Contents of /trunk/kernel-alx/patches-5.4/0100-5.4.1-all-fixes.patch
Parent Directory | Revision Log
Revision 3481 -
(show annotations)
(download)
Mon May 11 14:34:05 2020 UTC (4 years, 4 months ago) by niro
File size: 114322 byte(s)
Mon May 11 14:34:05 2020 UTC (4 years, 4 months ago) by niro
File size: 114322 byte(s)
-linux-5.4.1
1 | diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst |
2 | index e3a796c0d3a2..2d19c9f4c1fe 100644 |
3 | --- a/Documentation/admin-guide/hw-vuln/mds.rst |
4 | +++ b/Documentation/admin-guide/hw-vuln/mds.rst |
5 | @@ -265,8 +265,11 @@ time with the option "mds=". The valid arguments for this option are: |
6 | |
7 | ============ ============================================================= |
8 | |
9 | -Not specifying this option is equivalent to "mds=full". |
10 | - |
11 | +Not specifying this option is equivalent to "mds=full". For processors |
12 | +that are affected by both TAA (TSX Asynchronous Abort) and MDS, |
13 | +specifying just "mds=off" without an accompanying "tsx_async_abort=off" |
14 | +will have no effect as the same mitigation is used for both |
15 | +vulnerabilities. |
16 | |
17 | Mitigation selection guide |
18 | -------------------------- |
19 | diff --git a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst |
20 | index fddbd7579c53..af6865b822d2 100644 |
21 | --- a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst |
22 | +++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst |
23 | @@ -174,7 +174,10 @@ the option "tsx_async_abort=". The valid arguments for this option are: |
24 | CPU is not vulnerable to cross-thread TAA attacks. |
25 | ============ ============================================================= |
26 | |
27 | -Not specifying this option is equivalent to "tsx_async_abort=full". |
28 | +Not specifying this option is equivalent to "tsx_async_abort=full". For |
29 | +processors that are affected by both TAA and MDS, specifying just |
30 | +"tsx_async_abort=off" without an accompanying "mds=off" will have no |
31 | +effect as the same mitigation is used for both vulnerabilities. |
32 | |
33 | The kernel command line also allows to control the TSX feature using the |
34 | parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used |
35 | diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt |
36 | index 8dee8f68fe15..9983ac73b66d 100644 |
37 | --- a/Documentation/admin-guide/kernel-parameters.txt |
38 | +++ b/Documentation/admin-guide/kernel-parameters.txt |
39 | @@ -2473,6 +2473,12 @@ |
40 | SMT on vulnerable CPUs |
41 | off - Unconditionally disable MDS mitigation |
42 | |
43 | + On TAA-affected machines, mds=off can be prevented by |
44 | + an active TAA mitigation as both vulnerabilities are |
45 | + mitigated with the same mechanism so in order to disable |
46 | + this mitigation, you need to specify tsx_async_abort=off |
47 | + too. |
48 | + |
49 | Not specifying this option is equivalent to |
50 | mds=full. |
51 | |
52 | @@ -4931,6 +4937,11 @@ |
53 | vulnerable to cross-thread TAA attacks. |
54 | off - Unconditionally disable TAA mitigation |
55 | |
56 | + On MDS-affected machines, tsx_async_abort=off can be |
57 | + prevented by an active MDS mitigation as both vulnerabilities |
58 | + are mitigated with the same mechanism so in order to disable |
59 | + this mitigation, you need to specify mds=off too. |
60 | + |
61 | Not specifying this option is equivalent to |
62 | tsx_async_abort=full. On CPUs which are MDS affected |
63 | and deploy MDS mitigation, TAA mitigation is not |
64 | diff --git a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.txt b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.txt |
65 | index ae661e65354e..f9499b20d840 100644 |
66 | --- a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.txt |
67 | +++ b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.txt |
68 | @@ -81,6 +81,12 @@ Optional properties: |
69 | Definition: Name of external front end module used. Some valid FEM names |
70 | for example: "microsemi-lx5586", "sky85703-11" |
71 | and "sky85803" etc. |
72 | +- qcom,snoc-host-cap-8bit-quirk: |
73 | + Usage: Optional |
74 | + Value type: <empty> |
75 | + Definition: Quirk specifying that the firmware expects the 8bit version |
76 | + of the host capability QMI request |
77 | + |
78 | |
79 | Example (to supply PCI based wifi block details): |
80 | |
81 | diff --git a/Makefile b/Makefile |
82 | index d4d36c61940b..641a62423fd6 100644 |
83 | --- a/Makefile |
84 | +++ b/Makefile |
85 | @@ -1,7 +1,7 @@ |
86 | # SPDX-License-Identifier: GPL-2.0 |
87 | VERSION = 5 |
88 | PATCHLEVEL = 4 |
89 | -SUBLEVEL = 0 |
90 | +SUBLEVEL = 1 |
91 | EXTRAVERSION = |
92 | NAME = Kleptomaniac Octopus |
93 | |
94 | diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h |
95 | index 8561498e653c..d84d1417ddb6 100644 |
96 | --- a/arch/powerpc/include/asm/asm-prototypes.h |
97 | +++ b/arch/powerpc/include/asm/asm-prototypes.h |
98 | @@ -152,9 +152,12 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu *vcpu, u64 guest_msr); |
99 | /* Patch sites */ |
100 | extern s32 patch__call_flush_count_cache; |
101 | extern s32 patch__flush_count_cache_return; |
102 | +extern s32 patch__flush_link_stack_return; |
103 | +extern s32 patch__call_kvm_flush_link_stack; |
104 | extern s32 patch__memset_nocache, patch__memcpy_nocache; |
105 | |
106 | extern long flush_count_cache; |
107 | +extern long kvm_flush_link_stack; |
