Contents of /trunk/kernel-alx/patches-4.19/0173-4.19.74-all-fixes.patch
Parent Directory | Revision Log
Revision 3470 -
(show annotations)
(download)
Tue Oct 29 10:31:30 2019 UTC (4 years, 10 months ago) by niro
File size: 51036 byte(s)
Tue Oct 29 10:31:30 2019 UTC (4 years, 10 months ago) by niro
File size: 51036 byte(s)
-linux-4.19.74
1 | diff --git a/Makefile b/Makefile |
2 | index 9748fa3704bc..3509e0c6e5ae 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,7 +1,7 @@ |
6 | # SPDX-License-Identifier: GPL-2.0 |
7 | VERSION = 4 |
8 | PATCHLEVEL = 19 |
9 | -SUBLEVEL = 73 |
10 | +SUBLEVEL = 74 |
11 | EXTRAVERSION = |
12 | NAME = "People's Front" |
13 | |
14 | diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h |
15 | index 23bea99bf8d5..1ca9e37f7cc9 100644 |
16 | --- a/arch/powerpc/include/asm/uaccess.h |
17 | +++ b/arch/powerpc/include/asm/uaccess.h |
18 | @@ -306,6 +306,7 @@ extern unsigned long __copy_tofrom_user(void __user *to, |
19 | static inline unsigned long |
20 | raw_copy_in_user(void __user *to, const void __user *from, unsigned long n) |
21 | { |
22 | + barrier_nospec(); |
23 | return __copy_tofrom_user(to, from, n); |
24 | } |
25 | #endif /* __powerpc64__ */ |
26 | diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c |
27 | index fcb55b02990e..05ea466b9e40 100644 |
28 | --- a/arch/s390/kvm/interrupt.c |
29 | +++ b/arch/s390/kvm/interrupt.c |
30 | @@ -1879,6 +1879,16 @@ int s390int_to_s390irq(struct kvm_s390_interrupt *s390int, |
31 | case KVM_S390_MCHK: |
32 | irq->u.mchk.mcic = s390int->parm64; |
33 | break; |
34 | + case KVM_S390_INT_PFAULT_INIT: |
35 | + irq->u.ext.ext_params = s390int->parm; |
36 | + irq->u.ext.ext_params2 = s390int->parm64; |
37 | + break; |
38 | + case KVM_S390_RESTART: |
39 | + case KVM_S390_INT_CLOCK_COMP: |
40 | + case KVM_S390_INT_CPU_TIMER: |
41 | + break; |
42 | + default: |
43 | + return -EINVAL; |
44 | } |
45 | return 0; |
46 | } |
47 | diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c |
48 | index fc7de27960e7..e0551c948c59 100644 |
49 | --- a/arch/s390/kvm/kvm-s390.c |
50 | +++ b/arch/s390/kvm/kvm-s390.c |
51 | @@ -928,6 +928,8 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm) |
52 | /* mark all the pages in active slots as dirty */ |
53 | for (slotnr = 0; slotnr < slots->used_slots; slotnr++) { |
54 | ms = slots->memslots + slotnr; |
55 | + if (!ms->dirty_bitmap) |
56 | + return -EINVAL; |
57 | /* |
58 | * The second half of the bitmap is only used on x86, |
59 | * and would be wasted otherwise, so we put it to good |
60 | @@ -3956,7 +3958,7 @@ long kvm_arch_vcpu_async_ioctl(struct file *filp, |
61 | } |
62 | case KVM_S390_INTERRUPT: { |
63 | struct kvm_s390_interrupt s390int; |
64 | - struct kvm_s390_irq s390irq; |
65 | + struct kvm_s390_irq s390irq = {}; |
66 | |
67 | if (copy_from_user(&s390int, argp, sizeof(s390int))) |
68 | return -EFAULT; |
69 | diff --git a/arch/x86/Makefile b/arch/x86/Makefile |
70 | index ce0d0424a53d..4833dd7e2cc0 100644 |
71 | --- a/arch/x86/Makefile |
72 | +++ b/arch/x86/Makefile |
73 | @@ -38,6 +38,7 @@ REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -DDISABLE_BRANCH_PROFILING \ |
74 | |
75 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding) |
76 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector) |
77 | +REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member) |
78 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4)) |
79 | export REALMODE_CFLAGS |
80 | |
81 | diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
82 | index 2938b4bcc968..e83f4f6bfdac 100644 |
83 | --- a/arch/x86/kvm/vmx.c |
84 | +++ b/arch/x86/kvm/vmx.c |
85 | @@ -8757,6 +8757,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) |
86 | u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); |
87 | gva_t gva = 0; |
88 | struct vmcs12 *vmcs12; |
89 | + struct x86_exception e; |
90 | |
91 | if (!nested_vmx_check_permission(vcpu)) |
92 | return 1; |
93 | @@ -8798,8 +8799,10 @@ static int handle_vmread(struct kvm_vcpu *vcpu) |
94 | vmx_instruction_info, true, &gva)) |
95 | return 1; |
96 | /* _system ok, nested_vmx_check_permission has verified cpl=0 */ |
97 | - kvm_write_guest_virt_system(vcpu, gva, &field_value, |
98 | - (is_long_mode(vcpu) ? 8 : 4), NULL); |
99 | + if (kvm_write_guest_virt_system(vcpu, gva, &field_value, |
100 | + (is_long_mode(vcpu) ? 8 : 4), |
101 | + NULL)) |
102 | + kvm_inject_page_fault(vcpu, &e); |
103 | } |
104 | |
105 | nested_vmx_succeed(vcpu); |
106 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c |
107 | index cbc39751f36b..dbae8415cf4a 100644 |
108 | --- a/arch/x86/kvm/x86.c |
109 | +++ b/arch/x86/kvm/x86.c |
110 | @@ -5016,6 +5016,13 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val, |
111 | /* kvm_write_guest_virt_system can pull in tons of pages. */ |
112 | vcpu->arch.l1tf_flush_l1d = true; |
113 | |
114 | + /* |
115 | + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED |
116 | + * is returned, but our callers are not ready for that and they blindly |
117 | + * call kvm_inject_page_fault. Ensure that they at least do not leak |
118 | + * uninitialized kernel stack memory into cr2 and error code. |
119 | + */ |
120 | + memset(exception, 0, sizeof(*exception)); |
121 | return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, |
122 | PFERR_WRITE_MASK, exception); |
123 | } |
124 | diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile |
125 | index 8901a1f89cf5..10fb42da0007 100644 |
126 | --- a/arch/x86/purgatory/Makefile |
127 | +++ b/arch/x86/purgatory/Makefile |
128 | @@ -18,37 +18,40 @@ targets += purgatory.ro |
129 | KASAN_SANITIZE := n |
130 | KCOV_INSTRUMENT := n |
131 | |
132 | +# These are adjustments to the compiler flags used for objects that |
133 | +# make up the standalone purgatory.ro |
134 | + |
135 | +PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel |
136 | +PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss |
137 | + |
138 | # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That |
139 | # in turn leaves some undefined symbols like __fentry__ in purgatory and not |
140 | # sure how to relocate those. |
141 | ifdef CONFIG_FUNCTION_TRACER |
142 | -CFLAGS_REMOVE_sha256.o += $(CC_FLAGS_FTRACE) |
143 | -CFLAGS_REMOVE_purgatory.o += $(CC_FLAGS_FTRACE) |
144 | -CFLAGS_REMOVE_string.o += $(CC_FLAGS_FTRACE) |
145 | -CFLAGS_REMOVE_kexec-purgatory.o += $(CC_FLAGS_FTRACE) |
146 | +PURGATORY_CFLAGS_REMOVE += $(CC_FLAGS_FTRACE) |
147 | endif |
148 | |
149 | ifdef CONFIG_STACKPROTECTOR |
150 | -CFLAGS_REMOVE_sha256.o += -fstack-protector |
151 | -CFLAGS_REMOVE_purgatory.o += -fstack-protector |
152 | -CFLAGS_REMOVE_string.o += -fstack-protector |
153 | -CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector |
154 | +PURGATORY_CFLAGS_REMOVE += -fstack-protector |
155 | endif |
156 | |
157 | ifdef CONFIG_STACKPROTECTOR_STRONG |
158 | -CFLAGS_REMOVE_sha256.o += -fstack-protector-strong |
159 | -CFLAGS_REMOVE_purgatory.o += -fstack-protector-strong |
160 | -CFLAGS_REMOVE_string.o += -fstack-protector-strong |
161 | -CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector-strong |
162 | +PURGATORY_CFLAGS_REMOVE += -fstack-protector-strong |
163 | endif |
164 | |
165 | ifdef CONFIG_RETPOLINE |
166 | -CFLAGS_REMOVE_sha256.o += $(RETPOLINE_CFLAGS) |
167 | -CFLAGS_REMOVE_purgatory.o += $(RETPOLINE_CFLAGS) |
168 | -CFLAGS_REMOVE_string.o += $(RETPOLINE_CFLAGS) |
