table[0])) { |
867 | + kfree(table); |
868 | + return ERR_PTR(-EINVAL); |
869 | + } |
870 | |
871 | - return squashfs_read_table(sb, start + sizeof(*id_table), len); |
872 | + return table; |
873 | } |
874 | diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h |
875 | index 63f17b106a4a6..57db558c9a616 100644 |
876 | --- a/include/linux/backing-dev.h |
877 | +++ b/include/linux/backing-dev.h |
878 | @@ -12,6 +12,7 @@ |
879 | #include <linux/fs.h> |
880 | #include <linux/sched.h> |
881 | #include <linux/blkdev.h> |
882 | +#include <linux/device.h> |
883 | #include <linux/writeback.h> |
884 | #include <linux/blk-cgroup.h> |
885 | #include <linux/backing-dev-defs.h> |
886 | @@ -517,4 +518,13 @@ static inline int bdi_rw_congested(struct backing_dev_info *bdi) |
887 | (1 << WB_async_congested)); |
888 | } |
889 | |
890 | +extern const char *bdi_unknown_name; |
891 | + |
892 | +static inline const char *bdi_dev_name(struct backing_dev_info *bdi) |
893 | +{ |
894 | + if (!bdi || !bdi->dev) |
895 | + return bdi_unknown_name; |
896 | + return dev_name(bdi->dev); |
897 | +} |
898 | + |
899 | #endif /* _LINUX_BACKING_DEV_H */ |
900 | diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h |
901 | index b3d34d3e0e7ef..9b8b014d13af1 100644 |
902 | --- a/include/linux/ftrace.h |
903 | +++ b/include/linux/ftrace.h |
904 | @@ -783,7 +783,9 @@ typedef int (*trace_func_graph_ent_t)(struct ftrace_graph_ent *); /* entry */ |
905 | #ifdef CONFIG_FUNCTION_GRAPH_TRACER |
906 | |
907 | /* for init task */ |
908 | -#define INIT_FTRACE_GRAPH .ret_stack = NULL, |
909 | +#define INIT_FTRACE_GRAPH \ |
910 | + .ret_stack = NULL, \ |
911 | + .tracing_graph_pause = ATOMIC_INIT(0), |
912 | |
913 | /* |
914 | * Stack of return addresses for functions |
915 | diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h |
916 | index 8b35bdbdc214c..fd77f8303ab9a 100644 |
917 | --- a/include/linux/memcontrol.h |
918 | +++ b/include/linux/memcontrol.h |
919 | @@ -490,9 +490,21 @@ bool mem_cgroup_oom_synchronize(bool wait); |
920 | extern int do_swap_account; |
921 | #endif |
922 | |
923 | -void lock_page_memcg(struct page *page); |
924 | +struct mem_cgroup *lock_page_memcg(struct page *page); |
925 | +void __unlock_page_memcg(struct mem_cgroup *memcg); |
926 | void unlock_page_memcg(struct page *page); |
927 | |
928 | +static inline void __mem_cgroup_update_page_stat(struct page *page, |
929 | + struct mem_cgroup *memcg, |
930 | + enum mem_cgroup_stat_index idx, |
931 | + int val) |
932 | +{ |
933 | + VM_BUG_ON(!(rcu_read_lock_held() || PageLocked(page))); |
934 | + |
935 | + if (memcg && memcg->stat) |
936 | + this_cpu_add(memcg->stat->count[idx], val); |
937 | +} |
938 | + |
939 | /** |
940 | * mem_cgroup_update_page_stat - update page state statistics |
941 | * @page: the page |
942 | @@ -508,13 +520,12 @@ void unlock_page_memcg(struct page *page); |
943 | * mem_cgroup_update_page_stat(page, state, -1); |
944 | * unlock_page(page) or unlock_page_memcg(page) |
945 | */ |
946 | + |
947 | static inline void mem_cgroup_update_page_stat(struct page *page, |
948 | enum mem_cgroup_stat_index idx, int val) |
949 | { |
950 | - VM_BUG_ON(!(rcu_read_lock_held() || PageLocked(page))); |
951 | |
952 | - if (page->mem_cgroup) |
953 | - this_cpu_add(page->mem_cgroup->stat->count[idx], val); |
954 | + __mem_cgroup_update_page_stat(page, page->mem_cgroup, idx, val); |
955 | } |
956 | |
957 | static inline void mem_cgroup_inc_page_stat(struct page *page, |
958 | @@ -709,7 +720,12 @@ mem_cgroup_print_oom_info(struct mem_cgroup *memcg, struct task_struct *p) |
959 | { |
960 | } |
961 | |
962 | -static inline void lock_page_memcg(struct page *page) |
963 | +static inline struct mem_cgroup *lock_page_memcg(struct page *page) |
964 | +{ |
965 | + return NULL; |
966 | +} |
967 | + |
968 | +static inline void __unlock_page_memcg(struct mem_cgroup *memcg) |
969 | { |
970 | } |
971 | |
972 | @@ -745,6 +761,13 @@ static inline void mem_cgroup_update_page_stat(struct page *page, |
973 | { |
974 | } |
975 | |
976 | +static inline void __mem_cgroup_update_page_stat(struct page *page, |
977 | + struct mem_cgroup *memcg, |
978 | + enum mem_cgroup_stat_index idx, |
979 | + int nr) |
980 | +{ |
981 | +} |
982 | + |
983 | static inline void mem_cgroup_inc_page_stat(struct page *page, |
984 | enum mem_cgroup_stat_index idx) |
985 | { |
986 | diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h |
987 | index 4d1b1056ac972..2aacafe2bce58 100644 |
988 | --- a/include/linux/netdevice.h |
989 | +++ b/include/linux/netdevice.h |
990 | @@ -3701,6 +3701,7 @@ static inline void netif_tx_disable(struct net_device *dev) |
991 | |
992 | local_bh_disable(); |
993 | cpu = smp_processor_id(); |
994 | + spin_lock(&dev->tx_global_lock); |
995 | for (i = 0; i < dev->num_tx_queues; i++) { |
996 | struct netdev_queue *txq = netdev_get_tx_queue(dev, i); |
997 | |
998 | @@ -3708,6 +3709,7 @@ static inline void netif_tx_disable(struct net_device *dev) |
999 | netif_tx_stop_queue(txq); |
1000 | __netif_tx_unlock(txq); |
1001 | } |
1002 | + spin_unlock(&dev->tx_global_lock); |
1003 | local_bh_enable(); |
1004 | } |
1005 | |
1006 | diff --git a/include/linux/string.h b/include/linux/string.h |
1007 | index 42eed573ebb63..66a91f5a34499 100644 |
1008 | --- a/include/linux/string.h |
1009 | +++ b/include/linux/string.h |
1010 | @@ -29,6 +29,10 @@ size_t strlcpy(char *, const char *, size_t); |
1011 | #ifndef __HAVE_ARCH_STRSCPY |
1012 | ssize_t strscpy(char *, const char *, size_t); |
1013 | #endif |
1014 | + |
1015 | +/* Wraps calls to strscpy()/memset(), no arch specific code required */ |
1016 | +ssize_t strscpy_pad(char *dest, const char *src, size_t count); |
1017 | + |
1018 | #ifndef __HAVE_ARCH_STRCAT |
1019 | extern char * strcat(char *, const char *); |
1020 | #endif |
1021 | diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h |
1022 | index 56c48c884a242..bf0db32b40aa0 100644 |
1023 | --- a/include/linux/sunrpc/xdr.h |
1024 | +++ b/include/linux/sunrpc/xdr.h |
1025 | @@ -23,8 +23,7 @@ |
1026 | #define XDR_QUADLEN(l) (((l) + 3) >> 2) |
1027 | |
1028 | /* |
1029 | - * Generic opaque `network object.' At the kernel level, this type |
1030 | - * is used only by lockd. |
1031 | + * Generic opaque `network object.' |
1032 | */ |
1033 | #define XDR_MAX_NETOBJ 1024 |
1034 | struct xdr_netobj { |
1035 | diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h |
1036 | index ec964a924cd2f..49a72adc7135c 100644 |
1037 | --- a/include/trace/events/writeback.h |
1038 | +++ b/include/trace/events/writeback.h |
1039 | @@ -65,8 +65,9 @@ TRACE_EVENT(writeback_dirty_page, |
1040 | ), |
1041 | |
1042 | TP_fast_assign( |
1043 | - strncpy(__entry->name, |
1044 | - mapping ? dev_name(inode_to_bdi(mapping->host)->dev) : "(unknown)", 32); |
1045 | + strscpy_pad(__entry->name, |
1046 | + bdi_dev_name(mapping ? inode_to_bdi(mapping->host) : |
1047 | + NULL), 32); |
1048 | __entry->ino = mapping ? mapping->host->i_ino : 0; |
1049 | __entry->index = page->index; |
1050 | ), |
1051 | @@ -95,8 +96,7 @@ DECLARE_EVENT_CLASS(writeback_dirty_inode_template, |
