Annotation of /trunk/kernel-alx/patches-4.19/0173-4.19.74-all-fixes.patch
Parent Directory | Revision Log
Revision 3470 -
(hide annotations)
(download)
Tue Oct 29 10:31:30 2019 UTC (4 years, 10 months ago) by niro
File size: 51036 byte(s)
Tue Oct 29 10:31:30 2019 UTC (4 years, 10 months ago) by niro
File size: 51036 byte(s)
-linux-4.19.74
1 | niro | 3470 | diff --git a/Makefile b/Makefile |
2 | index 9748fa3704bc..3509e0c6e5ae 100644 | ||
3 | --- a/Makefile | ||
4 | +++ b/Makefile | ||
5 | @@ -1,7 +1,7 @@ | ||
6 | # SPDX-License-Identifier: GPL-2.0 | ||
7 | VERSION = 4 | ||
8 | PATCHLEVEL = 19 | ||
9 | -SUBLEVEL = 73 | ||
10 | +SUBLEVEL = 74 | ||
11 | EXTRAVERSION = | ||
12 | NAME = "People's Front" | ||
13 | |||
14 | diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h | ||
15 | index 23bea99bf8d5..1ca9e37f7cc9 100644 | ||
16 | --- a/arch/powerpc/include/asm/uaccess.h | ||
17 | +++ b/arch/powerpc/include/asm/uaccess.h | ||
18 | @@ -306,6 +306,7 @@ extern unsigned long __copy_tofrom_user(void __user *to, | ||
19 | static inline unsigned long | ||
20 | raw_copy_in_user(void __user *to, const void __user *from, unsigned long n) | ||
21 | { | ||
22 | + barrier_nospec(); | ||
23 | return __copy_tofrom_user(to, from, n); | ||
24 | } | ||
25 | #endif /* __powerpc64__ */ | ||
26 | diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c | ||
27 | index fcb55b02990e..05ea466b9e40 100644 | ||
28 | --- a/arch/s390/kvm/interrupt.c | ||
29 | +++ b/arch/s390/kvm/interrupt.c | ||
30 | @@ -1879,6 +1879,16 @@ int s390int_to_s390irq(struct kvm_s390_interrupt *s390int, | ||
31 | case KVM_S390_MCHK: | ||
32 | irq->u.mchk.mcic = s390int->parm64; | ||
33 | break; | ||
34 | + case KVM_S390_INT_PFAULT_INIT: | ||
35 | + irq->u.ext.ext_params = s390int->parm; | ||
36 | + irq->u.ext.ext_params2 = s390int->parm64; | ||
37 | + break; | ||
38 | + case KVM_S390_RESTART: | ||
39 | + case KVM_S390_INT_CLOCK_COMP: | ||
40 | + case KVM_S390_INT_CPU_TIMER: | ||
41 | + break; | ||
42 | + default: | ||
43 | + return -EINVAL; | ||
44 | } | ||
45 | return 0; | ||
46 | } | ||
47 | diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c | ||
48 | index fc7de27960e7..e0551c948c59 100644 | ||
49 | --- a/arch/s390/kvm/kvm-s390.c | ||
50 | +++ b/arch/s390/kvm/kvm-s390.c | ||
51 | @@ -928,6 +928,8 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm) | ||
52 | /* mark all the pages in active slots as dirty */ | ||
53 | for (slotnr = 0; slotnr < slots->used_slots; slotnr++) { | ||
54 | ms = slots->memslots + slotnr; | ||
55 | + if (!ms->dirty_bitmap) | ||
56 | + return -EINVAL; | ||
57 | /* | ||
58 | * The second half of the bitmap is only used on x86, | ||
59 | * and would be wasted otherwise, so we put it to good | ||
60 | @@ -3956,7 +3958,7 @@ long kvm_arch_vcpu_async_ioctl(struct file *filp, | ||
61 | } | ||
62 | case KVM_S390_INTERRUPT: { | ||
63 | struct kvm_s390_interrupt s390int; | ||
64 | - struct kvm_s390_irq s390irq; | ||
65 | + struct kvm_s390_irq s390irq = {}; | ||
66 | |||
67 | if (copy_from_user(&s390int, argp, sizeof(s390int))) | ||
68 | return -EFAULT; | ||
69 | diff --git a/arch/x86/Makefile b/arch/x86/Makefile | ||
70 | index ce0d0424a53d..4833dd7e2cc0 100644 | ||
71 | --- a/arch/x86/Makefile | ||
72 | +++ b/arch/x86/Makefile | ||
73 | @@ -38,6 +38,7 @@ REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -DDISABLE_BRANCH_PROFILING \ | ||
74 | |||
75 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding) | ||
76 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector) | ||
77 | +REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member) | ||
78 | REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4)) | ||
79 | export REALMODE_CFLAGS | ||
80 | |||
81 | diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c | ||
82 | index 2938b4bcc968..e83f4f6bfdac 100644 | ||
83 | --- a/arch/x86/kvm/vmx.c | ||
84 | +++ b/arch/x86/kvm/vmx.c | ||
85 | @@ -8757,6 +8757,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) | ||
86 | u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); | ||
87 | gva_t gva = 0; | ||
88 | struct vmcs12 *vmcs12; | ||
89 | + struct x86_exception e; | ||
90 | |||
91 | if (!nested_vmx_check_permission(vcpu)) | ||
92 | return 1; | ||
93 | @@ -8798,8 +8799,10 @@ static int handle_vmread(struct kvm_vcpu *vcpu) | ||
94 | vmx_instruction_info, true, &gva)) | ||
95 | return 1; | ||
96 | /* _system ok, nested_vmx_check_permission has verified cpl=0 */ | ||
97 | - kvm_write_guest_virt_system(vcpu, gva, &field_value, | ||
98 | - (is_long_mode(vcpu) ? 8 : 4), NULL); | ||
99 | + if (kvm_write_guest_virt_system(vcpu, gva, &field_value, | ||
100 | + (is_long_mode(vcpu) ? 8 : 4), | ||
101 | + NULL)) | ||
102 | + kvm_inject_page_fault(vcpu, &e); | ||
103 | } | ||
104 | |||
105 | nested_vmx_succeed(vcpu); | ||
106 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c | ||
107 | index cbc39751f36b..dbae8415cf4a 100644 | ||
108 | --- a/arch/x86/kvm/x86.c | ||
109 | +++ b/arch/x86/kvm/x86.c | ||
110 | @@ -5016,6 +5016,13 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val, | ||
111 | /* kvm_write_guest_virt_system can pull in tons of pages. */ | ||
112 | vcpu->arch.l1tf_flush_l1d = true; | ||
113 | |||
114 | + /* | ||
115 | + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED | ||
116 | + * is returned, but our callers are not ready for that and they blindly | ||
117 | + * call kvm_inject_page_fault. Ensure that they at least do not leak | ||
118 | + * uninitialized kernel stack memory into cr2 and error code. | ||
119 | + */ | ||
120 | + memset(exception, 0, sizeof(*exception)); | ||
121 | return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, | ||
122 | PFERR_WRITE_MASK, exception); | ||
123 | } | ||
124 | diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile | ||
125 | index 8901a1f89cf5..10fb42da0007 100644 | ||
126 | --- a/arch/x86/purgatory/Makefile | ||
127 | +++ b/arch/x86/purgatory/Makefile | ||
128 | @@ -18,37 +18,40 @@ targets += purgatory.ro | ||
129 | KASAN_SANITIZE := n | ||
130 | KCOV_INSTRUMENT := n | ||
131 | |||
132 | +# These are adjustments to the compiler flags used for objects that | ||
133 | +# make up the standalone purgatory.ro | ||
134 | + | ||
135 | +PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel | ||
136 | +PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss | ||
137 | + | ||
138 | # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That | ||
139 | # in turn leaves some undefined symbols like __fentry__ in purgatory and not | ||
140 | # sure how to relocate those. | ||
141 | ifdef CONFIG_FUNCTION_TRACER | ||
142 | -CFLAGS_REMOVE_sha256.o += $(CC_FLAGS_FTRACE) | ||
143 | -CFLAGS_REMOVE_purgatory.o += $(CC_FLAGS_FTRACE) | ||
144 | -CFLAGS_REMOVE_string.o += $(CC_FLAGS_FTRACE) | ||
145 | -CFLAGS_REMOVE_kexec-purgatory.o += $(CC_FLAGS_FTRACE) | ||
146 | +PURGATORY_CFLAGS_REMOVE += $(CC_FLAGS_FTRACE) | ||
147 | endif | ||
148 | |||
149 | ifdef CONFIG_STACKPROTECTOR | ||
150 | -CFLAGS_REMOVE_sha256.o += -fstack-protector | ||
151 | -CFLAGS_REMOVE_purgatory.o += -fstack-protector | ||
152 | -CFLAGS_REMOVE_string.o += -fstack-protector | ||
153 | -CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector | ||
154 | +PURGATORY_CFLAGS_REMOVE += -fstack-protector | ||
155 | endif | ||
156 | |||
157 | ifdef CONFIG_STACKPROTECTOR_STRONG | ||
158 | -CFLAGS_REMOVE_sha256.o += -fstack-protector-strong | ||
159 | -CFLAGS_REMOVE_purgatory.o += -fstack-protector-strong | ||
160 | -CFLAGS_REMOVE_string.o += -fstack-protector-strong | ||
161 | -CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector-strong | ||
162 | +PURGATORY_CFLAGS_REMOVE += -fstack-protector-strong | ||
163 | endif | ||
164 | |||
165 | ifdef CONFIG_RETPOLINE | ||
166 | -CFLAGS_REMOVE_sha256.o += $(RETPOLINE_CFLAGS) | ||
167 | -CFLAGS_REMOVE_purgatory.o += $(RETPOLINE_CFLAGS) | ||
168 | -CFLAGS_REMOVE_string.o += $(RETPOLINE_CFLAGS) | ||