169 | -CFLAGS_REMOVE_kexec-purgatory.o += $(RETPOLINE_CFLAGS) |
170 | +PURGATORY_CFLAGS_REMOVE += $(RETPOLINE_CFLAGS) |
171 | endif |
172 | |
173 | +CFLAGS_REMOVE_purgatory.o += $(PURGATORY_CFLAGS_REMOVE) |
174 | +CFLAGS_purgatory.o += $(PURGATORY_CFLAGS) |
175 | + |
176 | +CFLAGS_REMOVE_sha256.o += $(PURGATORY_CFLAGS_REMOVE) |
177 | +CFLAGS_sha256.o += $(PURGATORY_CFLAGS) |
178 | + |
179 | +CFLAGS_REMOVE_string.o += $(PURGATORY_CFLAGS_REMOVE) |
180 | +CFLAGS_string.o += $(PURGATORY_CFLAGS) |
181 | + |
182 | $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE |
183 | $(call if_changed,ld) |
184 | |
185 | diff --git a/drivers/base/core.c b/drivers/base/core.c |
186 | index e1a8d5c06f65..fcda6313e7de 100644 |
187 | --- a/drivers/base/core.c |
188 | +++ b/drivers/base/core.c |
189 | @@ -1648,12 +1648,63 @@ static inline struct kobject *get_glue_dir(struct device *dev) |
190 | */ |
191 | static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) |
192 | { |
193 | + unsigned int ref; |
194 | + |
195 | /* see if we live in a "glue" directory */ |
196 | if (!live_in_glue_dir(glue_dir, dev)) |
197 | return; |
198 | |
199 | mutex_lock(&gdp_mutex); |
200 | - if (!kobject_has_children(glue_dir)) |
201 | + /** |
202 | + * There is a race condition between removing glue directory |
203 | + * and adding a new device under the glue directory. |
204 | + * |
205 | + * CPU1: CPU2: |
206 | + * |
207 | + * device_add() |
208 | + * get_device_parent() |
209 | + * class_dir_create_and_add() |
210 | + * kobject_add_internal() |
211 | + * create_dir() // create glue_dir |
212 | + * |
213 | + * device_add() |
214 | + * get_device_parent() |
215 | + * kobject_get() // get glue_dir |
216 | + * |
217 | + * device_del() |
218 | + * cleanup_glue_dir() |
219 | + * kobject_del(glue_dir) |
220 | + * |
221 | + * kobject_add() |
222 | + * kobject_add_internal() |
223 | + * create_dir() // in glue_dir |
224 | + * sysfs_create_dir_ns() |
225 | + * kernfs_create_dir_ns(sd) |
226 | + * |
227 | + * sysfs_remove_dir() // glue_dir->sd=NULL |
228 | + * sysfs_put() // free glue_dir->sd |
229 | + * |
230 | + * // sd is freed |
231 | + * kernfs_new_node(sd) |
232 | + * kernfs_get(glue_dir) |
233 | + * kernfs_add_one() |
234 | + * kernfs_put() |
235 | + * |
236 | + * Before CPU1 remove last child device under glue dir, if CPU2 add |
237 | + * a new device under glue dir, the glue_dir kobject reference count |
238 | + * will be increase to 2 in kobject_get(k). And CPU2 has been called |
239 | + * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() |
240 | + * and sysfs_put(). This result in glue_dir->sd is freed. |
241 | + * |
242 | + * Then the CPU2 will see a stale "empty" but still potentially used |
243 | + * glue dir around in kernfs_new_node(). |
244 | + * |
245 | + * In order to avoid this happening, we also should make sure that |
246 | + * kernfs_node for glue_dir is released in CPU1 only when refcount |
247 | + * for glue_dir kobj is 1. |
248 | + */ |
249 | + ref = kref_read(&glue_dir->kref); |
250 | + if (!kobject_has_children(glue_dir) && !--ref) |
251 | kobject_del(glue_dir); |
252 | kobject_put(glue_dir); |
253 | mutex_unlock(&gdp_mutex); |
254 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c |
255 | index 75cf605f54e5..09c83dc2ef67 100644 |
256 | --- a/drivers/bluetooth/btusb.c |
257 | +++ b/drivers/bluetooth/btusb.c |
258 | @@ -1139,10 +1139,6 @@ static int btusb_open(struct hci_dev *hdev) |
259 | } |
260 | |
261 | data->intf->needs_remote_wakeup = 1; |
262 | - /* device specific wakeup source enabled and required for USB |
263 | - * remote wakeup while host is suspended |
264 | - */ |
265 | - device_wakeup_enable(&data->udev->dev); |
266 | |
267 | if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) |
268 | goto done; |
269 | @@ -1206,7 +1202,6 @@ static int btusb_close(struct hci_dev *hdev) |
270 | goto failed; |
271 | |
272 | data->intf->needs_remote_wakeup = 0; |
273 | - device_wakeup_disable(&data->udev->dev); |
274 | usb_autopm_put_interface(data->intf); |
275 | |
276 | failed: |
277 | diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c |
278 | index 026a26bb702d..dbec84238ecd 100644 |
279 | --- a/drivers/clk/rockchip/clk-mmc-phase.c |
280 | +++ b/drivers/clk/rockchip/clk-mmc-phase.c |
281 | @@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw) |
282 | u32 delay_num = 0; |
283 | |
284 | /* See the comment for rockchip_mmc_set_phase below */ |
285 | - if (!rate) { |
286 | - pr_err("%s: invalid clk rate\n", __func__); |
287 | + if (!rate) |
288 | return -EINVAL; |
289 | - } |
290 | |
291 | raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); |
292 | |
293 | diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c |
294 | index 41b288bdcdbf..064315edd289 100644 |
295 | --- a/drivers/crypto/talitos.c |
296 | +++ b/drivers/crypto/talitos.c |
297 | @@ -959,11 +959,13 @@ static void talitos_sg_unmap(struct device *dev, |
298 | |
299 | static void ipsec_esp_unmap(struct device *dev, |
300 | struct talitos_edesc *edesc, |
301 | - struct aead_request *areq) |
302 | + struct aead_request *areq, bool encrypt) |
303 | { |
304 | struct crypto_aead *aead = crypto_aead_reqtfm(areq); |
305 | struct talitos_ctx *ctx = crypto_aead_ctx(aead); |
306 | unsigned int ivsize = crypto_aead_ivsize(aead); |
307 | + unsigned int authsize = crypto_aead_authsize(aead); |
308 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); |
309 | bool is_ipsec_esp = edesc->desc.hdr & DESC_HDR_TYPE_IPSEC_ESP; |
310 | struct talitos_ptr *civ_ptr = &edesc->desc.ptr[is_ipsec_esp ? 2 : 3]; |
311 | |
312 | @@ -972,7 +974,7 @@ static void ipsec_esp_unmap(struct device *dev, |
313 | DMA_FROM_DEVICE); |
314 | unmap_single_talitos_ptr(dev, civ_ptr, DMA_TO_DEVICE); |
315 | |
316 | - talitos_sg_unmap(dev, edesc, areq->src, areq->dst, areq->cryptlen, |
317 | + talitos_sg_unmap(dev, edesc, areq->src, areq->dst, cryptlen, |
318 | areq->assoclen); |
319 | |
320 | if (edesc->dma_len) |
321 | @@ -983,7 +985,7 @@ static void ipsec_esp_unmap(struct device *dev, |
322 | unsigned int dst_nents = edesc->dst_nents ? : 1; |
323 | |
324 | sg_pcopy_to_buffer(areq->dst, dst_nents, ctx->iv, ivsize, |
325 | - areq->assoclen + areq->cryptlen - ivsize); |
326 | + areq->assoclen + cryptlen - ivsize); |
327 | } |
328 | } |
329 | |
330 | @@ -1005,7 +1007,7 @@ static void ipsec_esp_encrypt_done(struct device *dev, |
331 | |
332 | edesc = container_of(desc, struct talitos_edesc, desc); |
333 | |
334 | - ipsec_esp_unmap(dev, edesc, areq); |
335 | + ipsec_esp_unmap(dev, edesc, areq, true); |
336 | |
337 | /* copy the generated ICV to dst */ |
338 | if (edesc->icv_ool) { |
339 | @@ -1039,7 +1041,7 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, |
340 | |
341 | edesc = container_of(desc, struct talitos_edesc, desc); |
342 | |
343 | - ipsec_esp_unmap(dev, edesc, req); |
344 | + ipsec_esp_unmap(dev, edesc, req, false); |
345 | |
346 | if (!err) { |
347 | char icvdata[SHA512_DIGEST_SIZE]; |
348 | @@ -1085,7 +1087,7 @@ static void ipsec_esp_decrypt_hwauth_done(struct device *dev, |
349 | |
350 | edesc = container_of(desc, struct talitos_edesc, desc); |
351 | |
352 | - ipsec_esp_unmap(dev, edesc, req); |
353 | + ipsec_esp_unmap(dev, edesc, req, false); |
354 | |
355 | /* check ICV auth status */ |
356 | if (!err && ((desc->hdr_lo & DESC_HDR_LO_ICCR1_MASK) != |
357 | @@ -1188,6 +1190,7 @@ static int talitos_sg_map(struct device *dev, struct scatterlist *src, |
