Contents of /trunk/kernel-alx-legacy/patches-4.9/0399-4.9.300-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3701 -
(show annotations)
(download)
Mon Oct 24 14:08:15 2022 UTC (18 months, 1 week ago) by niro
File size: 47247 byte(s)
Mon Oct 24 14:08:15 2022 UTC (18 months, 1 week ago) by niro
File size: 47247 byte(s)
-linux-4.9.300
| 1 | diff --git a/Makefile b/Makefile |
| 2 | index 99d37c23495ef..52e73f525a442 100644 |
| 3 | --- a/Makefile |
| 4 | +++ b/Makefile |
| 5 | @@ -1,6 +1,6 @@ |
| 6 | VERSION = 4 |
| 7 | PATCHLEVEL = 9 |
| 8 | -SUBLEVEL = 299 |
| 9 | +SUBLEVEL = 300 |
| 10 | EXTRAVERSION = |
| 11 | NAME = Roaring Lionus |
| 12 | |
| 13 | diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile |
| 14 | index d80fbf0884ffa..bc6c85788b84f 100644 |
| 15 | --- a/arch/powerpc/kernel/Makefile |
| 16 | +++ b/arch/powerpc/kernel/Makefile |
| 17 | @@ -14,6 +14,7 @@ CFLAGS_prom_init.o += -fPIC |
| 18 | CFLAGS_btext.o += -fPIC |
| 19 | endif |
| 20 | |
| 21 | +CFLAGS_setup_32.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 22 | CFLAGS_cputable.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 23 | CFLAGS_prom_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 24 | CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 25 | diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile |
| 26 | index 309361e865233..3e3370d126aea 100644 |
| 27 | --- a/arch/powerpc/lib/Makefile |
| 28 | +++ b/arch/powerpc/lib/Makefile |
| 29 | @@ -9,6 +9,9 @@ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC) |
| 30 | CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE) |
| 31 | CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE) |
| 32 | |
| 33 | +CFLAGS_code-patching.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 34 | +CFLAGS_feature-fixups.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) |
| 35 | + |
| 36 | obj-y += string.o alloc.o crtsavres.o code-patching.o \ |
| 37 | feature-fixups.o |
| 38 | |
| 39 | diff --git a/arch/s390/hypfs/hypfs_vm.c b/arch/s390/hypfs/hypfs_vm.c |
| 40 | index 012919d9833bb..9fed1308670dc 100644 |
| 41 | --- a/arch/s390/hypfs/hypfs_vm.c |
| 42 | +++ b/arch/s390/hypfs/hypfs_vm.c |
| 43 | @@ -19,6 +19,7 @@ |
| 44 | |
| 45 | static char local_guest[] = " "; |
| 46 | static char all_guests[] = "* "; |
| 47 | +static char *all_groups = all_guests; |
| 48 | static char *guest_query; |
| 49 | |
| 50 | struct diag2fc_data { |
| 51 | @@ -61,10 +62,11 @@ static int diag2fc(int size, char* query, void *addr) |
| 52 | |
| 53 | memcpy(parm_list.userid, query, NAME_LEN); |
| 54 | ASCEBC(parm_list.userid, NAME_LEN); |
| 55 | - parm_list.addr = (unsigned long) addr ; |
| 56 | + memcpy(parm_list.aci_grp, all_groups, NAME_LEN); |
| 57 | + ASCEBC(parm_list.aci_grp, NAME_LEN); |
| 58 | + parm_list.addr = (unsigned long)addr; |
| 59 | parm_list.size = size; |
| 60 | parm_list.fmt = 0x02; |
| 61 | - memset(parm_list.aci_grp, 0x40, NAME_LEN); |
| 62 | rc = -1; |
| 63 | |
| 64 | diag_stat_inc(DIAG_STAT_X2FC); |
| 65 | diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c |
| 66 | index 6037efa94c9ba..6d10bbc65ad3f 100644 |
| 67 | --- a/drivers/edac/altera_edac.c |
| 68 | +++ b/drivers/edac/altera_edac.c |
| 69 | @@ -363,7 +363,7 @@ static int altr_sdram_probe(struct platform_device *pdev) |
| 70 | if (irq < 0) { |
| 71 | edac_printk(KERN_ERR, EDAC_MC, |
| 72 | "No irq %d in DT\n", irq); |
| 73 | - return -ENODEV; |
| 74 | + return irq; |
| 75 | } |
| 76 | |
| 77 | /* Arria10 has a 2nd IRQ */ |
| 78 | diff --git a/drivers/edac/xgene_edac.c b/drivers/edac/xgene_edac.c |
| 79 | index bf19b6e3bd129..771927d2b5ded 100644 |
| 80 | --- a/drivers/edac/xgene_edac.c |
| 81 | +++ b/drivers/edac/xgene_edac.c |
| 82 | @@ -1936,7 +1936,7 @@ static int xgene_edac_probe(struct platform_device *pdev) |
| 83 | irq = platform_get_irq(pdev, i); |
| 84 | if (irq < 0) { |
| 85 | dev_err(&pdev->dev, "No IRQ resource\n"); |
| 86 | - rc = -EINVAL; |
| 87 | + rc = irq; |
| 88 | goto out_err; |
| 89 | } |
| 90 | rc = devm_request_irq(&pdev->dev, irq, |
| 91 | diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c |
| 92 | index ce32f41fc28aa..94fded3daaa30 100644 |
| 93 | --- a/drivers/gpu/drm/msm/msm_drv.c |
| 94 | +++ b/drivers/gpu/drm/msm/msm_drv.c |
| 95 | @@ -297,7 +297,7 @@ static int msm_init_vram(struct drm_device *dev) |
| 96 | of_node_put(node); |
| 97 | if (ret) |
| 98 | return ret; |
| 99 | - size = r.end - r.start; |
| 100 | + size = r.end - r.start + 1; |
| 101 | DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); |
| 102 | |
| 103 | /* if we have no IOMMU, then we need to use carveout allocator. |
| 104 | diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
| 105 | index f3c30b2a788e8..8bff14ae16b0e 100644 |
| 106 | --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
| 107 | +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c |
| 108 | @@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size) |
| 109 | *addr += bios->imaged_addr; |
| 110 | } |
| 111 | |
| 112 | - if (unlikely(*addr + size >= bios->size)) { |
| 113 | + if (unlikely(*addr + size > bios->size)) { |
| 114 | nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); |
| 115 | return false; |
| 116 | } |
| 117 | diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c |
| 118 | index 1e9f029a328a6..d899ae5470fa2 100644 |
| 119 | --- a/drivers/hwmon/lm90.c |
| 120 | +++ b/drivers/hwmon/lm90.c |
| 121 | @@ -265,7 +265,7 @@ static const struct lm90_params lm90_params[] = { |
| 122 | .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT |
| 123 | | LM90_HAVE_BROKEN_ALERT, |
| 124 | .alert_alarms = 0x7c, |
| 125 | - .max_convrate = 8, |
| 126 | + .max_convrate = 7, |
| 127 | }, |
| 128 | [lm86] = { |
| 129 | .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT, |
| 130 | diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c |
| 131 | index a3279f303b499..45c809f3d24f4 100644 |
| 132 | --- a/drivers/iommu/amd_iommu_init.c |
| 133 | +++ b/drivers/iommu/amd_iommu_init.c |
| 134 | @@ -28,6 +28,7 @@ |
| 135 | #include <linux/amd-iommu.h> |
| 136 | #include <linux/export.h> |
| 137 | #include <linux/iommu.h> |
| 138 | +#include <linux/iopoll.h> |
| 139 | #include <asm/pci-direct.h> |
| 140 | #include <asm/iommu.h> |
| 141 | #include <asm/gart.h> |
| 142 | @@ -715,6 +716,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) |
| 143 | status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); |
| 144 | if (status & (MMIO_STATUS_GALOG_RUN_MASK)) |
| 145 | break; |
| 146 | + udelay(10); |
| 147 | } |
| 148 | |
| 149 | if (i >= LOOP_TIMEOUT) |
| 150 | diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
| 151 | index 1df7f5da8411f..d412d942cbdaf 100644 |
| 152 | --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
| 153 | +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c |
| 154 | @@ -494,7 +494,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata) |
| 155 | if (!channel->tx_ring) |
| 156 | break; |
| 157 | |
| 158 | + /* Deactivate the Tx timer */ |
| 159 | del_timer_sync(&channel->tx_timer); |
| 160 | + channel->tx_timer_active = 0; |
| 161 | } |
| 162 | } |
| 163 | |
| 164 | @@ -1966,6 +1968,14 @@ read_again: |
| 165 | buf2_len = xgbe_rx_buf2_len(rdata, packet, len); |
| 166 | len += buf2_len; |
| 167 | |
| 168 | + if (buf2_len > rdata->rx.buf.dma_len) { |
| 169 | + /* Hardware inconsistency within the descriptors |
| 170 | + * that has resulted in a length underflow. |
