Contents of /trunk/kernel-alx-legacy/patches-4.9/0399-4.9.300-all-fixes.patch
Parent Directory | Revision Log
Revision 3701 -
(show annotations)
(download)
Mon Oct 24 14:08:15 2022 UTC (18 months, 1 week ago) by niro
File size: 47247 byte(s)
Mon Oct 24 14:08:15 2022 UTC (18 months, 1 week ago) by niro
File size: 47247 byte(s)
-linux-4.9.300
1 | diff --git a/Makefile b/Makefile |
2 | index 99d37c23495ef..52e73f525a442 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,6 +1,6 @@ |
6 | VERSION = 4 |
7 | PATCHLEVEL = 9 |
8 | -SUBLEVEL = 299 |
9 | +SUBLEVEL = 300 |
10 | EXTRAVERSION = |
11 | NAME = Roaring Lionus |
12 | |
13 | diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile |
14 | index d80fbf0884ffa..bc6c85788b84f 100644 |
15 | --- a/arch/powerpc/kernel/Makefile |
16 | +++ b/arch/powerpc/kernel/Makefile |
17 | @@ -14,6 +14,7 @@ CFLAGS_prom_init.o += -fPIC |
18 | CFLAGS_btext.o += -fPIC |
19 | endif |
20 | |
21 | +CFLAGS_setup_32.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
22 | CFLAGS_cputable.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
23 | CFLAGS_prom_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
24 | CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
25 | diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile |
26 | index 309361e865233..3e3370d126aea 100644 |
27 | --- a/arch/powerpc/lib/Makefile |
28 | +++ b/arch/powerpc/lib/Makefile |
29 | @@ -9,6 +9,9 @@ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC) |
30 | CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE) |
31 | CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE) |
32 | |
33 | +CFLAGS_code-patching.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
34 | +CFLAGS_feature-fixups.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
35 | + |
36 | obj-y += string.o alloc.o crtsavres.o code-patching.o \ |
37 | feature-fixups.o |
38 | |
39 | diff --git a/arch/s390/hypfs/hypfs_vm.c b/arch/s390/hypfs/hypfs_vm.c |
40 | index 012919d9833bb..9fed1308670dc 100644 |
41 | --- a/arch/s390/hypfs/hypfs_vm.c |
42 | +++ b/arch/s390/hypfs/hypfs_vm.c |
43 | @@ -19,6 +19,7 @@ |
44 | |
45 | static char local_guest[] = " "; |
46 | static char all_guests[] = "* "; |
47 | +static char *all_groups = all_guests; |
48 | static char *guest_query; |
49 | |
50 | struct diag2fc_data { |
51 | @@ -61,10 +62,11 @@ static int diag2fc(int size, char* query, void *addr) |
52 | |
53 | memcpy(parm_list.userid, query, NAME_LEN); |
54 | ASCEBC(parm_list.userid, NAME_LEN); |
55 | - parm_list.addr = (unsigned long) addr ; |
56 | + memcpy(parm_list.aci_grp, all_groups, NAME_LEN); |
57 | + ASCEBC(parm_list.aci_grp, NAME_LEN); |
58 | + parm_list.addr = (unsigned long)addr; |
59 | parm_list.size = size; |
60 | parm_list.fmt = 0x02; |
61 | - memset(parm_list.aci_grp, 0x40, NAME_LEN); |
62 | rc = -1; |
63 | |
64 | diag_stat_inc(DIAG_STAT_X2FC); |
65 | diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c |
66 | index 6037efa94c9ba..6d10bbc65ad3f 100644 |
67 | --- a/drivers/edac/altera_edac.c |
68 | +++ b/drivers/edac/altera_edac.c |
69 | @@ -363,7 +363,7 @@ static int altr_sdram_probe(struct platform_device *pdev) |
70 | if (irq < 0) { |
71 | edac_printk(KERN_ERR, EDAC_MC, |
72 | "No irq %d in DT\n", irq); |
73 | - return -ENODEV; |
74 | + return irq; |
75 | } |
76 | |
77 | /* Arria10 has a 2nd IRQ */ |
78 | diff --git a/drivers/edac/xgene_edac.c b/drivers/edac/xgene_edac.c |
79 | index bf19b6e3bd129..771927d2b5ded 100644 |
80 | --- a/drivers/edac/xgene_edac.c |
81 | +++ b/drivers/edac/xgene_edac.c |
82 | @@ -1936,7 +1936,7 @@ static int xgene_edac_probe(struct platform_device *pdev) |
83 | irq = platform_get_irq(pdev, i); |
84 | if (irq < 0) { |
85 | dev_err(&pdev->dev, "No IRQ resource\n"); |
86 | - rc = -EINVAL; |
87 | + rc = irq; |
88 | goto out_err; |
89 | } |
90 | rc = devm_request_irq(&pdev->dev, irq, |
91 | diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c |
92 | index ce32f41fc28aa..94fded3daaa30 100644 |
93 | --- a/drivers/gpu/drm/msm/msm_drv.c |
94 | +++ b/drivers/gpu/drm/msm/msm_drv.c |
95 | @@ -297,7 +297,7 @@ static int msm_init_vram(struct drm_device *dev) |
96 | of_node_put(node); |
97 | if (ret) |
98 | return ret; |
99 | - size = r.end - r.start; |
100 | + size = r.end - r.start + 1; |
101 | DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); |
102 | |
103 | /* if we have no IOMMU, then we need to use carveout allocator. |
104 | diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
105 | index f3c30b2a788e8..8bff14ae16b0e 100644 |
106 | --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
107 | +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
108 | @@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size) |
109 | *addr += bios->imaged_addr; |
110 | } |
111 | |
112 | - if (unlikely(*addr + size >= bios->size)) { |
113 | + if (unlikely(*addr + size > bios->size)) { |
114 | nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); |
115 | return false; |
116 | } |
117 | diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c |
118 | index 1e9f029a328a6..d899ae5470fa2 100644 |
119 | --- a/drivers/hwmon/lm90.c |
120 | +++ b/drivers/hwmon/lm90.c |
121 | @@ -265,7 +265,7 @@ static const struct lm90_params lm90_params[] = { |
122 | .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT |
123 | | LM90_HAVE_BROKEN_ALERT, |
124 | .alert_alarms = 0x7c, |
125 | - .max_convrate = 8, |
126 | + .max_convrate = 7, |
127 | }, |
128 | [lm86] = { |
129 | .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT, |
130 | diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c |
131 | index a3279f303b499..45c809f3d24f4 100644 |
132 | --- a/drivers/iommu/amd_iommu_init.c |
133 | +++ b/drivers/iommu/amd_iommu_init.c |
134 | @@ -28,6 +28,7 @@ |
135 | #include <linux/amd-iommu.h> |
136 | #include <linux/export.h> |
137 | #include <linux/iommu.h> |
138 | +#include <linux/iopoll.h> |
139 | #include <asm/pci-direct.h> |
140 | #include <asm/iommu.h> |
141 | #include <asm/gart.h> |
142 | @@ -715,6 +716,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) |
143 | status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); |
144 | if (status & (MMIO_STATUS_GALOG_RUN_MASK)) |
145 | break; |
146 | + udelay(10); |
147 | } |
148 | |
149 | if (i >= LOOP_TIMEOUT) |
150 | diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
151 | index 1df7f5da8411f..d412d942cbdaf 100644 |
152 | --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
153 | +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
154 | @@ -494,7 +494,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata) |
155 | if (!channel->tx_ring) |
156 | break; |
157 | |
158 | + /* Deactivate the Tx timer */ |
159 | del_timer_sync(&channel->tx_timer); |
160 | + channel->tx_timer_active = 0; |
161 | } |
162 | } |
163 | |
164 | @@ -1966,6 +1968,14 @@ read_again: |
165 | buf2_len = xgbe_rx_buf2_len(rdata, packet, len); |
166 | len += buf2_len; |
167 | |
168 | + if (buf2_len > rdata->rx.buf.dma_len) { |
169 | + /* Hardware inconsistency within the descriptors |
