Annotation of /trunk/kernel-alx/patches-4.14/0140-4.14.41-all-fixes.patch
Parent Directory | Revision Log
Revision 3238 -
(hide annotations)
(download)
Fri Nov 9 12:14:58 2018 UTC (5 years, 10 months ago) by niro
File size: 74198 byte(s)
Fri Nov 9 12:14:58 2018 UTC (5 years, 10 months ago) by niro
File size: 74198 byte(s)
-added up to patches-4.14.79
1 | niro | 3238 | diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt |
2 | index f3d0d316d5f1..e4fe6adc372b 100644 | ||
3 | --- a/Documentation/arm64/silicon-errata.txt | ||
4 | +++ b/Documentation/arm64/silicon-errata.txt | ||
5 | @@ -55,6 +55,7 @@ stable kernels. | ||
6 | | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | | ||
7 | | ARM | Cortex-A72 | #853709 | N/A | | ||
8 | | ARM | Cortex-A73 | #858921 | ARM64_ERRATUM_858921 | | ||
9 | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | | ||
10 | | ARM | MMU-500 | #841119,#826419 | N/A | | ||
11 | | | | | | | ||
12 | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | | ||
13 | diff --git a/Makefile b/Makefile | ||
14 | index 6eede39f898a..c23d0b0c6c45 100644 | ||
15 | --- a/Makefile | ||
16 | +++ b/Makefile | ||
17 | @@ -1,7 +1,7 @@ | ||
18 | # SPDX-License-Identifier: GPL-2.0 | ||
19 | VERSION = 4 | ||
20 | PATCHLEVEL = 14 | ||
21 | -SUBLEVEL = 40 | ||
22 | +SUBLEVEL = 41 | ||
23 | EXTRAVERSION = | ||
24 | NAME = Petit Gorille | ||
25 | |||
26 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig | ||
27 | index c2abb4e88ff2..2d5f7aca156d 100644 | ||
28 | --- a/arch/arm64/Kconfig | ||
29 | +++ b/arch/arm64/Kconfig | ||
30 | @@ -443,6 +443,20 @@ config ARM64_ERRATUM_843419 | ||
31 | |||
32 | If unsure, say Y. | ||
33 | |||
34 | +config ARM64_ERRATUM_1024718 | ||
35 | + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" | ||
36 | + default y | ||
37 | + help | ||
38 | + This option adds work around for Arm Cortex-A55 Erratum 1024718. | ||
39 | + | ||
40 | + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect | ||
41 | + update of the hardware dirty bit when the DBM/AP bits are updated | ||
42 | + without a break-before-make. The work around is to disable the usage | ||
43 | + of hardware DBM locally on the affected cores. CPUs not affected by | ||
44 | + erratum will continue to use the feature. | ||
45 | + | ||
46 | + If unsure, say Y. | ||
47 | + | ||
48 | config CAVIUM_ERRATUM_22375 | ||
49 | bool "Cavium erratum 22375, 24313" | ||
50 | default y | ||
51 | diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h | ||
52 | index 463619dcadd4..25b2a4161c7a 100644 | ||
53 | --- a/arch/arm64/include/asm/assembler.h | ||
54 | +++ b/arch/arm64/include/asm/assembler.h | ||
55 | @@ -25,6 +25,7 @@ | ||
56 | |||
57 | #include <asm/asm-offsets.h> | ||
58 | #include <asm/cpufeature.h> | ||
59 | +#include <asm/cputype.h> | ||
60 | #include <asm/page.h> | ||
61 | #include <asm/pgtable-hwdef.h> | ||
62 | #include <asm/ptrace.h> | ||
63 | @@ -495,4 +496,43 @@ alternative_endif | ||
64 | and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) | ||
65 | .endm | ||
66 | |||
67 | +/* | ||
68 | + * Check the MIDR_EL1 of the current CPU for a given model and a range of | ||
69 | + * variant/revision. See asm/cputype.h for the macros used below. | ||
70 | + * | ||
71 | + * model: MIDR_CPU_MODEL of CPU | ||
72 | + * rv_min: Minimum of MIDR_CPU_VAR_REV() | ||
73 | + * rv_max: Maximum of MIDR_CPU_VAR_REV() | ||
74 | + * res: Result register. | ||
75 | + * tmp1, tmp2, tmp3: Temporary registers | ||
76 | + * | ||
77 | + * Corrupts: res, tmp1, tmp2, tmp3 | ||
78 | + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise | ||
79 | + */ | ||
80 | + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 | ||
81 | + mrs \res, midr_el1 | ||
82 | + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) | ||
83 | + mov_q \tmp2, MIDR_CPU_MODEL_MASK | ||
84 | + and \tmp3, \res, \tmp2 // Extract model | ||
85 | + and \tmp1, \res, \tmp1 // rev & variant | ||
86 | + mov_q \tmp2, \model | ||
87 | + cmp \tmp3, \tmp2 | ||
88 | + cset \res, eq | ||
89 | + cbz \res, .Ldone\@ // Model matches ? | ||
90 | + | ||
91 | + .if (\rv_min != 0) // Skip min check if rv_min == 0 | ||
92 | + mov_q \tmp3, \rv_min | ||
93 | + cmp \tmp1, \tmp3 | ||
94 | + cset \res, ge | ||
95 | + .endif // \rv_min != 0 | ||
96 | + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ | ||
97 | + .if ((\rv_min != \rv_max) || \rv_min == 0) | ||
98 | + mov_q \tmp2, \rv_max | ||
99 | + cmp \tmp1, \tmp2 | ||
100 | + cset \tmp2, le | ||
101 | + and \res, \res, \tmp2 | ||
102 | + .endif | ||
103 | +.Ldone\@: | ||
104 | + .endm | ||
105 | + | ||
106 | #endif /* __ASM_ASSEMBLER_H */ | ||
107 | diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h | ||
108 | index be7bd19c87ec..30da0918d046 100644 | ||
109 | --- a/arch/arm64/include/asm/cputype.h | ||
110 | +++ b/arch/arm64/include/asm/cputype.h | ||
111 | @@ -78,6 +78,7 @@ | ||
112 | |||
113 | #define ARM_CPU_PART_AEM_V8 0xD0F | ||
114 | #define ARM_CPU_PART_FOUNDATION 0xD00 | ||
115 | +#define ARM_CPU_PART_CORTEX_A55 0xD05 | ||
116 | #define ARM_CPU_PART_CORTEX_A57 0xD07 | ||
117 | #define ARM_CPU_PART_CORTEX_A72 0xD08 | ||
118 | #define ARM_CPU_PART_CORTEX_A53 0xD03 | ||
119 | @@ -98,6 +99,7 @@ | ||
120 | #define QCOM_CPU_PART_KRYO 0x200 | ||
121 | |||
122 | #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) | ||
123 | +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) | ||
124 | #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) | ||
125 | #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) | ||
126 | #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) | ||
127 | diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S | ||
128 | index 139320a7f7a2..e338165000e6 100644 | ||
129 | --- a/arch/arm64/mm/proc.S | ||
130 | +++ b/arch/arm64/mm/proc.S | ||
131 | @@ -438,6 +438,11 @@ ENTRY(__cpu_setup) | ||
132 | cbz x9, 2f | ||
133 | cmp x9, #2 | ||
134 | b.lt 1f | ||
135 | +#ifdef CONFIG_ARM64_ERRATUM_1024718 | ||
136 | + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ | ||
137 | + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 | ||
138 | + cbnz x1, 1f | ||
139 | +#endif | ||
140 | orr x10, x10, #TCR_HD // hardware Dirty flag update | ||
141 | 1: orr x10, x10, #TCR_HA // hardware Access flag update | ||
142 | 2: | ||
143 | diff --git a/arch/powerpc/kvm/book3s_64_mmu_radix.c b/arch/powerpc/kvm/book3s_64_mmu_radix.c | ||
144 | index c5d7435455f1..27a41695fcfd 100644 | ||
145 | --- a/arch/powerpc/kvm/book3s_64_mmu_radix.c | ||
146 | +++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c | ||
147 | @@ -19,6 +19,9 @@ | ||
148 | #include <asm/pgalloc.h> | ||
149 | #include <asm/pte-walk.h> | ||
150 | |||
151 | +static void mark_pages_dirty(struct kvm *kvm, struct kvm_memory_slot *memslot, | ||
152 | + unsigned long gfn, unsigned int order); | ||
153 | + | ||
154 | /* | ||
155 | * Supported radix tree geometry. | ||
156 | * Like p9, we support either 5 or 9 bits at the first (lowest) level, | ||
157 | @@ -195,6 +198,12 @@ static void kvmppc_pte_free(pte_t *ptep) | ||
158 | kmem_cache_free(kvm_pte_cache, ptep); | ||
159 | } | ||
160 | |||
161 | +/* Like pmd_huge() and pmd_large(), but works regardless of config options */ | ||
162 | +static inline int pmd_is_leaf(pmd_t pmd) | ||
163 | +{ | ||
164 | + return !!(pmd_val(pmd) & _PAGE_PTE); | ||
165 | +} | ||
166 | + | ||
167 | static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, | ||
168 | unsigned int level, unsigned long mmu_seq) | ||
169 | { | ||
170 | @@ -219,7 +228,7 @@ static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, | ||
171 | else | ||
172 | new_pmd = pmd_alloc_one(kvm->mm, gpa); | ||
173 | |||
174 | - if (level == 0 && !(pmd && pmd_present(*pmd))) | ||
175 | + if (level == 0 && !(pmd && pmd_present(*pmd) && !pmd_is_leaf(*pmd))) | ||
176 | new_ptep = kvmppc_pte_alloc(); | ||
177 | |||
178 | /* Check if we might have been invalidated; let the guest retry if so */ | ||
179 | @@ -244,12 +253,30 @@ static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, | ||
180 | new_pmd = NULL; | ||
181 | } | ||
182 | pmd = pmd_offset(pud, gpa); | ||
183 | - if (pmd_large(*pmd)) { | ||
184 | - /* Someone else has instantiated a large page here; retry */ | ||
185 | - ret = -EAGAIN; | ||
186 | - goto out_unlock; | ||
187 | - } | ||
188 | - if (level == 1 && !pmd_none(*pmd)) { | ||
189 | + if (pmd_is_leaf(*pmd)) { | ||
190 | + unsigned long lgpa = gpa & PMD_MASK; | ||
191 | + | ||
192 | + /* | ||
193 | + * If we raced with another CPU which has just put | ||
194 | + * a 2MB pte in after we saw a pte page, try again. | ||
195 | + */ | ||
196 | + if (level == 0 && !new_ptep) { | ||
197 | + ret = -EAGAIN; | ||
198 | + goto out_unlock; | ||
199 | + } | ||
200 | + /* Valid 2MB page here already, remove it */ | ||
201 | + old = kvmppc_radix_update_pte(kvm, pmdp_ptep(pmd), | ||
202 | + ~0UL, 0, lgpa, PMD_SHIFT); | ||
203 | + kvmppc_radix_tlbie_page(kvm, lgpa, PMD_SHIFT); | ||
204 | + if (old & _PAGE_DIRTY) { | ||
205 | + unsigned long gfn = lgpa >> PAGE_SHIFT; | ||
206 | + struct kvm_memory_slot *memslot; | ||
207 | + memslot = gfn_to_memslot(kvm, gfn); | ||
208 | + if (memslot) | ||
209 | + mark_pages_dirty(kvm, memslot, gfn, | ||
210 | + PMD_SHIFT - PAGE_SHIFT); | ||
211 | + } | ||
212 | + } else if (level == 1 && !pmd_none(*pmd)) { | ||
213 | /* | ||
214 | * There's a page table page here, but we wanted | ||
215 | * to install a large page. Tell the caller and let | ||
216 | @@ -412,28 +439,24 @@ int kvmppc_book3s_radix_page_fault(struct kvm_run *run, struct kvm_vcpu *vcpu, | ||
217 | } else { | ||
218 | page = pages[0]; | ||
219 | pfn = page_to_pfn(page); | ||
220 | - if (PageHuge(page)) { | ||
221 | - page = compound_head(page); | ||
222 | - pte_size <<= compound_order(page); | ||
223 | + if (PageCompound(page)) { | ||
224 | + pte_size <<= compound_order(compound_head(page)); | ||
225 | /* See if we can insert a 2MB large-page PTE here */ | ||
226 | if (pte_size >= PMD_SIZE && | ||
227 | - (gpa & PMD_MASK & PAGE_MASK) == | ||
228 | - (hva & PMD_MASK & PAGE_MASK)) { | ||
229 | + (gpa & (PMD_SIZE - PAGE_SIZE)) == | ||
230 | + (hva & (PMD_SIZE - PAGE_SIZE))) { | ||
231 | level = 1; | ||
232 | pfn &= ~((PMD_SIZE >> PAGE_SHIFT) - 1); | ||
233 | } | ||
234 | } | ||
235 | /* See if we can provide write access */ | ||
236 | if (writing) { | ||
237 | - /* | ||
238 | - * We assume gup_fast has set dirty on the host PTE. | ||
239 | - */ | ||
240 | pgflags |= _PAGE_WRITE; | ||
241 | } else { | ||
242 | local_irq_save(flags); | ||
243 | ptep = find_current_mm_pte(current->mm->pgd, | ||
244 | hva, NULL, NULL); | ||
245 | - if (ptep && pte_write(*ptep) && pte_dirty(*ptep)) | ||
246 | + if (ptep && pte_write(*ptep)) | ||
247 | pgflags |= _PAGE_WRITE; | ||
248 | local_irq_restore(flags); | ||
249 | } | ||
250 | @@ -459,18 +482,15 @@ int kvmppc_book3s_radix_page_fault(struct kvm_run *run, struct kvm_vcpu *vcpu, | ||
251 | pte = pfn_pte(pfn, __pgprot(pgflags)); | ||
252 | ret = kvmppc_create_pte(kvm, pte, gpa, level, mmu_seq); | ||
253 | } | ||
254 | - if (ret == 0 || ret == -EAGAIN) | ||
255 | - ret = RESUME_GUEST; | ||
256 | |||
257 | if (page) { | ||
258 | - /* | ||
259 | - * We drop pages[0] here, not page because page might | ||
260 | - * have been set to the head page of a compound, but | ||
261 | - * we have to drop the reference on the correct tail | ||
262 | - * page to match the get inside gup() | ||
263 | - */ | ||
264 | - put_page(pages[0]); | ||
265 | + if (!ret && (pgflags & _PAGE_WRITE)) | ||
266 | + set_page_dirty_lock(page); | ||
267 | + put_page(page); | ||
268 | } | ||
269 | + | ||
270 | + if (ret == 0 || ret == -EAGAIN) | ||
271 | + ret = RESUME_GUEST; | ||
272 | return ret; | ||
273 | } | ||
274 | |||
275 | @@ -676,7 +696,7 @@ void kvmppc_free_radix(struct kvm *kvm) | ||
276 | continue; | ||
277 | pmd = pmd_offset(pud, 0); | ||
