Contents of /trunk/kernel-alx/patches-4.9/0149-4.9.50-all-fixes.patch
Parent Directory | Revision Log
Revision 3034 -
(show annotations)
(download)
Wed Dec 20 11:48:26 2017 UTC (6 years, 10 months ago) by niro
File size: 28989 byte(s)
Wed Dec 20 11:48:26 2017 UTC (6 years, 10 months ago) by niro
File size: 28989 byte(s)
-linux-4.9.50
1 | diff --git a/Makefile b/Makefile |
2 | index 1ebc553f5464..038d126a15fc 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,6 +1,6 @@ |
6 | VERSION = 4 |
7 | PATCHLEVEL = 9 |
8 | -SUBLEVEL = 49 |
9 | +SUBLEVEL = 50 |
10 | EXTRAVERSION = |
11 | NAME = Roaring Lionus |
12 | |
13 | diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c |
14 | index 0122ad1a6027..f7861dc83182 100644 |
15 | --- a/arch/arm/mm/fault.c |
16 | +++ b/arch/arm/mm/fault.c |
17 | @@ -314,8 +314,11 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) |
18 | * signal first. We do not need to release the mmap_sem because |
19 | * it would already be released in __lock_page_or_retry in |
20 | * mm/filemap.c. */ |
21 | - if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) |
22 | + if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) { |
23 | + if (!user_mode(regs)) |
24 | + goto no_context; |
25 | return 0; |
26 | + } |
27 | |
28 | /* |
29 | * Major/minor page fault accounting is only done on the |
30 | diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi |
31 | index 49a5d8ccae27..68e6f88bdcfe 100644 |
32 | --- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi |
33 | +++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi |
34 | @@ -170,6 +170,7 @@ |
35 | interrupt-controller; |
36 | reg = <0x1d00000 0x10000>, /* GICD */ |
37 | <0x1d40000 0x40000>; /* GICR */ |
38 | + interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_HIGH>; |
39 | }; |
40 | }; |
41 | |
42 | diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c |
43 | index d7f724b24fd7..0c84ee80e5b6 100644 |
44 | --- a/drivers/mtd/nand/mxc_nand.c |
45 | +++ b/drivers/mtd/nand/mxc_nand.c |
46 | @@ -877,6 +877,8 @@ static void mxc_do_addr_cycle(struct mtd_info *mtd, int column, int page_addr) |
47 | } |
48 | } |
49 | |
50 | +#define MXC_V1_ECCBYTES 5 |
51 | + |
52 | static int mxc_v1_ooblayout_ecc(struct mtd_info *mtd, int section, |
53 | struct mtd_oob_region *oobregion) |
54 | { |
55 | @@ -886,7 +888,7 @@ static int mxc_v1_ooblayout_ecc(struct mtd_info *mtd, int section, |
56 | return -ERANGE; |
57 | |
58 | oobregion->offset = (section * 16) + 6; |
59 | - oobregion->length = nand_chip->ecc.bytes; |
60 | + oobregion->length = MXC_V1_ECCBYTES; |
61 | |
62 | return 0; |
63 | } |
64 | @@ -908,8 +910,7 @@ static int mxc_v1_ooblayout_free(struct mtd_info *mtd, int section, |
65 | oobregion->length = 4; |
66 | } |
67 | } else { |
68 | - oobregion->offset = ((section - 1) * 16) + |
69 | - nand_chip->ecc.bytes + 6; |
70 | + oobregion->offset = ((section - 1) * 16) + MXC_V1_ECCBYTES + 6; |
71 | if (section < nand_chip->ecc.steps) |
72 | oobregion->length = (section * 16) + 6 - |
73 | oobregion->offset; |
74 | diff --git a/drivers/mtd/nand/qcom_nandc.c b/drivers/mtd/nand/qcom_nandc.c |
75 | index 57d483ac5765..6f0fd1512ad2 100644 |
76 | --- a/drivers/mtd/nand/qcom_nandc.c |
77 | +++ b/drivers/mtd/nand/qcom_nandc.c |
78 | @@ -109,7 +109,11 @@ |
79 | #define READ_ADDR 0 |
80 | |
81 | /* NAND_DEV_CMD_VLD bits */ |
82 | -#define READ_START_VLD 0 |
83 | +#define READ_START_VLD BIT(0) |
84 | +#define READ_STOP_VLD BIT(1) |
85 | +#define WRITE_START_VLD BIT(2) |
86 | +#define ERASE_START_VLD BIT(3) |
87 | +#define SEQ_READ_START_VLD BIT(4) |
88 | |
89 | /* NAND_EBI2_ECC_BUF_CFG bits */ |
90 | #define NUM_STEPS 0 |
91 | @@ -148,6 +152,10 @@ |
92 | #define FETCH_ID 0xb |
93 | #define RESET_DEVICE 0xd |
94 | |
95 | +/* Default Value for NAND_DEV_CMD_VLD */ |
96 | +#define NAND_DEV_CMD_VLD_VAL (READ_START_VLD | WRITE_START_VLD | \ |
97 | + ERASE_START_VLD | SEQ_READ_START_VLD) |
98 | + |
99 | /* |
100 | * the NAND controller performs reads/writes with ECC in 516 byte chunks. |
101 | * the driver calls the chunks 'step' or 'codeword' interchangeably |
102 | @@ -672,8 +680,7 @@ static int nandc_param(struct qcom_nand_host *host) |
