Annotation of /trunk/kernel-alx/patches-4.9/0199-4.9.100-all-fixes.patch
Parent Directory | Revision Log
Revision 3176 -
(hide annotations)
(download)
Wed Aug 8 14:17:30 2018 UTC (6 years, 1 month ago) by niro
File size: 40406 byte(s)
Wed Aug 8 14:17:30 2018 UTC (6 years, 1 month ago) by niro
File size: 40406 byte(s)
-linux-4.9.100
1 | niro | 3176 | diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt |
2 | index d11af52427b4..ac9489fad31b 100644 | ||
3 | --- a/Documentation/arm64/silicon-errata.txt | ||
4 | +++ b/Documentation/arm64/silicon-errata.txt | ||
5 | @@ -54,6 +54,7 @@ stable kernels. | ||
6 | | ARM | Cortex-A57 | #852523 | N/A | | ||
7 | | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | | ||
8 | | ARM | Cortex-A72 | #853709 | N/A | | ||
9 | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | | ||
10 | | ARM | MMU-500 | #841119,#826419 | N/A | | ||
11 | | | | | | | ||
12 | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | | ||
13 | diff --git a/Makefile b/Makefile | ||
14 | index d51e99f4a987..52a41396680c 100644 | ||
15 | --- a/Makefile | ||
16 | +++ b/Makefile | ||
17 | @@ -1,6 +1,6 @@ | ||
18 | VERSION = 4 | ||
19 | PATCHLEVEL = 9 | ||
20 | -SUBLEVEL = 99 | ||
21 | +SUBLEVEL = 100 | ||
22 | EXTRAVERSION = | ||
23 | NAME = Roaring Lionus | ||
24 | |||
25 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig | ||
26 | index 90e58bbbd858..d0df3611d1e2 100644 | ||
27 | --- a/arch/arm64/Kconfig | ||
28 | +++ b/arch/arm64/Kconfig | ||
29 | @@ -427,6 +427,20 @@ config ARM64_ERRATUM_843419 | ||
30 | |||
31 | If unsure, say Y. | ||
32 | |||
33 | +config ARM64_ERRATUM_1024718 | ||
34 | + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" | ||
35 | + default y | ||
36 | + help | ||
37 | + This option adds work around for Arm Cortex-A55 Erratum 1024718. | ||
38 | + | ||
39 | + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect | ||
40 | + update of the hardware dirty bit when the DBM/AP bits are updated | ||
41 | + without a break-before-make. The work around is to disable the usage | ||
42 | + of hardware DBM locally on the affected cores. CPUs not affected by | ||
43 | + erratum will continue to use the feature. | ||
44 | + | ||
45 | + If unsure, say Y. | ||
46 | + | ||
47 | config CAVIUM_ERRATUM_22375 | ||
48 | bool "Cavium erratum 22375, 24313" | ||
49 | default y | ||
50 | diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h | ||
51 | index e60375ce0dd2..bfcfec3590f6 100644 | ||
52 | --- a/arch/arm64/include/asm/assembler.h | ||
53 | +++ b/arch/arm64/include/asm/assembler.h | ||
54 | @@ -25,6 +25,7 @@ | ||
55 | |||
56 | #include <asm/asm-offsets.h> | ||
57 | #include <asm/cpufeature.h> | ||
58 | +#include <asm/cputype.h> | ||
59 | #include <asm/page.h> | ||
60 | #include <asm/pgtable-hwdef.h> | ||
61 | #include <asm/ptrace.h> | ||
62 | @@ -435,4 +436,43 @@ alternative_endif | ||
63 | and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) | ||
64 | .endm | ||
65 | |||
66 | +/* | ||
67 | + * Check the MIDR_EL1 of the current CPU for a given model and a range of | ||
68 | + * variant/revision. See asm/cputype.h for the macros used below. | ||
69 | + * | ||
70 | + * model: MIDR_CPU_MODEL of CPU | ||
71 | + * rv_min: Minimum of MIDR_CPU_VAR_REV() | ||
72 | + * rv_max: Maximum of MIDR_CPU_VAR_REV() | ||
73 | + * res: Result register. | ||
74 | + * tmp1, tmp2, tmp3: Temporary registers | ||
75 | + * | ||
76 | + * Corrupts: res, tmp1, tmp2, tmp3 | ||
77 | + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise | ||
78 | + */ | ||
79 | + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 | ||
80 | + mrs \res, midr_el1 | ||
81 | + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) | ||
82 | + mov_q \tmp2, MIDR_CPU_MODEL_MASK | ||
83 | + and \tmp3, \res, \tmp2 // Extract model | ||
84 | + and \tmp1, \res, \tmp1 // rev & variant | ||
85 | + mov_q \tmp2, \model | ||
86 | + cmp \tmp3, \tmp2 | ||
87 | + cset \res, eq | ||
88 | + cbz \res, .Ldone\@ // Model matches ? | ||
89 | + | ||
90 | + .if (\rv_min != 0) // Skip min check if rv_min == 0 | ||
91 | + mov_q \tmp3, \rv_min | ||
92 | + cmp \tmp1, \tmp3 | ||
93 | + cset \res, ge | ||
94 | + .endif // \rv_min != 0 | ||
95 | + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ | ||
96 | + .if ((\rv_min != \rv_max) || \rv_min == 0) | ||
97 | + mov_q \tmp2, \rv_max | ||
98 | + cmp \tmp1, \tmp2 | ||
99 | + cset \tmp2, le | ||
100 | + and \res, \res, \tmp2 | ||
101 | + .endif | ||
102 | +.Ldone\@: | ||
103 | + .endm | ||
104 | + | ||
105 | #endif /* __ASM_ASSEMBLER_H */ | ||
106 | diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h | ||
107 | index 9ee3038a6b98..39d1db68748d 100644 | ||
108 | --- a/arch/arm64/include/asm/cputype.h | ||
109 | +++ b/arch/arm64/include/asm/cputype.h | ||
110 | @@ -56,6 +56,9 @@ | ||
111 | (0xf << MIDR_ARCHITECTURE_SHIFT) | \ | ||
112 | ((partnum) << MIDR_PARTNUM_SHIFT)) | ||
113 | |||
114 | +#define MIDR_CPU_VAR_REV(var, rev) \ | ||
115 | + (((var) << MIDR_VARIANT_SHIFT) | (rev)) | ||
116 | + | ||
117 | #define MIDR_CPU_MODEL_MASK (MIDR_IMPLEMENTOR_MASK | MIDR_PARTNUM_MASK | \ | ||
118 | MIDR_ARCHITECTURE_MASK) | ||
119 | |||
120 | @@ -74,6 +77,7 @@ | ||
121 | |||
122 | #define ARM_CPU_PART_AEM_V8 0xD0F | ||
123 | #define ARM_CPU_PART_FOUNDATION 0xD00 | ||
124 | +#define ARM_CPU_PART_CORTEX_A55 0xD05 | ||
125 | #define ARM_CPU_PART_CORTEX_A57 0xD07 | ||
126 | #define ARM_CPU_PART_CORTEX_A72 0xD08 | ||
127 | #define ARM_CPU_PART_CORTEX_A53 0xD03 | ||
128 | @@ -89,6 +93,7 @@ | ||
129 | #define BRCM_CPU_PART_VULCAN 0x516 | ||
130 | |||
131 | #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) | ||
132 | +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) | ||
133 | #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) | ||
134 | #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) | ||
135 | #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) | ||
136 | diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S | ||
137 | index 619da1cbd32b..66cce2138f95 100644 | ||
138 | --- a/arch/arm64/mm/proc.S | ||
139 | +++ b/arch/arm64/mm/proc.S | ||
140 | @@ -425,6 +425,11 @@ ENTRY(__cpu_setup) | ||
141 | cbz x9, 2f | ||
142 | cmp x9, #2 | ||
143 | b.lt 1f | ||
144 | +#ifdef CONFIG_ARM64_ERRATUM_1024718 | ||