1052 | struct backing_dev_info *bdi = inode_to_bdi(inode); |
1053 | |
1054 | /* may be called for files on pseudo FSes w/ unregistered bdi */ |
1055 | - strncpy(__entry->name, |
1056 | - bdi->dev ? dev_name(bdi->dev) : "(unknown)", 32); |
1057 | + strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); |
1058 | __entry->ino = inode->i_ino; |
1059 | __entry->state = inode->i_state; |
1060 | __entry->flags = flags; |
1061 | @@ -175,8 +175,8 @@ DECLARE_EVENT_CLASS(writeback_write_inode_template, |
1062 | ), |
1063 | |
1064 | TP_fast_assign( |
1065 | - strncpy(__entry->name, |
1066 | - dev_name(inode_to_bdi(inode)->dev), 32); |
1067 | + strscpy_pad(__entry->name, |
1068 | + bdi_dev_name(inode_to_bdi(inode)), 32); |
1069 | __entry->ino = inode->i_ino; |
1070 | __entry->sync_mode = wbc->sync_mode; |
1071 | __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc); |
1072 | @@ -219,8 +219,7 @@ DECLARE_EVENT_CLASS(writeback_work_class, |
1073 | __field(unsigned int, cgroup_ino) |
1074 | ), |
1075 | TP_fast_assign( |
1076 | - strncpy(__entry->name, |
1077 | - wb->bdi->dev ? dev_name(wb->bdi->dev) : "(unknown)", 32); |
1078 | + strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); |
1079 | __entry->nr_pages = work->nr_pages; |
1080 | __entry->sb_dev = work->sb ? work->sb->s_dev : 0; |
1081 | __entry->sync_mode = work->sync_mode; |
1082 | @@ -273,7 +272,7 @@ DECLARE_EVENT_CLASS(writeback_class, |
1083 | __field(unsigned int, cgroup_ino) |
1084 | ), |
1085 | TP_fast_assign( |
1086 | - strncpy(__entry->name, dev_name(wb->bdi->dev), 32); |
1087 | + strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); |
1088 | __entry->cgroup_ino = __trace_wb_assign_cgroup(wb); |
1089 | ), |
1090 | TP_printk("bdi %s: cgroup_ino=%u", |
1091 | @@ -296,7 +295,7 @@ TRACE_EVENT(writeback_bdi_register, |
1092 | __array(char, name, 32) |
1093 | ), |
1094 | TP_fast_assign( |
1095 | - strncpy(__entry->name, dev_name(bdi->dev), 32); |
1096 | + strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); |
1097 | ), |
1098 | TP_printk("bdi %s", |
1099 | __entry->name |
1100 | @@ -321,7 +320,7 @@ DECLARE_EVENT_CLASS(wbc_class, |
1101 | ), |
1102 | |
1103 | TP_fast_assign( |
1104 | - strncpy(__entry->name, dev_name(bdi->dev), 32); |
1105 | + strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); |
1106 | __entry->nr_to_write = wbc->nr_to_write; |
1107 | __entry->pages_skipped = wbc->pages_skipped; |
1108 | __entry->sync_mode = wbc->sync_mode; |
1109 | @@ -372,7 +371,7 @@ TRACE_EVENT(writeback_queue_io, |
1110 | __field(unsigned int, cgroup_ino) |
1111 | ), |
1112 | TP_fast_assign( |
1113 | - strncpy(__entry->name, dev_name(wb->bdi->dev), 32); |
1114 | + strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); |
1115 | __entry->older = dirtied_before; |
1116 | __entry->age = (jiffies - dirtied_before) * 1000 / HZ; |
1117 | __entry->moved = moved; |
1118 | @@ -457,7 +456,7 @@ TRACE_EVENT(bdi_dirty_ratelimit, |
1119 | ), |
1120 | |
1121 | TP_fast_assign( |
1122 | - strlcpy(__entry->bdi, dev_name(wb->bdi->dev), 32); |
1123 | + strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32); |
1124 | __entry->write_bw = KBps(wb->write_bandwidth); |
1125 | __entry->avg_write_bw = KBps(wb->avg_write_bandwidth); |
1126 | __entry->dirty_rate = KBps(dirty_rate); |
1127 | @@ -522,7 +521,7 @@ TRACE_EVENT(balance_dirty_pages, |
1128 | |
1129 | TP_fast_assign( |
1130 | unsigned long freerun = (thresh + bg_thresh) / 2; |
1131 | - strlcpy(__entry->bdi, dev_name(wb->bdi->dev), 32); |
1132 | + strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32); |
1133 | |
1134 | __entry->limit = global_wb_domain.dirty_limit; |
1135 | __entry->setpoint = (global_wb_domain.dirty_limit + |
1136 | @@ -582,8 +581,8 @@ TRACE_EVENT(writeback_sb_inodes_requeue, |
1137 | ), |
1138 | |
1139 | TP_fast_assign( |
1140 | - strncpy(__entry->name, |
1141 | - dev_name(inode_to_bdi(inode)->dev), 32); |
1142 | + strscpy_pad(__entry->name, |
1143 | + bdi_dev_name(inode_to_bdi(inode)), 32); |
1144 | __entry->ino = inode->i_ino; |
1145 | __entry->state = inode->i_state; |
1146 | __entry->dirtied_when = inode->dirtied_when; |
1147 | @@ -656,8 +655,8 @@ DECLARE_EVENT_CLASS(writeback_single_inode_template, |
1148 | ), |
1149 | |
1150 | TP_fast_assign( |
1151 | - strncpy(__entry->name, |
1152 | - dev_name(inode_to_bdi(inode)->dev), 32); |
1153 | + strscpy_pad(__entry->name, |
1154 | + bdi_dev_name(inode_to_bdi(inode)), 32); |
1155 | __entry->ino = inode->i_ino; |
1156 | __entry->state = inode->i_state; |
1157 | __entry->dirtied_when = inode->dirtied_when; |
1158 | diff --git a/include/xen/grant_table.h b/include/xen/grant_table.h |
1159 | index 34b1379f9777d..f9d8aac170fbc 100644 |
1160 | --- a/include/xen/grant_table.h |
1161 | +++ b/include/xen/grant_table.h |
1162 | @@ -157,6 +157,7 @@ gnttab_set_map_op(struct gnttab_map_grant_ref *map, phys_addr_t addr, |
1163 | map->flags = flags; |
1164 | map->ref = ref; |
1165 | map->dom = domid; |
1166 | + map->status = 1; /* arbitrary positive value */ |
1167 | } |
1168 | |
1169 | static inline void |
1170 | diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c |
1171 | index a2a232dec2363..2fdf6f96f9762 100644 |
1172 | --- a/kernel/bpf/stackmap.c |
1173 | +++ b/kernel/bpf/stackmap.c |
1174 | @@ -70,6 +70,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) |
1175 | |
1176 | /* hash table size must be power of 2 */ |
1177 | n_buckets = roundup_pow_of_two(attr->max_entries); |
1178 | + if (!n_buckets) |
1179 | + return ERR_PTR(-E2BIG); |
1180 | |
1181 | cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); |
1182 | if (cost >= U32_MAX - PAGE_SIZE) |
1183 | diff --git a/kernel/futex.c b/kernel/futex.c |
1184 | index 83db5787c67ef..b65dbb5d60bb1 100644 |
1185 | --- a/kernel/futex.c |
1186 | +++ b/kernel/futex.c |
1187 | @@ -1019,6 +1019,39 @@ static void exit_pi_state_list(struct task_struct *curr) |
1188 | * [10] There is no transient state which leaves owner and user space |
1189 | * TID out of sync. Except one error case where the kernel is denied |
1190 | * write access to the user address, see fixup_pi_state_owner(). |
1191 | + * |
1192 | + * |
1193 | + * Serialization and lifetime rules: |
1194 | + * |
1195 | + * hb->lock: |
1196 | + * |
1197 | + * hb -> futex_q, relation |
1198 | + * futex_q -> pi_state, relation |
1199 | + * |
1200 | + * (cannot be raw because hb can contain arbitrary amount |
1201 | + * of futex_q's) |
1202 | + * |
1203 | + * pi_mutex->wait_lock: |
1204 | + * |
1205 | + * {uval, pi_state} |
1206 | + * |
1207 | + * (and pi_mutex 'obviously') |
1208 | + * |
1209 | + * p->pi_lock: |
1210 | + * |
1211 | + * p->pi_state_list -> pi_state->list, relation |
1212 | + * |
1213 | + * pi_state->refcount: |
1214 | + * |
1215 | + * pi_state lifetime |
1216 | + * |
1217 | + * |
1218 | + * Lock order: |
1219 | + * |
1220 | + * hb->lock |
1221 | + * pi_mutex->wait_lock |
1222 | + * p->pi_lock |
1223 | + * |
1224 | */ |
1225 | |
1226 | /* |
1227 | @@ -1026,10 +1059,12 @@ static void exit_pi_state_list(struct task_struct *curr) |
1228 | * the pi_state against the user space value. If correct, attach to |
1229 | * it. |
