Contents of /trunk/kernel-alx/patches-4.9/0251-4.9.152-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3304 -
(show annotations)
(download)
Tue Mar 12 10:43:11 2019 UTC (5 years, 1 month ago) by niro
File size: 50373 byte(s)
Tue Mar 12 10:43:11 2019 UTC (5 years, 1 month ago) by niro
File size: 50373 byte(s)
-linux-4.9.152
| 1 | diff --git a/Makefile b/Makefile |
| 2 | index f1aeb98f9ace..27a9292fc0ed 100644 |
| 3 | --- a/Makefile |
| 4 | +++ b/Makefile |
| 5 | @@ -1,6 +1,6 @@ |
| 6 | VERSION = 4 |
| 7 | PATCHLEVEL = 9 |
| 8 | -SUBLEVEL = 151 |
| 9 | +SUBLEVEL = 152 |
| 10 | EXTRAVERSION = |
| 11 | NAME = Roaring Lionus |
| 12 | |
| 13 | diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h |
| 14 | index 68dedca5a47e..a11c8c2915c9 100644 |
| 15 | --- a/arch/arm64/include/asm/kvm_arm.h |
| 16 | +++ b/arch/arm64/include/asm/kvm_arm.h |
| 17 | @@ -23,6 +23,8 @@ |
| 18 | #include <asm/types.h> |
| 19 | |
| 20 | /* Hyp Configuration Register (HCR) bits */ |
| 21 | +#define HCR_API (UL(1) << 41) |
| 22 | +#define HCR_APK (UL(1) << 40) |
| 23 | #define HCR_E2H (UL(1) << 34) |
| 24 | #define HCR_ID (UL(1) << 33) |
| 25 | #define HCR_CD (UL(1) << 32) |
| 26 | @@ -82,6 +84,7 @@ |
| 27 | HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW) |
| 28 | #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF) |
| 29 | #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO) |
| 30 | +#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK) |
| 31 | #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) |
| 32 | |
| 33 | /* TCR_EL2 Registers bits */ |
| 34 | diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S |
| 35 | index fa52817d84c5..3289d1458791 100644 |
| 36 | --- a/arch/arm64/kernel/head.S |
| 37 | +++ b/arch/arm64/kernel/head.S |
| 38 | @@ -517,10 +517,9 @@ CPU_LE( bic x0, x0, #(3 << 24) ) // Clear the EE and E0E bits for EL1 |
| 39 | #endif |
| 40 | |
| 41 | /* Hyp configuration. */ |
| 42 | - mov x0, #HCR_RW // 64-bit EL1 |
| 43 | + mov_q x0, HCR_HOST_NVHE_FLAGS |
| 44 | cbz x2, set_hcr |
| 45 | - orr x0, x0, #HCR_TGE // Enable Host Extensions |
| 46 | - orr x0, x0, #HCR_E2H |
| 47 | + mov_q x0, HCR_HOST_VHE_FLAGS |
| 48 | set_hcr: |
| 49 | msr hcr_el2, x0 |
| 50 | isb |
| 51 | diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c |
| 52 | index d7e90d97f5c4..2a21318fed1d 100644 |
| 53 | --- a/arch/arm64/kernel/kaslr.c |
| 54 | +++ b/arch/arm64/kernel/kaslr.c |
| 55 | @@ -14,6 +14,7 @@ |
| 56 | #include <linux/sched.h> |
| 57 | #include <linux/types.h> |
| 58 | |
| 59 | +#include <asm/cacheflush.h> |
| 60 | #include <asm/fixmap.h> |
| 61 | #include <asm/kernel-pgtable.h> |
| 62 | #include <asm/memory.h> |
| 63 | @@ -43,7 +44,7 @@ static __init u64 get_kaslr_seed(void *fdt) |
| 64 | return ret; |
| 65 | } |
| 66 | |
| 67 | -static __init const u8 *get_cmdline(void *fdt) |
| 68 | +static __init const u8 *kaslr_get_cmdline(void *fdt) |
| 69 | { |
| 70 | static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE; |
| 71 | |
| 72 | @@ -109,7 +110,7 @@ u64 __init kaslr_early_init(u64 dt_phys, u64 modulo_offset) |
| 73 | * Check if 'nokaslr' appears on the command line, and |
| 74 | * return 0 if that is the case. |
| 75 | */ |
| 76 | - cmdline = get_cmdline(fdt); |
| 77 | + cmdline = kaslr_get_cmdline(fdt); |
| 78 | str = strstr(cmdline, "nokaslr"); |
| 79 | if (str == cmdline || (str > cmdline && *(str - 1) == ' ')) |
| 80 | return 0; |
| 81 | @@ -178,5 +179,8 @@ u64 __init kaslr_early_init(u64 dt_phys, u64 modulo_offset) |
| 82 | module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21; |
| 83 | module_alloc_base &= PAGE_MASK; |
| 84 | |
| 85 | + __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base)); |
| 86 | + __flush_dcache_area(&memstart_offset_seed, sizeof(memstart_offset_seed)); |
| 87 | + |
| 88 | return offset; |
| 89 | } |
| 90 | diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c |
| 91 | index 12f9d1ecdf4c..115b0955715f 100644 |
| 92 | --- a/arch/arm64/kvm/hyp/switch.c |
| 93 | +++ b/arch/arm64/kvm/hyp/switch.c |
| 94 | @@ -112,7 +112,7 @@ static void __hyp_text __deactivate_traps_vhe(void) |
| 95 | |
| 96 | static void __hyp_text __deactivate_traps_nvhe(void) |
| 97 | { |
| 98 | - write_sysreg(HCR_RW, hcr_el2); |
| 99 | + write_sysreg(HCR_HOST_NVHE_FLAGS, hcr_el2); |
| 100 | write_sysreg(CPTR_EL2_DEFAULT, cptr_el2); |
| 101 | } |
| 102 | |
| 103 | diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig |
| 104 | index 34fbbf8fdeaa..1d987061d1a1 100644 |
| 105 | --- a/arch/mips/Kconfig |
| 106 | +++ b/arch/mips/Kconfig |
| 107 | @@ -3135,6 +3135,7 @@ config MIPS32_O32 |
| 108 | config MIPS32_N32 |
| 109 | bool "Kernel support for n32 binaries" |
| 110 | depends on 64BIT |
| 111 | + select ARCH_WANT_COMPAT_IPC_PARSE_VERSION |
| 112 | select COMPAT |
| 113 | select MIPS32_COMPAT |
| 114 | select SYSVIPC_COMPAT if SYSVIPC |
| 115 | diff --git a/arch/mips/pci/msi-octeon.c b/arch/mips/pci/msi-octeon.c |
| 116 | index 2a5bb849b10e..288b58b00dc8 100644 |
| 117 | --- a/arch/mips/pci/msi-octeon.c |
| 118 | +++ b/arch/mips/pci/msi-octeon.c |
| 119 | @@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void) |
| 120 | int irq; |
| 121 | struct irq_chip *msi; |
| 122 | |
| 123 | - if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { |
| 124 | + if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) { |
| 125 | + return 0; |
| 126 | + } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { |
| 127 | msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0; |
| 128 | msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1; |
| 129 | msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2; |
| 130 | diff --git a/crypto/authenc.c b/crypto/authenc.c |
| 131 | index c3180eb6d1ee..6bfec690ca5b 100644 |
| 132 | --- a/crypto/authenc.c |
| 133 | +++ b/crypto/authenc.c |
| 134 | @@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key, |
| 135 | return -EINVAL; |
| 136 | if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) |
| 137 | return -EINVAL; |
| 138 | - if (RTA_PAYLOAD(rta) < sizeof(*param)) |
| 139 | + |
| 140 | + /* |
| 141 | + * RTA_OK() didn't align the rtattr's payload when validating that it |
| 142 | + * fits in the buffer. Yet, the keys should start on the next 4-byte |
| 143 | + * aligned boundary. To avoid confusion, require that the rtattr |
| 144 | + * payload be exactly the param struct, which has a 4-byte aligned size. |
| 145 | + */ |
| 146 | + if (RTA_PAYLOAD(rta) != sizeof(*param)) |
| 147 | return -EINVAL; |
| 148 | + BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO); |
| 149 | |
| 150 | param = RTA_DATA(rta); |
| 151 | keys->enckeylen = be32_to_cpu(param->enckeylen); |
| 152 | |
| 153 | - key += RTA_ALIGN(rta->rta_len); |
| 154 | - keylen -= RTA_ALIGN(rta->rta_len); |
| 155 | + key += rta->rta_len; |
| 156 | + keylen -= rta->rta_len; |
| 157 | |
| 158 | if (keylen < keys->enckeylen) |
| 159 | return -EINVAL; |
| 160 | diff --git a/crypto/authencesn.c b/crypto/authencesn.c |
| 161 | index 49e7e85a23d5..73b12f128ae5 100644 |
| 162 | --- a/crypto/authencesn.c |
| 163 | +++ b/crypto/authencesn.c |
| 164 | @@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq, |
| 165 | struct aead_request *req = areq->data; |
| 166 | |
| 167 | err = err ?: crypto_authenc_esn_decrypt_tail(req, 0); |
| 168 | - aead_request_complete(req, err); |
| 169 | + authenc_esn_request_complete(req, err); |
| 170 | } |
| 171 | |
| 172 | static int crypto_authenc_esn_decrypt(struct aead_request *req) |
| 173 | diff --git a/drivers/block/loop.c b/drivers/block/loop.c |
| 174 | index 9f840d9fdfcb..344f34746c10 100644 |
| 175 | --- a/drivers/block/loop.c |
| 176 | +++ b/drivers/block/loop.c |
| 177 | @@ -81,7 +81,7 @@ |
| 178 | #include <asm/uaccess.h> |
| 179 | |
| 180 | static DEFINE_IDR(loop_index_idr); |
| 181 | -static DEFINE_MUTEX(loop_index_mutex); |
| 182 | +static DEFINE_MUTEX(loop_ctl_mutex); |
| 183 | |
| 184 | static int max_part; |