169 | -CFLAGS_REMOVE_kexec-purgatory.o += $(RETPOLINE_CFLAGS) | ||
170 | +PURGATORY_CFLAGS_REMOVE += $(RETPOLINE_CFLAGS) | ||
171 | endif | ||
172 | |||
173 | +CFLAGS_REMOVE_purgatory.o += $(PURGATORY_CFLAGS_REMOVE) | ||
174 | +CFLAGS_purgatory.o += $(PURGATORY_CFLAGS) | ||
175 | + | ||
176 | +CFLAGS_REMOVE_sha256.o += $(PURGATORY_CFLAGS_REMOVE) | ||
177 | +CFLAGS_sha256.o += $(PURGATORY_CFLAGS) | ||
178 | + | ||
179 | +CFLAGS_REMOVE_string.o += $(PURGATORY_CFLAGS_REMOVE) | ||
180 | +CFLAGS_string.o += $(PURGATORY_CFLAGS) | ||
181 | + | ||
182 | $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE | ||
183 | $(call if_changed,ld) | ||
184 | |||
185 | diff --git a/drivers/base/core.c b/drivers/base/core.c | ||
186 | index e1a8d5c06f65..fcda6313e7de 100644 | ||
187 | --- a/drivers/base/core.c | ||
188 | +++ b/drivers/base/core.c | ||
189 | @@ -1648,12 +1648,63 @@ static inline struct kobject *get_glue_dir(struct device *dev) | ||
190 | */ | ||
191 | static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) | ||
192 | { | ||
193 | + unsigned int ref; | ||
194 | + | ||
195 | /* see if we live in a "glue" directory */ | ||
196 | if (!live_in_glue_dir(glue_dir, dev)) | ||
197 | return; | ||
198 | |||
199 | mutex_lock(&gdp_mutex); | ||
200 | - if (!kobject_has_children(glue_dir)) | ||
201 | + /** | ||
202 | + * There is a race condition between removing glue directory | ||
203 | + * and adding a new device under the glue directory. | ||
204 | + * | ||
205 | + * CPU1: CPU2: | ||
206 | + * | ||
207 | + * device_add() | ||
208 | + * get_device_parent() | ||
209 | + * class_dir_create_and_add() | ||
210 | + * kobject_add_internal() | ||
211 | + * create_dir() // create glue_dir | ||
212 | + * | ||
213 | + * device_add() | ||
214 | + * get_device_parent() | ||
215 | + * kobject_get() // get glue_dir | ||
216 | + * | ||
217 | + * device_del() | ||
218 | + * cleanup_glue_dir() | ||
219 | + * kobject_del(glue_dir) | ||
220 | + * | ||
221 | + * kobject_add() | ||
222 | + * kobject_add_internal() | ||
223 | + * create_dir() // in glue_dir | ||
224 | + * sysfs_create_dir_ns() | ||
225 | + * kernfs_create_dir_ns(sd) | ||
226 | + * | ||
227 | + * sysfs_remove_dir() // glue_dir->sd=NULL | ||
228 | + * sysfs_put() // free glue_dir->sd | ||
229 | + * | ||
230 | + * // sd is freed | ||
231 | + * kernfs_new_node(sd) | ||
232 | + * kernfs_get(glue_dir) | ||
233 | + * kernfs_add_one() | ||
234 | + * kernfs_put() | ||
235 | + * | ||
236 | + * Before CPU1 remove last child device under glue dir, if CPU2 add | ||
237 | + * a new device under glue dir, the glue_dir kobject reference count | ||
238 | + * will be increase to 2 in kobject_get(k). And CPU2 has been called | ||
239 | + * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() | ||
240 | + * and sysfs_put(). This result in glue_dir->sd is freed. | ||
241 | + * | ||
242 | + * Then the CPU2 will see a stale "empty" but still potentially used | ||
243 | + * glue dir around in kernfs_new_node(). | ||
244 | + * | ||
245 | + * In order to avoid this happening, we also should make sure that | ||
246 | + * kernfs_node for glue_dir is released in CPU1 only when refcount | ||
247 | + * for glue_dir kobj is 1. | ||
248 | + */ | ||
249 | + ref = kref_read(&glue_dir->kref); | ||
250 | + if (!kobject_has_children(glue_dir) && !--ref) | ||
251 | kobject_del(glue_dir); | ||
252 | kobject_put(glue_dir); | ||
253 | mutex_unlock(&gdp_mutex); | ||
254 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c | ||
255 | index 75cf605f54e5..09c83dc2ef67 100644 | ||
256 | --- a/drivers/bluetooth/btusb.c | ||
257 | +++ b/drivers/bluetooth/btusb.c | ||
258 | @@ -1139,10 +1139,6 @@ static int btusb_open(struct hci_dev *hdev) | ||
259 | } | ||
260 | |||
261 | data->intf->needs_remote_wakeup = 1; | ||
262 | - /* device specific wakeup source enabled and required for USB | ||
263 | - * remote wakeup while host is suspended | ||
264 | - */ | ||
265 | - device_wakeup_enable(&data->udev->dev); | ||
266 | |||
267 | if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) | ||
268 | goto done; | ||
269 | @@ -1206,7 +1202,6 @@ static int btusb_close(struct hci_dev *hdev) | ||
270 | goto failed; | ||
271 | |||
272 | data->intf->needs_remote_wakeup = 0; | ||
273 | - device_wakeup_disable(&data->udev->dev); | ||
274 | usb_autopm_put_interface(data->intf); | ||
275 | |||
276 | failed: | ||
277 | diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c | ||
278 | index 026a26bb702d..dbec84238ecd 100644 | ||
279 | --- a/drivers/clk/rockchip/clk-mmc-phase.c | ||
280 | +++ b/drivers/clk/rockchip/clk-mmc-phase.c | ||
281 | @@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw) | ||
282 | u32 delay_num = 0; | ||
283 | |||
284 | /* See the comment for rockchip_mmc_set_phase below */ | ||
285 | - if (!rate) { | ||
286 | - pr_err("%s: invalid clk rate\n", __func__); | ||
287 | + if (!rate) | ||
288 | return -EINVAL; | ||
289 | - } | ||
290 | |||
291 | raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); | ||
292 | |||
293 | diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c | ||
294 | index 41b288bdcdbf..064315edd289 100644 | ||
295 | --- a/drivers/crypto/talitos.c | ||
296 | +++ b/drivers/crypto/talitos.c | ||
297 | @@ -959,11 +959,13 @@ static void talitos_sg_unmap(struct device *dev, | ||
298 | |||
299 | static void ipsec_esp_unmap(struct device *dev, | ||
300 | struct talitos_edesc *edesc, | ||
301 | - struct aead_request *areq) | ||
302 | + struct aead_request *areq, bool encrypt) | ||
303 | { | ||
304 | struct crypto_aead *aead = crypto_aead_reqtfm(areq); | ||
305 | struct talitos_ctx *ctx = crypto_aead_ctx(aead); | ||
306 | unsigned int ivsize = crypto_aead_ivsize(aead); | ||
307 | + unsigned int authsize = crypto_aead_authsize(aead); | ||
308 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); | ||
309 | bool is_ipsec_esp = edesc->desc.hdr & DESC_HDR_TYPE_IPSEC_ESP; | ||
310 | struct talitos_ptr *civ_ptr = &edesc->desc.ptr[is_ipsec_esp ? 2 : 3]; | ||
311 | |||
312 | @@ -972,7 +974,7 @@ static void ipsec_esp_unmap(struct device *dev, | ||
313 | DMA_FROM_DEVICE); | ||
314 | unmap_single_talitos_ptr(dev, civ_ptr, DMA_TO_DEVICE); | ||
315 | |||
316 | - talitos_sg_unmap(dev, edesc, areq->src, areq->dst, areq->cryptlen, | ||
317 | + talitos_sg_unmap(dev, edesc, areq->src, areq->dst, cryptlen, | ||
318 | areq->assoclen); | ||
319 | |||
320 | if (edesc->dma_len) | ||
321 | @@ -983,7 +985,7 @@ static void ipsec_esp_unmap(struct device *dev, | ||
322 | unsigned int dst_nents = edesc->dst_nents ? : 1; | ||
323 | |||
324 | sg_pcopy_to_buffer(areq->dst, dst_nents, ctx->iv, ivsize, | ||
325 | - areq->assoclen + areq->cryptlen - ivsize); | ||
326 | + areq->assoclen + cryptlen - ivsize); | ||
327 | } | ||
328 | } | ||
329 | |||
330 | @@ -1005,7 +1007,7 @@ static void ipsec_esp_encrypt_done(struct device *dev, | ||
331 | |||
332 | edesc = container_of(desc, struct talitos_edesc, desc); | ||
333 | |||
334 | - ipsec_esp_unmap(dev, edesc, areq); | ||
335 | + ipsec_esp_unmap(dev, edesc, areq, true); | ||
336 | |||
337 | /* copy the generated ICV to dst */ | ||
338 | if (edesc->icv_ool) { | ||
339 | @@ -1039,7 +1041,7 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, | ||
340 | |||
341 | edesc = container_of(desc, struct talitos_edesc, desc); | ||
342 | |||
343 | - ipsec_esp_unmap(dev, edesc, req); | ||
344 | + ipsec_esp_unmap(dev, edesc, req, false); | ||
345 | |||
346 | if (!err) { | ||
347 | char icvdata[SHA512_DIGEST_SIZE]; | ||
348 | @@ -1085,7 +1087,7 @@ static void ipsec_esp_decrypt_hwauth_done(struct device *dev, | ||
349 | |||
350 | edesc = container_of(desc, struct talitos_edesc, desc); | ||
351 | |||
352 | - ipsec_esp_unmap(dev, edesc, req); | ||
353 | + ipsec_esp_unmap(dev, edesc, req, false); | ||
354 | |||
355 | /* check ICV auth status */ | ||
356 | if (!err && ((desc->hdr_lo & DESC_HDR_LO_ICCR1_MASK) != | ||
357 | @@ -1188,6 +1190,7 @@ static int talitos_sg_map(struct device *dev, struct scatterlist *src, | ||