103 | |
104 | /* configure CMD1 and VLD for ONFI param probing */ |
105 | nandc_set_reg(nandc, NAND_DEV_CMD_VLD, |
106 | - (nandc->vld & ~(1 << READ_START_VLD)) |
107 | - | 0 << READ_START_VLD); |
108 | + (nandc->vld & ~READ_START_VLD)); |
109 | nandc_set_reg(nandc, NAND_DEV_CMD1, |
110 | (nandc->cmd1 & ~(0xFF << READ_ADDR)) |
111 | | NAND_CMD_PARAM << READ_ADDR); |
112 | @@ -1893,7 +1900,7 @@ static int qcom_nand_host_setup(struct qcom_nand_host *host) |
113 | | wide_bus << WIDE_FLASH |
114 | | 1 << DEV0_CFG1_ECC_DISABLE; |
115 | |
116 | - host->ecc_bch_cfg = host->bch_enabled << ECC_CFG_ECC_DISABLE |
117 | + host->ecc_bch_cfg = !host->bch_enabled << ECC_CFG_ECC_DISABLE |
118 | | 0 << ECC_SW_RESET |
119 | | host->cw_data << ECC_NUM_DATA_BYTES |
120 | | 1 << ECC_FORCE_CLK_OPEN |
121 | @@ -1972,13 +1979,14 @@ static int qcom_nandc_setup(struct qcom_nand_controller *nandc) |
122 | { |
123 | /* kill onenand */ |
124 | nandc_write(nandc, SFLASHC_BURST_CFG, 0); |
125 | + nandc_write(nandc, NAND_DEV_CMD_VLD, NAND_DEV_CMD_VLD_VAL); |
126 | |
127 | /* enable ADM DMA */ |
128 | nandc_write(nandc, NAND_FLASH_CHIP_SELECT, DM_EN); |
129 | |
130 | /* save the original values of these registers */ |
131 | nandc->cmd1 = nandc_read(nandc, NAND_DEV_CMD1); |
132 | - nandc->vld = nandc_read(nandc, NAND_DEV_CMD_VLD); |
133 | + nandc->vld = NAND_DEV_CMD_VLD_VAL; |
134 | |
135 | return 0; |
136 | } |
137 | diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c |
138 | index 5a3f008d3480..eef1a68e5d95 100644 |
139 | --- a/drivers/nvme/host/fabrics.c |
140 | +++ b/drivers/nvme/host/fabrics.c |
141 | @@ -77,7 +77,7 @@ static struct nvmf_host *nvmf_host_default(void) |
142 | kref_init(&host->ref); |
143 | uuid_be_gen(&host->id); |
144 | snprintf(host->nqn, NVMF_NQN_SIZE, |
145 | - "nqn.2014-08.org.nvmexpress:NVMf:uuid:%pUb", &host->id); |
146 | + "nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id); |
147 | |
148 | mutex_lock(&nvmf_hosts_mutex); |
149 | list_add_tail(&host->list, &nvmf_hosts); |
150 | diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c |
151 | index 74ed5aae6cea..f6e111984ce2 100644 |
152 | --- a/fs/btrfs/super.c |
153 | +++ b/fs/btrfs/super.c |
154 | @@ -1834,6 +1834,8 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data) |
155 | goto restore; |
156 | } |
157 | |
158 | + btrfs_qgroup_rescan_resume(fs_info); |
159 | + |
160 | if (!fs_info->uuid_root) { |
161 | btrfs_info(fs_info, "creating UUID tree"); |
162 | ret = btrfs_create_uuid_tree(fs_info); |
163 | diff --git a/fs/nfs/file.c b/fs/nfs/file.c |
164 | index 84c1cb9237d0..1eec947c562d 100644 |
165 | --- a/fs/nfs/file.c |
166 | +++ b/fs/nfs/file.c |
167 | @@ -636,11 +636,11 @@ ssize_t nfs_file_write(struct kiocb *iocb, struct iov_iter *from) |
168 | if (result <= 0) |
169 | goto out; |
170 | |
171 | - result = generic_write_sync(iocb, result); |
172 | - if (result < 0) |
173 | - goto out; |
174 | written = result; |
175 | iocb->ki_pos += written; |
176 | + result = generic_write_sync(iocb, written); |
177 | + if (result < 0) |
178 | + goto out; |
179 | |
180 | /* Return error values */ |
181 | if (nfs_need_check_write(file, inode)) { |
182 | diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h |
183 | index 80bcc0befb07..52ea41bce038 100644 |
184 | --- a/fs/nfs/internal.h |
185 | +++ b/fs/nfs/internal.h |
186 | @@ -248,7 +248,6 @@ int nfs_iocounter_wait(struct nfs_lock_context *l_ctx); |
187 | extern const struct nfs_pageio_ops nfs_pgio_rw_ops; |
188 | struct nfs_pgio_header *nfs_pgio_header_alloc(const struct nfs_rw_ops *); |
189 | void nfs_pgio_header_free(struct nfs_pgio_header *); |
190 | -void nfs_pgio_data_destroy(struct nfs_pgio_header *); |
191 | int nfs_generic_pgio(struct nfs_pageio_descriptor *, struct nfs_pgio_header *); |
192 | int nfs_initiate_pgio(struct rpc_clnt *clnt, struct nfs_pgio_header *hdr, |
193 | struct rpc_cred *cred, const struct nfs_rpc_ops *rpc_ops, |
194 | diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c |
195 | index 142a74f3c59b..3d17fc82b9fe 100644 |
196 | --- a/fs/nfs/pagelist.c |
197 | +++ b/fs/nfs/pagelist.c |
198 | @@ -497,16 +497,6 @@ struct nfs_pgio_header *nfs_pgio_header_alloc(const struct nfs_rw_ops *ops) |