1230 | */ |
1231 | -static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state, |
1232 | +static int attach_to_pi_state(u32 __user *uaddr, u32 uval, |
1233 | + struct futex_pi_state *pi_state, |
1234 | struct futex_pi_state **ps) |
1235 | { |
1236 | pid_t pid = uval & FUTEX_TID_MASK; |
1237 | + int ret, uval2; |
1238 | |
1239 | /* |
1240 | * Userspace might have messed up non-PI and PI futexes [3] |
1241 | @@ -1037,8 +1072,33 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state, |
1242 | if (unlikely(!pi_state)) |
1243 | return -EINVAL; |
1244 | |
1245 | + /* |
1246 | + * We get here with hb->lock held, and having found a |
1247 | + * futex_top_waiter(). This means that futex_lock_pi() of said futex_q |
1248 | + * has dropped the hb->lock in between queue_me() and unqueue_me_pi(), |
1249 | + * which in turn means that futex_lock_pi() still has a reference on |
1250 | + * our pi_state. |
1251 | + */ |
1252 | WARN_ON(!atomic_read(&pi_state->refcount)); |
1253 | |
1254 | + /* |
1255 | + * Now that we have a pi_state, we can acquire wait_lock |
1256 | + * and do the state validation. |
1257 | + */ |
1258 | + raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); |
1259 | + |
1260 | + /* |
1261 | + * Since {uval, pi_state} is serialized by wait_lock, and our current |
1262 | + * uval was read without holding it, it can have changed. Verify it |
1263 | + * still is what we expect it to be, otherwise retry the entire |
1264 | + * operation. |
1265 | + */ |
1266 | + if (get_futex_value_locked(&uval2, uaddr)) |
1267 | + goto out_efault; |
1268 | + |
1269 | + if (uval != uval2) |
1270 | + goto out_eagain; |
1271 | + |
1272 | /* |
1273 | * Handle the owner died case: |
1274 | */ |
1275 | @@ -1054,11 +1114,11 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state, |
1276 | * is not 0. Inconsistent state. [5] |
1277 | */ |
1278 | if (pid) |
1279 | - return -EINVAL; |
1280 | + goto out_einval; |
1281 | /* |
1282 | * Take a ref on the state and return success. [4] |
1283 | */ |
1284 | - goto out_state; |
1285 | + goto out_attach; |
1286 | } |
1287 | |
1288 | /* |
1289 | @@ -1070,14 +1130,14 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state, |
1290 | * Take a ref on the state and return success. [6] |
1291 | */ |
1292 | if (!pid) |
1293 | - goto out_state; |
1294 | + goto out_attach; |
1295 | } else { |
1296 | /* |
1297 | * If the owner died bit is not set, then the pi_state |
1298 | * must have an owner. [7] |
1299 | */ |
1300 | if (!pi_state->owner) |
1301 | - return -EINVAL; |
1302 | + goto out_einval; |
1303 | } |
1304 | |
1305 | /* |
1306 | @@ -1086,11 +1146,29 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state, |
1307 | * user space TID. [9/10] |
1308 | */ |
1309 | if (pid != task_pid_vnr(pi_state->owner)) |
1310 | - return -EINVAL; |
1311 | -out_state: |
1312 | + goto out_einval; |
1313 | + |
1314 | +out_attach: |
1315 | atomic_inc(&pi_state->refcount); |
1316 | + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); |
1317 | *ps = pi_state; |
1318 | return 0; |
1319 | + |
1320 | +out_einval: |
1321 | + ret = -EINVAL; |
1322 | + goto out_error; |
1323 | + |
1324 | +out_eagain: |
1325 | + ret = -EAGAIN; |
1326 | + goto out_error; |
1327 | + |
1328 | +out_efault: |
1329 | + ret = -EFAULT; |
1330 | + goto out_error; |
1331 | + |
1332 | +out_error: |
1333 | + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); |
1334 | + return ret; |
1335 | } |
1336 | |
1337 | /** |
1338 | @@ -1123,11 +1201,67 @@ static void wait_for_owner_exiting(int ret, struct task_struct *exiting) |
1339 | put_task_struct(exiting); |
1340 | } |
1341 | |
1342 | +static int handle_exit_race(u32 __user *uaddr, u32 uval, |
1343 | + struct task_struct *tsk) |
1344 | +{ |
1345 | + u32 uval2; |
1346 | + |
1347 | + /* |
1348 | + * If the futex exit state is not yet FUTEX_STATE_DEAD, wait |
1349 | + * for it to finish. |
1350 | + */ |
1351 | + if (tsk && tsk->futex_state != FUTEX_STATE_DEAD) |
1352 | + return -EAGAIN; |
1353 | + |
1354 | + /* |
1355 | + * Reread the user space value to handle the following situation: |
1356 | + * |
1357 | + * CPU0 CPU1 |
1358 | + * |
1359 | + * sys_exit() sys_futex() |
1360 | + * do_exit() futex_lock_pi() |
1361 | + * futex_lock_pi_atomic() |
1362 | + * exit_signals(tsk) No waiters: |
1363 | + * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID |
1364 | + * mm_release(tsk) Set waiter bit |
1365 | + * exit_robust_list(tsk) { *uaddr = 0x80000PID; |
1366 | + * Set owner died attach_to_pi_owner() { |
1367 | + * *uaddr = 0xC0000000; tsk = get_task(PID); |
1368 | + * } if (!tsk->flags & PF_EXITING) { |
1369 | + * ... attach(); |
1370 | + * tsk->futex_state = } else { |
1371 | + * FUTEX_STATE_DEAD; if (tsk->futex_state != |
1372 | + * FUTEX_STATE_DEAD) |
1373 | + * return -EAGAIN; |
1374 | + * return -ESRCH; <--- FAIL |
1375 | + * } |
1376 | + * |
1377 | + * Returning ESRCH unconditionally is wrong here because the |
1378 | + * user space value has been changed by the exiting task. |
1379 | + * |
1380 | + * The same logic applies to the case where the exiting task is |
1381 | + * already gone. |
1382 | + */ |
1383 | + if (get_futex_value_locked(&uval2, uaddr)) |
1384 | + return -EFAULT; |
1385 | + |
1386 | + /* If the user space value has changed, try again. */ |
1387 | + if (uval2 != uval) |
1388 | + return -EAGAIN; |
1389 | + |
1390 | + /* |
1391 | + * The exiting task did not have a robust list, the robust list was |
1392 | + * corrupted or the user space value in *uaddr is simply bogus. |
1393 | + * Give up and tell user space. |
1394 | + */ |
1395 | + return -ESRCH; |
1396 | +} |
1397 | + |
1398 | /* |
1399 | * Lookup the task for the TID provided from user space and attach to |
1400 | * it after doing proper sanity checks. |
1401 | */ |
1402 | -static int attach_to_pi_owner(u32 uval, union futex_key *key, |
1403 | +static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key, |
1404 | struct futex_pi_state **ps, |
1405 | struct task_struct **exiting) |
1406 | { |
1407 | @@ -1138,12 +1272,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key, |
1408 | /* |
1409 | * We are the first waiter - try to look up the real owner and attach |
1410 | * the new pi_state to it, but bail out when TID = 0 [1] |
1411 | + * |
1412 | + * The !pid check is paranoid. None of the call sites should end up |
1413 | + * with pid == 0, but better safe than sorry. Let the caller retry |
1414 | */ |
1415 | if (!pid) |
1416 | - return -ESRCH; |
1417 | + return -EAGAIN; |
1418 | p = futex_find_get_task(pid); |
1419 | if (!p) |
1420 | - return -ESRCH; |
1421 | + return handle_exit_race(uaddr, uval, NULL); |
1422 | |
1423 | if (unlikely(p->flags & PF_KTHREAD)) { |
1424 | put_task_struct(p); |
1425 | @@ -1162,7 +1299,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key, |
1426 | * FUTEX_STATE_DEAD, we know that the task has finished |
1427 | * the cleanup: |
1428 | */ |
1429 | - int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN; |
1430 | + int ret = handle_exit_race(uaddr, uval, p); |
1431 | |
1432 | raw_spin_unlock_irq(&p->pi_lock); |
1433 | /* |
