Annotation of /trunk/kernel-alx/patches-4.9/0287-4.9.188-all-fixes.patch
Parent Directory | Revision Log
Revision 3562 -
(hide annotations)
(download)
Thu Aug 13 10:21:06 2020 UTC (4 years, 1 month ago) by niro
File size: 41514 byte(s)
Thu Aug 13 10:21:06 2020 UTC (4 years, 1 month ago) by niro
File size: 41514 byte(s)
linux-188
1 | niro | 3562 | diff --git a/Makefile b/Makefile |
2 | index 65ed5dc69ec9..b6b54e6f67e8 100644 | ||
3 | --- a/Makefile | ||
4 | +++ b/Makefile | ||
5 | @@ -1,6 +1,6 @@ | ||
6 | VERSION = 4 | ||
7 | PATCHLEVEL = 9 | ||
8 | -SUBLEVEL = 187 | ||
9 | +SUBLEVEL = 188 | ||
10 | EXTRAVERSION = | ||
11 | NAME = Roaring Lionus | ||
12 | |||
13 | @@ -400,6 +400,7 @@ KBUILD_AFLAGS_MODULE := -DMODULE | ||
14 | KBUILD_CFLAGS_MODULE := -DMODULE | ||
15 | KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds | ||
16 | GCC_PLUGINS_CFLAGS := | ||
17 | +CLANG_FLAGS := | ||
18 | |||
19 | # Read KERNELRELEASE from include/config/kernel.release (if it exists) | ||
20 | KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null) | ||
21 | @@ -506,7 +507,7 @@ endif | ||
22 | |||
23 | ifeq ($(cc-name),clang) | ||
24 | ifneq ($(CROSS_COMPILE),) | ||
25 | -CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%)) | ||
26 | +CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) | ||
27 | GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) | ||
28 | CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR) | ||
29 | GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) | ||
30 | diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts | ||
31 | index f36f6f459225..365382ab9ebd 100644 | ||
32 | --- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts | ||
33 | +++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts | ||
34 | @@ -161,10 +161,6 @@ | ||
35 | }; | ||
36 | }; | ||
37 | |||
38 | -&emmc { | ||
39 | - /delete-property/mmc-hs200-1_8v; | ||
40 | -}; | ||
41 | - | ||
42 | &i2c2 { | ||
43 | status = "disabled"; | ||
44 | }; | ||
45 | diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts | ||
46 | index f72d616d1bf8..9647d9b6b299 100644 | ||
47 | --- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts | ||
48 | +++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts | ||
49 | @@ -125,10 +125,6 @@ | ||
50 | power-supply = <&backlight_regulator>; | ||
51 | }; | ||
52 | |||
53 | -&emmc { | ||
54 | - /delete-property/mmc-hs200-1_8v; | ||
55 | -}; | ||
56 | - | ||
57 | &gpio_keys { | ||
58 | pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>; | ||
59 | |||
60 | diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi | ||
61 | index 17ec2e2d7a60..30f1384f619b 100644 | ||
62 | --- a/arch/arm/boot/dts/rk3288.dtsi | ||
63 | +++ b/arch/arm/boot/dts/rk3288.dtsi | ||
64 | @@ -210,6 +210,7 @@ | ||
65 | <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>, | ||
66 | <GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>; | ||
67 | clock-frequency = <24000000>; | ||
68 | + arm,no-tick-in-suspend; | ||
69 | }; | ||
70 | |||
71 | timer: timer@ff810000 { | ||
72 | diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c | ||
73 | index 6d3517dc4772..82aac38fa2cf 100644 | ||
74 | --- a/arch/arm/mach-rpc/dma.c | ||
75 | +++ b/arch/arm/mach-rpc/dma.c | ||
76 | @@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id) | ||
77 | } while (1); | ||
78 | |||
79 | idma->state = ~DMA_ST_AB; | ||
80 | - disable_irq(irq); | ||
81 | + disable_irq_nosync(irq); | ||
82 | |||
83 | return IRQ_HANDLED; | ||
84 | } | ||
85 | @@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma) | ||
86 | DMA_FROM_DEVICE : DMA_TO_DEVICE); | ||
87 | } | ||
88 | |||
89 | + idma->dma_addr = idma->dma.sg->dma_address; | ||
90 | + idma->dma_len = idma->dma.sg->length; | ||
91 | + | ||
92 | iomd_writeb(DMA_CR_C, dma_base + CR); | ||
93 | idma->state = DMA_ST_AB; | ||
94 | } | ||
95 | diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c | ||
96 | index 8ac0e5994ed2..7c6f75c2aa4d 100644 | ||
97 | --- a/arch/mips/lantiq/irq.c | ||
98 | +++ b/arch/mips/lantiq/irq.c | ||
99 | @@ -160,8 +160,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type) | ||
100 | if (edge) | ||
101 | irq_set_handler(d->hwirq, handle_edge_irq); | ||
102 | |||
103 | - ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) | | ||
104 | - (val << (i * 4)), LTQ_EIU_EXIN_C); | ||
105 | + ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) & | ||
106 | + (~(7 << (i * 4)))) | (val << (i * 4)), | ||
107 | + LTQ_EIU_EXIN_C); | ||
108 | } | ||
109 | } | ||
110 | |||
111 | diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c | ||
112 | index d86e68d3c794..1912b2671f10 100644 | ||
113 | --- a/arch/x86/boot/compressed/misc.c | ||
114 | +++ b/arch/x86/boot/compressed/misc.c | ||
115 | @@ -15,6 +15,7 @@ | ||
116 | #include "error.h" | ||
117 | #include "../string.h" | ||
118 | #include "../voffset.h" | ||
119 | +#include <asm/bootparam_utils.h> | ||
120 | |||
121 | /* | ||
122 | * WARNING!! | ||
123 | diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h | ||
124 | index 2728e1b7e4a6..a8789aa647b4 100644 | ||
125 | --- a/arch/x86/boot/compressed/misc.h | ||
126 | +++ b/arch/x86/boot/compressed/misc.h | ||
127 | @@ -19,7 +19,6 @@ | ||
128 | #include <asm/page.h> | ||
129 | #include <asm/boot.h> | ||
130 | #include <asm/bootparam.h> | ||
131 | -#include <asm/bootparam_utils.h> | ||
132 | |||
133 | #define BOOT_BOOT_H | ||
134 | #include "../ctype.h" | ||
135 | diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h | ||
136 | index 2188b5af8167..f39fd349cef6 100644 | ||
137 | --- a/arch/x86/include/asm/apic.h | ||
138 | +++ b/arch/x86/include/asm/apic.h | ||
139 | @@ -50,7 +50,7 @@ static inline void generic_apic_probe(void) | ||
140 | |||
141 | #ifdef CONFIG_X86_LOCAL_APIC | ||
142 | |||
143 | -extern unsigned int apic_verbosity; | ||
144 | +extern int apic_verbosity; | ||
145 | extern int local_apic_timer_c2_ok; | ||
146 | |||
147 | extern int disable_apic; | ||
148 | diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h | ||
149 | index 83b5b2990b49..222cb69e1219 100644 | ||
150 | --- a/arch/x86/include/asm/kvm_host.h | ||
151 | +++ b/arch/x86/include/asm/kvm_host.h | ||
152 | @@ -1309,25 +1309,29 @@ enum { | ||
153 | #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0) | ||
154 | #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm) | ||
155 | |||
156 | +asmlinkage void __noreturn kvm_spurious_fault(void); | ||
157 | + | ||
158 | /* | ||
159 | * Hardware virtualization extension instructions may fault if a | ||
