Contents of /trunk/kernel-alx/patches-4.9/0199-4.9.100-all-fixes.patch
Parent Directory | Revision Log
Revision 3176 -
(show annotations)
(download)
Wed Aug 8 14:17:30 2018 UTC (6 years, 1 month ago) by niro
File size: 40406 byte(s)
Wed Aug 8 14:17:30 2018 UTC (6 years, 1 month ago) by niro
File size: 40406 byte(s)
-linux-4.9.100
1 | diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt |
2 | index d11af52427b4..ac9489fad31b 100644 |
3 | --- a/Documentation/arm64/silicon-errata.txt |
4 | +++ b/Documentation/arm64/silicon-errata.txt |
5 | @@ -54,6 +54,7 @@ stable kernels. |
6 | | ARM | Cortex-A57 | #852523 | N/A | |
7 | | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | |
8 | | ARM | Cortex-A72 | #853709 | N/A | |
9 | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | |
10 | | ARM | MMU-500 | #841119,#826419 | N/A | |
11 | | | | | | |
12 | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | |
13 | diff --git a/Makefile b/Makefile |
14 | index d51e99f4a987..52a41396680c 100644 |
15 | --- a/Makefile |
16 | +++ b/Makefile |
17 | @@ -1,6 +1,6 @@ |
18 | VERSION = 4 |
19 | PATCHLEVEL = 9 |
20 | -SUBLEVEL = 99 |
21 | +SUBLEVEL = 100 |
22 | EXTRAVERSION = |
23 | NAME = Roaring Lionus |
24 | |
25 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig |
26 | index 90e58bbbd858..d0df3611d1e2 100644 |
27 | --- a/arch/arm64/Kconfig |
28 | +++ b/arch/arm64/Kconfig |
29 | @@ -427,6 +427,20 @@ config ARM64_ERRATUM_843419 |
30 | |
31 | If unsure, say Y. |
32 | |
33 | +config ARM64_ERRATUM_1024718 |
34 | + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" |
35 | + default y |
36 | + help |
37 | + This option adds work around for Arm Cortex-A55 Erratum 1024718. |
38 | + |
39 | + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect |
40 | + update of the hardware dirty bit when the DBM/AP bits are updated |
41 | + without a break-before-make. The work around is to disable the usage |
42 | + of hardware DBM locally on the affected cores. CPUs not affected by |
43 | + erratum will continue to use the feature. |
44 | + |
45 | + If unsure, say Y. |
46 | + |
47 | config CAVIUM_ERRATUM_22375 |
48 | bool "Cavium erratum 22375, 24313" |
49 | default y |
50 | diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h |
51 | index e60375ce0dd2..bfcfec3590f6 100644 |
52 | --- a/arch/arm64/include/asm/assembler.h |
53 | +++ b/arch/arm64/include/asm/assembler.h |
54 | @@ -25,6 +25,7 @@ |
55 | |
56 | #include <asm/asm-offsets.h> |
57 | #include <asm/cpufeature.h> |
58 | +#include <asm/cputype.h> |
59 | #include <asm/page.h> |
60 | #include <asm/pgtable-hwdef.h> |
61 | #include <asm/ptrace.h> |
62 | @@ -435,4 +436,43 @@ alternative_endif |
63 | and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) |
64 | .endm |
65 | |
66 | +/* |
67 | + * Check the MIDR_EL1 of the current CPU for a given model and a range of |
68 | + * variant/revision. See asm/cputype.h for the macros used below. |
69 | + * |
70 | + * model: MIDR_CPU_MODEL of CPU |
71 | + * rv_min: Minimum of MIDR_CPU_VAR_REV() |
72 | + * rv_max: Maximum of MIDR_CPU_VAR_REV() |
73 | + * res: Result register. |
74 | + * tmp1, tmp2, tmp3: Temporary registers |
75 | + * |
76 | + * Corrupts: res, tmp1, tmp2, tmp3 |
77 | + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise |
78 | + */ |
79 | + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 |
80 | + mrs \res, midr_el1 |
81 | + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) |
82 | + mov_q \tmp2, MIDR_CPU_MODEL_MASK |
83 | + and \tmp3, \res, \tmp2 // Extract model |
84 | + and \tmp1, \res, \tmp1 // rev & variant |
85 | + mov_q \tmp2, \model |
86 | + cmp \tmp3, \tmp2 |
87 | + cset \res, eq |
88 | + cbz \res, .Ldone\@ // Model matches ? |
89 | + |
90 | + .if (\rv_min != 0) // Skip min check if rv_min == 0 |
91 | + mov_q \tmp3, \rv_min |
92 | + cmp \tmp1, \tmp3 |
93 | + cset \res, ge |
94 | + .endif // \rv_min != 0 |
95 | + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ |
96 | + .if ((\rv_min != \rv_max) || \rv_min == 0) |
97 | + mov_q \tmp2, \rv_max |
98 | + cmp \tmp1, \tmp2 |
99 | + cset \tmp2, le |
100 | + and \res, \res, \tmp2 |
101 | + .endif |
102 | +.Ldone\@: |
103 | + .endm |
104 | + |
105 | #endif /* __ASM_ASSEMBLER_H */ |
106 | diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h |
107 | index 9ee3038a6b98..39d1db68748d 100644 |
108 | --- a/arch/arm64/include/asm/cputype.h |
109 | +++ b/arch/arm64/include/asm/cputype.h |
110 | @@ -56,6 +56,9 @@ |
111 | (0xf << MIDR_ARCHITECTURE_SHIFT) | \ |
112 | ((partnum) << MIDR_PARTNUM_SHIFT)) |
113 | |
114 | +#define MIDR_CPU_VAR_REV(var, rev) \ |
115 | + (((var) << MIDR_VARIANT_SHIFT) | (rev)) |
116 | + |
117 | #define MIDR_CPU_MODEL_MASK (MIDR_IMPLEMENTOR_MASK | MIDR_PARTNUM_MASK | \ |
118 | MIDR_ARCHITECTURE_MASK) |
119 | |
120 | @@ -74,6 +77,7 @@ |
121 | |
122 | #define ARM_CPU_PART_AEM_V8 0xD0F |
123 | #define ARM_CPU_PART_FOUNDATION 0xD00 |
124 | +#define ARM_CPU_PART_CORTEX_A55 0xD05 |
125 | #define ARM_CPU_PART_CORTEX_A57 0xD07 |
126 | #define ARM_CPU_PART_CORTEX_A72 0xD08 |
127 | #define ARM_CPU_PART_CORTEX_A53 0xD03 |
128 | @@ -89,6 +93,7 @@ |
129 | #define BRCM_CPU_PART_VULCAN 0x516 |
130 | |
131 | #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) |
132 | +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) |
133 | #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) |
134 | #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) |
135 | #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) |
136 | diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S |
137 | index 619da1cbd32b..66cce2138f95 100644 |
138 | --- a/arch/arm64/mm/proc.S |
139 | +++ b/arch/arm64/mm/proc.S |
140 | @@ -425,6 +425,11 @@ ENTRY(__cpu_setup) |
141 | cbz x9, 2f |
142 | cmp x9, #2 |
143 | b.lt 1f |
144 | +#ifdef CONFIG_ARM64_ERRATUM_1024718 |