108 | |
109 | #ifdef CONFIG_PPC_TRANSACTIONAL_MEM |
110 | void kvmppc_save_tm_hv(struct kvm_vcpu *vcpu, u64 msr, bool preserve_nv); |
111 | diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h |
112 | index 759597bf0fd8..ccf44c135389 100644 |
113 | --- a/arch/powerpc/include/asm/security_features.h |
114 | +++ b/arch/powerpc/include/asm/security_features.h |
115 | @@ -81,6 +81,9 @@ static inline bool security_ftr_enabled(unsigned long feature) |
116 | // Software required to flush count cache on context switch |
117 | #define SEC_FTR_FLUSH_COUNT_CACHE 0x0000000000000400ull |
118 | |
119 | +// Software required to flush link stack on context switch |
120 | +#define SEC_FTR_FLUSH_LINK_STACK 0x0000000000001000ull |
121 | + |
122 | |
123 | // Features enabled by default |
124 | #define SEC_FTR_DEFAULT \ |
125 | diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S |
126 | index 6467bdab8d40..3fd3ef352e3f 100644 |
127 | --- a/arch/powerpc/kernel/entry_64.S |
128 | +++ b/arch/powerpc/kernel/entry_64.S |
129 | @@ -537,6 +537,7 @@ flush_count_cache: |
130 | /* Save LR into r9 */ |
131 | mflr r9 |
132 | |
133 | + // Flush the link stack |
134 | .rept 64 |
135 | bl .+4 |
136 | .endr |
137 | @@ -546,6 +547,11 @@ flush_count_cache: |
138 | .balign 32 |
139 | /* Restore LR */ |
140 | 1: mtlr r9 |
141 | + |
142 | + // If we're just flushing the link stack, return here |
143 | +3: nop |
144 | + patch_site 3b patch__flush_link_stack_return |
145 | + |
146 | li r9,0x7fff |
147 | mtctr r9 |
148 | |
149 | diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c |
150 | index 7cfcb294b11c..bd91dceb7010 100644 |
151 | --- a/arch/powerpc/kernel/security.c |
152 | +++ b/arch/powerpc/kernel/security.c |
153 | @@ -24,6 +24,7 @@ enum count_cache_flush_type { |
154 | COUNT_CACHE_FLUSH_HW = 0x4, |
155 | }; |
156 | static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; |
157 | +static bool link_stack_flush_enabled; |
158 | |
159 | bool barrier_nospec_enabled; |
160 | static bool no_nospec; |
161 | @@ -212,11 +213,19 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c |
162 | |
163 | if (ccd) |
164 | seq_buf_printf(&s, "Indirect branch cache disabled"); |
165 | + |
166 | + if (link_stack_flush_enabled) |
167 | + seq_buf_printf(&s, ", Software link stack flush"); |
168 | + |
169 | } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) { |
170 | seq_buf_printf(&s, "Mitigation: Software count cache flush"); |
171 | |
172 | if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW) |
173 | seq_buf_printf(&s, " (hardware accelerated)"); |
174 | + |
175 | + if (link_stack_flush_enabled) |
176 | + seq_buf_printf(&s, ", Software link stack flush"); |
177 | + |
178 | } else if (btb_flush_enabled) { |
179 | seq_buf_printf(&s, "Mitigation: Branch predictor state flush"); |
180 | } else { |
181 | @@ -377,18 +386,49 @@ static __init int stf_barrier_debugfs_init(void) |
182 | device_initcall(stf_barrier_debugfs_init); |
183 | #endif /* CONFIG_DEBUG_FS */ |
184 | |
185 | +static void no_count_cache_flush(void) |
186 | +{ |
187 | + count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; |
188 | + pr_info("count-cache-flush: software flush disabled.\n"); |
189 | +} |
190 | + |
191 | static void toggle_count_cache_flush(bool enable) |
192 | { |
193 | - if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { |
194 | + if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) && |
195 | + !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK)) |
196 | + enable = false; |
197 | + |
198 | + if (!enable) { |
199 | patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); |
200 | - count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; |
201 | - pr_info("count-cache-flush: software flush disabled.\n"); |
202 | +#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE |
203 | + patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP); |
204 | +#endif |
205 | + pr_info("link-stack-flush: software flush disabled.\n"); |
206 | + link_stack_flush_enabled = false; |
207 | + no_count_cache_flush(); |
208 | return; |
209 | } |
210 | |
211 | + // This enables the branch from _switch to flush_count_cache |
212 | patch_branch_site(&patch__call_flush_count_cache, |
213 | (u64)&flush_count_cache, BRANCH_SET_LINK); |
214 | |
215 | +#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE |
216 | + // This enables the branch from guest_exit_cont to kvm_flush_link_stack |
217 | + patch_branch_site(&patch__call_kvm_flush_link_stack, |
218 | + (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); |
219 | +#endif |
220 | + |
221 | + pr_info("link-stack-flush: software flush enabled.\n"); |
222 | + link_stack_flush_enabled = true; |
223 | + |
224 | + // If we just need to flush the link stack, patch an early return |
225 | + if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { |
226 | + patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR); |
227 | + no_count_cache_flush(); |
228 | + return; |
229 | + } |
230 | + |
231 | if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) { |
232 | count_cache_flush_type = COUNT_CACHE_FLUSH_SW; |
233 | pr_info("count-cache-flush: full software flush sequence enabled.\n"); |
234 | @@ -407,11 +447,20 @@ void setup_count_cache_flush(void) |
235 | if (no_spectrev2 || cpu_mitigations_off()) { |
236 | if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || |
237 | security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) |