170 | + * that has resulted in a length underflow. |
171 | + */ |
172 | + error = 1; |
173 | + goto skip_data; |
174 | + } |
175 | + |
176 | if (!skb) { |
177 | skb = xgbe_create_skb(pdata, napi, rdata, |
178 | buf1_len); |
179 | @@ -1995,8 +2005,10 @@ skip_data: |
180 | if (!last || context_next) |
181 | goto read_again; |
182 | |
183 | - if (!skb) |
184 | + if (!skb || error) { |
185 | + dev_kfree_skb(skb); |
186 | goto next_packet; |
187 | + } |
188 | |
189 | /* Be sure we don't exceed the configured MTU */ |
190 | max_len = netdev->mtu + ETH_HLEN; |
191 | diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c |
192 | index 774b9db0c811f..0d3baa86cf176 100644 |
193 | --- a/drivers/net/macsec.c |
194 | +++ b/drivers/net/macsec.c |
195 | @@ -3230,6 +3230,15 @@ static int macsec_newlink(struct net *net, struct net_device *dev, |
196 | |
197 | macsec->real_dev = real_dev; |
198 | |
199 | + /* send_sci must be set to true when transmit sci explicitly is set */ |
200 | + if ((data && data[IFLA_MACSEC_SCI]) && |
201 | + (data && data[IFLA_MACSEC_INC_SCI])) { |
202 | + u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); |
203 | + |
204 | + if (!send_sci) |
205 | + return -EINVAL; |
206 | + } |
207 | + |
208 | if (data && data[IFLA_MACSEC_ICV_LEN]) |
209 | icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); |
210 | mtu = real_dev->mtu - icv_len - macsec_extra_len(true); |
211 | diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c |
212 | index 0cf5324d493e8..52ed3da64f01d 100644 |
213 | --- a/drivers/net/usb/ipheth.c |
214 | +++ b/drivers/net/usb/ipheth.c |
215 | @@ -173,7 +173,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone) |
216 | if (tx_buf == NULL) |
217 | goto free_rx_urb; |
218 | |
219 | - rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE, |
220 | + rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, |
221 | GFP_KERNEL, &rx_urb->transfer_dma); |
222 | if (rx_buf == NULL) |
223 | goto free_tx_buf; |
224 | @@ -198,7 +198,7 @@ error_nomem: |
225 | |
226 | static void ipheth_free_urbs(struct ipheth_device *iphone) |
227 | { |
228 | - usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf, |
229 | + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf, |
230 | iphone->rx_urb->transfer_dma); |
231 | usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf, |
232 | iphone->tx_urb->transfer_dma); |
233 | @@ -371,7 +371,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags) |
234 | |
235 | usb_fill_bulk_urb(dev->rx_urb, udev, |
236 | usb_rcvbulkpipe(udev, dev->bulk_in), |
237 | - dev->rx_buf, IPHETH_BUF_SIZE, |
238 | + dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, |
239 | ipheth_rcvbulk_callback, |
240 | dev); |
241 | dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; |
242 | diff --git a/drivers/rtc/rtc-mc146818-lib.c b/drivers/rtc/rtc-mc146818-lib.c |
243 | index 18a6f15e313d8..86b8858917b62 100644 |
244 | --- a/drivers/rtc/rtc-mc146818-lib.c |
245 | +++ b/drivers/rtc/rtc-mc146818-lib.c |
246 | @@ -82,7 +82,7 @@ unsigned int mc146818_get_time(struct rtc_time *time) |
247 | time->tm_year += real_year - 72; |
248 | #endif |
249 | |
250 | - if (century > 20) |
251 | + if (century > 19) |
252 | time->tm_year += (century - 19) * 100; |
253 | |
254 | /* |
255 | diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c |
256 | index f7630cf581cd9..fd622021748f8 100644 |
257 | --- a/drivers/s390/scsi/zfcp_fc.c |
258 | +++ b/drivers/s390/scsi/zfcp_fc.c |
259 | @@ -518,6 +518,8 @@ static void zfcp_fc_adisc_handler(void *data) |
260 | goto out; |
261 | } |
262 | |
263 | + /* re-init to undo drop from zfcp_fc_adisc() */ |
264 | + port->d_id = ntoh24(adisc_resp->adisc_port_id); |
265 | /* port is good, unblock rport without going through erp */ |
266 | zfcp_scsi_schedule_rport_register(port); |
267 | out: |
268 | @@ -531,6 +533,7 @@ static int zfcp_fc_adisc(struct zfcp_port *port) |
269 | struct zfcp_fc_req *fc_req; |
270 | struct zfcp_adapter *adapter = port->adapter; |
271 | struct Scsi_Host *shost = adapter->scsi_host; |
272 | + u32 d_id; |
273 | int ret; |
274 | |
275 | fc_req = kmem_cache_zalloc(zfcp_fc_req_cache, GFP_ATOMIC); |
276 | @@ -555,7 +558,15 @@ static int zfcp_fc_adisc(struct zfcp_port *port) |
277 | fc_req->u.adisc.req.adisc_cmd = ELS_ADISC; |
278 | hton24(fc_req->u.adisc.req.adisc_port_id, fc_host_port_id(shost)); |
279 | |
280 | - ret = zfcp_fsf_send_els(adapter, port->d_id, &fc_req->ct_els, |
281 | + d_id = port->d_id; /* remember as destination for send els below */ |
282 | + /* |
283 | + * Force fresh GID_PN lookup on next port recovery. |
284 | + * Must happen after request setup and before sending request, |
285 | + * to prevent race with port->d_id re-init in zfcp_fc_adisc_handler(). |
286 | + */ |
287 | + port->d_id = 0; |
288 | + |
289 | + ret = zfcp_fsf_send_els(adapter, d_id, &fc_req->ct_els, |
290 | ZFCP_FC_CTELS_TMO); |
291 | if (ret) |
292 | kmem_cache_free(zfcp_fc_req_cache, fc_req); |
293 | diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
294 | index 68cc332bd6cba..b3dae8a4e5fc4 100644 |
295 | --- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
296 | +++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
297 | @@ -79,7 +79,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba); |
298 | static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba); |
299 | static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, |
300 | struct device *parent, int npiv); |
301 | -static void bnx2fc_destroy_work(struct work_struct *work); |
302 | +static void bnx2fc_port_destroy(struct fcoe_port *port); |
303 | |
304 | static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev); |
305 | static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device |
306 | @@ -521,7 +521,8 @@ static int bnx2fc_l2_rcv_thread(void *arg) |
307 | |
308 | static void bnx2fc_recv_frame(struct sk_buff *skb) |
309 | { |
310 | - u32 fr_len; |
311 | + u64 crc_err; |
312 | + u32 fr_len, fr_crc; |
313 | struct fc_lport *lport; |
314 | struct fcoe_rcv_info *fr; |
315 | struct fc_stats *stats; |
316 | @@ -553,6 +554,11 @@ static void bnx2fc_recv_frame(struct sk_buff *skb) |
317 | skb_pull(skb, sizeof(struct fcoe_hdr)); |
318 | fr_len = skb->len - sizeof(struct fcoe_crc_eof); |
319 | |
320 | + stats = per_cpu_ptr(lport->stats, get_cpu()); |
321 | + stats->RxFrames++; |
322 | + stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; |
323 | + put_cpu(); |
324 | + |
325 | fp = (struct fc_frame *)skb; |
326 | fc_frame_init(fp); |
327 | fr_dev(fp) = lport; |
328 | @@ -604,16 +610,15 @@ static void bnx2fc_recv_frame(struct sk_buff *skb) |
329 | return; |
330 | } |
331 | |
332 | - stats = per_cpu_ptr(lport->stats, smp_processor_id()); |
333 | - stats->RxFrames++; |
334 | - stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; |
335 | + fr_crc = le32_to_cpu(fr_crc(fp)); |
336 | |
337 | - if (le32_to_cpu(fr_crc(fp)) != |
338 | - ~crc32(~0, skb->data, fr_len)) { |
339 | - if (stats->InvalidCRCCount < 5) |
340 | + if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) { |