| 171 | + */ |
| 172 | + error = 1; |
| 173 | + goto skip_data; |
| 174 | + } |
| 175 | + |
| 176 | if (!skb) { |
| 177 | skb = xgbe_create_skb(pdata, napi, rdata, |
| 178 | buf1_len); |
| 179 | @@ -1995,8 +2005,10 @@ skip_data: |
| 180 | if (!last || context_next) |
| 181 | goto read_again; |
| 182 | |
| 183 | - if (!skb) |
| 184 | + if (!skb || error) { |
| 185 | + dev_kfree_skb(skb); |
| 186 | goto next_packet; |
| 187 | + } |
| 188 | |
| 189 | /* Be sure we don't exceed the configured MTU */ |
| 190 | max_len = netdev->mtu + ETH_HLEN; |
| 191 | diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c |
| 192 | index 774b9db0c811f..0d3baa86cf176 100644 |
| 193 | --- a/drivers/net/macsec.c |
| 194 | +++ b/drivers/net/macsec.c |
| 195 | @@ -3230,6 +3230,15 @@ static int macsec_newlink(struct net *net, struct net_device *dev, |
| 196 | |
| 197 | macsec->real_dev = real_dev; |
| 198 | |
| 199 | + /* send_sci must be set to true when transmit sci explicitly is set */ |
| 200 | + if ((data && data[IFLA_MACSEC_SCI]) && |
| 201 | + (data && data[IFLA_MACSEC_INC_SCI])) { |
| 202 | + u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); |
| 203 | + |
| 204 | + if (!send_sci) |
| 205 | + return -EINVAL; |
| 206 | + } |
| 207 | + |
| 208 | if (data && data[IFLA_MACSEC_ICV_LEN]) |
| 209 | icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); |
| 210 | mtu = real_dev->mtu - icv_len - macsec_extra_len(true); |
| 211 | diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c |
| 212 | index 0cf5324d493e8..52ed3da64f01d 100644 |
| 213 | --- a/drivers/net/usb/ipheth.c |
| 214 | +++ b/drivers/net/usb/ipheth.c |
| 215 | @@ -173,7 +173,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone) |
| 216 | if (tx_buf == NULL) |
| 217 | goto free_rx_urb; |
| 218 | |
| 219 | - rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE, |
| 220 | + rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, |
| 221 | GFP_KERNEL, &rx_urb->transfer_dma); |
| 222 | if (rx_buf == NULL) |
| 223 | goto free_tx_buf; |
| 224 | @@ -198,7 +198,7 @@ error_nomem: |
| 225 | |
| 226 | static void ipheth_free_urbs(struct ipheth_device *iphone) |
| 227 | { |
| 228 | - usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf, |
| 229 | + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf, |
| 230 | iphone->rx_urb->transfer_dma); |
| 231 | usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf, |
| 232 | iphone->tx_urb->transfer_dma); |
| 233 | @@ -371,7 +371,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags) |
| 234 | |
| 235 | usb_fill_bulk_urb(dev->rx_urb, udev, |
| 236 | usb_rcvbulkpipe(udev, dev->bulk_in), |
| 237 | - dev->rx_buf, IPHETH_BUF_SIZE, |
| 238 | + dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, |
| 239 | ipheth_rcvbulk_callback, |
| 240 | dev); |
| 241 | dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; |
| 242 | diff --git a/drivers/rtc/rtc-mc146818-lib.c b/drivers/rtc/rtc-mc146818-lib.c |
| 243 | index 18a6f15e313d8..86b8858917b62 100644 |
| 244 | --- a/drivers/rtc/rtc-mc146818-lib.c |
| 245 | +++ b/drivers/rtc/rtc-mc146818-lib.c |
| 246 | @@ -82,7 +82,7 @@ unsigned int mc146818_get_time(struct rtc_time *time) |
| 247 | time->tm_year += real_year - 72; |
| 248 | #endif |
| 249 | |
| 250 | - if (century > 20) |
| 251 | + if (century > 19) |
| 252 | time->tm_year += (century - 19) * 100; |
| 253 | |
| 254 | /* |
| 255 | diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c |
| 256 | index f7630cf581cd9..fd622021748f8 100644 |
| 257 | --- a/drivers/s390/scsi/zfcp_fc.c |
| 258 | +++ b/drivers/s390/scsi/zfcp_fc.c |
| 259 | @@ -518,6 +518,8 @@ static void zfcp_fc_adisc_handler(void *data) |
| 260 | goto out; |
| 261 | } |
| 262 | |
| 263 | + /* re-init to undo drop from zfcp_fc_adisc() */ |
| 264 | + port->d_id = ntoh24(adisc_resp->adisc_port_id); |
| 265 | /* port is good, unblock rport without going through erp */ |
| 266 | zfcp_scsi_schedule_rport_register(port); |
| 267 | out: |
| 268 | @@ -531,6 +533,7 @@ static int zfcp_fc_adisc(struct zfcp_port *port) |
| 269 | struct zfcp_fc_req *fc_req; |
| 270 | struct zfcp_adapter *adapter = port->adapter; |
| 271 | struct Scsi_Host *shost = adapter->scsi_host; |
| 272 | + u32 d_id; |
| 273 | int ret; |
| 274 | |
| 275 | fc_req = kmem_cache_zalloc(zfcp_fc_req_cache, GFP_ATOMIC); |
| 276 | @@ -555,7 +558,15 @@ static int zfcp_fc_adisc(struct zfcp_port *port) |
| 277 | fc_req->u.adisc.req.adisc_cmd = ELS_ADISC; |
| 278 | hton24(fc_req->u.adisc.req.adisc_port_id, fc_host_port_id(shost)); |
| 279 | |
| 280 | - ret = zfcp_fsf_send_els(adapter, port->d_id, &fc_req->ct_els, |
| 281 | + d_id = port->d_id; /* remember as destination for send els below */ |
| 282 | + /* |
| 283 | + * Force fresh GID_PN lookup on next port recovery. |
| 284 | + * Must happen after request setup and before sending request, |
| 285 | + * to prevent race with port->d_id re-init in zfcp_fc_adisc_handler(). |
| 286 | + */ |
| 287 | + port->d_id = 0; |
| 288 | + |
| 289 | + ret = zfcp_fsf_send_els(adapter, d_id, &fc_req->ct_els, |
| 290 | ZFCP_FC_CTELS_TMO); |
| 291 | if (ret) |
| 292 | kmem_cache_free(zfcp_fc_req_cache, fc_req); |
| 293 | diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
| 294 | index 68cc332bd6cba..b3dae8a4e5fc4 100644 |
| 295 | --- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
| 296 | +++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c |
| 297 | @@ -79,7 +79,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba); |
| 298 | static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba); |
| 299 | static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, |
| 300 | struct device *parent, int npiv); |
| 301 | -static void bnx2fc_destroy_work(struct work_struct *work); |
| 302 | +static void bnx2fc_port_destroy(struct fcoe_port *port); |
| 303 | |
| 304 | static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev); |
| 305 | static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device |
| 306 | @@ -521,7 +521,8 @@ static int bnx2fc_l2_rcv_thread(void *arg) |
| 307 | |
| 308 | static void bnx2fc_recv_frame(struct sk_buff *skb) |
| 309 | { |
| 310 | - u32 fr_len; |
| 311 | + u64 crc_err; |
| 312 | + u32 fr_len, fr_crc; |
| 313 | struct fc_lport *lport; |
| 314 | struct fcoe_rcv_info *fr; |
| 315 | struct fc_stats *stats; |
| 316 | @@ -553,6 +554,11 @@ static void bnx2fc_recv_frame(struct sk_buff *skb) |
| 317 | skb_pull(skb, sizeof(struct fcoe_hdr)); |
| 318 | fr_len = skb->len - sizeof(struct fcoe_crc_eof); |
| 319 | |
| 320 | + stats = per_cpu_ptr(lport->stats, get_cpu()); |
| 321 | + stats->RxFrames++; |
| 322 | + stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; |
| 323 | + put_cpu(); |
| 324 | + |
| 325 | fp = (struct fc_frame *)skb; |
| 326 | fc_frame_init(fp); |
| 327 | fr_dev(fp) = lport; |
| 328 | @@ -604,16 +610,15 @@ static void bnx2fc_recv_frame(struct sk_buff *skb) |
| 329 | return; |
| 330 | } |
| 331 | |
| 332 | - stats = per_cpu_ptr(lport->stats, smp_processor_id()); |
| 333 | - stats->RxFrames++; |
| 334 | - stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; |
| 335 | + fr_crc = le32_to_cpu(fr_crc(fp)); |
| 336 | |
| 337 | - if (le32_to_cpu(fr_crc(fp)) != |
| 338 | - ~crc32(~0, skb->data, fr_len)) { |
| 339 | - if (stats->InvalidCRCCount < 5) |
| 340 | + if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) { |
| 341 | + stats = per_cpu_ptr(lport->stats, get_cpu()); |