358 | * fill in and submit ipsec_esp descriptor | ||
359 | */ | ||
360 | static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, | ||
361 | + bool encrypt, | ||
362 | void (*callback)(struct device *dev, | ||
363 | struct talitos_desc *desc, | ||
364 | void *context, int error)) | ||
365 | @@ -1197,7 +1200,7 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, | ||
366 | struct talitos_ctx *ctx = crypto_aead_ctx(aead); | ||
367 | struct device *dev = ctx->dev; | ||
368 | struct talitos_desc *desc = &edesc->desc; | ||
369 | - unsigned int cryptlen = areq->cryptlen; | ||
370 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); | ||
371 | unsigned int ivsize = crypto_aead_ivsize(aead); | ||
372 | int tbl_off = 0; | ||
373 | int sg_count, ret; | ||
374 | @@ -1324,7 +1327,7 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq, | ||
375 | |||
376 | ret = talitos_submit(dev, ctx->ch, desc, callback, areq); | ||
377 | if (ret != -EINPROGRESS) { | ||
378 | - ipsec_esp_unmap(dev, edesc, areq); | ||
379 | + ipsec_esp_unmap(dev, edesc, areq, encrypt); | ||
380 | kfree(edesc); | ||
381 | } | ||
382 | return ret; | ||
383 | @@ -1438,9 +1441,10 @@ static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, | ||
384 | unsigned int authsize = crypto_aead_authsize(authenc); | ||
385 | struct talitos_ctx *ctx = crypto_aead_ctx(authenc); | ||
386 | unsigned int ivsize = crypto_aead_ivsize(authenc); | ||
387 | + unsigned int cryptlen = areq->cryptlen - (encrypt ? 0 : authsize); | ||
388 | |||
389 | return talitos_edesc_alloc(ctx->dev, areq->src, areq->dst, | ||
390 | - iv, areq->assoclen, areq->cryptlen, | ||
391 | + iv, areq->assoclen, cryptlen, | ||
392 | authsize, ivsize, icv_stashing, | ||
393 | areq->base.flags, encrypt); | ||
394 | } | ||
395 | @@ -1459,7 +1463,7 @@ static int aead_encrypt(struct aead_request *req) | ||
396 | /* set encrypt */ | ||
397 | edesc->desc.hdr = ctx->desc_hdr_template | DESC_HDR_MODE0_ENCRYPT; | ||
398 | |||
399 | - return ipsec_esp(edesc, req, ipsec_esp_encrypt_done); | ||
400 | + return ipsec_esp(edesc, req, true, ipsec_esp_encrypt_done); | ||
401 | } | ||
402 | |||
403 | static int aead_decrypt(struct aead_request *req) | ||
404 | @@ -1471,14 +1475,13 @@ static int aead_decrypt(struct aead_request *req) | ||
405 | struct talitos_edesc *edesc; | ||
406 | void *icvdata; | ||
407 | |||
408 | - req->cryptlen -= authsize; | ||
409 | - | ||
410 | /* allocate extended descriptor */ | ||
411 | edesc = aead_edesc_alloc(req, req->iv, 1, false); | ||
412 | if (IS_ERR(edesc)) | ||
413 | return PTR_ERR(edesc); | ||
414 | |||
415 | - if ((priv->features & TALITOS_FTR_HW_AUTH_CHECK) && | ||
416 | + if ((edesc->desc.hdr & DESC_HDR_TYPE_IPSEC_ESP) && | ||
417 | + (priv->features & TALITOS_FTR_HW_AUTH_CHECK) && | ||
418 | ((!edesc->src_nents && !edesc->dst_nents) || | ||
419 | priv->features & TALITOS_FTR_SRC_LINK_TBL_LEN_INCLUDES_EXTENT)) { | ||
420 | |||
421 | @@ -1489,7 +1492,8 @@ static int aead_decrypt(struct aead_request *req) | ||
422 | |||
423 | /* reset integrity check result bits */ | ||
424 | |||
425 | - return ipsec_esp(edesc, req, ipsec_esp_decrypt_hwauth_done); | ||
426 | + return ipsec_esp(edesc, req, false, | ||
427 | + ipsec_esp_decrypt_hwauth_done); | ||
428 | } | ||
429 | |||
430 | /* Have to check the ICV with software */ | ||
431 | @@ -1505,7 +1509,7 @@ static int aead_decrypt(struct aead_request *req) | ||
432 | sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, | ||
433 | req->assoclen + req->cryptlen - authsize); | ||
434 | |||
435 | - return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done); | ||
436 | + return ipsec_esp(edesc, req, false, ipsec_esp_decrypt_swauth_done); | ||
437 | } | ||
438 | |||
439 | static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, | ||
440 | @@ -1538,6 +1542,18 @@ static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, | ||
441 | return 0; | ||
442 | } | ||
443 | |||
444 | +static int ablkcipher_aes_setkey(struct crypto_ablkcipher *cipher, | ||
445 | + const u8 *key, unsigned int keylen) | ||
446 | +{ | ||
447 | + if (keylen == AES_KEYSIZE_128 || keylen == AES_KEYSIZE_192 || | ||
448 | + keylen == AES_KEYSIZE_256) | ||
449 | + return ablkcipher_setkey(cipher, key, keylen); | ||
450 | + | ||
451 | + crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); | ||
452 | + | ||
453 | + return -EINVAL; | ||
454 | +} | ||
455 | + | ||
456 | static void common_nonsnoop_unmap(struct device *dev, | ||
457 | struct talitos_edesc *edesc, | ||
458 | struct ablkcipher_request *areq) | ||
459 | @@ -1660,6 +1676,14 @@ static int ablkcipher_encrypt(struct ablkcipher_request *areq) | ||
460 | struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); | ||
461 | struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); | ||
462 | struct talitos_edesc *edesc; | ||
463 | + unsigned int blocksize = | ||
464 | + crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); | ||
465 | + | ||
466 | + if (!areq->nbytes) | ||
467 | + return 0; | ||
468 | + | ||
469 | + if (areq->nbytes % blocksize) | ||
470 | + return -EINVAL; | ||
471 | |||
472 | /* allocate extended descriptor */ | ||
473 | edesc = ablkcipher_edesc_alloc(areq, true); | ||
474 | @@ -1677,6 +1701,14 @@ static int ablkcipher_decrypt(struct ablkcipher_request *areq) | ||
475 | struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); | ||
476 | struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); | ||
477 | struct talitos_edesc *edesc; | ||
478 | + unsigned int blocksize = | ||
479 | + crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); | ||
480 | + | ||
481 | + if (!areq->nbytes) | ||
482 | + return 0; | ||
483 | + | ||
484 | + if (areq->nbytes % blocksize) | ||
485 | + return -EINVAL; | ||
486 | |||
487 | /* allocate extended descriptor */ | ||
488 | edesc = ablkcipher_edesc_alloc(areq, false); | ||
489 | @@ -2705,6 +2737,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
490 | .min_keysize = AES_MIN_KEY_SIZE, | ||
491 | .max_keysize = AES_MAX_KEY_SIZE, | ||
492 | .ivsize = AES_BLOCK_SIZE, | ||
493 | + .setkey = ablkcipher_aes_setkey, | ||
494 | } | ||
495 | }, | ||
496 | .desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU | | ||
497 | @@ -2715,13 +2748,13 @@ static struct talitos_alg_template driver_algs[] = { | ||
498 | .alg.crypto = { | ||
499 | .cra_name = "ctr(aes)", | ||
500 | .cra_driver_name = "ctr-aes-talitos", | ||
501 | - .cra_blocksize = AES_BLOCK_SIZE, | ||
502 | + .cra_blocksize = 1, | ||
503 | .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | | ||
504 | CRYPTO_ALG_ASYNC, | ||
505 | .cra_ablkcipher = { | ||
506 | .min_keysize = AES_MIN_KEY_SIZE, | ||
507 | .max_keysize = AES_MAX_KEY_SIZE, | ||
508 | - .ivsize = AES_BLOCK_SIZE, | ||
509 | + .setkey = ablkcipher_aes_setkey, | ||
510 | } | ||
511 | }, | ||
512 | .desc_hdr_template = DESC_HDR_TYPE_AESU_CTR_NONSNOOP | | ||
513 | diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c | ||
514 | index 7fa744793bc5..5e35a66ed0ae 100644 | ||
515 | --- a/drivers/firmware/ti_sci.c | ||
516 | +++ b/drivers/firmware/ti_sci.c | ||
517 | @@ -463,9 +463,9 @@ static int ti_sci_cmd_get_revision(struct ti_sci_info *info) | ||
518 | struct ti_sci_xfer *xfer; | ||
519 | int ret; | ||
520 | |||
521 | - /* No need to setup flags since it is expected to respond */ | ||
522 | xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_VERSION, | ||
523 | - 0x0, sizeof(struct ti_sci_msg_hdr), | ||
524 | + TI_SCI_FLAG_REQ_ACK_ON_PROCESSED, | ||
525 | + sizeof(struct ti_sci_msg_hdr), | ||
526 | sizeof(*rev_info)); | ||
527 | if (IS_ERR(xfer)) { | ||
528 | ret = PTR_ERR(xfer); | ||
529 | @@ -593,9 +593,9 @@ static int ti_sci_get_device_state(const struct ti_sci_handle *handle, | ||
530 | info = handle_to_ti_sci_info(handle); | ||
531 | dev = info->dev; | ||
532 | |||
533 | - /* Response is expected, so need of any flags */ | ||