145 | + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ |
146 | + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 |
147 | + cbnz x1, 1f |
148 | +#endif |
149 | orr x10, x10, #TCR_HD // hardware Dirty flag update |
150 | 1: orr x10, x10, #TCR_HA // hardware Access flag update |
151 | 2: |
152 | diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
153 | index 55fbc0c78721..79a180cf4c94 100644 |
154 | --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
155 | +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
156 | @@ -299,7 +299,6 @@ kvm_novcpu_exit: |
157 | stw r12, STACK_SLOT_TRAP(r1) |
158 | bl kvmhv_commence_exit |
159 | nop |
160 | - lwz r12, STACK_SLOT_TRAP(r1) |
161 | b kvmhv_switch_to_host |
162 | |
163 | /* |
164 | @@ -1023,6 +1022,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) |
165 | |
166 | secondary_too_late: |
167 | li r12, 0 |
168 | + stw r12, STACK_SLOT_TRAP(r1) |
169 | cmpdi r4, 0 |
170 | beq 11f |
171 | stw r12, VCPU_TRAP(r4) |
172 | @@ -1266,12 +1266,12 @@ mc_cont: |
173 | bl kvmhv_accumulate_time |
174 | #endif |
175 | |
176 | + stw r12, STACK_SLOT_TRAP(r1) |
177 | mr r3, r12 |
178 | /* Increment exit count, poke other threads to exit */ |
179 | bl kvmhv_commence_exit |
180 | nop |
181 | ld r9, HSTATE_KVM_VCPU(r13) |
182 | - lwz r12, VCPU_TRAP(r9) |
183 | |
184 | /* Stop others sending VCPU interrupts to this physical CPU */ |
185 | li r0, -1 |
186 | @@ -1549,6 +1549,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
187 | * POWER7/POWER8 guest -> host partition switch code. |
188 | * We don't have to lock against tlbies but we do |
189 | * have to coordinate the hardware threads. |
190 | + * Here STACK_SLOT_TRAP(r1) contains the trap number. |
191 | */ |
192 | kvmhv_switch_to_host: |
193 | /* Secondary threads wait for primary to do partition switch */ |
194 | @@ -1599,11 +1600,11 @@ BEGIN_FTR_SECTION |
195 | END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
196 | |
197 | /* If HMI, call kvmppc_realmode_hmi_handler() */ |
198 | + lwz r12, STACK_SLOT_TRAP(r1) |
199 | cmpwi r12, BOOK3S_INTERRUPT_HMI |
200 | bne 27f |
201 | bl kvmppc_realmode_hmi_handler |
202 | nop |
203 | - li r12, BOOK3S_INTERRUPT_HMI |
204 | /* |
205 | * At this point kvmppc_realmode_hmi_handler would have resync-ed |
206 | * the TB. Hence it is not required to subtract guest timebase |
207 | @@ -1678,6 +1679,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
208 | li r0, KVM_GUEST_MODE_NONE |
209 | stb r0, HSTATE_IN_GUEST(r13) |
210 | |
211 | + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ |
212 | ld r0, SFS+PPC_LR_STKOFF(r1) |
213 | addi r1, r1, SFS |
214 | mtlr r0 |
215 | diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c |
216 | index f73796db8758..02e547f9ca3f 100644 |
217 | --- a/arch/x86/events/core.c |
218 | +++ b/arch/x86/events/core.c |
219 | @@ -26,6 +26,7 @@ |
220 | #include <linux/cpu.h> |
221 | #include <linux/bitops.h> |
222 | #include <linux/device.h> |
223 | +#include <linux/nospec.h> |
224 | |
225 | #include <asm/apic.h> |
226 | #include <asm/stacktrace.h> |
227 | @@ -303,17 +304,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) |
228 | |
229 | config = attr->config; |
230 | |
231 | - cache_type = (config >> 0) & 0xff; |
232 | + cache_type = (config >> 0) & 0xff; |
233 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) |
234 | return -EINVAL; |
235 | + cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); |
236 | |
237 | cache_op = (config >> 8) & 0xff; |
238 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) |
239 | return -EINVAL; |
240 | + cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); |
241 | |
242 | cache_result = (config >> 16) & 0xff; |
243 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) |
244 | return -EINVAL; |
245 | + cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); |
246 | |
247 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; |
248 | |
249 | @@ -420,6 +424,8 @@ int x86_setup_perfctr(struct perf_event *event) |
250 | if (attr->config >= x86_pmu.max_events) |
251 | return -EINVAL; |
252 | |
253 | + attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events); |
254 | + |
255 | /* |
256 | * The generic map: |
257 | */ |
258 | diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c |
259 | index 1076c9a77292..47d526c700a1 100644 |
260 | --- a/arch/x86/events/intel/cstate.c |
261 | +++ b/arch/x86/events/intel/cstate.c |
262 | @@ -90,6 +90,7 @@ |
263 | #include <linux/module.h> |
264 | #include <linux/slab.h> |
265 | #include <linux/perf_event.h> |
266 | +#include <linux/nospec.h> |
267 | #include <asm/cpu_device_id.h> |
268 | #include <asm/intel-family.h> |
269 | #include "../perf_event.h" |
270 | @@ -300,6 +301,7 @@ static int cstate_pmu_event_init(struct perf_event *event) |
271 | } else if (event->pmu == &cstate_pkg_pmu) { |
272 | if (cfg >= PERF_CSTATE_PKG_EVENT_MAX) |
273 | return -EINVAL; |
274 | + cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX); |
275 | if (!pkg_msr[cfg].attr) |
276 | return -EINVAL; |
277 | event->hw.event_base = pkg_msr[cfg].msr; |
278 | diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c |
279 | index 4bb3ec69e8ea..be0b1968d60a 100644 |
280 | --- a/arch/x86/events/msr.c |
281 | +++ b/arch/x86/events/msr.c |
282 | @@ -1,4 +1,5 @@ |
283 | #include <linux/perf_event.h> |
284 | +#include <linux/nospec.h> |
285 | #include <asm/intel-family.h> |
286 | |
287 | enum perf_msr_id { |
288 | @@ -136,9 +137,6 @@ static int msr_event_init(struct perf_event *event) |
289 | if (event->attr.type != event->pmu->type) |
290 | return -ENOENT; |
291 | |
292 | - if (cfg >= PERF_MSR_EVENT_MAX) |
293 | - return -EINVAL; |
294 | - |
295 | /* unsupported modes and filters */ |
296 | if (event->attr.exclude_user || |
297 | event->attr.exclude_kernel || |