199 | } |
200 | EXPORT_SYMBOL_GPL(nfs_pgio_header_alloc); |
201 | |
202 | -/* |
203 | - * nfs_pgio_header_free - Free a read or write header |
204 | - * @hdr: The header to free |
205 | - */ |
206 | -void nfs_pgio_header_free(struct nfs_pgio_header *hdr) |
207 | -{ |
208 | - hdr->rw_ops->rw_free_header(hdr); |
209 | -} |
210 | -EXPORT_SYMBOL_GPL(nfs_pgio_header_free); |
211 | - |
212 | /** |
213 | * nfs_pgio_data_destroy - make @hdr suitable for reuse |
214 | * |
215 | @@ -515,14 +505,24 @@ EXPORT_SYMBOL_GPL(nfs_pgio_header_free); |
216 | * |
217 | * @hdr: A header that has had nfs_generic_pgio called |
218 | */ |
219 | -void nfs_pgio_data_destroy(struct nfs_pgio_header *hdr) |
220 | +static void nfs_pgio_data_destroy(struct nfs_pgio_header *hdr) |
221 | { |
222 | if (hdr->args.context) |
223 | put_nfs_open_context(hdr->args.context); |
224 | if (hdr->page_array.pagevec != hdr->page_array.page_array) |
225 | kfree(hdr->page_array.pagevec); |
226 | } |
227 | -EXPORT_SYMBOL_GPL(nfs_pgio_data_destroy); |
228 | + |
229 | +/* |
230 | + * nfs_pgio_header_free - Free a read or write header |
231 | + * @hdr: The header to free |
232 | + */ |
233 | +void nfs_pgio_header_free(struct nfs_pgio_header *hdr) |
234 | +{ |
235 | + nfs_pgio_data_destroy(hdr); |
236 | + hdr->rw_ops->rw_free_header(hdr); |
237 | +} |
238 | +EXPORT_SYMBOL_GPL(nfs_pgio_header_free); |
239 | |
240 | /** |
241 | * nfs_pgio_rpcsetup - Set up arguments for a pageio call |
242 | @@ -636,7 +636,6 @@ EXPORT_SYMBOL_GPL(nfs_initiate_pgio); |
243 | static void nfs_pgio_error(struct nfs_pgio_header *hdr) |
244 | { |
245 | set_bit(NFS_IOHDR_REDO, &hdr->flags); |
246 | - nfs_pgio_data_destroy(hdr); |
247 | hdr->completion_ops->completion(hdr); |
248 | } |
249 | |
250 | @@ -647,7 +646,6 @@ static void nfs_pgio_error(struct nfs_pgio_header *hdr) |
251 | static void nfs_pgio_release(void *calldata) |
252 | { |
253 | struct nfs_pgio_header *hdr = calldata; |
254 | - nfs_pgio_data_destroy(hdr); |
255 | hdr->completion_ops->completion(hdr); |
256 | } |
257 | |
258 | diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c |
259 | index 415d7e69bc5e..b7a07ba8783a 100644 |
260 | --- a/fs/nfs/pnfs.c |
261 | +++ b/fs/nfs/pnfs.c |
262 | @@ -2145,7 +2145,6 @@ pnfs_write_through_mds(struct nfs_pageio_descriptor *desc, |
263 | nfs_pageio_reset_write_mds(desc); |
264 | mirror->pg_recoalesce = 1; |
265 | } |
266 | - nfs_pgio_data_destroy(hdr); |
267 | hdr->release(hdr); |
268 | } |
269 | |
270 | @@ -2257,7 +2256,6 @@ pnfs_read_through_mds(struct nfs_pageio_descriptor *desc, |
271 | nfs_pageio_reset_read_mds(desc); |
272 | mirror->pg_recoalesce = 1; |
273 | } |
274 | - nfs_pgio_data_destroy(hdr); |
275 | hdr->release(hdr); |
276 | } |
277 | |
278 | diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h |
279 | index 1455b25205a8..3ebed168e508 100644 |
280 | --- a/fs/xfs/xfs_linux.h |
281 | +++ b/fs/xfs/xfs_linux.h |
282 | @@ -363,7 +363,14 @@ static inline __uint64_t howmany_64(__uint64_t x, __uint32_t y) |
283 | #endif /* DEBUG */ |
284 | |
285 | #ifdef CONFIG_XFS_RT |
286 | -#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) |
287 | + |
288 | +/* |
289 | + * make sure we ignore the inode flag if the filesystem doesn't have a |
290 | + * configured realtime device. |
291 | + */ |
292 | +#define XFS_IS_REALTIME_INODE(ip) \ |
293 | + (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \ |
294 | + (ip)->i_mount->m_rtdev_targp) |
295 | #else |
296 | #define XFS_IS_REALTIME_INODE(ip) (0) |
297 | #endif |
298 | diff --git a/kernel/locking/locktorture.c b/kernel/locking/locktorture.c |
299 | index f8c5af52a131..d3de04b12f8c 100644 |
300 | --- a/kernel/locking/locktorture.c |
301 | +++ b/kernel/locking/locktorture.c |
302 | @@ -780,6 +780,10 @@ static void lock_torture_cleanup(void) |
303 | else |
304 | lock_torture_print_module_parms(cxt.cur_ops, |
305 | "End of test: SUCCESS"); |
306 | + |
307 | + kfree(cxt.lwsa); |
308 | + kfree(cxt.lrsa); |
309 | + |
310 | end: |
311 | torture_cleanup_end(); |
312 | } |
313 | @@ -924,6 +928,8 @@ static int __init lock_torture_init(void) |
314 | GFP_KERNEL); |
315 | if (reader_tasks == NULL) { |