278 | for (im = 0; im < PTRS_PER_PMD; ++im, ++pmd) { | ||
279 | - if (pmd_huge(*pmd)) { | ||
280 | + if (pmd_is_leaf(*pmd)) { | ||
281 | pmd_clear(pmd); | ||
282 | continue; | ||
283 | } | ||
284 | diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c | ||
285 | index e094dc90ff1b..377d1420bd02 100644 | ||
286 | --- a/arch/powerpc/kvm/book3s_hv.c | ||
287 | +++ b/arch/powerpc/kvm/book3s_hv.c | ||
288 | @@ -2847,7 +2847,7 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) | ||
289 | */ | ||
290 | trace_hardirqs_on(); | ||
291 | |||
292 | - guest_enter(); | ||
293 | + guest_enter_irqoff(); | ||
294 | |||
295 | srcu_idx = srcu_read_lock(&vc->kvm->srcu); | ||
296 | |||
297 | @@ -2855,8 +2855,6 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) | ||
298 | |||
299 | srcu_read_unlock(&vc->kvm->srcu, srcu_idx); | ||
300 | |||
301 | - guest_exit(); | ||
302 | - | ||
303 | trace_hardirqs_off(); | ||
304 | set_irq_happened(trap); | ||
305 | |||
306 | @@ -2890,6 +2888,7 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) | ||
307 | kvmppc_set_host_core(pcpu); | ||
308 | |||
309 | local_irq_enable(); | ||
310 | + guest_exit(); | ||
311 | |||
312 | /* Let secondaries go back to the offline loop */ | ||
313 | for (i = 0; i < controlled_threads; ++i) { | ||
314 | @@ -3619,15 +3618,17 @@ static int kvmppc_hv_setup_htab_rma(struct kvm_vcpu *vcpu) | ||
315 | goto up_out; | ||
316 | |||
317 | psize = vma_kernel_pagesize(vma); | ||
318 | - porder = __ilog2(psize); | ||
319 | |||
320 | up_read(¤t->mm->mmap_sem); | ||
321 | |||
322 | /* We can handle 4k, 64k or 16M pages in the VRMA */ | ||
323 | - err = -EINVAL; | ||
324 | - if (!(psize == 0x1000 || psize == 0x10000 || | ||
325 | - psize == 0x1000000)) | ||
326 | - goto out_srcu; | ||
327 | + if (psize >= 0x1000000) | ||
328 | + psize = 0x1000000; | ||
329 | + else if (psize >= 0x10000) | ||
330 | + psize = 0x10000; | ||
331 | + else | ||
332 | + psize = 0x1000; | ||
333 | + porder = __ilog2(psize); | ||
334 | |||
335 | senc = slb_pgsize_encoding(psize); | ||
336 | kvm->arch.vrma_slb_v = senc | SLB_VSID_B_1T | | ||
337 | diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
338 | index 2b3194b9608f..663a398449b7 100644 | ||
339 | --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
340 | +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
341 | @@ -308,7 +308,6 @@ kvm_novcpu_exit: | ||
342 | stw r12, STACK_SLOT_TRAP(r1) | ||
343 | bl kvmhv_commence_exit | ||
344 | nop | ||
345 | - lwz r12, STACK_SLOT_TRAP(r1) | ||
346 | b kvmhv_switch_to_host | ||
347 | |||
348 | /* | ||
349 | @@ -1136,6 +1135,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) | ||
350 | |||
351 | secondary_too_late: | ||
352 | li r12, 0 | ||
353 | + stw r12, STACK_SLOT_TRAP(r1) | ||
354 | cmpdi r4, 0 | ||
355 | beq 11f | ||
356 | stw r12, VCPU_TRAP(r4) | ||
357 | @@ -1445,12 +1445,12 @@ mc_cont: | ||
358 | 1: | ||
359 | #endif /* CONFIG_KVM_XICS */ | ||
360 | |||
361 | + stw r12, STACK_SLOT_TRAP(r1) | ||
362 | mr r3, r12 | ||
363 | /* Increment exit count, poke other threads to exit */ | ||
364 | bl kvmhv_commence_exit | ||
365 | nop | ||
366 | ld r9, HSTATE_KVM_VCPU(r13) | ||
367 | - lwz r12, VCPU_TRAP(r9) | ||
368 | |||
369 | /* Stop others sending VCPU interrupts to this physical CPU */ | ||
370 | li r0, -1 | ||
371 | @@ -1816,6 +1816,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_POWER9_DD1) | ||
372 | * POWER7/POWER8 guest -> host partition switch code. | ||
373 | * We don't have to lock against tlbies but we do | ||
374 | * have to coordinate the hardware threads. | ||
375 | + * Here STACK_SLOT_TRAP(r1) contains the trap number. | ||
376 | */ | ||
377 | kvmhv_switch_to_host: | ||
378 | /* Secondary threads wait for primary to do partition switch */ | ||
379 | @@ -1868,11 +1869,11 @@ BEGIN_FTR_SECTION | ||
380 | END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) | ||
381 | |||
382 | /* If HMI, call kvmppc_realmode_hmi_handler() */ | ||
383 | + lwz r12, STACK_SLOT_TRAP(r1) | ||
384 | cmpwi r12, BOOK3S_INTERRUPT_HMI | ||
385 | bne 27f | ||
386 | bl kvmppc_realmode_hmi_handler | ||
387 | nop | ||
388 | - li r12, BOOK3S_INTERRUPT_HMI | ||
389 | /* | ||
390 | * At this point kvmppc_realmode_hmi_handler would have resync-ed | ||
391 | * the TB. Hence it is not required to subtract guest timebase | ||
392 | @@ -1950,6 +1951,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX) | ||
393 | li r0, KVM_GUEST_MODE_NONE | ||
394 | stb r0, HSTATE_IN_GUEST(r13) | ||
395 | |||
396 | + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ | ||
397 | ld r0, SFS+PPC_LR_STKOFF(r1) | ||
398 | addi r1, r1, SFS | ||
399 | mtlr r0 | ||
400 | diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c | ||
401 | index 589af1eec7c1..011a47b4587c 100644 | ||
402 | --- a/arch/x86/events/core.c | ||
403 | +++ b/arch/x86/events/core.c | ||
404 | @@ -27,6 +27,7 @@ | ||
405 | #include <linux/cpu.h> | ||
406 | #include <linux/bitops.h> | ||
407 | #include <linux/device.h> | ||
408 | +#include <linux/nospec.h> | ||
409 | |||
410 | #include <asm/apic.h> | ||
411 | #include <asm/stacktrace.h> | ||
412 | @@ -304,17 +305,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) | ||
413 | |||
414 | config = attr->config; | ||
415 | |||
416 | - cache_type = (config >> 0) & 0xff; | ||
417 | + cache_type = (config >> 0) & 0xff; | ||
418 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) | ||
419 | return -EINVAL; | ||
420 | + cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); | ||
421 | |||
422 | cache_op = (config >> 8) & 0xff; | ||
423 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) | ||
424 | return -EINVAL; | ||
425 | + cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); | ||
426 | |||
427 | cache_result = (config >> 16) & 0xff; | ||
428 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) | ||
429 | return -EINVAL; | ||
430 | + cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); | ||
431 | |||
432 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; | ||
433 | |||
434 | @@ -421,6 +425,8 @@ int x86_setup_perfctr(struct perf_event *event) | ||
435 | if (attr->config >= x86_pmu.max_events) | ||
436 | return -EINVAL; | ||
437 | |||
438 | + attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events); | ||
439 | + | ||
440 | /* | ||
441 | * The generic map: | ||
442 | */ | ||
443 | diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c | ||
444 | index 72db0664a53d..357e82dc0e2a 100644 | ||
445 | --- a/arch/x86/events/intel/cstate.c | ||
446 | +++ b/arch/x86/events/intel/cstate.c | ||
447 | @@ -91,6 +91,7 @@ | ||
448 | #include <linux/module.h> | ||
449 | #include <linux/slab.h> | ||
450 | #include <linux/perf_event.h> | ||
451 | +#include <linux/nospec.h> | ||
452 | #include <asm/cpu_device_id.h> | ||
453 | #include <asm/intel-family.h> | ||
454 | #include "../perf_event.h" | ||
455 | @@ -301,6 +302,7 @@ static int cstate_pmu_event_init(struct perf_event *event) | ||
456 | } else if (event->pmu == &cstate_pkg_pmu) { | ||
457 | if (cfg >= PERF_CSTATE_PKG_EVENT_MAX) | ||
458 | return -EINVAL; | ||
459 | + cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX); | ||
460 | if (!pkg_msr[cfg].attr) | ||
461 | return -EINVAL; | ||
462 | event->hw.event_base = pkg_msr[cfg].msr; | ||
463 | diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c | ||
464 | index 14efaa0e8684..81dd57280441 100644 | ||
465 | --- a/arch/x86/events/msr.c | ||
466 | +++ b/arch/x86/events/msr.c | ||
467 | @@ -1,5 +1,6 @@ | ||
468 | // SPDX-License-Identifier: GPL-2.0 | ||
469 | #include <linux/perf_event.h> | ||
470 | +#include <linux/nospec.h> | ||
471 | #include <asm/intel-family.h> | ||
472 | |||
473 | enum perf_msr_id { | ||
474 | @@ -145,9 +146,6 @@ static int msr_event_init(struct perf_event *event) | ||
475 | if (event->attr.type != event->pmu->type) | ||
476 | return -ENOENT; | ||
477 | |||
478 | - if (cfg >= PERF_MSR_EVENT_MAX) | ||
479 | - return -EINVAL; | ||
480 | - | ||
481 | /* unsupported modes and filters */ | ||
482 | if (event->attr.exclude_user || | ||
483 | event->attr.exclude_kernel || | ||
484 | @@ -158,6 +156,11 @@ static int msr_event_init(struct perf_event *event) | ||
485 | event->attr.sample_period) /* no sampling */ | ||
486 | return -EINVAL; | ||
487 | |||
488 | + if (cfg >= PERF_MSR_EVENT_MAX) | ||
489 | + return -EINVAL; | ||
490 | + | ||
491 | + cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX); | ||
492 | + | ||
493 | if (!msr[cfg].attr) | ||
494 | return -EINVAL; | ||
495 | |||
496 | diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c | ||
497 | index 8cfdb6484fd0..ab8993fe58cc 100644 | ||
498 | --- a/arch/x86/kvm/lapic.c | ||
499 | +++ b/arch/x86/kvm/lapic.c | ||
500 | @@ -1418,23 +1418,6 @@ static void start_sw_tscdeadline(struct kvm_lapic *apic) | ||
501 | local_irq_restore(flags); | ||
502 | } | ||
503 | |||
504 | -static void start_sw_period(struct kvm_lapic *apic) | ||
505 | -{ | ||
506 | - if (!apic->lapic_timer.period) | ||
507 | - return; | ||
508 | - | ||
509 | - if (apic_lvtt_oneshot(apic) && | ||
510 | - ktime_after(ktime_get(), | ||
511 | - apic->lapic_timer.target_expiration)) { | ||
512 | - apic_timer_expired(apic); | ||
513 | - return; | ||
514 | - } | ||
515 | - | ||
516 | - hrtimer_start(&apic->lapic_timer.timer, | ||
517 | - apic->lapic_timer.target_expiration, | ||
518 | - HRTIMER_MODE_ABS_PINNED); | ||
519 | -} | ||
520 | - | ||
521 | static bool set_target_expiration(struct kvm_lapic *apic) | ||
522 | { | ||
523 | ktime_t now; | ||
524 | @@ -1491,6 +1474,26 @@ static void advance_periodic_target_expiration(struct kvm_lapic *apic) | ||
525 | apic->lapic_timer.period); | ||
526 | } | ||
527 | |||
528 | +static void start_sw_period(struct kvm_lapic *apic) | ||
529 | +{ | ||
530 | + if (!apic->lapic_timer.period) | ||
531 | + return; | ||
532 | + | ||
533 | + if (ktime_after(ktime_get(), | ||
534 | + apic->lapic_timer.target_expiration)) { | ||
535 | + apic_timer_expired(apic); | ||
536 | + | ||
537 | + if (apic_lvtt_oneshot(apic)) | ||
538 | + return; | ||
539 | + | ||
540 | + advance_periodic_target_expiration(apic); | ||
541 | + } | ||
542 | + | ||
543 | + hrtimer_start(&apic->lapic_timer.timer, | ||
544 | + apic->lapic_timer.target_expiration, | ||
545 | + HRTIMER_MODE_ABS_PINNED); | ||
546 | +} | ||
547 | + | ||
548 | bool kvm_lapic_hv_timer_in_use(struct kvm_vcpu *vcpu) | ||
549 | { | ||
550 | if (!lapic_in_kernel(vcpu)) | ||
551 | diff --git a/crypto/af_alg.c b/crypto/af_alg.c | ||
552 | index 4e4640bb82b9..815ee1075574 100644 | ||
553 | --- a/crypto/af_alg.c | ||
554 | +++ b/crypto/af_alg.c | ||
555 | @@ -158,16 +158,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | ||
556 | void *private; | ||
557 | int err; | ||
558 | |||
559 | - /* If caller uses non-allowed flag, return error. */ | ||
560 | - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
561 | - return -EINVAL; | ||
562 | - | ||
563 | if (sock->state == SS_CONNECTED) | ||
564 | return -EINVAL; | ||
565 | |||
566 | if (addr_len < sizeof(*sa)) | ||
567 | return -EINVAL; | ||
568 | |||
569 | + /* If caller uses non-allowed flag, return error. */ | ||
570 | + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
571 | + return -EINVAL; | ||
572 | + | ||
573 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; | ||
574 | sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0; | ||
575 | |||
576 | diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c | ||
577 | index c6fe2974b336..473f150d6b22 100644 | ||
578 | --- a/drivers/ata/libata-core.c | ||
579 | +++ b/drivers/ata/libata-core.c | ||
580 | @@ -4539,6 +4539,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { | ||
581 | ATA_HORKAGE_ZERO_AFTER_TRIM | | ||
582 | ATA_HORKAGE_NOLPM, }, | ||
583 | |||
584 | + /* Sandisk devices which are known to not handle LPM well */ | ||
585 | + { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, | ||