| 185 | static int part_shift; |
| 186 | @@ -1033,7 +1033,7 @@ static int loop_clr_fd(struct loop_device *lo) |
| 187 | */ |
| 188 | if (atomic_read(&lo->lo_refcnt) > 1) { |
| 189 | lo->lo_flags |= LO_FLAGS_AUTOCLEAR; |
| 190 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 191 | + mutex_unlock(&loop_ctl_mutex); |
| 192 | return 0; |
| 193 | } |
| 194 | |
| 195 | @@ -1082,12 +1082,12 @@ static int loop_clr_fd(struct loop_device *lo) |
| 196 | if (!part_shift) |
| 197 | lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; |
| 198 | loop_unprepare_queue(lo); |
| 199 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 200 | + mutex_unlock(&loop_ctl_mutex); |
| 201 | /* |
| 202 | - * Need not hold lo_ctl_mutex to fput backing file. |
| 203 | - * Calling fput holding lo_ctl_mutex triggers a circular |
| 204 | + * Need not hold loop_ctl_mutex to fput backing file. |
| 205 | + * Calling fput holding loop_ctl_mutex triggers a circular |
| 206 | * lock dependency possibility warning as fput can take |
| 207 | - * bd_mutex which is usually taken before lo_ctl_mutex. |
| 208 | + * bd_mutex which is usually taken before loop_ctl_mutex. |
| 209 | */ |
| 210 | fput(filp); |
| 211 | return 0; |
| 212 | @@ -1350,7 +1350,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, |
| 213 | struct loop_device *lo = bdev->bd_disk->private_data; |
| 214 | int err; |
| 215 | |
| 216 | - mutex_lock_nested(&lo->lo_ctl_mutex, 1); |
| 217 | + mutex_lock_nested(&loop_ctl_mutex, 1); |
| 218 | switch (cmd) { |
| 219 | case LOOP_SET_FD: |
| 220 | err = loop_set_fd(lo, mode, bdev, arg); |
| 221 | @@ -1359,7 +1359,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, |
| 222 | err = loop_change_fd(lo, bdev, arg); |
| 223 | break; |
| 224 | case LOOP_CLR_FD: |
| 225 | - /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ |
| 226 | + /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ |
| 227 | err = loop_clr_fd(lo); |
| 228 | if (!err) |
| 229 | goto out_unlocked; |
| 230 | @@ -1395,7 +1395,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, |
| 231 | default: |
| 232 | err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL; |
| 233 | } |
| 234 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 235 | + mutex_unlock(&loop_ctl_mutex); |
| 236 | |
| 237 | out_unlocked: |
| 238 | return err; |
| 239 | @@ -1528,16 +1528,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, |
| 240 | |
| 241 | switch(cmd) { |
| 242 | case LOOP_SET_STATUS: |
| 243 | - mutex_lock(&lo->lo_ctl_mutex); |
| 244 | + mutex_lock(&loop_ctl_mutex); |
| 245 | err = loop_set_status_compat( |
| 246 | lo, (const struct compat_loop_info __user *) arg); |
| 247 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 248 | + mutex_unlock(&loop_ctl_mutex); |
| 249 | break; |
| 250 | case LOOP_GET_STATUS: |
| 251 | - mutex_lock(&lo->lo_ctl_mutex); |
| 252 | + mutex_lock(&loop_ctl_mutex); |
| 253 | err = loop_get_status_compat( |
| 254 | lo, (struct compat_loop_info __user *) arg); |
| 255 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 256 | + mutex_unlock(&loop_ctl_mutex); |
| 257 | break; |
| 258 | case LOOP_SET_CAPACITY: |
| 259 | case LOOP_CLR_FD: |
| 260 | @@ -1559,9 +1559,11 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, |
| 261 | static int lo_open(struct block_device *bdev, fmode_t mode) |
| 262 | { |
| 263 | struct loop_device *lo; |
| 264 | - int err = 0; |
| 265 | + int err; |
| 266 | |
| 267 | - mutex_lock(&loop_index_mutex); |
| 268 | + err = mutex_lock_killable(&loop_ctl_mutex); |
| 269 | + if (err) |
| 270 | + return err; |
| 271 | lo = bdev->bd_disk->private_data; |
| 272 | if (!lo) { |
| 273 | err = -ENXIO; |
| 274 | @@ -1570,18 +1572,20 @@ static int lo_open(struct block_device *bdev, fmode_t mode) |
| 275 | |
| 276 | atomic_inc(&lo->lo_refcnt); |
| 277 | out: |
| 278 | - mutex_unlock(&loop_index_mutex); |
| 279 | + mutex_unlock(&loop_ctl_mutex); |
| 280 | return err; |
| 281 | } |
| 282 | |
| 283 | -static void __lo_release(struct loop_device *lo) |
| 284 | +static void lo_release(struct gendisk *disk, fmode_t mode) |
| 285 | { |
| 286 | + struct loop_device *lo; |
| 287 | int err; |
| 288 | |
| 289 | + mutex_lock(&loop_ctl_mutex); |
| 290 | + lo = disk->private_data; |
| 291 | if (atomic_dec_return(&lo->lo_refcnt)) |
| 292 | - return; |
| 293 | + goto out_unlock; |
| 294 | |
| 295 | - mutex_lock(&lo->lo_ctl_mutex); |
| 296 | if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { |
| 297 | /* |
| 298 | * In autoclear mode, stop the loop thread |
| 299 | @@ -1598,14 +1602,8 @@ static void __lo_release(struct loop_device *lo) |
| 300 | loop_flush(lo); |
| 301 | } |
| 302 | |
| 303 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 304 | -} |
| 305 | - |
| 306 | -static void lo_release(struct gendisk *disk, fmode_t mode) |
| 307 | -{ |
| 308 | - mutex_lock(&loop_index_mutex); |
| 309 | - __lo_release(disk->private_data); |
| 310 | - mutex_unlock(&loop_index_mutex); |
| 311 | +out_unlock: |
| 312 | + mutex_unlock(&loop_ctl_mutex); |
| 313 | } |
| 314 | |
| 315 | static const struct block_device_operations lo_fops = { |
| 316 | @@ -1644,10 +1642,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data) |
| 317 | struct loop_device *lo = ptr; |
| 318 | struct loop_func_table *xfer = data; |
| 319 | |
| 320 | - mutex_lock(&lo->lo_ctl_mutex); |
| 321 | + mutex_lock(&loop_ctl_mutex); |
| 322 | if (lo->lo_encryption == xfer) |
| 323 | loop_release_xfer(lo); |
| 324 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 325 | + mutex_unlock(&loop_ctl_mutex); |
| 326 | return 0; |
| 327 | } |
| 328 | |
| 329 | @@ -1813,7 +1811,6 @@ static int loop_add(struct loop_device **l, int i) |
| 330 | if (!part_shift) |
| 331 | disk->flags |= GENHD_FL_NO_PART_SCAN; |
| 332 | disk->flags |= GENHD_FL_EXT_DEVT; |
| 333 | - mutex_init(&lo->lo_ctl_mutex); |
| 334 | atomic_set(&lo->lo_refcnt, 0); |
| 335 | lo->lo_number = i; |
| 336 | spin_lock_init(&lo->lo_lock); |
| 337 | @@ -1892,7 +1889,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) |
| 338 | struct kobject *kobj; |
| 339 | int err; |
| 340 | |
| 341 | - mutex_lock(&loop_index_mutex); |
| 342 | + mutex_lock(&loop_ctl_mutex); |
| 343 | err = loop_lookup(&lo, MINOR(dev) >> part_shift); |
| 344 | if (err < 0) |
| 345 | err = loop_add(&lo, MINOR(dev) >> part_shift); |
| 346 | @@ -1900,7 +1897,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) |
| 347 | kobj = NULL; |
| 348 | else |
| 349 | kobj = get_disk(lo->lo_disk); |
| 350 | - mutex_unlock(&loop_index_mutex); |
| 351 | + mutex_unlock(&loop_ctl_mutex); |
| 352 | |
| 353 | *part = 0; |
| 354 | return kobj; |
| 355 | @@ -1910,9 +1907,13 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, |
| 356 | unsigned long parm) |
| 357 | { |
| 358 | struct loop_device *lo; |
| 359 | - int ret = -ENOSYS; |
| 360 | + int ret; |
| 361 | + |
| 362 | + ret = mutex_lock_killable(&loop_ctl_mutex); |
| 363 | + if (ret) |
| 364 | + return ret; |
| 365 | |
| 366 | - mutex_lock(&loop_index_mutex); |
| 367 | + ret = -ENOSYS; |
| 368 | switch (cmd) { |
| 369 | case LOOP_CTL_ADD: |
| 370 | ret = loop_lookup(&lo, parm); |
| 371 | @@ -1926,19 +1927,15 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, |
| 372 | ret = loop_lookup(&lo, parm); |
| 373 | if (ret < 0) |
| 374 | break; |
| 375 | - mutex_lock(&lo->lo_ctl_mutex); |
| 376 | if (lo->lo_state != Lo_unbound) { |
| 377 | ret = -EBUSY; |
| 378 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 379 | break; |
| 380 | } |
| 381 | if (atomic_read(&lo->lo_refcnt) > 0) { |
| 382 | ret = -EBUSY; |
| 383 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 384 | break; |
| 385 | } |
| 386 | lo->lo_disk->private_data = NULL; |
| 387 | - mutex_unlock(&lo->lo_ctl_mutex); |
| 388 | idr_remove(&loop_index_idr, lo->lo_number); |
| 389 | loop_remove(lo); |
| 390 | break; |
| 391 | @@ -1948,7 +1945,7 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, |
| 392 | break; |
| 393 | ret = loop_add(&lo, -1); |