| 342 | + crc_err = (stats->InvalidCRCCount++); |
| 343 | + put_cpu(); |
| 344 | + if (crc_err < 5) |
| 345 | printk(KERN_WARNING PFX "dropping frame with " |
| 346 | "CRC error\n"); |
| 347 | - stats->InvalidCRCCount++; |
| 348 | kfree_skb(skb); |
| 349 | return; |
| 350 | } |
| 351 | @@ -884,9 +889,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event, |
| 352 | __bnx2fc_destroy(interface); |
| 353 | } |
| 354 | mutex_unlock(&bnx2fc_dev_lock); |
| 355 | - |
| 356 | - /* Ensure ALL destroy work has been completed before return */ |
| 357 | - flush_workqueue(bnx2fc_wq); |
| 358 | return; |
| 359 | |
| 360 | default: |
| 361 | @@ -1194,8 +1196,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport) |
| 362 | mutex_unlock(&n_port->lp_mutex); |
| 363 | bnx2fc_free_vport(interface->hba, port->lport); |
| 364 | bnx2fc_port_shutdown(port->lport); |
| 365 | + bnx2fc_port_destroy(port); |
| 366 | bnx2fc_interface_put(interface); |
| 367 | - queue_work(bnx2fc_wq, &port->destroy_work); |
| 368 | return 0; |
| 369 | } |
| 370 | |
| 371 | @@ -1504,7 +1506,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, |
| 372 | port->lport = lport; |
| 373 | port->priv = interface; |
| 374 | port->get_netdev = bnx2fc_netdev; |
| 375 | - INIT_WORK(&port->destroy_work, bnx2fc_destroy_work); |
| 376 | |
| 377 | /* Configure fcoe_port */ |
| 378 | rc = bnx2fc_lport_config(lport); |
| 379 | @@ -1632,8 +1633,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface) |
| 380 | bnx2fc_interface_cleanup(interface); |
| 381 | bnx2fc_stop(interface); |
| 382 | list_del(&interface->list); |
| 383 | + bnx2fc_port_destroy(port); |
| 384 | bnx2fc_interface_put(interface); |
| 385 | - queue_work(bnx2fc_wq, &port->destroy_work); |
| 386 | } |
| 387 | |
| 388 | /** |
| 389 | @@ -1674,15 +1675,12 @@ netdev_err: |
| 390 | return rc; |
| 391 | } |
| 392 | |
| 393 | -static void bnx2fc_destroy_work(struct work_struct *work) |
| 394 | +static void bnx2fc_port_destroy(struct fcoe_port *port) |
| 395 | { |
| 396 | - struct fcoe_port *port; |
| 397 | struct fc_lport *lport; |
| 398 | |
| 399 | - port = container_of(work, struct fcoe_port, destroy_work); |
| 400 | lport = port->lport; |
| 401 | - |
| 402 | - BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n"); |
| 403 | + BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport); |
| 404 | |
| 405 | bnx2fc_if_destroy(lport); |
| 406 | } |
| 407 | @@ -2522,9 +2520,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev) |
| 408 | __bnx2fc_destroy(interface); |
| 409 | mutex_unlock(&bnx2fc_dev_lock); |
| 410 | |
| 411 | - /* Ensure ALL destroy work has been completed before return */ |
| 412 | - flush_workqueue(bnx2fc_wq); |
| 413 | - |
| 414 | bnx2fc_ulp_stop(hba); |
| 415 | /* unregister cnic device */ |
| 416 | if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic)) |
| 417 | diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c |
| 418 | index d521adf6ac245..40820904f76c0 100644 |
| 419 | --- a/drivers/spi/spi-bcm-qspi.c |
| 420 | +++ b/drivers/spi/spi-bcm-qspi.c |
| 421 | @@ -546,7 +546,7 @@ static void bcm_qspi_chip_select(struct bcm_qspi *qspi, int cs) |
| 422 | u32 rd = 0; |
| 423 | u32 wr = 0; |
| 424 | |
| 425 | - if (qspi->base[CHIP_SELECT]) { |
| 426 | + if (cs >= 0 && qspi->base[CHIP_SELECT]) { |
| 427 | rd = bcm_qspi_read(qspi, CHIP_SELECT, 0); |
| 428 | wr = (rd & ~0xff) | (1 << cs); |
| 429 | if (rd == wr) |
| 430 | diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c |
| 431 | index dd0bf25d45502..348f136d9e134 100644 |
| 432 | --- a/drivers/spi/spi-mt65xx.c |
| 433 | +++ b/drivers/spi/spi-mt65xx.c |
| 434 | @@ -440,7 +440,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) |
| 435 | else |
| 436 | mdata->state = MTK_SPI_IDLE; |
| 437 | |
| 438 | - if (!master->can_dma(master, master->cur_msg->spi, trans)) { |
| 439 | + if (!master->can_dma(master, NULL, trans)) { |
| 440 | if (trans->rx_buf) { |
| 441 | cnt = mdata->xfer_len / 4; |
| 442 | ioread32_rep(mdata->base + SPI_RX_DATA_REG, |
| 443 | diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c |
| 444 | index 1ab9bd4335421..67e5b587a1062 100644 |
| 445 | --- a/drivers/tty/n_gsm.c |
| 446 | +++ b/drivers/tty/n_gsm.c |
| 447 | @@ -329,6 +329,7 @@ static struct tty_driver *gsm_tty_driver; |
| 448 | #define GSM1_ESCAPE_BITS 0x20 |
| 449 | #define XON 0x11 |
| 450 | #define XOFF 0x13 |
| 451 | +#define ISO_IEC_646_MASK 0x7F |
| 452 | |
| 453 | static const struct tty_port_operations gsm_port_ops; |
| 454 | |
| 455 | @@ -547,7 +548,8 @@ static int gsm_stuff_frame(const u8 *input, u8 *output, int len) |
| 456 | int olen = 0; |
| 457 | while (len--) { |
| 458 | if (*input == GSM1_SOF || *input == GSM1_ESCAPE |
| 459 | - || *input == XON || *input == XOFF) { |
| 460 | + || (*input & ISO_IEC_646_MASK) == XON |
| 461 | + || (*input & ISO_IEC_646_MASK) == XOFF) { |
| 462 | *output++ = GSM1_ESCAPE; |
| 463 | *output++ = *input++ ^ GSM1_ESCAPE_BITS; |
| 464 | olen++; |
| 465 | diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c |
| 466 | index 550f2f0523d84..3973bbd5ee553 100644 |
| 467 | --- a/drivers/tty/serial/8250/8250_pci.c |
| 468 | +++ b/drivers/tty/serial/8250/8250_pci.c |
| 469 | @@ -5238,8 +5238,30 @@ static struct pci_device_id serial_pci_tbl[] = { |
| 470 | { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400, |
| 471 | PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ |
| 472 | pbn_b2_4_115200 }, |
| 473 | + /* Brainboxes Devices */ |
| 474 | /* |
| 475 | - * BrainBoxes UC-260 |
| 476 | + * Brainboxes UC-101 |
| 477 | + */ |
| 478 | + { PCI_VENDOR_ID_INTASHIELD, 0x0BA1, |
| 479 | + PCI_ANY_ID, PCI_ANY_ID, |
| 480 | + 0, 0, |
| 481 | + pbn_b2_2_115200 }, |
| 482 | + /* |
| 483 | + * Brainboxes UC-235/246 |
| 484 | + */ |
| 485 | + { PCI_VENDOR_ID_INTASHIELD, 0x0AA1, |
| 486 | + PCI_ANY_ID, PCI_ANY_ID, |
| 487 | + 0, 0, |
| 488 | + pbn_b2_1_115200 }, |
| 489 | + /* |
| 490 | + * Brainboxes UC-257 |
| 491 | + */ |
| 492 | + { PCI_VENDOR_ID_INTASHIELD, 0x0861, |
| 493 | + PCI_ANY_ID, PCI_ANY_ID, |
| 494 | + 0, 0, |
| 495 | + pbn_b2_2_115200 }, |
| 496 | + /* |
| 497 | + * Brainboxes UC-260/271/701/756 |
| 498 | */ |
| 499 | { PCI_VENDOR_ID_INTASHIELD, 0x0D21, |
| 500 | PCI_ANY_ID, PCI_ANY_ID, |
| 501 | @@ -5247,7 +5269,81 @@ static struct pci_device_id serial_pci_tbl[] = { |
| 502 | pbn_b2_4_115200 }, |
| 503 | { PCI_VENDOR_ID_INTASHIELD, 0x0E34, |
| 504 | PCI_ANY_ID, PCI_ANY_ID, |
| 505 | - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, |
| 506 | + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, |
| 507 | + pbn_b2_4_115200 }, |
| 508 | + /* |
| 509 | + * Brainboxes UC-268 |
| 510 | + */ |
| 511 | + { PCI_VENDOR_ID_INTASHIELD, 0x0841, |
| 512 | + PCI_ANY_ID, PCI_ANY_ID, |
| 513 | + 0, 0, |
| 514 | + pbn_b2_4_115200 }, |
| 515 | + /* |
| 516 | + * Brainboxes UC-275/279 |
| 517 | + */ |
| 518 | + { PCI_VENDOR_ID_INTASHIELD, 0x0881, |
| 519 | + PCI_ANY_ID, PCI_ANY_ID, |
| 520 | + 0, 0, |
| 521 | + pbn_b2_8_115200 }, |
| 522 | + /* |
| 523 | + * Brainboxes UC-302 |
| 524 | + */ |
| 525 | + { PCI_VENDOR_ID_INTASHIELD, 0x08E1, |
| 526 | + PCI_ANY_ID, PCI_ANY_ID, |
| 527 | + 0, 0, |
| 528 | + pbn_b2_2_115200 }, |
| 529 | + /* |
| 530 | + * Brainboxes UC-310 |
| 531 | + */ |
| 532 | + { PCI_VENDOR_ID_INTASHIELD, 0x08C1, |
| 533 | + PCI_ANY_ID, PCI_ANY_ID, |
| 534 | + 0, 0, |
| 535 | + pbn_b2_2_115200 }, |
| 536 | + /* |
| 537 | + * Brainboxes UC-313 |
| 538 | + */ |