341 | + stats = per_cpu_ptr(lport->stats, get_cpu()); |
342 | + crc_err = (stats->InvalidCRCCount++); |
343 | + put_cpu(); |
344 | + if (crc_err < 5) |
345 | printk(KERN_WARNING PFX "dropping frame with " |
346 | "CRC error\n"); |
347 | - stats->InvalidCRCCount++; |
348 | kfree_skb(skb); |
349 | return; |
350 | } |
351 | @@ -884,9 +889,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event, |
352 | __bnx2fc_destroy(interface); |
353 | } |
354 | mutex_unlock(&bnx2fc_dev_lock); |
355 | - |
356 | - /* Ensure ALL destroy work has been completed before return */ |
357 | - flush_workqueue(bnx2fc_wq); |
358 | return; |
359 | |
360 | default: |
361 | @@ -1194,8 +1196,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport) |
362 | mutex_unlock(&n_port->lp_mutex); |
363 | bnx2fc_free_vport(interface->hba, port->lport); |
364 | bnx2fc_port_shutdown(port->lport); |
365 | + bnx2fc_port_destroy(port); |
366 | bnx2fc_interface_put(interface); |
367 | - queue_work(bnx2fc_wq, &port->destroy_work); |
368 | return 0; |
369 | } |
370 | |
371 | @@ -1504,7 +1506,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, |
372 | port->lport = lport; |
373 | port->priv = interface; |
374 | port->get_netdev = bnx2fc_netdev; |
375 | - INIT_WORK(&port->destroy_work, bnx2fc_destroy_work); |
376 | |
377 | /* Configure fcoe_port */ |
378 | rc = bnx2fc_lport_config(lport); |
379 | @@ -1632,8 +1633,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface) |
380 | bnx2fc_interface_cleanup(interface); |
381 | bnx2fc_stop(interface); |
382 | list_del(&interface->list); |
383 | + bnx2fc_port_destroy(port); |
384 | bnx2fc_interface_put(interface); |
385 | - queue_work(bnx2fc_wq, &port->destroy_work); |
386 | } |
387 | |
388 | /** |
389 | @@ -1674,15 +1675,12 @@ netdev_err: |
390 | return rc; |
391 | } |
392 | |
393 | -static void bnx2fc_destroy_work(struct work_struct *work) |
394 | +static void bnx2fc_port_destroy(struct fcoe_port *port) |
395 | { |
396 | - struct fcoe_port *port; |
397 | struct fc_lport *lport; |
398 | |
399 | - port = container_of(work, struct fcoe_port, destroy_work); |
400 | lport = port->lport; |
401 | - |
402 | - BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n"); |
403 | + BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport); |
404 | |
405 | bnx2fc_if_destroy(lport); |
406 | } |
407 | @@ -2522,9 +2520,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev) |
408 | __bnx2fc_destroy(interface); |
409 | mutex_unlock(&bnx2fc_dev_lock); |
410 | |
411 | - /* Ensure ALL destroy work has been completed before return */ |
412 | - flush_workqueue(bnx2fc_wq); |
413 | - |
414 | bnx2fc_ulp_stop(hba); |
415 | /* unregister cnic device */ |
416 | if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic)) |
417 | diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c |
418 | index d521adf6ac245..40820904f76c0 100644 |
419 | --- a/drivers/spi/spi-bcm-qspi.c |
420 | +++ b/drivers/spi/spi-bcm-qspi.c |
421 | @@ -546,7 +546,7 @@ static void bcm_qspi_chip_select(struct bcm_qspi *qspi, int cs) |
422 | u32 rd = 0; |
423 | u32 wr = 0; |
424 | |
425 | - if (qspi->base[CHIP_SELECT]) { |
426 | + if (cs >= 0 && qspi->base[CHIP_SELECT]) { |
427 | rd = bcm_qspi_read(qspi, CHIP_SELECT, 0); |
428 | wr = (rd & ~0xff) | (1 << cs); |
429 | if (rd == wr) |
430 | diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c |
431 | index dd0bf25d45502..348f136d9e134 100644 |
432 | --- a/drivers/spi/spi-mt65xx.c |
433 | +++ b/drivers/spi/spi-mt65xx.c |
434 | @@ -440,7 +440,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) |
435 | else |
436 | mdata->state = MTK_SPI_IDLE; |
437 | |
438 | - if (!master->can_dma(master, master->cur_msg->spi, trans)) { |
439 | + if (!master->can_dma(master, NULL, trans)) { |
440 | if (trans->rx_buf) { |
441 | cnt = mdata->xfer_len / 4; |
442 | ioread32_rep(mdata->base + SPI_RX_DATA_REG, |
443 | diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c |
444 | index 1ab9bd4335421..67e5b587a1062 100644 |
445 | --- a/drivers/tty/n_gsm.c |
446 | +++ b/drivers/tty/n_gsm.c |
447 | @@ -329,6 +329,7 @@ static struct tty_driver *gsm_tty_driver; |
448 | #define GSM1_ESCAPE_BITS 0x20 |
449 | #define XON 0x11 |
450 | #define XOFF 0x13 |
451 | +#define ISO_IEC_646_MASK 0x7F |
452 | |
453 | static const struct tty_port_operations gsm_port_ops; |
454 | |
455 | @@ -547,7 +548,8 @@ static int gsm_stuff_frame(const u8 *input, u8 *output, int len) |
456 | int olen = 0; |
457 | while (len--) { |
458 | if (*input == GSM1_SOF || *input == GSM1_ESCAPE |
459 | - || *input == XON || *input == XOFF) { |
460 | + || (*input & ISO_IEC_646_MASK) == XON |
461 | + || (*input & ISO_IEC_646_MASK) == XOFF) { |
462 | *output++ = GSM1_ESCAPE; |
463 | *output++ = *input++ ^ GSM1_ESCAPE_BITS; |
464 | olen++; |
465 | diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c |
466 | index 550f2f0523d84..3973bbd5ee553 100644 |
467 | --- a/drivers/tty/serial/8250/8250_pci.c |
468 | +++ b/drivers/tty/serial/8250/8250_pci.c |
469 | @@ -5238,8 +5238,30 @@ static struct pci_device_id serial_pci_tbl[] = { |
470 | { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400, |
471 | PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ |
472 | pbn_b2_4_115200 }, |
473 | + /* Brainboxes Devices */ |
474 | /* |
475 | - * BrainBoxes UC-260 |
476 | + * Brainboxes UC-101 |
477 | + */ |
478 | + { PCI_VENDOR_ID_INTASHIELD, 0x0BA1, |
479 | + PCI_ANY_ID, PCI_ANY_ID, |
480 | + 0, 0, |
481 | + pbn_b2_2_115200 }, |
482 | + /* |
483 | + * Brainboxes UC-235/246 |
484 | + */ |
485 | + { PCI_VENDOR_ID_INTASHIELD, 0x0AA1, |
486 | + PCI_ANY_ID, PCI_ANY_ID, |
487 | + 0, 0, |
488 | + pbn_b2_1_115200 }, |
489 | + /* |
490 | + * Brainboxes UC-257 |
491 | + */ |
492 | + { PCI_VENDOR_ID_INTASHIELD, 0x0861, |
493 | + PCI_ANY_ID, PCI_ANY_ID, |
494 | + 0, 0, |
495 | + pbn_b2_2_115200 }, |
496 | + /* |
497 | + * Brainboxes UC-260/271/701/756 |
498 | */ |
499 | { PCI_VENDOR_ID_INTASHIELD, 0x0D21, |
500 | PCI_ANY_ID, PCI_ANY_ID, |
501 | @@ -5247,7 +5269,81 @@ static struct pci_device_id serial_pci_tbl[] = { |
502 | pbn_b2_4_115200 }, |
503 | { PCI_VENDOR_ID_INTASHIELD, 0x0E34, |
504 | PCI_ANY_ID, PCI_ANY_ID, |
505 | - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, |
506 | + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, |
507 | + pbn_b2_4_115200 }, |
508 | + /* |
509 | + * Brainboxes UC-268 |
510 | + */ |
511 | + { PCI_VENDOR_ID_INTASHIELD, 0x0841, |
512 | + PCI_ANY_ID, PCI_ANY_ID, |
513 | + 0, 0, |
514 | + pbn_b2_4_115200 }, |
515 | + /* |
516 | + * Brainboxes UC-275/279 |
517 | + */ |
518 | + { PCI_VENDOR_ID_INTASHIELD, 0x0881, |
519 | + PCI_ANY_ID, PCI_ANY_ID, |
520 | + 0, 0, |
521 | + pbn_b2_8_115200 }, |
522 | + /* |
523 | + * Brainboxes UC-302 |
524 | + */ |
525 | + { PCI_VENDOR_ID_INTASHIELD, 0x08E1, |
526 | + PCI_ANY_ID, PCI_ANY_ID, |
527 | + 0, 0, |
528 | + pbn_b2_2_115200 }, |
529 | + /* |
530 | + * Brainboxes UC-310 |
531 | + */ |
532 | + { PCI_VENDOR_ID_INTASHIELD, 0x08C1, |
533 | + PCI_ANY_ID, PCI_ANY_ID, |
534 | + 0, 0, |
535 | + pbn_b2_2_115200 }, |
536 | + /* |
537 | + * Brainboxes UC-313 |