316 | VERBOSE_TOROUT_ERRSTRING("reader_tasks: Out of memory"); |
317 | + kfree(writer_tasks); |
318 | + writer_tasks = NULL; |
319 | firsterr = -ENOMEM; |
320 | goto unwind; |
321 | } |
322 | diff --git a/mm/memory.c b/mm/memory.c |
323 | index d064caff9d7d..1aa63e7dd790 100644 |
324 | --- a/mm/memory.c |
325 | +++ b/mm/memory.c |
326 | @@ -3596,6 +3596,11 @@ int handle_mm_fault(struct vm_area_struct *vma, unsigned long address, |
327 | /* do counter updates before entering really critical section. */ |
328 | check_sync_rss_stat(current); |
329 | |
330 | + if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE, |
331 | + flags & FAULT_FLAG_INSTRUCTION, |
332 | + flags & FAULT_FLAG_REMOTE)) |
333 | + return VM_FAULT_SIGSEGV; |
334 | + |
335 | /* |
336 | * Enable the memcg OOM handling for faults triggered in user |
337 | * space. Kernel faults are handled more gracefully. |
338 | @@ -3603,11 +3608,6 @@ int handle_mm_fault(struct vm_area_struct *vma, unsigned long address, |
339 | if (flags & FAULT_FLAG_USER) |
340 | mem_cgroup_oom_enable(); |
341 | |
342 | - if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE, |
343 | - flags & FAULT_FLAG_INSTRUCTION, |
344 | - flags & FAULT_FLAG_REMOTE)) |
345 | - return VM_FAULT_SIGSEGV; |
346 | - |
347 | if (unlikely(is_vm_hugetlb_page(vma))) |
348 | ret = hugetlb_fault(vma->vm_mm, vma, address, flags); |
349 | else |
350 | diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c |
351 | index 577f1c01454a..ffd09c1675d4 100644 |
352 | --- a/net/bluetooth/l2cap_core.c |
353 | +++ b/net/bluetooth/l2cap_core.c |
354 | @@ -58,7 +58,7 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, |
355 | u8 code, u8 ident, u16 dlen, void *data); |
356 | static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, |
357 | void *data); |
358 | -static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); |
359 | +static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); |
360 | static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); |
361 | |
362 | static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, |
363 | @@ -1473,7 +1473,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn) |
364 | |
365 | set_bit(CONF_REQ_SENT, &chan->conf_state); |
366 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
367 | - l2cap_build_conf_req(chan, buf), buf); |
368 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); |
369 | chan->num_conf_req++; |
370 | } |
371 | |
372 | @@ -2977,12 +2977,15 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, |
373 | return len; |
374 | } |
375 | |
376 | -static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) |
377 | +static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) |
378 | { |
379 | struct l2cap_conf_opt *opt = *ptr; |
380 | |
381 | BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); |
382 | |
383 | + if (size < L2CAP_CONF_OPT_SIZE + len) |
384 | + return; |
385 | + |
386 | opt->type = type; |
387 | opt->len = len; |
388 | |
389 | @@ -3007,7 +3010,7 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) |
390 | *ptr += L2CAP_CONF_OPT_SIZE + len; |
391 | } |
392 | |
393 | -static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan) |
394 | +static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) |
395 | { |
396 | struct l2cap_conf_efs efs; |
397 | |
398 | @@ -3035,7 +3038,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan) |
399 | } |
400 | |
401 | l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), |
402 | - (unsigned long) &efs); |
403 | + (unsigned long) &efs, size); |
404 | } |
405 | |
406 | static void l2cap_ack_timeout(struct work_struct *work) |
407 | @@ -3181,11 +3184,12 @@ static inline void l2cap_txwin_setup(struct l2cap_chan *chan) |
408 | chan->ack_win = chan->tx_win; |
409 | } |
410 | |
411 | -static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
412 | +static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) |
413 | { |
414 | struct l2cap_conf_req *req = data; |
415 | struct l2cap_conf_rfc rfc = { .mode = chan->mode }; |
416 | void *ptr = req->data; |
417 | + void *endptr = data + data_size; |
418 | u16 size; |
419 | |
420 | BT_DBG("chan %p", chan); |