| 539 | + { PCI_VENDOR_ID_INTASHIELD, 0x08A3, |
| 540 | + PCI_ANY_ID, PCI_ANY_ID, |
| 541 | + 0, 0, |
| 542 | + pbn_b2_2_115200 }, |
| 543 | + /* |
| 544 | + * Brainboxes UC-320/324 |
| 545 | + */ |
| 546 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A61, |
| 547 | + PCI_ANY_ID, PCI_ANY_ID, |
| 548 | + 0, 0, |
| 549 | + pbn_b2_1_115200 }, |
| 550 | + /* |
| 551 | + * Brainboxes UC-346 |
| 552 | + */ |
| 553 | + { PCI_VENDOR_ID_INTASHIELD, 0x0B02, |
| 554 | + PCI_ANY_ID, PCI_ANY_ID, |
| 555 | + 0, 0, |
| 556 | + pbn_b2_4_115200 }, |
| 557 | + /* |
| 558 | + * Brainboxes UC-357 |
| 559 | + */ |
| 560 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A81, |
| 561 | + PCI_ANY_ID, PCI_ANY_ID, |
| 562 | + 0, 0, |
| 563 | + pbn_b2_2_115200 }, |
| 564 | + { PCI_VENDOR_ID_INTASHIELD, 0x0A83, |
| 565 | + PCI_ANY_ID, PCI_ANY_ID, |
| 566 | + 0, 0, |
| 567 | + pbn_b2_2_115200 }, |
| 568 | + /* |
| 569 | + * Brainboxes UC-368 |
| 570 | + */ |
| 571 | + { PCI_VENDOR_ID_INTASHIELD, 0x0C41, |
| 572 | + PCI_ANY_ID, PCI_ANY_ID, |
| 573 | + 0, 0, |
| 574 | + pbn_b2_4_115200 }, |
| 575 | + /* |
| 576 | + * Brainboxes UC-420/431 |
| 577 | + */ |
| 578 | + { PCI_VENDOR_ID_INTASHIELD, 0x0921, |
| 579 | + PCI_ANY_ID, PCI_ANY_ID, |
| 580 | + 0, 0, |
| 581 | pbn_b2_4_115200 }, |
| 582 | /* |
| 583 | * Perle PCI-RAS cards |
| 584 | diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c |
| 585 | index f325019887b23..766941a6e1aa8 100644 |
| 586 | --- a/drivers/tty/serial/stm32-usart.c |
| 587 | +++ b/drivers/tty/serial/stm32-usart.c |
| 588 | @@ -389,7 +389,7 @@ static void stm32_start_tx(struct uart_port *port) |
| 589 | { |
| 590 | struct circ_buf *xmit = &port->state->xmit; |
| 591 | |
| 592 | - if (uart_circ_empty(xmit)) |
| 593 | + if (uart_circ_empty(xmit) && !port->x_char) |
| 594 | return; |
| 595 | |
| 596 | stm32_transmit_chars(port); |
| 597 | diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c |
| 598 | index 2246731d96b0e..a4b2313607995 100644 |
| 599 | --- a/drivers/usb/core/hcd.c |
| 600 | +++ b/drivers/usb/core/hcd.c |
| 601 | @@ -1668,6 +1668,13 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) |
| 602 | urb->hcpriv = NULL; |
| 603 | INIT_LIST_HEAD(&urb->urb_list); |
| 604 | atomic_dec(&urb->use_count); |
| 605 | + /* |
| 606 | + * Order the write of urb->use_count above before the read |
| 607 | + * of urb->reject below. Pairs with the memory barriers in |
| 608 | + * usb_kill_urb() and usb_poison_urb(). |
| 609 | + */ |
| 610 | + smp_mb__after_atomic(); |
| 611 | + |
| 612 | atomic_dec(&urb->dev->urbnum); |
| 613 | if (atomic_read(&urb->reject)) |
| 614 | wake_up(&usb_kill_urb_queue); |
| 615 | @@ -1777,6 +1784,13 @@ static void __usb_hcd_giveback_urb(struct urb *urb) |
| 616 | |
| 617 | usb_anchor_resume_wakeups(anchor); |
| 618 | atomic_dec(&urb->use_count); |
| 619 | + /* |
| 620 | + * Order the write of urb->use_count above before the read |
| 621 | + * of urb->reject below. Pairs with the memory barriers in |
| 622 | + * usb_kill_urb() and usb_poison_urb(). |
| 623 | + */ |
| 624 | + smp_mb__after_atomic(); |
| 625 | + |
| 626 | if (unlikely(atomic_read(&urb->reject))) |
| 627 | wake_up(&usb_kill_urb_queue); |
| 628 | usb_put_urb(urb); |
| 629 | diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c |
| 630 | index 6785ebc078047..ec8921d09e321 100644 |
| 631 | --- a/drivers/usb/core/urb.c |
| 632 | +++ b/drivers/usb/core/urb.c |
| 633 | @@ -684,6 +684,12 @@ void usb_kill_urb(struct urb *urb) |
| 634 | if (!(urb && urb->dev && urb->ep)) |
| 635 | return; |
| 636 | atomic_inc(&urb->reject); |
| 637 | + /* |
| 638 | + * Order the write of urb->reject above before the read |
| 639 | + * of urb->use_count below. Pairs with the barriers in |
| 640 | + * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). |
| 641 | + */ |
| 642 | + smp_mb__after_atomic(); |
| 643 | |
| 644 | usb_hcd_unlink_urb(urb, -ENOENT); |
| 645 | wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); |
| 646 | @@ -725,6 +731,12 @@ void usb_poison_urb(struct urb *urb) |
| 647 | if (!urb) |
| 648 | return; |
| 649 | atomic_inc(&urb->reject); |
| 650 | + /* |
| 651 | + * Order the write of urb->reject above before the read |
| 652 | + * of urb->use_count below. Pairs with the barriers in |
| 653 | + * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). |
| 654 | + */ |
| 655 | + smp_mb__after_atomic(); |
| 656 | |
| 657 | if (!urb->dev || !urb->ep) |
| 658 | return; |
| 659 | diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c |
| 660 | index 1c5745f7abea1..16142c321df8e 100644 |
| 661 | --- a/drivers/usb/gadget/function/f_sourcesink.c |
| 662 | +++ b/drivers/usb/gadget/function/f_sourcesink.c |
| 663 | @@ -587,6 +587,7 @@ static int source_sink_start_ep(struct f_sourcesink *ss, bool is_in, |
| 664 | |
| 665 | if (is_iso) { |
| 666 | switch (speed) { |
| 667 | + case USB_SPEED_SUPER_PLUS: |
| 668 | case USB_SPEED_SUPER: |
| 669 | size = ss->isoc_maxpacket * |
| 670 | (ss->isoc_mult + 1) * |
| 671 | diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h |
| 672 | index ec2b7f5c900c2..801351f360da6 100644 |
| 673 | --- a/drivers/usb/storage/unusual_devs.h |
| 674 | +++ b/drivers/usb/storage/unusual_devs.h |
| 675 | @@ -2308,6 +2308,16 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x9999, |
| 676 | USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, |
| 677 | US_FL_SCM_MULT_TARG ), |
| 678 | |
| 679 | +/* |
| 680 | + * Reported by DocMAX <mail@vacharakis.de> |
| 681 | + * and Thomas Weißschuh <linux@weissschuh.net> |
| 682 | + */ |
| 683 | +UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999, |
| 684 | + "VIA Labs, Inc.", |
| 685 | + "VL817 SATA Bridge", |
| 686 | + USB_SC_DEVICE, USB_PR_DEVICE, NULL, |
| 687 | + US_FL_IGNORE_UAS), |
| 688 | + |
| 689 | UNUSUAL_DEV( 0x2116, 0x0320, 0x0001, 0x0001, |
| 690 | "ST", |
| 691 | "2A", |
| 692 | diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c |
| 693 | index a0f20a048347c..c87558f120fb9 100644 |
| 694 | --- a/fs/ext4/inline.c |
| 695 | +++ b/fs/ext4/inline.c |
| 696 | @@ -1123,7 +1123,15 @@ static void ext4_restore_inline_data(handle_t *handle, struct inode *inode, |
| 697 | struct ext4_iloc *iloc, |
| 698 | void *buf, int inline_size) |
| 699 | { |
| 700 | - ext4_create_inline_data(handle, inode, inline_size); |
| 701 | + int ret; |
| 702 | + |
| 703 | + ret = ext4_create_inline_data(handle, inode, inline_size); |
| 704 | + if (ret) { |
| 705 | + ext4_msg(inode->i_sb, KERN_EMERG, |
| 706 | + "error restoring inline_data for inode -- potential data loss! (inode %lu, error %d)", |
| 707 | + inode->i_ino, ret); |
| 708 | + return; |
| 709 | + } |
| 710 | ext4_write_inline_data(inode, iloc, buf, 0, inline_size); |
| 711 | ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); |
| 712 | } |
| 713 | diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c |
| 714 | index d405b5a14073a..24e854dfb3c25 100644 |
| 715 | --- a/fs/nfs/dir.c |
| 716 | +++ b/fs/nfs/dir.c |
| 717 | @@ -1602,6 +1602,24 @@ out: |
| 718 | |
| 719 | no_open: |
| 720 | res = nfs_lookup(dir, dentry, lookup_flags); |
| 721 | + if (!res) { |
| 722 | + inode = d_inode(dentry); |
| 723 | + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && |
| 724 | + !S_ISDIR(inode->i_mode)) |
| 725 | + res = ERR_PTR(-ENOTDIR); |
| 726 | + else if (inode && S_ISREG(inode->i_mode)) |
| 727 | + res = ERR_PTR(-EOPENSTALE); |
| 728 | + } else if (!IS_ERR(res)) { |