| 394 | } |
| 395 | - mutex_unlock(&loop_index_mutex); |
| 396 | + mutex_unlock(&loop_ctl_mutex); |
| 397 | |
| 398 | return ret; |
| 399 | } |
| 400 | @@ -2031,10 +2028,10 @@ static int __init loop_init(void) |
| 401 | THIS_MODULE, loop_probe, NULL, NULL); |
| 402 | |
| 403 | /* pre-create number of devices given by config or max_loop */ |
| 404 | - mutex_lock(&loop_index_mutex); |
| 405 | + mutex_lock(&loop_ctl_mutex); |
| 406 | for (i = 0; i < nr; i++) |
| 407 | loop_add(&lo, i); |
| 408 | - mutex_unlock(&loop_index_mutex); |
| 409 | + mutex_unlock(&loop_ctl_mutex); |
| 410 | |
| 411 | printk(KERN_INFO "loop: module loaded\n"); |
| 412 | return 0; |
| 413 | diff --git a/drivers/block/loop.h b/drivers/block/loop.h |
| 414 | index 60f0fd2c0c65..a923e74495ce 100644 |
| 415 | --- a/drivers/block/loop.h |
| 416 | +++ b/drivers/block/loop.h |
| 417 | @@ -55,7 +55,6 @@ struct loop_device { |
| 418 | |
| 419 | spinlock_t lo_lock; |
| 420 | int lo_state; |
| 421 | - struct mutex lo_ctl_mutex; |
| 422 | struct kthread_worker worker; |
| 423 | struct task_struct *worker_task; |
| 424 | bool use_dio; |
| 425 | diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c |
| 426 | index 42a53956aefe..394f8ec83cf0 100644 |
| 427 | --- a/drivers/block/nbd.c |
| 428 | +++ b/drivers/block/nbd.c |
| 429 | @@ -108,7 +108,7 @@ static const char *nbdcmd_to_ascii(int cmd) |
| 430 | |
| 431 | static int nbd_size_clear(struct nbd_device *nbd, struct block_device *bdev) |
| 432 | { |
| 433 | - bdev->bd_inode->i_size = 0; |
| 434 | + bd_set_size(bdev, 0); |
| 435 | set_capacity(nbd->disk, 0); |
| 436 | kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE); |
| 437 | |
| 438 | @@ -117,29 +117,21 @@ static int nbd_size_clear(struct nbd_device *nbd, struct block_device *bdev) |
| 439 | |
| 440 | static void nbd_size_update(struct nbd_device *nbd, struct block_device *bdev) |
| 441 | { |
| 442 | - if (!nbd_is_connected(nbd)) |
| 443 | - return; |
| 444 | - |
| 445 | - bdev->bd_inode->i_size = nbd->bytesize; |
| 446 | + blk_queue_logical_block_size(nbd->disk->queue, nbd->blksize); |
| 447 | + blk_queue_physical_block_size(nbd->disk->queue, nbd->blksize); |
| 448 | + bd_set_size(bdev, nbd->bytesize); |
| 449 | + set_blocksize(bdev, nbd->blksize); |
| 450 | set_capacity(nbd->disk, nbd->bytesize >> 9); |
| 451 | kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE); |
| 452 | } |
| 453 | |
| 454 | -static int nbd_size_set(struct nbd_device *nbd, struct block_device *bdev, |
| 455 | +static void nbd_size_set(struct nbd_device *nbd, struct block_device *bdev, |
| 456 | loff_t blocksize, loff_t nr_blocks) |
| 457 | { |
| 458 | - int ret; |
| 459 | - |
| 460 | - ret = set_blocksize(bdev, blocksize); |
| 461 | - if (ret) |
| 462 | - return ret; |
| 463 | - |
| 464 | nbd->blksize = blocksize; |
| 465 | nbd->bytesize = blocksize * nr_blocks; |
| 466 | - |
| 467 | - nbd_size_update(nbd, bdev); |
| 468 | - |
| 469 | - return 0; |
| 470 | + if (nbd_is_connected(nbd)) |
| 471 | + nbd_size_update(nbd, bdev); |
| 472 | } |
| 473 | |
| 474 | static void nbd_end_request(struct nbd_cmd *cmd) |
| 475 | @@ -655,16 +647,17 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, |
| 476 | case NBD_SET_BLKSIZE: { |
| 477 | loff_t bsize = div_s64(nbd->bytesize, arg); |
| 478 | |
| 479 | - return nbd_size_set(nbd, bdev, arg, bsize); |
| 480 | + nbd_size_set(nbd, bdev, arg, bsize); |
| 481 | + return 0; |
| 482 | } |
| 483 | |
| 484 | case NBD_SET_SIZE: |
| 485 | - return nbd_size_set(nbd, bdev, nbd->blksize, |
| 486 | - div_s64(arg, nbd->blksize)); |
| 487 | - |
| 488 | + nbd_size_set(nbd, bdev, nbd->blksize, |
| 489 | + div_s64(arg, nbd->blksize)); |
| 490 | + return 0; |
| 491 | case NBD_SET_SIZE_BLOCKS: |
| 492 | - return nbd_size_set(nbd, bdev, nbd->blksize, arg); |
| 493 | - |
| 494 | + nbd_size_set(nbd, bdev, nbd->blksize, arg); |
| 495 | + return 0; |
| 496 | case NBD_SET_TIMEOUT: |
| 497 | if (arg) { |
| 498 | nbd->tag_set.timeout = arg * HZ; |
| 499 | diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c |
| 500 | index 631337c2e4a7..9eac4dcb9971 100644 |
| 501 | --- a/drivers/crypto/caam/caamhash.c |
| 502 | +++ b/drivers/crypto/caam/caamhash.c |
| 503 | @@ -1232,13 +1232,16 @@ static int ahash_final_no_ctx(struct ahash_request *req) |
| 504 | |
| 505 | desc = edesc->hw_desc; |
| 506 | |
| 507 | - state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE); |
| 508 | - if (dma_mapping_error(jrdev, state->buf_dma)) { |
| 509 | - dev_err(jrdev, "unable to map src\n"); |
| 510 | - goto unmap; |
| 511 | - } |
| 512 | + if (buflen) { |
| 513 | + state->buf_dma = dma_map_single(jrdev, buf, buflen, |
| 514 | + DMA_TO_DEVICE); |
| 515 | + if (dma_mapping_error(jrdev, state->buf_dma)) { |
| 516 | + dev_err(jrdev, "unable to map src\n"); |
| 517 | + goto unmap; |
| 518 | + } |
| 519 | |
| 520 | - append_seq_in_ptr(desc, state->buf_dma, buflen, 0); |
| 521 | + append_seq_in_ptr(desc, state->buf_dma, buflen, 0); |
| 522 | + } |
| 523 | |
| 524 | edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, |
| 525 | digestsize); |
| 526 | diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c |
| 527 | index 7c71722be395..463033b4db1d 100644 |
| 528 | --- a/drivers/crypto/talitos.c |
| 529 | +++ b/drivers/crypto/talitos.c |
| 530 | @@ -1347,23 +1347,18 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, |
| 531 | struct talitos_private *priv = dev_get_drvdata(dev); |
| 532 | bool is_sec1 = has_ftr_sec1(priv); |
| 533 | int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN; |
| 534 | - void *err; |
| 535 | |
| 536 | if (cryptlen + authsize > max_len) { |
| 537 | dev_err(dev, "length exceeds h/w max limit\n"); |
| 538 | return ERR_PTR(-EINVAL); |
| 539 | } |
| 540 | |
| 541 | - if (ivsize) |
| 542 | - iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); |
| 543 | - |
| 544 | if (!dst || dst == src) { |
| 545 | src_len = assoclen + cryptlen + authsize; |
| 546 | src_nents = sg_nents_for_len(src, src_len); |
| 547 | if (src_nents < 0) { |
| 548 | dev_err(dev, "Invalid number of src SG.\n"); |
| 549 | - err = ERR_PTR(-EINVAL); |
| 550 | - goto error_sg; |
| 551 | + return ERR_PTR(-EINVAL); |
| 552 | } |
| 553 | src_nents = (src_nents == 1) ? 0 : src_nents; |
| 554 | dst_nents = dst ? src_nents : 0; |
| 555 | @@ -1373,16 +1368,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, |
| 556 | src_nents = sg_nents_for_len(src, src_len); |
| 557 | if (src_nents < 0) { |
| 558 | dev_err(dev, "Invalid number of src SG.\n"); |
| 559 | - err = ERR_PTR(-EINVAL); |
| 560 | - goto error_sg; |
| 561 | + return ERR_PTR(-EINVAL); |
| 562 | } |
| 563 | src_nents = (src_nents == 1) ? 0 : src_nents; |
| 564 | dst_len = assoclen + cryptlen + (encrypt ? authsize : 0); |
| 565 | dst_nents = sg_nents_for_len(dst, dst_len); |
| 566 | if (dst_nents < 0) { |
| 567 | dev_err(dev, "Invalid number of dst SG.\n"); |
| 568 | - err = ERR_PTR(-EINVAL); |
| 569 | - goto error_sg; |
| 570 | + return ERR_PTR(-EINVAL); |
| 571 | } |
| 572 | dst_nents = (dst_nents == 1) ? 0 : dst_nents; |
| 573 | } |
| 574 | @@ -1405,12 +1398,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, |
| 575 | dma_len = 0; |
| 576 | alloc_len += icv_stashing ? authsize : 0; |
| 577 | } |
| 578 | + alloc_len += ivsize; |
| 579 | |
| 580 | edesc = kmalloc(alloc_len, GFP_DMA | flags); |
| 581 | - if (!edesc) { |
| 582 | - dev_err(dev, "could not allocate edescriptor\n"); |
| 583 | - err = ERR_PTR(-ENOMEM); |
| 584 | - goto error_sg; |
| 585 | + if (!edesc) |
| 586 | + return ERR_PTR(-ENOMEM); |
| 587 | + if (ivsize) { |
| 588 | + iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize); |
| 589 | + iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); |
| 590 | } |
| 591 | |
| 592 | edesc->src_nents = src_nents; |
| 593 | @@ -1423,10 +1418,6 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, |
| 594 | DMA_BIDIRECTIONAL); |
| 595 | |
| 596 | return edesc; |
| 597 | -error_sg: |