1434 | @@ -1183,6 +1320,9 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key, |
1435 | |
1436 | /* |
1437 | * No existing pi state. First waiter. [2] |
1438 | + * |
1439 | + * This creates pi_state, we have hb->lock held, this means nothing can |
1440 | + * observe this state, wait_lock is irrelevant. |
1441 | */ |
1442 | pi_state = alloc_pi_state(); |
1443 | |
1444 | @@ -1207,7 +1347,8 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key, |
1445 | return 0; |
1446 | } |
1447 | |
1448 | -static int lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, |
1449 | +static int lookup_pi_state(u32 __user *uaddr, u32 uval, |
1450 | + struct futex_hash_bucket *hb, |
1451 | union futex_key *key, struct futex_pi_state **ps, |
1452 | struct task_struct **exiting) |
1453 | { |
1454 | @@ -1218,13 +1359,13 @@ static int lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, |
1455 | * attach to the pi_state when the validation succeeds. |
1456 | */ |
1457 | if (match) |
1458 | - return attach_to_pi_state(uval, match->pi_state, ps); |
1459 | + return attach_to_pi_state(uaddr, uval, match->pi_state, ps); |
1460 | |
1461 | /* |
1462 | * We are the first waiter - try to look up the owner based on |
1463 | * @uval and attach to it. |
1464 | */ |
1465 | - return attach_to_pi_owner(uval, key, ps, exiting); |
1466 | + return attach_to_pi_owner(uaddr, uval, key, ps, exiting); |
1467 | } |
1468 | |
1469 | static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) |
1470 | @@ -1237,7 +1378,7 @@ static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) |
1471 | if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))) |
1472 | return -EFAULT; |
1473 | |
1474 | - /*If user space value changed, let the caller retry */ |
1475 | + /* If user space value changed, let the caller retry */ |
1476 | return curval != uval ? -EAGAIN : 0; |
1477 | } |
1478 | |
1479 | @@ -1301,7 +1442,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb, |
1480 | */ |
1481 | match = futex_top_waiter(hb, key); |
1482 | if (match) |
1483 | - return attach_to_pi_state(uval, match->pi_state, ps); |
1484 | + return attach_to_pi_state(uaddr, uval, match->pi_state, ps); |
1485 | |
1486 | /* |
1487 | * No waiter and user TID is 0. We are here because the |
1488 | @@ -1340,7 +1481,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb, |
1489 | * attach to the owner. If that fails, no harm done, we only |
1490 | * set the FUTEX_WAITERS bit in the user space variable. |
1491 | */ |
1492 | - return attach_to_pi_owner(uval, key, ps, exiting); |
1493 | + return attach_to_pi_owner(uaddr, newval, key, ps, exiting); |
1494 | } |
1495 | |
1496 | /** |
1497 | @@ -1441,6 +1582,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this, |
1498 | |
1499 | if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) { |
1500 | ret = -EFAULT; |
1501 | + |
1502 | } else if (curval != uval) { |
1503 | /* |
1504 | * If a unconditional UNLOCK_PI operation (user space did not |
1505 | @@ -1977,7 +2119,7 @@ retry_private: |
1506 | * If that call succeeds then we have pi_state and an |
1507 | * initial refcount on it. |
1508 | */ |
1509 | - ret = lookup_pi_state(ret, hb2, &key2, |
1510 | + ret = lookup_pi_state(uaddr2, ret, hb2, &key2, |
1511 | &pi_state, &exiting); |
1512 | } |
1513 | |
1514 | @@ -2282,7 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, |
1515 | int err = 0; |
1516 | |
1517 | oldowner = pi_state->owner; |
1518 | - |
1519 | /* Owner died? */ |
1520 | if (!pi_state->owner) |
1521 | newtid |= FUTEX_OWNER_DIED; |
1522 | @@ -2305,11 +2446,10 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, |
1523 | * because we can fault here. Imagine swapped out pages or a fork |
1524 | * that marked all the anonymous memory readonly for cow. |
1525 | * |
1526 | - * Modifying pi_state _before_ the user space value would |
1527 | - * leave the pi_state in an inconsistent state when we fault |
1528 | - * here, because we need to drop the hash bucket lock to |
1529 | - * handle the fault. This might be observed in the PID check |
1530 | - * in lookup_pi_state. |
1531 | + * Modifying pi_state _before_ the user space value would leave the |
1532 | + * pi_state in an inconsistent state when we fault here, because we |
1533 | + * need to drop the locks to handle the fault. This might be observed |
1534 | + * in the PID check in lookup_pi_state. |
1535 | */ |
1536 | retry: |
1537 | if (!argowner) { |
1538 | @@ -2322,7 +2462,7 @@ retry: |
1539 | } |
1540 | |
1541 | if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) { |
1542 | - /* We got the lock after all, nothing to fix. */ |
1543 | + /* We got the lock. pi_state is correct. Tell caller. */ |
1544 | return 1; |
1545 | } |
1546 | |
1547 | @@ -2364,24 +2504,29 @@ retry: |
1548 | */ |
1549 | pi_state_update_owner(pi_state, newowner); |
1550 | |
1551 | - return 0; |
1552 | + return argowner == current; |
1553 | |
1554 | /* |
1555 | - * To handle the page fault we need to drop the hash bucket |
1556 | - * lock here. That gives the other task (either the highest priority |
1557 | - * waiter itself or the task which stole the rtmutex) the |
1558 | - * chance to try the fixup of the pi_state. So once we are |
1559 | - * back from handling the fault we need to check the pi_state |
1560 | - * after reacquiring the hash bucket lock and before trying to |
1561 | - * do another fixup. When the fixup has been done already we |
1562 | - * simply return. |
1563 | + * To handle the page fault we need to drop the locks here. That gives |
1564 | + * the other task (either the highest priority waiter itself or the |
1565 | + * task which stole the rtmutex) the chance to try the fixup of the |
1566 | + * pi_state. So once we are back from handling the fault we need to |
1567 | + * check the pi_state after reacquiring the locks and before trying to |
1568 | + * do another fixup. When the fixup has been done already we simply |
1569 | + * return. |
1570 | + * |
1571 | + * Note: we hold both hb->lock and pi_mutex->wait_lock. We can safely |
1572 | + * drop hb->lock since the caller owns the hb -> futex_q relation. |
1573 | + * Dropping the pi_mutex->wait_lock requires the state revalidate. |
1574 | */ |
1575 | handle_fault: |
1576 | + raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); |
1577 | spin_unlock(q->lock_ptr); |
1578 | |
1579 | err = fault_in_user_writeable(uaddr); |
1580 | |
1581 | spin_lock(q->lock_ptr); |
1582 | + raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); |
1583 | |
1584 | /* |
1585 | * Check if someone else fixed it for us: |
1586 | @@ -2447,8 +2592,6 @@ static long futex_wait_restart(struct restart_block *restart); |
1587 | */ |
1588 | static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) |
1589 | { |
1590 | - int ret = 0; |
1591 | - |
1592 | if (locked) { |
1593 | /* |
1594 | * Got the lock. We might not be the anticipated owner if we |
1595 | @@ -2459,8 +2602,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) |
1596 | * stable state, anything else needs more attention. |
1597 | */ |
1598 | if (q->pi_state->owner != current) |
1599 | - ret = fixup_pi_state_owner(uaddr, q, current); |