160 | * reboot turns off virtualization while processes are running. | ||
161 | - * Trap the fault and ignore the instruction if that happens. | ||
162 | + * Usually after catching the fault we just panic; during reboot | ||
163 | + * instead the instruction is ignored. | ||
164 | */ | ||
165 | -asmlinkage void kvm_spurious_fault(void); | ||
166 | - | ||
167 | -#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ | ||
168 | - "666: " insn "\n\t" \ | ||
169 | - "668: \n\t" \ | ||
170 | - ".pushsection .fixup, \"ax\" \n" \ | ||
171 | - "667: \n\t" \ | ||
172 | - cleanup_insn "\n\t" \ | ||
173 | - "cmpb $0, kvm_rebooting \n\t" \ | ||
174 | - "jne 668b \n\t" \ | ||
175 | - __ASM_SIZE(push) " $666b \n\t" \ | ||
176 | - "jmp kvm_spurious_fault \n\t" \ | ||
177 | - ".popsection \n\t" \ | ||
178 | - _ASM_EXTABLE(666b, 667b) | ||
179 | +#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ | ||
180 | + "666: \n\t" \ | ||
181 | + insn "\n\t" \ | ||
182 | + "jmp 668f \n\t" \ | ||
183 | + "667: \n\t" \ | ||
184 | + "call kvm_spurious_fault \n\t" \ | ||
185 | + "668: \n\t" \ | ||
186 | + ".pushsection .fixup, \"ax\" \n\t" \ | ||
187 | + "700: \n\t" \ | ||
188 | + cleanup_insn "\n\t" \ | ||
189 | + "cmpb $0, kvm_rebooting\n\t" \ | ||
190 | + "je 667b \n\t" \ | ||
191 | + "jmp 668b \n\t" \ | ||
192 | + ".popsection \n\t" \ | ||
193 | + _ASM_EXTABLE(666b, 700b) | ||
194 | |||
195 | #define __kvm_handle_fault_on_reboot(insn) \ | ||
196 | ____kvm_handle_fault_on_reboot(insn, "") | ||
197 | diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c | ||
198 | index 4f2af1ee09cb..cc9a6f680225 100644 | ||
199 | --- a/arch/x86/kernel/apic/apic.c | ||
200 | +++ b/arch/x86/kernel/apic/apic.c | ||
201 | @@ -183,7 +183,7 @@ int first_system_vector = FIRST_SYSTEM_VECTOR; | ||
202 | /* | ||
203 | * Debug level, exported for io_apic.c | ||
204 | */ | ||
205 | -unsigned int apic_verbosity; | ||
206 | +int apic_verbosity; | ||
207 | |||
208 | int pic_mode; | ||
209 | |||
210 | diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h | ||
211 | index afbc4d805d66..df5aee5402c4 100644 | ||
212 | --- a/arch/x86/math-emu/fpu_emu.h | ||
213 | +++ b/arch/x86/math-emu/fpu_emu.h | ||
214 | @@ -176,7 +176,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y) | ||
215 | #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \ | ||
216 | ((y) + EXTENDED_Ebias) & 0x7fff; } | ||
217 | #define exponent16(x) (*(short *)&((x)->exp)) | ||
218 | -#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } | ||
219 | +#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); } | ||
220 | #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); } | ||
221 | #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; } | ||
222 | |||
223 | diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c | ||
224 | index 00548354912f..382093c5072b 100644 | ||
225 | --- a/arch/x86/math-emu/reg_constant.c | ||
226 | +++ b/arch/x86/math-emu/reg_constant.c | ||
227 | @@ -17,7 +17,7 @@ | ||
228 | #include "control_w.h" | ||
229 | |||
230 | #define MAKE_REG(s, e, l, h) { l, h, \ | ||
231 | - ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } | ||
232 | + (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } | ||
233 | |||
234 | FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000); | ||
235 | #if 0 | ||
236 | diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c | ||
237 | index 1680768d392c..d7db45bdfb3b 100644 | ||
238 | --- a/arch/x86/mm/gup.c | ||
239 | +++ b/arch/x86/mm/gup.c | ||
240 | @@ -97,6 +97,20 @@ static inline int pte_allows_gup(unsigned long pteval, int write) | ||
241 | return 1; | ||
242 | } | ||
243 | |||
244 | +/* | ||
245 | + * Return the compund head page with ref appropriately incremented, | ||
246 | + * or NULL if that failed. | ||
247 | + */ | ||
248 | +static inline struct page *try_get_compound_head(struct page *page, int refs) | ||
249 | +{ | ||
250 | + struct page *head = compound_head(page); | ||
251 | + if (WARN_ON_ONCE(page_ref_count(head) < 0)) | ||
252 | + return NULL; | ||
253 | + if (unlikely(!page_cache_add_speculative(head, refs))) | ||
254 | + return NULL; | ||
255 | + return head; | ||
256 | +} | ||
257 | + | ||
258 | /* | ||
259 | * The performance critical leaf functions are made noinline otherwise gcc | ||
260 | * inlines everything into a single function which results in too much | ||
261 | @@ -112,7 +126,7 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr, | ||
262 | ptep = pte_offset_map(&pmd, addr); | ||
263 | do { | ||
264 | pte_t pte = gup_get_pte(ptep); | ||
265 | - struct page *page; | ||
266 | + struct page *head, *page; | ||
267 | |||
268 | /* Similar to the PMD case, NUMA hinting must take slow path */ | ||
269 | if (pte_protnone(pte)) { | ||
270 | @@ -138,7 +152,21 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr, | ||
271 | } | ||
272 | VM_BUG_ON(!pfn_valid(pte_pfn(pte))); | ||
273 | page = pte_page(pte); | ||
274 | - get_page(page); | ||
275 | + | ||
276 | + head = try_get_compound_head(page, 1); | ||
277 | + if (!head) { | ||
278 | + put_dev_pagemap(pgmap); | ||
279 | + pte_unmap(ptep); | ||
280 | + return 0; | ||
281 | + } | ||
282 | + | ||
283 | + if (unlikely(pte_val(pte) != pte_val(*ptep))) { | ||
284 | + put_page(head); | ||
285 | + put_dev_pagemap(pgmap); | ||
286 | + pte_unmap(ptep); | ||
287 | + return 0; | ||
288 | + } | ||
289 | + | ||
290 | put_dev_pagemap(pgmap); | ||
291 | SetPageReferenced(page); | ||
292 | pages[*nr] = page; | ||
293 | diff --git a/drivers/android/binder.c b/drivers/android/binder.c | ||
294 | index 29632a6dd1c6..8056759073b0 100644 | ||
295 | --- a/drivers/android/binder.c | ||
296 | +++ b/drivers/android/binder.c | ||
297 | @@ -581,6 +581,12 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, | ||
298 | |||
299 | if (mm) { | ||
300 | down_write(&mm->mmap_sem); | ||
301 | + if (!mmget_still_valid(mm)) { | ||
302 | + if (allocate == 0) | ||
303 | + goto free_range; | ||
304 | + goto err_no_vma; | ||
305 | + } | ||
306 | + | ||
307 | vma = proc->vma; | ||
308 | if (vma && mm != proc->vma_vm_mm) { | ||
309 | pr_err("%d: vma mm and task mm mismatch\n", | ||
310 | diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c | ||
311 | index f37a6ef4f544..e4fe24be3d7a 100644 | ||
312 | --- a/drivers/dma/sh/rcar-dmac.c | ||
313 | +++ b/drivers/dma/sh/rcar-dmac.c | ||
314 | @@ -1111,7 +1111,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, | ||
315 | struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan); | ||
316 | |||