538 | + */ |
539 | + { PCI_VENDOR_ID_INTASHIELD, 0x08A3, |
540 | + PCI_ANY_ID, PCI_ANY_ID, |
541 | + 0, 0, |
542 | + pbn_b2_2_115200 }, |
543 | + /* |
544 | + * Brainboxes UC-320/324 |
545 | + */ |
546 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A61, |
547 | + PCI_ANY_ID, PCI_ANY_ID, |
548 | + 0, 0, |
549 | + pbn_b2_1_115200 }, |
550 | + /* |
551 | + * Brainboxes UC-346 |
552 | + */ |
553 | + { PCI_VENDOR_ID_INTASHIELD, 0x0B02, |
554 | + PCI_ANY_ID, PCI_ANY_ID, |
555 | + 0, 0, |
556 | + pbn_b2_4_115200 }, |
557 | + /* |
558 | + * Brainboxes UC-357 |
559 | + */ |
560 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A81, |
561 | + PCI_ANY_ID, PCI_ANY_ID, |
562 | + 0, 0, |
563 | + pbn_b2_2_115200 }, |
564 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A83, |
565 | + PCI_ANY_ID, PCI_ANY_ID, |
566 | + 0, 0, |
567 | + pbn_b2_2_115200 }, |
568 | + /* |
569 | + * Brainboxes UC-368 |
570 | + */ |
571 | + { PCI_VENDOR_ID_INTASHIELD, 0x0C41, |
572 | + PCI_ANY_ID, PCI_ANY_ID, |
573 | + 0, 0, |
574 | + pbn_b2_4_115200 }, |
575 | + /* |
576 | + * Brainboxes UC-420/431 |
577 | + */ |
578 | + { PCI_VENDOR_ID_INTASHIELD, 0x0921, |
579 | + PCI_ANY_ID, PCI_ANY_ID, |
580 | + 0, 0, |
581 | pbn_b2_4_115200 }, |
582 | /* |
583 | * Perle PCI-RAS cards |
584 | diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c |
585 | index f325019887b23..766941a6e1aa8 100644 |
586 | --- a/drivers/tty/serial/stm32-usart.c |
587 | +++ b/drivers/tty/serial/stm32-usart.c |
588 | @@ -389,7 +389,7 @@ static void stm32_start_tx(struct uart_port *port) |
589 | { |
590 | struct circ_buf *xmit = &port->state->xmit; |
591 | |
592 | - if (uart_circ_empty(xmit)) |
593 | + if (uart_circ_empty(xmit) && !port->x_char) |
594 | return; |
595 | |
596 | stm32_transmit_chars(port); |
597 | diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c |
598 | index 2246731d96b0e..a4b2313607995 100644 |
599 | --- a/drivers/usb/core/hcd.c |
600 | +++ b/drivers/usb/core/hcd.c |
601 | @@ -1668,6 +1668,13 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) |
602 | urb->hcpriv = NULL; |
603 | INIT_LIST_HEAD(&urb->urb_list); |
604 | atomic_dec(&urb->use_count); |
605 | + /* |
606 | + * Order the write of urb->use_count above before the read |
607 | + * of urb->reject below. Pairs with the memory barriers in |
608 | + * usb_kill_urb() and usb_poison_urb(). |
609 | + */ |
610 | + smp_mb__after_atomic(); |
611 | + |
612 | atomic_dec(&urb->dev->urbnum); |
613 | if (atomic_read(&urb->reject)) |
614 | wake_up(&usb_kill_urb_queue); |
615 | @@ -1777,6 +1784,13 @@ static void __usb_hcd_giveback_urb(struct urb *urb) |
616 | |
617 | usb_anchor_resume_wakeups(anchor); |
618 | atomic_dec(&urb->use_count); |
619 | + /* |
620 | + * Order the write of urb->use_count above before the read |
621 | + * of urb->reject below. Pairs with the memory barriers in |
622 | + * usb_kill_urb() and usb_poison_urb(). |
623 | + */ |
624 | + smp_mb__after_atomic(); |
625 | + |
626 | if (unlikely(atomic_read(&urb->reject))) |
627 | wake_up(&usb_kill_urb_queue); |
628 | usb_put_urb(urb); |
629 | diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c |
630 | index 6785ebc078047..ec8921d09e321 100644 |
631 | --- a/drivers/usb/core/urb.c |
632 | +++ b/drivers/usb/core/urb.c |
633 | @@ -684,6 +684,12 @@ void usb_kill_urb(struct urb *urb) |
634 | if (!(urb && urb->dev && urb->ep)) |
635 | return; |
636 | atomic_inc(&urb->reject); |
637 | + /* |
638 | + * Order the write of urb->reject above before the read |
639 | + * of urb->use_count below. Pairs with the barriers in |
640 | + * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). |
641 | + */ |
642 | + smp_mb__after_atomic(); |
643 | |
644 | usb_hcd_unlink_urb(urb, -ENOENT); |
645 | wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); |
646 | @@ -725,6 +731,12 @@ void usb_poison_urb(struct urb *urb) |
647 | if (!urb) |
648 | return; |
649 | atomic_inc(&urb->reject); |
650 | + /* |
651 | + * Order the write of urb->reject above before the read |
652 | + * of urb->use_count below. Pairs with the barriers in |
653 | + * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). |
654 | + */ |
655 | + smp_mb__after_atomic(); |
656 | |
657 | if (!urb->dev || !urb->ep) |
658 | return; |
659 | diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c |
660 | index 1c5745f7abea1..16142c321df8e 100644 |
661 | --- a/drivers/usb/gadget/function/f_sourcesink.c |
662 | +++ b/drivers/usb/gadget/function/f_sourcesink.c |
663 | @@ -587,6 +587,7 @@ static int source_sink_start_ep(struct f_sourcesink *ss, bool is_in, |
664 | |
665 | if (is_iso) { |
666 | switch (speed) { |
667 | + case USB_SPEED_SUPER_PLUS: |
668 | case USB_SPEED_SUPER: |
669 | size = ss->isoc_maxpacket * |
670 | (ss->isoc_mult + 1) * |
671 | diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h |
672 | index ec2b7f5c900c2..801351f360da6 100644 |
673 | --- a/drivers/usb/storage/unusual_devs.h |
674 | +++ b/drivers/usb/storage/unusual_devs.h |
675 | @@ -2308,6 +2308,16 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x9999, |
676 | USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, |
677 | US_FL_SCM_MULT_TARG ), |
678 | |
679 | +/* |
680 | + * Reported by DocMAX <mail@vacharakis.de> |
681 | + * and Thomas Weißschuh <linux@weissschuh.net> |
682 | + */ |
683 | +UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999, |
684 | + "VIA Labs, Inc.", |
685 | + "VL817 SATA Bridge", |
686 | + USB_SC_DEVICE, USB_PR_DEVICE, NULL, |
687 | + US_FL_IGNORE_UAS), |
688 | + |
689 | UNUSUAL_DEV( 0x2116, 0x0320, 0x0001, 0x0001, |
690 | "ST", |
691 | "2A", |
692 | diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c |
693 | index a0f20a048347c..c87558f120fb9 100644 |
694 | --- a/fs/ext4/inline.c |
695 | +++ b/fs/ext4/inline.c |
696 | @@ -1123,7 +1123,15 @@ static void ext4_restore_inline_data(handle_t *handle, struct inode *inode, |
697 | struct ext4_iloc *iloc, |
698 | void *buf, int inline_size) |
699 | { |
700 | - ext4_create_inline_data(handle, inode, inline_size); |
701 | + int ret; |
702 | + |
703 | + ret = ext4_create_inline_data(handle, inode, inline_size); |
704 | + if (ret) { |
705 | + ext4_msg(inode->i_sb, KERN_EMERG, |
706 | + "error restoring inline_data for inode -- potential data loss! (inode %lu, error %d)", |
707 | + inode->i_ino, ret); |
708 | + return; |
709 | + } |
710 | ext4_write_inline_data(inode, iloc, buf, 0, inline_size); |
711 | ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); |
712 | } |
713 | diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c |
714 | index d405b5a14073a..24e854dfb3c25 100644 |
715 | --- a/fs/nfs/dir.c |
716 | +++ b/fs/nfs/dir.c |
717 | @@ -1602,6 +1602,24 @@ out: |
718 | |
719 | no_open: |
720 | res = nfs_lookup(dir, dentry, lookup_flags); |
721 | + if (!res) { |
722 | + inode = d_inode(dentry); |
723 | + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && |
724 | + !S_ISDIR(inode->i_mode)) |
725 | + res = ERR_PTR(-ENOTDIR); |
726 | + else if (inode && S_ISREG(inode->i_mode)) |
727 | + res = ERR_PTR(-EOPENSTALE); |
728 | + } else if (!IS_ERR(res)) { |