238 | - pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); |
239 | + pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n"); |
240 | |
241 | enable = false; |
242 | } |
243 | |
244 | + /* |
245 | + * There's no firmware feature flag/hypervisor bit to tell us we need to |
246 | + * flush the link stack on context switch. So we set it here if we see |
247 | + * either of the Spectre v2 mitigations that aim to protect userspace. |
248 | + */ |
249 | + if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) || |
250 | + security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) |
251 | + security_ftr_set(SEC_FTR_FLUSH_LINK_STACK); |
252 | + |
253 | toggle_count_cache_flush(enable); |
254 | } |
255 | |
256 | diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
257 | index faebcbb8c4db..0496e66aaa56 100644 |
258 | --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
259 | +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S |
260 | @@ -11,6 +11,7 @@ |
261 | */ |
262 | |
263 | #include <asm/ppc_asm.h> |
264 | +#include <asm/code-patching-asm.h> |
265 | #include <asm/kvm_asm.h> |
266 | #include <asm/reg.h> |
267 | #include <asm/mmu.h> |
268 | @@ -1487,6 +1488,13 @@ guest_exit_cont: /* r9 = vcpu, r12 = trap, r13 = paca */ |
269 | 1: |
270 | #endif /* CONFIG_KVM_XICS */ |
271 | |
272 | + /* |
273 | + * Possibly flush the link stack here, before we do a blr in |
274 | + * guest_exit_short_path. |
275 | + */ |
276 | +1: nop |
277 | + patch_site 1b patch__call_kvm_flush_link_stack |
278 | + |
279 | /* If we came in through the P9 short path, go back out to C now */ |
280 | lwz r0, STACK_SLOT_SHORT_PATH(r1) |
281 | cmpwi r0, 0 |
282 | @@ -1963,6 +1971,28 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) |
283 | mtlr r0 |
284 | blr |
285 | |
286 | +.balign 32 |
287 | +.global kvm_flush_link_stack |
288 | +kvm_flush_link_stack: |
289 | + /* Save LR into r0 */ |
290 | + mflr r0 |
291 | + |
292 | + /* Flush the link stack. On Power8 it's up to 32 entries in size. */ |
293 | + .rept 32 |
294 | + bl .+4 |
295 | + .endr |
296 | + |
297 | + /* And on Power9 it's up to 64. */ |
298 | +BEGIN_FTR_SECTION |
299 | + .rept 32 |
300 | + bl .+4 |
301 | + .endr |
302 | +END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) |
303 | + |
304 | + /* Restore LR */ |
305 | + mtlr r0 |
306 | + blr |
307 | + |
308 | kvmppc_guest_external: |
309 | /* External interrupt, first check for host_ipi. If this is |
310 | * set, we know the host wants us out so let's do it now |
311 | diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S |
312 | index f83ca5aa8b77..f07baf0388bc 100644 |
313 | --- a/arch/x86/entry/entry_32.S |
314 | +++ b/arch/x86/entry/entry_32.S |
315 | @@ -172,7 +172,7 @@ |
316 | ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI |
317 | .if \no_user_check == 0 |
318 | /* coming from usermode? */ |
319 | - testl $SEGMENT_RPL_MASK, PT_CS(%esp) |
320 | + testl $USER_SEGMENT_RPL_MASK, PT_CS(%esp) |
321 | jz .Lend_\@ |
322 | .endif |
323 | /* On user-cr3? */ |
324 | @@ -205,64 +205,76 @@ |
325 | #define CS_FROM_ENTRY_STACK (1 << 31) |
326 | #define CS_FROM_USER_CR3 (1 << 30) |
327 | #define CS_FROM_KERNEL (1 << 29) |
328 | +#define CS_FROM_ESPFIX (1 << 28) |
329 | |
330 | .macro FIXUP_FRAME |
331 | /* |
332 | * The high bits of the CS dword (__csh) are used for CS_FROM_*. |
333 | * Clear them in case hardware didn't do this for us. |
334 | */ |
335 | - andl $0x0000ffff, 3*4(%esp) |
336 | + andl $0x0000ffff, 4*4(%esp) |
337 | |
338 | #ifdef CONFIG_VM86 |
339 | - testl $X86_EFLAGS_VM, 4*4(%esp) |
340 | + testl $X86_EFLAGS_VM, 5*4(%esp) |
341 | jnz .Lfrom_usermode_no_fixup_\@ |
342 | #endif |
343 | - testl $SEGMENT_RPL_MASK, 3*4(%esp) |
344 | + testl $USER_SEGMENT_RPL_MASK, 4*4(%esp) |
345 | jnz .Lfrom_usermode_no_fixup_\@ |
346 | |
347 | - orl $CS_FROM_KERNEL, 3*4(%esp) |
348 | + orl $CS_FROM_KERNEL, 4*4(%esp) |
349 | |
350 | /* |
351 | * When we're here from kernel mode; the (exception) stack looks like: |
352 | * |
353 | - * 5*4(%esp) - <previous context> |
354 | - * 4*4(%esp) - flags |
355 | - * 3*4(%esp) - cs |
356 | - * 2*4(%esp) - ip |
357 | - * 1*4(%esp) - orig_eax |
358 | - * 0*4(%esp) - gs / function |
359 | + * 6*4(%esp) - <previous context> |
360 | + * 5*4(%esp) - flags |
361 | + * 4*4(%esp) - cs |
362 | + * 3*4(%esp) - ip |
363 | + * 2*4(%esp) - orig_eax |
364 | + * 1*4(%esp) - gs / function |
365 | + * 0*4(%esp) - fs |
366 | * |
367 | * Lets build a 5 entry IRET frame after that, such that struct pt_regs |
368 | * is complete and in particular regs->sp is correct. This gives us |
369 | - * the original 5 enties as gap: |
370 | + * the original 6 enties as gap: |
371 | * |
372 | - * 12*4(%esp) - <previous context> |
373 | - * 11*4(%esp) - gap / flags |
374 | - * 10*4(%esp) - gap / cs |
375 | - * 9*4(%esp) - gap / ip |
376 | - * 8*4(%esp) - gap / orig_eax |
377 | - * 7*4(%esp) - gap / gs / function |
378 | - * 6*4(%esp) - ss |
379 | - * 5*4(%esp) - sp |
380 | - * 4*4(%esp) - flags |
381 | - * 3*4(%esp) - cs |
382 | - * 2*4(%esp) - ip |
383 | - * 1*4(%esp) - orig_eax |
384 | - * 0*4(%esp) - gs / function |
385 | + * 14*4(%esp) - <previous context> |
386 | + * 13*4(%esp) - gap / flags |
387 | + * 12*4(%esp) - gap / cs |
388 | + * 11*4(%esp) - gap / ip |
389 | + * 10*4(%esp) - gap / orig_eax |
390 | + * 9*4(%esp) - gap / gs / function |
391 | + * 8*4(%esp) - gap / fs |