317 | /* Someone calling slave DMA on a generic channel? */ | ||
318 | - if (rchan->mid_rid < 0 || !sg_len) { | ||
319 | + if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) { | ||
320 | dev_warn(chan->device->dev, | ||
321 | "%s: bad parameter: len=%d, id=%d\n", | ||
322 | __func__, sg_len, rchan->mid_rid); | ||
323 | diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c | ||
324 | index a3251faa3ed8..d3675819f561 100644 | ||
325 | --- a/drivers/gpio/gpiolib.c | ||
326 | +++ b/drivers/gpio/gpiolib.c | ||
327 | @@ -817,9 +817,11 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) | ||
328 | } | ||
329 | |||
330 | if (eflags & GPIOEVENT_REQUEST_RISING_EDGE) | ||
331 | - irqflags |= IRQF_TRIGGER_RISING; | ||
332 | + irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ? | ||
333 | + IRQF_TRIGGER_FALLING : IRQF_TRIGGER_RISING; | ||
334 | if (eflags & GPIOEVENT_REQUEST_FALLING_EDGE) | ||
335 | - irqflags |= IRQF_TRIGGER_FALLING; | ||
336 | + irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ? | ||
337 | + IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING; | ||
338 | irqflags |= IRQF_ONESHOT; | ||
339 | irqflags |= IRQF_SHARED; | ||
340 | |||
341 | diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c | ||
342 | index 8d59a5905ee8..7ccf7225f75a 100644 | ||
343 | --- a/drivers/infiniband/hw/mlx4/main.c | ||
344 | +++ b/drivers/infiniband/hw/mlx4/main.c | ||
345 | @@ -1172,6 +1172,8 @@ static void mlx4_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) | ||
346 | * mlx4_ib_vma_close(). | ||
347 | */ | ||
348 | down_write(&owning_mm->mmap_sem); | ||
349 | + if (!mmget_still_valid(owning_mm)) | ||
350 | + goto skip_mm; | ||
351 | for (i = 0; i < HW_BAR_COUNT; i++) { | ||
352 | vma = context->hw_bar_info[i].vma; | ||
353 | if (!vma) | ||
354 | @@ -1190,7 +1192,7 @@ static void mlx4_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) | ||
355 | /* context going to be destroyed, should not access ops any more */ | ||
356 | context->hw_bar_info[i].vma->vm_ops = NULL; | ||
357 | } | ||
358 | - | ||
359 | +skip_mm: | ||
360 | up_write(&owning_mm->mmap_sem); | ||
361 | mmput(owning_mm); | ||
362 | put_task_struct(owning_process); | ||
363 | diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c | ||
364 | index b1daf5c16117..f94df0e6a0f2 100644 | ||
365 | --- a/drivers/infiniband/hw/mlx5/main.c | ||
366 | +++ b/drivers/infiniband/hw/mlx5/main.c | ||
367 | @@ -1307,6 +1307,8 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) | ||
368 | * mlx5_ib_vma_close. | ||
369 | */ | ||
370 | down_write(&owning_mm->mmap_sem); | ||
371 | + if (!mmget_still_valid(owning_mm)) | ||
372 | + goto skip_mm; | ||
373 | list_for_each_entry_safe(vma_private, n, &context->vma_private_list, | ||
374 | list) { | ||
375 | vma = vma_private->vma; | ||
376 | @@ -1321,6 +1323,7 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) | ||
377 | list_del(&vma_private->list); | ||
378 | kfree(vma_private); | ||
379 | } | ||
380 | +skip_mm: | ||
381 | up_write(&owning_mm->mmap_sem); | ||
382 | mmput(owning_mm); | ||
383 | put_task_struct(owning_process); | ||
384 | diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c | ||
385 | index f89489b28575..a7bc89f5dae7 100644 | ||
386 | --- a/drivers/infiniband/hw/mlx5/qp.c | ||
387 | +++ b/drivers/infiniband/hw/mlx5/qp.c | ||
388 | @@ -1421,7 +1421,6 @@ static int create_rss_raw_qp_tir(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp, | ||
389 | } | ||
390 | |||
391 | MLX5_SET(tirc, tirc, rx_hash_fn, MLX5_RX_HASH_FN_TOEPLITZ); | ||
392 | - MLX5_SET(tirc, tirc, rx_hash_symmetric, 1); | ||
393 | memcpy(rss_key, ucmd.rx_hash_key, len); | ||
394 | break; | ||
395 | } | ||
396 | diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c | ||
397 | index a37b9b6a315a..2eef811764ad 100644 | ||
398 | --- a/drivers/misc/eeprom/at24.c | ||
399 | +++ b/drivers/misc/eeprom/at24.c | ||
400 | @@ -777,7 +777,7 @@ static int at24_probe(struct i2c_client *client, const struct i2c_device_id *id) | ||
401 | at24->nvmem_config.name = dev_name(&client->dev); | ||
402 | at24->nvmem_config.dev = &client->dev; | ||
403 | at24->nvmem_config.read_only = !writable; | ||
404 | - at24->nvmem_config.root_only = true; | ||
405 | + at24->nvmem_config.root_only = !(chip.flags & AT24_FLAG_IRUGO); | ||
406 | at24->nvmem_config.owner = THIS_MODULE; | ||
407 | at24->nvmem_config.compat = true; | ||
408 | at24->nvmem_config.base_dev = &client->dev; | ||
409 | diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c | ||
410 | index e10a00d0d44d..d9c7fd0cabaf 100644 | ||
411 | --- a/drivers/mmc/host/dw_mmc.c | ||
412 | +++ b/drivers/mmc/host/dw_mmc.c | ||
413 | @@ -1864,8 +1864,7 @@ static void dw_mci_tasklet_func(unsigned long priv) | ||
414 | * delayed. Allowing the transfer to take place | ||
415 | * avoids races and keeps things simple. | ||
416 | */ | ||
417 | - if ((err != -ETIMEDOUT) && | ||
418 | - (cmd->opcode == MMC_SEND_TUNING_BLOCK)) { | ||
419 | + if (err != -ETIMEDOUT) { | ||
420 | state = STATE_SENDING_DATA; | ||
421 | continue; | ||
422 | } | ||
423 | diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c | ||
424 | index b2eeecb26939..289560b0f643 100644 | ||
425 | --- a/drivers/net/ethernet/emulex/benet/be_main.c | ||
426 | +++ b/drivers/net/ethernet/emulex/benet/be_main.c | ||
427 | @@ -4701,8 +4701,12 @@ int be_update_queues(struct be_adapter *adapter) | ||
428 | struct net_device *netdev = adapter->netdev; | ||
429 | int status; | ||
430 | |||
431 | - if (netif_running(netdev)) | ||
432 | + if (netif_running(netdev)) { | ||
433 | + /* device cannot transmit now, avoid dev_watchdog timeouts */ | ||
434 | + netif_carrier_off(netdev); | ||
435 | + | ||
436 | be_close(netdev); | ||
437 | + } | ||
438 | |||
439 | be_cancel_worker(adapter); | ||
440 | |||
441 | diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c | ||
442 | index af82edc7fa5c..9b899af86cd5 100644 | ||
443 | --- a/drivers/perf/arm_pmu.c | ||
444 | +++ b/drivers/perf/arm_pmu.c | ||
445 | @@ -804,8 +804,8 @@ static int cpu_pm_pmu_notify(struct notifier_block *b, unsigned long cmd, | ||
446 | cpu_pm_pmu_setup(armpmu, cmd); | ||
447 | break; | ||
448 | case CPU_PM_EXIT: | ||
449 | - cpu_pm_pmu_setup(armpmu, cmd); | ||
450 | case CPU_PM_ENTER_FAILED: | ||
451 | + cpu_pm_pmu_setup(armpmu, cmd); | ||
452 | armpmu->start(armpmu); | ||
453 | break; | ||
454 | default: | ||
455 | diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c | ||
456 | index f32fc704cb7e..28c45db45aba 100644 | ||