| 729 | + inode = d_inode(res); |
| 730 | + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && |
| 731 | + !S_ISDIR(inode->i_mode)) { |
| 732 | + dput(res); |
| 733 | + res = ERR_PTR(-ENOTDIR); |
| 734 | + } else if (inode && S_ISREG(inode->i_mode)) { |
| 735 | + dput(res); |
| 736 | + res = ERR_PTR(-EOPENSTALE); |
| 737 | + } |
| 738 | + } |
| 739 | if (switched) { |
| 740 | d_lookup_done(dentry); |
| 741 | if (!res) |
| 742 | diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c |
| 743 | index 524d98e3bcf5b..d9381ca0ac479 100644 |
| 744 | --- a/fs/nfsd/nfs4state.c |
| 745 | +++ b/fs/nfsd/nfs4state.c |
| 746 | @@ -3424,8 +3424,10 @@ nfsd4_setclientid_confirm(struct svc_rqst *rqstp, |
| 747 | status = nfserr_clid_inuse; |
| 748 | if (client_has_state(old) |
| 749 | && !same_creds(&unconf->cl_cred, |
| 750 | - &old->cl_cred)) |
| 751 | + &old->cl_cred)) { |
| 752 | + old = NULL; |
| 753 | goto out; |
| 754 | + } |
| 755 | status = mark_client_expired_locked(old); |
| 756 | if (status) { |
| 757 | old = NULL; |
| 758 | diff --git a/fs/udf/inode.c b/fs/udf/inode.c |
| 759 | index 50607673a6a92..fab5a9506bcf2 100644 |
| 760 | --- a/fs/udf/inode.c |
| 761 | +++ b/fs/udf/inode.c |
| 762 | @@ -259,10 +259,6 @@ int udf_expand_file_adinicb(struct inode *inode) |
| 763 | char *kaddr; |
| 764 | struct udf_inode_info *iinfo = UDF_I(inode); |
| 765 | int err; |
| 766 | - struct writeback_control udf_wbc = { |
| 767 | - .sync_mode = WB_SYNC_NONE, |
| 768 | - .nr_to_write = 1, |
| 769 | - }; |
| 770 | |
| 771 | WARN_ON_ONCE(!inode_is_locked(inode)); |
| 772 | if (!iinfo->i_lenAlloc) { |
| 773 | @@ -306,8 +302,10 @@ int udf_expand_file_adinicb(struct inode *inode) |
| 774 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; |
| 775 | /* from now on we have normal address_space methods */ |
| 776 | inode->i_data.a_ops = &udf_aops; |
| 777 | + set_page_dirty(page); |
| 778 | + unlock_page(page); |
| 779 | up_write(&iinfo->i_data_sem); |
| 780 | - err = inode->i_data.a_ops->writepage(page, &udf_wbc); |
| 781 | + err = filemap_fdatawrite(inode->i_mapping); |
| 782 | if (err) { |
| 783 | /* Restore everything back so that we don't lose data... */ |
| 784 | lock_page(page); |
| 785 | @@ -319,6 +317,7 @@ int udf_expand_file_adinicb(struct inode *inode) |
| 786 | unlock_page(page); |
| 787 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; |
| 788 | inode->i_data.a_ops = &udf_adinicb_aops; |
| 789 | + iinfo->i_lenAlloc = inode->i_size; |
| 790 | up_write(&iinfo->i_data_sem); |
| 791 | } |
| 792 | put_page(page); |
| 793 | diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h |
| 794 | index 2aacafe2bce58..a92fb5c5704f2 100644 |
| 795 | --- a/include/linux/netdevice.h |
| 796 | +++ b/include/linux/netdevice.h |
| 797 | @@ -2237,6 +2237,7 @@ struct packet_type { |
| 798 | struct net_device *); |
| 799 | bool (*id_match)(struct packet_type *ptype, |
| 800 | struct sock *sk); |
| 801 | + struct net *af_packet_net; |
| 802 | void *af_packet_priv; |
| 803 | struct list_head list; |
| 804 | }; |
| 805 | diff --git a/include/net/ip.h b/include/net/ip.h |
| 806 | index f987eaf999004..c762fd047ef4c 100644 |
| 807 | --- a/include/net/ip.h |
| 808 | +++ b/include/net/ip.h |
| 809 | @@ -377,19 +377,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, |
| 810 | { |
| 811 | struct iphdr *iph = ip_hdr(skb); |
| 812 | |
| 813 | + /* We had many attacks based on IPID, use the private |
| 814 | + * generator as much as we can. |
| 815 | + */ |
| 816 | + if (sk && inet_sk(sk)->inet_daddr) { |
| 817 | + iph->id = htons(inet_sk(sk)->inet_id); |
| 818 | + inet_sk(sk)->inet_id += segs; |
| 819 | + return; |
| 820 | + } |
| 821 | if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { |
| 822 | - /* This is only to work around buggy Windows95/2000 |
| 823 | - * VJ compression implementations. If the ID field |
| 824 | - * does not change, they drop every other packet in |
| 825 | - * a TCP stream using header compression. |
| 826 | - */ |
| 827 | - if (sk && inet_sk(sk)->inet_daddr) { |
| 828 | - iph->id = htons(inet_sk(sk)->inet_id); |
| 829 | - inet_sk(sk)->inet_id += segs; |
| 830 | - } else { |
| 831 | - iph->id = 0; |
| 832 | - } |
| 833 | + iph->id = 0; |
| 834 | } else { |
| 835 | + /* Unfortunately we need the big hammer to get a suitable IPID */ |
| 836 | __ip_select_ident(net, iph, segs); |
| 837 | } |
| 838 | } |
| 839 | diff --git a/include/net/netfilter/nf_nat_l4proto.h b/include/net/netfilter/nf_nat_l4proto.h |
| 840 | index 12f4cc841b6ed..630f0f5c3fa35 100644 |
| 841 | --- a/include/net/netfilter/nf_nat_l4proto.h |
| 842 | +++ b/include/net/netfilter/nf_nat_l4proto.h |
| 843 | @@ -64,7 +64,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 844 | struct nf_conntrack_tuple *tuple, |
| 845 | const struct nf_nat_range *range, |
| 846 | enum nf_nat_manip_type maniptype, |
| 847 | - const struct nf_conn *ct, u16 *rover); |
| 848 | + const struct nf_conn *ct); |
| 849 | |
| 850 | int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], |
| 851 | struct nf_nat_range *range); |
| 852 | diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c |
| 853 | index 1896386e16bbe..78e354b1c593b 100644 |
| 854 | --- a/kernel/power/wakelock.c |
| 855 | +++ b/kernel/power/wakelock.c |
| 856 | @@ -38,23 +38,19 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) |
| 857 | { |
| 858 | struct rb_node *node; |
| 859 | struct wakelock *wl; |
| 860 | - char *str = buf; |
| 861 | - char *end = buf + PAGE_SIZE; |
| 862 | + int len = 0; |
| 863 | |
| 864 | mutex_lock(&wakelocks_lock); |
| 865 | |
| 866 | for (node = rb_first(&wakelocks_tree); node; node = rb_next(node)) { |
| 867 | wl = rb_entry(node, struct wakelock, node); |
| 868 | if (wl->ws.active == show_active) |
| 869 | - str += scnprintf(str, end - str, "%s ", wl->name); |
| 870 | + len += sysfs_emit_at(buf, len, "%s ", wl->name); |
| 871 | } |
| 872 | - if (str > buf) |
| 873 | - str--; |
| 874 | - |
| 875 | - str += scnprintf(str, end - str, "\n"); |
| 876 | + len += sysfs_emit_at(buf, len, "\n"); |
| 877 | |
| 878 | mutex_unlock(&wakelocks_lock); |
| 879 | - return (str - buf); |
| 880 | + return len; |
| 881 | } |
| 882 | |
| 883 | #if CONFIG_PM_WAKELOCKS_LIMIT > 0 |
| 884 | diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c |
| 885 | index 17cfd9f8e98e0..cff87c465bcb0 100644 |
| 886 | --- a/net/bluetooth/hci_event.c |
| 887 | +++ b/net/bluetooth/hci_event.c |
| 888 | @@ -4967,6 +4967,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) |
| 889 | struct hci_ev_le_advertising_info *ev = ptr; |
| 890 | s8 rssi; |
| 891 | |
| 892 | + if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { |
| 893 | + bt_dev_err(hdev, "Malicious advertising data."); |
| 894 | + break; |
| 895 | + } |
| 896 | + |
| 897 | if (ev->length <= HCI_MAX_AD_LENGTH && |
| 898 | ev->data + ev->length <= skb_tail_pointer(skb)) { |
| 899 | rssi = ev->data[ev->length]; |
| 900 | @@ -4978,11 +4983,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) |
| 901 | } |
| 902 | |
| 903 | ptr += sizeof(*ev) + ev->length + 1; |
| 904 | - |
| 905 | - if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { |
| 906 | - bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); |
| 907 | - break; |
| 908 | - } |
| 909 | } |
| 910 | |
| 911 | hci_dev_unlock(hdev); |
| 912 | diff --git a/net/can/bcm.c b/net/can/bcm.c |
| 913 | index 369326715b9c6..bfb5072234687 100644 |
| 914 | --- a/net/can/bcm.c |