392 | + * 7*4(%esp) - ss |
393 | + * 6*4(%esp) - sp |
394 | + * 5*4(%esp) - flags |
395 | + * 4*4(%esp) - cs |
396 | + * 3*4(%esp) - ip |
397 | + * 2*4(%esp) - orig_eax |
398 | + * 1*4(%esp) - gs / function |
399 | + * 0*4(%esp) - fs |
400 | */ |
401 | |
402 | pushl %ss # ss |
403 | pushl %esp # sp (points at ss) |
404 | - addl $6*4, (%esp) # point sp back at the previous context |
405 | - pushl 6*4(%esp) # flags |
406 | - pushl 6*4(%esp) # cs |
407 | - pushl 6*4(%esp) # ip |
408 | - pushl 6*4(%esp) # orig_eax |
409 | - pushl 6*4(%esp) # gs / function |
410 | + addl $7*4, (%esp) # point sp back at the previous context |
411 | + pushl 7*4(%esp) # flags |
412 | + pushl 7*4(%esp) # cs |
413 | + pushl 7*4(%esp) # ip |
414 | + pushl 7*4(%esp) # orig_eax |
415 | + pushl 7*4(%esp) # gs / function |
416 | + pushl 7*4(%esp) # fs |
417 | .Lfrom_usermode_no_fixup_\@: |
418 | .endm |
419 | |
420 | .macro IRET_FRAME |
421 | + /* |
422 | + * We're called with %ds, %es, %fs, and %gs from the interrupted |
423 | + * frame, so we shouldn't use them. Also, we may be in ESPFIX |
424 | + * mode and therefore have a nonzero SS base and an offset ESP, |
425 | + * so any attempt to access the stack needs to use SS. (except for |
426 | + * accesses through %esp, which automatically use SS.) |
427 | + */ |
428 | testl $CS_FROM_KERNEL, 1*4(%esp) |
429 | jz .Lfinished_frame_\@ |
430 | |
431 | @@ -276,31 +288,40 @@ |
432 | movl 5*4(%esp), %eax # (modified) regs->sp |
433 | |
434 | movl 4*4(%esp), %ecx # flags |
435 | - movl %ecx, -4(%eax) |
436 | + movl %ecx, %ss:-1*4(%eax) |
437 | |
438 | movl 3*4(%esp), %ecx # cs |
439 | andl $0x0000ffff, %ecx |
440 | - movl %ecx, -8(%eax) |
441 | + movl %ecx, %ss:-2*4(%eax) |
442 | |
443 | movl 2*4(%esp), %ecx # ip |
444 | - movl %ecx, -12(%eax) |
445 | + movl %ecx, %ss:-3*4(%eax) |
446 | |
447 | movl 1*4(%esp), %ecx # eax |
448 | - movl %ecx, -16(%eax) |
449 | + movl %ecx, %ss:-4*4(%eax) |
450 | |
451 | popl %ecx |
452 | - lea -16(%eax), %esp |
453 | + lea -4*4(%eax), %esp |
454 | popl %eax |
455 | .Lfinished_frame_\@: |
456 | .endm |
457 | |
458 | -.macro SAVE_ALL pt_regs_ax=%eax switch_stacks=0 skip_gs=0 |
459 | +.macro SAVE_ALL pt_regs_ax=%eax switch_stacks=0 skip_gs=0 unwind_espfix=0 |
460 | cld |
461 | .if \skip_gs == 0 |
462 | PUSH_GS |
463 | .endif |
464 | - FIXUP_FRAME |
465 | pushl %fs |
466 | + |
467 | + pushl %eax |
468 | + movl $(__KERNEL_PERCPU), %eax |
469 | + movl %eax, %fs |
470 | +.if \unwind_espfix > 0 |
471 | + UNWIND_ESPFIX_STACK |
472 | +.endif |
473 | + popl %eax |
474 | + |
475 | + FIXUP_FRAME |
476 | pushl %es |
477 | pushl %ds |
478 | pushl \pt_regs_ax |
479 | @@ -313,8 +334,6 @@ |
480 | movl $(__USER_DS), %edx |
481 | movl %edx, %ds |
482 | movl %edx, %es |
483 | - movl $(__KERNEL_PERCPU), %edx |
484 | - movl %edx, %fs |
485 | .if \skip_gs == 0 |
486 | SET_KERNEL_GS %edx |
487 | .endif |
488 | @@ -324,8 +343,8 @@ |
489 | .endif |
490 | .endm |
491 | |
492 | -.macro SAVE_ALL_NMI cr3_reg:req |
493 | - SAVE_ALL |
494 | +.macro SAVE_ALL_NMI cr3_reg:req unwind_espfix=0 |
495 | + SAVE_ALL unwind_espfix=\unwind_espfix |
496 | |
497 | BUG_IF_WRONG_CR3 |
498 | |
499 | @@ -357,6 +376,7 @@ |
500 | 2: popl %es |
501 | 3: popl %fs |
502 | POP_GS \pop |
503 | + IRET_FRAME |
504 | .pushsection .fixup, "ax" |
505 | 4: movl $0, (%esp) |
506 | jmp 1b |
507 | @@ -395,7 +415,8 @@ |
508 | |
509 | .macro CHECK_AND_APPLY_ESPFIX |
510 | #ifdef CONFIG_X86_ESPFIX32 |
511 | -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8) |
512 | +#define GDT_ESPFIX_OFFSET (GDT_ENTRY_ESPFIX_SS * 8) |
513 | +#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + GDT_ESPFIX_OFFSET |
514 | |
515 | ALTERNATIVE "jmp .Lend_\@", "", X86_BUG_ESPFIX |
516 | |
517 | @@ -1075,7 +1096,6 @@ restore_all: |
518 | /* Restore user state */ |
519 | RESTORE_REGS pop=4 # skip orig_eax/error_code |
520 | .Lirq_return: |
521 | - IRET_FRAME |
522 | /* |
523 | * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization |
524 | * when returning from IPI handler and when returning from |
525 | @@ -1128,30 +1148,43 @@ ENDPROC(entry_INT80_32) |
526 | * We can't call C functions using the ESPFIX stack. This code reads |
527 | * the high word of the segment base from the GDT and swiches to the |
528 | * normal stack and adjusts ESP with the matching offset. |
529 | + * |
530 | + * We might be on user CR3 here, so percpu data is not mapped and we can't |
531 | + * access the GDT through the percpu segment. Instead, use SGDT to find |
532 | + * the cpu_entry_area alias of the GDT. |
533 | */ |
534 | #ifdef CONFIG_X86_ESPFIX32 |
535 | /* fixup the stack */ |
536 | - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */ |
537 | - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */ |
538 | + pushl %ecx |
539 | + subl $2*4, %esp |
540 | + sgdt (%esp) |
541 | + movl 2(%esp), %ecx /* GDT address */ |
542 | + /* |
543 | + * Careful: ECX is a linear pointer, so we need to force base |
544 | + * zero. %cs is the only known-linear segment we have right now. |
545 | + */ |
546 | + mov %cs:GDT_ESPFIX_OFFSET + 4(%ecx), %al /* bits 16..23 */ |
547 | + mov %cs:GDT_ESPFIX_OFFSET + 7(%ecx), %ah /* bits 24..31 */ |
548 | shl $16, %eax |
549 | + addl $2*4, %esp |
550 | + popl %ecx |
551 | addl %esp, %eax /* the adjusted stack pointer */ |
552 | pushl $__KERNEL_DS |
553 | pushl %eax |
554 | lss (%esp), %esp /* switch to the normal stack segment */ |
555 | #endif |