457 | --- a/drivers/rapidio/devices/rio_mport_cdev.c | ||
458 | +++ b/drivers/rapidio/devices/rio_mport_cdev.c | ||
459 | @@ -1743,6 +1743,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, | ||
460 | |||
461 | if (copy_from_user(&dev_info, arg, sizeof(dev_info))) | ||
462 | return -EFAULT; | ||
463 | + dev_info.name[sizeof(dev_info.name) - 1] = '\0'; | ||
464 | |||
465 | rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, | ||
466 | dev_info.comptag, dev_info.destid, dev_info.hopcount); | ||
467 | @@ -1874,6 +1875,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg) | ||
468 | |||
469 | if (copy_from_user(&dev_info, arg, sizeof(dev_info))) | ||
470 | return -EFAULT; | ||
471 | + dev_info.name[sizeof(dev_info.name) - 1] = '\0'; | ||
472 | |||
473 | mport = priv->md->mport; | ||
474 | |||
475 | diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c | ||
476 | index e453d2a7d7f9..f40d606f86c9 100644 | ||
477 | --- a/drivers/s390/block/dasd_alias.c | ||
478 | +++ b/drivers/s390/block/dasd_alias.c | ||
479 | @@ -382,6 +382,20 @@ suborder_not_supported(struct dasd_ccw_req *cqr) | ||
480 | char msg_format; | ||
481 | char msg_no; | ||
482 | |||
483 | + /* | ||
484 | + * intrc values ENODEV, ENOLINK and EPERM | ||
485 | + * will be optained from sleep_on to indicate that no | ||
486 | + * IO operation can be started | ||
487 | + */ | ||
488 | + if (cqr->intrc == -ENODEV) | ||
489 | + return 1; | ||
490 | + | ||
491 | + if (cqr->intrc == -ENOLINK) | ||
492 | + return 1; | ||
493 | + | ||
494 | + if (cqr->intrc == -EPERM) | ||
495 | + return 1; | ||
496 | + | ||
497 | sense = dasd_get_sense(&cqr->irb); | ||
498 | if (!sense) | ||
499 | return 0; | ||
500 | @@ -446,12 +460,8 @@ static int read_unit_address_configuration(struct dasd_device *device, | ||
501 | lcu->flags &= ~NEED_UAC_UPDATE; | ||
502 | spin_unlock_irqrestore(&lcu->lock, flags); | ||
503 | |||
504 | - do { | ||
505 | - rc = dasd_sleep_on(cqr); | ||
506 | - if (rc && suborder_not_supported(cqr)) | ||
507 | - return -EOPNOTSUPP; | ||
508 | - } while (rc && (cqr->retries > 0)); | ||
509 | - if (rc) { | ||
510 | + rc = dasd_sleep_on(cqr); | ||
511 | + if (rc && !suborder_not_supported(cqr)) { | ||
512 | spin_lock_irqsave(&lcu->lock, flags); | ||
513 | lcu->flags |= NEED_UAC_UPDATE; | ||
514 | spin_unlock_irqrestore(&lcu->lock, flags); | ||
515 | diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c | ||
516 | index abe460eac712..cc62d8cc8cfd 100644 | ||
517 | --- a/drivers/s390/scsi/zfcp_erp.c | ||
518 | +++ b/drivers/s390/scsi/zfcp_erp.c | ||
519 | @@ -10,6 +10,7 @@ | ||
520 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | ||
521 | |||
522 | #include <linux/kthread.h> | ||
523 | +#include <linux/bug.h> | ||
524 | #include "zfcp_ext.h" | ||
525 | #include "zfcp_reqlist.h" | ||
526 | |||
527 | @@ -244,6 +245,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status, | ||
528 | struct zfcp_erp_action *erp_action; | ||
529 | struct zfcp_scsi_dev *zfcp_sdev; | ||
530 | |||
531 | + if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN && | ||
532 | + need != ZFCP_ERP_ACTION_REOPEN_PORT && | ||
533 | + need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED && | ||
534 | + need != ZFCP_ERP_ACTION_REOPEN_ADAPTER)) | ||
535 | + return NULL; | ||
536 | + | ||
537 | switch (need) { | ||
538 | case ZFCP_ERP_ACTION_REOPEN_LUN: | ||
539 | zfcp_sdev = sdev_to_zfcp(sdev); | ||
540 | diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c | ||
541 | index 5d04b362837d..9fdb39f377db 100644 | ||
542 | --- a/drivers/xen/swiotlb-xen.c | ||
543 | +++ b/drivers/xen/swiotlb-xen.c | ||
544 | @@ -365,8 +365,8 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr, | ||
545 | /* Convert the size to actually allocated. */ | ||
546 | size = 1UL << (order + XEN_PAGE_SHIFT); | ||
547 | |||
548 | - if (((dev_addr + size - 1 <= dma_mask)) || | ||
549 | - range_straddles_page_boundary(phys, size)) | ||
550 | + if (!WARN_ON((dev_addr + size - 1 > dma_mask) || | ||
551 | + range_straddles_page_boundary(phys, size))) | ||
552 | xen_destroy_contiguous_region(phys, order); | ||
553 | |||
554 | xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs); | ||
555 | diff --git a/fs/adfs/super.c b/fs/adfs/super.c | ||
556 | index c9fdfb112933..e42c30001509 100644 | ||
557 | --- a/fs/adfs/super.c | ||
558 | +++ b/fs/adfs/super.c | ||
559 | @@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) | ||
560 | struct buffer_head *bh; | ||
561 | struct object_info root_obj; | ||
562 | unsigned char *b_data; | ||
563 | + unsigned int blocksize; | ||
564 | struct adfs_sb_info *asb; | ||
565 | struct inode *root; | ||
566 | int ret = -EINVAL; | ||
567 | @@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) | ||
568 | goto error_free_bh; | ||
569 | } | ||
570 | |||
571 | + blocksize = 1 << dr->log2secsize; | ||
572 | brelse(bh); | ||
573 | - if (sb_set_blocksize(sb, 1 << dr->log2secsize)) { | ||
574 | + | ||
575 | + if (sb_set_blocksize(sb, blocksize)) { | ||
576 | bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); | ||
577 | if (!bh) { | ||
578 | adfs_error(sb, "couldn't read superblock on " | ||
579 | diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c | ||
580 | index a45f26ac5da7..d9e49705a289 100644 | ||
581 | --- a/fs/btrfs/send.c | ||
582 | +++ b/fs/btrfs/send.c | ||
583 | @@ -5835,68 +5835,21 @@ static int changed_extent(struct send_ctx *sctx, | ||
584 | { | ||
585 | int ret = 0; | ||
586 | |||
587 | - if (sctx->cur_ino != sctx->cmp_key->objectid) { | ||
588 | - | ||
589 | - if (result == BTRFS_COMPARE_TREE_CHANGED) { | ||
590 | - struct extent_buffer *leaf_l; | ||
591 | - struct extent_buffer *leaf_r; | ||
592 | - struct btrfs_file_extent_item *ei_l; | ||
593 | - struct btrfs_file_extent_item *ei_r; | ||
594 | - | ||
595 | - leaf_l = sctx->left_path->nodes[0]; | ||
596 | - leaf_r = sctx->right_path->nodes[0]; | ||
597 | - ei_l = btrfs_item_ptr(leaf_l, | ||
598 | - sctx->left_path->slots[0], | ||
599 | - struct btrfs_file_extent_item); | ||
600 | - ei_r = btrfs_item_ptr(leaf_r, | ||
601 | - sctx->right_path->slots[0], | ||
602 | - struct btrfs_file_extent_item); | ||
603 | - | ||
604 | - /* | ||
605 | - * We may have found an extent item that has changed | ||
606 | - * only its disk_bytenr field and the corresponding | ||
607 | - * inode item was not updated. This case happens due to | ||
608 | - * very specific timings during relocation when a leaf | ||
609 | - * that contains file extent items is COWed while | ||
