Contents of /trunk/kernel-alx/patches-4.9/0199-4.9.100-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3176 -
(show annotations)
(download)
Wed Aug 8 14:17:30 2018 UTC (5 years, 8 months ago) by niro
File size: 40406 byte(s)
Wed Aug 8 14:17:30 2018 UTC (5 years, 8 months ago) by niro
File size: 40406 byte(s)
-linux-4.9.100
| 1 | diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt |
| 2 | index d11af52427b4..ac9489fad31b 100644 |
| 3 | --- a/Documentation/arm64/silicon-errata.txt |
| 4 | +++ b/Documentation/arm64/silicon-errata.txt |
| 5 | @@ -54,6 +54,7 @@ stable kernels. |
| 6 | | ARM | Cortex-A57 | #852523 | N/A | |
| 7 | | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | |
| 8 | | ARM | Cortex-A72 | #853709 | N/A | |
| 9 | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | |
| 10 | | ARM | MMU-500 | #841119,#826419 | N/A | |
| 11 | | | | | | |
| 12 | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | |
| 13 | diff --git a/Makefile b/Makefile |
| 14 | index d51e99f4a987..52a41396680c 100644 |
| 15 | --- a/Makefile |
| 16 | +++ b/Makefile |
| 17 | @@ -1,6 +1,6 @@ |
| 18 | VERSION = 4 |
| 19 | PATCHLEVEL = 9 |
| 20 | -SUBLEVEL = 99 |
| 21 | +SUBLEVEL = 100 |
| 22 | EXTRAVERSION = |
| 23 | NAME = Roaring Lionus |
| 24 | |
| 25 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig |
| 26 | index 90e58bbbd858..d0df3611d1e2 100644 |
| 27 | --- a/arch/arm64/Kconfig |
| 28 | +++ b/arch/arm64/Kconfig |
| 29 | @@ -427,6 +427,20 @@ config ARM64_ERRATUM_843419 |
| 30 | |
| 31 | If unsure, say Y. |
| 32 | |
| 33 | +config ARM64_ERRATUM_1024718 |
| 34 | + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" |
| 35 | + default y |
| 36 | + help |
| 37 | + This option adds work around for Arm Cortex-A55 Erratum 1024718. |
| 38 | + |
| 39 | + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect |
| 40 | + update of the hardware dirty bit when the DBM/AP bits are updated |
| 41 | + without a break-before-make. The work around is to disable the usage |
| 42 | + of hardware DBM locally on the affected cores. CPUs not affected by |
| 43 | + erratum will continue to use the feature. |
| 44 | + |
| 45 | + If unsure, say Y. |
| 46 | + |
| 47 | config CAVIUM_ERRATUM_22375 |
| 48 | bool "Cavium erratum 22375, 24313" |
| 49 | default y |
| 50 | diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h |
| 51 | index e60375ce0dd2..bfcfec3590f6 100644 |
| 52 | --- a/arch/arm64/include/asm/assembler.h |
| 53 | +++ b/arch/arm64/include/asm/assembler.h |
| 54 | @@ -25,6 +25,7 @@ |
| 55 | |
| 56 | #include <asm/asm-offsets.h> |
| 57 | #include <asm/cpufeature.h> |
| 58 | +#include <asm/cputype.h> |
| 59 | #include <asm/page.h> |
| 60 | #include <asm/pgtable-hwdef.h> |
| 61 | #include <asm/ptrace.h> |
| 62 | @@ -435,4 +436,43 @@ alternative_endif |
| 63 | and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) |
| 64 | .endm |
| 65 | |
| 66 | +/* |
| 67 | + * Check the MIDR_EL1 of the current CPU for a given model and a range of |
| 68 | + * variant/revision. See asm/cputype.h for the macros used below. |
| 69 | + * |
| 70 | + * model: MIDR_CPU_MODEL of CPU |
| 71 | + * rv_min: Minimum of MIDR_CPU_VAR_REV() |
| 72 | + * rv_max: Maximum of MIDR_CPU_VAR_REV() |
| 73 | + * res: Result register. |
| 74 | + * tmp1, tmp2, tmp3: Temporary registers |
| 75 | + * |
| 76 | + * Corrupts: res, tmp1, tmp2, tmp3 |
| 77 | + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise |
| 78 | + */ |
| 79 | + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 |
| 80 | + mrs \res, midr_el1 |
| 81 | + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) |
| 82 | + mov_q \tmp2, MIDR_CPU_MODEL_MASK |
| 83 | + and \tmp3, \res, \tmp2 // Extract model |
| 84 | + and \tmp1, \res, \tmp1 // rev & variant |
| 85 | + mov_q \tmp2, \model |
| 86 | + cmp \tmp3, \tmp2 |
| 87 | + cset \res, eq |
| 88 | + cbz \res, .Ldone\@ // Model matches ? |
| 89 | + |
| 90 | + .if (\rv_min != 0) // Skip min check if rv_min == 0 |
| 91 | + mov_q \tmp3, \rv_min |
| 92 | + cmp \tmp1, \tmp3 |
| 93 | + cset \res, ge |
| 94 | + .endif // \rv_min != 0 |
| 95 | + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ |
| 96 | + .if ((\rv_min != \rv_max) || \rv_min == 0) |
| 97 | + mov_q \tmp2, \rv_max |
| 98 | + cmp \tmp1, \tmp2 |
| 99 | + cset \tmp2, le |
| 100 | + and \res, \res, \tmp2 |
| 101 | + .endif |
| 102 | +.Ldone\@: |
| 103 | + .endm |
| 104 | + |
| 105 | #endif /* __ASM_ASSEMBLER_H */ |
| 106 | diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h |
| 107 | index 9ee3038a6b98..39d1db68748d 100644 |
| 108 | --- a/arch/arm64/include/asm/cputype.h |
| 109 | +++ b/arch/arm64/include/asm/cputype.h |
| 110 | @@ -56,6 +56,9 @@ |
| 111 | (0xf << MIDR_ARCHITECTURE_SHIFT) | \ |
| 112 | ((partnum) << MIDR_PARTNUM_SHIFT)) |
| 113 | |
| 114 | +#define MIDR_CPU_VAR_REV(var, rev) \ |
| 115 | + (((var) << MIDR_VARIANT_SHIFT) | (rev)) |
| 116 | + |
| 117 | #define MIDR_CPU_MODEL_MASK (MIDR_IMPLEMENTOR_MASK | MIDR_PARTNUM_MASK | \ |
| 118 | MIDR_ARCHITECTURE_MASK) |
| 119 | |
| 120 | @@ -74,6 +77,7 @@ |
| 121 | |
| 122 | #define ARM_CPU_PART_AEM_V8 0xD0F |
| 123 | #define ARM_CPU_PART_FOUNDATION 0xD00 |
| 124 | +#define ARM_CPU_PART_CORTEX_A55 0xD05 |
| 125 | #define ARM_CPU_PART_CORTEX_A57 0xD07 |
| 126 | #define ARM_CPU_PART_CORTEX_A72 0xD08 |
| 127 | #define ARM_CPU_PART_CORTEX_A53 0xD03 |
| 128 | @@ -89,6 +93,7 @@ |
| 129 | #define BRCM_CPU_PART_VULCAN 0x516 |
| 130 | |
| 131 | #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) |
| 132 | +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) |
| 133 | #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) |
| 134 | #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) |
| 135 | #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) |
| 136 | diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S |
| 137 | index 619da1cbd32b..66cce2138f95 100644 |
| 138 | --- a/arch/arm64/mm/proc.S |
| 139 | +++ b/arch/arm64/mm/proc.S |
| 140 | @@ -425,6 +425,11 @@ ENTRY(__cpu_setup) |
| 141 | cbz x9, 2f |
| 142 | cmp x9, #2 |
| 143 | b.lt 1f |
| 144 | +#ifdef CONFIG_ARM64_ERRATUM_1024718 |
| 145 | + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ |
| 146 | + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 |
| 147 | + cbnz x1, 1f |
| 148 | +#endif |
| 149 | orr x10, x10, #TCR_HD // hardware Dirty flag update |
| 150 | 1: orr x10, x10, #TCR_HA // hardware Access flag update |
| 151 | 2: |
| 152 | diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
| 153 | index 55fbc0c78721..79a180cf4c94 100644 |
| 154 | --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
| 155 | +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
| 156 | @@ -299,7 +299,6 @@ kvm_novcpu_exit: |
| 157 | stw r12, STACK_SLOT_TRAP(r1) |
| 158 | bl kvmhv_commence_exit |
| 159 | nop |
| 160 | - lwz r12, STACK_SLOT_TRAP(r1) |
| 161 | b kvmhv_switch_to_host |
| 162 | |
| 163 | /* |
| 164 | @@ -1023,6 +1022,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) |
| 165 | |
| 166 | secondary_too_late: |
| 167 | li r12, 0 |
| 168 | + stw r12, STACK_SLOT_TRAP(r1) |
| 169 | cmpdi r4, 0 |
| 170 | beq 11f |
| 171 | stw r12, VCPU_TRAP(r4) |
| 172 | @@ -1266,12 +1266,12 @@ mc_cont: |
| 173 | bl kvmhv_accumulate_time |
| 174 | #endif |
| 175 | |
| 176 | + stw r12, STACK_SLOT_TRAP(r1) |
| 177 | mr r3, r12 |
| 178 | /* Increment exit count, poke other threads to exit */ |
| 179 | bl kvmhv_commence_exit |
| 180 | nop |
| 181 | ld r9, HSTATE_KVM_VCPU(r13) |
| 182 | - lwz r12, VCPU_TRAP(r9) |
| 183 | |
| 184 | /* Stop others sending VCPU interrupts to this physical CPU */ |
| 185 | li r0, -1 |
| 186 | @@ -1549,6 +1549,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
| 187 | * POWER7/POWER8 guest -> host partition switch code. |
| 188 | * We don't have to lock against tlbies but we do |
| 189 | * have to coordinate the hardware threads. |
| 190 | + * Here STACK_SLOT_TRAP(r1) contains the trap number. |
| 191 | */ |
| 192 | kvmhv_switch_to_host: |
| 193 | /* Secondary threads wait for primary to do partition switch */ |
| 194 | @@ -1599,11 +1600,11 @@ BEGIN_FTR_SECTION |
| 195 | END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
| 196 | |
| 197 | /* If HMI, call kvmppc_realmode_hmi_handler() */ |
| 198 | + lwz r12, STACK_SLOT_TRAP(r1) |
| 199 | cmpwi r12, BOOK3S_INTERRUPT_HMI |
| 200 | bne 27f |
| 201 | bl kvmppc_realmode_hmi_handler |
| 202 | nop |
| 203 | - li r12, BOOK3S_INTERRUPT_HMI |
| 204 | /* |
| 205 | * At this point kvmppc_realmode_hmi_handler would have resync-ed |
| 206 | * the TB. Hence it is not required to subtract guest timebase |
| 207 | @@ -1678,6 +1679,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) |
| 208 | li r0, KVM_GUEST_MODE_NONE |
| 209 | stb r0, HSTATE_IN_GUEST(r13) |
| 210 | |
| 211 | + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ |
| 212 | ld r0, SFS+PPC_LR_STKOFF(r1) |
| 213 | addi r1, r1, SFS |
| 214 | mtlr r0 |
| 215 | diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c |
| 216 | index f73796db8758..02e547f9ca3f 100644 |
| 217 | --- a/arch/x86/events/core.c |
| 218 | +++ b/arch/x86/events/core.c |
| 219 | @@ -26,6 +26,7 @@ |
| 220 | #include <linux/cpu.h> |
| 221 | #include <linux/bitops.h> |
| 222 | #include <linux/device.h> |
| 223 | +#include <linux/nospec.h> |
| 224 | |
| 225 | #include <asm/apic.h> |
| 226 | #include <asm/stacktrace.h> |
| 227 | @@ -303,17 +304,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) |
| 228 | |
| 229 | config = attr->config; |
| 230 | |
| 231 | - cache_type = (config >> 0) & 0xff; |
| 232 | + cache_type = (config >> 0) & 0xff; |
| 233 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) |
| 234 | return -EINVAL; |
| 235 | + cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); |
| 236 | |
| 237 | cache_op = (config >> 8) & 0xff; |
| 238 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) |
| 239 | return -EINVAL; |
| 240 | + cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); |
| 241 | |
| 242 | cache_result = (config >> 16) & 0xff; |
| 243 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) |
| 244 | return -EINVAL; |
| 245 | + cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); |
| 246 | |
| 247 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; |
| 248 | |
| 249 | @@ -420,6 +424,8 @@ int x86_setup_perfctr(struct perf_event *event) |
| 250 | if (attr->config >= x86_pmu.max_events) |
| 251 | return -EINVAL; |
| 252 | |
| 253 | + attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events); |
| 254 | + |
| 255 | /* |
| 256 | * The generic map: |
| 257 | */ |
| 258 | diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c |
| 259 | index 1076c9a77292..47d526c700a1 100644 |
| 260 | --- a/arch/x86/events/intel/cstate.c |
| 261 | +++ b/arch/x86/events/intel/cstate.c |
| 262 | @@ -90,6 +90,7 @@ |
| 263 | #include <linux/module.h> |
| 264 | #include <linux/slab.h> |
| 265 | #include <linux/perf_event.h> |
| 266 | +#include <linux/nospec.h> |
| 267 | #include <asm/cpu_device_id.h> |
| 268 | #include <asm/intel-family.h> |
| 269 | #include "../perf_event.h" |
| 270 | @@ -300,6 +301,7 @@ static int cstate_pmu_event_init(struct perf_event *event) |
| 271 | } else if (event->pmu == &cstate_pkg_pmu) { |
| 272 | if (cfg >= PERF_CSTATE_PKG_EVENT_MAX) |
| 273 | return -EINVAL; |
| 274 | + cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX); |
| 275 | if (!pkg_msr[cfg].attr) |
| 276 | return -EINVAL; |
| 277 | event->hw.event_base = pkg_msr[cfg].msr; |
| 278 | diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c |
| 279 | index 4bb3ec69e8ea..be0b1968d60a 100644 |
| 280 | --- a/arch/x86/events/msr.c |
| 281 | +++ b/arch/x86/events/msr.c |
| 282 | @@ -1,4 +1,5 @@ |
| 283 | #include <linux/perf_event.h> |
| 284 | +#include <linux/nospec.h> |
| 285 | #include <asm/intel-family.h> |
| 286 | |
| 287 | enum perf_msr_id { |
| 288 | @@ -136,9 +137,6 @@ static int msr_event_init(struct perf_event *event) |
| 289 | if (event->attr.type != event->pmu->type) |
| 290 | return -ENOENT; |
| 291 | |
| 292 | - if (cfg >= PERF_MSR_EVENT_MAX) |
| 293 | - return -EINVAL; |
| 294 | - |
| 295 | /* unsupported modes and filters */ |
| 296 | if (event->attr.exclude_user || |
| 297 | event->attr.exclude_kernel || |
| 298 | @@ -149,6 +147,11 @@ static int msr_event_init(struct perf_event *event) |