| 598 | - if (iv_dma) |
| 599 | - dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE); |
| 600 | - return err; |
| 601 | } |
| 602 | |
| 603 | static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, |
| 604 | diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c |
| 605 | index 6a48d6637e5c..2e85e609f125 100644 |
| 606 | --- a/drivers/gpu/drm/drm_fb_helper.c |
| 607 | +++ b/drivers/gpu/drm/drm_fb_helper.c |
| 608 | @@ -1238,9 +1238,14 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var, |
| 609 | struct drm_framebuffer *fb = fb_helper->fb; |
| 610 | int depth; |
| 611 | |
| 612 | - if (var->pixclock != 0 || in_dbg_master()) |
| 613 | + if (in_dbg_master()) |
| 614 | return -EINVAL; |
| 615 | |
| 616 | + if (var->pixclock != 0) { |
| 617 | + DRM_DEBUG("fbdev emulation doesn't support changing the pixel clock, value of pixclock is ignored\n"); |
| 618 | + var->pixclock = 0; |
| 619 | + } |
| 620 | + |
| 621 | /* Need to resize the fb object !!! */ |
| 622 | if (var->bits_per_pixel > fb->bits_per_pixel || |
| 623 | var->xres > fb->width || var->yres > fb->height || |
| 624 | diff --git a/drivers/media/platform/vivid/vivid-kthread-cap.c b/drivers/media/platform/vivid/vivid-kthread-cap.c |
| 625 | index 6ca71aabb576..d300e5e7eadc 100644 |
| 626 | --- a/drivers/media/platform/vivid/vivid-kthread-cap.c |
| 627 | +++ b/drivers/media/platform/vivid/vivid-kthread-cap.c |
| 628 | @@ -877,8 +877,11 @@ int vivid_start_generating_vid_cap(struct vivid_dev *dev, bool *pstreaming) |
| 629 | "%s-vid-cap", dev->v4l2_dev.name); |
| 630 | |
| 631 | if (IS_ERR(dev->kthread_vid_cap)) { |
| 632 | + int err = PTR_ERR(dev->kthread_vid_cap); |
| 633 | + |
| 634 | + dev->kthread_vid_cap = NULL; |
| 635 | v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); |
| 636 | - return PTR_ERR(dev->kthread_vid_cap); |
| 637 | + return err; |
| 638 | } |
| 639 | *pstreaming = true; |
| 640 | vivid_grab_controls(dev, true); |
| 641 | diff --git a/drivers/media/platform/vivid/vivid-kthread-out.c b/drivers/media/platform/vivid/vivid-kthread-out.c |
| 642 | index 98eed5889bc1..7c8d75852816 100644 |
| 643 | --- a/drivers/media/platform/vivid/vivid-kthread-out.c |
| 644 | +++ b/drivers/media/platform/vivid/vivid-kthread-out.c |
| 645 | @@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struct vivid_dev *dev, bool *pstreaming) |
| 646 | "%s-vid-out", dev->v4l2_dev.name); |
| 647 | |
| 648 | if (IS_ERR(dev->kthread_vid_out)) { |
| 649 | + int err = PTR_ERR(dev->kthread_vid_out); |
| 650 | + |
| 651 | + dev->kthread_vid_out = NULL; |
| 652 | v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); |
| 653 | - return PTR_ERR(dev->kthread_vid_out); |
| 654 | + return err; |
| 655 | } |
| 656 | *pstreaming = true; |
| 657 | vivid_grab_controls(dev, true); |
| 658 | diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c |
| 659 | index fcda3ae4e6b0..f9a810e3f521 100644 |
| 660 | --- a/drivers/media/platform/vivid/vivid-vid-common.c |
| 661 | +++ b/drivers/media/platform/vivid/vivid-vid-common.c |
| 662 | @@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_dv_timings_cap = { |
| 663 | .type = V4L2_DV_BT_656_1120, |
| 664 | /* keep this initialization for compatibility with GCC < 4.4.6 */ |
| 665 | .reserved = { 0 }, |
| 666 | - V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 14000000, 775000000, |
| 667 | + V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 14000000, 775000000, |
| 668 | V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | |
| 669 | V4L2_DV_BT_STD_CVT | V4L2_DV_BT_STD_GTF, |
| 670 | V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED) |
| 671 | diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c |
| 672 | index 1ed7ba3dfdbe..ae959e01042a 100644 |
| 673 | --- a/drivers/media/usb/em28xx/em28xx-video.c |
| 674 | +++ b/drivers/media/usb/em28xx/em28xx-video.c |
| 675 | @@ -1062,6 +1062,8 @@ int em28xx_start_analog_streaming(struct vb2_queue *vq, unsigned int count) |
| 676 | |
| 677 | em28xx_videodbg("%s\n", __func__); |
| 678 | |
| 679 | + dev->v4l2->field_count = 0; |
| 680 | + |
| 681 | /* Make sure streaming is not already in progress for this type |
| 682 | of filehandle (e.g. video, vbi) */ |
| 683 | rc = res_get(dev, vq->type); |
| 684 | @@ -1290,8 +1292,6 @@ static void em28xx_ctrl_notify(struct v4l2_ctrl *ctrl, void *priv) |
| 685 | { |
| 686 | struct em28xx *dev = priv; |
| 687 | |
| 688 | - dev->v4l2->field_count = 0; |
| 689 | - |
| 690 | /* |
| 691 | * In the case of non-AC97 volume controls, we still need |
| 692 | * to do some setups at em28xx, in order to mute/unmute |
| 693 | diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c |
| 694 | index 4df4a1f402be..b1a4d4e2341b 100644 |
| 695 | --- a/drivers/media/v4l2-core/videobuf2-core.c |
| 696 | +++ b/drivers/media/v4l2-core/videobuf2-core.c |
| 697 | @@ -1916,9 +1916,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) |
| 698 | return -EINVAL; |
| 699 | } |
| 700 | } |
| 701 | + |
| 702 | + mutex_lock(&q->mmap_lock); |
| 703 | + |
| 704 | if (vb2_fileio_is_active(q)) { |
| 705 | dprintk(1, "mmap: file io in progress\n"); |
| 706 | - return -EBUSY; |
| 707 | + ret = -EBUSY; |
| 708 | + goto unlock; |
| 709 | } |
| 710 | |
| 711 | /* |
| 712 | @@ -1926,7 +1930,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) |
| 713 | */ |
| 714 | ret = __find_plane_by_offset(q, off, &buffer, &plane); |
| 715 | if (ret) |
| 716 | - return ret; |
| 717 | + goto unlock; |
| 718 | |
| 719 | vb = q->bufs[buffer]; |
| 720 | |
| 721 | @@ -1939,11 +1943,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) |
| 722 | if (length < (vma->vm_end - vma->vm_start)) { |
| 723 | dprintk(1, |
| 724 | "MMAP invalid, as it would overflow buffer length\n"); |
| 725 | - return -EINVAL; |
| 726 | + ret = -EINVAL; |
| 727 | + goto unlock; |
| 728 | } |
| 729 | |
| 730 | - mutex_lock(&q->mmap_lock); |
| 731 | ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma); |
| 732 | + |
| 733 | +unlock: |
| 734 | mutex_unlock(&q->mmap_lock); |
| 735 | if (ret) |
| 736 | return ret; |
| 737 | diff --git a/drivers/mfd/tps6586x.c b/drivers/mfd/tps6586x.c |
| 738 | index 5628a6b5b19b..c5c320efc7b4 100644 |
| 739 | --- a/drivers/mfd/tps6586x.c |
| 740 | +++ b/drivers/mfd/tps6586x.c |
| 741 | @@ -594,6 +594,29 @@ static int tps6586x_i2c_remove(struct i2c_client *client) |
| 742 | return 0; |
| 743 | } |
| 744 | |
| 745 | +static int __maybe_unused tps6586x_i2c_suspend(struct device *dev) |
| 746 | +{ |
| 747 | + struct tps6586x *tps6586x = dev_get_drvdata(dev); |
| 748 | + |
| 749 | + if (tps6586x->client->irq) |
| 750 | + disable_irq(tps6586x->client->irq); |
| 751 | + |
| 752 | + return 0; |
| 753 | +} |
| 754 | + |
| 755 | +static int __maybe_unused tps6586x_i2c_resume(struct device *dev) |
| 756 | +{ |
| 757 | + struct tps6586x *tps6586x = dev_get_drvdata(dev); |
| 758 | + |
| 759 | + if (tps6586x->client->irq) |
| 760 | + enable_irq(tps6586x->client->irq); |
| 761 | + |
| 762 | + return 0; |
| 763 | +} |
| 764 | + |
| 765 | +static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend, |
| 766 | + tps6586x_i2c_resume); |
| 767 | + |
| 768 | static const struct i2c_device_id tps6586x_id_table[] = { |
| 769 | { "tps6586x", 0 }, |
| 770 | { }, |
| 771 | @@ -604,6 +627,7 @@ static struct i2c_driver tps6586x_driver = { |
| 772 | .driver = { |
| 773 | .name = "tps6586x", |
| 774 | .of_match_table = of_match_ptr(tps6586x_of_match), |
| 775 | + .pm = &tps6586x_pm_ops, |
| 776 | }, |
| 777 | .probe = tps6586x_i2c_probe, |
| 778 | .remove = tps6586x_i2c_remove, |
| 779 | diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c |
| 780 | index 389d1db69a32..24a3433f3944 100644 |
| 781 | --- a/drivers/net/bonding/bond_main.c |
| 782 | +++ b/drivers/net/bonding/bond_main.c |
| 783 | @@ -1900,6 +1900,9 @@ static int __bond_release_one(struct net_device *bond_dev, |
| 784 | if (!bond_has_slaves(bond)) { |
| 785 | bond_set_carrier(bond); |
| 786 | eth_hw_addr_random(bond_dev); |