| 915 | +++ b/net/can/bcm.c |
| 916 | @@ -761,21 +761,21 @@ static struct bcm_op *bcm_find_op(struct list_head *ops, |
| 917 | static void bcm_remove_op(struct bcm_op *op) |
| 918 | { |
| 919 | if (op->tsklet.func) { |
| 920 | - while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) || |
| 921 | - test_bit(TASKLET_STATE_RUN, &op->tsklet.state) || |
| 922 | - hrtimer_active(&op->timer)) { |
| 923 | - hrtimer_cancel(&op->timer); |
| 924 | + do { |
| 925 | tasklet_kill(&op->tsklet); |
| 926 | - } |
| 927 | + hrtimer_cancel(&op->timer); |
| 928 | + } while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) || |
| 929 | + test_bit(TASKLET_STATE_RUN, &op->tsklet.state) || |
| 930 | + hrtimer_active(&op->timer)); |
| 931 | } |
| 932 | |
| 933 | if (op->thrtsklet.func) { |
| 934 | - while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) || |
| 935 | - test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) || |
| 936 | - hrtimer_active(&op->thrtimer)) { |
| 937 | - hrtimer_cancel(&op->thrtimer); |
| 938 | + do { |
| 939 | tasklet_kill(&op->thrtsklet); |
| 940 | - } |
| 941 | + hrtimer_cancel(&op->thrtimer); |
| 942 | + } while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) || |
| 943 | + test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) || |
| 944 | + hrtimer_active(&op->thrtimer)); |
| 945 | } |
| 946 | |
| 947 | if ((op->frames) && (op->frames != &op->sframe)) |
| 948 | diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c |
| 949 | index 14d09345f00d9..913b7c366cd4c 100644 |
| 950 | --- a/net/core/net-procfs.c |
| 951 | +++ b/net/core/net-procfs.c |
| 952 | @@ -208,12 +208,23 @@ static const struct file_operations softnet_seq_fops = { |
| 953 | .release = seq_release, |
| 954 | }; |
| 955 | |
| 956 | -static void *ptype_get_idx(loff_t pos) |
| 957 | +static void *ptype_get_idx(struct seq_file *seq, loff_t pos) |
| 958 | { |
| 959 | + struct list_head *ptype_list = NULL; |
| 960 | struct packet_type *pt = NULL; |
| 961 | + struct net_device *dev; |
| 962 | loff_t i = 0; |
| 963 | int t; |
| 964 | |
| 965 | + for_each_netdev_rcu(seq_file_net(seq), dev) { |
| 966 | + ptype_list = &dev->ptype_all; |
| 967 | + list_for_each_entry_rcu(pt, ptype_list, list) { |
| 968 | + if (i == pos) |
| 969 | + return pt; |
| 970 | + ++i; |
| 971 | + } |
| 972 | + } |
| 973 | + |
| 974 | list_for_each_entry_rcu(pt, &ptype_all, list) { |
| 975 | if (i == pos) |
| 976 | return pt; |
| 977 | @@ -234,22 +245,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos) |
| 978 | __acquires(RCU) |
| 979 | { |
| 980 | rcu_read_lock(); |
| 981 | - return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN; |
| 982 | + return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; |
| 983 | } |
| 984 | |
| 985 | static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) |
| 986 | { |
| 987 | + struct net_device *dev; |
| 988 | struct packet_type *pt; |
| 989 | struct list_head *nxt; |
| 990 | int hash; |
| 991 | |
| 992 | ++*pos; |
| 993 | if (v == SEQ_START_TOKEN) |
| 994 | - return ptype_get_idx(0); |
| 995 | + return ptype_get_idx(seq, 0); |
| 996 | |
| 997 | pt = v; |
| 998 | nxt = pt->list.next; |
| 999 | + if (pt->dev) { |
| 1000 | + if (nxt != &pt->dev->ptype_all) |
| 1001 | + goto found; |
| 1002 | + |
| 1003 | + dev = pt->dev; |
| 1004 | + for_each_netdev_continue_rcu(seq_file_net(seq), dev) { |
| 1005 | + if (!list_empty(&dev->ptype_all)) { |
| 1006 | + nxt = dev->ptype_all.next; |
| 1007 | + goto found; |
| 1008 | + } |
| 1009 | + } |
| 1010 | + |
| 1011 | + nxt = ptype_all.next; |
| 1012 | + goto ptype_all; |
| 1013 | + } |
| 1014 | + |
| 1015 | if (pt->type == htons(ETH_P_ALL)) { |
| 1016 | +ptype_all: |
| 1017 | if (nxt != &ptype_all) |
| 1018 | goto found; |
| 1019 | hash = 0; |
| 1020 | @@ -278,7 +307,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v) |
| 1021 | |
| 1022 | if (v == SEQ_START_TOKEN) |
| 1023 | seq_puts(seq, "Type Device Function\n"); |
| 1024 | - else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { |
| 1025 | + else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && |
| 1026 | + (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) { |
| 1027 | if (pt->type == htons(ETH_P_ALL)) |
| 1028 | seq_puts(seq, "ALL "); |
| 1029 | else |
| 1030 | diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c |
| 1031 | index 012143f313a87..d5cad076daf50 100644 |
| 1032 | --- a/net/core/rtnetlink.c |
| 1033 | +++ b/net/core/rtnetlink.c |
| 1034 | @@ -2454,9 +2454,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh) |
| 1035 | { |
| 1036 | struct net *net = sock_net(skb->sk); |
| 1037 | const struct rtnl_link_ops *ops; |
| 1038 | - const struct rtnl_link_ops *m_ops = NULL; |
| 1039 | + const struct rtnl_link_ops *m_ops; |
| 1040 | struct net_device *dev; |
| 1041 | - struct net_device *master_dev = NULL; |
| 1042 | + struct net_device *master_dev; |
| 1043 | struct ifinfomsg *ifm; |
| 1044 | char kind[MODULE_NAME_LEN]; |
| 1045 | char ifname[IFNAMSIZ]; |
| 1046 | @@ -2487,6 +2487,8 @@ replay: |
| 1047 | dev = NULL; |
| 1048 | } |
| 1049 | |
| 1050 | + master_dev = NULL; |
| 1051 | + m_ops = NULL; |
| 1052 | if (dev) { |
| 1053 | master_dev = netdev_master_upper_dev_get(dev); |
| 1054 | if (master_dev) |
| 1055 | diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c |
| 1056 | index 936371340dc37..c24a1945392a5 100644 |
| 1057 | --- a/net/ieee802154/nl802154.c |
| 1058 | +++ b/net/ieee802154/nl802154.c |
| 1059 | @@ -1474,7 +1474,7 @@ static int nl802154_send_key(struct sk_buff *msg, u32 cmd, u32 portid, |
| 1060 | |
| 1061 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
| 1062 | if (!hdr) |
| 1063 | - return -1; |
| 1064 | + return -ENOBUFS; |
| 1065 | |
| 1066 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
| 1067 | goto nla_put_failure; |
| 1068 | @@ -1665,7 +1665,7 @@ static int nl802154_send_device(struct sk_buff *msg, u32 cmd, u32 portid, |
| 1069 | |
| 1070 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
| 1071 | if (!hdr) |
| 1072 | - return -1; |
| 1073 | + return -ENOBUFS; |
| 1074 | |
| 1075 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
| 1076 | goto nla_put_failure; |
| 1077 | @@ -1843,7 +1843,7 @@ static int nl802154_send_devkey(struct sk_buff *msg, u32 cmd, u32 portid, |
| 1078 | |
| 1079 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
| 1080 | if (!hdr) |
| 1081 | - return -1; |
| 1082 | + return -ENOBUFS; |
| 1083 | |
| 1084 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
| 1085 | goto nla_put_failure; |
| 1086 | @@ -2020,7 +2020,7 @@ static int nl802154_send_seclevel(struct sk_buff *msg, u32 cmd, u32 portid, |
| 1087 | |
| 1088 | hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); |
| 1089 | if (!hdr) |
| 1090 | - return -1; |
| 1091 | + return -ENOBUFS; |
| 1092 | |
| 1093 | if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) |
| 1094 | goto nla_put_failure; |
| 1095 | diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c |
| 1096 | index 589fd0904e0de..bd53136c28262 100644 |
| 1097 | --- a/net/ipv4/ip_output.c |
| 1098 | +++ b/net/ipv4/ip_output.c |
| 1099 | @@ -159,12 +159,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, |
| 1100 | iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); |
| 1101 | iph->saddr = saddr; |
| 1102 | iph->protocol = sk->sk_protocol; |
| 1103 | - if (ip_dont_fragment(sk, &rt->dst)) { |
| 1104 | + /* Do not bother generating IPID for small packets (eg SYNACK) */ |