1600 | - goto out; |
1601 | + return fixup_pi_state_owner(uaddr, q, current); |
1602 | + return 1; |
1603 | } |
1604 | |
1605 | /* |
1606 | @@ -2471,10 +2614,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) |
1607 | * Another speculative read; pi_state->owner == current is unstable |
1608 | * but needs our attention. |
1609 | */ |
1610 | - if (q->pi_state->owner == current) { |
1611 | - ret = fixup_pi_state_owner(uaddr, q, NULL); |
1612 | - goto out; |
1613 | - } |
1614 | + if (q->pi_state->owner == current) |
1615 | + return fixup_pi_state_owner(uaddr, q, NULL); |
1616 | |
1617 | /* |
1618 | * Paranoia check. If we did not take the lock, then we should not be |
1619 | @@ -2483,8 +2624,7 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) |
1620 | if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current)) |
1621 | return fixup_pi_state_owner(uaddr, q, current); |
1622 | |
1623 | -out: |
1624 | - return ret ? ret : locked; |
1625 | + return 0; |
1626 | } |
1627 | |
1628 | /** |
1629 | @@ -3106,6 +3246,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, |
1630 | */ |
1631 | put_pi_state(q.pi_state); |
1632 | spin_unlock(q.lock_ptr); |
1633 | + /* |
1634 | + * Adjust the return value. It's either -EFAULT or |
1635 | + * success (1) but the caller expects 0 for success. |
1636 | + */ |
1637 | + ret = ret < 0 ? ret : 0; |
1638 | } |
1639 | } else { |
1640 | struct rt_mutex *pi_mutex; |
1641 | diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c |
1642 | index 16ca877745f62..ce49b62b08346 100644 |
1643 | --- a/kernel/trace/ftrace.c |
1644 | +++ b/kernel/trace/ftrace.c |
1645 | @@ -5803,7 +5803,6 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) |
1646 | } |
1647 | |
1648 | if (t->ret_stack == NULL) { |
1649 | - atomic_set(&t->tracing_graph_pause, 0); |
1650 | atomic_set(&t->trace_overrun, 0); |
1651 | t->curr_ret_stack = -1; |
1652 | /* Make sure the tasks see the -1 first: */ |
1653 | @@ -6015,7 +6014,6 @@ static DEFINE_PER_CPU(struct ftrace_ret_stack *, idle_ret_stack); |
1654 | static void |
1655 | graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) |
1656 | { |
1657 | - atomic_set(&t->tracing_graph_pause, 0); |
1658 | atomic_set(&t->trace_overrun, 0); |
1659 | t->ftrace_timestamp = 0; |
1660 | /* make curr_ret_stack visible before we add the ret_stack */ |
1661 | diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c |
1662 | index 005929d13c7db..b87ab105fa22b 100644 |
1663 | --- a/kernel/trace/trace.c |
1664 | +++ b/kernel/trace/trace.c |
1665 | @@ -2090,7 +2090,7 @@ trace_event_buffer_lock_reserve(struct ring_buffer **current_rb, |
1666 | (entry = this_cpu_read(trace_buffered_event))) { |
1667 | /* Try to use the per cpu buffer first */ |
1668 | val = this_cpu_inc_return(trace_buffered_event_cnt); |
1669 | - if (val == 1) { |
1670 | + if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { |
1671 | trace_event_setup(entry, type, flags, pc); |
1672 | entry->array[0] = len; |
1673 | return entry; |
1674 | diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c |
1675 | index 5bf072e437c41..1499b2c2799c7 100644 |
1676 | --- a/kernel/trace/trace_events.c |
1677 | +++ b/kernel/trace/trace_events.c |
1678 | @@ -1105,7 +1105,8 @@ system_enable_read(struct file *filp, char __user *ubuf, size_t cnt, |
1679 | mutex_lock(&event_mutex); |
1680 | list_for_each_entry(file, &tr->events, list) { |
1681 | call = file->event_call; |
1682 | - if (!trace_event_name(call) || !call->class || !call->class->reg) |
1683 | + if ((call->flags & TRACE_EVENT_FL_IGNORE_ENABLE) || |
1684 | + !trace_event_name(call) || !call->class || !call->class->reg) |
1685 | continue; |
1686 | |
1687 | if (system && strcmp(call->class->system, system->name) != 0) |
1688 | diff --git a/lib/string.c b/lib/string.c |
1689 | index d099762a9bd60..8fe13371aed7a 100644 |
1690 | --- a/lib/string.c |
1691 | +++ b/lib/string.c |
1692 | @@ -157,11 +157,9 @@ EXPORT_SYMBOL(strlcpy); |
1693 | * @src: Where to copy the string from |
1694 | * @count: Size of destination buffer |
1695 | * |
1696 | - * Copy the string, or as much of it as fits, into the dest buffer. |
1697 | - * The routine returns the number of characters copied (not including |
1698 | - * the trailing NUL) or -E2BIG if the destination buffer wasn't big enough. |
1699 | - * The behavior is undefined if the string buffers overlap. |
1700 | - * The destination buffer is always NUL terminated, unless it's zero-sized. |
1701 | + * Copy the string, or as much of it as fits, into the dest buffer. The |
1702 | + * behavior is undefined if the string buffers overlap. The destination |
1703 | + * buffer is always NUL terminated, unless it's zero-sized. |
1704 | * |
1705 | * Preferred to strlcpy() since the API doesn't require reading memory |
1706 | * from the src string beyond the specified "count" bytes, and since |
1707 | @@ -171,8 +169,10 @@ EXPORT_SYMBOL(strlcpy); |
1708 | * |
1709 | * Preferred to strncpy() since it always returns a valid string, and |
1710 | * doesn't unnecessarily force the tail of the destination buffer to be |
1711 | - * zeroed. If the zeroing is desired, it's likely cleaner to use strscpy() |
1712 | - * with an overflow test, then just memset() the tail of the dest buffer. |
1713 | + * zeroed. If zeroing is desired please use strscpy_pad(). |
1714 | + * |
1715 | + * Return: The number of characters copied (not including the trailing |
1716 | + * %NUL) or -E2BIG if the destination buffer wasn't big enough. |
1717 | */ |
1718 | ssize_t strscpy(char *dest, const char *src, size_t count) |
1719 | { |
1720 | @@ -259,6 +259,39 @@ char *stpcpy(char *__restrict__ dest, const char *__restrict__ src) |
1721 | } |
1722 | EXPORT_SYMBOL(stpcpy); |
1723 | |
1724 | +/** |
1725 | + * strscpy_pad() - Copy a C-string into a sized buffer |
1726 | + * @dest: Where to copy the string to |
1727 | + * @src: Where to copy the string from |
1728 | + * @count: Size of destination buffer |
1729 | + * |
1730 | + * Copy the string, or as much of it as fits, into the dest buffer. The |
1731 | + * behavior is undefined if the string buffers overlap. The destination |
1732 | + * buffer is always %NUL terminated, unless it's zero-sized. |
1733 | + * |
1734 | + * If the source string is shorter than the destination buffer, zeros |
1735 | + * the tail of the destination buffer. |
1736 | + * |
1737 | + * For full explanation of why you may want to consider using the |
1738 | + * 'strscpy' functions please see the function docstring for strscpy(). |
1739 | + * |
1740 | + * Return: The number of characters copied (not including the trailing |
1741 | + * %NUL) or -E2BIG if the destination buffer wasn't big enough. |
1742 | + */ |
1743 | +ssize_t strscpy_pad(char *dest, const char *src, size_t count) |
1744 | +{ |
1745 | + ssize_t written; |
1746 | + |
1747 | + written = strscpy(dest, src, count); |
1748 | + if (written < 0 || written == count - 1) |
1749 | + return written; |
1750 | + |
1751 | + memset(dest + written + 1, 0, count - written - 1); |
1752 | + |
1753 | + return written; |
1754 | +} |
1755 | +EXPORT_SYMBOL(strscpy_pad); |