145 | + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ | ||
146 | + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 | ||
147 | + cbnz x1, 1f | ||
148 | +#endif | ||
149 | orr x10, x10, #TCR_HD // hardware Dirty flag update | ||
150 | 1: orr x10, x10, #TCR_HA // hardware Access flag update | ||
151 | 2: | ||
152 | diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
153 | index 55fbc0c78721..79a180cf4c94 100644 | ||
154 | --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
155 | +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S | ||
156 | @@ -299,7 +299,6 @@ kvm_novcpu_exit: | ||
157 | stw r12, STACK_SLOT_TRAP(r1) | ||
158 | bl kvmhv_commence_exit | ||
159 | nop | ||
160 | - lwz r12, STACK_SLOT_TRAP(r1) | ||
161 | b kvmhv_switch_to_host | ||
162 | |||
163 | /* | ||
164 | @@ -1023,6 +1022,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) | ||
165 | |||
166 | secondary_too_late: | ||
167 | li r12, 0 | ||
168 | + stw r12, STACK_SLOT_TRAP(r1) | ||
169 | cmpdi r4, 0 | ||
170 | beq 11f | ||
171 | stw r12, VCPU_TRAP(r4) | ||
172 | @@ -1266,12 +1266,12 @@ mc_cont: | ||
173 | bl kvmhv_accumulate_time | ||
174 | #endif | ||
175 | |||
176 | + stw r12, STACK_SLOT_TRAP(r1) | ||
177 | mr r3, r12 | ||
178 | /* Increment exit count, poke other threads to exit */ | ||
179 | bl kvmhv_commence_exit | ||
180 | nop | ||
181 | ld r9, HSTATE_KVM_VCPU(r13) | ||
182 | - lwz r12, VCPU_TRAP(r9) | ||
183 | |||
184 | /* Stop others sending VCPU interrupts to this physical CPU */ | ||
185 | li r0, -1 | ||
186 | @@ -1549,6 +1549,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) | ||
187 | * POWER7/POWER8 guest -> host partition switch code. | ||
188 | * We don't have to lock against tlbies but we do | ||
189 | * have to coordinate the hardware threads. | ||
190 | + * Here STACK_SLOT_TRAP(r1) contains the trap number. | ||
191 | */ | ||
192 | kvmhv_switch_to_host: | ||
193 | /* Secondary threads wait for primary to do partition switch */ | ||
194 | @@ -1599,11 +1600,11 @@ BEGIN_FTR_SECTION | ||
195 | END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) | ||
196 | |||
197 | /* If HMI, call kvmppc_realmode_hmi_handler() */ | ||
198 | + lwz r12, STACK_SLOT_TRAP(r1) | ||
199 | cmpwi r12, BOOK3S_INTERRUPT_HMI | ||
200 | bne 27f | ||
201 | bl kvmppc_realmode_hmi_handler | ||
202 | nop | ||
203 | - li r12, BOOK3S_INTERRUPT_HMI | ||
204 | /* | ||
205 | * At this point kvmppc_realmode_hmi_handler would have resync-ed | ||
206 | * the TB. Hence it is not required to subtract guest timebase | ||
207 | @@ -1678,6 +1679,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) | ||
208 | li r0, KVM_GUEST_MODE_NONE | ||
209 | stb r0, HSTATE_IN_GUEST(r13) | ||
210 | |||
211 | + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ | ||
212 | ld r0, SFS+PPC_LR_STKOFF(r1) | ||
213 | addi r1, r1, SFS | ||
214 | mtlr r0 | ||
215 | diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c | ||
216 | index f73796db8758..02e547f9ca3f 100644 | ||
217 | --- a/arch/x86/events/core.c | ||
218 | +++ b/arch/x86/events/core.c | ||
219 | @@ -26,6 +26,7 @@ | ||
220 | #include <linux/cpu.h> | ||
221 | #include <linux/bitops.h> | ||
222 | #include <linux/device.h> | ||
223 | +#include <linux/nospec.h> | ||
224 | |||
225 | #include <asm/apic.h> | ||
226 | #include <asm/stacktrace.h> | ||
227 | @@ -303,17 +304,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) | ||
228 | |||
229 | config = attr->config; | ||
230 | |||
231 | - cache_type = (config >> 0) & 0xff; | ||
232 | + cache_type = (config >> 0) & 0xff; | ||
233 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) | ||
234 | return -EINVAL; | ||
235 | + cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); | ||
236 | |||
237 | cache_op = (config >> 8) & 0xff; | ||
238 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) | ||
239 | return -EINVAL; | ||
240 | + cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); | ||
241 | |||
242 | cache_result = (config >> 16) & 0xff; | ||
243 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) | ||
244 | return -EINVAL; | ||
245 | + cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); | ||
246 | |||
247 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; | ||
248 | |||
249 | @@ -420,6 +424,8 @@ int x86_setup_perfctr(struct perf_event *event) | ||
250 | if (attr->config >= x86_pmu.max_events) | ||
251 | return -EINVAL; | ||
252 | |||
253 | + attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events); | ||
254 | + | ||
255 | /* | ||
256 | * The generic map: | ||
257 | */ | ||
258 | diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c | ||
259 | index 1076c9a77292..47d526c700a1 100644 | ||
260 | --- a/arch/x86/events/intel/cstate.c | ||
261 | +++ b/arch/x86/events/intel/cstate.c | ||
262 | @@ -90,6 +90,7 @@ | ||
263 | #include <linux/module.h> | ||
264 | #include <linux/slab.h> | ||
265 | #include <linux/perf_event.h> | ||
266 | +#include <linux/nospec.h> | ||
267 | #include <asm/cpu_device_id.h> | ||
268 | #include <asm/intel-family.h> | ||
269 | #include "../perf_event.h" | ||
270 | @@ -300,6 +301,7 @@ static int cstate_pmu_event_init(struct perf_event *event) | ||
271 | } else if (event->pmu == &cstate_pkg_pmu) { | ||
272 | if (cfg >= PERF_CSTATE_PKG_EVENT_MAX) | ||
273 | return -EINVAL; | ||
274 | + cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX); | ||
275 | if (!pkg_msr[cfg].attr) | ||
276 | return -EINVAL; | ||
277 | event->hw.event_base = pkg_msr[cfg].msr; | ||
278 | diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c | ||
279 | index 4bb3ec69e8ea..be0b1968d60a 100644 | ||
280 | --- a/arch/x86/events/msr.c | ||
281 | +++ b/arch/x86/events/msr.c | ||
282 | @@ -1,4 +1,5 @@ | ||
283 | #include <linux/perf_event.h> | ||
284 | +#include <linux/nospec.h> | ||
285 | #include <asm/intel-family.h> | ||
286 | |||
287 | enum perf_msr_id { | ||
288 | @@ -136,9 +137,6 @@ static int msr_event_init(struct perf_event *event) | ||
289 | if (event->attr.type != event->pmu->type) | ||
290 | return -ENOENT; | ||
291 | |||
292 | - if (cfg >= PERF_MSR_EVENT_MAX) | ||
293 | - return -EINVAL; | ||
294 | - | ||
295 | /* unsupported modes and filters */ | ||
296 | if (event->attr.exclude_user || | ||
297 | event->attr.exclude_kernel || | ||
298 | @@ -149,6 +147,11 @@ static int msr_event_init(struct perf_event *event) | ||