| 787 | + bond->nest_level = SINGLE_DEPTH_NESTING; |
| 788 | + } else { |
| 789 | + bond->nest_level = dev_get_nest_level(bond_dev) + 1; |
| 790 | } |
| 791 | |
| 792 | unblock_netpoll_tx(); |
| 793 | diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c |
| 794 | index b44c1bb687a2..ebc193f7f7dd 100644 |
| 795 | --- a/drivers/scsi/scsi_pm.c |
| 796 | +++ b/drivers/scsi/scsi_pm.c |
| 797 | @@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct device *dev, |
| 798 | |
| 799 | if (err == 0) { |
| 800 | pm_runtime_disable(dev); |
| 801 | - pm_runtime_set_active(dev); |
| 802 | + err = pm_runtime_set_active(dev); |
| 803 | pm_runtime_enable(dev); |
| 804 | + |
| 805 | + /* |
| 806 | + * Forcibly set runtime PM status of request queue to "active" |
| 807 | + * to make sure we can again get requests from the queue |
| 808 | + * (see also blk_pm_peek_request()). |
| 809 | + * |
| 810 | + * The resume hook will correct runtime PM status of the disk. |
| 811 | + */ |
| 812 | + if (!err && scsi_is_sdev_device(dev)) { |
| 813 | + struct scsi_device *sdev = to_scsi_device(dev); |
| 814 | + |
| 815 | + if (sdev->request_queue->dev) |
| 816 | + blk_set_runtime_active(sdev->request_queue); |
| 817 | + } |
| 818 | } |
| 819 | |
| 820 | return err; |
| 821 | @@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct device *dev, |
| 822 | else |
| 823 | fn = NULL; |
| 824 | |
| 825 | - /* |
| 826 | - * Forcibly set runtime PM status of request queue to "active" to |
| 827 | - * make sure we can again get requests from the queue (see also |
| 828 | - * blk_pm_peek_request()). |
| 829 | - * |
| 830 | - * The resume hook will correct runtime PM status of the disk. |
| 831 | - */ |
| 832 | - if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev)) |
| 833 | - blk_set_runtime_active(to_scsi_device(dev)->request_queue); |
| 834 | - |
| 835 | if (fn) { |
| 836 | async_schedule_domain(fn, dev, &scsi_sd_pm_domain); |
| 837 | |
| 838 | diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c |
| 839 | index ab999c4444b8..867ae76f93f2 100644 |
| 840 | --- a/drivers/scsi/sd.c |
| 841 | +++ b/drivers/scsi/sd.c |
| 842 | @@ -208,6 +208,12 @@ cache_type_store(struct device *dev, struct device_attribute *attr, |
| 843 | sp = buffer_data[0] & 0x80 ? 1 : 0; |
| 844 | buffer_data[0] &= ~0x80; |
| 845 | |
| 846 | + /* |
| 847 | + * Ensure WP, DPOFUA, and RESERVED fields are cleared in |
| 848 | + * received mode parameter buffer before doing MODE SELECT. |
| 849 | + */ |
| 850 | + data.device_specific = 0; |
| 851 | + |
| 852 | if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT, |
| 853 | SD_MAX_RETRIES, &data, &sshdr)) { |
| 854 | if (scsi_sense_valid(&sshdr)) |
| 855 | diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c |
| 856 | index e6c4321d695c..f61f8650665f 100644 |
| 857 | --- a/drivers/tty/tty_io.c |
| 858 | +++ b/drivers/tty/tty_io.c |
| 859 | @@ -1475,7 +1475,8 @@ static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct * |
| 860 | static int tty_reopen(struct tty_struct *tty) |
| 861 | { |
| 862 | struct tty_driver *driver = tty->driver; |
| 863 | - int retval; |
| 864 | + struct tty_ldisc *ld; |
| 865 | + int retval = 0; |
| 866 | |
| 867 | if (driver->type == TTY_DRIVER_TYPE_PTY && |
| 868 | driver->subtype == PTY_TYPE_MASTER) |
| 869 | @@ -1487,14 +1488,21 @@ static int tty_reopen(struct tty_struct *tty) |
| 870 | if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN)) |
| 871 | return -EBUSY; |
| 872 | |
| 873 | - tty->count++; |
| 874 | + ld = tty_ldisc_ref_wait(tty); |
| 875 | + if (ld) { |
| 876 | + tty_ldisc_deref(ld); |
| 877 | + } else { |
| 878 | + retval = tty_ldisc_lock(tty, 5 * HZ); |
| 879 | + if (retval) |
| 880 | + return retval; |
| 881 | |
| 882 | - if (tty->ldisc) |
| 883 | - return 0; |
| 884 | + if (!tty->ldisc) |
| 885 | + retval = tty_ldisc_reinit(tty, tty->termios.c_line); |
| 886 | + tty_ldisc_unlock(tty); |
| 887 | + } |
| 888 | |
| 889 | - retval = tty_ldisc_reinit(tty, tty->termios.c_line); |
| 890 | - if (retval) |
| 891 | - tty->count--; |
| 892 | + if (retval == 0) |
| 893 | + tty->count++; |
| 894 | |
| 895 | return retval; |
| 896 | } |
| 897 | diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c |
| 898 | index 1bf8ed13f827..dbd7ba32caac 100644 |
| 899 | --- a/drivers/tty/tty_ldsem.c |
| 900 | +++ b/drivers/tty/tty_ldsem.c |
| 901 | @@ -307,6 +307,16 @@ down_write_failed(struct ld_semaphore *sem, long count, long timeout) |
| 902 | if (!locked) |
| 903 | ldsem_atomic_update(-LDSEM_WAIT_BIAS, sem); |
| 904 | list_del(&waiter.list); |
| 905 | + |
| 906 | + /* |
| 907 | + * In case of timeout, wake up every reader who gave the right of way |
| 908 | + * to writer. Prevent separation readers into two groups: |
| 909 | + * one that helds semaphore and another that sleeps. |
| 910 | + * (in case of no contention with a writer) |
| 911 | + */ |
| 912 | + if (!locked && list_empty(&sem->write_wait)) |
| 913 | + __ldsem_wake_readers(sem); |
| 914 | + |
| 915 | raw_spin_unlock_irq(&sem->wait_lock); |
| 916 | |
| 917 | __set_task_state(tsk, TASK_RUNNING); |
| 918 | diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c |
| 919 | index a3edb20ea4c3..a846d32ee653 100644 |
| 920 | --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c |
| 921 | +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c |
| 922 | @@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg) |
| 923 | |
| 924 | int r = 0; |
| 925 | |
| 926 | + memset(&p, 0, sizeof(p)); |
| 927 | + |
| 928 | switch (cmd) { |
| 929 | case OMAPFB_SYNC_GFX: |
| 930 | DBG("ioctl SYNC_GFX\n"); |
| 931 | diff --git a/fs/block_dev.c b/fs/block_dev.c |
| 932 | index cb936c90ae82..8a894cd4875b 100644 |
| 933 | --- a/fs/block_dev.c |
| 934 | +++ b/fs/block_dev.c |
| 935 | @@ -114,6 +114,20 @@ void invalidate_bdev(struct block_device *bdev) |
| 936 | } |
| 937 | EXPORT_SYMBOL(invalidate_bdev); |
| 938 | |
| 939 | +static void set_init_blocksize(struct block_device *bdev) |
| 940 | +{ |
| 941 | + unsigned bsize = bdev_logical_block_size(bdev); |
| 942 | + loff_t size = i_size_read(bdev->bd_inode); |
| 943 | + |
| 944 | + while (bsize < PAGE_SIZE) { |
| 945 | + if (size & bsize) |
| 946 | + break; |
| 947 | + bsize <<= 1; |
| 948 | + } |
| 949 | + bdev->bd_block_size = bsize; |
| 950 | + bdev->bd_inode->i_blkbits = blksize_bits(bsize); |
| 951 | +} |
| 952 | + |
| 953 | int set_blocksize(struct block_device *bdev, int size) |
| 954 | { |
| 955 | /* Size must be a power of two, and between 512 and PAGE_SIZE */ |
| 956 | @@ -1209,18 +1223,9 @@ EXPORT_SYMBOL(check_disk_change); |
| 957 | |
| 958 | void bd_set_size(struct block_device *bdev, loff_t size) |
| 959 | { |
| 960 | - unsigned bsize = bdev_logical_block_size(bdev); |
| 961 | - |
| 962 | inode_lock(bdev->bd_inode); |
| 963 | i_size_write(bdev->bd_inode, size); |
| 964 | inode_unlock(bdev->bd_inode); |
| 965 | - while (bsize < PAGE_SIZE) { |
| 966 | - if (size & bsize) |
| 967 | - break; |
| 968 | - bsize <<= 1; |
| 969 | - } |
| 970 | - bdev->bd_block_size = bsize; |
| 971 | - bdev->bd_inode->i_blkbits = blksize_bits(bsize); |
| 972 | } |
| 973 | EXPORT_SYMBOL(bd_set_size); |
| 974 | |
| 975 | @@ -1297,8 +1302,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) |
| 976 | } |
| 977 | } |
| 978 | |
| 979 | - if (!ret) |
| 980 | + if (!ret) { |
| 981 | bd_set_size(bdev,(loff_t)get_capacity(disk)<<9); |
| 982 | + set_init_blocksize(bdev); |
| 983 | + } |
| 984 | |
| 985 | /* |
| 986 | * If the device is invalidated, rescan partition |
| 987 | @@ -1333,6 +1340,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) |
| 988 | goto out_clear; |
| 989 | } |
| 990 | bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9); |
| 991 | + set_init_blocksize(bdev); |
| 992 | } |
| 993 | } else { |
| 994 | if (bdev->bd_contains == bdev) { |
| 995 | diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c |
| 996 | index 77b32415d9f2..9d3352fe8dc9 100644 |