586 | + | ||
587 | /* devices that don't properly handle queued TRIM commands */ | ||
588 | { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | | ||
589 | ATA_HORKAGE_ZERO_AFTER_TRIM, }, | ||
590 | diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c | ||
591 | index 1ef67db03c8e..9c9a22958717 100644 | ||
592 | --- a/drivers/atm/zatm.c | ||
593 | +++ b/drivers/atm/zatm.c | ||
594 | @@ -28,6 +28,7 @@ | ||
595 | #include <asm/io.h> | ||
596 | #include <linux/atomic.h> | ||
597 | #include <linux/uaccess.h> | ||
598 | +#include <linux/nospec.h> | ||
599 | |||
600 | #include "uPD98401.h" | ||
601 | #include "uPD98402.h" | ||
602 | @@ -1458,6 +1459,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) | ||
603 | return -EFAULT; | ||
604 | if (pool < 0 || pool > ZATM_LAST_POOL) | ||
605 | return -EINVAL; | ||
606 | + pool = array_index_nospec(pool, | ||
607 | + ZATM_LAST_POOL + 1); | ||
608 | spin_lock_irqsave(&zatm_dev->lock, flags); | ||
609 | info = zatm_dev->pool_info[pool]; | ||
610 | if (cmd == ZATM_GETPOOLZ) { | ||
611 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c | ||
612 | index e9dff868c028..7fcc4d7f4909 100644 | ||
613 | --- a/drivers/bluetooth/btusb.c | ||
614 | +++ b/drivers/bluetooth/btusb.c | ||
615 | @@ -235,6 +235,7 @@ static const struct usb_device_id blacklist_table[] = { | ||
616 | { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, | ||
617 | { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, | ||
618 | { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, | ||
619 | + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, | ||
620 | { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, | ||
621 | { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, | ||
622 | { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, | ||
623 | @@ -267,7 +268,6 @@ static const struct usb_device_id blacklist_table[] = { | ||
624 | { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, | ||
625 | |||
626 | /* QCA ROME chipset */ | ||
627 | - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, | ||
628 | { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, | ||
629 | { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, | ||
630 | { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, | ||
631 | @@ -395,6 +395,13 @@ static const struct dmi_system_id btusb_needs_reset_resume_table[] = { | ||
632 | DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 3060"), | ||
633 | }, | ||
634 | }, | ||
635 | + { | ||
636 | + /* Dell XPS 9360 (QCA ROME device 0cf3:e300) */ | ||
637 | + .matches = { | ||
638 | + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), | ||
639 | + DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9360"), | ||
640 | + }, | ||
641 | + }, | ||
642 | {} | ||
643 | }; | ||
644 | |||
645 | @@ -2895,6 +2902,12 @@ static int btusb_config_oob_wake(struct hci_dev *hdev) | ||
646 | } | ||
647 | #endif | ||
648 | |||
649 | +static void btusb_check_needs_reset_resume(struct usb_interface *intf) | ||
650 | +{ | ||
651 | + if (dmi_check_system(btusb_needs_reset_resume_table)) | ||
652 | + interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME; | ||
653 | +} | ||
654 | + | ||
655 | static int btusb_probe(struct usb_interface *intf, | ||
656 | const struct usb_device_id *id) | ||
657 | { | ||
658 | @@ -3030,9 +3043,6 @@ static int btusb_probe(struct usb_interface *intf, | ||
659 | hdev->send = btusb_send_frame; | ||
660 | hdev->notify = btusb_notify; | ||
661 | |||
662 | - if (dmi_check_system(btusb_needs_reset_resume_table)) | ||
663 | - interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME; | ||
664 | - | ||
665 | #ifdef CONFIG_PM | ||
666 | err = btusb_config_oob_wake(hdev); | ||
667 | if (err) | ||
668 | @@ -3119,6 +3129,7 @@ static int btusb_probe(struct usb_interface *intf, | ||
669 | if (id->driver_info & BTUSB_QCA_ROME) { | ||
670 | data->setup_on_usb = btusb_setup_qca; | ||
671 | hdev->set_bdaddr = btusb_set_bdaddr_ath3012; | ||
672 | + btusb_check_needs_reset_resume(intf); | ||
673 | } | ||
674 | |||
675 | #ifdef CONFIG_BT_HCIBTUSB_RTL | ||
676 | diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c | ||
677 | index bfc53995064a..f03fe916eb9d 100644 | ||
678 | --- a/drivers/gpio/gpio-aspeed.c | ||
679 | +++ b/drivers/gpio/gpio-aspeed.c | ||
680 | @@ -375,7 +375,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) | ||
681 | if (set) | ||
682 | reg |= bit; | ||
683 | else | ||
684 | - reg &= bit; | ||
685 | + reg &= ~bit; | ||
686 | iowrite32(reg, addr); | ||
687 | |||
688 | spin_unlock_irqrestore(&gpio->lock, flags); | ||
689 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c | ||
690 | index b4c8b25453a6..68ea6e712bf9 100644 | ||
691 | --- a/drivers/gpio/gpiolib.c | ||
692 | +++ b/drivers/gpio/gpiolib.c | ||
693 | @@ -443,7 +443,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
694 | struct gpiohandle_request handlereq; | ||
695 | struct linehandle_state *lh; | ||
696 | struct file *file; | ||
697 | - int fd, i, ret; | ||
698 | + int fd, i, count = 0, ret; | ||
699 | |||
700 | if (copy_from_user(&handlereq, ip, sizeof(handlereq))) | ||
701 | return -EFAULT; | ||
702 | @@ -489,6 +489,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
703 | if (ret) | ||
704 | goto out_free_descs; | ||
705 | lh->descs[i] = desc; | ||
706 | + count = i; | ||
707 | |||
708 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) | ||
709 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); | ||
710 | @@ -555,7 +556,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
711 | out_put_unused_fd: | ||
712 | put_unused_fd(fd); | ||
713 | out_free_descs: | ||
714 | - for (; i >= 0; i--) | ||
715 | + for (i = 0; i < count; i++) | ||
716 | gpiod_free(lh->descs[i]); | ||
717 | kfree(lh->label); | ||
718 | out_free_lh: | ||
719 | @@ -812,7 +813,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) | ||
720 | desc = &gdev->descs[offset]; | ||
721 | ret = gpiod_request(desc, le->label); | ||
722 | if (ret) | ||
723 | - goto out_free_desc; | ||
724 | + goto out_free_label; | ||
725 | le->desc = desc; | ||
726 | le->eflags = eflags; | ||
727 | |||
728 | diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c | ||
729 | index 2fd383d7253a..0d8a417e2cd6 100644 | ||
730 | --- a/drivers/gpu/drm/drm_atomic.c | ||
731 | +++ b/drivers/gpu/drm/drm_atomic.c | ||
732 | @@ -151,6 +151,8 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) | ||
733 | state->connectors[i].state); | ||
734 | state->connectors[i].ptr = NULL; | ||
735 | state->connectors[i].state = NULL; | ||
736 | + state->connectors[i].old_state = NULL; | ||
737 | + state->connectors[i].new_state = NULL; | ||
738 | drm_connector_put(connector); | ||
739 | } | ||
740 | |||
741 | @@ -172,6 +174,8 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) | ||
742 | state->crtcs[i].commit = NULL; | ||
743 | state->crtcs[i].ptr = NULL; | ||
744 | state->crtcs[i].state = NULL; | ||
745 | + state->crtcs[i].old_state = NULL; | ||
746 | + state->crtcs[i].new_state = NULL; | ||
747 | } | ||
748 | |||
749 | for (i = 0; i < config->num_total_plane; i++) { | ||
750 | @@ -184,6 +188,8 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) | ||
751 | state->planes[i].state); | ||
752 | state->planes[i].ptr = NULL; | ||
753 | state->planes[i].state = NULL; | ||
754 | + state->planes[i].old_state = NULL; | ||
755 | + state->planes[i].new_state = NULL; | ||
756 | } | ||
757 | |||
758 | for (i = 0; i < state->num_private_objs; i++) { | ||
759 | @@ -196,6 +202,8 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) | ||
760 | state->private_objs[i].state); | ||
761 | state->private_objs[i].ptr = NULL; | ||
762 | state->private_objs[i].state = NULL; | ||
763 | + state->private_objs[i].old_state = NULL; | ||
764 | + state->private_objs[i].new_state = NULL; | ||
765 | } | ||
766 | state->num_private_objs = 0; | ||
767 | |||
768 | diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c | ||
769 | index 8e215777c7f4..240308f1b6dd 100644 | ||
770 | --- a/drivers/gpu/drm/i915/intel_lvds.c | ||
771 | +++ b/drivers/gpu/drm/i915/intel_lvds.c | ||
772 | @@ -317,7 +317,8 @@ static void intel_enable_lvds(struct intel_encoder *encoder, | ||
773 | |||
774 | I915_WRITE(PP_CONTROL(0), I915_READ(PP_CONTROL(0)) | PANEL_POWER_ON); | ||
775 | POSTING_READ(lvds_encoder->reg); | ||
776 | - if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 1000)) | ||
777 | + | ||
778 | + if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 5000)) | ||
779 | DRM_ERROR("timed out waiting for panel to power on\n"); | ||
780 | |||
781 | intel_panel_enable_backlight(pipe_config, conn_state); | ||
782 | diff --git a/drivers/gpu/drm/nouveau/nv50_display.c b/drivers/gpu/drm/nouveau/nv50_display.c | ||
783 | index 6e196bc01118..a29474528e85 100644 | ||
784 | --- a/drivers/gpu/drm/nouveau/nv50_display.c | ||
785 | +++ b/drivers/gpu/drm/nouveau/nv50_display.c | ||
786 | @@ -3216,10 +3216,11 @@ nv50_mstm_destroy_connector(struct drm_dp_mst_topology_mgr *mgr, | ||
787 | |||
788 | drm_connector_unregister(&mstc->connector); | ||
789 | |||
790 | - drm_modeset_lock_all(drm->dev); | ||
791 | drm_fb_helper_remove_one_connector(&drm->fbcon->helper, &mstc->connector); | ||
792 | + | ||
793 | + drm_modeset_lock(&drm->dev->mode_config.connection_mutex, NULL); | ||
794 | mstc->port = NULL; | ||
795 | - drm_modeset_unlock_all(drm->dev); | ||
796 | + drm_modeset_unlock(&drm->dev->mode_config.connection_mutex); | ||
797 | |||
798 | drm_connector_unreference(&mstc->connector); | ||
799 | } | ||
800 | @@ -3229,9 +3230,7 @@ nv50_mstm_register_connector(struct drm_connector *connector) | ||
801 | { | ||
802 | struct nouveau_drm *drm = nouveau_drm(connector->dev); | ||
803 | |||
804 | - drm_modeset_lock_all(drm->dev); | ||
805 | drm_fb_helper_add_one_connector(&drm->fbcon->helper, connector); | ||
806 | - drm_modeset_unlock_all(drm->dev); | ||
807 | |||
808 | drm_connector_register(connector); | ||
809 | } | ||
810 | diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c | ||
811 | index 2968b3ebb895..77c56264c05b 100644 | ||
812 | --- a/drivers/gpu/drm/vc4/vc4_plane.c | ||
813 | +++ b/drivers/gpu/drm/vc4/vc4_plane.c | ||
814 | @@ -535,7 +535,7 @@ static int vc4_plane_mode_set(struct drm_plane *plane, | ||
815 | * the scl fields here. | ||
816 | */ | ||
817 | if (num_planes == 1) { | ||
818 | - scl0 = vc4_get_scl_field(state, 1); | ||
819 | + scl0 = vc4_get_scl_field(state, 0); | ||
820 | scl1 = scl0; | ||
821 | } else { | ||
822 | scl0 = vc4_get_scl_field(state, 1); | ||
823 | diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c | ||
824 | index 3cc2052f972c..cbc56372ff97 100644 | ||
825 | --- a/drivers/md/dm-integrity.c | ||
826 | +++ b/drivers/md/dm-integrity.c | ||
827 | @@ -2439,7 +2439,7 @@ static void dm_integrity_free_journal_scatterlist(struct dm_integrity_c *ic, str | ||
828 | unsigned i; | ||
829 | for (i = 0; i < ic->journal_sections; i++) | ||
830 | kvfree(sl[i]); | ||
831 | - kfree(sl); | ||
832 | + kvfree(sl); | ||
833 | } | ||
834 | |||
835 | static struct scatterlist **dm_integrity_alloc_journal_scatterlist(struct dm_integrity_c *ic, struct page_list *pl) | ||
836 | diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c | ||
837 | index 5590c559a8ca..53e320c92a8b 100644 | ||
838 | --- a/drivers/net/can/spi/hi311x.c | ||
839 | +++ b/drivers/net/can/spi/hi311x.c | ||
840 | @@ -91,6 +91,7 @@ | ||
841 | #define HI3110_STAT_BUSOFF BIT(2) | ||
842 | #define HI3110_STAT_ERRP BIT(3) | ||
843 | #define HI3110_STAT_ERRW BIT(4) | ||
844 | +#define HI3110_STAT_TXMTY BIT(7) | ||
845 | |||
846 | #define HI3110_BTR0_SJW_SHIFT 6 | ||
847 | #define HI3110_BTR0_BRP_SHIFT 0 | ||
848 | @@ -427,8 +428,10 @@ static int hi3110_get_berr_counter(const struct net_device *net, | ||
849 | struct hi3110_priv *priv = netdev_priv(net); | ||
850 | struct spi_device *spi = priv->spi; | ||
851 | |||