299 | event->attr.sample_period) /* no sampling */ | ||
300 | return -EINVAL; | ||
301 | |||
302 | + if (cfg >= PERF_MSR_EVENT_MAX) | ||
303 | + return -EINVAL; | ||
304 | + | ||
305 | + cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX); | ||
306 | + | ||
307 | if (!msr[cfg].attr) | ||
308 | return -EINVAL; | ||
309 | |||
310 | diff --git a/crypto/af_alg.c b/crypto/af_alg.c | ||
311 | index ca50eeb13097..b5953f1d1a18 100644 | ||
312 | --- a/crypto/af_alg.c | ||
313 | +++ b/crypto/af_alg.c | ||
314 | @@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | ||
315 | void *private; | ||
316 | int err; | ||
317 | |||
318 | - /* If caller uses non-allowed flag, return error. */ | ||
319 | - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
320 | - return -EINVAL; | ||
321 | - | ||
322 | if (sock->state == SS_CONNECTED) | ||
323 | return -EINVAL; | ||
324 | |||
325 | if (addr_len != sizeof(*sa)) | ||
326 | return -EINVAL; | ||
327 | |||
328 | + /* If caller uses non-allowed flag, return error. */ | ||
329 | + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) | ||
330 | + return -EINVAL; | ||
331 | + | ||
332 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; | ||
333 | sa->salg_name[sizeof(sa->salg_name) - 1] = 0; | ||
334 | |||
335 | diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c | ||
336 | index e08c09fa5da0..4fe3ec122bf0 100644 | ||
337 | --- a/drivers/ata/libata-core.c | ||
338 | +++ b/drivers/ata/libata-core.c | ||
339 | @@ -4422,6 +4422,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { | ||
340 | ATA_HORKAGE_ZERO_AFTER_TRIM | | ||
341 | ATA_HORKAGE_NOLPM, }, | ||
342 | |||
343 | + /* Sandisk devices which are known to not handle LPM well */ | ||
344 | + { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, | ||
345 | + | ||
346 | /* devices that don't properly handle queued TRIM commands */ | ||
347 | { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | | ||
348 | ATA_HORKAGE_ZERO_AFTER_TRIM, }, | ||
349 | diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c | ||
350 | index d3dc95484161..81bfeec67b77 100644 | ||
351 | --- a/drivers/atm/zatm.c | ||
352 | +++ b/drivers/atm/zatm.c | ||
353 | @@ -23,6 +23,7 @@ | ||
354 | #include <linux/bitops.h> | ||
355 | #include <linux/wait.h> | ||
356 | #include <linux/slab.h> | ||
357 | +#include <linux/nospec.h> | ||
358 | #include <asm/byteorder.h> | ||
359 | #include <asm/string.h> | ||
360 | #include <asm/io.h> | ||
361 | @@ -1458,6 +1459,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) | ||
362 | return -EFAULT; | ||
363 | if (pool < 0 || pool > ZATM_LAST_POOL) | ||
364 | return -EINVAL; | ||
365 | + pool = array_index_nospec(pool, | ||
366 | + ZATM_LAST_POOL + 1); | ||
367 | spin_lock_irqsave(&zatm_dev->lock, flags); | ||
368 | info = zatm_dev->pool_info[pool]; | ||
369 | if (cmd == ZATM_GETPOOLZ) { | ||
370 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c | ||
371 | index f8ba5c714df5..3257647d4f74 100644 | ||
372 | --- a/drivers/bluetooth/btusb.c | ||
373 | +++ b/drivers/bluetooth/btusb.c | ||
374 | @@ -217,6 +217,7 @@ static const struct usb_device_id blacklist_table[] = { | ||
375 | { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, | ||
376 | { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, | ||
377 | { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, | ||
378 | + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, | ||
379 | { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, | ||
380 | { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, | ||
381 | { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, | ||
382 | @@ -249,7 +250,6 @@ static const struct usb_device_id blacklist_table[] = { | ||
383 | { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, | ||
384 | |||
385 | /* QCA ROME chipset */ | ||
386 | - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, | ||
387 | { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, | ||
388 | { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, | ||
389 | { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, | ||
390 | diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c | ||
391 | index 03a5925a423c..a9daf7121e6e 100644 | ||
392 | --- a/drivers/gpio/gpio-aspeed.c | ||
393 | +++ b/drivers/gpio/gpio-aspeed.c | ||
394 | @@ -256,7 +256,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) | ||
395 | if (set) | ||
396 | reg |= bit; | ||
397 | else | ||
398 | - reg &= bit; | ||
399 | + reg &= ~bit; | ||
400 | iowrite32(reg, addr); | ||
401 | |||
402 | spin_unlock_irqrestore(&gpio->lock, flags); | ||
403 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c | ||
404 | index 4f54ff45e09e..56b24198741c 100644 | ||
405 | --- a/drivers/gpio/gpiolib.c | ||
406 | +++ b/drivers/gpio/gpiolib.c | ||
407 | @@ -425,7 +425,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
408 | struct gpiohandle_request handlereq; | ||
409 | struct linehandle_state *lh; | ||
410 | struct file *file; | ||
411 | - int fd, i, ret; | ||
412 | + int fd, i, count = 0, ret; | ||
413 | |||
414 | if (copy_from_user(&handlereq, ip, sizeof(handlereq))) | ||
415 | return -EFAULT; | ||
416 | @@ -471,6 +471,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
417 | if (ret) | ||
418 | goto out_free_descs; | ||
419 | lh->descs[i] = desc; | ||
420 | + count = i; | ||
421 | |||
422 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) | ||
423 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); | ||
424 | @@ -537,7 +538,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) | ||
425 | out_put_unused_fd: | ||
426 | put_unused_fd(fd); | ||
427 | out_free_descs: | ||
428 | - for (; i >= 0; i--) | ||
429 | + for (i = 0; i < count; i++) | ||
430 | gpiod_free(lh->descs[i]); | ||
431 | kfree(lh->label); | ||
432 | out_free_lh: | ||
433 | @@ -794,7 +795,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) | ||
434 | desc = &gdev->descs[offset]; | ||
435 | ret = gpiod_request(desc, le->label); | ||
436 | if (ret) | ||
437 | - goto out_free_desc; | ||
438 | + goto out_free_label; | ||
439 | le->desc = desc; | ||
440 | le->eflags = eflags; | ||
441 | |||
442 | diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c | ||
443 | index e1d47d51ea47..3517c0ed984a 100644 | ||