421 | @@ -3210,7 +3214,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
422 | |
423 | done: |
424 | if (chan->imtu != L2CAP_DEFAULT_MTU) |
425 | - l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); |
426 | + l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); |
427 | |
428 | switch (chan->mode) { |
429 | case L2CAP_MODE_BASIC: |
430 | @@ -3229,7 +3233,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
431 | rfc.max_pdu_size = 0; |
432 | |
433 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), |
434 | - (unsigned long) &rfc); |
435 | + (unsigned long) &rfc, endptr - ptr); |
436 | break; |
437 | |
438 | case L2CAP_MODE_ERTM: |
439 | @@ -3249,21 +3253,21 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
440 | L2CAP_DEFAULT_TX_WINDOW); |
441 | |
442 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), |
443 | - (unsigned long) &rfc); |
444 | + (unsigned long) &rfc, endptr - ptr); |
445 | |
446 | if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) |
447 | - l2cap_add_opt_efs(&ptr, chan); |
448 | + l2cap_add_opt_efs(&ptr, chan, endptr - ptr); |
449 | |
450 | if (test_bit(FLAG_EXT_CTRL, &chan->flags)) |
451 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, |
452 | - chan->tx_win); |
453 | + chan->tx_win, endptr - ptr); |
454 | |
455 | if (chan->conn->feat_mask & L2CAP_FEAT_FCS) |
456 | if (chan->fcs == L2CAP_FCS_NONE || |
457 | test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { |
458 | chan->fcs = L2CAP_FCS_NONE; |
459 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, |
460 | - chan->fcs); |
461 | + chan->fcs, endptr - ptr); |
462 | } |
463 | break; |
464 | |
465 | @@ -3281,17 +3285,17 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
466 | rfc.max_pdu_size = cpu_to_le16(size); |
467 | |
468 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), |
469 | - (unsigned long) &rfc); |
470 | + (unsigned long) &rfc, endptr - ptr); |
471 | |
472 | if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) |
473 | - l2cap_add_opt_efs(&ptr, chan); |
474 | + l2cap_add_opt_efs(&ptr, chan, endptr - ptr); |
475 | |
476 | if (chan->conn->feat_mask & L2CAP_FEAT_FCS) |
477 | if (chan->fcs == L2CAP_FCS_NONE || |
478 | test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { |
479 | chan->fcs = L2CAP_FCS_NONE; |
480 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, |
481 | - chan->fcs); |
482 | + chan->fcs, endptr - ptr); |
483 | } |
484 | break; |
485 | } |
486 | @@ -3302,10 +3306,11 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) |
487 | return ptr - data; |
488 | } |
489 | |
490 | -static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
491 | +static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) |
492 | { |
493 | struct l2cap_conf_rsp *rsp = data; |
494 | void *ptr = rsp->data; |
495 | + void *endptr = data + data_size; |
496 | void *req = chan->conf_req; |
497 | int len = chan->conf_len; |
498 | int type, hint, olen; |
499 | @@ -3407,7 +3412,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
500 | return -ECONNREFUSED; |
501 | |
502 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), |
503 | - (unsigned long) &rfc); |
504 | + (unsigned long) &rfc, endptr - ptr); |
505 | } |
506 | |
507 | if (result == L2CAP_CONF_SUCCESS) { |
508 | @@ -3420,7 +3425,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
509 | chan->omtu = mtu; |
510 | set_bit(CONF_MTU_DONE, &chan->conf_state); |
511 | } |
512 | - l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); |
513 | + l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); |
514 | |
515 | if (remote_efs) { |
516 | if (chan->local_stype != L2CAP_SERV_NOTRAFIC && |
517 | @@ -3434,7 +3439,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
518 | |
519 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, |
520 | sizeof(efs), |
521 | - (unsigned long) &efs); |
522 | + (unsigned long) &efs, endptr - ptr); |
523 | } else { |
524 | /* Send PENDING Conf Rsp */ |
525 | result = L2CAP_CONF_PENDING; |
526 | @@ -3467,7 +3472,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
527 | set_bit(CONF_MODE_DONE, &chan->conf_state); |
528 | |
529 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, |