298 | @@ -149,6 +147,11 @@ static int msr_event_init(struct perf_event *event) |
299 | event->attr.sample_period) /* no sampling */ |
300 | return -EINVAL; |
301 | |
302 | + if (cfg >= PERF_MSR_EVENT_MAX) |
303 | + return -EINVAL; |
304 | + |
305 | + cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX); |
306 | + |
307 | if (!msr[cfg].attr) |
308 | return -EINVAL; |
309 | |
310 | diff --git a/crypto/af_alg.c b/crypto/af_alg.c |
311 | index ca50eeb13097..b5953f1d1a18 100644 |
312 | --- a/crypto/af_alg.c |
313 | +++ b/crypto/af_alg.c |
314 | @@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
315 | void *private; |
316 | int err; |
317 | |
318 | - /* If caller uses non-allowed flag, return error. */ |
319 | - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
320 | - return -EINVAL; |
321 | - |
322 | if (sock->state == SS_CONNECTED) |
323 | return -EINVAL; |
324 | |
325 | if (addr_len != sizeof(*sa)) |
326 | return -EINVAL; |
327 | |
328 | + /* If caller uses non-allowed flag, return error. */ |
329 | + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
330 | + return -EINVAL; |
331 | + |
332 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; |
333 | sa->salg_name[sizeof(sa->salg_name) - 1] = 0; |
334 | |
335 | diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c |
336 | index e08c09fa5da0..4fe3ec122bf0 100644 |
337 | --- a/drivers/ata/libata-core.c |
338 | +++ b/drivers/ata/libata-core.c |
339 | @@ -4422,6 +4422,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { |
340 | ATA_HORKAGE_ZERO_AFTER_TRIM | |
341 | ATA_HORKAGE_NOLPM, }, |
342 | |
343 | + /* Sandisk devices which are known to not handle LPM well */ |
344 | + { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, |
345 | + |
346 | /* devices that don't properly handle queued TRIM commands */ |
347 | { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | |
348 | ATA_HORKAGE_ZERO_AFTER_TRIM, }, |
349 | diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c |
350 | index d3dc95484161..81bfeec67b77 100644 |
351 | --- a/drivers/atm/zatm.c |
352 | +++ b/drivers/atm/zatm.c |
353 | @@ -23,6 +23,7 @@ |
354 | #include <linux/bitops.h> |
355 | #include <linux/wait.h> |
356 | #include <linux/slab.h> |
357 | +#include <linux/nospec.h> |
358 | #include <asm/byteorder.h> |
359 | #include <asm/string.h> |
360 | #include <asm/io.h> |
361 | @@ -1458,6 +1459,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) |
362 | return -EFAULT; |
363 | if (pool < 0 || pool > ZATM_LAST_POOL) |
364 | return -EINVAL; |
365 | + pool = array_index_nospec(pool, |
366 | + ZATM_LAST_POOL + 1); |
367 | spin_lock_irqsave(&zatm_dev->lock, flags); |
368 | info = zatm_dev->pool_info[pool]; |
369 | if (cmd == ZATM_GETPOOLZ) { |
370 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c |
371 | index f8ba5c714df5..3257647d4f74 100644 |
372 | --- a/drivers/bluetooth/btusb.c |
373 | +++ b/drivers/bluetooth/btusb.c |
374 | @@ -217,6 +217,7 @@ static const struct usb_device_id blacklist_table[] = { |
375 | { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, |
376 | { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, |
377 | { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, |
378 | + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, |
379 | { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, |
380 | { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, |
381 | { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, |
382 | @@ -249,7 +250,6 @@ static const struct usb_device_id blacklist_table[] = { |
383 | { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, |
384 | |
385 | /* QCA ROME chipset */ |
386 | - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, |
387 | { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, |
388 | { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, |
389 | { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, |
390 | diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c |
391 | index 03a5925a423c..a9daf7121e6e 100644 |
392 | --- a/drivers/gpio/gpio-aspeed.c |
393 | +++ b/drivers/gpio/gpio-aspeed.c |
394 | @@ -256,7 +256,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) |
395 | if (set) |
396 | reg |= bit; |
397 | else |
398 | - reg &= bit; |
399 | + reg &= ~bit; |
400 | iowrite32(reg, addr); |
401 | |
402 | spin_unlock_irqrestore(&gpio->lock, flags); |
403 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c |
404 | index 4f54ff45e09e..56b24198741c 100644 |
405 | --- a/drivers/gpio/gpiolib.c |
406 | +++ b/drivers/gpio/gpiolib.c |
407 | @@ -425,7 +425,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
408 | struct gpiohandle_request handlereq; |
409 | struct linehandle_state *lh; |
410 | struct file *file; |
411 | - int fd, i, ret; |
412 | + int fd, i, count = 0, ret; |
413 | |
414 | if (copy_from_user(&handlereq, ip, sizeof(handlereq))) |
415 | return -EFAULT; |
416 | @@ -471,6 +471,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
417 | if (ret) |
418 | goto out_free_descs; |
419 | lh->descs[i] = desc; |
420 | + count = i; |
421 | |
422 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) |
423 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); |
424 | @@ -537,7 +538,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
425 | out_put_unused_fd: |
426 | put_unused_fd(fd); |
427 | out_free_descs: |
428 | - for (; i >= 0; i--) |
429 | + for (i = 0; i < count; i++) |
430 | gpiod_free(lh->descs[i]); |
431 | kfree(lh->label); |
432 | out_free_lh: |
433 | @@ -794,7 +795,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) |
434 | desc = &gdev->descs[offset]; |
435 | ret = gpiod_request(desc, le->label); |
436 | if (ret) |
437 | - goto out_free_desc; |
438 | + goto out_free_label; |
439 | le->desc = desc; |
440 | le->eflags = eflags; |
441 | |
442 | diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c |