534 | xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_GET_DEVICE_STATE, | ||
535 | - 0, sizeof(*req), sizeof(*resp)); | ||
536 | + TI_SCI_FLAG_REQ_ACK_ON_PROCESSED, | ||
537 | + sizeof(*req), sizeof(*resp)); | ||
538 | if (IS_ERR(xfer)) { | ||
539 | ret = PTR_ERR(xfer); | ||
540 | dev_err(dev, "Message alloc failed(%d)\n", ret); | ||
541 | diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c | ||
542 | index c5e009f61021..cf2604e63599 100644 | ||
543 | --- a/drivers/gpio/gpiolib-acpi.c | ||
544 | +++ b/drivers/gpio/gpiolib-acpi.c | ||
545 | @@ -10,6 +10,7 @@ | ||
546 | * published by the Free Software Foundation. | ||
547 | */ | ||
548 | |||
549 | +#include <linux/dmi.h> | ||
550 | #include <linux/errno.h> | ||
551 | #include <linux/gpio.h> | ||
552 | #include <linux/gpio/consumer.h> | ||
553 | @@ -23,6 +24,11 @@ | ||
554 | |||
555 | #include "gpiolib.h" | ||
556 | |||
557 | +static int run_edge_events_on_boot = -1; | ||
558 | +module_param(run_edge_events_on_boot, int, 0444); | ||
559 | +MODULE_PARM_DESC(run_edge_events_on_boot, | ||
560 | + "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto"); | ||
561 | + | ||
562 | /** | ||
563 | * struct acpi_gpio_event - ACPI GPIO event handler data | ||
564 | * | ||
565 | @@ -174,10 +180,13 @@ static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio, | ||
566 | event->irq_requested = true; | ||
567 | |||
568 | /* Make sure we trigger the initial state of edge-triggered IRQs */ | ||
569 | - value = gpiod_get_raw_value_cansleep(event->desc); | ||
570 | - if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || | ||
571 | - ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) | ||
572 | - event->handler(event->irq, event); | ||
573 | + if (run_edge_events_on_boot && | ||
574 | + (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) { | ||
575 | + value = gpiod_get_raw_value_cansleep(event->desc); | ||
576 | + if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || | ||
577 | + ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) | ||
578 | + event->handler(event->irq, event); | ||
579 | + } | ||
580 | } | ||
581 | |||
582 | static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio) | ||
583 | @@ -1253,3 +1262,28 @@ static int acpi_gpio_handle_deferred_request_irqs(void) | ||
584 | } | ||
585 | /* We must use _sync so that this runs after the first deferred_probe run */ | ||
586 | late_initcall_sync(acpi_gpio_handle_deferred_request_irqs); | ||
587 | + | ||
588 | +static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = { | ||
589 | + { | ||
590 | + .matches = { | ||
591 | + DMI_MATCH(DMI_SYS_VENDOR, "MINIX"), | ||
592 | + DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"), | ||
593 | + } | ||
594 | + }, | ||
595 | + {} /* Terminating entry */ | ||
596 | +}; | ||
597 | + | ||
598 | +static int acpi_gpio_setup_params(void) | ||
599 | +{ | ||
600 | + if (run_edge_events_on_boot < 0) { | ||
601 | + if (dmi_check_system(run_edge_events_on_boot_blacklist)) | ||
602 | + run_edge_events_on_boot = 0; | ||
603 | + else | ||
604 | + run_edge_events_on_boot = 1; | ||
605 | + } | ||
606 | + | ||
607 | + return 0; | ||
608 | +} | ||
609 | + | ||
610 | +/* Directly after dmi_setup() which runs as core_initcall() */ | ||
611 | +postcore_initcall(acpi_gpio_setup_params); | ||
612 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c | ||
613 | index 53395852f012..3289b53a7ba1 100644 | ||
614 | --- a/drivers/gpio/gpiolib.c | ||
615 | +++ b/drivers/gpio/gpiolib.c | ||
616 | @@ -524,6 +524,14 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
617 | if (lflags & ~GPIOHANDLE_REQUEST_VALID_FLAGS) | ||
618 | return -EINVAL; | ||
619 | |||
620 | + /* | ||
621 | + * Do not allow both INPUT & OUTPUT flags to be set as they are | ||
622 | + * contradictory. | ||
623 | + */ | ||
624 | + if ((lflags & GPIOHANDLE_REQUEST_INPUT) && | ||
625 | + (lflags & GPIOHANDLE_REQUEST_OUTPUT)) | ||
626 | + return -EINVAL; | ||
627 | + | ||
628 | /* | ||
629 | * Do not allow OPEN_SOURCE & OPEN_DRAIN flags in a single request. If | ||
630 | * the hardware actually supports enabling both at the same time the | ||
631 | @@ -916,7 +924,9 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) | ||
632 | } | ||
633 | |||
634 | /* This is just wrong: we don't look for events on output lines */ | ||
635 | - if (lflags & GPIOHANDLE_REQUEST_OUTPUT) { | ||
636 | + if ((lflags & GPIOHANDLE_REQUEST_OUTPUT) || | ||
637 | + (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) || | ||
638 | + (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)) { | ||
639 | ret = -EINVAL; | ||
640 | goto out_free_label; | ||
641 | } | ||
642 | @@ -930,10 +940,6 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) | ||
643 | |||
644 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) | ||
645 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); | ||
646 | - if (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) | ||
647 | - set_bit(FLAG_OPEN_DRAIN, &desc->flags); | ||
648 | - if (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE) | ||
649 | - set_bit(FLAG_OPEN_SOURCE, &desc->flags); | ||
650 | |||
651 | ret = gpiod_direction_input(desc); | ||
652 | if (ret) | ||
653 | diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c | ||
654 | index b44bed554211..cc354b491774 100644 | ||
655 | --- a/drivers/gpu/drm/drm_panel_orientation_quirks.c | ||
656 | +++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c | ||
657 | @@ -82,6 +82,12 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = { | ||
658 | .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, | ||
659 | }; | ||
660 | |||
661 | +static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = { | ||
662 | + .width = 720, | ||
663 | + .height = 1280, | ||
664 | + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, | ||
665 | +}; | ||
666 | + | ||
667 | static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = { | ||
668 | .width = 800, | ||
669 | .height = 1280, | ||
670 | @@ -109,6 +115,12 @@ static const struct dmi_system_id orientation_data[] = { | ||
671 | DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), | ||
672 | }, | ||
673 | .driver_data = (void *)&gpd_micropc, | ||
674 | + }, { /* GPD MicroPC (later BIOS versions with proper DMI strings) */ | ||
675 | + .matches = { | ||
676 | + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"), | ||
677 | + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "MicroPC"), | ||
678 | + }, | ||
679 | + .driver_data = (void *)&lcd720x1280_rightside_up, | ||
680 | }, { /* | ||
681 | * GPD Pocket, note that the the DMI data is less generic then | ||
682 | * it seems, devices with a board-vendor of "AMI Corporation" | ||
683 | diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c | ||
684 | index f6389479fccb..947bc6d62302 100644 | ||
685 | --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c | ||
686 | +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c | ||
687 | @@ -566,12 +566,15 @@ static int mtk_drm_probe(struct platform_device *pdev) | ||
688 | comp = devm_kzalloc(dev, sizeof(*comp), GFP_KERNEL); | ||
689 | if (!comp) { | ||
690 | ret = -ENOMEM; | ||
691 | + of_node_put(node); | ||
692 | goto err_node; | ||
693 | } | ||
694 | |||
695 | ret = mtk_ddp_comp_init(dev, node, comp, comp_id, NULL); | ||
696 | - if (ret) | ||
697 | + if (ret) { | ||
698 | + of_node_put(node); | ||
699 | goto err_node; | ||
700 | + } | ||
701 | |||
702 | private->ddp_comp[comp_id] = comp; | ||
703 | } | ||
704 | diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c | ||
705 | index 12c80dfcff59..c7daae53fa1f 100644 | ||
706 | --- a/drivers/gpu/drm/meson/meson_plane.c | ||
707 | +++ b/drivers/gpu/drm/meson/meson_plane.c | ||
708 | @@ -120,6 +120,13 @@ static void meson_plane_atomic_update(struct drm_plane *plane, | ||
709 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | | ||
710 | OSD_COLOR_MATRIX_32_ARGB; | ||
711 | break; | ||
712 | + case DRM_FORMAT_XBGR8888: | ||