1756 | + |
1757 | #ifndef __HAVE_ARCH_STRCAT |
1758 | /** |
1759 | * strcat - Append one %NUL-terminated string to another |
1760 | diff --git a/mm/backing-dev.c b/mm/backing-dev.c |
1761 | index 113b7d3170799..aad61d0175a1c 100644 |
1762 | --- a/mm/backing-dev.c |
1763 | +++ b/mm/backing-dev.c |
1764 | @@ -21,6 +21,7 @@ struct backing_dev_info noop_backing_dev_info = { |
1765 | EXPORT_SYMBOL_GPL(noop_backing_dev_info); |
1766 | |
1767 | static struct class *bdi_class; |
1768 | +const char *bdi_unknown_name = "(unknown)"; |
1769 | |
1770 | /* |
1771 | * bdi_lock protects updates to bdi_list. bdi_list has RCU reader side |
1772 | diff --git a/mm/memblock.c b/mm/memblock.c |
1773 | index 42b98af6a4158..e43065b13c08c 100644 |
1774 | --- a/mm/memblock.c |
1775 | +++ b/mm/memblock.c |
1776 | @@ -186,14 +186,6 @@ __memblock_find_range_top_down(phys_addr_t start, phys_addr_t end, |
1777 | * |
1778 | * Find @size free area aligned to @align in the specified range and node. |
1779 | * |
1780 | - * When allocation direction is bottom-up, the @start should be greater |
1781 | - * than the end of the kernel image. Otherwise, it will be trimmed. The |
1782 | - * reason is that we want the bottom-up allocation just near the kernel |
1783 | - * image so it is highly likely that the allocated memory and the kernel |
1784 | - * will reside in the same node. |
1785 | - * |
1786 | - * If bottom-up allocation failed, will try to allocate memory top-down. |
1787 | - * |
1788 | * RETURNS: |
1789 | * Found address on success, 0 on failure. |
1790 | */ |
1791 | @@ -201,8 +193,6 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, |
1792 | phys_addr_t align, phys_addr_t start, |
1793 | phys_addr_t end, int nid, ulong flags) |
1794 | { |
1795 | - phys_addr_t kernel_end, ret; |
1796 | - |
1797 | /* pump up @end */ |
1798 | if (end == MEMBLOCK_ALLOC_ACCESSIBLE) |
1799 | end = memblock.current_limit; |
1800 | @@ -210,39 +200,13 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, |
1801 | /* avoid allocating the first page */ |
1802 | start = max_t(phys_addr_t, start, PAGE_SIZE); |
1803 | end = max(start, end); |
1804 | - kernel_end = __pa_symbol(_end); |
1805 | - |
1806 | - /* |
1807 | - * try bottom-up allocation only when bottom-up mode |
1808 | - * is set and @end is above the kernel image. |
1809 | - */ |
1810 | - if (memblock_bottom_up() && end > kernel_end) { |
1811 | - phys_addr_t bottom_up_start; |
1812 | - |
1813 | - /* make sure we will allocate above the kernel */ |
1814 | - bottom_up_start = max(start, kernel_end); |
1815 | |
1816 | - /* ok, try bottom-up allocation first */ |
1817 | - ret = __memblock_find_range_bottom_up(bottom_up_start, end, |
1818 | - size, align, nid, flags); |
1819 | - if (ret) |
1820 | - return ret; |
1821 | - |
1822 | - /* |
1823 | - * we always limit bottom-up allocation above the kernel, |
1824 | - * but top-down allocation doesn't have the limit, so |
1825 | - * retrying top-down allocation may succeed when bottom-up |
1826 | - * allocation failed. |
1827 | - * |
1828 | - * bottom-up allocation is expected to be fail very rarely, |
1829 | - * so we use WARN_ONCE() here to see the stack trace if |
1830 | - * fail happens. |
1831 | - */ |
1832 | - WARN_ONCE(1, "memblock: bottom-up allocation failed, memory hotunplug may be affected\n"); |
1833 | - } |
1834 | - |
1835 | - return __memblock_find_range_top_down(start, end, size, align, nid, |
1836 | - flags); |
1837 | + if (memblock_bottom_up()) |
1838 | + return __memblock_find_range_bottom_up(start, end, size, align, |
1839 | + nid, flags); |
1840 | + else |
1841 | + return __memblock_find_range_top_down(start, end, size, align, |
1842 | + nid, flags); |
1843 | } |
1844 | |
1845 | /** |
1846 | diff --git a/mm/memcontrol.c b/mm/memcontrol.c |
1847 | index d4232744c59f1..27b0b4f03fcdc 100644 |
1848 | --- a/mm/memcontrol.c |
1849 | +++ b/mm/memcontrol.c |
1850 | @@ -1638,9 +1638,13 @@ cleanup: |
1851 | * @page: the page |
1852 | * |
1853 | * This function protects unlocked LRU pages from being moved to |
1854 | - * another cgroup and stabilizes their page->mem_cgroup binding. |
1855 | + * another cgroup. |
1856 | + * |
1857 | + * It ensures lifetime of the returned memcg. Caller is responsible |
1858 | + * for the lifetime of the page; __unlock_page_memcg() is available |
1859 | + * when @page might get freed inside the locked section. |
1860 | */ |
1861 | -void lock_page_memcg(struct page *page) |
1862 | +struct mem_cgroup *lock_page_memcg(struct page *page) |
1863 | { |
1864 | struct mem_cgroup *memcg; |
1865 | unsigned long flags; |
1866 | @@ -1649,18 +1653,24 @@ void lock_page_memcg(struct page *page) |
1867 | * The RCU lock is held throughout the transaction. The fast |
1868 | * path can get away without acquiring the memcg->move_lock |
1869 | * because page moving starts with an RCU grace period. |
1870 | - */ |
1871 | + * |
1872 | + * The RCU lock also protects the memcg from being freed when |
1873 | + * the page state that is going to change is the only thing |
1874 | + * preventing the page itself from being freed. E.g. writeback |
1875 | + * doesn't hold a page reference and relies on PG_writeback to |
1876 | + * keep off truncation, migration and so forth. |
1877 | + */ |
1878 | rcu_read_lock(); |
1879 | |
1880 | if (mem_cgroup_disabled()) |
1881 | - return; |
1882 | + return NULL; |
1883 | again: |
1884 | memcg = page->mem_cgroup; |
1885 | if (unlikely(!memcg)) |
1886 | - return; |
1887 | + return NULL; |
1888 | |
1889 | if (atomic_read(&memcg->moving_account) <= 0) |
1890 | - return; |
1891 | + return memcg; |
1892 | |
1893 | spin_lock_irqsave(&memcg->move_lock, flags); |
1894 | if (memcg != page->mem_cgroup) { |
1895 | @@ -1676,18 +1686,18 @@ again: |
1896 | memcg->move_lock_task = current; |
1897 | memcg->move_lock_flags = flags; |
1898 | |
1899 | - return; |
1900 | + return memcg; |
1901 | } |
1902 | EXPORT_SYMBOL(lock_page_memcg); |
1903 | |
1904 | /** |
1905 | - * unlock_page_memcg - unlock a page->mem_cgroup binding |
1906 | - * @page: the page |
1907 | + * __unlock_page_memcg - unlock and unpin a memcg |
1908 | + * @memcg: the memcg |
1909 | + * |
1910 | + * Unlock and unpin a memcg returned by lock_page_memcg(). |
1911 | */ |
1912 | -void unlock_page_memcg(struct page *page) |
1913 | +void __unlock_page_memcg(struct mem_cgroup *memcg) |
1914 | { |
1915 | - struct mem_cgroup *memcg = page->mem_cgroup; |
1916 | - |
1917 | if (memcg && memcg->move_lock_task == current) { |
1918 | unsigned long flags = memcg->move_lock_flags; |
1919 | |
1920 | @@ -1699,6 +1709,15 @@ void unlock_page_memcg(struct page *page) |
1921 | |
1922 | rcu_read_unlock(); |
1923 | } |
1924 | + |
1925 | +/** |
1926 | + * unlock_page_memcg - unlock a page->mem_cgroup binding |
1927 | + * @page: the page |
1928 | + */ |
1929 | +void unlock_page_memcg(struct page *page) |
1930 | +{ |
1931 | + __unlock_page_memcg(page->mem_cgroup); |
1932 | +} |
1933 | EXPORT_SYMBOL(unlock_page_memcg); |
1934 | |
1935 | /* |
1936 | diff --git a/mm/page-writeback.c b/mm/page-writeback.c |
1937 | index 462c778b9fb55..498c924f2fcd6 100644 |