| 997 | --- a/fs/btrfs/disk-io.c |
| 998 | +++ b/fs/btrfs/disk-io.c |
| 999 | @@ -4193,6 +4193,14 @@ static void btrfs_destroy_all_ordered_extents(struct btrfs_fs_info *fs_info) |
| 1000 | spin_lock(&fs_info->ordered_root_lock); |
| 1001 | } |
| 1002 | spin_unlock(&fs_info->ordered_root_lock); |
| 1003 | + |
| 1004 | + /* |
| 1005 | + * We need this here because if we've been flipped read-only we won't |
| 1006 | + * get sync() from the umount, so we need to make sure any ordered |
| 1007 | + * extents that haven't had their dirty pages IO start writeout yet |
| 1008 | + * actually get run and error out properly. |
| 1009 | + */ |
| 1010 | + btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1); |
| 1011 | } |
| 1012 | |
| 1013 | static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, |
| 1014 | diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c |
| 1015 | index ab4cbb4be423..e59eeaf02eaa 100644 |
| 1016 | --- a/fs/f2fs/recovery.c |
| 1017 | +++ b/fs/f2fs/recovery.c |
| 1018 | @@ -196,32 +196,6 @@ static void recover_inode(struct inode *inode, struct page *page) |
| 1019 | ino_of_node(page), name); |
| 1020 | } |
| 1021 | |
| 1022 | -static bool is_same_inode(struct inode *inode, struct page *ipage) |
| 1023 | -{ |
| 1024 | - struct f2fs_inode *ri = F2FS_INODE(ipage); |
| 1025 | - struct timespec disk; |
| 1026 | - |
| 1027 | - if (!IS_INODE(ipage)) |
| 1028 | - return true; |
| 1029 | - |
| 1030 | - disk.tv_sec = le64_to_cpu(ri->i_ctime); |
| 1031 | - disk.tv_nsec = le32_to_cpu(ri->i_ctime_nsec); |
| 1032 | - if (timespec_compare(&inode->i_ctime, &disk) > 0) |
| 1033 | - return false; |
| 1034 | - |
| 1035 | - disk.tv_sec = le64_to_cpu(ri->i_atime); |
| 1036 | - disk.tv_nsec = le32_to_cpu(ri->i_atime_nsec); |
| 1037 | - if (timespec_compare(&inode->i_atime, &disk) > 0) |
| 1038 | - return false; |
| 1039 | - |
| 1040 | - disk.tv_sec = le64_to_cpu(ri->i_mtime); |
| 1041 | - disk.tv_nsec = le32_to_cpu(ri->i_mtime_nsec); |
| 1042 | - if (timespec_compare(&inode->i_mtime, &disk) > 0) |
| 1043 | - return false; |
| 1044 | - |
| 1045 | - return true; |
| 1046 | -} |
| 1047 | - |
| 1048 | static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head) |
| 1049 | { |
| 1050 | struct curseg_info *curseg; |
| 1051 | @@ -248,10 +222,7 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head) |
| 1052 | goto next; |
| 1053 | |
| 1054 | entry = get_fsync_inode(head, ino_of_node(page)); |
| 1055 | - if (entry) { |
| 1056 | - if (!is_same_inode(entry->inode, page)) |
| 1057 | - goto next; |
| 1058 | - } else { |
| 1059 | + if (!entry) { |
| 1060 | if (IS_INODE(page) && is_dent_dnode(page)) { |
| 1061 | err = recover_inode_page(sbi, page); |
| 1062 | if (err) |
| 1063 | diff --git a/fs/proc/array.c b/fs/proc/array.c |
| 1064 | index 94f83e74db24..712b44c63701 100644 |
| 1065 | --- a/fs/proc/array.c |
| 1066 | +++ b/fs/proc/array.c |
| 1067 | @@ -346,8 +346,9 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p) |
| 1068 | { |
| 1069 | #ifdef CONFIG_SECCOMP |
| 1070 | seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode); |
| 1071 | + seq_putc(m, '\n'); |
| 1072 | #endif |
| 1073 | - seq_printf(m, "\nSpeculation_Store_Bypass:\t"); |
| 1074 | + seq_printf(m, "Speculation_Store_Bypass:\t"); |
| 1075 | switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) { |
| 1076 | case -EINVAL: |
| 1077 | seq_printf(m, "unknown"); |
| 1078 | diff --git a/mm/memory.c b/mm/memory.c |
| 1079 | index f3fef1df7402..35d8217bb046 100644 |
| 1080 | --- a/mm/memory.c |
| 1081 | +++ b/mm/memory.c |
| 1082 | @@ -2823,6 +2823,28 @@ static int __do_fault(struct fault_env *fe, pgoff_t pgoff, |
| 1083 | struct vm_fault vmf; |
| 1084 | int ret; |
| 1085 | |
| 1086 | + /* |
| 1087 | + * Preallocate pte before we take page_lock because this might lead to |
| 1088 | + * deadlocks for memcg reclaim which waits for pages under writeback: |
| 1089 | + * lock_page(A) |
| 1090 | + * SetPageWriteback(A) |
| 1091 | + * unlock_page(A) |
| 1092 | + * lock_page(B) |
| 1093 | + * lock_page(B) |
| 1094 | + * pte_alloc_pne |
| 1095 | + * shrink_page_list |
| 1096 | + * wait_on_page_writeback(A) |
| 1097 | + * SetPageWriteback(B) |
| 1098 | + * unlock_page(B) |
| 1099 | + * # flush A, B to clear the writeback |
| 1100 | + */ |
| 1101 | + if (pmd_none(*fe->pmd) && !fe->prealloc_pte) { |
| 1102 | + fe->prealloc_pte = pte_alloc_one(vma->vm_mm, fe->address); |
| 1103 | + if (!fe->prealloc_pte) |
| 1104 | + return VM_FAULT_OOM; |
| 1105 | + smp_wmb(); /* See comment in __pte_alloc() */ |
| 1106 | + } |
| 1107 | + |
| 1108 | vmf.virtual_address = (void __user *)(fe->address & PAGE_MASK); |
| 1109 | vmf.pgoff = pgoff; |
| 1110 | vmf.flags = fe->flags; |
| 1111 | diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c |
| 1112 | index 82ce5713f744..7e42c0d1f55b 100644 |
| 1113 | --- a/net/bridge/br_netfilter_hooks.c |
| 1114 | +++ b/net/bridge/br_netfilter_hooks.c |
| 1115 | @@ -275,7 +275,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_ |
| 1116 | struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); |
| 1117 | int ret; |
| 1118 | |
| 1119 | - if (neigh->hh.hh_len) { |
| 1120 | + if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) { |
| 1121 | neigh_hh_bridge(&neigh->hh, skb); |
| 1122 | skb->dev = nf_bridge->physindev; |
| 1123 | ret = br_handle_frame_finish(net, sk, skb); |
| 1124 | diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c |
| 1125 | index 18c1f07e4f3b..c7e5aaf2eeb8 100644 |
| 1126 | --- a/net/bridge/netfilter/ebtables.c |
| 1127 | +++ b/net/bridge/netfilter/ebtables.c |
| 1128 | @@ -1147,14 +1147,16 @@ static int do_replace(struct net *net, const void __user *user, |
| 1129 | tmp.name[sizeof(tmp.name) - 1] = 0; |
| 1130 | |
| 1131 | countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; |
| 1132 | - newinfo = vmalloc(sizeof(*newinfo) + countersize); |
| 1133 | + newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT, |
| 1134 | + PAGE_KERNEL); |
| 1135 | if (!newinfo) |
| 1136 | return -ENOMEM; |
| 1137 | |
| 1138 | if (countersize) |
| 1139 | memset(newinfo->counters, 0, countersize); |
| 1140 | |
| 1141 | - newinfo->entries = vmalloc(tmp.entries_size); |
| 1142 | + newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT, |
| 1143 | + PAGE_KERNEL); |
| 1144 | if (!newinfo->entries) { |
| 1145 | ret = -ENOMEM; |
| 1146 | goto free_newinfo; |
| 1147 | diff --git a/net/can/gw.c b/net/can/gw.c |
| 1148 | index 77c8af4047ef..81650affa3fa 100644 |
| 1149 | --- a/net/can/gw.c |
| 1150 | +++ b/net/can/gw.c |
| 1151 | @@ -418,13 +418,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) |
| 1152 | while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx]) |
| 1153 | (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod); |
| 1154 | |
| 1155 | - /* check for checksum updates when the CAN frame has been modified */ |
| 1156 | + /* Has the CAN frame been modified? */ |
| 1157 | if (modidx) { |
| 1158 | - if (gwj->mod.csumfunc.crc8) |
| 1159 | + /* get available space for the processed CAN frame type */ |
| 1160 | + int max_len = nskb->len - offsetof(struct can_frame, data); |
| 1161 | + |
| 1162 | + /* dlc may have changed, make sure it fits to the CAN frame */ |
| 1163 | + if (cf->can_dlc > max_len) |
| 1164 | + goto out_delete; |
| 1165 | + |
| 1166 | + /* check for checksum updates in classic CAN length only */ |
| 1167 | + if (gwj->mod.csumfunc.crc8) { |
| 1168 | + if (cf->can_dlc > 8) |
| 1169 | + goto out_delete; |
| 1170 | + |
| 1171 | (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); |
| 1172 | + } |
| 1173 | + |
| 1174 | + if (gwj->mod.csumfunc.xor) { |
| 1175 | + if (cf->can_dlc > 8) |
| 1176 | + goto out_delete; |
| 1177 | |
| 1178 | - if (gwj->mod.csumfunc.xor) |
| 1179 | (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor); |
| 1180 | + } |
| 1181 | } |
| 1182 | |
| 1183 | /* clear the skb timestamp if not configured the other way */ |