713 | + /* For XRGB, replace the pixel's alpha by 0xFF */ | ||
714 | + writel_bits_relaxed(OSD_REPLACE_EN, OSD_REPLACE_EN, | ||
715 | + priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); | ||
716 | + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | | ||
717 | + OSD_COLOR_MATRIX_32_ABGR; | ||
718 | + break; | ||
719 | case DRM_FORMAT_ARGB8888: | ||
720 | /* For ARGB, use the pixel's alpha */ | ||
721 | writel_bits_relaxed(OSD_REPLACE_EN, 0, | ||
722 | @@ -127,6 +134,13 @@ static void meson_plane_atomic_update(struct drm_plane *plane, | ||
723 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | | ||
724 | OSD_COLOR_MATRIX_32_ARGB; | ||
725 | break; | ||
726 | + case DRM_FORMAT_ABGR8888: | ||
727 | + /* For ARGB, use the pixel's alpha */ | ||
728 | + writel_bits_relaxed(OSD_REPLACE_EN, 0, | ||
729 | + priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); | ||
730 | + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | | ||
731 | + OSD_COLOR_MATRIX_32_ABGR; | ||
732 | + break; | ||
733 | case DRM_FORMAT_RGB888: | ||
734 | priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_24 | | ||
735 | OSD_COLOR_MATRIX_24_RGB; | ||
736 | @@ -196,7 +210,9 @@ static const struct drm_plane_funcs meson_plane_funcs = { | ||
737 | |||
738 | static const uint32_t supported_drm_formats[] = { | ||
739 | DRM_FORMAT_ARGB8888, | ||
740 | + DRM_FORMAT_ABGR8888, | ||
741 | DRM_FORMAT_XRGB8888, | ||
742 | + DRM_FORMAT_XBGR8888, | ||
743 | DRM_FORMAT_RGB888, | ||
744 | DRM_FORMAT_RGB565, | ||
745 | }; | ||
746 | diff --git a/drivers/iio/adc/stm32-dfsdm-adc.c b/drivers/iio/adc/stm32-dfsdm-adc.c | ||
747 | index 15a115210108..f5586dd6414d 100644 | ||
748 | --- a/drivers/iio/adc/stm32-dfsdm-adc.c | ||
749 | +++ b/drivers/iio/adc/stm32-dfsdm-adc.c | ||
750 | @@ -981,11 +981,11 @@ static int stm32_dfsdm_adc_chan_init_one(struct iio_dev *indio_dev, | ||
751 | ch->info_mask_shared_by_all = BIT(IIO_CHAN_INFO_OVERSAMPLING_RATIO); | ||
752 | |||
753 | if (adc->dev_data->type == DFSDM_AUDIO) { | ||
754 | - ch->scan_type.sign = 's'; | ||
755 | ch->ext_info = dfsdm_adc_audio_ext_info; | ||
756 | } else { | ||
757 | - ch->scan_type.sign = 'u'; | ||
758 | + ch->scan_type.shift = 8; | ||
759 | } | ||
760 | + ch->scan_type.sign = 's'; | ||
761 | ch->scan_type.realbits = 24; | ||
762 | ch->scan_type.storagebits = 32; | ||
763 | |||
764 | diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c | ||
765 | index ef5560b848ab..21786a442368 100644 | ||
766 | --- a/drivers/isdn/capi/capi.c | ||
767 | +++ b/drivers/isdn/capi/capi.c | ||
768 | @@ -688,6 +688,9 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos | ||
769 | if (!cdev->ap.applid) | ||
770 | return -ENODEV; | ||
771 | |||
772 | + if (count < CAPIMSG_BASELEN) | ||
773 | + return -EINVAL; | ||
774 | + | ||
775 | skb = alloc_skb(count, GFP_USER); | ||
776 | if (!skb) | ||
777 | return -ENOMEM; | ||
778 | @@ -698,7 +701,8 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos | ||
779 | } | ||
780 | mlen = CAPIMSG_LEN(skb->data); | ||
781 | if (CAPIMSG_CMD(skb->data) == CAPI_DATA_B3_REQ) { | ||
782 | - if ((size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { | ||
783 | + if (count < CAPI_DATA_B3_REQ_LEN || | ||
784 | + (size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { | ||
785 | kfree_skb(skb); | ||
786 | return -EINVAL; | ||
787 | } | ||
788 | @@ -711,6 +715,10 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos | ||
789 | CAPIMSG_SETAPPID(skb->data, cdev->ap.applid); | ||
790 | |||
791 | if (CAPIMSG_CMD(skb->data) == CAPI_DISCONNECT_B3_RESP) { | ||
792 | + if (count < CAPI_DISCONNECT_B3_RESP_LEN) { | ||
793 | + kfree_skb(skb); | ||
794 | + return -EINVAL; | ||
795 | + } | ||
796 | mutex_lock(&cdev->lock); | ||
797 | capincci_free(cdev, CAPIMSG_NCCI(skb->data)); | ||
798 | mutex_unlock(&cdev->lock); | ||
799 | diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c | ||
800 | index dce5b7e44e7a..ab5a8778c4b2 100644 | ||
801 | --- a/drivers/mtd/nand/raw/mtk_nand.c | ||
802 | +++ b/drivers/mtd/nand/raw/mtk_nand.c | ||
803 | @@ -863,19 +863,21 @@ static int mtk_nfc_write_oob_std(struct mtd_info *mtd, struct nand_chip *chip, | ||
804 | return mtk_nfc_write_page_raw(mtd, chip, NULL, 1, page); | ||
805 | } | ||
806 | |||
807 | -static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors) | ||
808 | +static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start, | ||
809 | + u32 sectors) | ||
810 | { | ||
811 | struct nand_chip *chip = mtd_to_nand(mtd); | ||
812 | struct mtk_nfc *nfc = nand_get_controller_data(chip); | ||
813 | struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip); | ||
814 | struct mtk_ecc_stats stats; | ||
815 | + u32 reg_size = mtk_nand->fdm.reg_size; | ||
816 | int rc, i; | ||
817 | |||
818 | rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE; | ||
819 | if (rc) { | ||
820 | memset(buf, 0xff, sectors * chip->ecc.size); | ||
821 | for (i = 0; i < sectors; i++) | ||
822 | - memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size); | ||
823 | + memset(oob_ptr(chip, start + i), 0xff, reg_size); | ||
824 | return 0; | ||
825 | } | ||
826 | |||
827 | @@ -895,7 +897,7 @@ static int mtk_nfc_read_subpage(struct mtd_info *mtd, struct nand_chip *chip, | ||
828 | u32 spare = mtk_nand->spare_per_sector; | ||
829 | u32 column, sectors, start, end, reg; | ||
830 | dma_addr_t addr; | ||
831 | - int bitflips; | ||
832 | + int bitflips = 0; | ||
833 | size_t len; | ||
834 | u8 *buf; | ||
835 | int rc; | ||
836 | @@ -962,14 +964,11 @@ static int mtk_nfc_read_subpage(struct mtd_info *mtd, struct nand_chip *chip, | ||
837 | if (rc < 0) { | ||
838 | dev_err(nfc->dev, "subpage done timeout\n"); | ||
839 | bitflips = -EIO; | ||
840 | - } else { | ||
841 | - bitflips = 0; | ||
842 | - if (!raw) { | ||
843 | - rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); | ||
844 | - bitflips = rc < 0 ? -ETIMEDOUT : | ||
845 | - mtk_nfc_update_ecc_stats(mtd, buf, sectors); | ||
846 | - mtk_nfc_read_fdm(chip, start, sectors); | ||
847 | - } | ||
848 | + } else if (!raw) { | ||
849 | + rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); | ||
850 | + bitflips = rc < 0 ? -ETIMEDOUT : | ||
851 | + mtk_nfc_update_ecc_stats(mtd, buf, start, sectors); | ||
852 | + mtk_nfc_read_fdm(chip, start, sectors); | ||
853 | } | ||
854 | |||
855 | dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE); | ||
856 | diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | ||
857 | index 410d5d3aa393..85280765d793 100644 | ||
858 | --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | ||
859 | +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | ||
860 | @@ -34,6 +34,7 @@ | ||
861 | #include <net/tc_act/tc_mirred.h> | ||
862 | #include <net/vxlan.h> | ||
863 | #include <net/mpls.h> | ||
864 | +#include <net/xfrm.h> | ||
865 | |||
866 | #include "ixgbe.h" | ||
867 | #include "ixgbe_common.h" | ||
868 | @@ -2625,7 +2626,7 @@ adjust_by_size: | ||
869 | /* 16K ints/sec to 9.2K ints/sec */ | ||
870 | avg_wire_size *= 15; | ||
871 | avg_wire_size += 11452; | ||
872 | - } else if (avg_wire_size <= 1980) { | ||
873 | + } else if (avg_wire_size < 1968) { | ||
874 | /* 9.2K ints/sec to 8K ints/sec */ | ||
875 | avg_wire_size *= 5; | ||
876 | avg_wire_size += 22420; | ||
877 | @@ -2658,6 +2659,8 @@ adjust_by_size: | ||
878 | case IXGBE_LINK_SPEED_2_5GB_FULL: | ||
879 | case IXGBE_LINK_SPEED_1GB_FULL: | ||
880 | case IXGBE_LINK_SPEED_10_FULL: | ||
881 | + if (avg_wire_size > 8064) | ||
882 | + avg_wire_size = 8064; | ||
883 | itr += DIV_ROUND_UP(avg_wire_size, | ||
884 | IXGBE_ITR_ADAPTIVE_MIN_INC * 64) * | ||
885 | IXGBE_ITR_ADAPTIVE_MIN_INC; | ||
886 | @@ -8599,7 +8602,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb, | ||
887 | #endif /* IXGBE_FCOE */ | ||
888 | |||
889 | #ifdef CONFIG_XFRM_OFFLOAD | ||
890 | - if (skb->sp && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) | ||
891 | + if (xfrm_offload(skb) && | ||