358 | * fill in and submit ipsec_esp descriptor |
359 | */ |
360 | static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, |
361 | + bool encrypt, |
362 | void (*callback)(struct device *dev, |
363 | struct talitos_desc *desc, |
364 | void *context, int error)) |
365 | @@ -1197,7 +1200,7 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, |
366 | struct talitos_ctx *ctx = crypto_aead_ctx(aead); |
367 | struct device *dev = ctx->dev; |
368 | struct talitos_desc *desc = &edesc->desc; |
369 | - unsigned int cryptlen = areq->cryptlen; |
370 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); |
371 | unsigned int ivsize = crypto_aead_ivsize(aead); |
372 | int tbl_off = 0; |
373 | int sg_count, ret; |
374 | @@ -1324,7 +1327,7 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, |
375 | |
376 | ret = talitos_submit(dev, ctx->ch, desc, callback, areq); |
377 | if (ret != -EINPROGRESS) { |
378 | - ipsec_esp_unmap(dev, edesc, areq); |
379 | + ipsec_esp_unmap(dev, edesc, areq, encrypt); |
380 | kfree(edesc); |
381 | } |
382 | return ret; |
383 | @@ -1438,9 +1441,10 @@ static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, |
384 | unsigned int authsize = crypto_aead_authsize(authenc); |
385 | struct talitos_ctx *ctx = crypto_aead_ctx(authenc); |
386 | unsigned int ivsize = crypto_aead_ivsize(authenc); |
387 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); |
388 | |
389 | return talitos_edesc_alloc(ctx->dev, areq->src, areq->dst, |
390 | - iv, areq->assoclen, areq->cryptlen, |
391 | + iv, areq->assoclen, cryptlen, |
392 | authsize, ivsize, icv_stashing, |
393 | areq->base.flags, encrypt); |
394 | } |
395 | @@ -1459,7 +1463,7 @@ static int aead_encrypt(struct aead_request *req) |
396 | /* set encrypt */ |
397 | edesc->desc.hdr = ctx->desc_hdr_template | DESC_HDR_MODE0_ENCRYPT; |
398 | |
399 | - return ipsec_esp(edesc, req, ipsec_esp_encrypt_done); |
400 | + return ipsec_esp(edesc, req, true, ipsec_esp_encrypt_done); |
401 | } |
402 | |
403 | static int aead_decrypt(struct aead_request *req) |
404 | @@ -1471,14 +1475,13 @@ static int aead_decrypt(struct aead_request *req) |
405 | struct talitos_edesc *edesc; |
406 | void *icvdata; |
407 | |
408 | - req->cryptlen -= authsize; |
409 | - |
410 | /* allocate extended descriptor */ |
411 | edesc = aead_edesc_alloc(req, req->iv, 1, false); |
412 | if (IS_ERR(edesc)) |
413 | return PTR_ERR(edesc); |
414 | |
415 | - if ((priv->features & TALITOS_FTR_HW_AUTH_CHECK) && |
416 | + if ((edesc->desc.hdr & DESC_HDR_TYPE_IPSEC_ESP) && |
417 | + (priv->features & TALITOS_FTR_HW_AUTH_CHECK) && |
418 | ((!edesc->src_nents && !edesc->dst_nents) || |
419 | priv->features & TALITOS_FTR_SRC_LINK_TBL_LEN_INCLUDES_EXTENT)) { |
420 | |
421 | @@ -1489,7 +1492,8 @@ static int aead_decrypt(struct aead_request *req) |
422 | |
423 | /* reset integrity check result bits */ |
424 | |
425 | - return ipsec_esp(edesc, req, ipsec_esp_decrypt_hwauth_done); |
426 | + return ipsec_esp(edesc, req, false, |
427 | + ipsec_esp_decrypt_hwauth_done); |
428 | } |
429 | |
430 | /* Have to check the ICV with software */ |
431 | @@ -1505,7 +1509,7 @@ static int aead_decrypt(struct aead_request *req) |
432 | sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, |
433 | req->assoclen + req->cryptlen - authsize); |
434 | |
435 | - return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done); |
436 | + return ipsec_esp(edesc, req, false, ipsec_esp_decrypt_swauth_done); |
437 | } |
438 | |
439 | static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, |
440 | @@ -1538,6 +1542,18 @@ static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, |
441 | return 0; |
442 | } |
443 | |
444 | +static int ablkcipher_aes_setkey(struct crypto_ablkcipher *cipher, |
445 | + const u8 *key, unsigned int keylen) |
446 | +{ |
447 | + if (keylen == AES_KEYSIZE_128 || keylen == AES_KEYSIZE_192 || |
448 | + keylen == AES_KEYSIZE_256) |
449 | + return ablkcipher_setkey(cipher, key, keylen); |
450 | + |
451 | + crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); |
452 | + |
453 | + return -EINVAL; |
454 | +} |
455 | + |
456 | static void common_nonsnoop_unmap(struct device *dev, |
457 | struct talitos_edesc *edesc, |
458 | struct ablkcipher_request *areq) |
459 | @@ -1660,6 +1676,14 @@ static int ablkcipher_encrypt(struct ablkcipher_request *areq) |
460 | struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); |
461 | struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); |
462 | struct talitos_edesc *edesc; |
463 | + unsigned int blocksize = |
464 | + crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); |
465 | + |
466 | + if (!areq->nbytes) |
467 | + return 0; |
468 | + |
469 | + if (areq->nbytes % blocksize) |
470 | + return -EINVAL; |
471 | |
472 | /* allocate extended descriptor */ |
473 | edesc = ablkcipher_edesc_alloc(areq, true); |
474 | @@ -1677,6 +1701,14 @@ static int ablkcipher_decrypt(struct ablkcipher_request *areq) |
475 | struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); |
476 | struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); |
477 | struct talitos_edesc *edesc; |
478 | + unsigned int blocksize = |
479 | + crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); |
480 | + |
481 | + if (!areq->nbytes) |
482 | + return 0; |
483 | + |
484 | + if (areq->nbytes % blocksize) |
485 | + return -EINVAL; |
486 | |
487 | /* allocate extended descriptor */ |
488 | edesc = ablkcipher_edesc_alloc(areq, false); |
489 | @@ -2705,6 +2737,7 @@ static struct talitos_alg_template driver_algs[] = { |
490 | .min_keysize = AES_MIN_KEY_SIZE, |
491 | .max_keysize = AES_MAX_KEY_SIZE, |
492 | .ivsize = AES_BLOCK_SIZE, |
493 | + .setkey = ablkcipher_aes_setkey, |
494 | } |
495 | }, |
496 | .desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU | |
497 | @@ -2715,13 +2748,13 @@ static struct talitos_alg_template driver_algs[] = { |
498 | .alg.crypto = { |
499 | .cra_name = "ctr(aes)", |
500 | .cra_driver_name = "ctr-aes-talitos", |
501 | - .cra_blocksize = AES_BLOCK_SIZE, |
502 | + .cra_blocksize = 1, |
503 | .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | |
504 | CRYPTO_ALG_ASYNC, |
505 | .cra_ablkcipher = { |
506 | .min_keysize = AES_MIN_KEY_SIZE, |
507 | .max_keysize = AES_MAX_KEY_SIZE, |
508 | - .ivsize = AES_BLOCK_SIZE, |
509 | + .setkey = ablkcipher_aes_setkey, |
510 | } |
511 | }, |
512 | .desc_hdr_template = DESC_HDR_TYPE_AESU_CTR_NONSNOOP | |
513 | diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c |
514 | index 7fa744793bc5..5e35a66ed0ae 100644 |
515 | --- a/drivers/firmware/ti_sci.c |
516 | +++ b/drivers/firmware/ti_sci.c |
517 | @@ -463,9 +463,9 @@ static int ti_sci_cmd_get_revision(struct ti_sci_info *info) |
518 | struct ti_sci_xfer *xfer; |
519 | int ret; |
520 | |
521 | - /* No need to setup flags since it is expected to respond */ |
522 | xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_VERSION, |
523 | - 0x0, sizeof(struct ti_sci_msg_hdr), |
524 | + TI_SCI_FLAG_REQ_ACK_ON_PROCESSED, |
525 | + sizeof(struct ti_sci_msg_hdr), |
526 | sizeof(*rev_info)); |
527 | if (IS_ERR(xfer)) { |
528 | ret = PTR_ERR(xfer); |
529 | @@ -593,9 +593,9 @@ static int ti_sci_get_device_state(const struct ti_sci_handle *handle, |
530 | info = handle_to_ti_sci_info(handle); |
531 | dev = info->dev; |
532 | |
533 | - /* Response is expected, so need of any flags */ |