530 | - sizeof(rfc), (unsigned long) &rfc); |
531 | + sizeof(rfc), (unsigned long) &rfc, endptr - ptr); |
532 | |
533 | if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { |
534 | chan->remote_id = efs.id; |
535 | @@ -3481,7 +3486,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
536 | le32_to_cpu(efs.sdu_itime); |
537 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, |
538 | sizeof(efs), |
539 | - (unsigned long) &efs); |
540 | + (unsigned long) &efs, endptr - ptr); |
541 | } |
542 | break; |
543 | |
544 | @@ -3495,7 +3500,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
545 | set_bit(CONF_MODE_DONE, &chan->conf_state); |
546 | |
547 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), |
548 | - (unsigned long) &rfc); |
549 | + (unsigned long) &rfc, endptr - ptr); |
550 | |
551 | break; |
552 | |
553 | @@ -3517,10 +3522,11 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) |
554 | } |
555 | |
556 | static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
557 | - void *data, u16 *result) |
558 | + void *data, size_t size, u16 *result) |
559 | { |
560 | struct l2cap_conf_req *req = data; |
561 | void *ptr = req->data; |
562 | + void *endptr = data + size; |
563 | int type, olen; |
564 | unsigned long val; |
565 | struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; |
566 | @@ -3538,13 +3544,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
567 | chan->imtu = L2CAP_DEFAULT_MIN_MTU; |
568 | } else |
569 | chan->imtu = val; |
570 | - l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); |
571 | + l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); |
572 | break; |
573 | |
574 | case L2CAP_CONF_FLUSH_TO: |
575 | chan->flush_to = val; |
576 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, |
577 | - 2, chan->flush_to); |
578 | + 2, chan->flush_to, endptr - ptr); |
579 | break; |
580 | |
581 | case L2CAP_CONF_RFC: |
582 | @@ -3558,13 +3564,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
583 | chan->fcs = 0; |
584 | |
585 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, |
586 | - sizeof(rfc), (unsigned long) &rfc); |
587 | + sizeof(rfc), (unsigned long) &rfc, endptr - ptr); |
588 | break; |
589 | |
590 | case L2CAP_CONF_EWS: |
591 | chan->ack_win = min_t(u16, val, chan->ack_win); |
592 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, |
593 | - chan->tx_win); |
594 | + chan->tx_win, endptr - ptr); |
595 | break; |
596 | |
597 | case L2CAP_CONF_EFS: |
598 | @@ -3577,7 +3583,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
599 | return -ECONNREFUSED; |
600 | |
601 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), |
602 | - (unsigned long) &efs); |
603 | + (unsigned long) &efs, endptr - ptr); |
604 | break; |
605 | |
606 | case L2CAP_CONF_FCS: |
607 | @@ -3682,7 +3688,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) |
608 | return; |
609 | |
610 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
611 | - l2cap_build_conf_req(chan, buf), buf); |
612 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); |
613 | chan->num_conf_req++; |
614 | } |
615 | |
616 | @@ -3890,7 +3896,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, |
617 | u8 buf[128]; |
618 | set_bit(CONF_REQ_SENT, &chan->conf_state); |
619 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
620 | - l2cap_build_conf_req(chan, buf), buf); |
621 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); |
622 | chan->num_conf_req++; |
623 | } |
624 | |
625 | @@ -3968,7 +3974,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, |
626 | break; |
627 | |
628 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
629 | - l2cap_build_conf_req(chan, req), req); |
630 | + l2cap_build_conf_req(chan, req, sizeof(req)), req); |
631 | chan->num_conf_req++; |
632 | break; |
633 | |
634 | @@ -4080,7 +4086,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, |
635 | } |
636 | |
637 | /* Complete config. */ |
638 | - len = l2cap_parse_conf_req(chan, rsp); |
639 | + len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); |
640 | if (len < 0) { |
641 | l2cap_send_disconn_req(chan, ECONNRESET); |
642 | goto unlock; |
643 | @@ -4114,7 +4120,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, |