852 | + mutex_lock(&priv->hi3110_lock); | ||
853 | bec->txerr = hi3110_read(spi, HI3110_READ_TEC); | ||
854 | bec->rxerr = hi3110_read(spi, HI3110_READ_REC); | ||
855 | + mutex_unlock(&priv->hi3110_lock); | ||
856 | |||
857 | return 0; | ||
858 | } | ||
859 | @@ -735,10 +738,7 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) | ||
860 | } | ||
861 | } | ||
862 | |||
863 | - if (intf == 0) | ||
864 | - break; | ||
865 | - | ||
866 | - if (intf & HI3110_INT_TXCPLT) { | ||
867 | + if (priv->tx_len && statf & HI3110_STAT_TXMTY) { | ||
868 | net->stats.tx_packets++; | ||
869 | net->stats.tx_bytes += priv->tx_len - 1; | ||
870 | can_led_event(net, CAN_LED_EVENT_TX); | ||
871 | @@ -748,6 +748,9 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) | ||
872 | } | ||
873 | netif_wake_queue(net); | ||
874 | } | ||
875 | + | ||
876 | + if (intf == 0) | ||
877 | + break; | ||
878 | } | ||
879 | mutex_unlock(&priv->hi3110_lock); | ||
880 | return IRQ_HANDLED; | ||
881 | diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c | ||
882 | index 63587b8e6825..daed57d3d209 100644 | ||
883 | --- a/drivers/net/can/usb/kvaser_usb.c | ||
884 | +++ b/drivers/net/can/usb/kvaser_usb.c | ||
885 | @@ -1179,7 +1179,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev, | ||
886 | |||
887 | skb = alloc_can_skb(priv->netdev, &cf); | ||
888 | if (!skb) { | ||
889 | - stats->tx_dropped++; | ||
890 | + stats->rx_dropped++; | ||
891 | return; | ||
892 | } | ||
893 | |||
894 | diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h | ||
895 | index 044af553204c..7ef0a8e1c3e8 100644 | ||
896 | --- a/drivers/nvme/host/nvme.h | ||
897 | +++ b/drivers/nvme/host/nvme.h | ||
898 | @@ -80,6 +80,11 @@ enum nvme_quirks { | ||
899 | * Supports the LighNVM command set if indicated in vs[1]. | ||
900 | */ | ||
901 | NVME_QUIRK_LIGHTNVM = (1 << 6), | ||
902 | + | ||
903 | + /* | ||
904 | + * Set MEDIUM priority on SQ creation | ||
905 | + */ | ||
906 | + NVME_QUIRK_MEDIUM_PRIO_SQ = (1 << 7), | ||
907 | }; | ||
908 | |||
909 | /* | ||
910 | diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c | ||
911 | index cdd2fd509ddc..eab17405e815 100644 | ||
912 | --- a/drivers/nvme/host/pci.c | ||
913 | +++ b/drivers/nvme/host/pci.c | ||
914 | @@ -947,9 +947,18 @@ static int adapter_alloc_cq(struct nvme_dev *dev, u16 qid, | ||
915 | static int adapter_alloc_sq(struct nvme_dev *dev, u16 qid, | ||
916 | struct nvme_queue *nvmeq) | ||
917 | { | ||
918 | + struct nvme_ctrl *ctrl = &dev->ctrl; | ||
919 | struct nvme_command c; | ||
920 | int flags = NVME_QUEUE_PHYS_CONTIG; | ||
921 | |||
922 | + /* | ||
923 | + * Some drives have a bug that auto-enables WRRU if MEDIUM isn't | ||
924 | + * set. Since URGENT priority is zeroes, it makes all queues | ||
925 | + * URGENT. | ||
926 | + */ | ||
927 | + if (ctrl->quirks & NVME_QUIRK_MEDIUM_PRIO_SQ) | ||
928 | + flags |= NVME_SQ_PRIO_MEDIUM; | ||
929 | + | ||
930 | /* | ||
931 | * Note: we (ab)use the fact the the prp fields survive if no data | ||
932 | * is attached to the request. | ||
933 | @@ -2523,7 +2532,8 @@ static const struct pci_device_id nvme_id_table[] = { | ||
934 | .driver_data = NVME_QUIRK_STRIPE_SIZE | | ||
935 | NVME_QUIRK_DEALLOCATE_ZEROES, }, | ||
936 | { PCI_VDEVICE(INTEL, 0xf1a5), /* Intel 600P/P3100 */ | ||
937 | - .driver_data = NVME_QUIRK_NO_DEEPEST_PS }, | ||
938 | + .driver_data = NVME_QUIRK_NO_DEEPEST_PS | | ||
939 | + NVME_QUIRK_MEDIUM_PRIO_SQ }, | ||
940 | { PCI_VDEVICE(INTEL, 0x5845), /* Qemu emulated controller */ | ||
941 | .driver_data = NVME_QUIRK_IDENTIFY_CNS, }, | ||
942 | { PCI_DEVICE(0x1c58, 0x0003), /* HGST adapter */ | ||
943 | diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c | ||
944 | index 74f1c57ab93b..62a0677b32f1 100644 | ||
945 | --- a/drivers/pci/pci.c | ||
946 | +++ b/drivers/pci/pci.c | ||
947 | @@ -1892,7 +1892,7 @@ void pci_pme_active(struct pci_dev *dev, bool enable) | ||
948 | EXPORT_SYMBOL(pci_pme_active); | ||
949 | |||
950 | /** | ||
951 | - * pci_enable_wake - enable PCI device as wakeup event source | ||
952 | + * __pci_enable_wake - enable PCI device as wakeup event source | ||
953 | * @dev: PCI device affected | ||
954 | * @state: PCI state from which device will issue wakeup events | ||
955 | * @enable: True to enable event generation; false to disable | ||
956 | @@ -1910,7 +1910,7 @@ EXPORT_SYMBOL(pci_pme_active); | ||
957 | * Error code depending on the platform is returned if both the platform and | ||
958 | * the native mechanism fail to enable the generation of wake-up events | ||
959 | */ | ||
960 | -int pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable) | ||
961 | +static int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable) | ||
962 | { | ||
963 | int ret = 0; | ||
964 | |||
965 | @@ -1951,6 +1951,23 @@ int pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable) | ||
966 | |||
967 | return ret; | ||
968 | } | ||
969 | + | ||
970 | +/** | ||
971 | + * pci_enable_wake - change wakeup settings for a PCI device | ||
972 | + * @pci_dev: Target device | ||
973 | + * @state: PCI state from which device will issue wakeup events | ||
974 | + * @enable: Whether or not to enable event generation | ||
975 | + * | ||
976 | + * If @enable is set, check device_may_wakeup() for the device before calling | ||
977 | + * __pci_enable_wake() for it. | ||
978 | + */ | ||
979 | +int pci_enable_wake(struct pci_dev *pci_dev, pci_power_t state, bool enable) | ||
980 | +{ | ||
981 | + if (enable && !device_may_wakeup(&pci_dev->dev)) | ||
982 | + return -EINVAL; | ||
983 | + | ||
984 | + return __pci_enable_wake(pci_dev, state, enable); | ||
985 | +} | ||
986 | EXPORT_SYMBOL(pci_enable_wake); | ||
987 | |||
988 | /** | ||
989 | @@ -1963,9 +1980,9 @@ EXPORT_SYMBOL(pci_enable_wake); | ||
990 | * should not be called twice in a row to enable wake-up due to PCI PM vs ACPI | ||
991 | * ordering constraints. | ||
992 | * | ||
993 | - * This function only returns error code if the device is not capable of | ||
994 | - * generating PME# from both D3_hot and D3_cold, and the platform is unable to | ||
995 | - * enable wake-up power for it. | ||
996 | + * This function only returns error code if the device is not allowed to wake | ||
997 | + * up the system from sleep or it is not capable of generating PME# from both | ||
998 | + * D3_hot and D3_cold and the platform is unable to enable wake-up power for it. | ||
999 | */ | ||
1000 | int pci_wake_from_d3(struct pci_dev *dev, bool enable) | ||
1001 | { | ||
1002 | @@ -2096,7 +2113,7 @@ int pci_finish_runtime_suspend(struct pci_dev *dev) | ||
1003 | |||
1004 | dev->runtime_d3cold = target_state == PCI_D3cold; | ||
1005 | |||
1006 | - pci_enable_wake(dev, target_state, pci_dev_run_wake(dev)); | ||
1007 | + __pci_enable_wake(dev, target_state, pci_dev_run_wake(dev)); | ||
1008 | |||
1009 | error = pci_set_power_state(dev, target_state); | ||
1010 | |||
1011 | @@ -2120,16 +2137,16 @@ bool pci_dev_run_wake(struct pci_dev *dev) | ||
1012 | { | ||
1013 | struct pci_bus *bus = dev->bus; | ||
1014 | |||
1015 | - if (device_can_wakeup(&dev->dev)) | ||
1016 | - return true; | ||
1017 | - | ||
1018 | if (!dev->pme_support) | ||
1019 | return false; | ||
1020 | |||
1021 | /* PME-capable in principle, but not from the target power state */ | ||
1022 | - if (!pci_pme_capable(dev, pci_target_state(dev, false))) | ||
1023 | + if (!pci_pme_capable(dev, pci_target_state(dev, true))) | ||
1024 | return false; | ||
1025 | |||
1026 | + if (device_can_wakeup(&dev->dev)) | ||
1027 | + return true; | ||
1028 | + | ||
1029 | while (bus->parent) { | ||
1030 | struct pci_dev *bridge = bus->self; | ||
1031 | |||
1032 | diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c | ||
1033 | index ed805c7c5ace..ac83f721db24 100644 | ||
1034 | --- a/drivers/thermal/samsung/exynos_tmu.c | ||
1035 | +++ b/drivers/thermal/samsung/exynos_tmu.c | ||
1036 | @@ -185,6 +185,7 @@ | ||
1037 | * @regulator: pointer to the TMU regulator structure. | ||
1038 | * @reg_conf: pointer to structure to register with core thermal. | ||
1039 | * @ntrip: number of supported trip points. | ||
1040 | + * @enabled: current status of TMU device | ||
1041 | * @tmu_initialize: SoC specific TMU initialization method | ||
1042 | * @tmu_control: SoC specific TMU control method | ||
1043 | * @tmu_read: SoC specific TMU temperature read method | ||
1044 | @@ -205,6 +206,7 @@ struct exynos_tmu_data { | ||
1045 | struct regulator *regulator; | ||
1046 | struct thermal_zone_device *tzd; | ||
1047 | unsigned int ntrip; | ||
1048 | + bool enabled; | ||
1049 | |||
1050 | int (*tmu_initialize)(struct platform_device *pdev); | ||
1051 | void (*tmu_control)(struct platform_device *pdev, bool on); | ||
1052 | @@ -398,6 +400,7 @@ static void exynos_tmu_control(struct platform_device *pdev, bool on) | ||
1053 | mutex_lock(&data->lock); | ||
1054 | clk_enable(data->clk); | ||
1055 | data->tmu_control(pdev, on); | ||
1056 | + data->enabled = on; | ||
1057 | clk_disable(data->clk); | ||
1058 | mutex_unlock(&data->lock); | ||
1059 | } | ||
1060 | @@ -889,19 +892,24 @@ static void exynos7_tmu_control(struct platform_device *pdev, bool on) | ||
1061 | static int exynos_get_temp(void *p, int *temp) | ||
1062 | { | ||
1063 | struct exynos_tmu_data *data = p; | ||
1064 | + int value, ret = 0; | ||
1065 | |||
1066 | - if (!data || !data->tmu_read) | ||
1067 | + if (!data || !data->tmu_read || !data->enabled) | ||
1068 | return -EINVAL; | ||
1069 | |||
1070 | mutex_lock(&data->lock); | ||
1071 | clk_enable(data->clk); | ||
1072 | |||
1073 | - *temp = code_to_temp(data, data->tmu_read(data)) * MCELSIUS; | ||
1074 | + value = data->tmu_read(data); | ||
1075 | + if (value < 0) | ||
1076 | + ret = value; | ||
1077 | + else | ||
1078 | + *temp = code_to_temp(data, value) * MCELSIUS; | ||
1079 | |||
1080 | clk_disable(data->clk); | ||
1081 | mutex_unlock(&data->lock); | ||
1082 | |||
1083 | - return 0; | ||
1084 | + return ret; | ||
1085 | } | ||
1086 | |||
1087 | #ifdef CONFIG_THERMAL_EMULATION | ||
1088 | diff --git a/fs/ceph/file.c b/fs/ceph/file.c | ||
1089 | index 0024d3e61bcd..6d653235e323 100644 | ||
1090 | --- a/fs/ceph/file.c | ||
1091 | +++ b/fs/ceph/file.c | ||
1092 | @@ -873,6 +873,11 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, | ||
1093 | size_t start = 0; | ||
1094 | ssize_t len; | ||
1095 | |||
1096 | + if (write) | ||
1097 | + size = min_t(u64, size, fsc->mount_options->wsize); | ||
1098 | + else | ||
1099 | + size = min_t(u64, size, fsc->mount_options->rsize); | ||
1100 | + | ||
1101 | vino = ceph_vino(inode); | ||
1102 | req = ceph_osdc_new_request(&fsc->client->osdc, &ci->i_layout, | ||
1103 | vino, pos, &size, 0, | ||
1104 | @@ -888,11 +893,6 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, | ||
1105 | break; | ||
1106 | } | ||
1107 | |||
1108 | - if (write) | ||
1109 | - size = min_t(u64, size, fsc->mount_options->wsize); | ||
1110 | - else | ||
1111 | - size = min_t(u64, size, fsc->mount_options->rsize); | ||
1112 | - | ||
1113 | len = size; | ||
1114 | pages = dio_get_pages_alloc(iter, len, &start, &num_pages); | ||
1115 | if (IS_ERR(pages)) { | ||
1116 | diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c | ||
1117 | index dbcd2e066066..490c5fc9e69c 100644 | ||
1118 | --- a/fs/cifs/cifsfs.c | ||
1119 | +++ b/fs/cifs/cifsfs.c | ||
1120 | @@ -1045,6 +1045,18 @@ ssize_t cifs_file_copychunk_range(unsigned int xid, | ||
1121 | return rc; | ||
1122 | } | ||
1123 | |||
1124 | +/* | ||
1125 | + * Directory operations under CIFS/SMB2/SMB3 are synchronous, so fsync() | ||
1126 | + * is a dummy operation. | ||
1127 | + */ | ||
1128 | +static int cifs_dir_fsync(struct file *file, loff_t start, loff_t end, int datasync) | ||
1129 | +{ | ||
1130 | + cifs_dbg(FYI, "Sync directory - name: %pD datasync: 0x%x\n", | ||
1131 | + file, datasync); | ||
1132 | + | ||
1133 | + return 0; | ||