534 | xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_GET_DEVICE_STATE, |
535 | - 0, sizeof(*req), sizeof(*resp)); |
536 | + TI_SCI_FLAG_REQ_ACK_ON_PROCESSED, |
537 | + sizeof(*req), sizeof(*resp)); |
538 | if (IS_ERR(xfer)) { |
539 | ret = PTR_ERR(xfer); |
540 | dev_err(dev, "Message alloc failed(%d)\n", ret); |
541 | diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c |
542 | index c5e009f61021..cf2604e63599 100644 |
543 | --- a/drivers/gpio/gpiolib-acpi.c |
544 | +++ b/drivers/gpio/gpiolib-acpi.c |
545 | @@ -10,6 +10,7 @@ |
546 | * published by the Free Software Foundation. |
547 | */ |
548 | |
549 | +#include <linux/dmi.h> |
550 | #include <linux/errno.h> |
551 | #include <linux/gpio.h> |
552 | #include <linux/gpio/consumer.h> |
553 | @@ -23,6 +24,11 @@ |
554 | |
555 | #include "gpiolib.h" |
556 | |
557 | +static int run_edge_events_on_boot = -1; |
558 | +module_param(run_edge_events_on_boot, int, 0444); |
559 | +MODULE_PARM_DESC(run_edge_events_on_boot, |
560 | + "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto"); |
561 | + |
562 | /** |
563 | * struct acpi_gpio_event - ACPI GPIO event handler data |
564 | * |
565 | @@ -174,10 +180,13 @@ static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio, |
566 | event->irq_requested = true; |
567 | |
568 | /* Make sure we trigger the initial state of edge-triggered IRQs */ |
569 | - value = gpiod_get_raw_value_cansleep(event->desc); |
570 | - if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || |
571 | - ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) |
572 | - event->handler(event->irq, event); |
573 | + if (run_edge_events_on_boot && |
574 | + (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) { |
575 | + value = gpiod_get_raw_value_cansleep(event->desc); |
576 | + if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || |
577 | + ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) |
578 | + event->handler(event->irq, event); |
579 | + } |
580 | } |
581 | |
582 | static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio) |
583 | @@ -1253,3 +1262,28 @@ static int acpi_gpio_handle_deferred_request_irqs(void) |
584 | } |
585 | /* We must use _sync so that this runs after the first deferred_probe run */ |
586 | late_initcall_sync(acpi_gpio_handle_deferred_request_irqs); |
587 | + |
588 | +static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = { |
589 | + { |
590 | + .matches = { |
591 | + DMI_MATCH(DMI_SYS_VENDOR, "MINIX"), |
592 | + DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"), |
593 | + } |
594 | + }, |
595 | + {} /* Terminating entry */ |
596 | +}; |
597 | + |
598 | +static int acpi_gpio_setup_params(void) |
599 | +{ |
600 | + if (run_edge_events_on_boot < 0) { |
601 | + if (dmi_check_system(run_edge_events_on_boot_blacklist)) |
602 | + run_edge_events_on_boot = 0; |
603 | + else |
604 | + run_edge_events_on_boot = 1; |
605 | + } |
606 | + |
607 | + return 0; |
608 | +} |
609 | + |
610 | +/* Directly after dmi_setup() which runs as core_initcall() */ |
611 | +postcore_initcall(acpi_gpio_setup_params); |
612 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c |
613 | index 53395852f012..3289b53a7ba1 100644 |
614 | --- a/drivers/gpio/gpiolib.c |
615 | +++ b/drivers/gpio/gpiolib.c |
616 | @@ -524,6 +524,14 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
617 | if (lflags & ~GPIOHANDLE_REQUEST_VALID_FLAGS) |
618 | return -EINVAL; |
619 | |
620 | + /* |
621 | + * Do not allow both INPUT & OUTPUT flags to be set as they are |
622 | + * contradictory. |
623 | + */ |
624 | + if ((lflags & GPIOHANDLE_REQUEST_INPUT) && |
625 | + (lflags & GPIOHANDLE_REQUEST_OUTPUT)) |
626 | + return -EINVAL; |
627 | + |
628 | /* |
629 | * Do not allow OPEN_SOURCE & OPEN_DRAIN flags in a single request. If |
630 | * the hardware actually supports enabling both at the same time the |
631 | @@ -916,7 +924,9 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) |
632 | } |
633 | |
634 | /* This is just wrong: we don't look for events on output lines */ |
635 | - if (lflags & GPIOHANDLE_REQUEST_OUTPUT) { |
636 | + if ((lflags & GPIOHANDLE_REQUEST_OUTPUT) || |
637 | + (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) || |
638 | + (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)) { |
639 | ret = -EINVAL; |
640 | goto out_free_label; |
641 | } |
642 | @@ -930,10 +940,6 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) |
643 | |
644 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) |
645 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); |
646 | - if (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) |
647 | - set_bit(FLAG_OPEN_DRAIN, &desc->flags); |
648 | - if (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE) |
649 | - set_bit(FLAG_OPEN_SOURCE, &desc->flags); |
650 | |
651 | ret = gpiod_direction_input(desc); |
652 | if (ret) |
653 | diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c |
654 | index b44bed554211..cc354b491774 100644 |
655 | --- a/drivers/gpu/drm/drm_panel_orientation_quirks.c |
656 | +++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c |
657 | @@ -82,6 +82,12 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = { |
658 | .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, |
659 | }; |
660 | |
661 | +static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = { |
662 | + .width = 720, |
663 | + .height = 1280, |
664 | + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, |
665 | +}; |
666 | + |
667 | static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = { |
668 | .width = 800, |
669 | .height = 1280, |
670 | @@ -109,6 +115,12 @@ static const struct dmi_system_id orientation_data[] = { |
671 | DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), |
672 | }, |
673 | .driver_data = (void *)&gpd_micropc, |
674 | + }, { /* GPD MicroPC (later BIOS versions with proper DMI strings) */ |
675 | + .matches = { |
676 | + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"), |
677 | + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "MicroPC"), |
678 | + }, |
679 | + .driver_data = (void *)&lcd720x1280_rightside_up, |
680 | }, { /* |
681 | * GPD Pocket, note that the the DMI data is less generic then |
682 | * it seems, devices with a board-vendor of "AMI Corporation" |
683 | diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c |
684 | index f6389479fccb..947bc6d62302 100644 |
685 | --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c |
686 | +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c |
687 | @@ -566,12 +566,15 @@ static int mtk_drm_probe(struct platform_device *pdev) |
688 | comp = devm_kzalloc(dev, sizeof(*comp), GFP_KERNEL); |
689 | if (!comp) { |
690 | ret = -ENOMEM; |
691 | + of_node_put(node); |
692 | goto err_node; |
693 | } |
694 | |
695 | ret = mtk_ddp_comp_init(dev, node, comp, comp_id, NULL); |
696 | - if (ret) |
697 | + if (ret) { |
698 | + of_node_put(node); |
699 | goto err_node; |
700 | + } |
701 | |
702 | private->ddp_comp[comp_id] = comp; |
703 | } |
704 | diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c |
705 | index 12c80dfcff59..c7daae53fa1f 100644 |
706 | --- a/drivers/gpu/drm/meson/meson_plane.c |
707 | +++ b/drivers/gpu/drm/meson/meson_plane.c |
708 | @@ -120,6 +120,13 @@ static void meson_plane_atomic_update(struct drm_plane *plane, |
709 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | |
710 | OSD_COLOR_MATRIX_32_ARGB; |
711 | break; |
712 | + case DRM_FORMAT_XBGR8888: |