892 | + !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) | ||
893 | goto out_drop; | ||
894 | #endif | ||
895 | tso = ixgbe_tso(tx_ring, first, &hdr_len, &ipsec_tx); | ||
896 | diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c | ||
897 | index 2e8056d48f4a..723611ac9102 100644 | ||
898 | --- a/drivers/net/phy/phylink.c | ||
899 | +++ b/drivers/net/phy/phylink.c | ||
900 | @@ -380,8 +380,8 @@ static void phylink_get_fixed_state(struct phylink *pl, struct phylink_link_stat | ||
901 | * Local device Link partner | ||
902 | * Pause AsymDir Pause AsymDir Result | ||
903 | * 1 X 1 X TX+RX | ||
904 | - * 0 1 1 1 RX | ||
905 | - * 1 1 0 1 TX | ||
906 | + * 0 1 1 1 TX | ||
907 | + * 1 1 0 1 RX | ||
908 | */ | ||
909 | static void phylink_resolve_flow(struct phylink *pl, | ||
910 | struct phylink_link_state *state) | ||
911 | @@ -402,7 +402,7 @@ static void phylink_resolve_flow(struct phylink *pl, | ||
912 | new_pause = MLO_PAUSE_TX | MLO_PAUSE_RX; | ||
913 | else if (pause & MLO_PAUSE_ASYM) | ||
914 | new_pause = state->pause & MLO_PAUSE_SYM ? | ||
915 | - MLO_PAUSE_RX : MLO_PAUSE_TX; | ||
916 | + MLO_PAUSE_TX : MLO_PAUSE_RX; | ||
917 | } else { | ||
918 | new_pause = pl->link_config.pause & MLO_PAUSE_TXRX_MASK; | ||
919 | } | ||
920 | diff --git a/drivers/net/tun.c b/drivers/net/tun.c | ||
921 | index 5fa7047ea361..e1ac1c57089f 100644 | ||
922 | --- a/drivers/net/tun.c | ||
923 | +++ b/drivers/net/tun.c | ||
924 | @@ -801,7 +801,8 @@ static void tun_detach_all(struct net_device *dev) | ||
925 | } | ||
926 | |||
927 | static int tun_attach(struct tun_struct *tun, struct file *file, | ||
928 | - bool skip_filter, bool napi, bool napi_frags) | ||
929 | + bool skip_filter, bool napi, bool napi_frags, | ||
930 | + bool publish_tun) | ||
931 | { | ||
932 | struct tun_file *tfile = file->private_data; | ||
933 | struct net_device *dev = tun->dev; | ||
934 | @@ -881,7 +882,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file, | ||
935 | * initialized tfile; otherwise we risk using half-initialized | ||
936 | * object. | ||
937 | */ | ||
938 | - rcu_assign_pointer(tfile->tun, tun); | ||
939 | + if (publish_tun) | ||
940 | + rcu_assign_pointer(tfile->tun, tun); | ||
941 | rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile); | ||
942 | tun->numqueues++; | ||
943 | tun_set_real_num_queues(tun); | ||
944 | @@ -2553,7 +2555,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) | ||
945 | |||
946 | err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER, | ||
947 | ifr->ifr_flags & IFF_NAPI, | ||
948 | - ifr->ifr_flags & IFF_NAPI_FRAGS); | ||
949 | + ifr->ifr_flags & IFF_NAPI_FRAGS, true); | ||
950 | if (err < 0) | ||
951 | return err; | ||
952 | |||
953 | @@ -2652,13 +2654,17 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) | ||
954 | |||
955 | INIT_LIST_HEAD(&tun->disabled); | ||
956 | err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI, | ||
957 | - ifr->ifr_flags & IFF_NAPI_FRAGS); | ||
958 | + ifr->ifr_flags & IFF_NAPI_FRAGS, false); | ||
959 | if (err < 0) | ||
960 | goto err_free_flow; | ||
961 | |||
962 | err = register_netdevice(tun->dev); | ||
963 | if (err < 0) | ||
964 | goto err_detach; | ||
965 | + /* free_netdev() won't check refcnt, to aovid race | ||
966 | + * with dev_put() we need publish tun after registration. | ||
967 | + */ | ||
968 | + rcu_assign_pointer(tfile->tun, tun); | ||
969 | } | ||
970 | |||
971 | netif_carrier_on(tun->dev); | ||
972 | @@ -2802,7 +2808,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) | ||
973 | if (ret < 0) | ||
974 | goto unlock; | ||
975 | ret = tun_attach(tun, file, false, tun->flags & IFF_NAPI, | ||
976 | - tun->flags & IFF_NAPI_FRAGS); | ||
977 | + tun->flags & IFF_NAPI_FRAGS, true); | ||
978 | } else if (ifr->ifr_flags & IFF_DETACH_QUEUE) { | ||
979 | tun = rtnl_dereference(tfile->tun); | ||
980 | if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached) | ||
981 | diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c | ||
982 | index 5c42cf81a08b..85fba64c3fcf 100644 | ||
983 | --- a/drivers/net/usb/cdc_ether.c | ||
984 | +++ b/drivers/net/usb/cdc_ether.c | ||
985 | @@ -221,9 +221,16 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) | ||
986 | goto bad_desc; | ||
987 | } | ||
988 | skip: | ||
989 | - if ( rndis && | ||
990 | - header.usb_cdc_acm_descriptor && | ||
991 | - header.usb_cdc_acm_descriptor->bmCapabilities) { | ||
992 | + /* Communcation class functions with bmCapabilities are not | ||
993 | + * RNDIS. But some Wireless class RNDIS functions use | ||
994 | + * bmCapabilities for their own purpose. The failsafe is | ||
995 | + * therefore applied only to Communication class RNDIS | ||
996 | + * functions. The rndis test is redundant, but a cheap | ||
997 | + * optimization. | ||
998 | + */ | ||
999 | + if (rndis && is_rndis(&intf->cur_altsetting->desc) && | ||
1000 | + header.usb_cdc_acm_descriptor && | ||
1001 | + header.usb_cdc_acm_descriptor->bmCapabilities) { | ||
1002 | dev_dbg(&intf->dev, | ||
1003 | "ACM capabilities %02x, not really RNDIS?\n", | ||
1004 | header.usb_cdc_acm_descriptor->bmCapabilities); | ||
1005 | diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c | ||
1006 | index f360690396dd..14e56bee0548 100644 | ||
1007 | --- a/drivers/net/wireless/rsi/rsi_91x_usb.c | ||
1008 | +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c | ||
1009 | @@ -643,7 +643,6 @@ fail_rx: | ||
1010 | kfree(rsi_dev->tx_buffer); | ||
1011 | |||
1012 | fail_eps: | ||
1013 | - kfree(rsi_dev); | ||
1014 | |||
1015 | return status; | ||
1016 | } | ||
1017 | diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c | ||
1018 | index 99de51e87f7f..d32eba11c000 100644 | ||
1019 | --- a/drivers/nvmem/core.c | ||
1020 | +++ b/drivers/nvmem/core.c | ||
1021 | @@ -415,10 +415,17 @@ static int nvmem_setup_compat(struct nvmem_device *nvmem, | ||
1022 | if (!config->base_dev) | ||
1023 | return -EINVAL; | ||
1024 | |||
1025 | - if (nvmem->read_only) | ||
1026 | - nvmem->eeprom = bin_attr_ro_root_nvmem; | ||
1027 | - else | ||
1028 | - nvmem->eeprom = bin_attr_rw_root_nvmem; | ||
1029 | + if (nvmem->read_only) { | ||
1030 | + if (config->root_only) | ||
1031 | + nvmem->eeprom = bin_attr_ro_root_nvmem; | ||
1032 | + else | ||
1033 | + nvmem->eeprom = bin_attr_ro_nvmem; | ||
1034 | + } else { | ||
1035 | + if (config->root_only) | ||
1036 | + nvmem->eeprom = bin_attr_rw_root_nvmem; | ||
1037 | + else | ||
1038 | + nvmem->eeprom = bin_attr_rw_nvmem; | ||
1039 | + } | ||
1040 | nvmem->eeprom.attr.name = "eeprom"; | ||
1041 | nvmem->eeprom.size = nvmem->size; | ||
1042 | #ifdef CONFIG_DEBUG_LOCK_ALLOC | ||
1043 | diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c | ||
1044 | index 956ee7527d2c..ec317bcb1bca 100644 | ||
1045 | --- a/drivers/pci/pci-driver.c | ||
1046 | +++ b/drivers/pci/pci-driver.c | ||
1047 | @@ -399,7 +399,8 @@ void __weak pcibios_free_irq(struct pci_dev *dev) | ||
1048 | #ifdef CONFIG_PCI_IOV | ||
1049 | static inline bool pci_device_can_probe(struct pci_dev *pdev) | ||
1050 | { | ||
1051 | - return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe); | ||
1052 | + return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe || | ||
1053 | + pdev->driver_override); | ||
1054 | } | ||
1055 | #else | ||
1056 | static inline bool pci_device_can_probe(struct pci_dev *pdev) | ||
1057 | diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c | ||
1058 | index b1d804376237..6a61028cbb3c 100644 | ||
1059 | --- a/drivers/platform/x86/pmc_atom.c | ||
1060 | +++ b/drivers/platform/x86/pmc_atom.c | ||
1061 | @@ -421,6 +421,14 @@ static const struct dmi_system_id critclk_systems[] = { | ||
1062 | DMI_MATCH(DMI_BOARD_NAME, "CB3163"), | ||
1063 | }, | ||
1064 | }, | ||
1065 | + { | ||
1066 | + /* pmc_plt_clk* - are used for ethernet controllers */ | ||
1067 | + .ident = "Beckhoff CB4063", | ||
1068 | + .matches = { | ||
1069 | + DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), | ||