556 | .endm |
557 | + |
558 | .macro UNWIND_ESPFIX_STACK |
559 | + /* It's safe to clobber %eax, all other regs need to be preserved */ |
560 | #ifdef CONFIG_X86_ESPFIX32 |
561 | movl %ss, %eax |
562 | /* see if on espfix stack */ |
563 | cmpw $__ESPFIX_SS, %ax |
564 | - jne 27f |
565 | - movl $__KERNEL_DS, %eax |
566 | - movl %eax, %ds |
567 | - movl %eax, %es |
568 | + jne .Lno_fixup_\@ |
569 | /* switch to normal stack */ |
570 | FIXUP_ESPFIX_STACK |
571 | -27: |
572 | +.Lno_fixup_\@: |
573 | #endif |
574 | .endm |
575 | |
576 | @@ -1341,11 +1374,6 @@ END(spurious_interrupt_bug) |
577 | |
578 | #ifdef CONFIG_XEN_PV |
579 | ENTRY(xen_hypervisor_callback) |
580 | - pushl $-1 /* orig_ax = -1 => not a system call */ |
581 | - SAVE_ALL |
582 | - ENCODE_FRAME_POINTER |
583 | - TRACE_IRQS_OFF |
584 | - |
585 | /* |
586 | * Check to see if we got the event in the critical |
587 | * region in xen_iret_direct, after we've reenabled |
588 | @@ -1353,16 +1381,17 @@ ENTRY(xen_hypervisor_callback) |
589 | * iret instruction's behaviour where it delivers a |
590 | * pending interrupt when enabling interrupts: |
591 | */ |
592 | - movl PT_EIP(%esp), %eax |
593 | - cmpl $xen_iret_start_crit, %eax |
594 | + cmpl $xen_iret_start_crit, (%esp) |
595 | jb 1f |
596 | - cmpl $xen_iret_end_crit, %eax |
597 | + cmpl $xen_iret_end_crit, (%esp) |
598 | jae 1f |
599 | - |
600 | - jmp xen_iret_crit_fixup |
601 | - |
602 | -ENTRY(xen_do_upcall) |
603 | -1: mov %esp, %eax |
604 | + call xen_iret_crit_fixup |
605 | +1: |
606 | + pushl $-1 /* orig_ax = -1 => not a system call */ |
607 | + SAVE_ALL |
608 | + ENCODE_FRAME_POINTER |
609 | + TRACE_IRQS_OFF |
610 | + mov %esp, %eax |
611 | call xen_evtchn_do_upcall |
612 | #ifndef CONFIG_PREEMPTION |
613 | call xen_maybe_preempt_hcall |
614 | @@ -1449,10 +1478,9 @@ END(page_fault) |
615 | |
616 | common_exception_read_cr2: |
617 | /* the function address is in %gs's slot on the stack */ |
618 | - SAVE_ALL switch_stacks=1 skip_gs=1 |
619 | + SAVE_ALL switch_stacks=1 skip_gs=1 unwind_espfix=1 |
620 | |
621 | ENCODE_FRAME_POINTER |
622 | - UNWIND_ESPFIX_STACK |
623 | |
624 | /* fixup %gs */ |
625 | GS_TO_REG %ecx |
626 | @@ -1474,9 +1502,8 @@ END(common_exception_read_cr2) |
627 | |
628 | common_exception: |
629 | /* the function address is in %gs's slot on the stack */ |
630 | - SAVE_ALL switch_stacks=1 skip_gs=1 |
631 | + SAVE_ALL switch_stacks=1 skip_gs=1 unwind_espfix=1 |
632 | ENCODE_FRAME_POINTER |
633 | - UNWIND_ESPFIX_STACK |
634 | |
635 | /* fixup %gs */ |
636 | GS_TO_REG %ecx |
637 | @@ -1515,6 +1542,10 @@ ENTRY(nmi) |
638 | ASM_CLAC |
639 | |
640 | #ifdef CONFIG_X86_ESPFIX32 |
641 | + /* |
642 | + * ESPFIX_SS is only ever set on the return to user path |
643 | + * after we've switched to the entry stack. |
644 | + */ |
645 | pushl %eax |
646 | movl %ss, %eax |
647 | cmpw $__ESPFIX_SS, %ax |
648 | @@ -1550,6 +1581,11 @@ ENTRY(nmi) |
649 | movl %ebx, %esp |
650 | |
651 | .Lnmi_return: |
652 | +#ifdef CONFIG_X86_ESPFIX32 |
653 | + testl $CS_FROM_ESPFIX, PT_CS(%esp) |
654 | + jnz .Lnmi_from_espfix |
655 | +#endif |
656 | + |
657 | CHECK_AND_APPLY_ESPFIX |
658 | RESTORE_ALL_NMI cr3_reg=%edi pop=4 |
659 | jmp .Lirq_return |
660 | @@ -1557,23 +1593,42 @@ ENTRY(nmi) |
661 | #ifdef CONFIG_X86_ESPFIX32 |
662 | .Lnmi_espfix_stack: |
663 | /* |
664 | - * create the pointer to lss back |
665 | + * Create the pointer to LSS back |
666 | */ |
667 | pushl %ss |
668 | pushl %esp |
669 | addl $4, (%esp) |
670 | - /* copy the iret frame of 12 bytes */ |
671 | - .rept 3 |
672 | - pushl 16(%esp) |
673 | - .endr |
674 | - pushl %eax |
675 | - SAVE_ALL_NMI cr3_reg=%edi |
676 | + |
677 | + /* Copy the (short) IRET frame */ |
678 | + pushl 4*4(%esp) # flags |
679 | + pushl 4*4(%esp) # cs |
680 | + pushl 4*4(%esp) # ip |
681 | + |
682 | + pushl %eax # orig_ax |
683 | + |
684 | + SAVE_ALL_NMI cr3_reg=%edi unwind_espfix=1 |
685 | ENCODE_FRAME_POINTER |
686 | - FIXUP_ESPFIX_STACK # %eax == %esp |
687 | + |
688 | + /* clear CS_FROM_KERNEL, set CS_FROM_ESPFIX */ |
689 | + xorl $(CS_FROM_ESPFIX | CS_FROM_KERNEL), PT_CS(%esp) |
690 | + |
691 | xorl %edx, %edx # zero error code |
692 | - call do_nmi |
693 | + movl %esp, %eax # pt_regs pointer |
694 | + jmp .Lnmi_from_sysenter_stack |
695 | + |
696 | +.Lnmi_from_espfix: |
697 | RESTORE_ALL_NMI cr3_reg=%edi |
698 | - lss 12+4(%esp), %esp # back to espfix stack |
699 | + /* |
700 | + * Because we cleared CS_FROM_KERNEL, IRET_FRAME 'forgot' to |
701 | + * fix up the gap and long frame: |
702 | + * |
703 | + * 3 - original frame (exception) |
704 | + * 2 - ESPFIX block (above) |
705 | + * 6 - gap (FIXUP_FRAME) |
706 | + * 5 - long frame (FIXUP_FRAME) |
707 | + * 1 - orig_ax |
708 | + */ |
709 | + lss (1+5+6)*4(%esp), %esp # back to espfix stack |
710 | jmp .Lirq_return |
711 | #endif |
712 | END(nmi) |
713 | diff --git a/arch/x86/include/asm/cpu_entry_area.h b/arch/x86/include/asm/cpu_entry_area.h |
714 | index 8348f7d69fd5..ea866c7bf31d 100644 |
715 | --- a/arch/x86/include/asm/cpu_entry_area.h |
716 | +++ b/arch/x86/include/asm/cpu_entry_area.h |
717 | @@ -78,8 +78,12 @@ struct cpu_entry_area { |
718 | |
719 | /* |
720 | * The GDT is just below entry_stack and thus serves (on x86_64) as |
721 | - * a a read-only guard page. |
722 | + * a read-only guard page. On 32-bit the GDT must be writeable, so |
723 | + * it needs an extra guard page. |
724 | */ |
725 | +#ifdef CONFIG_X86_32 |