713 | + /* For XRGB, replace the pixel's alpha by 0xFF */ |
714 | + writel_bits_relaxed(OSD_REPLACE_EN, OSD_REPLACE_EN, |
715 | + priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); |
716 | + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | |
717 | + OSD_COLOR_MATRIX_32_ABGR; |
718 | + break; |
719 | case DRM_FORMAT_ARGB8888: |
720 | /* For ARGB, use the pixel's alpha */ |
721 | writel_bits_relaxed(OSD_REPLACE_EN, 0, |
722 | @@ -127,6 +134,13 @@ static void meson_plane_atomic_update(struct drm_plane *plane, |
723 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | |
724 | OSD_COLOR_MATRIX_32_ARGB; |
725 | break; |
726 | + case DRM_FORMAT_ABGR8888: |
727 | + /* For ARGB, use the pixel's alpha */ |
728 | + writel_bits_relaxed(OSD_REPLACE_EN, 0, |
729 | + priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); |
730 | + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | |
731 | + OSD_COLOR_MATRIX_32_ABGR; |
732 | + break; |
733 | case DRM_FORMAT_RGB888: |
734 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_24 | |
735 | OSD_COLOR_MATRIX_24_RGB; |
736 | @@ -196,7 +210,9 @@ static const struct drm_plane_funcs meson_plane_funcs = { |
737 | |
738 | static const uint32_t supported_drm_formats[] = { |
739 | DRM_FORMAT_ARGB8888, |
740 | + DRM_FORMAT_ABGR8888, |
741 | DRM_FORMAT_XRGB8888, |
742 | + DRM_FORMAT_XBGR8888, |
743 | DRM_FORMAT_RGB888, |
744 | DRM_FORMAT_RGB565, |
745 | }; |
746 | diff --git a/drivers/iio/adc/stm32-dfsdm-adc.c b/drivers/iio/adc/stm32-dfsdm-adc.c |
747 | index 15a115210108..f5586dd6414d 100644 |
748 | --- a/drivers/iio/adc/stm32-dfsdm-adc.c |
749 | +++ b/drivers/iio/adc/stm32-dfsdm-adc.c |
750 | @@ -981,11 +981,11 @@ static int stm32_dfsdm_adc_chan_init_one(struct iio_dev *indio_dev, |
751 | ch->info_mask_shared_by_all = BIT(IIO_CHAN_INFO_OVERSAMPLING_RATIO); |
752 | |
753 | if (adc->dev_data->type == DFSDM_AUDIO) { |
754 | - ch->scan_type.sign = 's'; |
755 | ch->ext_info = dfsdm_adc_audio_ext_info; |
756 | } else { |
757 | - ch->scan_type.sign = 'u'; |
758 | + ch->scan_type.shift = 8; |
759 | } |
760 | + ch->scan_type.sign = 's'; |
761 | ch->scan_type.realbits = 24; |
762 | ch->scan_type.storagebits = 32; |
763 | |
764 | diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c |
765 | index ef5560b848ab..21786a442368 100644 |
766 | --- a/drivers/isdn/capi/capi.c |
767 | +++ b/drivers/isdn/capi/capi.c |
768 | @@ -688,6 +688,9 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos |
769 | if (!cdev->ap.applid) |
770 | return -ENODEV; |
771 | |
772 | + if (count < CAPIMSG_BASELEN) |
773 | + return -EINVAL; |
774 | + |
775 | skb = alloc_skb(count, GFP_USER); |
776 | if (!skb) |
777 | return -ENOMEM; |
778 | @@ -698,7 +701,8 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos |
779 | } |
780 | mlen = CAPIMSG_LEN(skb->data); |
781 | if (CAPIMSG_CMD(skb->data) == CAPI_DATA_B3_REQ) { |
782 | - if ((size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { |
783 | + if (count < CAPI_DATA_B3_REQ_LEN || |
784 | + (size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { |
785 | kfree_skb(skb); |
786 | return -EINVAL; |
787 | } |
788 | @@ -711,6 +715,10 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos |
789 | CAPIMSG_SETAPPID(skb->data, cdev->ap.applid); |
790 | |
791 | if (CAPIMSG_CMD(skb->data) == CAPI_DISCONNECT_B3_RESP) { |
792 | + if (count < CAPI_DISCONNECT_B3_RESP_LEN) { |
793 | + kfree_skb(skb); |
794 | + return -EINVAL; |
795 | + } |
796 | mutex_lock(&cdev->lock); |
797 | capincci_free(cdev, CAPIMSG_NCCI(skb->data)); |
798 | mutex_unlock(&cdev->lock); |
799 | diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c |
800 | index dce5b7e44e7a..ab5a8778c4b2 100644 |
801 | --- a/drivers/mtd/nand/raw/mtk_nand.c |
802 | +++ b/drivers/mtd/nand/raw/mtk_nand.c |
803 | @@ -863,19 +863,21 @@ static int mtk_nfc_write_oob_std(struct mtd_info *mtd, struct nand_chip *chip, |
804 | return mtk_nfc_write_page_raw(mtd, chip, NULL, 1, page); |
805 | } |
806 | |
807 | -static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors) |
808 | +static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start, |
809 | + u32 sectors) |
810 | { |
811 | struct nand_chip *chip = mtd_to_nand(mtd); |
812 | struct mtk_nfc *nfc = nand_get_controller_data(chip); |
813 | struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip); |
814 | struct mtk_ecc_stats stats; |
815 | + u32 reg_size = mtk_nand->fdm.reg_size; |
816 | int rc, i; |
817 | |
818 | rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE; |
819 | if (rc) { |
820 | memset(buf, 0xff, sectors * chip->ecc.size); |
821 | for (i = 0; i < sectors; i++) |
822 | - memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size); |
823 | + memset(oob_ptr(chip, start + i), 0xff, reg_size); |
824 | return 0; |
825 | } |
826 | |
827 | @@ -895,7 +897,7 @@ static int mtk_nfc_read_subpage(struct mtd_info *mtd, struct nand_chip *chip, |
828 | u32 spare = mtk_nand->spare_per_sector; |
829 | u32 column, sectors, start, end, reg; |
830 | dma_addr_t addr; |
831 | - int bitflips; |
832 | + int bitflips = 0; |
833 | size_t len; |
834 | u8 *buf; |
835 | int rc; |
836 | @@ -962,14 +964,11 @@ static int mtk_nfc_read_subpage(struct mtd_info *mtd, struct nand_chip *chip, |
837 | if (rc < 0) { |
838 | dev_err(nfc->dev, "subpage done timeout\n"); |
839 | bitflips = -EIO; |
840 | - } else { |
841 | - bitflips = 0; |
842 | - if (!raw) { |
843 | - rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); |
844 | - bitflips = rc < 0 ? -ETIMEDOUT : |
845 | - mtk_nfc_update_ecc_stats(mtd, buf, sectors); |
846 | - mtk_nfc_read_fdm(chip, start, sectors); |
847 | - } |
848 | + } else if (!raw) { |
849 | + rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); |
850 | + bitflips = rc < 0 ? -ETIMEDOUT : |
851 | + mtk_nfc_update_ecc_stats(mtd, buf, start, sectors); |
852 | + mtk_nfc_read_fdm(chip, start, sectors); |
853 | } |
854 | |
855 | dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE); |
856 | diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
857 | index 410d5d3aa393..85280765d793 100644 |
858 | --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
859 | +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
860 | @@ -34,6 +34,7 @@ |
861 | #include <net/tc_act/tc_mirred.h> |
862 | #include <net/vxlan.h> |
863 | #include <net/mpls.h> |
864 | +#include <net/xfrm.h> |
865 | |
866 | #include "ixgbe.h" |
867 | #include "ixgbe_common.h" |
868 | @@ -2625,7 +2626,7 @@ adjust_by_size: |
869 | /* 16K ints/sec to 9.2K ints/sec */ |
870 | avg_wire_size *= 15; |
871 | avg_wire_size += 11452; |
872 | - } else if (avg_wire_size <= 1980) { |
873 | + } else if (avg_wire_size < 1968) { |
874 | /* 9.2K ints/sec to 8K ints/sec */ |
875 | avg_wire_size *= 5; |
876 | avg_wire_size += 22420; |
877 | @@ -2658,6 +2659,8 @@ adjust_by_size: |
878 | case IXGBE_LINK_SPEED_2_5GB_FULL: |
879 | case IXGBE_LINK_SPEED_1GB_FULL: |
880 | case IXGBE_LINK_SPEED_10_FULL: |
881 | + if (avg_wire_size > 8064) |
882 | + avg_wire_size = 8064; |
883 | itr += DIV_ROUND_UP(avg_wire_size, |
884 | IXGBE_ITR_ADAPTIVE_MIN_INC * 64) * |
885 | IXGBE_ITR_ADAPTIVE_MIN_INC; |
886 | @@ -8599,7 +8602,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb, |
887 | #endif /* IXGBE_FCOE */ |
888 | |
889 | #ifdef CONFIG_XFRM_OFFLOAD |
890 | - if (skb->sp && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) |
891 | + if (xfrm_offload(skb) && |