444 | --- a/drivers/gpu/drm/i915/intel_lvds.c | ||
445 | +++ b/drivers/gpu/drm/i915/intel_lvds.c | ||
446 | @@ -321,7 +321,8 @@ static void intel_enable_lvds(struct intel_encoder *encoder, | ||
447 | |||
448 | I915_WRITE(PP_CONTROL(0), I915_READ(PP_CONTROL(0)) | PANEL_POWER_ON); | ||
449 | POSTING_READ(lvds_encoder->reg); | ||
450 | - if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 1000)) | ||
451 | + | ||
452 | + if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 5000)) | ||
453 | DRM_ERROR("timed out waiting for panel to power on\n"); | ||
454 | |||
455 | intel_panel_enable_backlight(intel_connector); | ||
456 | diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c | ||
457 | index 881bf489478b..75056553b06c 100644 | ||
458 | --- a/drivers/gpu/drm/vc4/vc4_plane.c | ||
459 | +++ b/drivers/gpu/drm/vc4/vc4_plane.c | ||
460 | @@ -533,7 +533,7 @@ static int vc4_plane_mode_set(struct drm_plane *plane, | ||
461 | * the scl fields here. | ||
462 | */ | ||
463 | if (num_planes == 1) { | ||
464 | - scl0 = vc4_get_scl_field(state, 1); | ||
465 | + scl0 = vc4_get_scl_field(state, 0); | ||
466 | scl1 = scl0; | ||
467 | } else { | ||
468 | scl0 = vc4_get_scl_field(state, 1); | ||
469 | diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c | ||
470 | index 760ef603a468..15f4bdf89fe1 100644 | ||
471 | --- a/drivers/infiniband/core/device.c | ||
472 | +++ b/drivers/infiniband/core/device.c | ||
473 | @@ -999,8 +999,7 @@ static int __init ib_core_init(void) | ||
474 | return -ENOMEM; | ||
475 | |||
476 | ib_comp_wq = alloc_workqueue("ib-comp-wq", | ||
477 | - WQ_UNBOUND | WQ_HIGHPRI | WQ_MEM_RECLAIM, | ||
478 | - WQ_UNBOUND_MAX_ACTIVE); | ||
479 | + WQ_HIGHPRI | WQ_MEM_RECLAIM | WQ_SYSFS, 0); | ||
480 | if (!ib_comp_wq) { | ||
481 | ret = -ENOMEM; | ||
482 | goto err; | ||
483 | diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c | ||
484 | index c9d61a6dfb7a..3a75352f632b 100644 | ||
485 | --- a/drivers/net/can/usb/kvaser_usb.c | ||
486 | +++ b/drivers/net/can/usb/kvaser_usb.c | ||
487 | @@ -1179,7 +1179,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev, | ||
488 | |||
489 | skb = alloc_can_skb(priv->netdev, &cf); | ||
490 | if (!skb) { | ||
491 | - stats->tx_dropped++; | ||
492 | + stats->rx_dropped++; | ||
493 | return; | ||
494 | } | ||
495 | |||
496 | diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c | ||
497 | index ad1186dd6132..a45810b43f70 100644 | ||
498 | --- a/drivers/thermal/samsung/exynos_tmu.c | ||
499 | +++ b/drivers/thermal/samsung/exynos_tmu.c | ||
500 | @@ -185,6 +185,7 @@ | ||
501 | * @regulator: pointer to the TMU regulator structure. | ||
502 | * @reg_conf: pointer to structure to register with core thermal. | ||
503 | * @ntrip: number of supported trip points. | ||
504 | + * @enabled: current status of TMU device | ||
505 | * @tmu_initialize: SoC specific TMU initialization method | ||
506 | * @tmu_control: SoC specific TMU control method | ||
507 | * @tmu_read: SoC specific TMU temperature read method | ||
508 | @@ -205,6 +206,7 @@ struct exynos_tmu_data { | ||
509 | struct regulator *regulator; | ||
510 | struct thermal_zone_device *tzd; | ||
511 | unsigned int ntrip; | ||
512 | + bool enabled; | ||
513 | |||
514 | int (*tmu_initialize)(struct platform_device *pdev); | ||
515 | void (*tmu_control)(struct platform_device *pdev, bool on); | ||
516 | @@ -398,6 +400,7 @@ static void exynos_tmu_control(struct platform_device *pdev, bool on) | ||
517 | mutex_lock(&data->lock); | ||
518 | clk_enable(data->clk); | ||
519 | data->tmu_control(pdev, on); | ||
520 | + data->enabled = on; | ||
521 | clk_disable(data->clk); | ||
522 | mutex_unlock(&data->lock); | ||
523 | } | ||
524 | @@ -889,19 +892,24 @@ static void exynos7_tmu_control(struct platform_device *pdev, bool on) | ||
525 | static int exynos_get_temp(void *p, int *temp) | ||
526 | { | ||
527 | struct exynos_tmu_data *data = p; | ||
528 | + int value, ret = 0; | ||
529 | |||
530 | - if (!data || !data->tmu_read) | ||
531 | + if (!data || !data->tmu_read || !data->enabled) | ||
532 | return -EINVAL; | ||
533 | |||
534 | mutex_lock(&data->lock); | ||
535 | clk_enable(data->clk); | ||
536 | |||
537 | - *temp = code_to_temp(data, data->tmu_read(data)) * MCELSIUS; | ||
538 | + value = data->tmu_read(data); | ||
539 | + if (value < 0) | ||
540 | + ret = value; | ||
541 | + else | ||
542 | + *temp = code_to_temp(data, value) * MCELSIUS; | ||
543 | |||
544 | clk_disable(data->clk); | ||
545 | mutex_unlock(&data->lock); | ||
546 | |||
547 | - return 0; | ||
548 | + return ret; | ||
549 | } | ||
550 | |||
551 | #ifdef CONFIG_THERMAL_EMULATION | ||
552 | diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c | ||
553 | index 99432b59c5cb..ae354ac67da1 100644 | ||
554 | --- a/fs/f2fs/data.c | ||
555 | +++ b/fs/f2fs/data.c | ||
556 | @@ -844,7 +844,7 @@ static int __get_data_block(struct inode *inode, sector_t iblock, | ||
557 | if (!ret) { | ||
558 | map_bh(bh, inode->i_sb, map.m_pblk); | ||
559 | bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags; | ||
560 | - bh->b_size = map.m_len << inode->i_blkbits; | ||
561 | + bh->b_size = (u64)map.m_len << inode->i_blkbits; | ||
562 | } | ||
563 | return ret; | ||
564 | } | ||
565 | diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c | ||
566 | index 3d8b35f28a9b..f3aea1b8702c 100644 | ||
567 | --- a/fs/fs-writeback.c | ||
568 | +++ b/fs/fs-writeback.c | ||
569 | @@ -1942,7 +1942,7 @@ void wb_workfn(struct work_struct *work) | ||
570 | } | ||
571 | |||
572 | if (!list_empty(&wb->work_list)) | ||
573 | - mod_delayed_work(bdi_wq, &wb->dwork, 0); | ||
574 | + wb_wakeup(wb); | ||
575 | else if (wb_has_dirty_io(wb) && dirty_writeback_interval) | ||
576 | wb_wakeup_delayed(wb); | ||
577 | |||
578 | diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h | ||
579 | index c9b3eb70f340..567017b5fc9e 100644 | ||
580 | --- a/include/net/inet_timewait_sock.h | ||
581 | +++ b/include/net/inet_timewait_sock.h | ||
582 | @@ -55,6 +55,7 @@ struct inet_timewait_sock { | ||
583 | #define tw_family __tw_common.skc_family | ||
584 | #define tw_state __tw_common.skc_state | ||
585 | #define tw_reuse __tw_common.skc_reuse | ||
586 | +#define tw_reuseport __tw_common.skc_reuseport | ||
587 | #define tw_ipv6only __tw_common.skc_ipv6only | ||