1938 | --- a/mm/page-writeback.c |
1939 | +++ b/mm/page-writeback.c |
1940 | @@ -2717,9 +2717,10 @@ EXPORT_SYMBOL(clear_page_dirty_for_io); |
1941 | int test_clear_page_writeback(struct page *page) |
1942 | { |
1943 | struct address_space *mapping = page_mapping(page); |
1944 | + struct mem_cgroup *memcg; |
1945 | int ret; |
1946 | |
1947 | - lock_page_memcg(page); |
1948 | + memcg = lock_page_memcg(page); |
1949 | if (mapping && mapping_use_writeback_tags(mapping)) { |
1950 | struct inode *inode = mapping->host; |
1951 | struct backing_dev_info *bdi = inode_to_bdi(inode); |
1952 | @@ -2747,13 +2748,20 @@ int test_clear_page_writeback(struct page *page) |
1953 | } else { |
1954 | ret = TestClearPageWriteback(page); |
1955 | } |
1956 | + /* |
1957 | + * NOTE: Page might be free now! Writeback doesn't hold a page |
1958 | + * reference on its own, it relies on truncation to wait for |
1959 | + * the clearing of PG_writeback. The below can only access |
1960 | + * page state that is static across allocation cycles. |
1961 | + */ |
1962 | if (ret) { |
1963 | - mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_WRITEBACK); |
1964 | + __mem_cgroup_update_page_stat(page, memcg, |
1965 | + MEM_CGROUP_STAT_WRITEBACK, -1); |
1966 | dec_node_page_state(page, NR_WRITEBACK); |
1967 | dec_zone_page_state(page, NR_ZONE_WRITE_PENDING); |
1968 | inc_node_page_state(page, NR_WRITTEN); |
1969 | } |
1970 | - unlock_page_memcg(page); |
1971 | + __unlock_page_memcg(memcg); |
1972 | return ret; |
1973 | } |
1974 | |
1975 | diff --git a/net/key/af_key.c b/net/key/af_key.c |
1976 | index 76a008b1cbe5f..adc93329e6aac 100644 |
1977 | --- a/net/key/af_key.c |
1978 | +++ b/net/key/af_key.c |
1979 | @@ -2933,7 +2933,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t) |
1980 | break; |
1981 | if (!aalg->pfkey_supported) |
1982 | continue; |
1983 | - if (aalg_tmpl_set(t, aalg) && aalg->available) |
1984 | + if (aalg_tmpl_set(t, aalg)) |
1985 | sz += sizeof(struct sadb_comb); |
1986 | } |
1987 | return sz + sizeof(struct sadb_prop); |
1988 | @@ -2951,7 +2951,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) |
1989 | if (!ealg->pfkey_supported) |
1990 | continue; |
1991 | |
1992 | - if (!(ealg_tmpl_set(t, ealg) && ealg->available)) |
1993 | + if (!(ealg_tmpl_set(t, ealg))) |
1994 | continue; |
1995 | |
1996 | for (k = 1; ; k++) { |
1997 | @@ -2962,7 +2962,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t) |
1998 | if (!aalg->pfkey_supported) |
1999 | continue; |
2000 | |
2001 | - if (aalg_tmpl_set(t, aalg) && aalg->available) |
2002 | + if (aalg_tmpl_set(t, aalg)) |
2003 | sz += sizeof(struct sadb_comb); |
2004 | } |
2005 | } |
2006 | diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c |
2007 | index d507d0fc7858a..ddd90a3820d39 100644 |
2008 | --- a/net/netfilter/nf_conntrack_core.c |
2009 | +++ b/net/netfilter/nf_conntrack_core.c |
2010 | @@ -903,7 +903,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, |
2011 | * Let nf_ct_resolve_clash() deal with this later. |
2012 | */ |
2013 | if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, |
2014 | - &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) |
2015 | + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && |
2016 | + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) |
2017 | continue; |
2018 | |
2019 | NF_CT_STAT_INC_ATOMIC(net, found); |
2020 | diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c |
2021 | index 79d7ad621a80f..03c8bd854e56a 100644 |
2022 | --- a/net/netfilter/xt_recent.c |
2023 | +++ b/net/netfilter/xt_recent.c |
2024 | @@ -155,7 +155,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e) |
2025 | /* |
2026 | * Drop entries with timestamps older then 'time'. |
2027 | */ |
2028 | -static void recent_entry_reap(struct recent_table *t, unsigned long time) |
2029 | +static void recent_entry_reap(struct recent_table *t, unsigned long time, |
2030 | + struct recent_entry *working, bool update) |
2031 | { |
2032 | struct recent_entry *e; |
2033 | |
2034 | @@ -164,6 +165,12 @@ static void recent_entry_reap(struct recent_table *t, unsigned long time) |
2035 | */ |
2036 | e = list_entry(t->lru_list.next, struct recent_entry, lru_list); |
2037 | |
2038 | + /* |
2039 | + * Do not reap the entry which are going to be updated. |
2040 | + */ |
2041 | + if (e == working && update) |
2042 | + return; |
2043 | + |
2044 | /* |
2045 | * The last time stamp is the most recent. |
2046 | */ |
2047 | @@ -306,7 +313,8 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) |
2048 | |
2049 | /* info->seconds must be non-zero */ |
2050 | if (info->check_set & XT_RECENT_REAP) |
2051 | - recent_entry_reap(t, time); |
2052 | + recent_entry_reap(t, time, e, |
2053 | + info->check_set & XT_RECENT_UPDATE && ret); |
2054 | } |
2055 | |
2056 | if (info->check_set & XT_RECENT_SET || |
2057 | diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c |
2058 | index 591d378d1a188..1d00f49dfe48d 100644 |
2059 | --- a/net/sunrpc/auth_gss/auth_gss.c |
2060 | +++ b/net/sunrpc/auth_gss/auth_gss.c |
2061 | @@ -53,6 +53,7 @@ |
2062 | #include <asm/uaccess.h> |
2063 | #include <linux/hashtable.h> |
2064 | |
2065 | +#include "auth_gss_internal.h" |
2066 | #include "../netns.h" |
2067 | |
2068 | static const struct rpc_authops authgss_ops; |
2069 | @@ -147,35 +148,6 @@ gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx) |
2070 | clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags); |
2071 | } |
2072 | |
2073 | -static const void * |
2074 | -simple_get_bytes(const void *p, const void *end, void *res, size_t len) |
2075 | -{ |
2076 | - const void *q = (const void *)((const char *)p + len); |
2077 | - if (unlikely(q > end || q < p)) |
2078 | - return ERR_PTR(-EFAULT); |
2079 | - memcpy(res, p, len); |
2080 | - return q; |
2081 | -} |
2082 | - |
2083 | -static inline const void * |
2084 | -simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) |
2085 | -{ |
2086 | - const void *q; |
2087 | - unsigned int len; |
2088 | - |
2089 | - p = simple_get_bytes(p, end, &len, sizeof(len)); |
2090 | - if (IS_ERR(p)) |
2091 | - return p; |
2092 | - q = (const void *)((const char *)p + len); |
2093 | - if (unlikely(q > end || q < p)) |
2094 | - return ERR_PTR(-EFAULT); |
2095 | - dest->data = kmemdup(p, len, GFP_NOFS); |
2096 | - if (unlikely(dest->data == NULL)) |
2097 | - return ERR_PTR(-ENOMEM); |
2098 | - dest->len = len; |
2099 | - return q; |
2100 | -} |
2101 | - |
2102 | static struct gss_cl_ctx * |
2103 | gss_cred_get_ctx(struct rpc_cred *cred) |
2104 | { |
2105 | diff --git a/net/sunrpc/auth_gss/auth_gss_internal.h b/net/sunrpc/auth_gss/auth_gss_internal.h |
2106 | new file mode 100644 |
2107 | index 0000000000000..f6d9631bd9d00 |
2108 | --- /dev/null |
2109 | +++ b/net/sunrpc/auth_gss/auth_gss_internal.h |
2110 | @@ -0,0 +1,45 @@ |
2111 | +// SPDX-License-Identifier: BSD-3-Clause |
2112 | +/* |
2113 | + * linux/net/sunrpc/auth_gss/auth_gss_internal.h |
2114 | + * |
2115 | + * Internal definitions for RPCSEC_GSS client authentication |
2116 | + * |
2117 | + * Copyright (c) 2000 The Regents of the University of Michigan. |