892 | + !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) |
893 | goto out_drop; |
894 | #endif |
895 | tso = ixgbe_tso(tx_ring, first, &hdr_len, &ipsec_tx); |
896 | diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c |
897 | index 2e8056d48f4a..723611ac9102 100644 |
898 | --- a/drivers/net/phy/phylink.c |
899 | +++ b/drivers/net/phy/phylink.c |
900 | @@ -380,8 +380,8 @@ static void phylink_get_fixed_state(struct phylink *pl, struct phylink_link_stat |
901 | * Local device Link partner |
902 | * Pause AsymDir Pause AsymDir Result |
903 | * 1 X 1 X TX+RX |
904 | - * 0 1 1 1 RX |
905 | - * 1 1 0 1 TX |
906 | + * 0 1 1 1 TX |
907 | + * 1 1 0 1 RX |
908 | */ |
909 | static void phylink_resolve_flow(struct phylink *pl, |
910 | struct phylink_link_state *state) |
911 | @@ -402,7 +402,7 @@ static void phylink_resolve_flow(struct phylink *pl, |
912 | new_pause = MLO_PAUSE_TX | MLO_PAUSE_RX; |
913 | else if (pause & MLO_PAUSE_ASYM) |
914 | new_pause = state->pause & MLO_PAUSE_SYM ? |
915 | - MLO_PAUSE_RX : MLO_PAUSE_TX; |
916 | + MLO_PAUSE_TX : MLO_PAUSE_RX; |
917 | } else { |
918 | new_pause = pl->link_config.pause & MLO_PAUSE_TXRX_MASK; |
919 | } |
920 | diff --git a/drivers/net/tun.c b/drivers/net/tun.c |
921 | index 5fa7047ea361..e1ac1c57089f 100644 |
922 | --- a/drivers/net/tun.c |
923 | +++ b/drivers/net/tun.c |
924 | @@ -801,7 +801,8 @@ static void tun_detach_all(struct net_device *dev) |
925 | } |
926 | |
927 | static int tun_attach(struct tun_struct *tun, struct file *file, |
928 | - bool skip_filter, bool napi, bool napi_frags) |
929 | + bool skip_filter, bool napi, bool napi_frags, |
930 | + bool publish_tun) |
931 | { |
932 | struct tun_file *tfile = file->private_data; |
933 | struct net_device *dev = tun->dev; |
934 | @@ -881,7 +882,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file, |
935 | * initialized tfile; otherwise we risk using half-initialized |
936 | * object. |
937 | */ |
938 | - rcu_assign_pointer(tfile->tun, tun); |
939 | + if (publish_tun) |
940 | + rcu_assign_pointer(tfile->tun, tun); |
941 | rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile); |
942 | tun->numqueues++; |
943 | tun_set_real_num_queues(tun); |
944 | @@ -2553,7 +2555,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) |
945 | |
946 | err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER, |
947 | ifr->ifr_flags & IFF_NAPI, |
948 | - ifr->ifr_flags & IFF_NAPI_FRAGS); |
949 | + ifr->ifr_flags & IFF_NAPI_FRAGS, true); |
950 | if (err < 0) |
951 | return err; |
952 | |
953 | @@ -2652,13 +2654,17 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) |
954 | |
955 | INIT_LIST_HEAD(&tun->disabled); |
956 | err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI, |
957 | - ifr->ifr_flags & IFF_NAPI_FRAGS); |
958 | + ifr->ifr_flags & IFF_NAPI_FRAGS, false); |
959 | if (err < 0) |
960 | goto err_free_flow; |
961 | |
962 | err = register_netdevice(tun->dev); |
963 | if (err < 0) |
964 | goto err_detach; |
965 | + /* free_netdev() won't check refcnt, to aovid race |
966 | + * with dev_put() we need publish tun after registration. |
967 | + */ |
968 | + rcu_assign_pointer(tfile->tun, tun); |
969 | } |
970 | |
971 | netif_carrier_on(tun->dev); |
972 | @@ -2802,7 +2808,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) |
973 | if (ret < 0) |
974 | goto unlock; |
975 | ret = tun_attach(tun, file, false, tun->flags & IFF_NAPI, |
976 | - tun->flags & IFF_NAPI_FRAGS); |
977 | + tun->flags & IFF_NAPI_FRAGS, true); |
978 | } else if (ifr->ifr_flags & IFF_DETACH_QUEUE) { |
979 | tun = rtnl_dereference(tfile->tun); |
980 | if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached) |
981 | diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c |
982 | index 5c42cf81a08b..85fba64c3fcf 100644 |
983 | --- a/drivers/net/usb/cdc_ether.c |
984 | +++ b/drivers/net/usb/cdc_ether.c |
985 | @@ -221,9 +221,16 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) |
986 | goto bad_desc; |
987 | } |
988 | skip: |
989 | - if ( rndis && |
990 | - header.usb_cdc_acm_descriptor && |
991 | - header.usb_cdc_acm_descriptor->bmCapabilities) { |
992 | + /* Communcation class functions with bmCapabilities are not |
993 | + * RNDIS. But some Wireless class RNDIS functions use |
994 | + * bmCapabilities for their own purpose. The failsafe is |
995 | + * therefore applied only to Communication class RNDIS |
996 | + * functions. The rndis test is redundant, but a cheap |
997 | + * optimization. |
998 | + */ |
999 | + if (rndis && is_rndis(&intf->cur_altsetting->desc) && |
1000 | + header.usb_cdc_acm_descriptor && |
1001 | + header.usb_cdc_acm_descriptor->bmCapabilities) { |
1002 | dev_dbg(&intf->dev, |
1003 | "ACM capabilities %02x, not really RNDIS?\n", |
1004 | header.usb_cdc_acm_descriptor->bmCapabilities); |
1005 | diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c |
1006 | index f360690396dd..14e56bee0548 100644 |
1007 | --- a/drivers/net/wireless/rsi/rsi_91x_usb.c |
1008 | +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c |
1009 | @@ -643,7 +643,6 @@ fail_rx: |
1010 | kfree(rsi_dev->tx_buffer); |
1011 | |
1012 | fail_eps: |
1013 | - kfree(rsi_dev); |
1014 | |
1015 | return status; |
1016 | } |
1017 | diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c |
1018 | index 99de51e87f7f..d32eba11c000 100644 |
1019 | --- a/drivers/nvmem/core.c |
1020 | +++ b/drivers/nvmem/core.c |
1021 | @@ -415,10 +415,17 @@ static int nvmem_setup_compat(struct nvmem_device *nvmem, |
1022 | if (!config->base_dev) |
1023 | return -EINVAL; |
1024 | |
1025 | - if (nvmem->read_only) |
1026 | - nvmem->eeprom = bin_attr_ro_root_nvmem; |
1027 | - else |
1028 | - nvmem->eeprom = bin_attr_rw_root_nvmem; |
1029 | + if (nvmem->read_only) { |
1030 | + if (config->root_only) |
1031 | + nvmem->eeprom = bin_attr_ro_root_nvmem; |
1032 | + else |
1033 | + nvmem->eeprom = bin_attr_ro_nvmem; |
1034 | + } else { |
1035 | + if (config->root_only) |
1036 | + nvmem->eeprom = bin_attr_rw_root_nvmem; |
1037 | + else |
1038 | + nvmem->eeprom = bin_attr_rw_nvmem; |
1039 | + } |
1040 | nvmem->eeprom.attr.name = "eeprom"; |
1041 | nvmem->eeprom.size = nvmem->size; |
1042 | #ifdef CONFIG_DEBUG_LOCK_ALLOC |
1043 | diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c |
1044 | index 956ee7527d2c..ec317bcb1bca 100644 |
1045 | --- a/drivers/pci/pci-driver.c |
1046 | +++ b/drivers/pci/pci-driver.c |
1047 | @@ -399,7 +399,8 @@ void __weak pcibios_free_irq(struct pci_dev *dev) |
1048 | #ifdef CONFIG_PCI_IOV |
1049 | static inline bool pci_device_can_probe(struct pci_dev *pdev) |
1050 | { |
1051 | - return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe); |
1052 | + return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe || |
1053 | + pdev->driver_override); |
1054 | } |
1055 | #else |
1056 | static inline bool pci_device_can_probe(struct pci_dev *pdev) |
1057 | diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c |
1058 | index b1d804376237..6a61028cbb3c 100644 |
1059 | --- a/drivers/platform/x86/pmc_atom.c |
1060 | +++ b/drivers/platform/x86/pmc_atom.c |
1061 | @@ -421,6 +421,14 @@ static const struct dmi_system_id critclk_systems[] = { |
1062 | DMI_MATCH(DMI_BOARD_NAME, "CB3163"), |
1063 | }, |
1064 | }, |
1065 | + { |
1066 | + /* pmc_plt_clk* - are used for ethernet controllers */ |
1067 | + .ident = "Beckhoff CB4063", |
1068 | + .matches = { |
1069 | + DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), |