588 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if | ||
589 | #define tw_node __tw_common.skc_nulls_node | ||
590 | diff --git a/include/net/nexthop.h b/include/net/nexthop.h | ||
591 | index 3334dbfa5aa4..7fc78663ec9d 100644 | ||
592 | --- a/include/net/nexthop.h | ||
593 | +++ b/include/net/nexthop.h | ||
594 | @@ -6,7 +6,7 @@ | ||
595 | |||
596 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) | ||
597 | { | ||
598 | - return remaining >= sizeof(*rtnh) && | ||
599 | + return remaining >= (int)sizeof(*rtnh) && | ||
600 | rtnh->rtnh_len >= sizeof(*rtnh) && | ||
601 | rtnh->rtnh_len <= remaining; | ||
602 | } | ||
603 | diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c | ||
604 | index 04988d6466bf..c265f1c3ae50 100644 | ||
605 | --- a/kernel/events/callchain.c | ||
606 | +++ b/kernel/events/callchain.c | ||
607 | @@ -129,14 +129,8 @@ int get_callchain_buffers(int event_max_stack) | ||
608 | goto exit; | ||
609 | } | ||
610 | |||
611 | - if (count > 1) { | ||
612 | - /* If the allocation failed, give up */ | ||
613 | - if (!callchain_cpus_entries) | ||
614 | - err = -ENOMEM; | ||
615 | - goto exit; | ||
616 | - } | ||
617 | - | ||
618 | - err = alloc_callchain_buffers(); | ||
619 | + if (count == 1) | ||
620 | + err = alloc_callchain_buffers(); | ||
621 | exit: | ||
622 | if (err) | ||
623 | atomic_dec(&nr_callchain_events); | ||
624 | diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c | ||
625 | index 257fa460b846..017f7933a37d 100644 | ||
626 | --- a/kernel/events/ring_buffer.c | ||
627 | +++ b/kernel/events/ring_buffer.c | ||
628 | @@ -14,6 +14,7 @@ | ||
629 | #include <linux/slab.h> | ||
630 | #include <linux/circ_buf.h> | ||
631 | #include <linux/poll.h> | ||
632 | +#include <linux/nospec.h> | ||
633 | |||
634 | #include "internal.h" | ||
635 | |||
636 | @@ -844,8 +845,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff) | ||
637 | return NULL; | ||
638 | |||
639 | /* AUX space */ | ||
640 | - if (pgoff >= rb->aux_pgoff) | ||
641 | - return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); | ||
642 | + if (pgoff >= rb->aux_pgoff) { | ||
643 | + int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); | ||
644 | + return virt_to_page(rb->aux_pages[aux_pgoff]); | ||
645 | + } | ||
646 | } | ||
647 | |||
648 | return __perf_mmap_to_page(rb, pgoff); | ||
649 | diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c | ||
650 | index 0193f58c45f0..e35a411bea4b 100644 | ||
651 | --- a/kernel/trace/trace_events_filter.c | ||
652 | +++ b/kernel/trace/trace_events_filter.c | ||
653 | @@ -322,6 +322,9 @@ static int regex_match_full(char *str, struct regex *r, int len) | ||
654 | |||
655 | static int regex_match_front(char *str, struct regex *r, int len) | ||
656 | { | ||
657 | + if (len < r->len) | ||
658 | + return 0; | ||
659 | + | ||
660 | if (strncmp(str, r->pattern, r->len) == 0) | ||
661 | return 1; | ||
662 | return 0; | ||
663 | diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c | ||
664 | index 0913693caf6e..788262984818 100644 | ||
665 | --- a/kernel/trace/trace_uprobe.c | ||
666 | +++ b/kernel/trace/trace_uprobe.c | ||
667 | @@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, | ||
668 | return; | ||
669 | |||
670 | ret = strncpy_from_user(dst, src, maxlen); | ||
671 | + if (ret == maxlen) | ||
672 | + dst[--ret] = '\0'; | ||
673 | |||
674 | if (ret < 0) { /* Failed to fetch string */ | ||
675 | ((u8 *)get_rloc_data(dest))[0] = '\0'; | ||
676 | diff --git a/net/atm/lec.c b/net/atm/lec.c | ||
677 | index 5d2693826afb..1e84c5226c84 100644 | ||
678 | --- a/net/atm/lec.c | ||
679 | +++ b/net/atm/lec.c | ||
680 | @@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 }; | ||
681 | #include <linux/module.h> | ||
682 | #include <linux/init.h> | ||
683 | |||
684 | +/* Hardening for Spectre-v1 */ | ||
685 | +#include <linux/nospec.h> | ||
686 | + | ||
687 | #include "lec.h" | ||
688 | #include "lec_arpc.h" | ||
689 | #include "resources.h" | ||
690 | @@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) | ||
691 | bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); | ||
692 | if (bytes_left != 0) | ||
693 | pr_info("copy from user failed for %d bytes\n", bytes_left); | ||
694 | - if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || | ||
695 | - !dev_lec[ioc_data.dev_num]) | ||
696 | + if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) | ||
697 | + return -EINVAL; | ||
698 | + ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); | ||
699 | + if (!dev_lec[ioc_data.dev_num]) | ||
700 | return -EINVAL; | ||
701 | vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); | ||
702 | if (!vpriv) | ||
703 | diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c | ||
704 | index c0548d268e1a..e3e6a3e2ca22 100644 | ||
705 | --- a/net/core/dev_addr_lists.c | ||
706 | +++ b/net/core/dev_addr_lists.c | ||
707 | @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, | ||
708 | return -EINVAL; | ||
709 | |||
710 | list_for_each_entry(ha, &list->list, list) { | ||
711 | - if (!memcmp(ha->addr, addr, addr_len) && | ||
712 | - ha->type == addr_type) { | ||
713 | + if (ha->type == addr_type && | ||
714 | + !memcmp(ha->addr, addr, addr_len)) { | ||
715 | if (global) { | ||
716 | /* check if addr is already used as global */ | ||
717 | if (ha->global_use) | ||
718 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c | ||
719 | index fb422dfec848..a40ccc184b83 100644 | ||
720 | --- a/net/core/skbuff.c | ||
721 | +++ b/net/core/skbuff.c | ||
722 | @@ -903,6 +903,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) | ||
723 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; | ||
724 | n->cloned = 1; | ||
725 | n->nohdr = 0; | ||
726 | + n->peeked = 0; | ||
727 | n->destructor = NULL; | ||
728 | C(tail); | ||
729 | C(end); | ||
730 | diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c | ||
731 | index 8c7799cdd3cf..6697b180e122 100644 | ||
732 | --- a/net/dccp/ipv4.c | ||
733 | +++ b/net/dccp/ipv4.c | ||
734 | @@ -620,6 +620,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) | ||
735 | ireq = inet_rsk(req); | ||
736 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); | ||
737 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); | ||