726 | + char guard_entry_stack[PAGE_SIZE]; |
727 | +#endif |
728 | struct entry_stack_page entry_stack_page; |
729 | |
730 | /* |
731 | @@ -94,7 +98,6 @@ struct cpu_entry_area { |
732 | */ |
733 | struct cea_exception_stacks estacks; |
734 | #endif |
735 | -#ifdef CONFIG_CPU_SUP_INTEL |
736 | /* |
737 | * Per CPU debug store for Intel performance monitoring. Wastes a |
738 | * full page at the moment. |
739 | @@ -105,11 +108,13 @@ struct cpu_entry_area { |
740 | * Reserve enough fixmap PTEs. |
741 | */ |
742 | struct debug_store_buffers cpu_debug_buffers; |
743 | -#endif |
744 | }; |
745 | |
746 | -#define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area)) |
747 | -#define CPU_ENTRY_AREA_TOT_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS) |
748 | +#define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area)) |
749 | +#define CPU_ENTRY_AREA_ARRAY_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS) |
750 | + |
751 | +/* Total size includes the readonly IDT mapping page as well: */ |
752 | +#define CPU_ENTRY_AREA_TOTAL_SIZE (CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE) |
753 | |
754 | DECLARE_PER_CPU(struct cpu_entry_area *, cpu_entry_area); |
755 | DECLARE_PER_CPU(struct cea_exception_stacks *, cea_exception_stacks); |
756 | @@ -117,13 +122,14 @@ DECLARE_PER_CPU(struct cea_exception_stacks *, cea_exception_stacks); |
757 | extern void setup_cpu_entry_areas(void); |
758 | extern void cea_set_pte(void *cea_vaddr, phys_addr_t pa, pgprot_t flags); |
759 | |
760 | +/* Single page reserved for the readonly IDT mapping: */ |
761 | #define CPU_ENTRY_AREA_RO_IDT CPU_ENTRY_AREA_BASE |
762 | #define CPU_ENTRY_AREA_PER_CPU (CPU_ENTRY_AREA_RO_IDT + PAGE_SIZE) |
763 | |
764 | #define CPU_ENTRY_AREA_RO_IDT_VADDR ((void *)CPU_ENTRY_AREA_RO_IDT) |
765 | |
766 | #define CPU_ENTRY_AREA_MAP_SIZE \ |
767 | - (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_TOT_SIZE - CPU_ENTRY_AREA_BASE) |
768 | + (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE) |
769 | |
770 | extern struct cpu_entry_area *get_cpu_entry_area(int cpu); |
771 | |
772 | diff --git a/arch/x86/include/asm/pgtable_32_types.h b/arch/x86/include/asm/pgtable_32_types.h |
773 | index b0bc0fff5f1f..1636eb8e5a5b 100644 |
774 | --- a/arch/x86/include/asm/pgtable_32_types.h |
775 | +++ b/arch/x86/include/asm/pgtable_32_types.h |
776 | @@ -44,11 +44,11 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */ |
777 | * Define this here and validate with BUILD_BUG_ON() in pgtable_32.c |
778 | * to avoid include recursion hell |
779 | */ |
780 | -#define CPU_ENTRY_AREA_PAGES (NR_CPUS * 40) |
781 | +#define CPU_ENTRY_AREA_PAGES (NR_CPUS * 39) |
782 | |
783 | -#define CPU_ENTRY_AREA_BASE \ |
784 | - ((FIXADDR_TOT_START - PAGE_SIZE * (CPU_ENTRY_AREA_PAGES + 1)) \ |
785 | - & PMD_MASK) |
786 | +/* The +1 is for the readonly IDT page: */ |
787 | +#define CPU_ENTRY_AREA_BASE \ |
788 | + ((FIXADDR_TOT_START - PAGE_SIZE*(CPU_ENTRY_AREA_PAGES+1)) & PMD_MASK) |
789 | |
790 | #define LDT_BASE_ADDR \ |
791 | ((CPU_ENTRY_AREA_BASE - PAGE_SIZE) & PMD_MASK) |
792 | diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h |
793 | index ac3892920419..6669164abadc 100644 |
794 | --- a/arch/x86/include/asm/segment.h |
795 | +++ b/arch/x86/include/asm/segment.h |
796 | @@ -31,6 +31,18 @@ |
797 | */ |
798 | #define SEGMENT_RPL_MASK 0x3 |
799 | |
800 | +/* |
801 | + * When running on Xen PV, the actual privilege level of the kernel is 1, |
802 | + * not 0. Testing the Requested Privilege Level in a segment selector to |
803 | + * determine whether the context is user mode or kernel mode with |
804 | + * SEGMENT_RPL_MASK is wrong because the PV kernel's privilege level |
805 | + * matches the 0x3 mask. |
806 | + * |
807 | + * Testing with USER_SEGMENT_RPL_MASK is valid for both native and Xen PV |
808 | + * kernels because privilege level 2 is never used. |
809 | + */ |
810 | +#define USER_SEGMENT_RPL_MASK 0x2 |
811 | + |
812 | /* User mode is privilege level 3: */ |
813 | #define USER_RPL 0x3 |
814 | |
815 | diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
816 | index 4c7b0fa15a19..8bf64899f56a 100644 |
817 | --- a/arch/x86/kernel/cpu/bugs.c |
818 | +++ b/arch/x86/kernel/cpu/bugs.c |
819 | @@ -39,6 +39,7 @@ static void __init spectre_v2_select_mitigation(void); |
820 | static void __init ssb_select_mitigation(void); |
821 | static void __init l1tf_select_mitigation(void); |
822 | static void __init mds_select_mitigation(void); |
823 | +static void __init mds_print_mitigation(void); |
824 | static void __init taa_select_mitigation(void); |
825 | |
826 | /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ |
827 | @@ -108,6 +109,12 @@ void __init check_bugs(void) |
828 | mds_select_mitigation(); |
829 | taa_select_mitigation(); |
830 | |
831 | + /* |
832 | + * As MDS and TAA mitigations are inter-related, print MDS |
833 | + * mitigation until after TAA mitigation selection is done. |
834 | + */ |
835 | + mds_print_mitigation(); |
836 | + |
837 | arch_smt_update(); |
838 | |
839 | #ifdef CONFIG_X86_32 |
840 | @@ -245,6 +252,12 @@ static void __init mds_select_mitigation(void) |
841 | (mds_nosmt || cpu_mitigations_auto_nosmt())) |
842 | cpu_smt_disable(false); |
843 | } |
844 | +} |
845 | + |
846 | +static void __init mds_print_mitigation(void) |
847 | +{ |
848 | + if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) |
849 | + return; |
850 | |