610 | - * relocation is ongoing and its in the stage where it | ||
611 | - * updates data pointers. So when this happens we can | ||
612 | - * safely ignore it since we know it's the same extent, | ||
613 | - * but just at different logical and physical locations | ||
614 | - * (when an extent is fully replaced with a new one, we | ||
615 | - * know the generation number must have changed too, | ||
616 | - * since snapshot creation implies committing the current | ||
617 | - * transaction, and the inode item must have been updated | ||
618 | - * as well). | ||
619 | - * This replacement of the disk_bytenr happens at | ||
620 | - * relocation.c:replace_file_extents() through | ||
621 | - * relocation.c:btrfs_reloc_cow_block(). | ||
622 | - */ | ||
623 | - if (btrfs_file_extent_generation(leaf_l, ei_l) == | ||
624 | - btrfs_file_extent_generation(leaf_r, ei_r) && | ||
625 | - btrfs_file_extent_ram_bytes(leaf_l, ei_l) == | ||
626 | - btrfs_file_extent_ram_bytes(leaf_r, ei_r) && | ||
627 | - btrfs_file_extent_compression(leaf_l, ei_l) == | ||
628 | - btrfs_file_extent_compression(leaf_r, ei_r) && | ||
629 | - btrfs_file_extent_encryption(leaf_l, ei_l) == | ||
630 | - btrfs_file_extent_encryption(leaf_r, ei_r) && | ||
631 | - btrfs_file_extent_other_encoding(leaf_l, ei_l) == | ||
632 | - btrfs_file_extent_other_encoding(leaf_r, ei_r) && | ||
633 | - btrfs_file_extent_type(leaf_l, ei_l) == | ||
634 | - btrfs_file_extent_type(leaf_r, ei_r) && | ||
635 | - btrfs_file_extent_disk_bytenr(leaf_l, ei_l) != | ||
636 | - btrfs_file_extent_disk_bytenr(leaf_r, ei_r) && | ||
637 | - btrfs_file_extent_disk_num_bytes(leaf_l, ei_l) == | ||
638 | - btrfs_file_extent_disk_num_bytes(leaf_r, ei_r) && | ||
639 | - btrfs_file_extent_offset(leaf_l, ei_l) == | ||
640 | - btrfs_file_extent_offset(leaf_r, ei_r) && | ||
641 | - btrfs_file_extent_num_bytes(leaf_l, ei_l) == | ||
642 | - btrfs_file_extent_num_bytes(leaf_r, ei_r)) | ||
643 | - return 0; | ||
644 | - } | ||
645 | - | ||
646 | - inconsistent_snapshot_error(sctx, result, "extent"); | ||
647 | - return -EIO; | ||
648 | - } | ||
649 | + /* | ||
650 | + * We have found an extent item that changed without the inode item | ||
651 | + * having changed. This can happen either after relocation (where the | ||
652 | + * disk_bytenr of an extent item is replaced at | ||
653 | + * relocation.c:replace_file_extents()) or after deduplication into a | ||
654 | + * file in both the parent and send snapshots (where an extent item can | ||
655 | + * get modified or replaced with a new one). Note that deduplication | ||
656 | + * updates the inode item, but it only changes the iversion (sequence | ||
657 | + * field in the inode item) of the inode, so if a file is deduplicated | ||
658 | + * the same amount of times in both the parent and send snapshots, its | ||
659 | + * iversion becames the same in both snapshots, whence the inode item is | ||
660 | + * the same on both snapshots. | ||
661 | + */ | ||
662 | + if (sctx->cur_ino != sctx->cmp_key->objectid) | ||
663 | + return 0; | ||
664 | |||
665 | if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) { | ||
666 | if (result != BTRFS_COMPARE_TREE_DELETED) | ||
667 | diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c | ||
668 | index 94b61afe996c..70aa22a8a9cc 100644 | ||
669 | --- a/fs/btrfs/volumes.c | ||
670 | +++ b/fs/btrfs/volumes.c | ||
671 | @@ -5072,8 +5072,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map) | ||
672 | |||
673 | if (map->type & (BTRFS_BLOCK_GROUP_RAID1 | | ||
674 | BTRFS_BLOCK_GROUP_RAID10 | | ||
675 | - BTRFS_BLOCK_GROUP_RAID5 | | ||
676 | - BTRFS_BLOCK_GROUP_DUP)) { | ||
677 | + BTRFS_BLOCK_GROUP_RAID5)) { | ||
678 | max_errors = 1; | ||
679 | } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) { | ||
680 | max_errors = 2; | ||
681 | diff --git a/fs/ceph/super.h b/fs/ceph/super.h | ||
682 | index 622d5dd9f616..9bd0d928057b 100644 | ||
683 | --- a/fs/ceph/super.h | ||
684 | +++ b/fs/ceph/super.h | ||
685 | @@ -476,7 +476,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci, | ||
686 | long long release_count, | ||
687 | long long ordered_count) | ||
688 | { | ||
689 | - smp_mb__before_atomic(); | ||
690 | + /* | ||
691 | + * Makes sure operations that setup readdir cache (update page | ||
692 | + * cache and i_size) are strongly ordered w.r.t. the following | ||
693 | + * atomic64_set() operations. | ||
694 | + */ | ||
695 | + smp_mb(); | ||
696 | atomic64_set(&ci->i_complete_seq[0], release_count); | ||
697 | atomic64_set(&ci->i_complete_seq[1], ordered_count); | ||
698 | } | ||
699 | diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c | ||
700 | index 75267cdd5dfd..81144a8c0927 100644 | ||
701 | --- a/fs/ceph/xattr.c | ||
702 | +++ b/fs/ceph/xattr.c | ||
703 | @@ -74,7 +74,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, | ||
704 | const char *ns_field = " pool_namespace="; | ||
705 | char buf[128]; | ||
706 | size_t len, total_len = 0; | ||
707 | - int ret; | ||
708 | + ssize_t ret; | ||
709 | |||
710 | pool_ns = ceph_try_get_string(ci->i_layout.pool_ns); | ||
711 | |||
712 | @@ -98,11 +98,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, | ||
713 | if (pool_ns) | ||
714 | total_len += strlen(ns_field) + pool_ns->len; | ||
715 | |||
716 | - if (!size) { | ||
717 | - ret = total_len; | ||
718 | - } else if (total_len > size) { | ||
719 | - ret = -ERANGE; | ||
720 | - } else { | ||
721 | + ret = total_len; | ||
722 | + if (size >= total_len) { | ||
723 | memcpy(val, buf, len); | ||
724 | ret = len; | ||
725 | if (pool_name) { | ||
726 | @@ -757,8 +754,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value, | ||
727 | vxattr = ceph_match_vxattr(inode, name); | ||
728 | if (vxattr) { | ||
729 | err = -ENODATA; | ||
730 | - if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) | ||
731 | + if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) { | ||
732 | err = vxattr->getxattr_cb(ci, value, size); | ||
733 | + if (size && size < err) | ||
734 | + err = -ERANGE; | ||
735 | + } | ||
736 | return err; | ||
737 | } | ||
738 | |||
739 | diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c | ||
740 | index 822629126e89..ff9b5cf8ff01 100644 | ||
741 | --- a/fs/coda/psdev.c | ||
742 | +++ b/fs/coda/psdev.c | ||
743 | @@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, | ||
744 | if (req->uc_opcode == CODA_OPEN_BY_FD) { | ||
745 | struct coda_open_by_fd_out *outp = | ||
746 | (struct coda_open_by_fd_out *)req->uc_data; | ||
747 | - if (!outp->oh.result) | ||