738 | + ireq->ir_mark = inet_request_mark(sk, skb); | ||
739 | ireq->ireq_family = AF_INET; | ||
740 | ireq->ir_iif = sk->sk_bound_dev_if; | ||
741 | |||
742 | diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c | ||
743 | index 28e8252cc5ea..6cbcf399d22b 100644 | ||
744 | --- a/net/dccp/ipv6.c | ||
745 | +++ b/net/dccp/ipv6.c | ||
746 | @@ -349,6 +349,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) | ||
747 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; | ||
748 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; | ||
749 | ireq->ireq_family = AF_INET6; | ||
750 | + ireq->ir_mark = inet_request_mark(sk, skb); | ||
751 | |||
752 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || | ||
753 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || | ||
754 | diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c | ||
755 | index ddcd56c08d14..a6b34ac3139e 100644 | ||
756 | --- a/net/ipv4/inet_timewait_sock.c | ||
757 | +++ b/net/ipv4/inet_timewait_sock.c | ||
758 | @@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, | ||
759 | tw->tw_dport = inet->inet_dport; | ||
760 | tw->tw_family = sk->sk_family; | ||
761 | tw->tw_reuse = sk->sk_reuse; | ||
762 | + tw->tw_reuseport = sk->sk_reuseport; | ||
763 | tw->tw_hash = sk->sk_hash; | ||
764 | tw->tw_ipv6only = 0; | ||
765 | tw->tw_transparent = inet->transparent; | ||
766 | diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c | ||
767 | index 0fc5dad02fe8..6f501c9deaae 100644 | ||
768 | --- a/net/ipv4/tcp.c | ||
769 | +++ b/net/ipv4/tcp.c | ||
770 | @@ -2523,7 +2523,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, | ||
771 | case TCP_REPAIR_QUEUE: | ||
772 | if (!tp->repair) | ||
773 | err = -EPERM; | ||
774 | - else if (val < TCP_QUEUES_NR) | ||
775 | + else if ((unsigned int)val < TCP_QUEUES_NR) | ||
776 | tp->repair_queue = val; | ||
777 | else | ||
778 | err = -EINVAL; | ||
779 | diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c | ||
780 | index 63e6d08388ab..cc306defcc19 100644 | ||
781 | --- a/net/kcm/kcmsock.c | ||
782 | +++ b/net/kcm/kcmsock.c | ||
783 | @@ -1424,6 +1424,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock, | ||
784 | */ | ||
785 | if (csk->sk_user_data) { | ||
786 | write_unlock_bh(&csk->sk_callback_lock); | ||
787 | + strp_stop(&psock->strp); | ||
788 | strp_done(&psock->strp); | ||
789 | kmem_cache_free(kcm_psockp, psock); | ||
790 | err = -EALREADY; | ||
791 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c | ||
792 | index 74d119512d96..c5f2350a2b50 100644 | ||
793 | --- a/net/netfilter/ipvs/ip_vs_ctl.c | ||
794 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c | ||
795 | @@ -2393,11 +2393,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) | ||
796 | strlcpy(cfg.mcast_ifn, dm->mcast_ifn, | ||
797 | sizeof(cfg.mcast_ifn)); | ||
798 | cfg.syncid = dm->syncid; | ||
799 | - rtnl_lock(); | ||
800 | - mutex_lock(&ipvs->sync_mutex); | ||
801 | ret = start_sync_thread(ipvs, &cfg, dm->state); | ||
802 | - mutex_unlock(&ipvs->sync_mutex); | ||
803 | - rtnl_unlock(); | ||
804 | } else { | ||
805 | mutex_lock(&ipvs->sync_mutex); | ||
806 | ret = stop_sync_thread(ipvs, dm->state); | ||
807 | @@ -3495,12 +3491,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) | ||
808 | if (ipvs->mixed_address_family_dests > 0) | ||
809 | return -EINVAL; | ||
810 | |||
811 | - rtnl_lock(); | ||
812 | - mutex_lock(&ipvs->sync_mutex); | ||
813 | ret = start_sync_thread(ipvs, &c, | ||
814 | nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); | ||
815 | - mutex_unlock(&ipvs->sync_mutex); | ||
816 | - rtnl_unlock(); | ||
817 | return ret; | ||
818 | } | ||
819 | |||
820 | diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c | ||
821 | index 9350530c16c1..5fbf4b232592 100644 | ||
822 | --- a/net/netfilter/ipvs/ip_vs_sync.c | ||
823 | +++ b/net/netfilter/ipvs/ip_vs_sync.c | ||
824 | @@ -48,6 +48,7 @@ | ||
825 | #include <linux/kthread.h> | ||
826 | #include <linux/wait.h> | ||
827 | #include <linux/kernel.h> | ||
828 | +#include <linux/sched.h> | ||
829 | |||
830 | #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */ | ||
831 | |||
832 | @@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val) | ||
833 | /* | ||
834 | * Specifiy default interface for outgoing multicasts | ||
835 | */ | ||
836 | -static int set_mcast_if(struct sock *sk, char *ifname) | ||
837 | +static int set_mcast_if(struct sock *sk, struct net_device *dev) | ||
838 | { | ||
839 | - struct net_device *dev; | ||
840 | struct inet_sock *inet = inet_sk(sk); | ||
841 | - struct net *net = sock_net(sk); | ||
842 | - | ||
843 | - dev = __dev_get_by_name(net, ifname); | ||
844 | - if (!dev) | ||
845 | - return -ENODEV; | ||
846 | |||
847 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
848 | return -EINVAL; | ||
849 | @@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname) | ||
850 | * in the in_addr structure passed in as a parameter. | ||
851 | */ | ||
852 | static int | ||
853 | -join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) | ||
854 | +join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev) | ||
855 | { | ||
856 | - struct net *net = sock_net(sk); | ||
857 | struct ip_mreqn mreq; | ||
858 | - struct net_device *dev; | ||
859 | int ret; | ||
860 | |||
861 | memset(&mreq, 0, sizeof(mreq)); | ||
862 | memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr)); | ||
863 | |||
864 | - dev = __dev_get_by_name(net, ifname); | ||
865 | - if (!dev) | ||
866 | - return -ENODEV; | ||
867 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
868 | return -EINVAL; | ||
869 | |||
870 | @@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) | ||
871 | |||
872 | #ifdef CONFIG_IP_VS_IPV6 | ||
873 | static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, | ||
874 | - char *ifname) | ||
875 | + struct net_device *dev) | ||
876 | { | ||
877 | - struct net *net = sock_net(sk); | ||
878 | - struct net_device *dev; | ||
879 | int ret; | ||
880 | |||
881 | - dev = __dev_get_by_name(net, ifname); | ||
882 | - if (!dev) | ||
883 | - return -ENODEV; | ||
884 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) | ||
885 | return -EINVAL; | ||
886 | |||
887 | @@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, | ||
888 | } | ||
889 | #endif | ||
890 | |||