443 | index e1d47d51ea47..3517c0ed984a 100644 |
444 | --- a/drivers/gpu/drm/i915/intel_lvds.c |
445 | +++ b/drivers/gpu/drm/i915/intel_lvds.c |
446 | @@ -321,7 +321,8 @@ static void intel_enable_lvds(struct intel_encoder *encoder, |
447 | |
448 | I915_WRITE(PP_CONTROL(0), I915_READ(PP_CONTROL(0)) | PANEL_POWER_ON); |
449 | POSTING_READ(lvds_encoder->reg); |
450 | - if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 1000)) |
451 | + |
452 | + if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 5000)) |
453 | DRM_ERROR("timed out waiting for panel to power on\n"); |
454 | |
455 | intel_panel_enable_backlight(intel_connector); |
456 | diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c |
457 | index 881bf489478b..75056553b06c 100644 |
458 | --- a/drivers/gpu/drm/vc4/vc4_plane.c |
459 | +++ b/drivers/gpu/drm/vc4/vc4_plane.c |
460 | @@ -533,7 +533,7 @@ static int vc4_plane_mode_set(struct drm_plane *plane, |
461 | * the scl fields here. |
462 | */ |
463 | if (num_planes == 1) { |
464 | - scl0 = vc4_get_scl_field(state, 1); |
465 | + scl0 = vc4_get_scl_field(state, 0); |
466 | scl1 = scl0; |
467 | } else { |
468 | scl0 = vc4_get_scl_field(state, 1); |
469 | diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c |
470 | index 760ef603a468..15f4bdf89fe1 100644 |
471 | --- a/drivers/infiniband/core/device.c |
472 | +++ b/drivers/infiniband/core/device.c |
473 | @@ -999,8 +999,7 @@ static int __init ib_core_init(void) |
474 | return -ENOMEM; |
475 | |
476 | ib_comp_wq = alloc_workqueue("ib-comp-wq", |
477 | - WQ_UNBOUND | WQ_HIGHPRI | WQ_MEM_RECLAIM, |
478 | - WQ_UNBOUND_MAX_ACTIVE); |
479 | + WQ_HIGHPRI | WQ_MEM_RECLAIM | WQ_SYSFS, 0); |
480 | if (!ib_comp_wq) { |
481 | ret = -ENOMEM; |
482 | goto err; |
483 | diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c |
484 | index c9d61a6dfb7a..3a75352f632b 100644 |
485 | --- a/drivers/net/can/usb/kvaser_usb.c |
486 | +++ b/drivers/net/can/usb/kvaser_usb.c |
487 | @@ -1179,7 +1179,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev, |
488 | |
489 | skb = alloc_can_skb(priv->netdev, &cf); |
490 | if (!skb) { |
491 | - stats->tx_dropped++; |
492 | + stats->rx_dropped++; |
493 | return; |
494 | } |
495 | |
496 | diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c |
497 | index ad1186dd6132..a45810b43f70 100644 |
498 | --- a/drivers/thermal/samsung/exynos_tmu.c |
499 | +++ b/drivers/thermal/samsung/exynos_tmu.c |
500 | @@ -185,6 +185,7 @@ |
501 | * @regulator: pointer to the TMU regulator structure. |
502 | * @reg_conf: pointer to structure to register with core thermal. |
503 | * @ntrip: number of supported trip points. |
504 | + * @enabled: current status of TMU device |
505 | * @tmu_initialize: SoC specific TMU initialization method |
506 | * @tmu_control: SoC specific TMU control method |
507 | * @tmu_read: SoC specific TMU temperature read method |
508 | @@ -205,6 +206,7 @@ struct exynos_tmu_data { |
509 | struct regulator *regulator; |
510 | struct thermal_zone_device *tzd; |
511 | unsigned int ntrip; |
512 | + bool enabled; |
513 | |
514 | int (*tmu_initialize)(struct platform_device *pdev); |
515 | void (*tmu_control)(struct platform_device *pdev, bool on); |
516 | @@ -398,6 +400,7 @@ static void exynos_tmu_control(struct platform_device *pdev, bool on) |
517 | mutex_lock(&data->lock); |
518 | clk_enable(data->clk); |
519 | data->tmu_control(pdev, on); |
520 | + data->enabled = on; |
521 | clk_disable(data->clk); |
522 | mutex_unlock(&data->lock); |
523 | } |
524 | @@ -889,19 +892,24 @@ static void exynos7_tmu_control(struct platform_device *pdev, bool on) |
525 | static int exynos_get_temp(void *p, int *temp) |
526 | { |
527 | struct exynos_tmu_data *data = p; |
528 | + int value, ret = 0; |
529 | |
530 | - if (!data || !data->tmu_read) |
531 | + if (!data || !data->tmu_read || !data->enabled) |
532 | return -EINVAL; |
533 | |
534 | mutex_lock(&data->lock); |
535 | clk_enable(data->clk); |
536 | |
537 | - *temp = code_to_temp(data, data->tmu_read(data)) * MCELSIUS; |
538 | + value = data->tmu_read(data); |
539 | + if (value < 0) |
540 | + ret = value; |
541 | + else |
542 | + *temp = code_to_temp(data, value) * MCELSIUS; |
543 | |
544 | clk_disable(data->clk); |
545 | mutex_unlock(&data->lock); |
546 | |
547 | - return 0; |
548 | + return ret; |
549 | } |
550 | |
551 | #ifdef CONFIG_THERMAL_EMULATION |
552 | diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c |
553 | index 99432b59c5cb..ae354ac67da1 100644 |
554 | --- a/fs/f2fs/data.c |
555 | +++ b/fs/f2fs/data.c |
556 | @@ -844,7 +844,7 @@ static int __get_data_block(struct inode *inode, sector_t iblock, |
557 | if (!ret) { |
558 | map_bh(bh, inode->i_sb, map.m_pblk); |
559 | bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags; |
560 | - bh->b_size = map.m_len << inode->i_blkbits; |
561 | + bh->b_size = (u64)map.m_len << inode->i_blkbits; |
562 | } |
563 | return ret; |
564 | } |
565 | diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c |
566 | index 3d8b35f28a9b..f3aea1b8702c 100644 |
567 | --- a/fs/fs-writeback.c |
568 | +++ b/fs/fs-writeback.c |
569 | @@ -1942,7 +1942,7 @@ void wb_workfn(struct work_struct *work) |
570 | } |
571 | |
572 | if (!list_empty(&wb->work_list)) |
573 | - mod_delayed_work(bdi_wq, &wb->dwork, 0); |
574 | + wb_wakeup(wb); |
575 | else if (wb_has_dirty_io(wb) && dirty_writeback_interval) |
576 | wb_wakeup_delayed(wb); |
577 | |
578 | diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h |
579 | index c9b3eb70f340..567017b5fc9e 100644 |
580 | --- a/include/net/inet_timewait_sock.h |
581 | +++ b/include/net/inet_timewait_sock.h |
582 | @@ -55,6 +55,7 @@ struct inet_timewait_sock { |
583 | #define tw_family __tw_common.skc_family |
584 | #define tw_state __tw_common.skc_state |
585 | #define tw_reuse __tw_common.skc_reuse |