729 | + inode = d_inode(res); |
730 | + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && |
731 | + !S_ISDIR(inode->i_mode)) { |
732 | + dput(res); |
733 | + res = ERR_PTR(-ENOTDIR); |
734 | + } else if (inode && S_ISREG(inode->i_mode)) { |
735 | + dput(res); |
736 | + res = ERR_PTR(-EOPENSTALE); |
737 | + } |
738 | + } |
739 | if (switched) { |
740 | d_lookup_done(dentry); |
741 | if (!res) |
742 | diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c |
743 | index 524d98e3bcf5b..d9381ca0ac479 100644 |
744 | --- a/fs/nfsd/nfs4state.c |
745 | +++ b/fs/nfsd/nfs4state.c |
746 | @@ -3424,8 +3424,10 @@ nfsd4_setclientid_confirm(struct svc_rqst *rqstp, |
747 | status = nfserr_clid_inuse; |
748 | if (client_has_state(old) |
749 | && !same_creds(&unconf->cl_cred, |
750 | - &old->cl_cred)) |
751 | + &old->cl_cred)) { |
752 | + old = NULL; |
753 | goto out; |
754 | + } |
755 | status = mark_client_expired_locked(old); |
756 | if (status) { |
757 | old = NULL; |
758 | diff --git a/fs/udf/inode.c b/fs/udf/inode.c |
759 | index 50607673a6a92..fab5a9506bcf2 100644 |
760 | --- a/fs/udf/inode.c |
761 | +++ b/fs/udf/inode.c |
762 | @@ -259,10 +259,6 @@ int udf_expand_file_adinicb(struct inode *inode) |
763 | char *kaddr; |
764 | struct udf_inode_info *iinfo = UDF_I(inode); |
765 | int err; |
766 | - struct writeback_control udf_wbc = { |
767 | - .sync_mode = WB_SYNC_NONE, |
768 | - .nr_to_write = 1, |
769 | - }; |
770 | |
771 | WARN_ON_ONCE(!inode_is_locked(inode)); |
772 | if (!iinfo->i_lenAlloc) { |
773 | @@ -306,8 +302,10 @@ int udf_expand_file_adinicb(struct inode *inode) |
774 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; |
775 | /* from now on we have normal address_space methods */ |
776 | inode->i_data.a_ops = &udf_aops; |
777 | + set_page_dirty(page); |
778 | + unlock_page(page); |
779 | up_write(&iinfo->i_data_sem); |
780 | - err = inode->i_data.a_ops->writepage(page, &udf_wbc); |
781 | + err = filemap_fdatawrite(inode->i_mapping); |
782 | if (err) { |
783 | /* Restore everything back so that we don't lose data... */ |
784 | lock_page(page); |
785 | @@ -319,6 +317,7 @@ int udf_expand_file_adinicb(struct inode *inode) |
786 | unlock_page(page); |
787 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; |
788 | inode->i_data.a_ops = &udf_adinicb_aops; |
789 | + iinfo->i_lenAlloc = inode->i_size; |
790 | up_write(&iinfo->i_data_sem); |
791 | } |
792 | put_page(page); |
793 | diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h |
794 | index 2aacafe2bce58..a92fb5c5704f2 100644 |
795 | --- a/include/linux/netdevice.h |
796 | +++ b/include/linux/netdevice.h |
797 | @@ -2237,6 +2237,7 @@ struct packet_type { |
798 | struct net_device *); |
799 | bool (*id_match)(struct packet_type *ptype, |
800 | struct sock *sk); |
801 | + struct net *af_packet_net; |
802 | void *af_packet_priv; |
803 | struct list_head list; |
804 | }; |
805 | diff --git a/include/net/ip.h b/include/net/ip.h |
806 | index f987eaf999004..c762fd047ef4c 100644 |
807 | --- a/include/net/ip.h |
808 | +++ b/include/net/ip.h |
809 | @@ -377,19 +377,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, |
810 | { |
811 | struct iphdr *iph = ip_hdr(skb); |
812 | |
813 | + /* We had many attacks based on IPID, use the private |
814 | + * generator as much as we can. |
815 | + */ |
816 | + if (sk && inet_sk(sk)->inet_daddr) { |
817 | + iph->id = htons(inet_sk(sk)->inet_id); |
818 | + inet_sk(sk)->inet_id += segs; |
819 | + return; |
820 | + } |
821 | if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { |
822 | - /* This is only to work around buggy Windows95/2000 |
823 | - * VJ compression implementations. If the ID field |
824 | - * does not change, they drop every other packet in |
825 | - * a TCP stream using header compression. |
826 | - */ |
827 | - if (sk && inet_sk(sk)->inet_daddr) { |
828 | - iph->id = htons(inet_sk(sk)->inet_id); |
829 | - inet_sk(sk)->inet_id += segs; |
830 | - } else { |
831 | - iph->id = 0; |
832 | - } |
833 | + iph->id = 0; |
834 | } else { |
835 | + /* Unfortunately we need the big hammer to get a suitable IPID */ |
836 | __ip_select_ident(net, iph, segs); |
837 | } |
838 | } |
839 | diff --git a/include/net/netfilter/nf_nat_l4proto.h b/include/net/netfilter/nf_nat_l4proto.h |
840 | index 12f4cc841b6ed..630f0f5c3fa35 100644 |
841 | --- a/include/net/netfilter/nf_nat_l4proto.h |
842 | +++ b/include/net/netfilter/nf_nat_l4proto.h |
843 | @@ -64,7 +64,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
844 | struct nf_conntrack_tuple *tuple, |
845 | const struct nf_nat_range *range, |
846 | enum nf_nat_manip_type maniptype, |
847 | - const struct nf_conn *ct, u16 *rover); |
848 | + const struct nf_conn *ct); |
849 | |
850 | int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], |
851 | struct nf_nat_range *range); |
852 | diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c |
853 | index 1896386e16bbe..78e354b1c593b 100644 |
854 | --- a/kernel/power/wakelock.c |
855 | +++ b/kernel/power/wakelock.c |
856 | @@ -38,23 +38,19 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) |
857 | { |
858 | struct rb_node *node; |
859 | struct wakelock *wl; |
860 | - char *str = buf; |
861 | - char *end = buf + PAGE_SIZE; |
862 | + int len = 0; |
863 | |
864 | mutex_lock(&wakelocks_lock); |
865 | |
866 | for (node = rb_first(&wakelocks_tree); node; node = rb_next(node)) { |
867 | wl = rb_entry(node, struct wakelock, node); |
868 | if (wl->ws.active == show_active) |
869 | - str += scnprintf(str, end - str, "%s ", wl->name); |
870 | + len += sysfs_emit_at(buf, len, "%s ", wl->name); |
871 | } |
872 | - if (str > buf) |
873 | - str--; |
874 | - |
875 | - str += scnprintf(str, end - str, "\n"); |
876 | + len += sysfs_emit_at(buf, len, "\n"); |
877 | |
878 | mutex_unlock(&wakelocks_lock); |
879 | - return (str - buf); |
880 | + return len; |
881 | } |
882 | |
883 | #if CONFIG_PM_WAKELOCKS_LIMIT > 0 |
884 | diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c |
885 | index 17cfd9f8e98e0..cff87c465bcb0 100644 |
886 | --- a/net/bluetooth/hci_event.c |
887 | +++ b/net/bluetooth/hci_event.c |
888 | @@ -4967,6 +4967,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) |
889 | struct hci_ev_le_advertising_info *ev = ptr; |
890 | s8 rssi; |
891 | |
892 | + if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { |
893 | + bt_dev_err(hdev, "Malicious advertising data."); |
894 | + break; |
895 | + } |
896 | + |
897 | if (ev->length <= HCI_MAX_AD_LENGTH && |
898 | ev->data + ev->length <= skb_tail_pointer(skb)) { |
899 | rssi = ev->data[ev->length]; |
900 | @@ -4978,11 +4983,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) |
901 | } |
902 | |
903 | ptr += sizeof(*ev) + ev->length + 1; |
904 | - |
905 | - if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { |
906 | - bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); |
907 | - break; |
908 | - } |
909 | } |
910 | |
911 | hci_dev_unlock(hdev); |
912 | diff --git a/net/can/bcm.c b/net/can/bcm.c |
913 | index 369326715b9c6..bfb5072234687 100644 |