| 1105 | + if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { |
| 1106 | iph->frag_off = htons(IP_DF); |
| 1107 | iph->id = 0; |
| 1108 | } else { |
| 1109 | iph->frag_off = 0; |
| 1110 | - __ip_select_ident(net, iph, 1); |
| 1111 | + /* TCP packets here are SYNACK with fat IPv4/TCP options. |
| 1112 | + * Avoid using the hashed IP ident generator. |
| 1113 | + */ |
| 1114 | + if (sk->sk_protocol == IPPROTO_TCP) |
| 1115 | + iph->id = (__force __be16)prandom_u32(); |
| 1116 | + else |
| 1117 | + __ip_select_ident(net, iph, 1); |
| 1118 | } |
| 1119 | |
| 1120 | if (opt && opt->opt.optlen) { |
| 1121 | diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c |
| 1122 | index af75c0a8238ef..88ad1b6b38029 100644 |
| 1123 | --- a/net/ipv4/raw.c |
| 1124 | +++ b/net/ipv4/raw.c |
| 1125 | @@ -706,6 +706,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) |
| 1126 | int ret = -EINVAL; |
| 1127 | int chk_addr_ret; |
| 1128 | |
| 1129 | + lock_sock(sk); |
| 1130 | if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in)) |
| 1131 | goto out; |
| 1132 | chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr); |
| 1133 | @@ -718,7 +719,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) |
| 1134 | inet->inet_saddr = 0; /* Use device */ |
| 1135 | sk_dst_reset(sk); |
| 1136 | ret = 0; |
| 1137 | -out: return ret; |
| 1138 | +out: |
| 1139 | + release_sock(sk); |
| 1140 | + return ret; |
| 1141 | } |
| 1142 | |
| 1143 | /* |
| 1144 | diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
| 1145 | index 4e18ce5b939ac..322171a344c09 100644 |
| 1146 | --- a/net/ipv6/ip6_tunnel.c |
| 1147 | +++ b/net/ipv6/ip6_tunnel.c |
| 1148 | @@ -1007,12 +1007,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t, |
| 1149 | ldev = dev_get_by_index_rcu(net, p->link); |
| 1150 | |
| 1151 | if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0))) |
| 1152 | - pr_warn("%s xmit: Local address not yet configured!\n", |
| 1153 | - p->name); |
| 1154 | + pr_warn_ratelimited("%s xmit: Local address not yet configured!\n", |
| 1155 | + p->name); |
| 1156 | else if (!ipv6_addr_is_multicast(raddr) && |
| 1157 | unlikely(ipv6_chk_addr(net, raddr, NULL, 0))) |
| 1158 | - pr_warn("%s xmit: Routing loop! Remote address found on this node!\n", |
| 1159 | - p->name); |
| 1160 | + pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n", |
| 1161 | + p->name); |
| 1162 | else |
| 1163 | ret = 1; |
| 1164 | rcu_read_unlock(); |
| 1165 | diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c |
| 1166 | index 7d7466dbf6633..a4f709a3cbacc 100644 |
| 1167 | --- a/net/netfilter/nf_nat_proto_common.c |
| 1168 | +++ b/net/netfilter/nf_nat_proto_common.c |
| 1169 | @@ -38,12 +38,12 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1170 | struct nf_conntrack_tuple *tuple, |
| 1171 | const struct nf_nat_range *range, |
| 1172 | enum nf_nat_manip_type maniptype, |
| 1173 | - const struct nf_conn *ct, |
| 1174 | - u16 *rover) |
| 1175 | + const struct nf_conn *ct) |
| 1176 | { |
| 1177 | - unsigned int range_size, min, max, i; |
| 1178 | + unsigned int range_size, min, max, i, attempts; |
| 1179 | __be16 *portptr; |
| 1180 | - u_int16_t off; |
| 1181 | + u16 off; |
| 1182 | + static const unsigned int max_attempts = 128; |
| 1183 | |
| 1184 | if (maniptype == NF_NAT_MANIP_SRC) |
| 1185 | portptr = &tuple->src.u.all; |
| 1186 | @@ -84,17 +84,31 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1187 | } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { |
| 1188 | off = prandom_u32(); |
| 1189 | } else { |
| 1190 | - off = *rover; |
| 1191 | + off = prandom_u32(); |
| 1192 | } |
| 1193 | |
| 1194 | - for (i = 0; ; ++off) { |
| 1195 | + attempts = range_size; |
| 1196 | + if (attempts > max_attempts) |
| 1197 | + attempts = max_attempts; |
| 1198 | + |
| 1199 | + /* We are in softirq; doing a search of the entire range risks |
| 1200 | + * soft lockup when all tuples are already used. |
| 1201 | + * |
| 1202 | + * If we can't find any free port from first offset, pick a new |
| 1203 | + * one and try again, with ever smaller search window. |
| 1204 | + */ |
| 1205 | +another_round: |
| 1206 | + for (i = 0; i < attempts; i++, off++) { |
| 1207 | *portptr = htons(min + off % range_size); |
| 1208 | - if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
| 1209 | - continue; |
| 1210 | - if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) |
| 1211 | - *rover = off; |
| 1212 | - return; |
| 1213 | + if (!nf_nat_used_tuple(tuple, ct)) |
| 1214 | + return; |
| 1215 | } |
| 1216 | + |
| 1217 | + if (attempts >= range_size || attempts < 16) |
| 1218 | + return; |
| 1219 | + attempts /= 2; |
| 1220 | + off = prandom_u32(); |
| 1221 | + goto another_round; |
| 1222 | } |
| 1223 | EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple); |
| 1224 | |
| 1225 | diff --git a/net/netfilter/nf_nat_proto_dccp.c b/net/netfilter/nf_nat_proto_dccp.c |
| 1226 | index 15c47b246d0d0..e7d27c0833932 100644 |
| 1227 | --- a/net/netfilter/nf_nat_proto_dccp.c |
| 1228 | +++ b/net/netfilter/nf_nat_proto_dccp.c |
| 1229 | @@ -20,8 +20,6 @@ |
| 1230 | #include <net/netfilter/nf_nat_l3proto.h> |
| 1231 | #include <net/netfilter/nf_nat_l4proto.h> |
| 1232 | |
| 1233 | -static u_int16_t dccp_port_rover; |
| 1234 | - |
| 1235 | static void |
| 1236 | dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1237 | struct nf_conntrack_tuple *tuple, |
| 1238 | @@ -29,8 +27,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1239 | enum nf_nat_manip_type maniptype, |
| 1240 | const struct nf_conn *ct) |
| 1241 | { |
| 1242 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
| 1243 | - &dccp_port_rover); |
| 1244 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
| 1245 | } |
| 1246 | |
| 1247 | static bool |
| 1248 | diff --git a/net/netfilter/nf_nat_proto_sctp.c b/net/netfilter/nf_nat_proto_sctp.c |
| 1249 | index cbc7ade1487b2..b839373716e84 100644 |
| 1250 | --- a/net/netfilter/nf_nat_proto_sctp.c |
| 1251 | +++ b/net/netfilter/nf_nat_proto_sctp.c |
| 1252 | @@ -14,8 +14,6 @@ |
| 1253 | |
| 1254 | #include <net/netfilter/nf_nat_l4proto.h> |
| 1255 | |
| 1256 | -static u_int16_t nf_sctp_port_rover; |
| 1257 | - |
| 1258 | static void |
| 1259 | sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1260 | struct nf_conntrack_tuple *tuple, |
| 1261 | @@ -23,8 +21,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1262 | enum nf_nat_manip_type maniptype, |
| 1263 | const struct nf_conn *ct) |
| 1264 | { |
| 1265 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
| 1266 | - &nf_sctp_port_rover); |
| 1267 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
| 1268 | } |
| 1269 | |
| 1270 | static bool |
| 1271 | diff --git a/net/netfilter/nf_nat_proto_tcp.c b/net/netfilter/nf_nat_proto_tcp.c |
| 1272 | index 4f8820fc51480..882e79c6df734 100644 |
| 1273 | --- a/net/netfilter/nf_nat_proto_tcp.c |
| 1274 | +++ b/net/netfilter/nf_nat_proto_tcp.c |
| 1275 | @@ -18,8 +18,6 @@ |
| 1276 | #include <net/netfilter/nf_nat_l4proto.h> |
| 1277 | #include <net/netfilter/nf_nat_core.h> |
| 1278 | |
| 1279 | -static u16 tcp_port_rover; |
| 1280 | - |
| 1281 | static void |
| 1282 | tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1283 | struct nf_conntrack_tuple *tuple, |
| 1284 | @@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1285 | enum nf_nat_manip_type maniptype, |
| 1286 | const struct nf_conn *ct) |