| 299 | event->attr.sample_period) /* no sampling */ |
| 300 | return -EINVAL; |
| 301 | |
| 302 | + if (cfg >= PERF_MSR_EVENT_MAX) |
| 303 | + return -EINVAL; |
| 304 | + |
| 305 | + cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX); |
| 306 | + |
| 307 | if (!msr[cfg].attr) |
| 308 | return -EINVAL; |
| 309 | |
| 310 | diff --git a/crypto/af_alg.c b/crypto/af_alg.c |
| 311 | index ca50eeb13097..b5953f1d1a18 100644 |
| 312 | --- a/crypto/af_alg.c |
| 313 | +++ b/crypto/af_alg.c |
| 314 | @@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
| 315 | void *private; |
| 316 | int err; |
| 317 | |
| 318 | - /* If caller uses non-allowed flag, return error. */ |
| 319 | - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
| 320 | - return -EINVAL; |
| 321 | - |
| 322 | if (sock->state == SS_CONNECTED) |
| 323 | return -EINVAL; |
| 324 | |
| 325 | if (addr_len != sizeof(*sa)) |
| 326 | return -EINVAL; |
| 327 | |
| 328 | + /* If caller uses non-allowed flag, return error. */ |
| 329 | + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
| 330 | + return -EINVAL; |
| 331 | + |
| 332 | sa->salg_type[sizeof(sa->salg_type) - 1] = 0; |
| 333 | sa->salg_name[sizeof(sa->salg_name) - 1] = 0; |
| 334 | |
| 335 | diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c |
| 336 | index e08c09fa5da0..4fe3ec122bf0 100644 |
| 337 | --- a/drivers/ata/libata-core.c |
| 338 | +++ b/drivers/ata/libata-core.c |
| 339 | @@ -4422,6 +4422,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { |
| 340 | ATA_HORKAGE_ZERO_AFTER_TRIM | |
| 341 | ATA_HORKAGE_NOLPM, }, |
| 342 | |
| 343 | + /* Sandisk devices which are known to not handle LPM well */ |
| 344 | + { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, |
| 345 | + |
| 346 | /* devices that don't properly handle queued TRIM commands */ |
| 347 | { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | |
| 348 | ATA_HORKAGE_ZERO_AFTER_TRIM, }, |
| 349 | diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c |
| 350 | index d3dc95484161..81bfeec67b77 100644 |
| 351 | --- a/drivers/atm/zatm.c |
| 352 | +++ b/drivers/atm/zatm.c |
| 353 | @@ -23,6 +23,7 @@ |
| 354 | #include <linux/bitops.h> |
| 355 | #include <linux/wait.h> |
| 356 | #include <linux/slab.h> |
| 357 | +#include <linux/nospec.h> |
| 358 | #include <asm/byteorder.h> |
| 359 | #include <asm/string.h> |
| 360 | #include <asm/io.h> |
| 361 | @@ -1458,6 +1459,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) |
| 362 | return -EFAULT; |
| 363 | if (pool < 0 || pool > ZATM_LAST_POOL) |
| 364 | return -EINVAL; |
| 365 | + pool = array_index_nospec(pool, |
| 366 | + ZATM_LAST_POOL + 1); |
| 367 | spin_lock_irqsave(&zatm_dev->lock, flags); |
| 368 | info = zatm_dev->pool_info[pool]; |
| 369 | if (cmd == ZATM_GETPOOLZ) { |
| 370 | diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c |
| 371 | index f8ba5c714df5..3257647d4f74 100644 |
| 372 | --- a/drivers/bluetooth/btusb.c |
| 373 | +++ b/drivers/bluetooth/btusb.c |
| 374 | @@ -217,6 +217,7 @@ static const struct usb_device_id blacklist_table[] = { |
| 375 | { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, |
| 376 | { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, |
| 377 | { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, |
| 378 | + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, |
| 379 | { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, |
| 380 | { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, |
| 381 | { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, |
| 382 | @@ -249,7 +250,6 @@ static const struct usb_device_id blacklist_table[] = { |
| 383 | { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, |
| 384 | |
| 385 | /* QCA ROME chipset */ |
| 386 | - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, |
| 387 | { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, |
| 388 | { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, |
| 389 | { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, |
| 390 | diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c |
| 391 | index 03a5925a423c..a9daf7121e6e 100644 |
| 392 | --- a/drivers/gpio/gpio-aspeed.c |
| 393 | +++ b/drivers/gpio/gpio-aspeed.c |
| 394 | @@ -256,7 +256,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) |
| 395 | if (set) |
| 396 | reg |= bit; |
| 397 | else |
| 398 | - reg &= bit; |
| 399 | + reg &= ~bit; |
| 400 | iowrite32(reg, addr); |
| 401 | |
| 402 | spin_unlock_irqrestore(&gpio->lock, flags); |
| 403 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c |
| 404 | index 4f54ff45e09e..56b24198741c 100644 |
| 405 | --- a/drivers/gpio/gpiolib.c |
| 406 | +++ b/drivers/gpio/gpiolib.c |
| 407 | @@ -425,7 +425,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
| 408 | struct gpiohandle_request handlereq; |
| 409 | struct linehandle_state *lh; |
| 410 | struct file *file; |
| 411 | - int fd, i, ret; |
| 412 | + int fd, i, count = 0, ret; |
| 413 | |
| 414 | if (copy_from_user(&handlereq, ip, sizeof(handlereq))) |
| 415 | return -EFAULT; |
| 416 | @@ -471,6 +471,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
| 417 | if (ret) |
| 418 | goto out_free_descs; |
| 419 | lh->descs[i] = desc; |
| 420 | + count = i; |
| 421 | |
| 422 | if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) |
| 423 | set_bit(FLAG_ACTIVE_LOW, &desc->flags); |
| 424 | @@ -537,7 +538,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) |
| 425 | out_put_unused_fd: |
| 426 | put_unused_fd(fd); |
| 427 | out_free_descs: |
| 428 | - for (; i >= 0; i--) |
| 429 | + for (i = 0; i < count; i++) |
| 430 | gpiod_free(lh->descs[i]); |
| 431 | kfree(lh->label); |
| 432 | out_free_lh: |
| 433 | @@ -794,7 +795,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) |
| 434 | desc = &gdev->descs[offset]; |
| 435 | ret = gpiod_request(desc, le->label); |
| 436 | if (ret) |
| 437 | - goto out_free_desc; |
| 438 | + goto out_free_label; |
| 439 | le->desc = desc; |
| 440 | le->eflags = eflags; |
| 441 | |
| 442 | diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c |
| 443 | index e1d47d51ea47..3517c0ed984a 100644 |