891 | -static int bind_mcastif_addr(struct socket *sock, char *ifname) | ||
892 | +static int bind_mcastif_addr(struct socket *sock, struct net_device *dev) | ||
893 | { | ||
894 | - struct net *net = sock_net(sock->sk); | ||
895 | - struct net_device *dev; | ||
896 | __be32 addr; | ||
897 | struct sockaddr_in sin; | ||
898 | |||
899 | - dev = __dev_get_by_name(net, ifname); | ||
900 | - if (!dev) | ||
901 | - return -ENODEV; | ||
902 | - | ||
903 | addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE); | ||
904 | if (!addr) | ||
905 | pr_err("You probably need to specify IP address on " | ||
906 | "multicast interface.\n"); | ||
907 | |||
908 | IP_VS_DBG(7, "binding socket with (%s) %pI4\n", | ||
909 | - ifname, &addr); | ||
910 | + dev->name, &addr); | ||
911 | |||
912 | /* Now bind the socket with the address of multicast interface */ | ||
913 | sin.sin_family = AF_INET; | ||
914 | @@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen, | ||
915 | /* | ||
916 | * Set up sending multicast socket over UDP | ||
917 | */ | ||
918 | -static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
919 | +static int make_send_sock(struct netns_ipvs *ipvs, int id, | ||
920 | + struct net_device *dev, struct socket **sock_ret) | ||
921 | { | ||
922 | /* multicast addr */ | ||
923 | union ipvs_sockaddr mcast_addr; | ||
924 | @@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
925 | IPPROTO_UDP, &sock); | ||
926 | if (result < 0) { | ||
927 | pr_err("Error during creation of socket; terminating\n"); | ||
928 | - return ERR_PTR(result); | ||
929 | + goto error; | ||
930 | } | ||
931 | - result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn); | ||
932 | + *sock_ret = sock; | ||
933 | + result = set_mcast_if(sock->sk, dev); | ||
934 | if (result < 0) { | ||
935 | pr_err("Error setting outbound mcast interface\n"); | ||
936 | goto error; | ||
937 | @@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
938 | set_sock_size(sock->sk, 1, result); | ||
939 | |||
940 | if (AF_INET == ipvs->mcfg.mcast_af) | ||
941 | - result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn); | ||
942 | + result = bind_mcastif_addr(sock, dev); | ||
943 | else | ||
944 | result = 0; | ||
945 | if (result < 0) { | ||
946 | @@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) | ||
947 | goto error; | ||
948 | } | ||
949 | |||
950 | - return sock; | ||
951 | + return 0; | ||
952 | |||
953 | error: | ||
954 | - sock_release(sock); | ||
955 | - return ERR_PTR(result); | ||
956 | + return result; | ||
957 | } | ||
958 | |||
959 | |||
960 | /* | ||
961 | * Set up receiving multicast socket over UDP | ||
962 | */ | ||
963 | -static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
964 | - int ifindex) | ||
965 | +static int make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
966 | + struct net_device *dev, struct socket **sock_ret) | ||
967 | { | ||
968 | /* multicast addr */ | ||
969 | union ipvs_sockaddr mcast_addr; | ||
970 | @@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
971 | IPPROTO_UDP, &sock); | ||
972 | if (result < 0) { | ||
973 | pr_err("Error during creation of socket; terminating\n"); | ||
974 | - return ERR_PTR(result); | ||
975 | + goto error; | ||
976 | } | ||
977 | + *sock_ret = sock; | ||
978 | /* it is equivalent to the REUSEADDR option in user-space */ | ||
979 | sock->sk->sk_reuse = SK_CAN_REUSE; | ||
980 | result = sysctl_sync_sock_size(ipvs); | ||
981 | @@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
982 | set_sock_size(sock->sk, 0, result); | ||
983 | |||
984 | get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id); | ||
985 | - sock->sk->sk_bound_dev_if = ifindex; | ||
986 | + sock->sk->sk_bound_dev_if = dev->ifindex; | ||
987 | result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen); | ||
988 | if (result < 0) { | ||
989 | pr_err("Error binding to the multicast addr\n"); | ||
990 | @@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, | ||
991 | #ifdef CONFIG_IP_VS_IPV6 | ||
992 | if (ipvs->bcfg.mcast_af == AF_INET6) | ||
993 | result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr, | ||
994 | - ipvs->bcfg.mcast_ifn); | ||
995 | + dev); | ||
996 | else | ||
997 | #endif | ||
998 | result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr, | ||
999 | - ipvs->bcfg.mcast_ifn); | ||
1000 | + dev); | ||
1001 | if (result < 0) { | ||
1002 | pr_err("Error joining to the multicast group\n"); | ||
1003 | goto error; | ||
1004 | } | ||
1005 | |||
1006 | - return sock; | ||
1007 | + return 0; | ||
1008 | |||
1009 | error: | ||
1010 | - sock_release(sock); | ||
1011 | - return ERR_PTR(result); | ||
1012 | + return result; | ||
1013 | } | ||
1014 | |||
1015 | |||
1016 | @@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data) | ||
1017 | int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1018 | int state) | ||
1019 | { | ||
1020 | - struct ip_vs_sync_thread_data *tinfo; | ||
1021 | + struct ip_vs_sync_thread_data *tinfo = NULL; | ||
1022 | struct task_struct **array = NULL, *task; | ||
1023 | - struct socket *sock; | ||
1024 | struct net_device *dev; | ||
1025 | char *name; | ||
1026 | int (*threadfn)(void *data); | ||
1027 | - int id, count, hlen; | ||
1028 | + int id = 0, count, hlen; | ||
1029 | int result = -ENOMEM; | ||
1030 | u16 mtu, min_mtu; | ||
1031 | |||
1032 | @@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1033 | IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n", | ||
1034 | sizeof(struct ip_vs_sync_conn_v0)); | ||
1035 | |||
1036 | + /* Do not hold one mutex and then to block on another */ | ||
1037 | + for (;;) { | ||
1038 | + rtnl_lock(); | ||
1039 | + if (mutex_trylock(&ipvs->sync_mutex)) | ||
1040 | + break; | ||
1041 | + rtnl_unlock(); | ||
1042 | + mutex_lock(&ipvs->sync_mutex); | ||
1043 | + if (rtnl_trylock()) | ||
1044 | + break; | ||
1045 | + mutex_unlock(&ipvs->sync_mutex); | ||
1046 | + } | ||
1047 | + | ||
1048 | if (!ipvs->sync_state) { | ||
1049 | count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX); | ||
1050 | ipvs->threads_mask = count - 1; | ||
1051 | @@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1052 | dev = __dev_get_by_name(ipvs->net, c->mcast_ifn); | ||
1053 | if (!dev) { | ||
1054 | pr_err("Unknown mcast interface: %s\n", c->mcast_ifn); | ||