914 | --- a/net/can/bcm.c |
915 | +++ b/net/can/bcm.c |
916 | @@ -761,21 +761,21 @@ static struct bcm_op *bcm_find_op(struct list_head *ops, |
917 | static void bcm_remove_op(struct bcm_op *op) |
918 | { |
919 | if (op->tsklet.func) { |
920 | - while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) || |
921 | - test_bit(TASKLET_STATE_RUN, &op->tsklet.state) || |
922 | - hrtimer_active(&op->timer)) { |
923 | - hrtimer_cancel(&op->timer); |
924 | + do { |
925 | tasklet_kill(&op->tsklet); |
926 | - } |
927 | + hrtimer_cancel(&op->timer); |
928 | + } while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) || |
929 | + test_bit(TASKLET_STATE_RUN, &op->tsklet.state) || |
930 | + hrtimer_active(&op->timer)); |
931 | } |
932 | |
933 | if (op->thrtsklet.func) { |
934 | - while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) || |
935 | - test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) || |
936 | - hrtimer_active(&op->thrtimer)) { |
937 | - hrtimer_cancel(&op->thrtimer); |
938 | + do { |
939 | tasklet_kill(&op->thrtsklet); |
940 | - } |
941 | + hrtimer_cancel(&op->thrtimer); |
942 | + } while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) || |
943 | + test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) || |
944 | + hrtimer_active(&op->thrtimer)); |
945 | } |
946 | |
947 | if ((op->frames) && (op->frames != &op->sframe)) |
948 | diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c |
949 | index 14d09345f00d9..913b7c366cd4c 100644 |
950 | --- a/net/core/net-procfs.c |
951 | +++ b/net/core/net-procfs.c |
952 | @@ -208,12 +208,23 @@ static const struct file_operations softnet_seq_fops = { |
953 | .release = seq_release, |
954 | }; |
955 | |
956 | -static void *ptype_get_idx(loff_t pos) |
957 | +static void *ptype_get_idx(struct seq_file *seq, loff_t pos) |
958 | { |
959 | + struct list_head *ptype_list = NULL; |
960 | struct packet_type *pt = NULL; |
961 | + struct net_device *dev; |
962 | loff_t i = 0; |
963 | int t; |
964 | |
965 | + for_each_netdev_rcu(seq_file_net(seq), dev) { |
966 | + ptype_list = &dev->ptype_all; |
967 | + list_for_each_entry_rcu(pt, ptype_list, list) { |
968 | + if (i == pos) |
969 | + return pt; |
970 | + ++i; |
971 | + } |
972 | + } |
973 | + |
974 | list_for_each_entry_rcu(pt, &ptype_all, list) { |
975 | if (i == pos) |
976 | return pt; |
977 | @@ -234,22 +245,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos) |
978 | __acquires(RCU) |
979 | { |
980 | rcu_read_lock(); |
981 | - return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN; |
982 | + return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; |
983 | } |
984 | |
985 | static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) |
986 | { |
987 | + struct net_device *dev; |
988 | struct packet_type *pt; |
989 | struct list_head *nxt; |
990 | int hash; |
991 | |
992 | ++*pos; |
993 | if (v == SEQ_START_TOKEN) |
994 | - return ptype_get_idx(0); |
995 | + return ptype_get_idx(seq, 0); |
996 | |
997 | pt = v; |
998 | nxt = pt->list.next; |
999 | + if (pt->dev) { |
1000 | + if (nxt != &pt->dev->ptype_all) |
1001 | + goto found; |
1002 | + |
1003 | + dev = pt->dev; |
1004 | + for_each_netdev_continue_rcu(seq_file_net(seq), dev) { |
1005 | + if (!list_empty(&dev->ptype_all)) { |
1006 | + nxt = dev->ptype_all.next; |
1007 | + goto found; |
1008 | + } |
1009 | + } |
1010 | + |
1011 | + nxt = ptype_all.next; |
1012 | + goto ptype_all; |
1013 | + } |
1014 | + |
1015 | if (pt->type == htons(ETH_P_ALL)) { |
1016 | +ptype_all: |
1017 | if (nxt != &ptype_all) |
1018 | goto found; |
1019 | hash = 0; |
1020 | @@ -278,7 +307,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v) |
1021 | |
1022 | if (v == SEQ_START_TOKEN) |
1023 | seq_puts(seq, "Type Device Function\n"); |
1024 | - else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { |
1025 | + else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && |
1026 | + (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) { |
1027 | if (pt->type == htons(ETH_P_ALL)) |
1028 | seq_puts(seq, "ALL "); |
1029 | else |
1030 | diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c |
1031 | index 012143f313a87..d5cad076daf50 100644 |
1032 | --- a/net/core/rtnetlink.c |
1033 | +++ b/net/core/rtnetlink.c |
1034 | @@ -2454,9 +2454,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh) |
1035 | { |
1036 | struct net *net = sock_net(skb->sk); |
1037 | const struct rtnl_link_ops *ops; |
1038 | - const struct rtnl_link_ops *m_ops = NULL; |
1039 | + const struct rtnl_link_ops *m_ops; |
1040 | struct net_device *dev; |
1041 | - struct net_device *master_dev = NULL; |
1042 | + struct net_device *master_dev; |
1043 | struct ifinfomsg *ifm; |
1044 | char kind[MODULE_NAME_LEN]; |
1045 | char ifname[IFNAMSIZ]; |
1046 | @@ -2487,6 +2487,8 @@ replay: |
1047 | dev = NULL; |
1048 | } |
1049 | |
1050 | + master_dev = NULL; |
1051 | + m_ops = NULL; |
1052 | if (dev) { |
1053 | master_dev = netdev_master_upper_dev_get(dev); |
1054 | if (master_dev) |
1055 | diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c |
1056 | index 936371340dc37..c24a1945392a5 100644 |
1057 | --- a/net/ieee802154/nl802154.c |
1058 | +++ b/net/ieee802154/nl802154.c |
1059 | @@ -1474,7 +1474,7 @@ static int nl802154_send_key(struct sk_buff *msg, u32 cmd, u32 portid, |
1060 | |
1061 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
1062 | if (!hdr) |
1063 | - return -1; |
1064 | + return -ENOBUFS; |
1065 | |
1066 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
1067 | goto nla_put_failure; |
1068 | @@ -1665,7 +1665,7 @@ static int nl802154_send_device(struct sk_buff *msg, u32 cmd, u32 portid, |
1069 | |
1070 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
1071 | if (!hdr) |
1072 | - return -1; |
1073 | + return -ENOBUFS; |
1074 | |
1075 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
1076 | goto nla_put_failure; |
1077 | @@ -1843,7 +1843,7 @@ static int nl802154_send_devkey(struct sk_buff *msg, u32 cmd, u32 portid, |
1078 | |
1079 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
1080 | if (!hdr) |
1081 | - return -1; |
1082 | + return -ENOBUFS; |
1083 | |
1084 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
1085 | goto nla_put_failure; |
1086 | @@ -2020,7 +2020,7 @@ static int nl802154_send_seclevel(struct sk_buff *msg, u32 cmd, u32 portid, |
1087 | |
1088 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
1089 | if (!hdr) |
1090 | - return -1; |
1091 | + return -ENOBUFS; |
1092 | |
1093 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
1094 | goto nla_put_failure; |
1095 | diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c |
1096 | index 589fd0904e0de..bd53136c28262 100644 |
1097 | --- a/net/ipv4/ip_output.c |
1098 | +++ b/net/ipv4/ip_output.c |
1099 | @@ -159,12 +159,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, |
1100 | iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); |
1101 | iph->saddr = saddr; |
1102 | iph->protocol = sk->sk_protocol; |
1103 | - if (ip_dont_fragment(sk, &rt->dst)) { |
1104 | + /* Do not bother generating IPID for small packets (eg SYNACK) */ |