| 444 | --- a/drivers/gpu/drm/i915/intel_lvds.c |
| 445 | +++ b/drivers/gpu/drm/i915/intel_lvds.c |
| 446 | @@ -321,7 +321,8 @@ static void intel_enable_lvds(struct intel_encoder *encoder, |
| 447 | |
| 448 | I915_WRITE(PP_CONTROL(0), I915_READ(PP_CONTROL(0)) | PANEL_POWER_ON); |
| 449 | POSTING_READ(lvds_encoder->reg); |
| 450 | - if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 1000)) |
| 451 | + |
| 452 | + if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 5000)) |
| 453 | DRM_ERROR("timed out waiting for panel to power on\n"); |
| 454 | |
| 455 | intel_panel_enable_backlight(intel_connector); |
| 456 | diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c |
| 457 | index 881bf489478b..75056553b06c 100644 |
| 458 | --- a/drivers/gpu/drm/vc4/vc4_plane.c |
| 459 | +++ b/drivers/gpu/drm/vc4/vc4_plane.c |
| 460 | @@ -533,7 +533,7 @@ static int vc4_plane_mode_set(struct drm_plane *plane, |
| 461 | * the scl fields here. |
| 462 | */ |
| 463 | if (num_planes == 1) { |
| 464 | - scl0 = vc4_get_scl_field(state, 1); |
| 465 | + scl0 = vc4_get_scl_field(state, 0); |
| 466 | scl1 = scl0; |
| 467 | } else { |
| 468 | scl0 = vc4_get_scl_field(state, 1); |
| 469 | diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c |
| 470 | index 760ef603a468..15f4bdf89fe1 100644 |
| 471 | --- a/drivers/infiniband/core/device.c |
| 472 | +++ b/drivers/infiniband/core/device.c |
| 473 | @@ -999,8 +999,7 @@ static int __init ib_core_init(void) |
| 474 | return -ENOMEM; |
| 475 | |
| 476 | ib_comp_wq = alloc_workqueue("ib-comp-wq", |
| 477 | - WQ_UNBOUND | WQ_HIGHPRI | WQ_MEM_RECLAIM, |
| 478 | - WQ_UNBOUND_MAX_ACTIVE); |
| 479 | + WQ_HIGHPRI | WQ_MEM_RECLAIM | WQ_SYSFS, 0); |
| 480 | if (!ib_comp_wq) { |
| 481 | ret = -ENOMEM; |
| 482 | goto err; |
| 483 | diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c |
| 484 | index c9d61a6dfb7a..3a75352f632b 100644 |
| 485 | --- a/drivers/net/can/usb/kvaser_usb.c |
| 486 | +++ b/drivers/net/can/usb/kvaser_usb.c |
| 487 | @@ -1179,7 +1179,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev, |
| 488 | |
| 489 | skb = alloc_can_skb(priv->netdev, &cf); |
| 490 | if (!skb) { |
| 491 | - stats->tx_dropped++; |
| 492 | + stats->rx_dropped++; |
| 493 | return; |
| 494 | } |
| 495 | |
| 496 | diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c |
| 497 | index ad1186dd6132..a45810b43f70 100644 |
| 498 | --- a/drivers/thermal/samsung/exynos_tmu.c |
| 499 | +++ b/drivers/thermal/samsung/exynos_tmu.c |
| 500 | @@ -185,6 +185,7 @@ |
| 501 | * @regulator: pointer to the TMU regulator structure. |
| 502 | * @reg_conf: pointer to structure to register with core thermal. |
| 503 | * @ntrip: number of supported trip points. |
| 504 | + * @enabled: current status of TMU device |
| 505 | * @tmu_initialize: SoC specific TMU initialization method |
| 506 | * @tmu_control: SoC specific TMU control method |
| 507 | * @tmu_read: SoC specific TMU temperature read method |
| 508 | @@ -205,6 +206,7 @@ struct exynos_tmu_data { |
| 509 | struct regulator *regulator; |
| 510 | struct thermal_zone_device *tzd; |
| 511 | unsigned int ntrip; |
| 512 | + bool enabled; |
| 513 | |
| 514 | int (*tmu_initialize)(struct platform_device *pdev); |
| 515 | void (*tmu_control)(struct platform_device *pdev, bool on); |
| 516 | @@ -398,6 +400,7 @@ static void exynos_tmu_control(struct platform_device *pdev, bool on) |
| 517 | mutex_lock(&data->lock); |
| 518 | clk_enable(data->clk); |
| 519 | data->tmu_control(pdev, on); |
| 520 | + data->enabled = on; |
| 521 | clk_disable(data->clk); |
| 522 | mutex_unlock(&data->lock); |
| 523 | } |
| 524 | @@ -889,19 +892,24 @@ static void exynos7_tmu_control(struct platform_device *pdev, bool on) |
| 525 | static int exynos_get_temp(void *p, int *temp) |
| 526 | { |
| 527 | struct exynos_tmu_data *data = p; |
| 528 | + int value, ret = 0; |
| 529 | |
| 530 | - if (!data || !data->tmu_read) |
| 531 | + if (!data || !data->tmu_read || !data->enabled) |
| 532 | return -EINVAL; |
| 533 | |
| 534 | mutex_lock(&data->lock); |
| 535 | clk_enable(data->clk); |
| 536 | |
| 537 | - *temp = code_to_temp(data, data->tmu_read(data)) * MCELSIUS; |
| 538 | + value = data->tmu_read(data); |
| 539 | + if (value < 0) |
| 540 | + ret = value; |
| 541 | + else |
| 542 | + *temp = code_to_temp(data, value) * MCELSIUS; |
| 543 | |
| 544 | clk_disable(data->clk); |
| 545 | mutex_unlock(&data->lock); |
| 546 | |
| 547 | - return 0; |
| 548 | + return ret; |
| 549 | } |
| 550 | |
| 551 | #ifdef CONFIG_THERMAL_EMULATION |
| 552 | diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c |
| 553 | index 99432b59c5cb..ae354ac67da1 100644 |
| 554 | --- a/fs/f2fs/data.c |
| 555 | +++ b/fs/f2fs/data.c |
| 556 | @@ -844,7 +844,7 @@ static int __get_data_block(struct inode *inode, sector_t iblock, |
| 557 | if (!ret) { |
| 558 | map_bh(bh, inode->i_sb, map.m_pblk); |
| 559 | bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags; |
| 560 | - bh->b_size = map.m_len << inode->i_blkbits; |
| 561 | + bh->b_size = (u64)map.m_len << inode->i_blkbits; |
| 562 | } |
| 563 | return ret; |
| 564 | } |
| 565 | diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c |
| 566 | index 3d8b35f28a9b..f3aea1b8702c 100644 |
| 567 | --- a/fs/fs-writeback.c |
| 568 | +++ b/fs/fs-writeback.c |
| 569 | @@ -1942,7 +1942,7 @@ void wb_workfn(struct work_struct *work) |
| 570 | } |
| 571 | |
| 572 | if (!list_empty(&wb->work_list)) |
| 573 | - mod_delayed_work(bdi_wq, &wb->dwork, 0); |
| 574 | + wb_wakeup(wb); |
| 575 | else if (wb_has_dirty_io(wb) && dirty_writeback_interval) |
| 576 | wb_wakeup_delayed(wb); |
| 577 | |
| 578 | diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h |
| 579 | index c9b3eb70f340..567017b5fc9e 100644 |
| 580 | --- a/include/net/inet_timewait_sock.h |
| 581 | +++ b/include/net/inet_timewait_sock.h |
| 582 | @@ -55,6 +55,7 @@ struct inet_timewait_sock { |
| 583 | #define tw_family __tw_common.skc_family |
| 584 | #define tw_state __tw_common.skc_state |
| 585 | #define tw_reuse __tw_common.skc_reuse |
| 586 | +#define tw_reuseport __tw_common.skc_reuseport |
| 587 | #define tw_ipv6only __tw_common.skc_ipv6only |