1070 | + DMI_MATCH(DMI_BOARD_NAME, "CB4063"), |
1071 | + }, |
1072 | + }, |
1073 | { |
1074 | /* pmc_plt_clk* - are used for ethernet controllers */ |
1075 | .ident = "Beckhoff CB6263", |
1076 | diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c |
1077 | index 08c5afa06aee..e561eb475339 100644 |
1078 | --- a/fs/btrfs/tree-log.c |
1079 | +++ b/fs/btrfs/tree-log.c |
1080 | @@ -5107,7 +5107,7 @@ again: |
1081 | BTRFS_I(other_inode), |
1082 | LOG_OTHER_INODE, 0, LLONG_MAX, |
1083 | ctx); |
1084 | - iput(other_inode); |
1085 | + btrfs_add_delayed_iput(other_inode); |
1086 | if (err) |
1087 | goto out_unlock; |
1088 | else |
1089 | @@ -5519,7 +5519,7 @@ process_leaf: |
1090 | } |
1091 | |
1092 | if (btrfs_inode_in_log(BTRFS_I(di_inode), trans->transid)) { |
1093 | - iput(di_inode); |
1094 | + btrfs_add_delayed_iput(di_inode); |
1095 | break; |
1096 | } |
1097 | |
1098 | @@ -5531,7 +5531,7 @@ process_leaf: |
1099 | if (!ret && |
1100 | btrfs_must_commit_transaction(trans, BTRFS_I(di_inode))) |
1101 | ret = 1; |
1102 | - iput(di_inode); |
1103 | + btrfs_add_delayed_iput(di_inode); |
1104 | if (ret) |
1105 | goto next_dir_inode; |
1106 | if (ctx->log_new_dentries) { |
1107 | @@ -5678,7 +5678,7 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans, |
1108 | if (!ret && ctx && ctx->log_new_dentries) |
1109 | ret = log_new_dir_dentries(trans, root, |
1110 | BTRFS_I(dir_inode), ctx); |
1111 | - iput(dir_inode); |
1112 | + btrfs_add_delayed_iput(dir_inode); |
1113 | if (ret) |
1114 | goto out; |
1115 | } |
1116 | diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c |
1117 | index bf416e512743..f15ac37956e7 100644 |
1118 | --- a/fs/ubifs/tnc.c |
1119 | +++ b/fs/ubifs/tnc.c |
1120 | @@ -1165,8 +1165,8 @@ static struct ubifs_znode *dirty_cow_bottom_up(struct ubifs_info *c, |
1121 | * o exact match, i.e. the found zero-level znode contains key @key, then %1 |
1122 | * is returned and slot number of the matched branch is stored in @n; |
1123 | * o not exact match, which means that zero-level znode does not contain |
1124 | - * @key, then %0 is returned and slot number of the closest branch is stored |
1125 | - * in @n; |
1126 | + * @key, then %0 is returned and slot number of the closest branch or %-1 |
1127 | + * is stored in @n; In this case calling tnc_next() is mandatory. |
1128 | * o @key is so small that it is even less than the lowest key of the |
1129 | * leftmost zero-level node, then %0 is returned and %0 is stored in @n. |
1130 | * |
1131 | @@ -1883,13 +1883,19 @@ int ubifs_tnc_lookup_nm(struct ubifs_info *c, const union ubifs_key *key, |
1132 | |
1133 | static int search_dh_cookie(struct ubifs_info *c, const union ubifs_key *key, |
1134 | struct ubifs_dent_node *dent, uint32_t cookie, |
1135 | - struct ubifs_znode **zn, int *n) |
1136 | + struct ubifs_znode **zn, int *n, int exact) |
1137 | { |
1138 | int err; |
1139 | struct ubifs_znode *znode = *zn; |
1140 | struct ubifs_zbranch *zbr; |
1141 | union ubifs_key *dkey; |
1142 | |
1143 | + if (!exact) { |
1144 | + err = tnc_next(c, &znode, n); |
1145 | + if (err) |
1146 | + return err; |
1147 | + } |
1148 | + |
1149 | for (;;) { |
1150 | zbr = &znode->zbranch[*n]; |
1151 | dkey = &zbr->key; |
1152 | @@ -1931,7 +1937,7 @@ static int do_lookup_dh(struct ubifs_info *c, const union ubifs_key *key, |
1153 | if (unlikely(err < 0)) |
1154 | goto out_unlock; |
1155 | |
1156 | - err = search_dh_cookie(c, key, dent, cookie, &znode, &n); |
1157 | + err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); |
1158 | |
1159 | out_unlock: |
1160 | mutex_unlock(&c->tnc_mutex); |
1161 | @@ -2718,7 +2724,7 @@ int ubifs_tnc_remove_dh(struct ubifs_info *c, const union ubifs_key *key, |
1162 | if (unlikely(err < 0)) |
1163 | goto out_free; |
1164 | |
1165 | - err = search_dh_cookie(c, key, dent, cookie, &znode, &n); |
1166 | + err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); |
1167 | if (err) |
1168 | goto out_free; |
1169 | } |
1170 | diff --git a/include/uapi/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h |
1171 | index 4941628a4fb9..5ec88e7548a9 100644 |
1172 | --- a/include/uapi/linux/isdn/capicmd.h |
1173 | +++ b/include/uapi/linux/isdn/capicmd.h |
1174 | @@ -16,6 +16,7 @@ |
1175 | #define CAPI_MSG_BASELEN 8 |
1176 | #define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2) |
1177 | #define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2) |
1178 | +#define CAPI_DISCONNECT_B3_RESP_LEN (CAPI_MSG_BASELEN+4) |
1179 | |
1180 | /*----- CAPI commands -----*/ |
1181 | #define CAPI_ALERT 0x01 |
1182 | diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c |
1183 | index 95414ad3506a..98c04ca5fa43 100644 |
1184 | --- a/kernel/irq/resend.c |
1185 | +++ b/kernel/irq/resend.c |
1186 | @@ -36,6 +36,8 @@ static void resend_irqs(unsigned long arg) |
1187 | irq = find_first_bit(irqs_resend, nr_irqs); |
1188 | clear_bit(irq, irqs_resend); |
1189 | desc = irq_to_desc(irq); |
1190 | + if (!desc) |
1191 | + continue; |
1192 | local_irq_disable(); |
1193 | desc->handle_irq(desc); |
1194 | local_irq_enable(); |
1195 | diff --git a/kernel/module.c b/kernel/module.c |
1196 | index 0d86fc73d63d..8257110bf599 100644 |
1197 | --- a/kernel/module.c |
1198 | +++ b/kernel/module.c |
1199 | @@ -1884,7 +1884,7 @@ static void mod_sysfs_teardown(struct module *mod) |
1200 | mod_sysfs_fini(mod); |
1201 | } |
1202 | |
1203 | -#ifdef CONFIG_STRICT_MODULE_RWX |
1204 | +#ifdef CONFIG_ARCH_HAS_STRICT_MODULE_RWX |
1205 | /* |
1206 | * LKM RO/NX protection: protect module's text/ro-data |
1207 | * from modification and any data from execution. |
1208 | @@ -1907,6 +1907,7 @@ static void frob_text(const struct module_layout *layout, |
1209 | layout->text_size >> PAGE_SHIFT); |
1210 | } |
1211 | |
1212 | +#ifdef CONFIG_STRICT_MODULE_RWX |
1213 | static void frob_rodata(const struct module_layout *layout, |
1214 | int (*set_memory)(unsigned long start, int num_pages)) |
1215 | { |
1216 | @@ -1956,13 +1957,9 @@ void module_enable_ro(const struct module *mod, bool after_init) |
1217 | return; |
1218 | |
1219 | frob_text(&mod->core_layout, set_memory_ro); |
1220 | - frob_text(&mod->core_layout, set_memory_x); |
1221 | |
1222 | frob_rodata(&mod->core_layout, set_memory_ro); |
1223 | - |
1224 | frob_text(&mod->init_layout, set_memory_ro); |
1225 | - frob_text(&mod->init_layout, set_memory_x); |
1226 | - |
1227 | frob_rodata(&mod->init_layout, set_memory_ro); |
1228 | |
1229 | if (after_init) |
1230 | @@ -2043,11 +2040,23 @@ static void disable_ro_nx(const struct module_layout *layout) |
1231 | frob_writable_data(layout, set_memory_x); |
1232 | } |
1233 | |
1234 | -#else |
1235 | +#else /* !CONFIG_STRICT_MODULE_RWX */ |
1236 | static void disable_ro_nx(const struct module_layout *layout) { } |
1237 | static void module_enable_nx(const struct module *mod) { } |
1238 | static void module_disable_nx(const struct module *mod) { } |
1239 | -#endif |
1240 | +#endif /* CONFIG_STRICT_MODULE_RWX */ |
1241 | + |
1242 | +static void module_enable_x(const struct module *mod) |
1243 | +{ |
1244 | + frob_text(&mod->core_layout, set_memory_x); |
1245 | + frob_text(&mod->init_layout, set_memory_x); |
1246 | +} |
1247 | +#else /* !CONFIG_ARCH_HAS_STRICT_MODULE_RWX */ |
1248 | +static void disable_ro_nx(const struct module_layout *layout) { } |
1249 | +static void module_enable_nx(const struct module *mod) { } |