586 | +#define tw_reuseport __tw_common.skc_reuseport |
587 | #define tw_ipv6only __tw_common.skc_ipv6only |
588 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if |
589 | #define tw_node __tw_common.skc_nulls_node |
590 | diff --git a/include/net/nexthop.h b/include/net/nexthop.h |
591 | index 3334dbfa5aa4..7fc78663ec9d 100644 |
592 | --- a/include/net/nexthop.h |
593 | +++ b/include/net/nexthop.h |
594 | @@ -6,7 +6,7 @@ |
595 | |
596 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) |
597 | { |
598 | - return remaining >= sizeof(*rtnh) && |
599 | + return remaining >= (int)sizeof(*rtnh) && |
600 | rtnh->rtnh_len >= sizeof(*rtnh) && |
601 | rtnh->rtnh_len <= remaining; |
602 | } |
603 | diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c |
604 | index 04988d6466bf..c265f1c3ae50 100644 |
605 | --- a/kernel/events/callchain.c |
606 | +++ b/kernel/events/callchain.c |
607 | @@ -129,14 +129,8 @@ int get_callchain_buffers(int event_max_stack) |
608 | goto exit; |
609 | } |
610 | |
611 | - if (count > 1) { |
612 | - /* If the allocation failed, give up */ |
613 | - if (!callchain_cpus_entries) |
614 | - err = -ENOMEM; |
615 | - goto exit; |
616 | - } |
617 | - |
618 | - err = alloc_callchain_buffers(); |
619 | + if (count == 1) |
620 | + err = alloc_callchain_buffers(); |
621 | exit: |
622 | if (err) |
623 | atomic_dec(&nr_callchain_events); |
624 | diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c |
625 | index 257fa460b846..017f7933a37d 100644 |
626 | --- a/kernel/events/ring_buffer.c |
627 | +++ b/kernel/events/ring_buffer.c |
628 | @@ -14,6 +14,7 @@ |
629 | #include <linux/slab.h> |
630 | #include <linux/circ_buf.h> |
631 | #include <linux/poll.h> |
632 | +#include <linux/nospec.h> |
633 | |
634 | #include "internal.h" |
635 | |
636 | @@ -844,8 +845,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff) |
637 | return NULL; |
638 | |
639 | /* AUX space */ |
640 | - if (pgoff >= rb->aux_pgoff) |
641 | - return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); |
642 | + if (pgoff >= rb->aux_pgoff) { |
643 | + int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); |
644 | + return virt_to_page(rb->aux_pages[aux_pgoff]); |
645 | + } |
646 | } |
647 | |
648 | return __perf_mmap_to_page(rb, pgoff); |
649 | diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c |
650 | index 0193f58c45f0..e35a411bea4b 100644 |
651 | --- a/kernel/trace/trace_events_filter.c |
652 | +++ b/kernel/trace/trace_events_filter.c |
653 | @@ -322,6 +322,9 @@ static int regex_match_full(char *str, struct regex *r, int len) |
654 | |
655 | static int regex_match_front(char *str, struct regex *r, int len) |
656 | { |
657 | + if (len < r->len) |
658 | + return 0; |
659 | + |
660 | if (strncmp(str, r->pattern, r->len) == 0) |
661 | return 1; |
662 | return 0; |
663 | diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c |
664 | index 0913693caf6e..788262984818 100644 |
665 | --- a/kernel/trace/trace_uprobe.c |
666 | +++ b/kernel/trace/trace_uprobe.c |
667 | @@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, |
668 | return; |
669 | |
670 | ret = strncpy_from_user(dst, src, maxlen); |
671 | + if (ret == maxlen) |
672 | + dst[--ret] = '\0'; |
673 | |
674 | if (ret < 0) { /* Failed to fetch string */ |
675 | ((u8 *)get_rloc_data(dest))[0] = '\0'; |
676 | diff --git a/net/atm/lec.c b/net/atm/lec.c |
677 | index 5d2693826afb..1e84c5226c84 100644 |
678 | --- a/net/atm/lec.c |
679 | +++ b/net/atm/lec.c |
680 | @@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 }; |
681 | #include <linux/module.h> |
682 | #include <linux/init.h> |
683 | |
684 | +/* Hardening for Spectre-v1 */ |
685 | +#include <linux/nospec.h> |
686 | + |
687 | #include "lec.h" |
688 | #include "lec_arpc.h" |
689 | #include "resources.h" |
690 | @@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) |
691 | bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); |
692 | if (bytes_left != 0) |
693 | pr_info("copy from user failed for %d bytes\n", bytes_left); |
694 | - if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || |
695 | - !dev_lec[ioc_data.dev_num]) |
696 | + if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) |
697 | + return -EINVAL; |
698 | + ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); |
699 | + if (!dev_lec[ioc_data.dev_num]) |
700 | return -EINVAL; |
701 | vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); |
702 | if (!vpriv) |
703 | diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c |
704 | index c0548d268e1a..e3e6a3e2ca22 100644 |
705 | --- a/net/core/dev_addr_lists.c |
706 | +++ b/net/core/dev_addr_lists.c |
707 | @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, |
708 | return -EINVAL; |
709 | |
710 | list_for_each_entry(ha, &list->list, list) { |
711 | - if (!memcmp(ha->addr, addr, addr_len) && |
712 | - ha->type == addr_type) { |
713 | + if (ha->type == addr_type && |
714 | + !memcmp(ha->addr, addr, addr_len)) { |
715 | if (global) { |
716 | /* check if addr is already used as global */ |
717 | if (ha->global_use) |
718 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
719 | index fb422dfec848..a40ccc184b83 100644 |
720 | --- a/net/core/skbuff.c |
721 | +++ b/net/core/skbuff.c |
722 | @@ -903,6 +903,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) |
723 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; |
724 | n->cloned = 1; |
725 | n->nohdr = 0; |
726 | + n->peeked = 0; |
727 | n->destructor = NULL; |
728 | C(tail); |
729 | C(end); |
730 | diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c |
731 | index 8c7799cdd3cf..6697b180e122 100644 |
732 | --- a/net/dccp/ipv4.c |
733 | +++ b/net/dccp/ipv4.c |
734 | @@ -620,6 +620,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) |
735 | ireq = inet_rsk(req); |
736 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); |