1055 | - return -ENODEV; | ||
1056 | + result = -ENODEV; | ||
1057 | + goto out_early; | ||
1058 | } | ||
1059 | hlen = (AF_INET6 == c->mcast_af) ? | ||
1060 | sizeof(struct ipv6hdr) + sizeof(struct udphdr) : | ||
1061 | @@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1062 | c->sync_maxlen = mtu - hlen; | ||
1063 | |||
1064 | if (state == IP_VS_STATE_MASTER) { | ||
1065 | + result = -EEXIST; | ||
1066 | if (ipvs->ms) | ||
1067 | - return -EEXIST; | ||
1068 | + goto out_early; | ||
1069 | |||
1070 | ipvs->mcfg = *c; | ||
1071 | name = "ipvs-m:%d:%d"; | ||
1072 | threadfn = sync_thread_master; | ||
1073 | } else if (state == IP_VS_STATE_BACKUP) { | ||
1074 | + result = -EEXIST; | ||
1075 | if (ipvs->backup_threads) | ||
1076 | - return -EEXIST; | ||
1077 | + goto out_early; | ||
1078 | |||
1079 | ipvs->bcfg = *c; | ||
1080 | name = "ipvs-b:%d:%d"; | ||
1081 | threadfn = sync_thread_backup; | ||
1082 | } else { | ||
1083 | - return -EINVAL; | ||
1084 | + result = -EINVAL; | ||
1085 | + goto out_early; | ||
1086 | } | ||
1087 | |||
1088 | if (state == IP_VS_STATE_MASTER) { | ||
1089 | struct ipvs_master_sync_state *ms; | ||
1090 | |||
1091 | + result = -ENOMEM; | ||
1092 | ipvs->ms = kzalloc(count * sizeof(ipvs->ms[0]), GFP_KERNEL); | ||
1093 | if (!ipvs->ms) | ||
1094 | goto out; | ||
1095 | @@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1096 | } else { | ||
1097 | array = kzalloc(count * sizeof(struct task_struct *), | ||
1098 | GFP_KERNEL); | ||
1099 | + result = -ENOMEM; | ||
1100 | if (!array) | ||
1101 | goto out; | ||
1102 | } | ||
1103 | |||
1104 | - tinfo = NULL; | ||
1105 | for (id = 0; id < count; id++) { | ||
1106 | - if (state == IP_VS_STATE_MASTER) | ||
1107 | - sock = make_send_sock(ipvs, id); | ||
1108 | - else | ||
1109 | - sock = make_receive_sock(ipvs, id, dev->ifindex); | ||
1110 | - if (IS_ERR(sock)) { | ||
1111 | - result = PTR_ERR(sock); | ||
1112 | - goto outtinfo; | ||
1113 | - } | ||
1114 | + result = -ENOMEM; | ||
1115 | tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); | ||
1116 | if (!tinfo) | ||
1117 | - goto outsocket; | ||
1118 | + goto out; | ||
1119 | tinfo->ipvs = ipvs; | ||
1120 | - tinfo->sock = sock; | ||
1121 | + tinfo->sock = NULL; | ||
1122 | if (state == IP_VS_STATE_BACKUP) { | ||
1123 | tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, | ||
1124 | GFP_KERNEL); | ||
1125 | if (!tinfo->buf) | ||
1126 | - goto outtinfo; | ||
1127 | + goto out; | ||
1128 | } else { | ||
1129 | tinfo->buf = NULL; | ||
1130 | } | ||
1131 | tinfo->id = id; | ||
1132 | + if (state == IP_VS_STATE_MASTER) | ||
1133 | + result = make_send_sock(ipvs, id, dev, &tinfo->sock); | ||
1134 | + else | ||
1135 | + result = make_receive_sock(ipvs, id, dev, &tinfo->sock); | ||
1136 | + if (result < 0) | ||
1137 | + goto out; | ||
1138 | |||
1139 | task = kthread_run(threadfn, tinfo, name, ipvs->gen, id); | ||
1140 | if (IS_ERR(task)) { | ||
1141 | result = PTR_ERR(task); | ||
1142 | - goto outtinfo; | ||
1143 | + goto out; | ||
1144 | } | ||
1145 | tinfo = NULL; | ||
1146 | if (state == IP_VS_STATE_MASTER) | ||
1147 | @@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1148 | ipvs->sync_state |= state; | ||
1149 | spin_unlock_bh(&ipvs->sync_buff_lock); | ||
1150 | |||
1151 | + mutex_unlock(&ipvs->sync_mutex); | ||
1152 | + rtnl_unlock(); | ||
1153 | + | ||
1154 | /* increase the module use count */ | ||
1155 | ip_vs_use_count_inc(); | ||
1156 | |||
1157 | return 0; | ||
1158 | |||
1159 | -outsocket: | ||
1160 | - sock_release(sock); | ||
1161 | - | ||
1162 | -outtinfo: | ||
1163 | - if (tinfo) { | ||
1164 | - sock_release(tinfo->sock); | ||
1165 | - kfree(tinfo->buf); | ||
1166 | - kfree(tinfo); | ||
1167 | - } | ||
1168 | +out: | ||
1169 | + /* We do not need RTNL lock anymore, release it here so that | ||
1170 | + * sock_release below and in the kthreads can use rtnl_lock | ||
1171 | + * to leave the mcast group. | ||
1172 | + */ | ||
1173 | + rtnl_unlock(); | ||
1174 | count = id; | ||
1175 | while (count-- > 0) { | ||
1176 | if (state == IP_VS_STATE_MASTER) | ||
1177 | @@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, | ||
1178 | else | ||
1179 | kthread_stop(array[count]); | ||
1180 | } | ||
1181 | - kfree(array); | ||
1182 | - | ||
1183 | -out: | ||
1184 | if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { | ||
1185 | kfree(ipvs->ms); | ||
1186 | ipvs->ms = NULL; | ||
1187 | } | ||
1188 | + mutex_unlock(&ipvs->sync_mutex); | ||
1189 | + if (tinfo) { | ||
1190 | + if (tinfo->sock) | ||
1191 | + sock_release(tinfo->sock); | ||
1192 | + kfree(tinfo->buf); | ||
1193 | + kfree(tinfo); | ||
1194 | + } | ||
1195 | + kfree(array); | ||
1196 | + return result; | ||
1197 | + | ||
1198 | +out_early: | ||
1199 | + mutex_unlock(&ipvs->sync_mutex); | ||
1200 | + rtnl_unlock(); | ||
1201 | return result; | ||
1202 | } | ||
1203 | |||
1204 | diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c | ||
1205 | index 1e97b8d9a159..15e6e7b9fd2b 100644 | ||
1206 | --- a/net/netlink/af_netlink.c | ||
1207 | +++ b/net/netlink/af_netlink.c | ||
1208 | @@ -1795,6 +1795,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) | ||
1209 | |||
1210 | if (msg->msg_namelen) { | ||
1211 | err = -EINVAL; | ||
1212 | + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) | ||
1213 | + goto out; | ||
1214 | if (addr->nl_family != AF_NETLINK) | ||
1215 | goto out; | ||
1216 | dst_portid = addr->nl_pid; | ||
1217 | diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c | ||
1218 | index 76c01cbd56e3..d6d8b34c5f22 100644 | ||
1219 | --- a/net/rfkill/rfkill-gpio.c | ||
1220 | +++ b/net/rfkill/rfkill-gpio.c | ||
1221 | @@ -138,13 +138,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev) | ||
1222 | |||
1223 | ret = rfkill_register(rfkill->rfkill_dev); | ||
1224 | if (ret < 0) | ||
1225 | - return ret; | ||
1226 | + goto err_destroy; | ||
1227 | |||
1228 | platform_set_drvdata(pdev, rfkill); | ||
1229 | |||
1230 | dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); | ||
1231 | |||
1232 | return 0; | ||
1233 | + | ||
1234 | +err_destroy: | ||
1235 | + rfkill_destroy(rfkill->rfkill_dev); | ||
1236 | + | ||
1237 | + return ret; | ||
1238 | } | ||
1239 | |||
1240 | static int rfkill_gpio_remove(struct platform_device *pdev) |