1250 | +static void module_disable_nx(const struct module *mod) { } |
1251 | +static void module_enable_x(const struct module *mod) { } |
1252 | +#endif /* CONFIG_ARCH_HAS_STRICT_MODULE_RWX */ |
1253 | |
1254 | #ifdef CONFIG_LIVEPATCH |
1255 | /* |
1256 | @@ -3604,6 +3613,7 @@ static int complete_formation(struct module *mod, struct load_info *info) |
1257 | |
1258 | module_enable_ro(mod, false); |
1259 | module_enable_nx(mod); |
1260 | + module_enable_x(mod); |
1261 | |
1262 | /* Mark state as coming so strong_try_module_get() ignores us, |
1263 | * but kallsyms etc. can see us. */ |
1264 | diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c |
1265 | index 6d9f48bd374a..55198818e3e5 100644 |
1266 | --- a/net/bridge/br_mdb.c |
1267 | +++ b/net/bridge/br_mdb.c |
1268 | @@ -419,7 +419,7 @@ static int nlmsg_populate_rtr_fill(struct sk_buff *skb, |
1269 | struct nlmsghdr *nlh; |
1270 | struct nlattr *nest; |
1271 | |
1272 | - nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), NLM_F_MULTI); |
1273 | + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), 0); |
1274 | if (!nlh) |
1275 | return -EMSGSIZE; |
1276 | |
1277 | diff --git a/net/core/dev.c b/net/core/dev.c |
1278 | index e4b4cb40da00..ddd8aab20adf 100644 |
1279 | --- a/net/core/dev.c |
1280 | +++ b/net/core/dev.c |
1281 | @@ -8562,6 +8562,8 @@ int register_netdevice(struct net_device *dev) |
1282 | ret = notifier_to_errno(ret); |
1283 | if (ret) { |
1284 | rollback_registered(dev); |
1285 | + rcu_barrier(); |
1286 | + |
1287 | dev->reg_state = NETREG_UNREGISTERED; |
1288 | } |
1289 | /* |
1290 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
1291 | index 9b9f696281a9..0629ca89ab74 100644 |
1292 | --- a/net/core/skbuff.c |
1293 | +++ b/net/core/skbuff.c |
1294 | @@ -3530,6 +3530,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, |
1295 | int pos; |
1296 | int dummy; |
1297 | |
1298 | + if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) && |
1299 | + (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) { |
1300 | + /* gso_size is untrusted, and we have a frag_list with a linear |
1301 | + * non head_frag head. |
1302 | + * |
1303 | + * (we assume checking the first list_skb member suffices; |
1304 | + * i.e if either of the list_skb members have non head_frag |
1305 | + * head, then the first one has too). |
1306 | + * |
1307 | + * If head_skb's headlen does not fit requested gso_size, it |
1308 | + * means that the frag_list members do NOT terminate on exact |
1309 | + * gso_size boundaries. Hence we cannot perform skb_frag_t page |
1310 | + * sharing. Therefore we must fallback to copying the frag_list |
1311 | + * skbs; we do so by disabling SG. |
1312 | + */ |
1313 | + if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) |
1314 | + features &= ~NETIF_F_SG; |
1315 | + } |
1316 | + |
1317 | __skb_push(head_skb, doffset); |
1318 | proto = skb_network_protocol(head_skb, &dummy); |
1319 | if (unlikely(!proto)) |
1320 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
1321 | index 4a8869d39662..14a6a489937c 100644 |
1322 | --- a/net/ipv4/tcp_input.c |
1323 | +++ b/net/ipv4/tcp_input.c |
1324 | @@ -260,7 +260,7 @@ static void tcp_ecn_accept_cwr(struct sock *sk, const struct sk_buff *skb) |
1325 | |
1326 | static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp) |
1327 | { |
1328 | - tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR; |
1329 | + tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR; |
1330 | } |
1331 | |
1332 | static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb) |
1333 | diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c |
1334 | index 4c04bccc7417..5c9be8594483 100644 |
1335 | --- a/net/ipv6/ping.c |
1336 | +++ b/net/ipv6/ping.c |
1337 | @@ -228,7 +228,7 @@ static int __net_init ping_v6_proc_init_net(struct net *net) |
1338 | return 0; |
1339 | } |
1340 | |
1341 | -static void __net_init ping_v6_proc_exit_net(struct net *net) |
1342 | +static void __net_exit ping_v6_proc_exit_net(struct net *net) |
1343 | { |
1344 | remove_proc_entry("icmp6", net->proc_net); |
1345 | } |
1346 | diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c |
1347 | index 77b289da7763..875f521bce0d 100644 |
1348 | --- a/net/sched/sch_generic.c |
1349 | +++ b/net/sched/sch_generic.c |
1350 | @@ -49,6 +49,8 @@ EXPORT_SYMBOL(default_qdisc_ops); |
1351 | * - updates to tree and tree walking are only done under the rtnl mutex. |
1352 | */ |
1353 | |
1354 | +#define SKB_XOFF_MAGIC ((struct sk_buff *)1UL) |
1355 | + |
1356 | static inline struct sk_buff *__skb_dequeue_bad_txq(struct Qdisc *q) |
1357 | { |
1358 | const struct netdev_queue *txq = q->dev_queue; |
1359 | @@ -74,7 +76,7 @@ static inline struct sk_buff *__skb_dequeue_bad_txq(struct Qdisc *q) |
1360 | q->q.qlen--; |
1361 | } |
1362 | } else { |
1363 | - skb = NULL; |
1364 | + skb = SKB_XOFF_MAGIC; |
1365 | } |
1366 | } |
1367 | |
1368 | @@ -272,8 +274,11 @@ validate: |
1369 | return skb; |
1370 | |
1371 | skb = qdisc_dequeue_skb_bad_txq(q); |
1372 | - if (unlikely(skb)) |
1373 | + if (unlikely(skb)) { |
1374 | + if (skb == SKB_XOFF_MAGIC) |
1375 | + return NULL; |
1376 | goto bulk; |
1377 | + } |
1378 | skb = q->dequeue(q); |
1379 | if (skb) { |
1380 | bulk: |
1381 | diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c |
1382 | index c3a8388dcdf6..a80fe8aa8527 100644 |
1383 | --- a/net/sched/sch_hhf.c |
1384 | +++ b/net/sched/sch_hhf.c |
1385 | @@ -529,7 +529,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, |
1386 | new_hhf_non_hh_weight = nla_get_u32(tb[TCA_HHF_NON_HH_WEIGHT]); |
1387 | |
1388 | non_hh_quantum = (u64)new_quantum * new_hhf_non_hh_weight; |
1389 | - if (non_hh_quantum > INT_MAX) |
1390 | + if (non_hh_quantum == 0 || non_hh_quantum > INT_MAX) |
1391 | return -EINVAL; |
1392 | |
1393 | sch_tree_lock(sch); |
1394 | diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c |
1395 | index d97b2b4b7a8b..6d36f74ad295 100644 |
1396 | --- a/net/sctp/protocol.c |
1397 | +++ b/net/sctp/protocol.c |
1398 | @@ -1350,7 +1350,7 @@ static int __net_init sctp_ctrlsock_init(struct net *net) |
1399 | return status; |
1400 | } |
1401 | |
1402 | -static void __net_init sctp_ctrlsock_exit(struct net *net) |
1403 | +static void __net_exit sctp_ctrlsock_exit(struct net *net) |
1404 | { |
1405 | /* Free the control endpoint. */ |
1406 | inet_ctl_sock_destroy(net->sctp.ctl_sock); |
1407 | diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c |
1408 | index 28adac31f0ff..de8a82bc6b42 100644 |
1409 | --- a/net/sctp/sm_sideeffect.c |
1410 | +++ b/net/sctp/sm_sideeffect.c |
1411 | @@ -562,7 +562,7 @@ static void sctp_do_8_2_transport_strike(struct sctp_cmd_seq *commands, |
1412 | if (net->sctp.pf_enable && |
1413 | (transport->state == SCTP_ACTIVE) && |
1414 | (transport->error_count < transport->pathmaxrxt) && |
1415 | - (transport->error_count > asoc->pf_retrans)) { |
1416 | + (transport->error_count > transport->pf_retrans)) { |
1417 | |
1418 | sctp_assoc_control_transport(asoc, transport, |
1419 | SCTP_TRANSPORT_PF, |
1420 | diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c |
1421 | index 3cfeb9df64b0..e0a3dd424d8c 100644 |
1422 | --- a/net/tipc/name_distr.c |
1423 | +++ b/net/tipc/name_distr.c |
1424 | @@ -221,7 +221,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) |
1425 | publ->key); |
1426 | } |
1427 | |
1428 | - kfree_rcu(p, rcu); |
1429 | + if (p) |
1430 | + kfree_rcu(p, rcu); |
1431 | } |
1432 | |
1433 | /** |