748 | + if (!outp->oh.result) { | ||
749 | outp->fh = fget(outp->fd); | ||
750 | + if (!outp->fh) | ||
751 | + return -EBADF; | ||
752 | + } | ||
753 | } | ||
754 | |||
755 | wake_up(&req->uc_sleep); | ||
756 | diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c | ||
757 | index 5138e781737a..4b207b10db03 100644 | ||
758 | --- a/fs/proc/task_mmu.c | ||
759 | +++ b/fs/proc/task_mmu.c | ||
760 | @@ -1057,6 +1057,24 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf, | ||
761 | count = -EINTR; | ||
762 | goto out_mm; | ||
763 | } | ||
764 | + /* | ||
765 | + * Avoid to modify vma->vm_flags | ||
766 | + * without locked ops while the | ||
767 | + * coredump reads the vm_flags. | ||
768 | + */ | ||
769 | + if (!mmget_still_valid(mm)) { | ||
770 | + /* | ||
771 | + * Silently return "count" | ||
772 | + * like if get_task_mm() | ||
773 | + * failed. FIXME: should this | ||
774 | + * function have returned | ||
775 | + * -ESRCH if get_task_mm() | ||
776 | + * failed like if | ||
777 | + * get_proc_task() fails? | ||
778 | + */ | ||
779 | + up_write(&mm->mmap_sem); | ||
780 | + goto out_mm; | ||
781 | + } | ||
782 | for (vma = mm->mmap; vma; vma = vma->vm_next) { | ||
783 | vma->vm_flags &= ~VM_SOFTDIRTY; | ||
784 | vma_set_page_prot(vma); | ||
785 | diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c | ||
786 | index 784d667475ae..8bf425a103f0 100644 | ||
787 | --- a/fs/userfaultfd.c | ||
788 | +++ b/fs/userfaultfd.c | ||
789 | @@ -479,6 +479,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file) | ||
790 | * taking the mmap_sem for writing. | ||
791 | */ | ||
792 | down_write(&mm->mmap_sem); | ||
793 | + if (!mmget_still_valid(mm)) | ||
794 | + goto skip_mm; | ||
795 | prev = NULL; | ||
796 | for (vma = mm->mmap; vma; vma = vma->vm_next) { | ||
797 | cond_resched(); | ||
798 | @@ -501,6 +503,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file) | ||
799 | vma->vm_flags = new_flags; | ||
800 | vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; | ||
801 | } | ||
802 | +skip_mm: | ||
803 | up_write(&mm->mmap_sem); | ||
804 | mmput(mm); | ||
805 | wakeup: | ||
806 | @@ -802,6 +805,9 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, | ||
807 | goto out; | ||
808 | |||
809 | down_write(&mm->mmap_sem); | ||
810 | + if (!mmget_still_valid(mm)) | ||
811 | + goto out_unlock; | ||
812 | + | ||
813 | vma = find_vma_prev(mm, start, &prev); | ||
814 | if (!vma) | ||
815 | goto out_unlock; | ||
816 | @@ -947,6 +953,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, | ||
817 | goto out; | ||
818 | |||
819 | down_write(&mm->mmap_sem); | ||
820 | + if (!mmget_still_valid(mm)) | ||
821 | + goto out_unlock; | ||
822 | + | ||
823 | vma = find_vma_prev(mm, start, &prev); | ||
824 | if (!vma) | ||
825 | goto out_unlock; | ||
826 | diff --git a/include/linux/acpi.h b/include/linux/acpi.h | ||
827 | index ca2b4c4aec42..719eb97217a3 100644 | ||
828 | --- a/include/linux/acpi.h | ||
829 | +++ b/include/linux/acpi.h | ||
830 | @@ -309,7 +309,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model, | ||
831 | #ifdef CONFIG_X86_IO_APIC | ||
832 | extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity); | ||
833 | #else | ||
834 | -#define acpi_get_override_irq(gsi, trigger, polarity) (-1) | ||
835 | +static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity) | ||
836 | +{ | ||
837 | + return -1; | ||
838 | +} | ||
839 | #endif | ||
840 | /* | ||
841 | * This function undoes the effect of one call to acpi_register_gsi(). | ||
842 | diff --git a/include/linux/coda.h b/include/linux/coda.h | ||
843 | index d30209b9cef8..0ca0c83fdb1c 100644 | ||
844 | --- a/include/linux/coda.h | ||
845 | +++ b/include/linux/coda.h | ||
846 | @@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance. | ||
847 | #ifndef _CODA_HEADER_ | ||
848 | #define _CODA_HEADER_ | ||
849 | |||
850 | -#if defined(__linux__) | ||
851 | typedef unsigned long long u_quad_t; | ||
852 | -#endif | ||
853 | + | ||
854 | #include <uapi/linux/coda.h> | ||
855 | #endif | ||
856 | diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h | ||
857 | index 5b8721efa948..fe1466daf291 100644 | ||
858 | --- a/include/linux/coda_psdev.h | ||
859 | +++ b/include/linux/coda_psdev.h | ||
860 | @@ -19,6 +19,17 @@ struct venus_comm { | ||
861 | struct mutex vc_mutex; | ||
862 | }; | ||
863 | |||
864 | +/* messages between coda filesystem in kernel and Venus */ | ||
865 | +struct upc_req { | ||
866 | + struct list_head uc_chain; | ||
867 | + caddr_t uc_data; | ||
868 | + u_short uc_flags; | ||
869 | + u_short uc_inSize; /* Size is at most 5000 bytes */ | ||
870 | + u_short uc_outSize; | ||
871 | + u_short uc_opcode; /* copied from data to save lookup */ | ||
872 | + int uc_unique; | ||
873 | + wait_queue_head_t uc_sleep; /* process' wait queue */ | ||
874 | +}; | ||
875 | |||
876 | static inline struct venus_comm *coda_vcp(struct super_block *sb) | ||
877 | { | ||
878 | diff --git a/include/linux/compiler.h b/include/linux/compiler.h | ||
879 | index 3050de0dac96..0020ee1cab37 100644 | ||
880 | --- a/include/linux/compiler.h | ||
881 | +++ b/include/linux/compiler.h | ||
882 | @@ -54,6 +54,22 @@ extern void __chk_io_ptr(const volatile void __iomem *); | ||
883 | |||
884 | #ifdef __KERNEL__ | ||
885 | |||
886 | +/* | ||
887 | + * Minimal backport of compiler_attributes.h to add support for __copy | ||
888 | + * to v4.9.y so that we can use it in init/exit_module to avoid | ||
889 | + * -Werror=missing-attributes errors on GCC 9. | ||
890 | + */ | ||
891 | +#ifndef __has_attribute | ||
892 | +# define __has_attribute(x) __GCC4_has_attribute_##x | ||
893 | +# define __GCC4_has_attribute___copy__ 0 | ||
894 | +#endif | ||
895 | + | ||
896 | +#if __has_attribute(__copy__) | ||
897 | +# define __copy(symbol) __attribute__((__copy__(symbol))) | ||
898 | +#else | ||
899 | +# define __copy(symbol) | ||
900 | +#endif | ||
901 | + | ||
902 | #ifdef __GNUC__ | ||
903 | #include <linux/compiler-gcc.h> | ||
904 | #endif | ||
905 | diff --git a/include/linux/mm.h b/include/linux/mm.h | ||
906 | index 478466081265..ade072a6fd24 100644 | ||
907 | --- a/include/linux/mm.h | ||
908 | +++ b/include/linux/mm.h | ||
909 | @@ -1192,6 +1192,30 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long address, | ||
910 | unsigned long size, struct zap_details *); | ||
911 | void unmap_vmas(struct mmu_gather *tlb, struct vm_area_struct *start_vma, | ||
912 | unsigned long start, unsigned long end); | ||
913 | +/* | ||