1070 | + DMI_MATCH(DMI_BOARD_NAME, "CB4063"), | ||
1071 | + }, | ||
1072 | + }, | ||
1073 | { | ||
1074 | /* pmc_plt_clk* - are used for ethernet controllers */ | ||
1075 | .ident = "Beckhoff CB6263", | ||
1076 | diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c | ||
1077 | index 08c5afa06aee..e561eb475339 100644 | ||
1078 | --- a/fs/btrfs/tree-log.c | ||
1079 | +++ b/fs/btrfs/tree-log.c | ||
1080 | @@ -5107,7 +5107,7 @@ again: | ||
1081 | BTRFS_I(other_inode), | ||
1082 | LOG_OTHER_INODE, 0, LLONG_MAX, | ||
1083 | ctx); | ||
1084 | - iput(other_inode); | ||
1085 | + btrfs_add_delayed_iput(other_inode); | ||
1086 | if (err) | ||
1087 | goto out_unlock; | ||
1088 | else | ||
1089 | @@ -5519,7 +5519,7 @@ process_leaf: | ||
1090 | } | ||
1091 | |||
1092 | if (btrfs_inode_in_log(BTRFS_I(di_inode), trans->transid)) { | ||
1093 | - iput(di_inode); | ||
1094 | + btrfs_add_delayed_iput(di_inode); | ||
1095 | break; | ||
1096 | } | ||
1097 | |||
1098 | @@ -5531,7 +5531,7 @@ process_leaf: | ||
1099 | if (!ret && | ||
1100 | btrfs_must_commit_transaction(trans, BTRFS_I(di_inode))) | ||
1101 | ret = 1; | ||
1102 | - iput(di_inode); | ||
1103 | + btrfs_add_delayed_iput(di_inode); | ||
1104 | if (ret) | ||
1105 | goto next_dir_inode; | ||
1106 | if (ctx->log_new_dentries) { | ||
1107 | @@ -5678,7 +5678,7 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans, | ||
1108 | if (!ret && ctx && ctx->log_new_dentries) | ||
1109 | ret = log_new_dir_dentries(trans, root, | ||
1110 | BTRFS_I(dir_inode), ctx); | ||
1111 | - iput(dir_inode); | ||
1112 | + btrfs_add_delayed_iput(dir_inode); | ||
1113 | if (ret) | ||
1114 | goto out; | ||
1115 | } | ||
1116 | diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c | ||
1117 | index bf416e512743..f15ac37956e7 100644 | ||
1118 | --- a/fs/ubifs/tnc.c | ||
1119 | +++ b/fs/ubifs/tnc.c | ||
1120 | @@ -1165,8 +1165,8 @@ static struct ubifs_znode *dirty_cow_bottom_up(struct ubifs_info *c, | ||
1121 | * o exact match, i.e. the found zero-level znode contains key @key, then %1 | ||
1122 | * is returned and slot number of the matched branch is stored in @n; | ||
1123 | * o not exact match, which means that zero-level znode does not contain | ||
1124 | - * @key, then %0 is returned and slot number of the closest branch is stored | ||
1125 | - * in @n; | ||
1126 | + * @key, then %0 is returned and slot number of the closest branch or %-1 | ||
1127 | + * is stored in @n; In this case calling tnc_next() is mandatory. | ||
1128 | * o @key is so small that it is even less than the lowest key of the | ||
1129 | * leftmost zero-level node, then %0 is returned and %0 is stored in @n. | ||
1130 | * | ||
1131 | @@ -1883,13 +1883,19 @@ int ubifs_tnc_lookup_nm(struct ubifs_info *c, const union ubifs_key *key, | ||
1132 | |||
1133 | static int search_dh_cookie(struct ubifs_info *c, const union ubifs_key *key, | ||
1134 | struct ubifs_dent_node *dent, uint32_t cookie, | ||
1135 | - struct ubifs_znode **zn, int *n) | ||
1136 | + struct ubifs_znode **zn, int *n, int exact) | ||
1137 | { | ||
1138 | int err; | ||
1139 | struct ubifs_znode *znode = *zn; | ||
1140 | struct ubifs_zbranch *zbr; | ||
1141 | union ubifs_key *dkey; | ||
1142 | |||
1143 | + if (!exact) { | ||
1144 | + err = tnc_next(c, &znode, n); | ||
1145 | + if (err) | ||
1146 | + return err; | ||
1147 | + } | ||
1148 | + | ||
1149 | for (;;) { | ||
1150 | zbr = &znode->zbranch[*n]; | ||
1151 | dkey = &zbr->key; | ||
1152 | @@ -1931,7 +1937,7 @@ static int do_lookup_dh(struct ubifs_info *c, const union ubifs_key *key, | ||
1153 | if (unlikely(err < 0)) | ||
1154 | goto out_unlock; | ||
1155 | |||
1156 | - err = search_dh_cookie(c, key, dent, cookie, &znode, &n); | ||
1157 | + err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); | ||
1158 | |||
1159 | out_unlock: | ||
1160 | mutex_unlock(&c->tnc_mutex); | ||
1161 | @@ -2718,7 +2724,7 @@ int ubifs_tnc_remove_dh(struct ubifs_info *c, const union ubifs_key *key, | ||
1162 | if (unlikely(err < 0)) | ||
1163 | goto out_free; | ||
1164 | |||
1165 | - err = search_dh_cookie(c, key, dent, cookie, &znode, &n); | ||
1166 | + err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); | ||
1167 | if (err) | ||
1168 | goto out_free; | ||
1169 | } | ||
1170 | diff --git a/include/uapi/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h | ||
1171 | index 4941628a4fb9..5ec88e7548a9 100644 | ||
1172 | --- a/include/uapi/linux/isdn/capicmd.h | ||
1173 | +++ b/include/uapi/linux/isdn/capicmd.h | ||
1174 | @@ -16,6 +16,7 @@ | ||
1175 | #define CAPI_MSG_BASELEN 8 | ||
1176 | #define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2) | ||
1177 | #define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2) | ||
1178 | +#define CAPI_DISCONNECT_B3_RESP_LEN (CAPI_MSG_BASELEN+4) | ||
1179 | |||
1180 | /*----- CAPI commands -----*/ | ||
1181 | #define CAPI_ALERT 0x01 | ||
1182 | diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c | ||
1183 | index 95414ad3506a..98c04ca5fa43 100644 | ||
1184 | --- a/kernel/irq/resend.c | ||
1185 | +++ b/kernel/irq/resend.c | ||
1186 | @@ -36,6 +36,8 @@ static void resend_irqs(unsigned long arg) | ||
1187 | irq = find_first_bit(irqs_resend, nr_irqs); | ||
1188 | clear_bit(irq, irqs_resend); | ||
1189 | desc = irq_to_desc(irq); | ||
1190 | + if (!desc) | ||
1191 | + continue; | ||
1192 | local_irq_disable(); | ||
1193 | desc->handle_irq(desc); | ||
1194 | local_irq_enable(); | ||
1195 | diff --git a/kernel/module.c b/kernel/module.c | ||
1196 | index 0d86fc73d63d..8257110bf599 100644 | ||
1197 | --- a/kernel/module.c | ||
1198 | +++ b/kernel/module.c | ||
1199 | @@ -1884,7 +1884,7 @@ static void mod_sysfs_teardown(struct module *mod) | ||
1200 | mod_sysfs_fini(mod); | ||
1201 | } | ||
1202 | |||
1203 | -#ifdef CONFIG_STRICT_MODULE_RWX | ||
1204 | +#ifdef CONFIG_ARCH_HAS_STRICT_MODULE_RWX | ||
1205 | /* | ||
1206 | * LKM RO/NX protection: protect module's text/ro-data | ||
1207 | * from modification and any data from execution. | ||
1208 | @@ -1907,6 +1907,7 @@ static void frob_text(const struct module_layout *layout, | ||
1209 | layout->text_size >> PAGE_SHIFT); | ||
1210 | } | ||
1211 | |||
1212 | +#ifdef CONFIG_STRICT_MODULE_RWX | ||
1213 | static void frob_rodata(const struct module_layout *layout, | ||
1214 | int (*set_memory)(unsigned long start, int num_pages)) | ||
1215 | { | ||
1216 | @@ -1956,13 +1957,9 @@ void module_enable_ro(const struct module *mod, bool after_init) | ||
1217 | return; | ||
1218 | |||
1219 | frob_text(&mod->core_layout, set_memory_ro); | ||
1220 | - frob_text(&mod->core_layout, set_memory_x); | ||
1221 | |||
1222 | frob_rodata(&mod->core_layout, set_memory_ro); | ||
1223 | - | ||
1224 | frob_text(&mod->init_layout, set_memory_ro); | ||
1225 | - frob_text(&mod->init_layout, set_memory_x); | ||
1226 | - | ||
1227 | frob_rodata(&mod->init_layout, set_memory_ro); | ||
1228 | |||
1229 | if (after_init) | ||
1230 | @@ -2043,11 +2040,23 @@ static void disable_ro_nx(const struct module_layout *layout) | ||
1231 | frob_writable_data(layout, set_memory_x); | ||
1232 | } | ||
1233 | |||
1234 | -#else | ||
1235 | +#else /* !CONFIG_STRICT_MODULE_RWX */ | ||
1236 | static void disable_ro_nx(const struct module_layout *layout) { } | ||
1237 | static void module_enable_nx(const struct module *mod) { } | ||
1238 | static void module_disable_nx(const struct module *mod) { } | ||
1239 | -#endif | ||
1240 | +#endif /* CONFIG_STRICT_MODULE_RWX */ | ||
1241 | + | ||
1242 | +static void module_enable_x(const struct module *mod) | ||
1243 | +{ | ||
1244 | + frob_text(&mod->core_layout, set_memory_x); | ||
1245 | + frob_text(&mod->init_layout, set_memory_x); | ||
1246 | +} | ||
1247 | +#else /* !CONFIG_ARCH_HAS_STRICT_MODULE_RWX */ | ||
1248 | +static void disable_ro_nx(const struct module_layout *layout) { } | ||
1249 | +static void module_enable_nx(const struct module *mod) { } | ||
1250 | +static void module_disable_nx(const struct module *mod) { } | ||