644 | if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { |
645 | u8 buf[64]; |
646 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
647 | - l2cap_build_conf_req(chan, buf), buf); |
648 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); |
649 | chan->num_conf_req++; |
650 | } |
651 | |
652 | @@ -4174,7 +4180,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, |
653 | char buf[64]; |
654 | |
655 | len = l2cap_parse_conf_rsp(chan, rsp->data, len, |
656 | - buf, &result); |
657 | + buf, sizeof(buf), &result); |
658 | if (len < 0) { |
659 | l2cap_send_disconn_req(chan, ECONNRESET); |
660 | goto done; |
661 | @@ -4204,7 +4210,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, |
662 | /* throw out any old stored conf requests */ |
663 | result = L2CAP_CONF_SUCCESS; |
664 | len = l2cap_parse_conf_rsp(chan, rsp->data, len, |
665 | - req, &result); |
666 | + req, sizeof(req), &result); |
667 | if (len < 0) { |
668 | l2cap_send_disconn_req(chan, ECONNRESET); |
669 | goto done; |
670 | @@ -4781,7 +4787,7 @@ static void l2cap_do_create(struct l2cap_chan *chan, int result, |
671 | set_bit(CONF_REQ_SENT, &chan->conf_state); |
672 | l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn), |
673 | L2CAP_CONF_REQ, |
674 | - l2cap_build_conf_req(chan, buf), buf); |
675 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); |
676 | chan->num_conf_req++; |
677 | } |
678 | } |
679 | @@ -7457,7 +7463,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) |
680 | set_bit(CONF_REQ_SENT, &chan->conf_state); |
681 | l2cap_send_cmd(conn, l2cap_get_ident(conn), |
682 | L2CAP_CONF_REQ, |
683 | - l2cap_build_conf_req(chan, buf), |
684 | + l2cap_build_conf_req(chan, buf, sizeof(buf)), |
685 | buf); |
686 | chan->num_conf_req++; |
687 | } |
688 | diff --git a/sound/isa/msnd/msnd_midi.c b/sound/isa/msnd/msnd_midi.c |
689 | index ffc67fd80c23..58e59cd3c95c 100644 |
690 | --- a/sound/isa/msnd/msnd_midi.c |
691 | +++ b/sound/isa/msnd/msnd_midi.c |
692 | @@ -120,24 +120,24 @@ void snd_msndmidi_input_read(void *mpuv) |
693 | unsigned long flags; |
694 | struct snd_msndmidi *mpu = mpuv; |
695 | void *pwMIDQData = mpu->dev->mappedbase + MIDQ_DATA_BUFF; |
696 | + u16 head, tail, size; |
697 | |
698 | spin_lock_irqsave(&mpu->input_lock, flags); |
699 | - while (readw(mpu->dev->MIDQ + JQS_wTail) != |
700 | - readw(mpu->dev->MIDQ + JQS_wHead)) { |
701 | - u16 wTmp, val; |
702 | - val = readw(pwMIDQData + 2 * readw(mpu->dev->MIDQ + JQS_wHead)); |
703 | - |
704 | - if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, |
705 | - &mpu->mode)) |
706 | - snd_rawmidi_receive(mpu->substream_input, |
707 | - (unsigned char *)&val, 1); |
708 | - |
709 | - wTmp = readw(mpu->dev->MIDQ + JQS_wHead) + 1; |
710 | - if (wTmp > readw(mpu->dev->MIDQ + JQS_wSize)) |
711 | - writew(0, mpu->dev->MIDQ + JQS_wHead); |
712 | - else |
713 | - writew(wTmp, mpu->dev->MIDQ + JQS_wHead); |
714 | + head = readw(mpu->dev->MIDQ + JQS_wHead); |
715 | + tail = readw(mpu->dev->MIDQ + JQS_wTail); |
716 | + size = readw(mpu->dev->MIDQ + JQS_wSize); |
717 | + if (head > size || tail > size) |
718 | + goto out; |
719 | + while (head != tail) { |
720 | + unsigned char val = readw(pwMIDQData + 2 * head); |
721 | + |
722 | + if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, &mpu->mode)) |
723 | + snd_rawmidi_receive(mpu->substream_input, &val, 1); |
724 | + if (++head > size) |
725 | + head = 0; |
726 | + writew(head, mpu->dev->MIDQ + JQS_wHead); |
727 | } |
728 | + out: |
729 | spin_unlock_irqrestore(&mpu->input_lock, flags); |
730 | } |
731 | EXPORT_SYMBOL(snd_msndmidi_input_read); |
732 | diff --git a/sound/isa/msnd/msnd_pinnacle.c b/sound/isa/msnd/msnd_pinnacle.c |
733 | index 4c072666115d..a31ea6c22d19 100644 |
734 | --- a/sound/isa/msnd/msnd_pinnacle.c |
735 | +++ b/sound/isa/msnd/msnd_pinnacle.c |
736 | @@ -170,23 +170,24 @@ static irqreturn_t snd_msnd_interrupt(int irq, void *dev_id) |
737 | { |
738 | struct snd_msnd *chip = dev_id; |
739 | void *pwDSPQData = chip->mappedbase + DSPQ_DATA_BUFF; |
740 | + u16 head, tail, size; |
741 | |
742 | /* Send ack to DSP */ |
743 | /* inb(chip->io + HP_RXL); */ |
744 | |
745 | /* Evaluate queued DSP messages */ |