737 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); |
738 | + ireq->ir_mark = inet_request_mark(sk, skb); |
739 | ireq->ireq_family = AF_INET; |
740 | ireq->ir_iif = sk->sk_bound_dev_if; |
741 | |
742 | diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c |
743 | index 28e8252cc5ea..6cbcf399d22b 100644 |
744 | --- a/net/dccp/ipv6.c |
745 | +++ b/net/dccp/ipv6.c |
746 | @@ -349,6 +349,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) |
747 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; |
748 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; |
749 | ireq->ireq_family = AF_INET6; |
750 | + ireq->ir_mark = inet_request_mark(sk, skb); |
751 | |
752 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || |
753 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || |
754 | diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c |
755 | index ddcd56c08d14..a6b34ac3139e 100644 |
756 | --- a/net/ipv4/inet_timewait_sock.c |
757 | +++ b/net/ipv4/inet_timewait_sock.c |
758 | @@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, |
759 | tw->tw_dport = inet->inet_dport; |
760 | tw->tw_family = sk->sk_family; |
761 | tw->tw_reuse = sk->sk_reuse; |
762 | + tw->tw_reuseport = sk->sk_reuseport; |
763 | tw->tw_hash = sk->sk_hash; |
764 | tw->tw_ipv6only = 0; |
765 | tw->tw_transparent = inet->transparent; |
766 | diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
767 | index 0fc5dad02fe8..6f501c9deaae 100644 |
768 | --- a/net/ipv4/tcp.c |
769 | +++ b/net/ipv4/tcp.c |
770 | @@ -2523,7 +2523,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, |
771 | case TCP_REPAIR_QUEUE: |
772 | if (!tp->repair) |
773 | err = -EPERM; |
774 | - else if (val < TCP_QUEUES_NR) |
775 | + else if ((unsigned int)val < TCP_QUEUES_NR) |
776 | tp->repair_queue = val; |
777 | else |
778 | err = -EINVAL; |
779 | diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c |
780 | index 63e6d08388ab..cc306defcc19 100644 |
781 | --- a/net/kcm/kcmsock.c |
782 | +++ b/net/kcm/kcmsock.c |
783 | @@ -1424,6 +1424,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock, |
784 | */ |
785 | if (csk->sk_user_data) { |
786 | write_unlock_bh(&csk->sk_callback_lock); |
787 | + strp_stop(&psock->strp); |
788 | strp_done(&psock->strp); |
789 | kmem_cache_free(kcm_psockp, psock); |
790 | err = -EALREADY; |
791 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c |
792 | index 74d119512d96..c5f2350a2b50 100644 |
793 | --- a/net/netfilter/ipvs/ip_vs_ctl.c |
794 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c |
795 | @@ -2393,11 +2393,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) |
796 | strlcpy(cfg.mcast_ifn, dm->mcast_ifn, |
797 | sizeof(cfg.mcast_ifn)); |
798 | cfg.syncid = dm->syncid; |
799 | - rtnl_lock(); |
800 | - mutex_lock(&ipvs->sync_mutex); |
801 | ret = start_sync_thread(ipvs, &cfg, dm->state); |
802 | - mutex_unlock(&ipvs->sync_mutex); |
803 | - rtnl_unlock(); |
804 | } else { |
805 | mutex_lock(&ipvs->sync_mutex); |
806 | ret = stop_sync_thread(ipvs, dm->state); |
807 | @@ -3495,12 +3491,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) |
808 | if (ipvs->mixed_address_family_dests > 0) |
809 | return -EINVAL; |
810 | |
811 | - rtnl_lock(); |
812 | - mutex_lock(&ipvs->sync_mutex); |
813 | ret = start_sync_thread(ipvs, &c, |
814 | nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); |
815 | - mutex_unlock(&ipvs->sync_mutex); |
816 | - rtnl_unlock(); |
817 | return ret; |
818 | } |
819 | |
820 | diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c |
821 | index 9350530c16c1..5fbf4b232592 100644 |
822 | --- a/net/netfilter/ipvs/ip_vs_sync.c |
823 | +++ b/net/netfilter/ipvs/ip_vs_sync.c |
824 | @@ -48,6 +48,7 @@ |
825 | #include <linux/kthread.h> |
826 | #include <linux/wait.h> |
827 | #include <linux/kernel.h> |
828 | +#include <linux/sched.h> |
829 | |
830 | #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */ |
831 | |
832 | @@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val) |
833 | /* |
834 | * Specifiy default interface for outgoing multicasts |
835 | */ |
836 | -static int set_mcast_if(struct sock *sk, char *ifname) |
837 | +static int set_mcast_if(struct sock *sk, struct net_device *dev) |
838 | { |
839 | - struct net_device *dev; |
840 | struct inet_sock *inet = inet_sk(sk); |
841 | - struct net *net = sock_net(sk); |
842 | - |
843 | - dev = __dev_get_by_name(net, ifname); |
844 | - if (!dev) |
845 | - return -ENODEV; |
846 | |
847 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
848 | return -EINVAL; |
849 | @@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname) |
850 | * in the in_addr structure passed in as a parameter. |
851 | */ |
852 | static int |
853 | -join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) |
854 | +join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev) |
855 | { |
856 | - struct net *net = sock_net(sk); |
857 | struct ip_mreqn mreq; |
858 | - struct net_device *dev; |
859 | int ret; |
860 | |
861 | memset(&mreq, 0, sizeof(mreq)); |
862 | memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr)); |
863 | |
864 | - dev = __dev_get_by_name(net, ifname); |
865 | - if (!dev) |
866 | - return -ENODEV; |
867 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
868 | return -EINVAL; |
869 | |
870 | @@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) |
871 | |
872 | #ifdef CONFIG_IP_VS_IPV6 |
873 | static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, |
874 | - char *ifname) |
875 | + struct net_device *dev) |
876 | { |
877 | - struct net *net = sock_net(sk); |
878 | - struct net_device *dev; |
879 | int ret; |
880 | |
881 | - dev = __dev_get_by_name(net, ifname); |
882 | - if (!dev) |
883 | - return -ENODEV; |
884 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
885 | return -EINVAL; |
886 | |