| 588 | #define tw_bound_dev_if __tw_common.skc_bound_dev_if |
| 589 | #define tw_node __tw_common.skc_nulls_node |
| 590 | diff --git a/include/net/nexthop.h b/include/net/nexthop.h |
| 591 | index 3334dbfa5aa4..7fc78663ec9d 100644 |
| 592 | --- a/include/net/nexthop.h |
| 593 | +++ b/include/net/nexthop.h |
| 594 | @@ -6,7 +6,7 @@ |
| 595 | |
| 596 | static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) |
| 597 | { |
| 598 | - return remaining >= sizeof(*rtnh) && |
| 599 | + return remaining >= (int)sizeof(*rtnh) && |
| 600 | rtnh->rtnh_len >= sizeof(*rtnh) && |
| 601 | rtnh->rtnh_len <= remaining; |
| 602 | } |
| 603 | diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c |
| 604 | index 04988d6466bf..c265f1c3ae50 100644 |
| 605 | --- a/kernel/events/callchain.c |
| 606 | +++ b/kernel/events/callchain.c |
| 607 | @@ -129,14 +129,8 @@ int get_callchain_buffers(int event_max_stack) |
| 608 | goto exit; |
| 609 | } |
| 610 | |
| 611 | - if (count > 1) { |
| 612 | - /* If the allocation failed, give up */ |
| 613 | - if (!callchain_cpus_entries) |
| 614 | - err = -ENOMEM; |
| 615 | - goto exit; |
| 616 | - } |
| 617 | - |
| 618 | - err = alloc_callchain_buffers(); |
| 619 | + if (count == 1) |
| 620 | + err = alloc_callchain_buffers(); |
| 621 | exit: |
| 622 | if (err) |
| 623 | atomic_dec(&nr_callchain_events); |
| 624 | diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c |
| 625 | index 257fa460b846..017f7933a37d 100644 |
| 626 | --- a/kernel/events/ring_buffer.c |
| 627 | +++ b/kernel/events/ring_buffer.c |
| 628 | @@ -14,6 +14,7 @@ |
| 629 | #include <linux/slab.h> |
| 630 | #include <linux/circ_buf.h> |
| 631 | #include <linux/poll.h> |
| 632 | +#include <linux/nospec.h> |
| 633 | |
| 634 | #include "internal.h" |
| 635 | |
| 636 | @@ -844,8 +845,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff) |
| 637 | return NULL; |
| 638 | |
| 639 | /* AUX space */ |
| 640 | - if (pgoff >= rb->aux_pgoff) |
| 641 | - return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); |
| 642 | + if (pgoff >= rb->aux_pgoff) { |
| 643 | + int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); |
| 644 | + return virt_to_page(rb->aux_pages[aux_pgoff]); |
| 645 | + } |
| 646 | } |
| 647 | |
| 648 | return __perf_mmap_to_page(rb, pgoff); |
| 649 | diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c |
| 650 | index 0193f58c45f0..e35a411bea4b 100644 |
| 651 | --- a/kernel/trace/trace_events_filter.c |
| 652 | +++ b/kernel/trace/trace_events_filter.c |
| 653 | @@ -322,6 +322,9 @@ static int regex_match_full(char *str, struct regex *r, int len) |
| 654 | |
| 655 | static int regex_match_front(char *str, struct regex *r, int len) |
| 656 | { |
| 657 | + if (len < r->len) |
| 658 | + return 0; |
| 659 | + |
| 660 | if (strncmp(str, r->pattern, r->len) == 0) |
| 661 | return 1; |
| 662 | return 0; |
| 663 | diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c |
| 664 | index 0913693caf6e..788262984818 100644 |
| 665 | --- a/kernel/trace/trace_uprobe.c |
| 666 | +++ b/kernel/trace/trace_uprobe.c |
| 667 | @@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, |
| 668 | return; |
| 669 | |
| 670 | ret = strncpy_from_user(dst, src, maxlen); |
| 671 | + if (ret == maxlen) |
| 672 | + dst[--ret] = '\0'; |
| 673 | |
| 674 | if (ret < 0) { /* Failed to fetch string */ |
| 675 | ((u8 *)get_rloc_data(dest))[0] = '\0'; |
| 676 | diff --git a/net/atm/lec.c b/net/atm/lec.c |
| 677 | index 5d2693826afb..1e84c5226c84 100644 |
| 678 | --- a/net/atm/lec.c |
| 679 | +++ b/net/atm/lec.c |
| 680 | @@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 }; |
| 681 | #include <linux/module.h> |
| 682 | #include <linux/init.h> |
| 683 | |
| 684 | +/* Hardening for Spectre-v1 */ |
| 685 | +#include <linux/nospec.h> |
| 686 | + |
| 687 | #include "lec.h" |
| 688 | #include "lec_arpc.h" |
| 689 | #include "resources.h" |
| 690 | @@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) |
| 691 | bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); |
| 692 | if (bytes_left != 0) |
| 693 | pr_info("copy from user failed for %d bytes\n", bytes_left); |
| 694 | - if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || |
| 695 | - !dev_lec[ioc_data.dev_num]) |
| 696 | + if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) |
| 697 | + return -EINVAL; |
| 698 | + ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); |
| 699 | + if (!dev_lec[ioc_data.dev_num]) |
| 700 | return -EINVAL; |
| 701 | vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); |
| 702 | if (!vpriv) |
| 703 | diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c |
| 704 | index c0548d268e1a..e3e6a3e2ca22 100644 |
| 705 | --- a/net/core/dev_addr_lists.c |
| 706 | +++ b/net/core/dev_addr_lists.c |
| 707 | @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, |
| 708 | return -EINVAL; |
| 709 | |
| 710 | list_for_each_entry(ha, &list->list, list) { |
| 711 | - if (!memcmp(ha->addr, addr, addr_len) && |
| 712 | - ha->type == addr_type) { |
| 713 | + if (ha->type == addr_type && |
| 714 | + !memcmp(ha->addr, addr, addr_len)) { |
| 715 | if (global) { |
| 716 | /* check if addr is already used as global */ |
| 717 | if (ha->global_use) |
| 718 | diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
| 719 | index fb422dfec848..a40ccc184b83 100644 |
| 720 | --- a/net/core/skbuff.c |
| 721 | +++ b/net/core/skbuff.c |
| 722 | @@ -903,6 +903,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) |
| 723 | n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; |
| 724 | n->cloned = 1; |
| 725 | n->nohdr = 0; |
| 726 | + n->peeked = 0; |
| 727 | n->destructor = NULL; |
| 728 | C(tail); |
| 729 | C(end); |
| 730 | diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c |
| 731 | index 8c7799cdd3cf..6697b180e122 100644 |
| 732 | --- a/net/dccp/ipv4.c |
| 733 | +++ b/net/dccp/ipv4.c |
| 734 | @@ -620,6 +620,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) |
| 735 | ireq = inet_rsk(req); |
| 736 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); |
| 737 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); |