| 1287 | { |
| 1288 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
| 1289 | - &tcp_port_rover); |
| 1290 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
| 1291 | } |
| 1292 | |
| 1293 | static bool |
| 1294 | diff --git a/net/netfilter/nf_nat_proto_udp.c b/net/netfilter/nf_nat_proto_udp.c |
| 1295 | index b1e627227b6e2..ed91bdd8857c1 100644 |
| 1296 | --- a/net/netfilter/nf_nat_proto_udp.c |
| 1297 | +++ b/net/netfilter/nf_nat_proto_udp.c |
| 1298 | @@ -17,8 +17,6 @@ |
| 1299 | #include <net/netfilter/nf_nat_l3proto.h> |
| 1300 | #include <net/netfilter/nf_nat_l4proto.h> |
| 1301 | |
| 1302 | -static u16 udp_port_rover; |
| 1303 | - |
| 1304 | static void |
| 1305 | udp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1306 | struct nf_conntrack_tuple *tuple, |
| 1307 | @@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1308 | enum nf_nat_manip_type maniptype, |
| 1309 | const struct nf_conn *ct) |
| 1310 | { |
| 1311 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
| 1312 | - &udp_port_rover); |
| 1313 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
| 1314 | } |
| 1315 | |
| 1316 | static bool |
| 1317 | diff --git a/net/netfilter/nf_nat_proto_udplite.c b/net/netfilter/nf_nat_proto_udplite.c |
| 1318 | index 58340c97bd836..8be265378de99 100644 |
| 1319 | --- a/net/netfilter/nf_nat_proto_udplite.c |
| 1320 | +++ b/net/netfilter/nf_nat_proto_udplite.c |
| 1321 | @@ -17,8 +17,6 @@ |
| 1322 | #include <net/netfilter/nf_nat_l3proto.h> |
| 1323 | #include <net/netfilter/nf_nat_l4proto.h> |
| 1324 | |
| 1325 | -static u16 udplite_port_rover; |
| 1326 | - |
| 1327 | static void |
| 1328 | udplite_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1329 | struct nf_conntrack_tuple *tuple, |
| 1330 | @@ -26,8 +24,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto, |
| 1331 | enum nf_nat_manip_type maniptype, |
| 1332 | const struct nf_conn *ct) |
| 1333 | { |
| 1334 | - nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, |
| 1335 | - &udplite_port_rover); |
| 1336 | + nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct); |
| 1337 | } |
| 1338 | |
| 1339 | static bool |
| 1340 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
| 1341 | index 370d0a4af1f97..8e62b05efe297 100644 |
| 1342 | --- a/net/packet/af_packet.c |
| 1343 | +++ b/net/packet/af_packet.c |
| 1344 | @@ -1705,6 +1705,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
| 1345 | match->prot_hook.dev = po->prot_hook.dev; |
| 1346 | match->prot_hook.func = packet_rcv_fanout; |
| 1347 | match->prot_hook.af_packet_priv = match; |
| 1348 | + match->prot_hook.af_packet_net = read_pnet(&match->net); |
| 1349 | match->prot_hook.id_match = match_fanout_group; |
| 1350 | list_add(&match->list, &fanout_list); |
| 1351 | } |
| 1352 | @@ -1718,7 +1719,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
| 1353 | err = -ENOSPC; |
| 1354 | if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) { |
| 1355 | __dev_remove_pack(&po->prot_hook); |
| 1356 | - po->fanout = match; |
| 1357 | + |
| 1358 | + /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */ |
| 1359 | + WRITE_ONCE(po->fanout, match); |
| 1360 | + |
| 1361 | po->rollover = rollover; |
| 1362 | rollover = NULL; |
| 1363 | atomic_inc(&match->sk_ref); |
| 1364 | @@ -3310,6 +3314,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, |
| 1365 | po->prot_hook.func = packet_rcv_spkt; |
| 1366 | |
| 1367 | po->prot_hook.af_packet_priv = sk; |
| 1368 | + po->prot_hook.af_packet_net = sock_net(sk); |
| 1369 | |
| 1370 | if (proto) { |
| 1371 | po->prot_hook.type = proto; |
| 1372 | @@ -3893,7 +3898,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv |
| 1373 | } |
| 1374 | case PACKET_FANOUT_DATA: |
| 1375 | { |
| 1376 | - if (!po->fanout) |
| 1377 | + /* Paired with the WRITE_ONCE() in fanout_add() */ |
| 1378 | + if (!READ_ONCE(po->fanout)) |
| 1379 | return -EINVAL; |
| 1380 | |
| 1381 | return fanout_set_data(po, optval, optlen); |
| 1382 | diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c |
| 1383 | index ec731223cab3d..72d4548994842 100644 |
| 1384 | --- a/sound/soc/fsl/pcm030-audio-fabric.c |
| 1385 | +++ b/sound/soc/fsl/pcm030-audio-fabric.c |
| 1386 | @@ -90,16 +90,21 @@ static int pcm030_fabric_probe(struct platform_device *op) |
| 1387 | dev_err(&op->dev, "platform_device_alloc() failed\n"); |
| 1388 | |
| 1389 | ret = platform_device_add(pdata->codec_device); |
| 1390 | - if (ret) |
| 1391 | + if (ret) { |
| 1392 | dev_err(&op->dev, "platform_device_add() failed: %d\n", ret); |
| 1393 | + platform_device_put(pdata->codec_device); |
| 1394 | + } |
| 1395 | |
| 1396 | ret = snd_soc_register_card(card); |
| 1397 | - if (ret) |
| 1398 | + if (ret) { |
| 1399 | dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret); |
| 1400 | + platform_device_del(pdata->codec_device); |
| 1401 | + platform_device_put(pdata->codec_device); |
| 1402 | + } |
| 1403 | |
| 1404 | platform_set_drvdata(op, pdata); |
| 1405 | - |
| 1406 | return ret; |
| 1407 | + |
| 1408 | } |
| 1409 | |
| 1410 | static int pcm030_fabric_remove(struct platform_device *op) |
| 1411 | diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c |
| 1412 | index 90acdf4d90ed6..4da6f66ea3a21 100644 |
| 1413 | --- a/sound/soc/soc-ops.c |
| 1414 | +++ b/sound/soc/soc-ops.c |
| 1415 | @@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, |
| 1416 | if (sign_bit) |
| 1417 | mask = BIT(sign_bit + 1) - 1; |
| 1418 | |
| 1419 | - val = ((ucontrol->value.integer.value[0] + min) & mask); |
| 1420 | + val = ucontrol->value.integer.value[0]; |
| 1421 | + if (mc->platform_max && val > mc->platform_max) |
| 1422 | + return -EINVAL; |
| 1423 | + if (val > max - min) |
| 1424 | + return -EINVAL; |
| 1425 | + if (val < 0) |
| 1426 | + return -EINVAL; |
| 1427 | + val = (val + min) & mask; |
| 1428 | if (invert) |
| 1429 | val = max - val; |
| 1430 | val_mask = mask << shift; |
| 1431 | val = val << shift; |
| 1432 | if (snd_soc_volsw_is_stereo(mc)) { |
| 1433 | - val2 = ((ucontrol->value.integer.value[1] + min) & mask); |
| 1434 | + val2 = ucontrol->value.integer.value[1]; |
| 1435 | + if (mc->platform_max && val2 > mc->platform_max) |
| 1436 | + return -EINVAL; |
| 1437 | + if (val2 > max - min) |
| 1438 | + return -EINVAL; |
| 1439 | + if (val2 < 0) |
| 1440 | + return -EINVAL; |
| 1441 | + val2 = (val2 + min) & mask; |
| 1442 | if (invert) |
| 1443 | val2 = max - val2; |
| 1444 | if (reg == reg2) { |
| 1445 | @@ -427,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol, |
| 1446 | int err = 0; |
| 1447 | unsigned int val, val_mask, val2 = 0; |
| 1448 | |
| 1449 | + val = ucontrol->value.integer.value[0]; |
| 1450 | + if (mc->platform_max && val > mc->platform_max) |
| 1451 | + return -EINVAL; |
| 1452 | + if (val > max - min) |
| 1453 | + return -EINVAL; |
| 1454 | + if (val < 0) |
| 1455 | + return -EINVAL; |
| 1456 | val_mask = mask << shift; |
| 1457 | - val = (ucontrol->value.integer.value[0] + min) & mask; |
| 1458 | + val = (val + min) & mask; |
| 1459 | val = val << shift; |
| 1460 | |
| 1461 | err = snd_soc_component_update_bits(component, reg, val_mask, val); |
| 1462 | @@ -894,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol, |
| 1463 | unsigned int i, regval, regmask; |
| 1464 | int err; |
| 1465 | |
| 1466 | + if (val < mc->min || val > mc->max) |
| 1467 | + return -EINVAL; |
| 1468 | if (invert) |
| 1469 | val = max - val; |
| 1470 | val &= mask; |