1105 | + if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { |
1106 | iph->frag_off = htons(IP_DF); |
1107 | iph->id = 0; |
1108 | } else { |
1109 | iph->frag_off = 0; |
1110 | - __ip_select_ident(net, iph, 1); |
1111 | + /* TCP packets here are SYNACK with fat IPv4/TCP options. |
1112 | + * Avoid using the hashed IP ident generator. |
1113 | + */ |
1114 | + if (sk->sk_protocol == IPPROTO_TCP) |
1115 | + iph->id = (__force __be16)prandom_u32(); |
1116 | + else |
1117 | + __ip_select_ident(net, iph, 1); |
1118 | } |
1119 | |
1120 | if (opt && opt->opt.optlen) { |
1121 | diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c |
1122 | index af75c0a8238ef..88ad1b6b38029 100644 |
1123 | --- a/net/ipv4/raw.c |
1124 | +++ b/net/ipv4/raw.c |
1125 | @@ -706,6 +706,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) |
1126 | int ret = -EINVAL; |
1127 | int chk_addr_ret; |
1128 | |
1129 | + lock_sock(sk); |
1130 | if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in)) |
1131 | goto out; |
1132 | chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr); |
1133 | @@ -718,7 +719,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) |
1134 | inet->inet_saddr = 0; /* Use device */ |
1135 | sk_dst_reset(sk); |
1136 | ret = 0; |
1137 | -out: return ret; |
1138 | +out: |
1139 | + release_sock(sk); |
1140 | + return ret; |
1141 | } |
1142 | |
1143 | /* |
1144 | diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
1145 | index 4e18ce5b939ac..322171a344c09 100644 |
1146 | --- a/net/ipv6/ip6_tunnel.c |
1147 | +++ b/net/ipv6/ip6_tunnel.c |
1148 | @@ -1007,12 +1007,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t, |
1149 | ldev = dev_get_by_index_rcu(net, p->link); |
1150 | |
1151 | if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0))) |
1152 | - pr_warn("%s xmit: Local address not yet configured!\n", |
1153 | - p->name); |
1154 | + pr_warn_ratelimited("%s xmit: Local address not yet configured!\n", |
1155 | + p->name); |
1156 | else if (!ipv6_addr_is_multicast(raddr) && |
1157 | unlikely(ipv6_chk_addr(net, raddr, NULL, 0))) |
1158 | - pr_warn("%s xmit: Routing loop! Remote address found on this node!\n", |
1159 | - p->name); |
1160 | + pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n", |
1161 | + p->name); |
1162 | else |
1163 | ret = 1; |
1164 | rcu_read_unlock(); |
1165 | diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c |
1166 | index 7d7466dbf6633..a4f709a3cbacc 100644 |
1167 | --- a/net/netfilter/nf_nat_proto_common.c |
1168 | +++ b/net/netfilter/nf_nat_proto_common.c |
1169 | @@ -38,12 +38,12 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1170 | struct nf_conntrack_tuple *tuple, |
1171 | const struct nf_nat_range *range, |
1172 | enum nf_nat_manip_type maniptype, |
1173 | - const struct nf_conn *ct, |
1174 | - u16 *rover) |
1175 | + const struct nf_conn *ct) |
1176 | { |
1177 | - unsigned int range_size, min, max, i; |
1178 | + unsigned int range_size, min, max, i, attempts; |
1179 | __be16 *portptr; |
1180 | - u_int16_t off; |
1181 | + u16 off; |
1182 | + static const unsigned int max_attempts = 128; |
1183 | |
1184 | if (maniptype == NF_NAT_MANIP_SRC) |
1185 | portptr = &tuple->src.u.all; |
1186 | @@ -84,17 +84,31 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1187 | } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { |
1188 | off = prandom_u32(); |
1189 | } else { |
1190 | - off = *rover; |
1191 | + off = prandom_u32(); |
1192 | } |
1193 | |
1194 | - for (i = 0; ; ++off) { |
1195 | + attempts = range_size; |
1196 | + if (attempts > max_attempts) |
1197 | + attempts = max_attempts; |
1198 | + |
1199 | + /* We are in softirq; doing a search of the entire range risks |
1200 | + * soft lockup when all tuples are already used. |
1201 | + * |
1202 | + * If we can't find any free port from first offset, pick a new |
1203 | + * one and try again, with ever smaller search window. |
1204 | + */ |
1205 | +another_round: |
1206 | + for (i = 0; i < attempts; i++, off++) { |
1207 | *portptr = htons(min + off % range_size); |
1208 | - if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
1209 | - continue; |
1210 | - if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) |
1211 | - *rover = off; |
1212 | - return; |
1213 | + if (!nf_nat_used_tuple(tuple, ct)) |
1214 | + return; |
1215 | } |
1216 | + |
1217 | + if (attempts >= range_size || attempts < 16) |
1218 | + return; |
1219 | + attempts /= 2; |
1220 | + off = prandom_u32(); |
1221 | + goto another_round; |
1222 | } |
1223 | EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple); |
1224 | |
1225 | diff --git a/net/netfilter/nf_nat_proto_dccp.c b/net/netfilter/nf_nat_proto_dccp.c |
1226 | index 15c47b246d0d0..e7d27c0833932 100644 |
1227 | --- a/net/netfilter/nf_nat_proto_dccp.c |
1228 | +++ b/net/netfilter/nf_nat_proto_dccp.c |
1229 | @@ -20,8 +20,6 @@ |
1230 | #include <net/netfilter/nf_nat_l3proto.h> |
1231 | #include <net/netfilter/nf_nat_l4proto.h> |
1232 | |
1233 | -static u_int16_t dccp_port_rover; |
1234 | - |
1235 | static void |
1236 | dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1237 | struct nf_conntrack_tuple *tuple, |
1238 | @@ -29,8 +27,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1239 | enum nf_nat_manip_type maniptype, |
1240 | const struct nf_conn *ct) |
1241 | { |
1242 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
1243 | - &dccp_port_rover); |
1244 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
1245 | } |
1246 | |
1247 | static bool |
1248 | diff --git a/net/netfilter/nf_nat_proto_sctp.c b/net/netfilter/nf_nat_proto_sctp.c |
1249 | index cbc7ade1487b2..b839373716e84 100644 |
1250 | --- a/net/netfilter/nf_nat_proto_sctp.c |
1251 | +++ b/net/netfilter/nf_nat_proto_sctp.c |
1252 | @@ -14,8 +14,6 @@ |
1253 | |
1254 | #include <net/netfilter/nf_nat_l4proto.h> |
1255 | |
1256 | -static u_int16_t nf_sctp_port_rover; |
1257 | - |
1258 | static void |
1259 | sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1260 | struct nf_conntrack_tuple *tuple, |
1261 | @@ -23,8 +21,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1262 | enum nf_nat_manip_type maniptype, |
1263 | const struct nf_conn *ct) |
1264 | { |
1265 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
1266 | - &nf_sctp_port_rover); |
1267 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
1268 | } |
1269 | |
1270 | static bool |
1271 | diff --git a/net/netfilter/nf_nat_proto_tcp.c b/net/netfilter/nf_nat_proto_tcp.c |
1272 | index 4f8820fc51480..882e79c6df734 100644 |
1273 | --- a/net/netfilter/nf_nat_proto_tcp.c |
1274 | +++ b/net/netfilter/nf_nat_proto_tcp.c |
1275 | @@ -18,8 +18,6 @@ |
1276 | #include <net/netfilter/nf_nat_l4proto.h> |
1277 | #include <net/netfilter/nf_nat_core.h> |
1278 | |
1279 | -static u16 tcp_port_rover; |
1280 | - |
1281 | static void |
1282 | tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1283 | struct nf_conntrack_tuple *tuple, |
1284 | @@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1285 | enum nf_nat_manip_type maniptype, |
1286 | const struct nf_conn *ct) |