| 1184 | @@ -436,6 +452,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) |
| 1185 | gwj->dropped_frames++; |
| 1186 | else |
| 1187 | gwj->handled_frames++; |
| 1188 | + |
| 1189 | + return; |
| 1190 | + |
| 1191 | + out_delete: |
| 1192 | + /* delete frame due to misconfiguration */ |
| 1193 | + gwj->deleted_frames++; |
| 1194 | + kfree_skb(nskb); |
| 1195 | + return; |
| 1196 | } |
| 1197 | |
| 1198 | static inline int cgw_register_filter(struct cgw_job *gwj) |
| 1199 | diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c |
| 1200 | index a5851c0bc278..e39895ea1b77 100644 |
| 1201 | --- a/net/ipv4/ip_sockglue.c |
| 1202 | +++ b/net/ipv4/ip_sockglue.c |
| 1203 | @@ -133,19 +133,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) |
| 1204 | |
| 1205 | static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) |
| 1206 | { |
| 1207 | + __be16 _ports[2], *ports; |
| 1208 | struct sockaddr_in sin; |
| 1209 | - __be16 *ports; |
| 1210 | - int end; |
| 1211 | - |
| 1212 | - end = skb_transport_offset(skb) + 4; |
| 1213 | - if (end > 0 && !pskb_may_pull(skb, end)) |
| 1214 | - return; |
| 1215 | |
| 1216 | /* All current transport protocols have the port numbers in the |
| 1217 | * first four bytes of the transport header and this function is |
| 1218 | * written with this assumption in mind. |
| 1219 | */ |
| 1220 | - ports = (__be16 *)skb_transport_header(skb); |
| 1221 | + ports = skb_header_pointer(skb, skb_transport_offset(skb), |
| 1222 | + sizeof(_ports), &_ports); |
| 1223 | + if (!ports) |
| 1224 | + return; |
| 1225 | |
| 1226 | sin.sin_family = AF_INET; |
| 1227 | sin.sin_addr.s_addr = ip_hdr(skb)->daddr; |
| 1228 | diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c |
| 1229 | index 2d3c8fe27583..956af11e9ba3 100644 |
| 1230 | --- a/net/ipv6/datagram.c |
| 1231 | +++ b/net/ipv6/datagram.c |
| 1232 | @@ -335,6 +335,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info) |
| 1233 | skb_reset_network_header(skb); |
| 1234 | iph = ipv6_hdr(skb); |
| 1235 | iph->daddr = fl6->daddr; |
| 1236 | + ip6_flow_hdr(iph, 0, 0); |
| 1237 | |
| 1238 | serr = SKB_EXT_ERR(skb); |
| 1239 | serr->ee.ee_errno = err; |
| 1240 | @@ -694,17 +695,15 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, |
| 1241 | } |
| 1242 | if (np->rxopt.bits.rxorigdstaddr) { |
| 1243 | struct sockaddr_in6 sin6; |
| 1244 | - __be16 *ports; |
| 1245 | - int end; |
| 1246 | + __be16 _ports[2], *ports; |
| 1247 | |
| 1248 | - end = skb_transport_offset(skb) + 4; |
| 1249 | - if (end <= 0 || pskb_may_pull(skb, end)) { |
| 1250 | + ports = skb_header_pointer(skb, skb_transport_offset(skb), |
| 1251 | + sizeof(_ports), &_ports); |
| 1252 | + if (ports) { |
| 1253 | /* All current transport protocols have the port numbers in the |
| 1254 | * first four bytes of the transport header and this function is |
| 1255 | * written with this assumption in mind. |
| 1256 | */ |
| 1257 | - ports = (__be16 *)skb_transport_header(skb); |
| 1258 | - |
| 1259 | sin6.sin6_family = AF_INET6; |
| 1260 | sin6.sin6_addr = ipv6_hdr(skb)->daddr; |
| 1261 | sin6.sin6_port = ports[1]; |
| 1262 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
| 1263 | index a9d0358d4f3b..82e222cd4845 100644 |
| 1264 | --- a/net/packet/af_packet.c |
| 1265 | +++ b/net/packet/af_packet.c |
| 1266 | @@ -2663,7 +2663,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) |
| 1267 | addr = saddr->sll_halen ? saddr->sll_addr : NULL; |
| 1268 | dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); |
| 1269 | if (addr && dev && saddr->sll_halen < dev->addr_len) |
| 1270 | - goto out; |
| 1271 | + goto out_put; |
| 1272 | } |
| 1273 | |
| 1274 | err = -ENXIO; |
| 1275 | @@ -2862,7 +2862,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) |
| 1276 | addr = saddr->sll_halen ? saddr->sll_addr : NULL; |
| 1277 | dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); |
| 1278 | if (addr && dev && saddr->sll_halen < dev->addr_len) |
| 1279 | - goto out; |
| 1280 | + goto out_unlock; |
| 1281 | } |
| 1282 | |
| 1283 | err = -ENXIO; |
| 1284 | diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c |
| 1285 | index e7866d47934d..31f461f955ec 100644 |
| 1286 | --- a/net/sctp/ipv6.c |
| 1287 | +++ b/net/sctp/ipv6.c |
| 1288 | @@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev, |
| 1289 | |
| 1290 | switch (ev) { |
| 1291 | case NETDEV_UP: |
| 1292 | - addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); |
| 1293 | + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); |
| 1294 | if (addr) { |
| 1295 | addr->a.v6.sin6_family = AF_INET6; |
| 1296 | - addr->a.v6.sin6_port = 0; |
| 1297 | - addr->a.v6.sin6_flowinfo = 0; |
| 1298 | addr->a.v6.sin6_addr = ifa->addr; |
| 1299 | addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; |
| 1300 | addr->valid = 1; |
| 1301 | @@ -413,7 +411,6 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist, |
| 1302 | addr = kzalloc(sizeof(*addr), GFP_ATOMIC); |
| 1303 | if (addr) { |
| 1304 | addr->a.v6.sin6_family = AF_INET6; |
| 1305 | - addr->a.v6.sin6_port = 0; |
| 1306 | addr->a.v6.sin6_addr = ifp->addr; |
| 1307 | addr->a.v6.sin6_scope_id = dev->ifindex; |
| 1308 | addr->valid = 1; |
| 1309 | diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c |
| 1310 | index fb7b7632316a..8ea8217db960 100644 |
| 1311 | --- a/net/sctp/protocol.c |
| 1312 | +++ b/net/sctp/protocol.c |
| 1313 | @@ -151,7 +151,6 @@ static void sctp_v4_copy_addrlist(struct list_head *addrlist, |
| 1314 | addr = kzalloc(sizeof(*addr), GFP_ATOMIC); |
| 1315 | if (addr) { |
| 1316 | addr->a.v4.sin_family = AF_INET; |
| 1317 | - addr->a.v4.sin_port = 0; |
| 1318 | addr->a.v4.sin_addr.s_addr = ifa->ifa_local; |
| 1319 | addr->valid = 1; |
| 1320 | INIT_LIST_HEAD(&addr->list); |
| 1321 | @@ -777,10 +776,9 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev, |
| 1322 | |
| 1323 | switch (ev) { |
| 1324 | case NETDEV_UP: |
| 1325 | - addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); |
| 1326 | + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); |
| 1327 | if (addr) { |
| 1328 | addr->a.v4.sin_family = AF_INET; |
| 1329 | - addr->a.v4.sin_port = 0; |
| 1330 | addr->a.v4.sin_addr.s_addr = ifa->ifa_local; |
| 1331 | addr->valid = 1; |
| 1332 | spin_lock_bh(&net->sctp.local_addr_lock); |
| 1333 | diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c |
| 1334 | index 5b30603596d0..eafc78e063f1 100644 |
| 1335 | --- a/net/sunrpc/rpcb_clnt.c |
| 1336 | +++ b/net/sunrpc/rpcb_clnt.c |
| 1337 | @@ -770,6 +770,12 @@ void rpcb_getport_async(struct rpc_task *task) |
| 1338 | case RPCBVERS_3: |
| 1339 | map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID]; |
| 1340 | map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC); |
| 1341 | + if (!map->r_addr) { |
| 1342 | + status = -ENOMEM; |
| 1343 | + dprintk("RPC: %5u %s: no memory available\n", |
| 1344 | + task->tk_pid, __func__); |
| 1345 | + goto bailout_free_args; |
| 1346 | + } |
| 1347 | map->r_owner = ""; |
| 1348 | break; |
| 1349 | case RPCBVERS_2: |
| 1350 | @@ -792,6 +798,8 @@ void rpcb_getport_async(struct rpc_task *task) |
| 1351 | rpc_put_task(child); |
| 1352 | return; |
| 1353 | |
| 1354 | +bailout_free_args: |
| 1355 | + kfree(map); |
| 1356 | bailout_release_client: |
| 1357 | rpc_release_client(rpcb_clnt); |
| 1358 | bailout_nofree: |
| 1359 | diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c |
| 1360 | index aedc476fac02..d947b8210399 100644 |
| 1361 | --- a/net/tipc/netlink_compat.c |
| 1362 | +++ b/net/tipc/netlink_compat.c |
| 1363 | @@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_buff *skb) |
| 1364 | return limit; |
| 1365 | } |
| 1366 | |
| 1367 | +static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv) |
| 1368 | +{ |
| 1369 | + return TLV_GET_LEN(tlv) - TLV_SPACE(0); |
| 1370 | +} |
| 1371 | + |
| 1372 | static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len) |
| 1373 | { |
| 1374 | struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb); |