887 | @@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, |
888 | } |
889 | #endif |
890 | |
891 | -static int bind_mcastif_addr(struct socket *sock, char *ifname) |
892 | +static int bind_mcastif_addr(struct socket *sock, struct net_device *dev) |
893 | { |
894 | - struct net *net = sock_net(sock->sk); |
895 | - struct net_device *dev; |
896 | __be32 addr; |
897 | struct sockaddr_in sin; |
898 | |
899 | - dev = __dev_get_by_name(net, ifname); |
900 | - if (!dev) |
901 | - return -ENODEV; |
902 | - |
903 | addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE); |
904 | if (!addr) |
905 | pr_err("You probably need to specify IP address on " |
906 | "multicast interface.\n"); |
907 | |
908 | IP_VS_DBG(7, "binding socket with (%s) %pI4\n", |
909 | - ifname, &addr); |
910 | + dev->name, &addr); |
911 | |
912 | /* Now bind the socket with the address of multicast interface */ |
913 | sin.sin_family = AF_INET; |
914 | @@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen, |
915 | /* |
916 | * Set up sending multicast socket over UDP |
917 | */ |
918 | -static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
919 | +static int make_send_sock(struct netns_ipvs *ipvs, int id, |
920 | + struct net_device *dev, struct socket **sock_ret) |
921 | { |
922 | /* multicast addr */ |
923 | union ipvs_sockaddr mcast_addr; |
924 | @@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
925 | IPPROTO_UDP, &sock); |
926 | if (result < 0) { |
927 | pr_err("Error during creation of socket; terminating\n"); |
928 | - return ERR_PTR(result); |
929 | + goto error; |
930 | } |
931 | - result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn); |
932 | + *sock_ret = sock; |
933 | + result = set_mcast_if(sock->sk, dev); |
934 | if (result < 0) { |
935 | pr_err("Error setting outbound mcast interface\n"); |
936 | goto error; |
937 | @@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
938 | set_sock_size(sock->sk, 1, result); |
939 | |
940 | if (AF_INET == ipvs->mcfg.mcast_af) |
941 | - result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn); |
942 | + result = bind_mcastif_addr(sock, dev); |
943 | else |
944 | result = 0; |
945 | if (result < 0) { |
946 | @@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
947 | goto error; |
948 | } |
949 | |
950 | - return sock; |
951 | + return 0; |
952 | |
953 | error: |
954 | - sock_release(sock); |
955 | - return ERR_PTR(result); |
956 | + return result; |
957 | } |
958 | |
959 | |
960 | /* |
961 | * Set up receiving multicast socket over UDP |
962 | */ |
963 | -static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
964 | - int ifindex) |
965 | +static int make_receive_sock(struct netns_ipvs *ipvs, int id, |
966 | + struct net_device *dev, struct socket **sock_ret) |
967 | { |
968 | /* multicast addr */ |
969 | union ipvs_sockaddr mcast_addr; |
970 | @@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
971 | IPPROTO_UDP, &sock); |
972 | if (result < 0) { |
973 | pr_err("Error during creation of socket; terminating\n"); |
974 | - return ERR_PTR(result); |
975 | + goto error; |
976 | } |
977 | + *sock_ret = sock; |
978 | /* it is equivalent to the REUSEADDR option in user-space */ |
979 | sock->sk->sk_reuse = SK_CAN_REUSE; |
980 | result = sysctl_sync_sock_size(ipvs); |
981 | @@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
982 | set_sock_size(sock->sk, 0, result); |
983 | |
984 | get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id); |
985 | - sock->sk->sk_bound_dev_if = ifindex; |
986 | + sock->sk->sk_bound_dev_if = dev->ifindex; |
987 | result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen); |
988 | if (result < 0) { |
989 | pr_err("Error binding to the multicast addr\n"); |
990 | @@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
991 | #ifdef CONFIG_IP_VS_IPV6 |
992 | if (ipvs->bcfg.mcast_af == AF_INET6) |
993 | result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr, |
994 | - ipvs->bcfg.mcast_ifn); |
995 | + dev); |
996 | else |
997 | #endif |
998 | result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr, |
999 | - ipvs->bcfg.mcast_ifn); |
1000 | + dev); |
1001 | if (result < 0) { |
1002 | pr_err("Error joining to the multicast group\n"); |
1003 | goto error; |
1004 | } |
1005 | |
1006 | - return sock; |
1007 | + return 0; |
1008 | |
1009 | error: |
1010 | - sock_release(sock); |
1011 | - return ERR_PTR(result); |
1012 | + return result; |
1013 | } |
1014 | |
1015 | |
1016 | @@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data) |
1017 | int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1018 | int state) |
1019 | { |
1020 | - struct ip_vs_sync_thread_data *tinfo; |
1021 | + struct ip_vs_sync_thread_data *tinfo = NULL; |
1022 | struct task_struct **array = NULL, *task; |
1023 | - struct socket *sock; |
1024 | struct net_device *dev; |
1025 | char *name; |
1026 | int (*threadfn)(void *data); |
1027 | - int id, count, hlen; |
1028 | + int id = 0, count, hlen; |
1029 | int result = -ENOMEM; |
1030 | u16 mtu, min_mtu; |
1031 | |
1032 | @@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1033 | IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n", |
1034 | sizeof(struct ip_vs_sync_conn_v0)); |
1035 | |
1036 | + /* Do not hold one mutex and then to block on another */ |
1037 | + for (;;) { |
1038 | + rtnl_lock(); |
1039 | + if (mutex_trylock(&ipvs->sync_mutex)) |
1040 | + break; |
1041 | + rtnl_unlock(); |
1042 | + mutex_lock(&ipvs->sync_mutex); |
1043 | + if (rtnl_trylock()) |
1044 | + break; |
1045 | + mutex_unlock(&ipvs->sync_mutex); |
1046 | + } |
1047 | + |
1048 | if (!ipvs->sync_state) { |
1049 | count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX); |
1050 | ipvs->threads_mask = count - 1; |
1051 | @@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1052 | dev = __dev_get_by_name(ipvs->net, c->mcast_ifn); |