| 738 | + ireq->ir_mark = inet_request_mark(sk, skb); |
| 739 | ireq->ireq_family = AF_INET; |
| 740 | ireq->ir_iif = sk->sk_bound_dev_if; |
| 741 | |
| 742 | diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c |
| 743 | index 28e8252cc5ea..6cbcf399d22b 100644 |
| 744 | --- a/net/dccp/ipv6.c |
| 745 | +++ b/net/dccp/ipv6.c |
| 746 | @@ -349,6 +349,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) |
| 747 | ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; |
| 748 | ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; |
| 749 | ireq->ireq_family = AF_INET6; |
| 750 | + ireq->ir_mark = inet_request_mark(sk, skb); |
| 751 | |
| 752 | if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || |
| 753 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || |
| 754 | diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c |
| 755 | index ddcd56c08d14..a6b34ac3139e 100644 |
| 756 | --- a/net/ipv4/inet_timewait_sock.c |
| 757 | +++ b/net/ipv4/inet_timewait_sock.c |
| 758 | @@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, |
| 759 | tw->tw_dport = inet->inet_dport; |
| 760 | tw->tw_family = sk->sk_family; |
| 761 | tw->tw_reuse = sk->sk_reuse; |
| 762 | + tw->tw_reuseport = sk->sk_reuseport; |
| 763 | tw->tw_hash = sk->sk_hash; |
| 764 | tw->tw_ipv6only = 0; |
| 765 | tw->tw_transparent = inet->transparent; |
| 766 | diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
| 767 | index 0fc5dad02fe8..6f501c9deaae 100644 |
| 768 | --- a/net/ipv4/tcp.c |
| 769 | +++ b/net/ipv4/tcp.c |
| 770 | @@ -2523,7 +2523,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, |
| 771 | case TCP_REPAIR_QUEUE: |
| 772 | if (!tp->repair) |
| 773 | err = -EPERM; |
| 774 | - else if (val < TCP_QUEUES_NR) |
| 775 | + else if ((unsigned int)val < TCP_QUEUES_NR) |
| 776 | tp->repair_queue = val; |
| 777 | else |
| 778 | err = -EINVAL; |
| 779 | diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c |
| 780 | index 63e6d08388ab..cc306defcc19 100644 |
| 781 | --- a/net/kcm/kcmsock.c |
| 782 | +++ b/net/kcm/kcmsock.c |
| 783 | @@ -1424,6 +1424,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock, |
| 784 | */ |
| 785 | if (csk->sk_user_data) { |
| 786 | write_unlock_bh(&csk->sk_callback_lock); |
| 787 | + strp_stop(&psock->strp); |
| 788 | strp_done(&psock->strp); |
| 789 | kmem_cache_free(kcm_psockp, psock); |
| 790 | err = -EALREADY; |
| 791 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c |
| 792 | index 74d119512d96..c5f2350a2b50 100644 |
| 793 | --- a/net/netfilter/ipvs/ip_vs_ctl.c |
| 794 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c |
| 795 | @@ -2393,11 +2393,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) |
| 796 | strlcpy(cfg.mcast_ifn, dm->mcast_ifn, |
| 797 | sizeof(cfg.mcast_ifn)); |
| 798 | cfg.syncid = dm->syncid; |
| 799 | - rtnl_lock(); |
| 800 | - mutex_lock(&ipvs->sync_mutex); |
| 801 | ret = start_sync_thread(ipvs, &cfg, dm->state); |
| 802 | - mutex_unlock(&ipvs->sync_mutex); |
| 803 | - rtnl_unlock(); |
| 804 | } else { |
| 805 | mutex_lock(&ipvs->sync_mutex); |
| 806 | ret = stop_sync_thread(ipvs, dm->state); |
| 807 | @@ -3495,12 +3491,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) |
| 808 | if (ipvs->mixed_address_family_dests > 0) |
| 809 | return -EINVAL; |
| 810 | |
| 811 | - rtnl_lock(); |
| 812 | - mutex_lock(&ipvs->sync_mutex); |
| 813 | ret = start_sync_thread(ipvs, &c, |
| 814 | nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); |
| 815 | - mutex_unlock(&ipvs->sync_mutex); |
| 816 | - rtnl_unlock(); |
| 817 | return ret; |
| 818 | } |
| 819 | |
| 820 | diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c |
| 821 | index 9350530c16c1..5fbf4b232592 100644 |
| 822 | --- a/net/netfilter/ipvs/ip_vs_sync.c |
| 823 | +++ b/net/netfilter/ipvs/ip_vs_sync.c |
| 824 | @@ -48,6 +48,7 @@ |
| 825 | #include <linux/kthread.h> |
| 826 | #include <linux/wait.h> |
| 827 | #include <linux/kernel.h> |
| 828 | +#include <linux/sched.h> |
| 829 | |
| 830 | #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */ |
| 831 | |
| 832 | @@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val) |
| 833 | /* |
| 834 | * Specifiy default interface for outgoing multicasts |
| 835 | */ |
| 836 | -static int set_mcast_if(struct sock *sk, char *ifname) |
| 837 | +static int set_mcast_if(struct sock *sk, struct net_device *dev) |
| 838 | { |
| 839 | - struct net_device *dev; |
| 840 | struct inet_sock *inet = inet_sk(sk); |
| 841 | - struct net *net = sock_net(sk); |
| 842 | - |
| 843 | - dev = __dev_get_by_name(net, ifname); |
| 844 | - if (!dev) |
| 845 | - return -ENODEV; |
| 846 | |
| 847 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
| 848 | return -EINVAL; |
| 849 | @@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname) |
| 850 | * in the in_addr structure passed in as a parameter. |
| 851 | */ |
| 852 | static int |
| 853 | -join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) |
| 854 | +join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev) |
| 855 | { |
| 856 | - struct net *net = sock_net(sk); |
| 857 | struct ip_mreqn mreq; |
| 858 | - struct net_device *dev; |
| 859 | int ret; |
| 860 | |
| 861 | memset(&mreq, 0, sizeof(mreq)); |
| 862 | memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr)); |
| 863 | |
| 864 | - dev = __dev_get_by_name(net, ifname); |
| 865 | - if (!dev) |
| 866 | - return -ENODEV; |
| 867 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
| 868 | return -EINVAL; |
| 869 | |
| 870 | @@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) |
| 871 | |
| 872 | #ifdef CONFIG_IP_VS_IPV6 |
| 873 | static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, |
| 874 | - char *ifname) |
| 875 | + struct net_device *dev) |
| 876 | { |
| 877 | - struct net *net = sock_net(sk); |
| 878 | - struct net_device *dev; |
| 879 | int ret; |
| 880 | |
| 881 | - dev = __dev_get_by_name(net, ifname); |
| 882 | - if (!dev) |
| 883 | - return -ENODEV; |
| 884 | if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) |
| 885 | return -EINVAL; |
| 886 | |
| 887 | @@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, |
| 888 | } |
| 889 | #endif |
| 890 | |