2118 | + * All rights reserved. |
2119 | + * |
2120 | + */ |
2121 | +#include <linux/err.h> |
2122 | +#include <linux/string.h> |
2123 | +#include <linux/sunrpc/xdr.h> |
2124 | + |
2125 | +static inline const void * |
2126 | +simple_get_bytes(const void *p, const void *end, void *res, size_t len) |
2127 | +{ |
2128 | + const void *q = (const void *)((const char *)p + len); |
2129 | + if (unlikely(q > end || q < p)) |
2130 | + return ERR_PTR(-EFAULT); |
2131 | + memcpy(res, p, len); |
2132 | + return q; |
2133 | +} |
2134 | + |
2135 | +static inline const void * |
2136 | +simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) |
2137 | +{ |
2138 | + const void *q; |
2139 | + unsigned int len; |
2140 | + |
2141 | + p = simple_get_bytes(p, end, &len, sizeof(len)); |
2142 | + if (IS_ERR(p)) |
2143 | + return p; |
2144 | + q = (const void *)((const char *)p + len); |
2145 | + if (unlikely(q > end || q < p)) |
2146 | + return ERR_PTR(-EFAULT); |
2147 | + if (len) { |
2148 | + dest->data = kmemdup(p, len, GFP_NOFS); |
2149 | + if (unlikely(dest->data == NULL)) |
2150 | + return ERR_PTR(-ENOMEM); |
2151 | + } else |
2152 | + dest->data = NULL; |
2153 | + dest->len = len; |
2154 | + return q; |
2155 | +} |
2156 | diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c |
2157 | index 60595835317af..ea2f6022b3d5d 100644 |
2158 | --- a/net/sunrpc/auth_gss/gss_krb5_mech.c |
2159 | +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c |
2160 | @@ -46,6 +46,8 @@ |
2161 | #include <linux/sunrpc/xdr.h> |
2162 | #include <linux/sunrpc/gss_krb5_enctypes.h> |
2163 | |
2164 | +#include "auth_gss_internal.h" |
2165 | + |
2166 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
2167 | # define RPCDBG_FACILITY RPCDBG_AUTH |
2168 | #endif |
2169 | @@ -187,35 +189,6 @@ get_gss_krb5_enctype(int etype) |
2170 | return NULL; |
2171 | } |
2172 | |
2173 | -static const void * |
2174 | -simple_get_bytes(const void *p, const void *end, void *res, int len) |
2175 | -{ |
2176 | - const void *q = (const void *)((const char *)p + len); |
2177 | - if (unlikely(q > end || q < p)) |
2178 | - return ERR_PTR(-EFAULT); |
2179 | - memcpy(res, p, len); |
2180 | - return q; |
2181 | -} |
2182 | - |
2183 | -static const void * |
2184 | -simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) |
2185 | -{ |
2186 | - const void *q; |
2187 | - unsigned int len; |
2188 | - |
2189 | - p = simple_get_bytes(p, end, &len, sizeof(len)); |
2190 | - if (IS_ERR(p)) |
2191 | - return p; |
2192 | - q = (const void *)((const char *)p + len); |
2193 | - if (unlikely(q > end || q < p)) |
2194 | - return ERR_PTR(-EFAULT); |
2195 | - res->data = kmemdup(p, len, GFP_NOFS); |
2196 | - if (unlikely(res->data == NULL)) |
2197 | - return ERR_PTR(-ENOMEM); |
2198 | - res->len = len; |
2199 | - return q; |
2200 | -} |
2201 | - |
2202 | static inline const void * |
2203 | get_key(const void *p, const void *end, |
2204 | struct krb5_ctx *ctx, struct crypto_skcipher **res) |
2205 | diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c |
2206 | index 3a2543b9701a9..bd3a5ef8e59b9 100644 |
2207 | --- a/net/vmw_vsock/af_vsock.c |
2208 | +++ b/net/vmw_vsock/af_vsock.c |
2209 | @@ -830,10 +830,12 @@ static int vsock_shutdown(struct socket *sock, int mode) |
2210 | */ |
2211 | |
2212 | sk = sock->sk; |
2213 | + |
2214 | + lock_sock(sk); |
2215 | if (sock->state == SS_UNCONNECTED) { |
2216 | err = -ENOTCONN; |
2217 | if (sk->sk_type == SOCK_STREAM) |
2218 | - return err; |
2219 | + goto out; |
2220 | } else { |
2221 | sock->state = SS_DISCONNECTING; |
2222 | err = 0; |
2223 | @@ -842,10 +844,8 @@ static int vsock_shutdown(struct socket *sock, int mode) |
2224 | /* Receive and send shutdowns are treated alike. */ |
2225 | mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN); |
2226 | if (mode) { |
2227 | - lock_sock(sk); |
2228 | sk->sk_shutdown |= mode; |
2229 | sk->sk_state_change(sk); |
2230 | - release_sock(sk); |
2231 | |
2232 | if (sk->sk_type == SOCK_STREAM) { |
2233 | sock_reset_flag(sk, SOCK_DONE); |
2234 | @@ -853,6 +853,8 @@ static int vsock_shutdown(struct socket *sock, int mode) |
2235 | } |
2236 | } |
2237 | |
2238 | +out: |
2239 | + release_sock(sk); |
2240 | return err; |
2241 | } |
2242 | |
2243 | @@ -1121,7 +1123,6 @@ static void vsock_connect_timeout(struct work_struct *work) |
2244 | { |
2245 | struct sock *sk; |
2246 | struct vsock_sock *vsk; |
2247 | - int cancel = 0; |
2248 | |
2249 | vsk = container_of(work, struct vsock_sock, connect_work.work); |
2250 | sk = sk_vsock(vsk); |
2251 | @@ -1132,11 +1133,9 @@ static void vsock_connect_timeout(struct work_struct *work) |
2252 | sk->sk_state = SS_UNCONNECTED; |
2253 | sk->sk_err = ETIMEDOUT; |
2254 | sk->sk_error_report(sk); |
2255 | - cancel = 1; |
2256 | + vsock_transport_cancel_pkt(vsk); |
2257 | } |
2258 | release_sock(sk); |
2259 | - if (cancel) |
2260 | - vsock_transport_cancel_pkt(vsk); |
2261 | |
2262 | sock_put(sk); |
2263 | } |
2264 | diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c |
2265 | index aa9d1c7780c3d..5f7bcc7da460d 100644 |
2266 | --- a/net/vmw_vsock/virtio_transport_common.c |
2267 | +++ b/net/vmw_vsock/virtio_transport_common.c |
2268 | @@ -959,10 +959,10 @@ void virtio_transport_recv_pkt(struct virtio_vsock_pkt *pkt) |
2269 | |
2270 | vsk = vsock_sk(sk); |
2271 | |
2272 | - space_available = virtio_transport_space_update(sk, pkt); |
2273 | - |
2274 | lock_sock(sk); |
2275 | |
2276 | + space_available = virtio_transport_space_update(sk, pkt); |
2277 | + |
2278 | /* Update CID in case it has changed after a transport reset event */ |
2279 | vsk->local_addr.svm_cid = dst.svm_cid; |
2280 | |
2281 | diff --git a/scripts/Makefile.build b/scripts/Makefile.build |
2282 | index 6228a83156ea1..f8ee4e33a085f 100644 |
2283 | --- a/scripts/Makefile.build |
2284 | +++ b/scripts/Makefile.build |
2285 | @@ -222,6 +222,8 @@ cmd_modversions_c = \ |
2286 | endif |
2287 | |
2288 | ifdef CONFIG_FTRACE_MCOUNT_RECORD |
2289 | +ifndef CC_USING_RECORD_MCOUNT |
2290 | +# compiler will not generate __mcount_loc use recordmcount or recordmcount.pl |
2291 | ifdef BUILD_C_RECORDMCOUNT |
2292 | ifeq ("$(origin RECORDMCOUNT_WARN)", "command line") |
2293 | RECORDMCOUNT_FLAGS = -w |
2294 | @@ -250,6 +252,7 @@ cmd_record_mcount = \ |
2295 | "$(CC_FLAGS_FTRACE)" ]; then \ |
2296 | $(sub_cmd_record_mcount) \ |
2297 | fi; |
2298 | +endif # CC_USING_RECORD_MCOUNT |
2299 | endif |
2300 | |
2301 | ifdef CONFIG_STACK_VALIDATION |
2302 | diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c |
2303 | index 5bddabb3de7c3..db859b595dba1 100644 |
2304 | --- a/virt/kvm/kvm_main.c |
2305 | +++ b/virt/kvm/kvm_main.c |
2306 | @@ -382,9 +382,8 @@ static void kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn, |
2307 | */ |
2308 | kvm->mmu_notifier_count++; |
2309 | need_tlb_flush = kvm_unmap_hva_range(kvm, start, end); |
2310 | - need_tlb_flush |= kvm->tlbs_dirty; |
2311 | /* we've to flush the tlb before the pages can be freed */ |
2312 | - if (need_tlb_flush) |
2313 | + if (need_tlb_flush || kvm->tlbs_dirty) |
2314 | kvm_flush_remote_tlbs(kvm); |
2315 | |
2316 | spin_unlock(&kvm->mmu_lock); |