1134 | +} | ||
1135 | + | ||
1136 | static ssize_t cifs_copy_file_range(struct file *src_file, loff_t off, | ||
1137 | struct file *dst_file, loff_t destoff, | ||
1138 | size_t len, unsigned int flags) | ||
1139 | @@ -1173,6 +1185,7 @@ const struct file_operations cifs_dir_ops = { | ||
1140 | .copy_file_range = cifs_copy_file_range, | ||
1141 | .clone_file_range = cifs_clone_file_range, | ||
1142 | .llseek = generic_file_llseek, | ||
1143 | + .fsync = cifs_dir_fsync, | ||
1144 | }; | ||
1145 | |||
1146 | static void | ||
1147 | diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c | ||
1148 | index 8a7ef9378bf6..3244932f4d5c 100644 | ||
1149 | --- a/fs/fs-writeback.c | ||
1150 | +++ b/fs/fs-writeback.c | ||
1151 | @@ -1940,7 +1940,7 @@ void wb_workfn(struct work_struct *work) | ||
1152 | } | ||
1153 | |||
1154 | if (!list_empty(&wb->work_list)) | ||
1155 | - mod_delayed_work(bdi_wq, &wb->dwork, 0); | ||
1156 | + wb_wakeup(wb); | ||
1157 | else if (wb_has_dirty_io(wb) && dirty_writeback_interval) | ||
1158 | wb_wakeup_delayed(wb); | ||
1159 | |||
1160 | diff --git a/include/linux/oom.h b/include/linux/oom.h | ||
1161 | index 5bad038ac012..6adac113e96d 100644 | ||
1162 | --- a/include/linux/oom.h | ||
1163 | +++ b/include/linux/oom.h | ||
1164 | @@ -95,6 +95,8 @@ static inline int check_stable_address_space(struct mm_struct *mm) | ||
1165 | return 0; | ||
1166 | } | ||
1167 | |||
1168 | +void __oom_reap_task_mm(struct mm_struct *mm); | ||
1169 | + | ||
1170 | extern unsigned long oom_badness(struct task_struct *p, | ||
1171 | struct mem_cgroup *memcg, const nodemask_t *nodemask, | ||
1172 | unsigned long totalpages); | ||
1173 | diff --git a/include/linux/wait_bit.h b/include/linux/wait_bit.h | ||
1174 | index af0d495430d7..bc96d90bcafd 100644 | ||
1175 | --- a/include/linux/wait_bit.h | ||
1176 | +++ b/include/linux/wait_bit.h | ||
1177 | @@ -259,4 +259,21 @@ int wait_on_atomic_t(atomic_t *val, int (*action)(atomic_t *), unsigned mode) | ||
1178 | return out_of_line_wait_on_atomic_t(val, action, mode); | ||
1179 | } | ||
1180 | |||
1181 | +/** | ||
1182 | + * clear_and_wake_up_bit - clear a bit and wake up anyone waiting on that bit | ||
1183 | + * | ||
1184 | + * @bit: the bit of the word being waited on | ||
1185 | + * @word: the word being waited on, a kernel virtual address | ||
1186 | + * | ||
1187 | + * You can use this helper if bitflags are manipulated atomically rather than | ||
1188 | + * non-atomically under a lock. | ||
1189 | + */ | ||
1190 | +static inline void clear_and_wake_up_bit(int bit, void *word) | ||
1191 | +{ | ||
1192 | + clear_bit_unlock(bit, word); | ||
1193 | + /* See wake_up_bit() for which memory barrier you need to use. */ | ||
1194 | + smp_mb__after_atomic(); | ||
1195 | + wake_up_bit(word, bit); | ||
1196 | +} | ||
1197 | + | ||
1198 | #endif /* _LINUX_WAIT_BIT_H */ | ||
1199 | diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h | ||
1200 | index 1356fa6a7566..fb439db7fa45 100644 | ||
1201 | --- a/include/net/inet_timewait_sock.h | ||
1202 | +++ b/include/net/inet_timewait_sock.h | ||
1203 | @@ -43,6 +43,7 @@ struct inet_timewait_sock { | ||
1204 | #define tw_family __tw_common.skc_family | ||
1205 | #define tw_state __tw_common.skc_state | ||
1206 | #define tw_reuse __tw_common.skc_reuse | ||
1207 | +#define tw_reuseport __tw_common.skc_reuseport | ||
1208 | #define tw_ipv6only __tw_common.skc_ipv6only | ||
1209 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if | ||
1210 | #define tw_node __tw_common.skc_nulls_node | ||
1211 | diff --git a/include/net/nexthop.h b/include/net/nexthop.h | ||
1212 | index 36bb794f5cd6..902ff382a6dc 100644 | ||
1213 | --- a/include/net/nexthop.h | ||
1214 | +++ b/include/net/nexthop.h | ||
1215 | @@ -7,7 +7,7 @@ | ||
1216 | |||
1217 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) | ||
1218 | { | ||
1219 | - return remaining >= sizeof(*rtnh) && | ||
1220 | + return remaining >= (int)sizeof(*rtnh) && | ||
1221 | rtnh->rtnh_len >= sizeof(*rtnh) && | ||
1222 | rtnh->rtnh_len <= remaining; | ||
1223 | } | ||
1224 | diff --git a/kernel/compat.c b/kernel/compat.c | ||
1225 | index 772e038d04d9..7e83733d4c95 100644 | ||
1226 | --- a/kernel/compat.c | ||
1227 | +++ b/kernel/compat.c | ||
1228 | @@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp) | ||
1229 | { | ||
1230 | struct compat_timex tx32; | ||
1231 | |||
1232 | + memset(txc, 0, sizeof(struct timex)); | ||
1233 | if (copy_from_user(&tx32, utp, sizeof(struct compat_timex))) | ||
1234 | return -EFAULT; | ||
1235 | |||
1236 | diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c | ||
1237 | index fa4f47a0a631..b23294e21e76 100644 | ||
1238 | --- a/kernel/events/callchain.c | ||
1239 | +++ b/kernel/events/callchain.c | ||
1240 | @@ -131,14 +131,8 @@ int get_callchain_buffers(int event_max_stack) | ||
1241 | goto exit; | ||
1242 | } | ||
1243 | |||
1244 | - if (count > 1) { | ||
1245 | - /* If the allocation failed, give up */ | ||
1246 | - if (!callchain_cpus_entries) | ||
1247 | - err = -ENOMEM; | ||
1248 | - goto exit; | ||
1249 | - } | ||
1250 | - | ||
1251 | - err = alloc_callchain_buffers(); | ||
1252 | + if (count == 1) | ||
1253 | + err = alloc_callchain_buffers(); | ||
1254 | exit: | ||
1255 | if (err) | ||
1256 | atomic_dec(&nr_callchain_events); | ||
1257 | diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c | ||
1258 | index f684d8e5fa2b..c573c7339223 100644 | ||
1259 | --- a/kernel/events/ring_buffer.c | ||
1260 | +++ b/kernel/events/ring_buffer.c | ||
1261 | @@ -14,6 +14,7 @@ | ||
1262 | #include <linux/slab.h> | ||
1263 | #include <linux/circ_buf.h> | ||
1264 | #include <linux/poll.h> | ||
1265 | +#include <linux/nospec.h> | ||
1266 | |||
1267 | #include "internal.h" | ||
1268 | |||
1269 | @@ -863,8 +864,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff) | ||
1270 | return NULL; | ||
1271 | |||
1272 | /* AUX space */ | ||
1273 | - if (pgoff >= rb->aux_pgoff) | ||
1274 | - return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); | ||
1275 | + if (pgoff >= rb->aux_pgoff) { | ||
1276 | + int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); | ||
1277 | + return virt_to_page(rb->aux_pages[aux_pgoff]); | ||
1278 | + } | ||
1279 | } | ||
1280 | |||
1281 | return __perf_mmap_to_page(rb, pgoff); | ||
1282 | diff --git a/kernel/sched/autogroup.c b/kernel/sched/autogroup.c | ||
1283 | index a43df5193538..1d179ab9ef8d 100644 | ||
1284 | --- a/kernel/sched/autogroup.c | ||
1285 | +++ b/kernel/sched/autogroup.c | ||
1286 | @@ -7,6 +7,7 @@ | ||
1287 | #include <linux/utsname.h> | ||
1288 | #include <linux/security.h> | ||
1289 | #include <linux/export.h> | ||
1290 | +#include <linux/nospec.h> | ||
1291 | |||
1292 | unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1; | ||
1293 | static struct autogroup autogroup_default; | ||
1294 | @@ -213,7 +214,7 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice) | ||
1295 | static unsigned long next = INITIAL_JIFFIES; | ||
1296 | struct autogroup *ag; | ||
1297 | unsigned long shares; | ||
1298 | - int err; | ||
1299 | + int err, idx; | ||
1300 | |||
1301 | if (nice < MIN_NICE || nice > MAX_NICE) | ||
1302 | return -EINVAL; | ||
1303 | @@ -231,7 +232,9 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice) | ||
1304 | |||
1305 | next = HZ / 10 + jiffies; | ||
1306 | ag = autogroup_task_get(p); | ||
1307 | - shares = scale_load(sched_prio_to_weight[nice + 20]); | ||
1308 | + | ||
1309 | + idx = array_index_nospec(nice + 20, 40); | ||
1310 | + shares = scale_load(sched_prio_to_weight[idx]); | ||
1311 | |||
1312 | down_write(&ag->lock); | ||
1313 | err = sched_group_set_shares(ag->tg, shares); | ||
1314 | diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c | ||
1315 | index d6717a3331a1..81eb7899c7c8 100644 | ||
1316 | --- a/kernel/sched/cpufreq_schedutil.c | ||
1317 | +++ b/kernel/sched/cpufreq_schedutil.c | ||
1318 | @@ -282,7 +282,8 @@ static void sugov_update_single(struct update_util_data *hook, u64 time, | ||
1319 | * Do not reduce the frequency if the CPU has not been idle | ||
1320 | * recently, as the reduction is likely to be premature then. | ||
1321 | */ | ||
1322 | - if (busy && next_f < sg_policy->next_freq) { | ||
1323 | + if (busy && next_f < sg_policy->next_freq && | ||
1324 | + sg_policy->next_freq != UINT_MAX) { | ||
1325 | next_f = sg_policy->next_freq; | ||
1326 | |||
1327 | /* Reset cached freq as next_freq has changed */ | ||
1328 | diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c | ||
1329 | index a764aec3c9a1..55008fa93097 100644 | ||
1330 | --- a/kernel/trace/trace_events_filter.c | ||
1331 | +++ b/kernel/trace/trace_events_filter.c | ||
1332 | @@ -338,6 +338,9 @@ static int regex_match_full(char *str, struct regex *r, int len) | ||
1333 | |||
1334 | static int regex_match_front(char *str, struct regex *r, int len) | ||
1335 | { | ||
1336 | + if (len < r->len) | ||
1337 | + return 0; | ||
1338 | + | ||
1339 | if (strncmp(str, r->pattern, r->len) == 0) | ||
1340 | return 1; | ||
1341 | return 0; | ||
1342 | diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c | ||
1343 | index 14d3af6a2953..7197ff9f0bbd 100644 | ||
1344 | --- a/kernel/trace/trace_uprobe.c | ||
1345 | +++ b/kernel/trace/trace_uprobe.c | ||
1346 | @@ -152,6 +152,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, | ||
1347 | return; | ||
1348 | |||
1349 | ret = strncpy_from_user(dst, src, maxlen); | ||
1350 | + if (ret == maxlen) | ||
1351 | + dst[--ret] = '\0'; | ||
1352 | |||
1353 | if (ret < 0) { /* Failed to fetch string */ | ||
1354 | ((u8 *)get_rloc_data(dest))[0] = '\0'; | ||
1355 | diff --git a/mm/backing-dev.c b/mm/backing-dev.c | ||
1356 | index e19606bb41a0..dee049a0ec5b 100644 | ||
1357 | --- a/mm/backing-dev.c | ||
1358 | +++ b/mm/backing-dev.c | ||
1359 | @@ -381,7 +381,7 @@ static void wb_shutdown(struct bdi_writeback *wb) | ||
1360 | * the barrier provided by test_and_clear_bit() above. | ||
1361 | */ | ||
1362 | smp_wmb(); | ||
1363 | - clear_bit(WB_shutting_down, &wb->state); | ||
1364 | + clear_and_wake_up_bit(WB_shutting_down, &wb->state); | ||
1365 | } | ||
1366 | |||
1367 | static void wb_exit(struct bdi_writeback *wb) | ||
1368 | diff --git a/mm/memcontrol.c b/mm/memcontrol.c | ||
1369 | index 66e7efabf0a1..546cd481a2ca 100644 | ||
1370 | --- a/mm/memcontrol.c | ||
1371 | +++ b/mm/memcontrol.c | ||
1372 | @@ -4187,6 +4187,9 @@ static void free_mem_cgroup_per_node_info(struct mem_cgroup *memcg, int node) | ||
1373 | { | ||
1374 | struct mem_cgroup_per_node *pn = memcg->nodeinfo[node]; | ||
1375 | |||
1376 | + if (!pn) | ||
1377 | + return; | ||
1378 | + | ||
1379 | free_percpu(pn->lruvec_stat); | ||
1380 | kfree(pn); | ||
1381 | } | ||
1382 | diff --git a/mm/mmap.c b/mm/mmap.c | ||
1383 | index 0de87a376aaa..11f96fad5271 100644 | ||
1384 | --- a/mm/mmap.c | ||
1385 | +++ b/mm/mmap.c | ||
1386 | @@ -2982,6 +2982,32 @@ void exit_mmap(struct mm_struct *mm) | ||
1387 | /* mm's last user has gone, and its about to be pulled down */ | ||
1388 | mmu_notifier_release(mm); | ||
1389 | |||
1390 | + if (unlikely(mm_is_oom_victim(mm))) { | ||
1391 | + /* | ||
1392 | + * Manually reap the mm to free as much memory as possible. | ||
1393 | + * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard | ||
1394 | + * this mm from further consideration. Taking mm->mmap_sem for | ||
1395 | + * write after setting MMF_OOM_SKIP will guarantee that the oom | ||
1396 | + * reaper will not run on this mm again after mmap_sem is | ||
1397 | + * dropped. | ||
1398 | + * | ||
1399 | + * Nothing can be holding mm->mmap_sem here and the above call | ||
1400 | + * to mmu_notifier_release(mm) ensures mmu notifier callbacks in | ||
1401 | + * __oom_reap_task_mm() will not block. | ||
1402 | + * | ||
1403 | + * This needs to be done before calling munlock_vma_pages_all(), | ||