851 | pr_info("%s\n", mds_strings[mds_mitigation]); |
852 | } |
853 | @@ -304,8 +317,12 @@ static void __init taa_select_mitigation(void) |
854 | return; |
855 | } |
856 | |
857 | - /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */ |
858 | - if (taa_mitigation == TAA_MITIGATION_OFF) |
859 | + /* |
860 | + * TAA mitigation via VERW is turned off if both |
861 | + * tsx_async_abort=off and mds=off are specified. |
862 | + */ |
863 | + if (taa_mitigation == TAA_MITIGATION_OFF && |
864 | + mds_mitigation == MDS_MITIGATION_OFF) |
865 | goto out; |
866 | |
867 | if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) |
868 | @@ -339,6 +356,15 @@ static void __init taa_select_mitigation(void) |
869 | if (taa_nosmt || cpu_mitigations_auto_nosmt()) |
870 | cpu_smt_disable(false); |
871 | |
872 | + /* |
873 | + * Update MDS mitigation, if necessary, as the mds_user_clear is |
874 | + * now enabled for TAA mitigation. |
875 | + */ |
876 | + if (mds_mitigation == MDS_MITIGATION_OFF && |
877 | + boot_cpu_has_bug(X86_BUG_MDS)) { |
878 | + mds_mitigation = MDS_MITIGATION_FULL; |
879 | + mds_select_mitigation(); |
880 | + } |
881 | out: |
882 | pr_info("%s\n", taa_strings[taa_mitigation]); |
883 | } |
884 | diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c |
885 | index 0b8cedb20d6d..d5c9b13bafdf 100644 |
886 | --- a/arch/x86/kernel/doublefault.c |
887 | +++ b/arch/x86/kernel/doublefault.c |
888 | @@ -65,6 +65,9 @@ struct x86_hw_tss doublefault_tss __cacheline_aligned = { |
889 | .ss = __KERNEL_DS, |
890 | .ds = __USER_DS, |
891 | .fs = __KERNEL_PERCPU, |
892 | +#ifndef CONFIG_X86_32_LAZY_GS |
893 | + .gs = __KERNEL_STACK_CANARY, |
894 | +#endif |
895 | |
896 | .__cr3 = __pa_nodebug(swapper_pg_dir), |
897 | }; |
898 | diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S |
899 | index 30f9cb2c0b55..2e6a0676c1f4 100644 |
900 | --- a/arch/x86/kernel/head_32.S |
901 | +++ b/arch/x86/kernel/head_32.S |
902 | @@ -571,6 +571,16 @@ ENTRY(initial_page_table) |
903 | # error "Kernel PMDs should be 1, 2 or 3" |
904 | # endif |
905 | .align PAGE_SIZE /* needs to be page-sized too */ |
906 | + |
907 | +#ifdef CONFIG_PAGE_TABLE_ISOLATION |
908 | + /* |
909 | + * PTI needs another page so sync_initial_pagetable() works correctly |
910 | + * and does not scribble over the data which is placed behind the |
911 | + * actual initial_page_table. See clone_pgd_range(). |
912 | + */ |
913 | + .fill 1024, 4, 0 |
914 | +#endif |
915 | + |
916 | #endif |
917 | |
918 | .data |
919 | diff --git a/arch/x86/mm/cpu_entry_area.c b/arch/x86/mm/cpu_entry_area.c |
920 | index 752ad11d6868..d9643647a9ce 100644 |
921 | --- a/arch/x86/mm/cpu_entry_area.c |
922 | +++ b/arch/x86/mm/cpu_entry_area.c |
923 | @@ -178,7 +178,9 @@ static __init void setup_cpu_entry_area_ptes(void) |
924 | #ifdef CONFIG_X86_32 |
925 | unsigned long start, end; |
926 | |
927 | - BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE); |
928 | + /* The +1 is for the readonly IDT: */ |
929 | + BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE); |
930 | + BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE); |
931 | BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK); |
932 | |
933 | start = CPU_ENTRY_AREA_BASE; |
934 | diff --git a/arch/x86/tools/gen-insn-attr-x86.awk b/arch/x86/tools/gen-insn-attr-x86.awk |
935 | index b02a36b2c14f..a42015b305f4 100644 |
936 | --- a/arch/x86/tools/gen-insn-attr-x86.awk |
937 | +++ b/arch/x86/tools/gen-insn-attr-x86.awk |
938 | @@ -69,7 +69,7 @@ BEGIN { |
939 | |
940 | lprefix1_expr = "\\((66|!F3)\\)" |
941 | lprefix2_expr = "\\(F3\\)" |
942 | - lprefix3_expr = "\\((F2|!F3|66\\&F2)\\)" |
943 | + lprefix3_expr = "\\((F2|!F3|66&F2)\\)" |
944 | lprefix_expr = "\\((66|F2|F3)\\)" |
945 | max_lprefix = 4 |
946 | |
947 | @@ -257,7 +257,7 @@ function convert_operands(count,opnd, i,j,imm,mod) |
948 | return add_flags(imm, mod) |
949 | } |
950 | |
951 | -/^[0-9a-f]+\:/ { |
952 | +/^[0-9a-f]+:/ { |
953 | if (NR == 1) |
954 | next |
955 | # get index |
956 | diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S |
957 | index c15db060a242..cd177772fe4d 100644 |
958 | --- a/arch/x86/xen/xen-asm_32.S |
959 | +++ b/arch/x86/xen/xen-asm_32.S |
960 | @@ -126,10 +126,9 @@ hyper_iret: |
961 | .globl xen_iret_start_crit, xen_iret_end_crit |
962 | |
963 | /* |
964 | - * This is called by xen_hypervisor_callback in entry.S when it sees |
965 | + * This is called by xen_hypervisor_callback in entry_32.S when it sees |
966 | * that the EIP at the time of interrupt was between |
967 | - * xen_iret_start_crit and xen_iret_end_crit. We're passed the EIP in |
968 | - * %eax so we can do a more refined determination of what to do. |
969 | + * xen_iret_start_crit and xen_iret_end_crit. |
970 | * |
971 | * The stack format at this point is: |
972 | * ---------------- |
973 | @@ -138,70 +137,46 @@ hyper_iret: |
974 | * eflags } outer exception info |
975 | * cs } |
976 | * eip } |
977 | - * ---------------- <- edi (copy dest) |
978 | - * eax : outer eax if it hasn't been restored |
979 | * ---------------- |
980 | - * eflags } nested exception info |
981 | - * cs } (no ss/esp because we're nested |
982 | - * eip } from the same ring) |
983 | - * orig_eax }<- esi (copy src) |
984 | - * - - - - - - - - |
985 | - * fs } |
986 | - * es } |
987 | - * ds } SAVE_ALL state |
988 | - * eax } |
989 | - * : : |
990 | - * ebx }<- esp |
991 | + * eax : outer eax if it hasn't been restored |