| 891 | -static int bind_mcastif_addr(struct socket *sock, char *ifname) |
| 892 | +static int bind_mcastif_addr(struct socket *sock, struct net_device *dev) |
| 893 | { |
| 894 | - struct net *net = sock_net(sock->sk); |
| 895 | - struct net_device *dev; |
| 896 | __be32 addr; |
| 897 | struct sockaddr_in sin; |
| 898 | |
| 899 | - dev = __dev_get_by_name(net, ifname); |
| 900 | - if (!dev) |
| 901 | - return -ENODEV; |
| 902 | - |
| 903 | addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE); |
| 904 | if (!addr) |
| 905 | pr_err("You probably need to specify IP address on " |
| 906 | "multicast interface.\n"); |
| 907 | |
| 908 | IP_VS_DBG(7, "binding socket with (%s) %pI4\n", |
| 909 | - ifname, &addr); |
| 910 | + dev->name, &addr); |
| 911 | |
| 912 | /* Now bind the socket with the address of multicast interface */ |
| 913 | sin.sin_family = AF_INET; |
| 914 | @@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen, |
| 915 | /* |
| 916 | * Set up sending multicast socket over UDP |
| 917 | */ |
| 918 | -static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
| 919 | +static int make_send_sock(struct netns_ipvs *ipvs, int id, |
| 920 | + struct net_device *dev, struct socket **sock_ret) |
| 921 | { |
| 922 | /* multicast addr */ |
| 923 | union ipvs_sockaddr mcast_addr; |
| 924 | @@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
| 925 | IPPROTO_UDP, &sock); |
| 926 | if (result < 0) { |
| 927 | pr_err("Error during creation of socket; terminating\n"); |
| 928 | - return ERR_PTR(result); |
| 929 | + goto error; |
| 930 | } |
| 931 | - result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn); |
| 932 | + *sock_ret = sock; |
| 933 | + result = set_mcast_if(sock->sk, dev); |
| 934 | if (result < 0) { |
| 935 | pr_err("Error setting outbound mcast interface\n"); |
| 936 | goto error; |
| 937 | @@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
| 938 | set_sock_size(sock->sk, 1, result); |
| 939 | |
| 940 | if (AF_INET == ipvs->mcfg.mcast_af) |
| 941 | - result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn); |
| 942 | + result = bind_mcastif_addr(sock, dev); |
| 943 | else |
| 944 | result = 0; |
| 945 | if (result < 0) { |
| 946 | @@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) |
| 947 | goto error; |
| 948 | } |
| 949 | |
| 950 | - return sock; |
| 951 | + return 0; |
| 952 | |
| 953 | error: |
| 954 | - sock_release(sock); |
| 955 | - return ERR_PTR(result); |
| 956 | + return result; |
| 957 | } |
| 958 | |
| 959 | |
| 960 | /* |
| 961 | * Set up receiving multicast socket over UDP |
| 962 | */ |
| 963 | -static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
| 964 | - int ifindex) |
| 965 | +static int make_receive_sock(struct netns_ipvs *ipvs, int id, |
| 966 | + struct net_device *dev, struct socket **sock_ret) |
| 967 | { |
| 968 | /* multicast addr */ |
| 969 | union ipvs_sockaddr mcast_addr; |
| 970 | @@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
| 971 | IPPROTO_UDP, &sock); |
| 972 | if (result < 0) { |
| 973 | pr_err("Error during creation of socket; terminating\n"); |
| 974 | - return ERR_PTR(result); |
| 975 | + goto error; |
| 976 | } |
| 977 | + *sock_ret = sock; |
| 978 | /* it is equivalent to the REUSEADDR option in user-space */ |
| 979 | sock->sk->sk_reuse = SK_CAN_REUSE; |
| 980 | result = sysctl_sync_sock_size(ipvs); |
| 981 | @@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
| 982 | set_sock_size(sock->sk, 0, result); |
| 983 | |
| 984 | get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id); |
| 985 | - sock->sk->sk_bound_dev_if = ifindex; |
| 986 | + sock->sk->sk_bound_dev_if = dev->ifindex; |
| 987 | result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen); |
| 988 | if (result < 0) { |
| 989 | pr_err("Error binding to the multicast addr\n"); |
| 990 | @@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, |
| 991 | #ifdef CONFIG_IP_VS_IPV6 |
| 992 | if (ipvs->bcfg.mcast_af == AF_INET6) |
| 993 | result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr, |
| 994 | - ipvs->bcfg.mcast_ifn); |
| 995 | + dev); |
| 996 | else |
| 997 | #endif |
| 998 | result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr, |
| 999 | - ipvs->bcfg.mcast_ifn); |
| 1000 | + dev); |
| 1001 | if (result < 0) { |
| 1002 | pr_err("Error joining to the multicast group\n"); |
| 1003 | goto error; |
| 1004 | } |
| 1005 | |
| 1006 | - return sock; |
| 1007 | + return 0; |
| 1008 | |
| 1009 | error: |
| 1010 | - sock_release(sock); |
| 1011 | - return ERR_PTR(result); |
| 1012 | + return result; |
| 1013 | } |
| 1014 | |
| 1015 | |
| 1016 | @@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data) |
| 1017 | int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1018 | int state) |
| 1019 | { |
| 1020 | - struct ip_vs_sync_thread_data *tinfo; |
| 1021 | + struct ip_vs_sync_thread_data *tinfo = NULL; |
| 1022 | struct task_struct **array = NULL, *task; |
| 1023 | - struct socket *sock; |
| 1024 | struct net_device *dev; |
| 1025 | char *name; |
| 1026 | int (*threadfn)(void *data); |
| 1027 | - int id, count, hlen; |
| 1028 | + int id = 0, count, hlen; |
| 1029 | int result = -ENOMEM; |
| 1030 | u16 mtu, min_mtu; |
| 1031 | |
| 1032 | @@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1033 | IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n", |
| 1034 | sizeof(struct ip_vs_sync_conn_v0)); |
| 1035 | |
| 1036 | + /* Do not hold one mutex and then to block on another */ |
| 1037 | + for (;;) { |
| 1038 | + rtnl_lock(); |
| 1039 | + if (mutex_trylock(&ipvs->sync_mutex)) |
| 1040 | + break; |
| 1041 | + rtnl_unlock(); |
| 1042 | + mutex_lock(&ipvs->sync_mutex); |
| 1043 | + if (rtnl_trylock()) |
| 1044 | + break; |
| 1045 | + mutex_unlock(&ipvs->sync_mutex); |
| 1046 | + } |
| 1047 | + |
| 1048 | if (!ipvs->sync_state) { |
| 1049 | count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX); |
| 1050 | ipvs->threads_mask = count - 1; |
| 1051 | @@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1052 | dev = __dev_get_by_name(ipvs->net, c->mcast_ifn); |
| 1053 | if (!dev) { |
| 1054 | pr_err("Unknown mcast interface: %s\n", c->mcast_ifn); |