1404 | + * which clears VM_LOCKED, otherwise the oom reaper cannot | ||
1405 | + * reliably test it. | ||
1406 | + */ | ||
1407 | + mutex_lock(&oom_lock); | ||
1408 | + __oom_reap_task_mm(mm); | ||
1409 | + mutex_unlock(&oom_lock); | ||
1410 | + | ||
1411 | + set_bit(MMF_OOM_SKIP, &mm->flags); | ||
1412 | + down_write(&mm->mmap_sem); | ||
1413 | + up_write(&mm->mmap_sem); | ||
1414 | + } | ||
1415 | + | ||
1416 | if (mm->locked_vm) { | ||
1417 | vma = mm->mmap; | ||
1418 | while (vma) { | ||
1419 | @@ -3003,24 +3029,6 @@ void exit_mmap(struct mm_struct *mm) | ||
1420 | /* update_hiwater_rss(mm) here? but nobody should be looking */ | ||
1421 | /* Use -1 here to ensure all VMAs in the mm are unmapped */ | ||
1422 | unmap_vmas(&tlb, vma, 0, -1); | ||
1423 | - | ||
1424 | - if (unlikely(mm_is_oom_victim(mm))) { | ||
1425 | - /* | ||
1426 | - * Wait for oom_reap_task() to stop working on this | ||
1427 | - * mm. Because MMF_OOM_SKIP is already set before | ||
1428 | - * calling down_read(), oom_reap_task() will not run | ||
1429 | - * on this "mm" post up_write(). | ||
1430 | - * | ||
1431 | - * mm_is_oom_victim() cannot be set from under us | ||
1432 | - * either because victim->mm is already set to NULL | ||
1433 | - * under task_lock before calling mmput and oom_mm is | ||
1434 | - * set not NULL by the OOM killer only if victim->mm | ||
1435 | - * is found not NULL while holding the task_lock. | ||
1436 | - */ | ||
1437 | - set_bit(MMF_OOM_SKIP, &mm->flags); | ||
1438 | - down_write(&mm->mmap_sem); | ||
1439 | - up_write(&mm->mmap_sem); | ||
1440 | - } | ||
1441 | free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING); | ||
1442 | tlb_finish_mmu(&tlb, 0, -1); | ||
1443 | |||
1444 | diff --git a/mm/oom_kill.c b/mm/oom_kill.c | ||
1445 | index 10aed8d8c080..58977f634ced 100644 | ||
1446 | --- a/mm/oom_kill.c | ||
1447 | +++ b/mm/oom_kill.c | ||
1448 | @@ -456,7 +456,6 @@ bool process_shares_mm(struct task_struct *p, struct mm_struct *mm) | ||
1449 | return false; | ||
1450 | } | ||
1451 | |||
1452 | - | ||
1453 | #ifdef CONFIG_MMU | ||
1454 | /* | ||
1455 | * OOM Reaper kernel thread which tries to reap the memory used by the OOM | ||
1456 | @@ -467,16 +466,51 @@ static DECLARE_WAIT_QUEUE_HEAD(oom_reaper_wait); | ||
1457 | static struct task_struct *oom_reaper_list; | ||
1458 | static DEFINE_SPINLOCK(oom_reaper_lock); | ||
1459 | |||
1460 | -static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) | ||
1461 | +void __oom_reap_task_mm(struct mm_struct *mm) | ||
1462 | { | ||
1463 | - struct mmu_gather tlb; | ||
1464 | struct vm_area_struct *vma; | ||
1465 | + | ||
1466 | + /* | ||
1467 | + * Tell all users of get_user/copy_from_user etc... that the content | ||
1468 | + * is no longer stable. No barriers really needed because unmapping | ||
1469 | + * should imply barriers already and the reader would hit a page fault | ||
1470 | + * if it stumbled over a reaped memory. | ||
1471 | + */ | ||
1472 | + set_bit(MMF_UNSTABLE, &mm->flags); | ||
1473 | + | ||
1474 | + for (vma = mm->mmap ; vma; vma = vma->vm_next) { | ||
1475 | + if (!can_madv_dontneed_vma(vma)) | ||
1476 | + continue; | ||
1477 | + | ||
1478 | + /* | ||
1479 | + * Only anonymous pages have a good chance to be dropped | ||
1480 | + * without additional steps which we cannot afford as we | ||
1481 | + * are OOM already. | ||
1482 | + * | ||
1483 | + * We do not even care about fs backed pages because all | ||
1484 | + * which are reclaimable have already been reclaimed and | ||
1485 | + * we do not want to block exit_mmap by keeping mm ref | ||
1486 | + * count elevated without a good reason. | ||
1487 | + */ | ||
1488 | + if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { | ||
1489 | + struct mmu_gather tlb; | ||
1490 | + | ||
1491 | + tlb_gather_mmu(&tlb, mm, vma->vm_start, vma->vm_end); | ||
1492 | + unmap_page_range(&tlb, vma, vma->vm_start, vma->vm_end, | ||
1493 | + NULL); | ||
1494 | + tlb_finish_mmu(&tlb, vma->vm_start, vma->vm_end); | ||
1495 | + } | ||
1496 | + } | ||
1497 | +} | ||
1498 | + | ||
1499 | +static bool oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) | ||
1500 | +{ | ||
1501 | bool ret = true; | ||
1502 | |||
1503 | /* | ||
1504 | * We have to make sure to not race with the victim exit path | ||
1505 | * and cause premature new oom victim selection: | ||
1506 | - * __oom_reap_task_mm exit_mm | ||
1507 | + * oom_reap_task_mm exit_mm | ||
1508 | * mmget_not_zero | ||
1509 | * mmput | ||
1510 | * atomic_dec_and_test | ||
1511 | @@ -524,35 +558,8 @@ static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) | ||
1512 | |||
1513 | trace_start_task_reaping(tsk->pid); | ||
1514 | |||
1515 | - /* | ||
1516 | - * Tell all users of get_user/copy_from_user etc... that the content | ||
1517 | - * is no longer stable. No barriers really needed because unmapping | ||
1518 | - * should imply barriers already and the reader would hit a page fault | ||
1519 | - * if it stumbled over a reaped memory. | ||
1520 | - */ | ||
1521 | - set_bit(MMF_UNSTABLE, &mm->flags); | ||
1522 | - | ||
1523 | - for (vma = mm->mmap ; vma; vma = vma->vm_next) { | ||
1524 | - if (!can_madv_dontneed_vma(vma)) | ||
1525 | - continue; | ||
1526 | + __oom_reap_task_mm(mm); | ||
1527 | |||
1528 | - /* | ||
1529 | - * Only anonymous pages have a good chance to be dropped | ||
1530 | - * without additional steps which we cannot afford as we | ||
1531 | - * are OOM already. | ||
1532 | - * | ||
1533 | - * We do not even care about fs backed pages because all | ||
1534 | - * which are reclaimable have already been reclaimed and | ||
1535 | - * we do not want to block exit_mmap by keeping mm ref | ||
1536 | - * count elevated without a good reason. | ||
1537 | - */ | ||
1538 | - if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { | ||
1539 | - tlb_gather_mmu(&tlb, mm, vma->vm_start, vma->vm_end); | ||
1540 | - unmap_page_range(&tlb, vma, vma->vm_start, vma->vm_end, | ||
1541 | - NULL); | ||
1542 | - tlb_finish_mmu(&tlb, vma->vm_start, vma->vm_end); | ||
1543 | - } | ||
1544 | - } | ||
1545 | pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n", | ||
1546 | task_pid_nr(tsk), tsk->comm, | ||
1547 | K(get_mm_counter(mm, MM_ANONPAGES)), | ||
1548 | @@ -573,13 +580,12 @@ static void oom_reap_task(struct task_struct *tsk) | ||
1549 | struct mm_struct *mm = tsk->signal->oom_mm; | ||
1550 | |||
1551 | /* Retry the down_read_trylock(mmap_sem) a few times */ | ||
1552 | - while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) | ||
1553 | + while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm)) | ||
1554 | schedule_timeout_idle(HZ/10); | ||
1555 | |||
1556 | if (attempts <= MAX_OOM_REAP_RETRIES) | ||
1557 | goto done; | ||
1558 | |||
1559 | - | ||
1560 | pr_info("oom_reaper: unable to reap pid:%d (%s)\n", | ||
1561 | task_pid_nr(tsk), tsk->comm); | ||
1562 | debug_show_all_locks(); | ||
1563 | diff --git a/mm/sparse.c b/mm/sparse.c | ||
1564 | index 30e56a100ee8..76ed2f4a8a3e 100644 | ||
1565 | --- a/mm/sparse.c | ||
1566 | +++ b/mm/sparse.c | ||
1567 | @@ -661,7 +661,7 @@ void offline_mem_sections(unsigned long start_pfn, unsigned long end_pfn) | ||
1568 | unsigned long pfn; | ||
1569 | |||
1570 | for (pfn = start_pfn; pfn < end_pfn; pfn += PAGES_PER_SECTION) { | ||
1571 | - unsigned long section_nr = pfn_to_section_nr(start_pfn); | ||
1572 | + unsigned long section_nr = pfn_to_section_nr(pfn); | ||
1573 | struct mem_section *ms; | ||
1574 | |||
1575 | /* | ||
1576 | diff --git a/mm/z3fold.c b/mm/z3fold.c | ||
1577 | index 39e19125d6a0..ddfb20cfd9af 100644 | ||
1578 | --- a/mm/z3fold.c | ||
1579 | +++ b/mm/z3fold.c | ||
1580 | @@ -144,7 +144,8 @@ enum z3fold_page_flags { | ||
1581 | PAGE_HEADLESS = 0, | ||
1582 | MIDDLE_CHUNK_MAPPED, | ||
1583 | NEEDS_COMPACTING, | ||
1584 | - PAGE_STALE | ||
1585 | + PAGE_STALE, | ||
1586 | + UNDER_RECLAIM | ||
1587 | }; | ||
1588 | |||
1589 | /***************** | ||
1590 | @@ -173,6 +174,7 @@ static struct z3fold_header *init_z3fold_page(struct page *page, | ||
1591 | clear_bit(MIDDLE_CHUNK_MAPPED, &page->private); | ||
1592 | clear_bit(NEEDS_COMPACTING, &page->private); | ||
1593 | clear_bit(PAGE_STALE, &page->private); | ||
1594 | + clear_bit(UNDER_RECLAIM, &page->private); | ||
1595 | |||
1596 | spin_lock_init(&zhdr->page_lock); | ||
1597 | kref_init(&zhdr->refcount); | ||
1598 | @@ -748,6 +750,10 @@ static void z3fold_free(struct z3fold_pool *pool, unsigned long handle) | ||
1599 | atomic64_dec(&pool->pages_nr); | ||
1600 | return; | ||
1601 | } | ||
1602 | + if (test_bit(UNDER_RECLAIM, &page->private)) { | ||
1603 | + z3fold_page_unlock(zhdr); | ||
1604 | + return; | ||
1605 | + } | ||
1606 | if (test_and_set_bit(NEEDS_COMPACTING, &page->private)) { | ||
1607 | z3fold_page_unlock(zhdr); | ||
1608 | return; | ||
1609 | @@ -832,6 +838,8 @@ static int z3fold_reclaim_page(struct z3fold_pool *pool, unsigned int retries) | ||
1610 | kref_get(&zhdr->refcount); | ||
1611 | list_del_init(&zhdr->buddy); | ||
1612 | zhdr->cpu = -1; | ||
1613 | + set_bit(UNDER_RECLAIM, &page->private); | ||
1614 | + break; | ||
1615 | } | ||
1616 | |||
1617 | list_del_init(&page->lru); | ||
1618 | @@ -879,25 +887,35 @@ static int z3fold_reclaim_page(struct z3fold_pool *pool, unsigned int retries) | ||
1619 | goto next; | ||
1620 | } | ||
1621 | next: | ||
1622 | - spin_lock(&pool->lock); | ||
1623 | if (test_bit(PAGE_HEADLESS, &page->private)) { | ||
1624 | if (ret == 0) { | ||
1625 | - spin_unlock(&pool->lock); | ||
1626 | free_z3fold_page(page); | ||
1627 | return 0; | ||
1628 | } | ||
1629 | - } else if (kref_put(&zhdr->refcount, release_z3fold_page)) { | ||
1630 | - atomic64_dec(&pool->pages_nr); | ||
1631 | + spin_lock(&pool->lock); | ||
1632 | + list_add(&page->lru, &pool->lru); | ||
1633 | + spin_unlock(&pool->lock); | ||
1634 | + } else { | ||
1635 | + z3fold_page_lock(zhdr); | ||
1636 | + clear_bit(UNDER_RECLAIM, &page->private); | ||
1637 | + if (kref_put(&zhdr->refcount, | ||
1638 | + release_z3fold_page_locked)) { | ||
1639 | + atomic64_dec(&pool->pages_nr); | ||
1640 | + return 0; | ||
1641 | + } | ||
1642 | + /* | ||
1643 | + * if we are here, the page is still not completely | ||
1644 | + * free. Take the global pool lock then to be able | ||
1645 | + * to add it back to the lru list | ||
1646 | + */ | ||
1647 | + spin_lock(&pool->lock); | ||
1648 | + list_add(&page->lru, &pool->lru); | ||
1649 | spin_unlock(&pool->lock); | ||
1650 | - return 0; | ||
1651 | + z3fold_page_unlock(zhdr); | ||
1652 | } | ||
1653 | |||
1654 | - /* | ||
1655 | - * Add to the beginning of LRU. | ||
1656 | - * Pool lock has to be kept here to ensure the page has | ||
1657 | - * not already been released | ||
1658 | - */ | ||
1659 | - list_add(&page->lru, &pool->lru); | ||
1660 | + /* We started off locked to we need to lock the pool back */ | ||
1661 | + spin_lock(&pool->lock); | ||
1662 | } | ||
1663 | spin_unlock(&pool->lock); | ||
1664 | return -EAGAIN; | ||
1665 | diff --git a/net/atm/lec.c b/net/atm/lec.c | ||
1666 | index a3d93a1bb133..5741b6474dd9 100644 | ||
1667 | --- a/net/atm/lec.c | ||
1668 | +++ b/net/atm/lec.c | ||
1669 | @@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 }; | ||
1670 | #include <linux/module.h> | ||
1671 | #include <linux/init.h> | ||
1672 | |||
1673 | +/* Hardening for Spectre-v1 */ | ||
1674 | +#include <linux/nospec.h> | ||
1675 | + | ||
1676 | #include "lec.h" | ||
1677 | #include "lec_arpc.h" | ||
1678 | #include "resources.h" | ||
1679 | @@ -687,8 +690,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) | ||
1680 | bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); | ||
1681 | if (bytes_left != 0) | ||
1682 | pr_info("copy from user failed for %d bytes\n", bytes_left); | ||
1683 | - if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || | ||
1684 | - !dev_lec[ioc_data.dev_num]) | ||
1685 | + if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) | ||