1251 | +static void module_enable_x(const struct module *mod) { } | ||
1252 | +#endif /* CONFIG_ARCH_HAS_STRICT_MODULE_RWX */ | ||
1253 | |||
1254 | #ifdef CONFIG_LIVEPATCH | ||
1255 | /* | ||
1256 | @@ -3604,6 +3613,7 @@ static int complete_formation(struct module *mod, struct load_info *info) | ||
1257 | |||
1258 | module_enable_ro(mod, false); | ||
1259 | module_enable_nx(mod); | ||
1260 | + module_enable_x(mod); | ||
1261 | |||
1262 | /* Mark state as coming so strong_try_module_get() ignores us, | ||
1263 | * but kallsyms etc. can see us. */ | ||
1264 | diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c | ||
1265 | index 6d9f48bd374a..55198818e3e5 100644 | ||
1266 | --- a/net/bridge/br_mdb.c | ||
1267 | +++ b/net/bridge/br_mdb.c | ||
1268 | @@ -419,7 +419,7 @@ static int nlmsg_populate_rtr_fill(struct sk_buff *skb, | ||
1269 | struct nlmsghdr *nlh; | ||
1270 | struct nlattr *nest; | ||
1271 | |||
1272 | - nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), NLM_F_MULTI); | ||
1273 | + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), 0); | ||
1274 | if (!nlh) | ||
1275 | return -EMSGSIZE; | ||
1276 | |||
1277 | diff --git a/net/core/dev.c b/net/core/dev.c | ||
1278 | index e4b4cb40da00..ddd8aab20adf 100644 | ||
1279 | --- a/net/core/dev.c | ||
1280 | +++ b/net/core/dev.c | ||
1281 | @@ -8562,6 +8562,8 @@ int register_netdevice(struct net_device *dev) | ||
1282 | ret = notifier_to_errno(ret); | ||
1283 | if (ret) { | ||
1284 | rollback_registered(dev); | ||
1285 | + rcu_barrier(); | ||
1286 | + | ||
1287 | dev->reg_state = NETREG_UNREGISTERED; | ||
1288 | } | ||
1289 | /* | ||
1290 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c | ||
1291 | index 9b9f696281a9..0629ca89ab74 100644 | ||
1292 | --- a/net/core/skbuff.c | ||
1293 | +++ b/net/core/skbuff.c | ||
1294 | @@ -3530,6 +3530,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, | ||
1295 | int pos; | ||
1296 | int dummy; | ||
1297 | |||
1298 | + if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) && | ||
1299 | + (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) { | ||
1300 | + /* gso_size is untrusted, and we have a frag_list with a linear | ||
1301 | + * non head_frag head. | ||
1302 | + * | ||
1303 | + * (we assume checking the first list_skb member suffices; | ||
1304 | + * i.e if either of the list_skb members have non head_frag | ||
1305 | + * head, then the first one has too). | ||
1306 | + * | ||
1307 | + * If head_skb's headlen does not fit requested gso_size, it | ||
1308 | + * means that the frag_list members do NOT terminate on exact | ||
1309 | + * gso_size boundaries. Hence we cannot perform skb_frag_t page | ||
1310 | + * sharing. Therefore we must fallback to copying the frag_list | ||
1311 | + * skbs; we do so by disabling SG. | ||
1312 | + */ | ||
1313 | + if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) | ||
1314 | + features &= ~NETIF_F_SG; | ||
1315 | + } | ||
1316 | + | ||
1317 | __skb_push(head_skb, doffset); | ||
1318 | proto = skb_network_protocol(head_skb, &dummy); | ||
1319 | if (unlikely(!proto)) | ||
1320 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c | ||
1321 | index 4a8869d39662..14a6a489937c 100644 | ||
1322 | --- a/net/ipv4/tcp_input.c | ||
1323 | +++ b/net/ipv4/tcp_input.c | ||
1324 | @@ -260,7 +260,7 @@ static void tcp_ecn_accept_cwr(struct sock *sk, const struct sk_buff *skb) | ||
1325 | |||
1326 | static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp) | ||
1327 | { | ||
1328 | - tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR; | ||
1329 | + tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR; | ||
1330 | } | ||
1331 | |||
1332 | static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb) | ||
1333 | diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c | ||
1334 | index 4c04bccc7417..5c9be8594483 100644 | ||
1335 | --- a/net/ipv6/ping.c | ||
1336 | +++ b/net/ipv6/ping.c | ||
1337 | @@ -228,7 +228,7 @@ static int __net_init ping_v6_proc_init_net(struct net *net) | ||
1338 | return 0; | ||
1339 | } | ||
1340 | |||
1341 | -static void __net_init ping_v6_proc_exit_net(struct net *net) | ||
1342 | +static void __net_exit ping_v6_proc_exit_net(struct net *net) | ||
1343 | { | ||
1344 | remove_proc_entry("icmp6", net->proc_net); | ||
1345 | } | ||
1346 | diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c | ||
1347 | index 77b289da7763..875f521bce0d 100644 | ||
1348 | --- a/net/sched/sch_generic.c | ||
1349 | +++ b/net/sched/sch_generic.c | ||
1350 | @@ -49,6 +49,8 @@ EXPORT_SYMBOL(default_qdisc_ops); | ||
1351 | * - updates to tree and tree walking are only done under the rtnl mutex. | ||
1352 | */ | ||
1353 | |||
1354 | +#define SKB_XOFF_MAGIC ((struct sk_buff *)1UL) | ||
1355 | + | ||
1356 | static inline struct sk_buff *__skb_dequeue_bad_txq(struct Qdisc *q) | ||
1357 | { | ||
1358 | const struct netdev_queue *txq = q->dev_queue; | ||
1359 | @@ -74,7 +76,7 @@ static inline struct sk_buff *__skb_dequeue_bad_txq(struct Qdisc *q) | ||
1360 | q->q.qlen--; | ||
1361 | } | ||
1362 | } else { | ||
1363 | - skb = NULL; | ||
1364 | + skb = SKB_XOFF_MAGIC; | ||
1365 | } | ||
1366 | } | ||
1367 | |||
1368 | @@ -272,8 +274,11 @@ validate: | ||
1369 | return skb; | ||
1370 | |||
1371 | skb = qdisc_dequeue_skb_bad_txq(q); | ||
1372 | - if (unlikely(skb)) | ||
1373 | + if (unlikely(skb)) { | ||
1374 | + if (skb == SKB_XOFF_MAGIC) | ||
1375 | + return NULL; | ||
1376 | goto bulk; | ||
1377 | + } | ||
1378 | skb = q->dequeue(q); | ||
1379 | if (skb) { | ||
1380 | bulk: | ||
1381 | diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c | ||
1382 | index c3a8388dcdf6..a80fe8aa8527 100644 | ||
1383 | --- a/net/sched/sch_hhf.c | ||
1384 | +++ b/net/sched/sch_hhf.c | ||
1385 | @@ -529,7 +529,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, | ||
1386 | new_hhf_non_hh_weight = nla_get_u32(tb[TCA_HHF_NON_HH_WEIGHT]); | ||
1387 | |||
1388 | non_hh_quantum = (u64)new_quantum * new_hhf_non_hh_weight; | ||
1389 | - if (non_hh_quantum > INT_MAX) | ||
1390 | + if (non_hh_quantum == 0 || non_hh_quantum > INT_MAX) | ||
1391 | return -EINVAL; | ||
1392 | |||
1393 | sch_tree_lock(sch); | ||
1394 | diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c | ||
1395 | index d97b2b4b7a8b..6d36f74ad295 100644 | ||
1396 | --- a/net/sctp/protocol.c | ||
1397 | +++ b/net/sctp/protocol.c | ||
1398 | @@ -1350,7 +1350,7 @@ static int __net_init sctp_ctrlsock_init(struct net *net) | ||
1399 | return status; | ||
1400 | } | ||
1401 | |||
1402 | -static void __net_init sctp_ctrlsock_exit(struct net *net) | ||
1403 | +static void __net_exit sctp_ctrlsock_exit(struct net *net) | ||
1404 | { | ||
1405 | /* Free the control endpoint. */ | ||
1406 | inet_ctl_sock_destroy(net->sctp.ctl_sock); | ||
1407 | diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c | ||
1408 | index 28adac31f0ff..de8a82bc6b42 100644 | ||
1409 | --- a/net/sctp/sm_sideeffect.c | ||
1410 | +++ b/net/sctp/sm_sideeffect.c | ||
1411 | @@ -562,7 +562,7 @@ static void sctp_do_8_2_transport_strike(struct sctp_cmd_seq *commands, | ||
1412 | if (net->sctp.pf_enable && | ||
1413 | (transport->state == SCTP_ACTIVE) && | ||
1414 | (transport->error_count < transport->pathmaxrxt) && | ||
1415 | - (transport->error_count > asoc->pf_retrans)) { | ||
1416 | + (transport->error_count > transport->pf_retrans)) { | ||
1417 | |||
1418 | sctp_assoc_control_transport(asoc, transport, | ||
1419 | SCTP_TRANSPORT_PF, | ||
1420 | diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c | ||
1421 | index 3cfeb9df64b0..e0a3dd424d8c 100644 | ||
1422 | --- a/net/tipc/name_distr.c | ||
1423 | +++ b/net/tipc/name_distr.c | ||
1424 | @@ -221,7 +221,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) | ||
1425 | publ->key); | ||
1426 | } | ||
1427 | |||
1428 | - kfree_rcu(p, rcu); | ||
1429 | + if (p) | ||
1430 | + kfree_rcu(p, rcu); | ||
1431 | } | ||
1432 | |||
1433 | /** |