| 1375 | @@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(char *str) |
| 1376 | return buf; |
| 1377 | } |
| 1378 | |
| 1379 | +static inline bool string_is_valid(char *s, int len) |
| 1380 | +{ |
| 1381 | + return memchr(s, '\0', len) ? true : false; |
| 1382 | +} |
| 1383 | + |
| 1384 | static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, |
| 1385 | struct tipc_nl_compat_msg *msg, |
| 1386 | struct sk_buff *arg) |
| 1387 | @@ -370,6 +380,7 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, |
| 1388 | struct nlattr *prop; |
| 1389 | struct nlattr *bearer; |
| 1390 | struct tipc_bearer_config *b; |
| 1391 | + int len; |
| 1392 | |
| 1393 | b = (struct tipc_bearer_config *)TLV_DATA(msg->req); |
| 1394 | |
| 1395 | @@ -377,6 +388,10 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, |
| 1396 | if (!bearer) |
| 1397 | return -EMSGSIZE; |
| 1398 | |
| 1399 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); |
| 1400 | + if (!string_is_valid(b->name, len)) |
| 1401 | + return -EINVAL; |
| 1402 | + |
| 1403 | if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name)) |
| 1404 | return -EMSGSIZE; |
| 1405 | |
| 1406 | @@ -402,6 +417,7 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd, |
| 1407 | { |
| 1408 | char *name; |
| 1409 | struct nlattr *bearer; |
| 1410 | + int len; |
| 1411 | |
| 1412 | name = (char *)TLV_DATA(msg->req); |
| 1413 | |
| 1414 | @@ -409,6 +425,10 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd, |
| 1415 | if (!bearer) |
| 1416 | return -EMSGSIZE; |
| 1417 | |
| 1418 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); |
| 1419 | + if (!string_is_valid(name, len)) |
| 1420 | + return -EINVAL; |
| 1421 | + |
| 1422 | if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name)) |
| 1423 | return -EMSGSIZE; |
| 1424 | |
| 1425 | @@ -469,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, |
| 1426 | struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; |
| 1427 | struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; |
| 1428 | int err; |
| 1429 | + int len; |
| 1430 | |
| 1431 | if (!attrs[TIPC_NLA_LINK]) |
| 1432 | return -EINVAL; |
| 1433 | @@ -495,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, |
| 1434 | return err; |
| 1435 | |
| 1436 | name = (char *)TLV_DATA(msg->req); |
| 1437 | + |
| 1438 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); |
| 1439 | + if (!string_is_valid(name, len)) |
| 1440 | + return -EINVAL; |
| 1441 | + |
| 1442 | if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) |
| 1443 | return 0; |
| 1444 | |
| 1445 | @@ -635,6 +661,7 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb, |
| 1446 | struct nlattr *prop; |
| 1447 | struct nlattr *media; |
| 1448 | struct tipc_link_config *lc; |
| 1449 | + int len; |
| 1450 | |
| 1451 | lc = (struct tipc_link_config *)TLV_DATA(msg->req); |
| 1452 | |
| 1453 | @@ -642,6 +669,10 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb, |
| 1454 | if (!media) |
| 1455 | return -EMSGSIZE; |
| 1456 | |
| 1457 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); |
| 1458 | + if (!string_is_valid(lc->name, len)) |
| 1459 | + return -EINVAL; |
| 1460 | + |
| 1461 | if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name)) |
| 1462 | return -EMSGSIZE; |
| 1463 | |
| 1464 | @@ -662,6 +693,7 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb, |
| 1465 | struct nlattr *prop; |
| 1466 | struct nlattr *bearer; |
| 1467 | struct tipc_link_config *lc; |
| 1468 | + int len; |
| 1469 | |
| 1470 | lc = (struct tipc_link_config *)TLV_DATA(msg->req); |
| 1471 | |
| 1472 | @@ -669,6 +701,10 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb, |
| 1473 | if (!bearer) |
| 1474 | return -EMSGSIZE; |
| 1475 | |
| 1476 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); |
| 1477 | + if (!string_is_valid(lc->name, len)) |
| 1478 | + return -EINVAL; |
| 1479 | + |
| 1480 | if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name)) |
| 1481 | return -EMSGSIZE; |
| 1482 | |
| 1483 | @@ -717,9 +753,14 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, |
| 1484 | struct tipc_link_config *lc; |
| 1485 | struct tipc_bearer *bearer; |
| 1486 | struct tipc_media *media; |
| 1487 | + int len; |
| 1488 | |
| 1489 | lc = (struct tipc_link_config *)TLV_DATA(msg->req); |
| 1490 | |
| 1491 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); |
| 1492 | + if (!string_is_valid(lc->name, len)) |
| 1493 | + return -EINVAL; |
| 1494 | + |
| 1495 | media = tipc_media_find(lc->name); |
| 1496 | if (media) { |
| 1497 | cmd->doit = &tipc_nl_media_set; |
| 1498 | @@ -741,6 +782,7 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd, |
| 1499 | { |
| 1500 | char *name; |
| 1501 | struct nlattr *link; |
| 1502 | + int len; |
| 1503 | |
| 1504 | name = (char *)TLV_DATA(msg->req); |
| 1505 | |
| 1506 | @@ -748,6 +790,10 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd, |
| 1507 | if (!link) |
| 1508 | return -EMSGSIZE; |
| 1509 | |
| 1510 | + len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); |
| 1511 | + if (!string_is_valid(name, len)) |
| 1512 | + return -EINVAL; |
| 1513 | + |
| 1514 | if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name)) |
| 1515 | return -EMSGSIZE; |
| 1516 | |
| 1517 | @@ -769,6 +815,8 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) |
| 1518 | }; |
| 1519 | |
| 1520 | ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req); |
| 1521 | + if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query)) |
| 1522 | + return -EINVAL; |
| 1523 | |
| 1524 | depth = ntohl(ntq->depth); |
| 1525 | |
| 1526 | @@ -1192,7 +1240,7 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info) |
| 1527 | } |
| 1528 | |
| 1529 | len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN); |
| 1530 | - if (len && !TLV_OK(msg.req, len)) { |
| 1531 | + if (!len || !TLV_OK(msg.req, len)) { |
| 1532 | msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED); |
| 1533 | err = -EOPNOTSUPP; |
| 1534 | goto send; |
| 1535 | diff --git a/security/security.c b/security/security.c |
| 1536 | index f825304f04a7..112df16be770 100644 |
| 1537 | --- a/security/security.c |
| 1538 | +++ b/security/security.c |
| 1539 | @@ -904,6 +904,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) |
| 1540 | |
| 1541 | void security_cred_free(struct cred *cred) |
| 1542 | { |
| 1543 | + /* |
| 1544 | + * There is a failure case in prepare_creds() that |
| 1545 | + * may result in a call here with ->security being NULL. |
| 1546 | + */ |
| 1547 | + if (unlikely(cred->security == NULL)) |
| 1548 | + return; |
| 1549 | + |
| 1550 | call_void_hook(cred_free, cred); |
| 1551 | } |
| 1552 | |
| 1553 | diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c |
| 1554 | index 175e4dce58df..c483de590ba3 100644 |
| 1555 | --- a/security/selinux/ss/policydb.c |
| 1556 | +++ b/security/selinux/ss/policydb.c |
| 1557 | @@ -726,7 +726,8 @@ static int sens_destroy(void *key, void *datum, void *p) |
| 1558 | kfree(key); |
| 1559 | if (datum) { |
| 1560 | levdatum = datum; |
| 1561 | - ebitmap_destroy(&levdatum->level->cat); |
| 1562 | + if (levdatum->level) |
| 1563 | + ebitmap_destroy(&levdatum->level->cat); |
| 1564 | kfree(levdatum->level); |
| 1565 | } |
| 1566 | kfree(datum); |
| 1567 | diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c |
| 1568 | index 0309f2111c70..5367f854fadc 100644 |
| 1569 | --- a/security/yama/yama_lsm.c |
| 1570 | +++ b/security/yama/yama_lsm.c |
| 1571 | @@ -359,7 +359,9 @@ static int yama_ptrace_access_check(struct task_struct *child, |
| 1572 | break; |
| 1573 | case YAMA_SCOPE_RELATIONAL: |
| 1574 | rcu_read_lock(); |
| 1575 | - if (!task_is_descendant(current, child) && |
| 1576 | + if (!pid_alive(child)) |
| 1577 | + rc = -EPERM; |
| 1578 | + if (!rc && !task_is_descendant(current, child) && |
| 1579 | !ptracer_exception_found(current, child) && |
| 1580 | !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) |
| 1581 | rc = -EPERM; |