1686 | + return -EINVAL; | ||
1687 | + ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); | ||
1688 | + if (!dev_lec[ioc_data.dev_num]) | ||
1689 | return -EINVAL; | ||
1690 | vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); | ||
1691 | if (!vpriv) | ||
1692 | diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c | ||
1693 | index 014a73b46064..2800c4c4978c 100644 | ||
1694 | --- a/net/bridge/netfilter/ebtables.c | ||
1695 | +++ b/net/bridge/netfilter/ebtables.c | ||
1696 | @@ -1819,13 +1819,14 @@ static int compat_table_info(const struct ebt_table_info *info, | ||
1697 | { | ||
1698 | unsigned int size = info->entries_size; | ||
1699 | const void *entries = info->entries; | ||
1700 | - int ret; | ||
1701 | |||
1702 | newinfo->entries_size = size; | ||
1703 | - | ||
1704 | - ret = xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries); | ||
1705 | - if (ret) | ||
1706 | - return ret; | ||
1707 | + if (info->nentries) { | ||
1708 | + int ret = xt_compat_init_offsets(NFPROTO_BRIDGE, | ||
1709 | + info->nentries); | ||
1710 | + if (ret) | ||
1711 | + return ret; | ||
1712 | + } | ||
1713 | |||
1714 | return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info, | ||
1715 | entries, newinfo); | ||
1716 | diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c | ||
1717 | index c0548d268e1a..e3e6a3e2ca22 100644 | ||
1718 | --- a/net/core/dev_addr_lists.c | ||
1719 | +++ b/net/core/dev_addr_lists.c | ||
1720 | @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, | ||
1721 | return -EINVAL; | ||
1722 | |||
1723 | list_for_each_entry(ha, &list->list, list) { | ||
1724 | - if (!memcmp(ha->addr, addr, addr_len) && | ||
1725 | - ha->type == addr_type) { | ||
1726 | + if (ha->type == addr_type && | ||
1727 | + !memcmp(ha->addr, addr, addr_len)) { | ||
1728 | if (global) { | ||
1729 | /* check if addr is already used as global */ | ||
1730 | if (ha->global_use) | ||
1731 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c | ||
1732 | index 564beb7e6d1c..ef734ad1d852 100644 | ||
1733 | --- a/net/core/skbuff.c | ||
1734 | +++ b/net/core/skbuff.c | ||
1735 | @@ -857,6 +857,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) | ||
1736 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; | ||
1737 | n->cloned = 1; | ||
1738 | n->nohdr = 0; | ||
1739 | + n->peeked = 0; | ||
1740 | n->destructor = NULL; | ||
1741 | C(tail); | ||
1742 | C(end); | ||
1743 | diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c | ||
1744 | index e65fcb45c3f6..b08feb219b44 100644 | ||
1745 | --- a/net/dccp/ipv4.c | ||
1746 | +++ b/net/dccp/ipv4.c | ||
1747 | @@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) | ||
1748 | ireq = inet_rsk(req); | ||
1749 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); | ||
1750 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); | ||
1751 | + ireq->ir_mark = inet_request_mark(sk, skb); | ||
1752 | ireq->ireq_family = AF_INET; | ||
1753 | ireq->ir_iif = sk->sk_bound_dev_if; | ||
1754 | |||
1755 | diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c | ||
1756 | index 5df7857fc0f3..6344f1b18a6a 100644 | ||
1757 | --- a/net/dccp/ipv6.c | ||
1758 | +++ b/net/dccp/ipv6.c | ||
1759 | @@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) | ||
1760 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; | ||
1761 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; | ||
1762 | ireq->ireq_family = AF_INET6; | ||
1763 | + ireq->ir_mark = inet_request_mark(sk, skb); | ||
1764 | |||
1765 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || | ||
1766 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || | ||
1767 | diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c | ||
1768 | index d451b9f19b59..2341c1401681 100644 | ||
1769 | --- a/net/ipv4/inet_timewait_sock.c | ||
1770 | +++ b/net/ipv4/inet_timewait_sock.c | ||
1771 | @@ -179,6 +179,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, | ||
1772 | tw->tw_dport = inet->inet_dport; | ||
1773 | tw->tw_family = sk->sk_family; | ||
1774 | tw->tw_reuse = sk->sk_reuse; | ||
1775 | + tw->tw_reuseport = sk->sk_reuseport; | ||
1776 | tw->tw_hash = sk->sk_hash; | ||
1777 | tw->tw_ipv6only = 0; | ||
1778 | tw->tw_transparent = inet->transparent; | ||
1779 | diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c | ||
1780 | index b20c8ac64081..64007ce87273 100644 | ||
1781 | --- a/net/ipv4/inetpeer.c | ||
1782 | +++ b/net/ipv4/inetpeer.c | ||
1783 | @@ -210,6 +210,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base, | ||
1784 | p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC); | ||
1785 | if (p) { | ||
1786 | p->daddr = *daddr; | ||
1787 | + p->dtime = (__u32)jiffies; | ||
1788 | refcount_set(&p->refcnt, 2); | ||
1789 | atomic_set(&p->rid, 0); | ||
1790 | p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW; | ||
1791 | diff --git a/net/ipv4/route.c b/net/ipv4/route.c | ||
1792 | index 9ff06c5051ae..5ea559f8c456 100644 | ||
1793 | --- a/net/ipv4/route.c | ||
1794 | +++ b/net/ipv4/route.c | ||
1795 | @@ -2288,13 +2288,14 @@ struct rtable *ip_route_output_key_hash(struct net *net, struct flowi4 *fl4, | ||
1796 | const struct sk_buff *skb) | ||
1797 | { | ||
1798 | __u8 tos = RT_FL_TOS(fl4); | ||
1799 | - struct fib_result res; | ||
1800 | + struct fib_result res = { | ||
1801 | + .type = RTN_UNSPEC, | ||
1802 | + .fi = NULL, | ||
1803 | + .table = NULL, | ||
1804 | + .tclassid = 0, | ||
1805 | + }; | ||
1806 | struct rtable *rth; | ||
1807 | |||
1808 | - res.tclassid = 0; | ||
1809 | - res.fi = NULL; | ||
1810 | - res.table = NULL; | ||
1811 | - | ||
1812 | fl4->flowi4_iif = LOOPBACK_IFINDEX; | ||
1813 | fl4->flowi4_tos = tos & IPTOS_RT_MASK; | ||
1814 | fl4->flowi4_scope = ((tos & RTO_ONLINK) ? | ||
1815 | diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c | ||
1816 | index d023f879e7bb..b694fbf44a35 100644 | ||
1817 | --- a/net/ipv4/tcp.c | ||
1818 | +++ b/net/ipv4/tcp.c | ||
1819 | @@ -2601,7 +2601,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, | ||
1820 | case TCP_REPAIR_QUEUE: | ||
1821 | if (!tp->repair) | ||
1822 | err = -EPERM; | ||
1823 | - else if (val < TCP_QUEUES_NR) | ||
1824 | + else if ((unsigned int)val < TCP_QUEUES_NR) | ||
1825 | tp->repair_queue = val; | ||
1826 | else | ||
1827 | err = -EINVAL; | ||
1828 | diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c | ||
1829 | index 9db49805b7be..01a4ff3df60b 100644 | ||
1830 | --- a/net/kcm/kcmsock.c | ||
1831 | +++ b/net/kcm/kcmsock.c | ||
1832 | @@ -1425,6 +1425,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock, | ||
1833 | */ | ||
1834 | if (csk->sk_user_data) { | ||
1835 | write_unlock_bh(&csk->sk_callback_lock); | ||
1836 | + strp_stop(&psock->strp); | ||
1837 | strp_done(&psock->strp); | ||
1838 | kmem_cache_free(kcm_psockp, psock); | ||
1839 | err = -EALREADY; | ||
1840 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c | ||
1841 | index b3245f9a37d1..e8f1556fa446 100644 | ||
1842 | --- a/net/netfilter/ipvs/ip_vs_ctl.c | ||
1843 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c | ||
1844 | @@ -2387,11 +2387,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) | ||
1845 | strlcpy(cfg.mcast_ifn, dm->mcast_ifn, | ||
1846 | sizeof(cfg.mcast_ifn)); | ||
1847 | cfg.syncid = dm->syncid; | ||
1848 | - rtnl_lock(); | ||
1849 | - mutex_lock(&ipvs->sync_mutex); | ||
1850 | ret = start_sync_thread(ipvs, &cfg, dm->state); | ||
1851 | - mutex_unlock(&ipvs->sync_mutex); | ||
1852 | - rtnl_unlock(); | ||
1853 | } else { | ||
1854 | mutex_lock(&ipvs->sync_mutex); | ||
1855 | ret = stop_sync_thread(ipvs, dm->state); | ||
1856 | @@ -3484,12 +3480,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) | ||
1857 | if (ipvs->mixed_address_family_dests > 0) | ||
1858 | return -EINVAL; | ||
1859 | |||
1860 | - rtnl_lock(); | ||
1861 | - mutex_lock(&ipvs->sync_mutex); | ||
1862 | ret = start_sync_thread(ipvs, &c, | ||
1863 | nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); | ||
1864 | - mutex_unlock(&ipvs->sync_mutex); | ||
1865 | - rtnl_unlock(); | ||
1866 | return ret; | ||
1867 | } | ||
1868 | |||
1869 | diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c | ||
1870 | index 13f740875507..5e07f7a6794e 100644 | ||
1871 | --- a/net/netfilter/ipvs/ip_vs_sync.c | ||
1872 | +++ b/net/netfilter/ipvs/ip_vs_sync.c | ||
1873 | @@ -49,6 +49,7 @@ | ||
1874 | #include <linux/kthread.h> | ||
1875 | #include <linux/wait.h> | ||
1876 | #include <linux/kernel.h> | ||
1877 | +#include <linux/sched/signal.h> | ||
1878 | |||
1879 | #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */ | ||
1880 | |||
1881 | @@ -1360,15 +1361,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val) | ||
1882 | /* | ||
1883 | * Specifiy default interface for outgoing multicasts | ||
1884 | */ | ||
1885 | -static int set_mcast_if(struct sock *sk, char *ifname) | ||
1886 | +static int set_mcast_if(struct sock *sk, struct net_device *dev) | ||
1887 | { | ||
1888 | - struct net_device *dev; | ||
1889 | struct inet_sock *inet = inet_sk(sk); | ||
1890 | - struct net *net = sock_net(sk); | ||
1891 | - | ||
1892 | - dev = __dev_get_by_name(net, ifname); | ||
1893 | - if (!dev) | ||
1894 | - return -ENODEV; | ||
1895 | |||
1896 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
1897 | return -EINVAL; | ||
1898 | @@ -1396,19 +1391,14 @@ static int set_mcast_if(struct sock *sk, char *ifname) | ||
1899 | * in the in_addr structure passed in as a parameter. | ||
1900 | */ | ||
1901 | static int | ||
1902 | -join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) | ||
1903 | +join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev) | ||
1904 | { | ||
1905 | - struct net *net = sock_net(sk); | ||
1906 | struct ip_mreqn mreq; | ||
1907 | - struct net_device *dev; | ||
1908 | int ret; | ||
1909 | |||
1910 | memset(&mreq, 0, sizeof(mreq)); | ||
1911 | memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr)); | ||
1912 | |||
1913 | - dev = __dev_get_by_name(net, ifname); | ||
1914 | - if (!dev) | ||
1915 | - return -ENODEV; | ||
1916 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
1917 | return -EINVAL; | ||
1918 | |||
1919 | @@ -1423,15 +1413,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) | ||
1920 | |||
1921 | #ifdef CONFIG_IP_VS_IPV6 | ||
1922 | static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, | ||
1923 | - char *ifname) | ||
1924 | + struct net_device *dev) | ||
1925 | { | ||
1926 | - struct net *net = sock_net(sk); | ||
1927 | - struct net_device *dev; | ||
1928 | int ret; | ||
1929 | |||
1930 | - dev = __dev_get_by_name(net, ifname); | ||
1931 | - if (!dev) | ||
1932 | - return -ENODEV; | ||
1933 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
1934 | return -EINVAL; | ||
1935 | |||
1936 | @@ -1443,24 +1428,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, | ||
1937 | } | ||
1938 | #endif | ||
1939 | |||
1940 | -static int bind_mcastif_addr(struct socket *sock, char *ifname) | ||
1941 | +static int bind_mcastif_addr(struct socket *sock, struct net_device *dev) | ||
1942 | { | ||
1943 | - struct net *net = sock_net(sock->sk); | ||
1944 | - struct net_device *dev; | ||
1945 | __be32 addr; | ||
1946 | struct sockaddr_in sin; | ||
1947 | |||
1948 | - dev = __dev_get_by_name(net, ifname); | ||
1949 | - if (!dev) | ||
1950 | - return -ENODEV; | ||
1951 | - | ||
1952 | addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE); | ||
1953 | if (!addr) | ||
1954 | pr_err("You probably need to specify IP address on " | ||
1955 | "multicast interface.\n"); | ||
1956 | |||
1957 | IP_VS_DBG(7, "binding socket with (%s) %pI4\n", | ||
1958 | - ifname, &addr); | ||
1959 | + dev->name, &addr); | ||
1960 | |||
1961 | /* Now bind the socket with the address of multicast interface */ | ||
1962 | sin.sin_family = AF_INET; | ||
1963 | @@ -1493,7 +1472,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen, | ||