914 | + * This has to be called after a get_task_mm()/mmget_not_zero() | ||
915 | + * followed by taking the mmap_sem for writing before modifying the | ||
916 | + * vmas or anything the coredump pretends not to change from under it. | ||
917 | + * | ||
918 | + * It also has to be called when mmgrab() is used in the context of | ||
919 | + * the process, but then the mm_count refcount is transferred outside | ||
920 | + * the context of the process to run down_write() on that pinned mm. | ||
921 | + * | ||
922 | + * NOTE: find_extend_vma() called from GUP context is the only place | ||
923 | + * that can modify the "mm" (notably the vm_start/end) under mmap_sem | ||
924 | + * for reading and outside the context of the process, so it is also | ||
925 | + * the only case that holds the mmap_sem for reading that must call | ||
926 | + * this function. Generally if the mmap_sem is hold for reading | ||
927 | + * there's no need of this check after get_task_mm()/mmget_not_zero(). | ||
928 | + * | ||
929 | + * This function can be obsoleted and the check can be removed, after | ||
930 | + * the coredump code will hold the mmap_sem for writing before | ||
931 | + * invoking the ->core_dump methods. | ||
932 | + */ | ||
933 | +static inline bool mmget_still_valid(struct mm_struct *mm) | ||
934 | +{ | ||
935 | + return likely(!mm->core_state); | ||
936 | +} | ||
937 | |||
938 | /** | ||
939 | * mm_walk - callbacks for walk_page_range | ||
940 | diff --git a/include/linux/module.h b/include/linux/module.h | ||
941 | index fd9e121c7b3f..99f330ae13da 100644 | ||
942 | --- a/include/linux/module.h | ||
943 | +++ b/include/linux/module.h | ||
944 | @@ -129,13 +129,13 @@ extern void cleanup_module(void); | ||
945 | #define module_init(initfn) \ | ||
946 | static inline initcall_t __maybe_unused __inittest(void) \ | ||
947 | { return initfn; } \ | ||
948 | - int init_module(void) __attribute__((alias(#initfn))); | ||
949 | + int init_module(void) __copy(initfn) __attribute__((alias(#initfn))); | ||
950 | |||
951 | /* This is only required if you want to be unloadable. */ | ||
952 | #define module_exit(exitfn) \ | ||
953 | static inline exitcall_t __maybe_unused __exittest(void) \ | ||
954 | { return exitfn; } \ | ||
955 | - void cleanup_module(void) __attribute__((alias(#exitfn))); | ||
956 | + void cleanup_module(void) __copy(exitfn) __attribute__((alias(#exitfn))); | ||
957 | |||
958 | #endif | ||
959 | |||
960 | diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h | ||
961 | index 79d05981fc4b..e2c44d2f7d5b 100644 | ||
962 | --- a/include/uapi/linux/coda_psdev.h | ||
963 | +++ b/include/uapi/linux/coda_psdev.h | ||
964 | @@ -6,19 +6,6 @@ | ||
965 | #define CODA_PSDEV_MAJOR 67 | ||
966 | #define MAX_CODADEVS 5 /* how many do we allow */ | ||
967 | |||
968 | - | ||
969 | -/* messages between coda filesystem in kernel and Venus */ | ||
970 | -struct upc_req { | ||
971 | - struct list_head uc_chain; | ||
972 | - caddr_t uc_data; | ||
973 | - u_short uc_flags; | ||
974 | - u_short uc_inSize; /* Size is at most 5000 bytes */ | ||
975 | - u_short uc_outSize; | ||
976 | - u_short uc_opcode; /* copied from data to save lookup */ | ||
977 | - int uc_unique; | ||
978 | - wait_queue_head_t uc_sleep; /* process' wait queue */ | ||
979 | -}; | ||
980 | - | ||
981 | #define CODA_REQ_ASYNC 0x1 | ||
982 | #define CODA_REQ_READ 0x2 | ||
983 | #define CODA_REQ_WRITE 0x4 | ||
984 | diff --git a/ipc/mqueue.c b/ipc/mqueue.c | ||
985 | index d5491a880751..3f7dc5f341f7 100644 | ||
986 | --- a/ipc/mqueue.c | ||
987 | +++ b/ipc/mqueue.c | ||
988 | @@ -369,7 +369,6 @@ static void mqueue_evict_inode(struct inode *inode) | ||
989 | { | ||
990 | struct mqueue_inode_info *info; | ||
991 | struct user_struct *user; | ||
992 | - unsigned long mq_bytes, mq_treesize; | ||
993 | struct ipc_namespace *ipc_ns; | ||
994 | struct msg_msg *msg, *nmsg; | ||
995 | LIST_HEAD(tmp_msg); | ||
996 | @@ -392,16 +391,18 @@ static void mqueue_evict_inode(struct inode *inode) | ||
997 | free_msg(msg); | ||
998 | } | ||
999 | |||
1000 | - /* Total amount of bytes accounted for the mqueue */ | ||
1001 | - mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + | ||
1002 | - min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * | ||
1003 | - sizeof(struct posix_msg_tree_node); | ||
1004 | - | ||
1005 | - mq_bytes = mq_treesize + (info->attr.mq_maxmsg * | ||
1006 | - info->attr.mq_msgsize); | ||
1007 | - | ||
1008 | user = info->user; | ||
1009 | if (user) { | ||
1010 | + unsigned long mq_bytes, mq_treesize; | ||
1011 | + | ||
1012 | + /* Total amount of bytes accounted for the mqueue */ | ||
1013 | + mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + | ||
1014 | + min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * | ||
1015 | + sizeof(struct posix_msg_tree_node); | ||
1016 | + | ||
1017 | + mq_bytes = mq_treesize + (info->attr.mq_maxmsg * | ||
1018 | + info->attr.mq_msgsize); | ||
1019 | + | ||
1020 | spin_lock(&mq_lock); | ||
1021 | user->mq_bytes -= mq_bytes; | ||
1022 | /* | ||
1023 | diff --git a/kernel/module.c b/kernel/module.c | ||
1024 | index 2325c9821f2a..fb9e07aec49e 100644 | ||
1025 | --- a/kernel/module.c | ||
1026 | +++ b/kernel/module.c | ||
1027 | @@ -3351,8 +3351,7 @@ static bool finished_loading(const char *name) | ||
1028 | sched_annotate_sleep(); | ||
1029 | mutex_lock(&module_mutex); | ||
1030 | mod = find_module_all(name, strlen(name), true); | ||
1031 | - ret = !mod || mod->state == MODULE_STATE_LIVE | ||
1032 | - || mod->state == MODULE_STATE_GOING; | ||
1033 | + ret = !mod || mod->state == MODULE_STATE_LIVE; | ||
1034 | mutex_unlock(&module_mutex); | ||
1035 | |||
1036 | return ret; | ||
1037 | @@ -3515,8 +3514,7 @@ again: | ||
1038 | mutex_lock(&module_mutex); | ||
1039 | old = find_module_all(mod->name, strlen(mod->name), true); | ||
1040 | if (old != NULL) { | ||
1041 | - if (old->state == MODULE_STATE_COMING | ||
1042 | - || old->state == MODULE_STATE_UNFORMED) { | ||
1043 | + if (old->state != MODULE_STATE_LIVE) { | ||
1044 | /* Wait in case it fails to load. */ | ||
1045 | mutex_unlock(&module_mutex); | ||
1046 | err = wait_event_interruptible(module_wq, | ||
1047 | diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c | ||
1048 | index 0043aef0ed8d..77109b9cf733 100644 | ||
1049 | --- a/kernel/trace/ftrace.c | ||
1050 | +++ b/kernel/trace/ftrace.c | ||
1051 | @@ -1631,6 +1631,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec) | ||
1052 | return keep_regs; | ||
1053 | } | ||
1054 | |||