746 | - while (readw(chip->DSPQ + JQS_wTail) != readw(chip->DSPQ + JQS_wHead)) { |
747 | - u16 wTmp; |
748 | - |
749 | - snd_msnd_eval_dsp_msg(chip, |
750 | - readw(pwDSPQData + 2 * readw(chip->DSPQ + JQS_wHead))); |
751 | - |
752 | - wTmp = readw(chip->DSPQ + JQS_wHead) + 1; |
753 | - if (wTmp > readw(chip->DSPQ + JQS_wSize)) |
754 | - writew(0, chip->DSPQ + JQS_wHead); |
755 | - else |
756 | - writew(wTmp, chip->DSPQ + JQS_wHead); |
757 | + head = readw(chip->DSPQ + JQS_wHead); |
758 | + tail = readw(chip->DSPQ + JQS_wTail); |
759 | + size = readw(chip->DSPQ + JQS_wSize); |
760 | + if (head > size || tail > size) |
761 | + goto out; |
762 | + while (head != tail) { |
763 | + snd_msnd_eval_dsp_msg(chip, readw(pwDSPQData + 2 * head)); |
764 | + if (++head > size) |
765 | + head = 0; |
766 | + writew(head, chip->DSPQ + JQS_wHead); |
767 | } |
768 | + out: |
769 | /* Send ack to DSP */ |
770 | inb(chip->io + HP_RXL); |
771 | return IRQ_HANDLED; |
772 | diff --git a/tools/testing/selftests/x86/fsgsbase.c b/tools/testing/selftests/x86/fsgsbase.c |
773 | index 5b2b4b3c634c..9b4610c6d3fb 100644 |
774 | --- a/tools/testing/selftests/x86/fsgsbase.c |
775 | +++ b/tools/testing/selftests/x86/fsgsbase.c |
776 | @@ -285,9 +285,12 @@ static void *threadproc(void *ctx) |
777 | } |
778 | } |
779 | |
780 | -static void set_gs_and_switch_to(unsigned long local, unsigned long remote) |
781 | +static void set_gs_and_switch_to(unsigned long local, |
782 | + unsigned short force_sel, |
783 | + unsigned long remote) |
784 | { |
785 | unsigned long base; |
786 | + unsigned short sel_pre_sched, sel_post_sched; |
787 | |
788 | bool hard_zero = false; |
789 | if (local == HARD_ZERO) { |
790 | @@ -297,6 +300,8 @@ static void set_gs_and_switch_to(unsigned long local, unsigned long remote) |
791 | |
792 | printf("[RUN]\tARCH_SET_GS(0x%lx)%s, then schedule to 0x%lx\n", |
793 | local, hard_zero ? " and clear gs" : "", remote); |
794 | + if (force_sel) |
795 | + printf("\tBefore schedule, set selector to 0x%hx\n", force_sel); |
796 | if (syscall(SYS_arch_prctl, ARCH_SET_GS, local) != 0) |
797 | err(1, "ARCH_SET_GS"); |
798 | if (hard_zero) |
799 | @@ -307,18 +312,35 @@ static void set_gs_and_switch_to(unsigned long local, unsigned long remote) |
800 | printf("[FAIL]\tGSBASE wasn't set as expected\n"); |
801 | } |
802 | |
803 | + if (force_sel) { |
804 | + asm volatile ("mov %0, %%gs" : : "rm" (force_sel)); |
805 | + sel_pre_sched = force_sel; |
806 | + local = read_base(GS); |
807 | + |
808 | + /* |
809 | + * Signal delivery seems to mess up weird selectors. Put it |
810 | + * back. |
811 | + */ |
812 | + asm volatile ("mov %0, %%gs" : : "rm" (force_sel)); |
813 | + } else { |
814 | + asm volatile ("mov %%gs, %0" : "=rm" (sel_pre_sched)); |
815 | + } |
816 | + |
817 | remote_base = remote; |
818 | ftx = 1; |
819 | syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0); |
820 | while (ftx != 0) |
821 | syscall(SYS_futex, &ftx, FUTEX_WAIT, 1, NULL, NULL, 0); |
822 | |
823 | + asm volatile ("mov %%gs, %0" : "=rm" (sel_post_sched)); |
824 | base = read_base(GS); |
825 | - if (base == local) { |
826 | - printf("[OK]\tGSBASE remained 0x%lx\n", local); |
827 | + if (base == local && sel_pre_sched == sel_post_sched) { |
828 | + printf("[OK]\tGS/BASE remained 0x%hx/0x%lx\n", |
829 | + sel_pre_sched, local); |
830 | } else { |
831 | nerrs++; |
832 | - printf("[FAIL]\tGSBASE changed to 0x%lx\n", base); |
833 | + printf("[FAIL]\tGS/BASE changed from 0x%hx/0x%lx to 0x%hx/0x%lx\n", |
834 | + sel_pre_sched, local, sel_post_sched, base); |
835 | } |
836 | } |
837 | |
838 | @@ -381,8 +403,15 @@ int main() |
839 | |
840 | for (int local = 0; local < 4; local++) { |
841 | for (int remote = 0; remote < 4; remote++) { |
842 | - set_gs_and_switch_to(bases_with_hard_zero[local], |
843 | - bases_with_hard_zero[remote]); |
844 | + for (unsigned short s = 0; s < 5; s++) { |
845 | + unsigned short sel = s; |
846 | + if (s == 4) |
847 | + asm ("mov %%ss, %0" : "=rm" (sel)); |
848 | + set_gs_and_switch_to( |
849 | + bases_with_hard_zero[local], |
850 | + sel, |
851 | + bases_with_hard_zero[remote]); |
852 | + } |
853 | } |
854 | } |
855 |