1964 | /* | ||
1965 | * Set up sending multicast socket over UDP | ||
1966 | */ | ||
1967 | -static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
1968 | +static int make_send_sock(struct netns_ipvs *ipvs, int id, | ||
1969 | + struct net_device *dev, struct socket **sock_ret) | ||
1970 | { | ||
1971 | /* multicast addr */ | ||
1972 | union ipvs_sockaddr mcast_addr; | ||
1973 | @@ -1505,9 +1485,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
1974 | IPPROTO_UDP, &sock); | ||
1975 | if (result < 0) { | ||
1976 | pr_err("Error during creation of socket; terminating\n"); | ||
1977 | - return ERR_PTR(result); | ||
1978 | + goto error; | ||
1979 | } | ||
1980 | - result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn); | ||
1981 | + *sock_ret = sock; | ||
1982 | + result = set_mcast_if(sock->sk, dev); | ||
1983 | if (result < 0) { | ||
1984 | pr_err("Error setting outbound mcast interface\n"); | ||
1985 | goto error; | ||
1986 | @@ -1522,7 +1503,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
1987 | set_sock_size(sock->sk, 1, result); | ||
1988 | |||
1989 | if (AF_INET == ipvs->mcfg.mcast_af) | ||
1990 | - result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn); | ||
1991 | + result = bind_mcastif_addr(sock, dev); | ||
1992 | else | ||
1993 | result = 0; | ||
1994 | if (result < 0) { | ||
1995 | @@ -1538,19 +1519,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
1996 | goto error; | ||
1997 | } | ||
1998 | |||
1999 | - return sock; | ||
2000 | + return 0; | ||
2001 | |||
2002 | error: | ||
2003 | - sock_release(sock); | ||
2004 | - return ERR_PTR(result); | ||
2005 | + return result; | ||
2006 | } | ||
2007 | |||
2008 | |||
2009 | /* | ||
2010 | * Set up receiving multicast socket over UDP | ||
2011 | */ | ||
2012 | -static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
2013 | - int ifindex) | ||
2014 | +static int make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
2015 | + struct net_device *dev, struct socket **sock_ret) | ||
2016 | { | ||
2017 | /* multicast addr */ | ||
2018 | union ipvs_sockaddr mcast_addr; | ||
2019 | @@ -1562,8 +1542,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
2020 | IPPROTO_UDP, &sock); | ||
2021 | if (result < 0) { | ||
2022 | pr_err("Error during creation of socket; terminating\n"); | ||
2023 | - return ERR_PTR(result); | ||
2024 | + goto error; | ||
2025 | } | ||
2026 | + *sock_ret = sock; | ||
2027 | /* it is equivalent to the REUSEADDR option in user-space */ | ||
2028 | sock->sk->sk_reuse = SK_CAN_REUSE; | ||
2029 | result = sysctl_sync_sock_size(ipvs); | ||
2030 | @@ -1571,7 +1552,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
2031 | set_sock_size(sock->sk, 0, result); | ||
2032 | |||
2033 | get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id); | ||
2034 | - sock->sk->sk_bound_dev_if = ifindex; | ||
2035 | + sock->sk->sk_bound_dev_if = dev->ifindex; | ||
2036 | result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen); | ||
2037 | if (result < 0) { | ||
2038 | pr_err("Error binding to the multicast addr\n"); | ||
2039 | @@ -1582,21 +1563,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
2040 | #ifdef CONFIG_IP_VS_IPV6 | ||
2041 | if (ipvs->bcfg.mcast_af == AF_INET6) | ||
2042 | result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr, | ||
2043 | - ipvs->bcfg.mcast_ifn); | ||
2044 | + dev); | ||
2045 | else | ||
2046 | #endif | ||
2047 | result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr, | ||
2048 | - ipvs->bcfg.mcast_ifn); | ||
2049 | + dev); | ||
2050 | if (result < 0) { | ||
2051 | pr_err("Error joining to the multicast group\n"); | ||
2052 | goto error; | ||
2053 | } | ||
2054 | |||
2055 | - return sock; | ||
2056 | + return 0; | ||
2057 | |||
2058 | error: | ||
2059 | - sock_release(sock); | ||
2060 | - return ERR_PTR(result); | ||
2061 | + return result; | ||
2062 | } | ||
2063 | |||
2064 | |||
2065 | @@ -1781,13 +1761,12 @@ static int sync_thread_backup(void *data) | ||
2066 | int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2067 | int state) | ||
2068 | { | ||
2069 | - struct ip_vs_sync_thread_data *tinfo; | ||
2070 | + struct ip_vs_sync_thread_data *tinfo = NULL; | ||
2071 | struct task_struct **array = NULL, *task; | ||
2072 | - struct socket *sock; | ||
2073 | struct net_device *dev; | ||
2074 | char *name; | ||
2075 | int (*threadfn)(void *data); | ||
2076 | - int id, count, hlen; | ||
2077 | + int id = 0, count, hlen; | ||
2078 | int result = -ENOMEM; | ||
2079 | u16 mtu, min_mtu; | ||
2080 | |||
2081 | @@ -1795,6 +1774,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2082 | IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n", | ||
2083 | sizeof(struct ip_vs_sync_conn_v0)); | ||
2084 | |||
2085 | + /* Do not hold one mutex and then to block on another */ | ||
2086 | + for (;;) { | ||
2087 | + rtnl_lock(); | ||
2088 | + if (mutex_trylock(&ipvs->sync_mutex)) | ||
2089 | + break; | ||
2090 | + rtnl_unlock(); | ||
2091 | + mutex_lock(&ipvs->sync_mutex); | ||
2092 | + if (rtnl_trylock()) | ||
2093 | + break; | ||
2094 | + mutex_unlock(&ipvs->sync_mutex); | ||
2095 | + } | ||
2096 | + | ||
2097 | if (!ipvs->sync_state) { | ||
2098 | count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX); | ||
2099 | ipvs->threads_mask = count - 1; | ||
2100 | @@ -1813,7 +1804,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2101 | dev = __dev_get_by_name(ipvs->net, c->mcast_ifn); | ||
2102 | if (!dev) { | ||
2103 | pr_err("Unknown mcast interface: %s\n", c->mcast_ifn); | ||
2104 | - return -ENODEV; | ||
2105 | + result = -ENODEV; | ||
2106 | + goto out_early; | ||
2107 | } | ||
2108 | hlen = (AF_INET6 == c->mcast_af) ? | ||
2109 | sizeof(struct ipv6hdr) + sizeof(struct udphdr) : | ||
2110 | @@ -1830,26 +1822,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2111 | c->sync_maxlen = mtu - hlen; | ||
2112 | |||
2113 | if (state == IP_VS_STATE_MASTER) { | ||
2114 | + result = -EEXIST; | ||
2115 | if (ipvs->ms) | ||
2116 | - return -EEXIST; | ||
2117 | + goto out_early; | ||
2118 | |||
2119 | ipvs->mcfg = *c; | ||
2120 | name = "ipvs-m:%d:%d"; | ||
2121 | threadfn = sync_thread_master; | ||
2122 | } else if (state == IP_VS_STATE_BACKUP) { | ||
2123 | + result = -EEXIST; | ||
2124 | if (ipvs->backup_threads) | ||
2125 | - return -EEXIST; | ||
2126 | + goto out_early; | ||
2127 | |||
2128 | ipvs->bcfg = *c; | ||
2129 | name = "ipvs-b:%d:%d"; | ||
2130 | threadfn = sync_thread_backup; | ||
2131 | } else { | ||
2132 | - return -EINVAL; | ||
2133 | + result = -EINVAL; | ||
2134 | + goto out_early; | ||
2135 | } | ||
2136 | |||
2137 | if (state == IP_VS_STATE_MASTER) { | ||
2138 | struct ipvs_master_sync_state *ms; | ||
2139 | |||
2140 | + result = -ENOMEM; | ||
2141 | ipvs->ms = kcalloc(count, sizeof(ipvs->ms[0]), GFP_KERNEL); | ||
2142 | if (!ipvs->ms) | ||
2143 | goto out; | ||
2144 | @@ -1865,39 +1861,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2145 | } else { | ||
2146 | array = kcalloc(count, sizeof(struct task_struct *), | ||
2147 | GFP_KERNEL); | ||
2148 | + result = -ENOMEM; | ||
2149 | if (!array) | ||
2150 | goto out; | ||
2151 | } | ||
2152 | |||
2153 | - tinfo = NULL; | ||
2154 | for (id = 0; id < count; id++) { | ||
2155 | - if (state == IP_VS_STATE_MASTER) | ||
2156 | - sock = make_send_sock(ipvs, id); | ||
2157 | - else | ||
2158 | - sock = make_receive_sock(ipvs, id, dev->ifindex); | ||
2159 | - if (IS_ERR(sock)) { | ||
2160 | - result = PTR_ERR(sock); | ||
2161 | - goto outtinfo; | ||
2162 | - } | ||
2163 | + result = -ENOMEM; | ||
2164 | tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); | ||
2165 | if (!tinfo) | ||
2166 | - goto outsocket; | ||
2167 | + goto out; | ||
2168 | tinfo->ipvs = ipvs; | ||
2169 | - tinfo->sock = sock; | ||
2170 | + tinfo->sock = NULL; | ||
2171 | if (state == IP_VS_STATE_BACKUP) { | ||
2172 | tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, | ||
2173 | GFP_KERNEL); | ||
2174 | if (!tinfo->buf) | ||
2175 | - goto outtinfo; | ||
2176 | + goto out; | ||
2177 | } else { | ||
2178 | tinfo->buf = NULL; | ||
2179 | } | ||
2180 | tinfo->id = id; | ||
2181 | + if (state == IP_VS_STATE_MASTER) | ||
2182 | + result = make_send_sock(ipvs, id, dev, &tinfo->sock); | ||
2183 | + else | ||
2184 | + result = make_receive_sock(ipvs, id, dev, &tinfo->sock); | ||
2185 | + if (result < 0) | ||
2186 | + goto out; | ||
2187 | |||
2188 | task = kthread_run(threadfn, tinfo, name, ipvs->gen, id); | ||
2189 | if (IS_ERR(task)) { | ||
2190 | result = PTR_ERR(task); | ||
2191 | - goto outtinfo; | ||
2192 | + goto out; | ||
2193 | } | ||
2194 | tinfo = NULL; | ||
2195 | if (state == IP_VS_STATE_MASTER) | ||
2196 | @@ -1914,20 +1909,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2197 | ipvs->sync_state |= state; | ||
2198 | spin_unlock_bh(&ipvs->sync_buff_lock); | ||
2199 | |||
2200 | + mutex_unlock(&ipvs->sync_mutex); | ||
2201 | + rtnl_unlock(); | ||
2202 | + | ||
2203 | /* increase the module use count */ | ||
2204 | ip_vs_use_count_inc(); | ||
2205 | |||
2206 | return 0; | ||
2207 | |||
2208 | -outsocket: | ||
2209 | - sock_release(sock); | ||
2210 | - | ||
2211 | -outtinfo: | ||
2212 | - if (tinfo) { | ||
2213 | - sock_release(tinfo->sock); | ||
2214 | - kfree(tinfo->buf); | ||
2215 | - kfree(tinfo); | ||
2216 | - } | ||
2217 | +out: | ||
2218 | + /* We do not need RTNL lock anymore, release it here so that | ||
2219 | + * sock_release below and in the kthreads can use rtnl_lock | ||
2220 | + * to leave the mcast group. | ||
2221 | + */ | ||
2222 | + rtnl_unlock(); | ||
2223 | count = id; | ||
2224 | while (count-- > 0) { | ||
2225 | if (state == IP_VS_STATE_MASTER) | ||
2226 | @@ -1935,13 +1930,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
2227 | else | ||
2228 | kthread_stop(array[count]); | ||
2229 | } | ||
2230 | - kfree(array); | ||
2231 | - | ||
2232 | -out: | ||
2233 | if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { | ||
2234 | kfree(ipvs->ms); | ||
2235 | ipvs->ms = NULL; | ||
2236 | } | ||
2237 | + mutex_unlock(&ipvs->sync_mutex); | ||
2238 | + if (tinfo) { | ||
2239 | + if (tinfo->sock) | ||
2240 | + sock_release(tinfo->sock); | ||
2241 | + kfree(tinfo->buf); | ||
2242 | + kfree(tinfo); | ||
2243 | + } | ||
2244 | + kfree(array); | ||
2245 | + return result; | ||
2246 | + | ||
2247 | +out_early: | ||
2248 | + mutex_unlock(&ipvs->sync_mutex); | ||
2249 | + rtnl_unlock(); | ||
2250 | return result; | ||
2251 | } | ||
2252 | |||
2253 | diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c | ||
2254 | index 1b86eccf94b6..b3932846f6c4 100644 | ||
2255 | --- a/net/netlink/af_netlink.c | ||
2256 | +++ b/net/netlink/af_netlink.c | ||
2257 | @@ -1813,6 +1813,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) | ||
2258 | |||
2259 | if (msg->msg_namelen) { | ||
2260 | err = -EINVAL; | ||
2261 | + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) | ||
2262 | + goto out; | ||
2263 | if (addr->nl_family != AF_NETLINK) | ||
2264 | goto out; | ||
2265 | dst_portid = addr->nl_pid; | ||
2266 | diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c | ||
2267 | index 41bd496531d4..00192a996be0 100644 | ||
2268 | --- a/net/rfkill/rfkill-gpio.c | ||
2269 | +++ b/net/rfkill/rfkill-gpio.c | ||
2270 | @@ -137,13 +137,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev) | ||
2271 | |||
2272 | ret = rfkill_register(rfkill->rfkill_dev); | ||
2273 | if (ret < 0) | ||
2274 | - return ret; | ||
2275 | + goto err_destroy; | ||
2276 | |||
2277 | platform_set_drvdata(pdev, rfkill); | ||
2278 | |||
2279 | dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); | ||
2280 | |||
2281 | return 0; | ||
2282 | + | ||
2283 | +err_destroy: | ||
2284 | + rfkill_destroy(rfkill->rfkill_dev); | ||
2285 | + | ||
2286 | + return ret; | ||
2287 | } | ||
2288 | |||
2289 | static int rfkill_gpio_remove(struct platform_device *pdev) |