1287 | { |
1288 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
1289 | - &tcp_port_rover); |
1290 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
1291 | } |
1292 | |
1293 | static bool |
1294 | diff --git a/net/netfilter/nf_nat_proto_udp.c b/net/netfilter/nf_nat_proto_udp.c |
1295 | index b1e627227b6e2..ed91bdd8857c1 100644 |
1296 | --- a/net/netfilter/nf_nat_proto_udp.c |
1297 | +++ b/net/netfilter/nf_nat_proto_udp.c |
1298 | @@ -17,8 +17,6 @@ |
1299 | #include <net/netfilter/nf_nat_l3proto.h> |
1300 | #include <net/netfilter/nf_nat_l4proto.h> |
1301 | |
1302 | -static u16 udp_port_rover; |
1303 | - |
1304 | static void |
1305 | udp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1306 | struct nf_conntrack_tuple *tuple, |
1307 | @@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1308 | enum nf_nat_manip_type maniptype, |
1309 | const struct nf_conn *ct) |
1310 | { |
1311 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
1312 | - &udp_port_rover); |
1313 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
1314 | } |
1315 | |
1316 | static bool |
1317 | diff --git a/net/netfilter/nf_nat_proto_udplite.c b/net/netfilter/nf_nat_proto_udplite.c |
1318 | index 58340c97bd836..8be265378de99 100644 |
1319 | --- a/net/netfilter/nf_nat_proto_udplite.c |
1320 | +++ b/net/netfilter/nf_nat_proto_udplite.c |
1321 | @@ -17,8 +17,6 @@ |
1322 | #include <net/netfilter/nf_nat_l3proto.h> |
1323 | #include <net/netfilter/nf_nat_l4proto.h> |
1324 | |
1325 | -static u16 udplite_port_rover; |
1326 | - |
1327 | static void |
1328 | udplite_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1329 | struct nf_conntrack_tuple *tuple, |
1330 | @@ -26,8 +24,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto, |
1331 | enum nf_nat_manip_type maniptype, |
1332 | const struct nf_conn *ct) |
1333 | { |
1334 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
1335 | - &udplite_port_rover); |
1336 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
1337 | } |
1338 | |
1339 | static bool |
1340 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
1341 | index 370d0a4af1f97..8e62b05efe297 100644 |
1342 | --- a/net/packet/af_packet.c |
1343 | +++ b/net/packet/af_packet.c |
1344 | @@ -1705,6 +1705,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
1345 | match->prot_hook.dev = po->prot_hook.dev; |
1346 | match->prot_hook.func = packet_rcv_fanout; |
1347 | match->prot_hook.af_packet_priv = match; |
1348 | + match->prot_hook.af_packet_net = read_pnet(&match->net); |
1349 | match->prot_hook.id_match = match_fanout_group; |
1350 | list_add(&match->list, &fanout_list); |
1351 | } |
1352 | @@ -1718,7 +1719,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
1353 | err = -ENOSPC; |
1354 | if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) { |
1355 | __dev_remove_pack(&po->prot_hook); |
1356 | - po->fanout = match; |
1357 | + |
1358 | + /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */ |
1359 | + WRITE_ONCE(po->fanout, match); |
1360 | + |
1361 | po->rollover = rollover; |
1362 | rollover = NULL; |
1363 | atomic_inc(&match->sk_ref); |
1364 | @@ -3310,6 +3314,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, |
1365 | po->prot_hook.func = packet_rcv_spkt; |
1366 | |
1367 | po->prot_hook.af_packet_priv = sk; |
1368 | + po->prot_hook.af_packet_net = sock_net(sk); |
1369 | |
1370 | if (proto) { |
1371 | po->prot_hook.type = proto; |
1372 | @@ -3893,7 +3898,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv |
1373 | } |
1374 | case PACKET_FANOUT_DATA: |
1375 | { |
1376 | - if (!po->fanout) |
1377 | + /* Paired with the WRITE_ONCE() in fanout_add() */ |
1378 | + if (!READ_ONCE(po->fanout)) |
1379 | return -EINVAL; |
1380 | |
1381 | return fanout_set_data(po, optval, optlen); |
1382 | diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c |
1383 | index ec731223cab3d..72d4548994842 100644 |
1384 | --- a/sound/soc/fsl/pcm030-audio-fabric.c |
1385 | +++ b/sound/soc/fsl/pcm030-audio-fabric.c |
1386 | @@ -90,16 +90,21 @@ static int pcm030_fabric_probe(struct platform_device *op) |
1387 | dev_err(&op->dev, "platform_device_alloc() failed\n"); |
1388 | |
1389 | ret = platform_device_add(pdata->codec_device); |
1390 | - if (ret) |
1391 | + if (ret) { |
1392 | dev_err(&op->dev, "platform_device_add() failed: %d\n", ret); |
1393 | + platform_device_put(pdata->codec_device); |
1394 | + } |
1395 | |
1396 | ret = snd_soc_register_card(card); |
1397 | - if (ret) |
1398 | + if (ret) { |
1399 | dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret); |
1400 | + platform_device_del(pdata->codec_device); |
1401 | + platform_device_put(pdata->codec_device); |
1402 | + } |
1403 | |
1404 | platform_set_drvdata(op, pdata); |
1405 | - |
1406 | return ret; |
1407 | + |
1408 | } |
1409 | |
1410 | static int pcm030_fabric_remove(struct platform_device *op) |
1411 | diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c |
1412 | index 90acdf4d90ed6..4da6f66ea3a21 100644 |
1413 | --- a/sound/soc/soc-ops.c |
1414 | +++ b/sound/soc/soc-ops.c |
1415 | @@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, |
1416 | if (sign_bit) |
1417 | mask = BIT(sign_bit + 1) - 1; |
1418 | |
1419 | - val = ((ucontrol->value.integer.value[0] + min) & mask); |
1420 | + val = ucontrol->value.integer.value[0]; |
1421 | + if (mc->platform_max && val > mc->platform_max) |
1422 | + return -EINVAL; |
1423 | + if (val > max - min) |
1424 | + return -EINVAL; |
1425 | + if (val < 0) |
1426 | + return -EINVAL; |
1427 | + val = (val + min) & mask; |
1428 | if (invert) |
1429 | val = max - val; |
1430 | val_mask = mask << shift; |
1431 | val = val << shift; |
1432 | if (snd_soc_volsw_is_stereo(mc)) { |
1433 | - val2 = ((ucontrol->value.integer.value[1] + min) & mask); |
1434 | + val2 = ucontrol->value.integer.value[1]; |
1435 | + if (mc->platform_max && val2 > mc->platform_max) |
1436 | + return -EINVAL; |
1437 | + if (val2 > max - min) |
1438 | + return -EINVAL; |
1439 | + if (val2 < 0) |
1440 | + return -EINVAL; |
1441 | + val2 = (val2 + min) & mask; |
1442 | if (invert) |
1443 | val2 = max - val2; |
1444 | if (reg == reg2) { |
1445 | @@ -427,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol, |
1446 | int err = 0; |
1447 | unsigned int val, val_mask, val2 = 0; |
1448 | |
1449 | + val = ucontrol->value.integer.value[0]; |
1450 | + if (mc->platform_max && val > mc->platform_max) |
1451 | + return -EINVAL; |
1452 | + if (val > max - min) |
1453 | + return -EINVAL; |
1454 | + if (val < 0) |
1455 | + return -EINVAL; |
1456 | val_mask = mask << shift; |
1457 | - val = (ucontrol->value.integer.value[0] + min) & mask; |
1458 | + val = (val + min) & mask; |
1459 | val = val << shift; |
1460 | |
1461 | err = snd_soc_component_update_bits(component, reg, val_mask, val); |
1462 | @@ -894,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol, |
1463 | unsigned int i, regval, regmask; |
1464 | int err; |
1465 | |
1466 | + if (val < mc->min || val > mc->max) |
1467 | + return -EINVAL; |
1468 | if (invert) |
1469 | val = max - val; |
1470 | val &= mask; |