| 1055 | - return -ENODEV; |
| 1056 | + result = -ENODEV; |
| 1057 | + goto out_early; |
| 1058 | } |
| 1059 | hlen = (AF_INET6 == c->mcast_af) ? |
| 1060 | sizeof(struct ipv6hdr) + sizeof(struct udphdr) : |
| 1061 | @@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1062 | c->sync_maxlen = mtu - hlen; |
| 1063 | |
| 1064 | if (state == IP_VS_STATE_MASTER) { |
| 1065 | + result = -EEXIST; |
| 1066 | if (ipvs->ms) |
| 1067 | - return -EEXIST; |
| 1068 | + goto out_early; |
| 1069 | |
| 1070 | ipvs->mcfg = *c; |
| 1071 | name = "ipvs-m:%d:%d"; |
| 1072 | threadfn = sync_thread_master; |
| 1073 | } else if (state == IP_VS_STATE_BACKUP) { |
| 1074 | + result = -EEXIST; |
| 1075 | if (ipvs->backup_threads) |
| 1076 | - return -EEXIST; |
| 1077 | + goto out_early; |
| 1078 | |
| 1079 | ipvs->bcfg = *c; |
| 1080 | name = "ipvs-b:%d:%d"; |
| 1081 | threadfn = sync_thread_backup; |
| 1082 | } else { |
| 1083 | - return -EINVAL; |
| 1084 | + result = -EINVAL; |
| 1085 | + goto out_early; |
| 1086 | } |
| 1087 | |
| 1088 | if (state == IP_VS_STATE_MASTER) { |
| 1089 | struct ipvs_master_sync_state *ms; |
| 1090 | |
| 1091 | + result = -ENOMEM; |
| 1092 | ipvs->ms = kzalloc(count * sizeof(ipvs->ms[0]), GFP_KERNEL); |
| 1093 | if (!ipvs->ms) |
| 1094 | goto out; |
| 1095 | @@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1096 | } else { |
| 1097 | array = kzalloc(count * sizeof(struct task_struct *), |
| 1098 | GFP_KERNEL); |
| 1099 | + result = -ENOMEM; |
| 1100 | if (!array) |
| 1101 | goto out; |
| 1102 | } |
| 1103 | |
| 1104 | - tinfo = NULL; |
| 1105 | for (id = 0; id < count; id++) { |
| 1106 | - if (state == IP_VS_STATE_MASTER) |
| 1107 | - sock = make_send_sock(ipvs, id); |
| 1108 | - else |
| 1109 | - sock = make_receive_sock(ipvs, id, dev->ifindex); |
| 1110 | - if (IS_ERR(sock)) { |
| 1111 | - result = PTR_ERR(sock); |
| 1112 | - goto outtinfo; |
| 1113 | - } |
| 1114 | + result = -ENOMEM; |
| 1115 | tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); |
| 1116 | if (!tinfo) |
| 1117 | - goto outsocket; |
| 1118 | + goto out; |
| 1119 | tinfo->ipvs = ipvs; |
| 1120 | - tinfo->sock = sock; |
| 1121 | + tinfo->sock = NULL; |
| 1122 | if (state == IP_VS_STATE_BACKUP) { |
| 1123 | tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, |
| 1124 | GFP_KERNEL); |
| 1125 | if (!tinfo->buf) |
| 1126 | - goto outtinfo; |
| 1127 | + goto out; |
| 1128 | } else { |
| 1129 | tinfo->buf = NULL; |
| 1130 | } |
| 1131 | tinfo->id = id; |
| 1132 | + if (state == IP_VS_STATE_MASTER) |
| 1133 | + result = make_send_sock(ipvs, id, dev, &tinfo->sock); |
| 1134 | + else |
| 1135 | + result = make_receive_sock(ipvs, id, dev, &tinfo->sock); |
| 1136 | + if (result < 0) |
| 1137 | + goto out; |
| 1138 | |
| 1139 | task = kthread_run(threadfn, tinfo, name, ipvs->gen, id); |
| 1140 | if (IS_ERR(task)) { |
| 1141 | result = PTR_ERR(task); |
| 1142 | - goto outtinfo; |
| 1143 | + goto out; |
| 1144 | } |
| 1145 | tinfo = NULL; |
| 1146 | if (state == IP_VS_STATE_MASTER) |
| 1147 | @@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1148 | ipvs->sync_state |= state; |
| 1149 | spin_unlock_bh(&ipvs->sync_buff_lock); |
| 1150 | |
| 1151 | + mutex_unlock(&ipvs->sync_mutex); |
| 1152 | + rtnl_unlock(); |
| 1153 | + |
| 1154 | /* increase the module use count */ |
| 1155 | ip_vs_use_count_inc(); |
| 1156 | |
| 1157 | return 0; |
| 1158 | |
| 1159 | -outsocket: |
| 1160 | - sock_release(sock); |
| 1161 | - |
| 1162 | -outtinfo: |
| 1163 | - if (tinfo) { |
| 1164 | - sock_release(tinfo->sock); |
| 1165 | - kfree(tinfo->buf); |
| 1166 | - kfree(tinfo); |
| 1167 | - } |
| 1168 | +out: |
| 1169 | + /* We do not need RTNL lock anymore, release it here so that |
| 1170 | + * sock_release below and in the kthreads can use rtnl_lock |
| 1171 | + * to leave the mcast group. |
| 1172 | + */ |
| 1173 | + rtnl_unlock(); |
| 1174 | count = id; |
| 1175 | while (count-- > 0) { |
| 1176 | if (state == IP_VS_STATE_MASTER) |
| 1177 | @@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, |
| 1178 | else |
| 1179 | kthread_stop(array[count]); |
| 1180 | } |
| 1181 | - kfree(array); |
| 1182 | - |
| 1183 | -out: |
| 1184 | if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { |
| 1185 | kfree(ipvs->ms); |
| 1186 | ipvs->ms = NULL; |
| 1187 | } |
| 1188 | + mutex_unlock(&ipvs->sync_mutex); |
| 1189 | + if (tinfo) { |
| 1190 | + if (tinfo->sock) |
| 1191 | + sock_release(tinfo->sock); |
| 1192 | + kfree(tinfo->buf); |
| 1193 | + kfree(tinfo); |
| 1194 | + } |
| 1195 | + kfree(array); |
| 1196 | + return result; |
| 1197 | + |
| 1198 | +out_early: |
| 1199 | + mutex_unlock(&ipvs->sync_mutex); |
| 1200 | + rtnl_unlock(); |
| 1201 | return result; |
| 1202 | } |
| 1203 | |
| 1204 | diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c |
| 1205 | index 1e97b8d9a159..15e6e7b9fd2b 100644 |
| 1206 | --- a/net/netlink/af_netlink.c |
| 1207 | +++ b/net/netlink/af_netlink.c |
| 1208 | @@ -1795,6 +1795,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) |
| 1209 | |
| 1210 | if (msg->msg_namelen) { |
| 1211 | err = -EINVAL; |
| 1212 | + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) |
| 1213 | + goto out; |
| 1214 | if (addr->nl_family != AF_NETLINK) |
| 1215 | goto out; |
| 1216 | dst_portid = addr->nl_pid; |
| 1217 | diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c |
| 1218 | index 76c01cbd56e3..d6d8b34c5f22 100644 |
| 1219 | --- a/net/rfkill/rfkill-gpio.c |
| 1220 | +++ b/net/rfkill/rfkill-gpio.c |
| 1221 | @@ -138,13 +138,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev) |
| 1222 | |
| 1223 | ret = rfkill_register(rfkill->rfkill_dev); |
| 1224 | if (ret < 0) |
| 1225 | - return ret; |
| 1226 | + goto err_destroy; |
| 1227 | |
| 1228 | platform_set_drvdata(pdev, rfkill); |
| 1229 | |
| 1230 | dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); |
| 1231 | |
| 1232 | return 0; |
| 1233 | + |
| 1234 | +err_destroy: |
| 1235 | + rfkill_destroy(rfkill->rfkill_dev); |
| 1236 | + |
| 1237 | + return ret; |
| 1238 | } |
| 1239 | |
| 1240 | static int rfkill_gpio_remove(struct platform_device *pdev) |