1053 | if (!dev) { |
1054 | pr_err("Unknown mcast interface: %s\n", c->mcast_ifn); |
1055 | - return -ENODEV; |
1056 | + result = -ENODEV; |
1057 | + goto out_early; |
1058 | } |
1059 | hlen = (AF_INET6 == c->mcast_af) ? |
1060 | sizeof(struct ipv6hdr) + sizeof(struct udphdr) : |
1061 | @@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1062 | c->sync_maxlen = mtu - hlen; |
1063 | |
1064 | if (state == IP_VS_STATE_MASTER) { |
1065 | + result = -EEXIST; |
1066 | if (ipvs->ms) |
1067 | - return -EEXIST; |
1068 | + goto out_early; |
1069 | |
1070 | ipvs->mcfg = *c; |
1071 | name = "ipvs-m:%d:%d"; |
1072 | threadfn = sync_thread_master; |
1073 | } else if (state == IP_VS_STATE_BACKUP) { |
1074 | + result = -EEXIST; |
1075 | if (ipvs->backup_threads) |
1076 | - return -EEXIST; |
1077 | + goto out_early; |
1078 | |
1079 | ipvs->bcfg = *c; |
1080 | name = "ipvs-b:%d:%d"; |
1081 | threadfn = sync_thread_backup; |
1082 | } else { |
1083 | - return -EINVAL; |
1084 | + result = -EINVAL; |
1085 | + goto out_early; |
1086 | } |
1087 | |
1088 | if (state == IP_VS_STATE_MASTER) { |
1089 | struct ipvs_master_sync_state *ms; |
1090 | |
1091 | + result = -ENOMEM; |
1092 | ipvs->ms = kzalloc(count * sizeof(ipvs->ms[0]), GFP_KERNEL); |
1093 | if (!ipvs->ms) |
1094 | goto out; |
1095 | @@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1096 | } else { |
1097 | array = kzalloc(count * sizeof(struct task_struct *), |
1098 | GFP_KERNEL); |
1099 | + result = -ENOMEM; |
1100 | if (!array) |
1101 | goto out; |
1102 | } |
1103 | |
1104 | - tinfo = NULL; |
1105 | for (id = 0; id < count; id++) { |
1106 | - if (state == IP_VS_STATE_MASTER) |
1107 | - sock = make_send_sock(ipvs, id); |
1108 | - else |
1109 | - sock = make_receive_sock(ipvs, id, dev->ifindex); |
1110 | - if (IS_ERR(sock)) { |
1111 | - result = PTR_ERR(sock); |
1112 | - goto outtinfo; |
1113 | - } |
1114 | + result = -ENOMEM; |
1115 | tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); |
1116 | if (!tinfo) |
1117 | - goto outsocket; |
1118 | + goto out; |
1119 | tinfo->ipvs = ipvs; |
1120 | - tinfo->sock = sock; |
1121 | + tinfo->sock = NULL; |
1122 | if (state == IP_VS_STATE_BACKUP) { |
1123 | tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, |
1124 | GFP_KERNEL); |
1125 | if (!tinfo->buf) |
1126 | - goto outtinfo; |
1127 | + goto out; |
1128 | } else { |
1129 | tinfo->buf = NULL; |
1130 | } |
1131 | tinfo->id = id; |
1132 | + if (state == IP_VS_STATE_MASTER) |
1133 | + result = make_send_sock(ipvs, id, dev, &tinfo->sock); |
1134 | + else |
1135 | + result = make_receive_sock(ipvs, id, dev, &tinfo->sock); |
1136 | + if (result < 0) |
1137 | + goto out; |
1138 | |
1139 | task = kthread_run(threadfn, tinfo, name, ipvs->gen, id); |
1140 | if (IS_ERR(task)) { |
1141 | result = PTR_ERR(task); |
1142 | - goto outtinfo; |
1143 | + goto out; |
1144 | } |
1145 | tinfo = NULL; |
1146 | if (state == IP_VS_STATE_MASTER) |
1147 | @@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1148 | ipvs->sync_state |= state; |
1149 | spin_unlock_bh(&ipvs->sync_buff_lock); |
1150 | |
1151 | + mutex_unlock(&ipvs->sync_mutex); |
1152 | + rtnl_unlock(); |
1153 | + |
1154 | /* increase the module use count */ |
1155 | ip_vs_use_count_inc(); |
1156 | |
1157 | return 0; |
1158 | |
1159 | -outsocket: |
1160 | - sock_release(sock); |
1161 | - |
1162 | -outtinfo: |
1163 | - if (tinfo) { |
1164 | - sock_release(tinfo->sock); |
1165 | - kfree(tinfo->buf); |
1166 | - kfree(tinfo); |
1167 | - } |
1168 | +out: |
1169 | + /* We do not need RTNL lock anymore, release it here so that |
1170 | + * sock_release below and in the kthreads can use rtnl_lock |
1171 | + * to leave the mcast group. |
1172 | + */ |
1173 | + rtnl_unlock(); |
1174 | count = id; |
1175 | while (count-- > 0) { |
1176 | if (state == IP_VS_STATE_MASTER) |
1177 | @@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
1178 | else |
1179 | kthread_stop(array[count]); |
1180 | } |
1181 | - kfree(array); |
1182 | - |
1183 | -out: |
1184 | if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { |
1185 | kfree(ipvs->ms); |
1186 | ipvs->ms = NULL; |
1187 | } |
1188 | + mutex_unlock(&ipvs->sync_mutex); |
1189 | + if (tinfo) { |
1190 | + if (tinfo->sock) |
1191 | + sock_release(tinfo->sock); |
1192 | + kfree(tinfo->buf); |
1193 | + kfree(tinfo); |
1194 | + } |
1195 | + kfree(array); |
1196 | + return result; |
1197 | + |
1198 | +out_early: |
1199 | + mutex_unlock(&ipvs->sync_mutex); |
1200 | + rtnl_unlock(); |
1201 | return result; |
1202 | } |
1203 | |
1204 | diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c |
1205 | index 1e97b8d9a159..15e6e7b9fd2b 100644 |
1206 | --- a/net/netlink/af_netlink.c |
1207 | +++ b/net/netlink/af_netlink.c |
1208 | @@ -1795,6 +1795,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) |
1209 | |
1210 | if (msg->msg_namelen) { |
1211 | err = -EINVAL; |
1212 | + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) |
1213 | + goto out; |
1214 | if (addr->nl_family != AF_NETLINK) |
1215 | goto out; |
1216 | dst_portid = addr->nl_pid; |
1217 | diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c |
1218 | index 76c01cbd56e3..d6d8b34c5f22 100644 |
1219 | --- a/net/rfkill/rfkill-gpio.c |
1220 | +++ b/net/rfkill/rfkill-gpio.c |
1221 | @@ -138,13 +138,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev) |
1222 | |
1223 | ret = rfkill_register(rfkill->rfkill_dev); |
1224 | if (ret < 0) |
1225 | - return ret; |
1226 | + goto err_destroy; |
1227 | |
1228 | platform_set_drvdata(pdev, rfkill); |
1229 | |
1230 | dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); |
1231 | |
1232 | return 0; |
1233 | + |
1234 | +err_destroy: |
1235 | + rfkill_destroy(rfkill->rfkill_dev); |
1236 | + |
1237 | + return ret; |
1238 | } |
1239 | |
1240 | static int rfkill_gpio_remove(struct platform_device *pdev) |