1055 | +static struct ftrace_ops * | ||
1056 | +ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); | ||
1057 | +static struct ftrace_ops * | ||
1058 | +ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); | ||
1059 | + | ||
1060 | static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, | ||
1061 | int filter_hash, | ||
1062 | bool inc) | ||
1063 | @@ -1759,15 +1764,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, | ||
1064 | } | ||
1065 | |||
1066 | /* | ||
1067 | - * If the rec had TRAMP enabled, then it needs to | ||
1068 | - * be cleared. As TRAMP can only be enabled iff | ||
1069 | - * there is only a single ops attached to it. | ||
1070 | - * In otherwords, always disable it on decrementing. | ||
1071 | - * In the future, we may set it if rec count is | ||
1072 | - * decremented to one, and the ops that is left | ||
1073 | - * has a trampoline. | ||
1074 | + * The TRAMP needs to be set only if rec count | ||
1075 | + * is decremented to one, and the ops that is | ||
1076 | + * left has a trampoline. As TRAMP can only be | ||
1077 | + * enabled if there is only a single ops attached | ||
1078 | + * to it. | ||
1079 | */ | ||
1080 | - rec->flags &= ~FTRACE_FL_TRAMP; | ||
1081 | + if (ftrace_rec_count(rec) == 1 && | ||
1082 | + ftrace_find_tramp_ops_any(rec)) | ||
1083 | + rec->flags |= FTRACE_FL_TRAMP; | ||
1084 | + else | ||
1085 | + rec->flags &= ~FTRACE_FL_TRAMP; | ||
1086 | |||
1087 | /* | ||
1088 | * flags will be cleared in ftrace_check_record() | ||
1089 | @@ -1960,11 +1967,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) | ||
1090 | printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); | ||
1091 | } | ||
1092 | |||
1093 | -static struct ftrace_ops * | ||
1094 | -ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); | ||
1095 | -static struct ftrace_ops * | ||
1096 | -ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); | ||
1097 | - | ||
1098 | enum ftrace_bug_type ftrace_bug_type; | ||
1099 | const void *ftrace_expected; | ||
1100 | |||
1101 | diff --git a/mm/cma.c b/mm/cma.c | ||
1102 | index 4ea0f32761c1..7cb569a188c4 100644 | ||
1103 | --- a/mm/cma.c | ||
1104 | +++ b/mm/cma.c | ||
1105 | @@ -268,6 +268,12 @@ int __init cma_declare_contiguous(phys_addr_t base, | ||
1106 | */ | ||
1107 | alignment = max(alignment, (phys_addr_t)PAGE_SIZE << | ||
1108 | max_t(unsigned long, MAX_ORDER - 1, pageblock_order)); | ||
1109 | + if (fixed && base & (alignment - 1)) { | ||
1110 | + ret = -EINVAL; | ||
1111 | + pr_err("Region at %pa must be aligned to %pa bytes\n", | ||
1112 | + &base, &alignment); | ||
1113 | + goto err; | ||
1114 | + } | ||
1115 | base = ALIGN(base, alignment); | ||
1116 | size = ALIGN(size, alignment); | ||
1117 | limit &= ~(alignment - 1); | ||
1118 | @@ -298,6 +304,13 @@ int __init cma_declare_contiguous(phys_addr_t base, | ||
1119 | if (limit == 0 || limit > memblock_end) | ||
1120 | limit = memblock_end; | ||
1121 | |||
1122 | + if (base + size > limit) { | ||
1123 | + ret = -EINVAL; | ||
1124 | + pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n", | ||
1125 | + &size, &base, &limit); | ||
1126 | + goto err; | ||
1127 | + } | ||
1128 | + | ||
1129 | /* Reserve memory */ | ||
1130 | if (fixed) { | ||
1131 | if (memblock_is_region_reserved(base, size) || | ||
1132 | diff --git a/mm/khugepaged.c b/mm/khugepaged.c | ||
1133 | index e0cfc3a54b6a..8217ee5d66ef 100644 | ||
1134 | --- a/mm/khugepaged.c | ||
1135 | +++ b/mm/khugepaged.c | ||
1136 | @@ -1004,6 +1004,9 @@ static void collapse_huge_page(struct mm_struct *mm, | ||
1137 | * handled by the anon_vma lock + PG_lock. | ||
1138 | */ | ||
1139 | down_write(&mm->mmap_sem); | ||
1140 | + result = SCAN_ANY_PROCESS; | ||
1141 | + if (!mmget_still_valid(mm)) | ||
1142 | + goto out; | ||
1143 | result = hugepage_vma_revalidate(mm, address, &vma); | ||
1144 | if (result) | ||
1145 | goto out; | ||
1146 | diff --git a/mm/mmap.c b/mm/mmap.c | ||
1147 | index 3f2314ad6acd..19368fbba42a 100644 | ||
1148 | --- a/mm/mmap.c | ||
1149 | +++ b/mm/mmap.c | ||
1150 | @@ -2448,7 +2448,8 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) | ||
1151 | vma = find_vma_prev(mm, addr, &prev); | ||
1152 | if (vma && (vma->vm_start <= addr)) | ||
1153 | return vma; | ||
1154 | - if (!prev || expand_stack(prev, addr)) | ||
1155 | + /* don't alter vm_end if the coredump is running */ | ||
1156 | + if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr)) | ||
1157 | return NULL; | ||
1158 | if (prev->vm_flags & VM_LOCKED) | ||
1159 | populate_vma_page_range(prev, addr, prev->vm_end, NULL); | ||
1160 | @@ -2474,6 +2475,9 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) | ||
1161 | return vma; | ||
1162 | if (!(vma->vm_flags & VM_GROWSDOWN)) | ||
1163 | return NULL; | ||
1164 | + /* don't alter vm_start if the coredump is running */ | ||
1165 | + if (!mmget_still_valid(mm)) | ||
1166 | + return NULL; | ||
1167 | start = vma->vm_start; | ||
1168 | if (expand_stack(vma, addr)) | ||
1169 | return NULL; | ||
1170 | diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c | ||
1171 | index c483de590ba3..af9cc839856f 100644 | ||
1172 | --- a/security/selinux/ss/policydb.c | ||
1173 | +++ b/security/selinux/ss/policydb.c | ||
1174 | @@ -266,6 +266,8 @@ static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2) | ||
1175 | return v; | ||
1176 | } | ||
1177 | |||
1178 | +static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap); | ||
1179 | + | ||
1180 | /* | ||
1181 | * Initialize a policy database structure. | ||
1182 | */ | ||
1183 | @@ -313,8 +315,10 @@ static int policydb_init(struct policydb *p) | ||
1184 | out: | ||
1185 | hashtab_destroy(p->filename_trans); | ||
1186 | hashtab_destroy(p->range_tr); | ||
1187 | - for (i = 0; i < SYM_NUM; i++) | ||
1188 | + for (i = 0; i < SYM_NUM; i++) { | ||
1189 | + hashtab_map(p->symtab[i].table, destroy_f[i], NULL); | ||
1190 | hashtab_destroy(p->symtab[i].table); | ||
1191 | + } | ||
1192 | return rc; | ||
1193 | } | ||
1194 | |||
1195 | diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c | ||
1196 | index dd4ed7c3c062..d84c28eac262 100644 | ||
1197 | --- a/tools/objtool/elf.c | ||
1198 | +++ b/tools/objtool/elf.c | ||
1199 | @@ -305,7 +305,7 @@ static int read_symbols(struct elf *elf) | ||
1200 | if (sym->type != STT_FUNC) | ||
1201 | continue; | ||
1202 | sym->pfunc = sym->cfunc = sym; | ||
1203 | - coldstr = strstr(sym->name, ".cold."); | ||
1204 | + coldstr = strstr(sym->name, ".cold"); | ||
1205 | if (!coldstr) | ||
1206 | continue; | ||
1207 |