992 | * ---------------- |
993 | + * eflags } |
994 | + * cs } nested exception info |
995 | + * eip } |
996 | + * return address : (into xen_hypervisor_callback) |
997 | * |
998 | - * In order to deliver the nested exception properly, we need to shift |
999 | - * everything from the return addr up to the error code so it sits |
1000 | - * just under the outer exception info. This means that when we |
1001 | - * handle the exception, we do it in the context of the outer |
1002 | - * exception rather than starting a new one. |
1003 | + * In order to deliver the nested exception properly, we need to discard the |
1004 | + * nested exception frame such that when we handle the exception, we do it |
1005 | + * in the context of the outer exception rather than starting a new one. |
1006 | * |
1007 | - * The only caveat is that if the outer eax hasn't been restored yet |
1008 | - * (ie, it's still on stack), we need to insert its value into the |
1009 | - * SAVE_ALL state before going on, since it's usermode state which we |
1010 | - * eventually need to restore. |
1011 | + * The only caveat is that if the outer eax hasn't been restored yet (i.e. |
1012 | + * it's still on stack), we need to restore its value here. |
1013 | */ |
1014 | ENTRY(xen_iret_crit_fixup) |
1015 | /* |
1016 | * Paranoia: Make sure we're really coming from kernel space. |
1017 | * One could imagine a case where userspace jumps into the |
1018 | * critical range address, but just before the CPU delivers a |
1019 | - * GP, it decides to deliver an interrupt instead. Unlikely? |
1020 | - * Definitely. Easy to avoid? Yes. The Intel documents |
1021 | - * explicitly say that the reported EIP for a bad jump is the |
1022 | - * jump instruction itself, not the destination, but some |
1023 | - * virtual environments get this wrong. |
1024 | + * PF, it decides to deliver an interrupt instead. Unlikely? |
1025 | + * Definitely. Easy to avoid? Yes. |
1026 | */ |
1027 | - movl PT_CS(%esp), %ecx |
1028 | - andl $SEGMENT_RPL_MASK, %ecx |
1029 | - cmpl $USER_RPL, %ecx |
1030 | - je 2f |
1031 | - |
1032 | - lea PT_ORIG_EAX(%esp), %esi |
1033 | - lea PT_EFLAGS(%esp), %edi |
1034 | + testb $2, 2*4(%esp) /* nested CS */ |
1035 | + jnz 2f |
1036 | |
1037 | /* |
1038 | * If eip is before iret_restore_end then stack |
1039 | * hasn't been restored yet. |
1040 | */ |
1041 | - cmp $iret_restore_end, %eax |
1042 | + cmpl $iret_restore_end, 1*4(%esp) |
1043 | jae 1f |
1044 | |
1045 | - movl 0+4(%edi), %eax /* copy EAX (just above top of frame) */ |
1046 | - movl %eax, PT_EAX(%esp) |
1047 | + movl 4*4(%esp), %eax /* load outer EAX */ |
1048 | + ret $4*4 /* discard nested EIP, CS, and EFLAGS as |
1049 | + * well as the just restored EAX */ |
1050 | |
1051 | - lea ESP_OFFSET(%edi), %edi /* move dest up over saved regs */ |
1052 | - |
1053 | - /* set up the copy */ |
1054 | -1: std |
1055 | - mov $PT_EIP / 4, %ecx /* saved regs up to orig_eax */ |
1056 | - rep movsl |
1057 | - cld |
1058 | - |
1059 | - lea 4(%edi), %esp /* point esp to new frame */ |
1060 | -2: jmp xen_do_upcall |
1061 | +1: |
1062 | + ret $3*4 /* discard nested EIP, CS, and EFLAGS */ |
1063 | |
1064 | +2: |
1065 | + ret |
1066 | +END(xen_iret_crit_fixup) |
1067 | diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c |
1068 | index 19e75999bb15..57532465fb83 100644 |
1069 | --- a/drivers/block/nbd.c |
1070 | +++ b/drivers/block/nbd.c |
1071 | @@ -1032,14 +1032,15 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, |
1072 | sockfd_put(sock); |
1073 | return -ENOMEM; |
1074 | } |
1075 | + |
1076 | + config->socks = socks; |
1077 | + |
1078 | nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL); |
1079 | if (!nsock) { |
1080 | sockfd_put(sock); |
1081 | return -ENOMEM; |
1082 | } |
1083 | |
1084 | - config->socks = socks; |
1085 | - |
1086 | nsock->fallback_index = -1; |
1087 | nsock->dead = false; |
1088 | mutex_init(&nsock->tx_lock); |
1089 | diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c |
1090 | index fe2e307009f4..cf4a56095817 100644 |
1091 | --- a/drivers/bluetooth/hci_bcsp.c |
1092 | +++ b/drivers/bluetooth/hci_bcsp.c |
1093 | @@ -591,6 +591,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) |
1094 | if (*ptr == 0xc0) { |
1095 | BT_ERR("Short BCSP packet"); |
1096 | kfree_skb(bcsp->rx_skb); |
1097 | + bcsp->rx_skb = NULL; |
1098 | bcsp->rx_state = BCSP_W4_PKT_START; |
1099 | bcsp->rx_count = 0; |
1100 | } else |
1101 | @@ -606,6 +607,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) |
1102 | bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) { |
1103 | BT_ERR("Error in BCSP hdr checksum"); |
1104 | kfree_skb(bcsp->rx_skb); |
1105 | + bcsp->rx_skb = NULL; |
1106 | bcsp->rx_state = BCSP_W4_PKT_DELIMITER; |
1107 | bcsp->rx_count = 0; |
1108 | continue; |
1109 | @@ -630,6 +632,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) |
1110 | bscp_get_crc(bcsp)); |
1111 | |
1112 | kfree_skb(bcsp->rx_skb); |
1113 | + bcsp->rx_skb = NULL; |
1114 | bcsp->rx_state = BCSP_W4_PKT_DELIMITER; |
1115 | bcsp->rx_count = 0; |
1116 | continue; |
1117 | diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c |
1118 | index 285706618f8a..d9a4c6c691e0 100644 |
1119 | --- a/drivers/bluetooth/hci_ll.c |
1120 | +++ b/drivers/bluetooth/hci_ll.c |
1121 | @@ -621,13 +621,6 @@ static int ll_setup(struct hci_uart *hu) |
1122 | |
1123 | serdev_device_set_flow_control(serdev, true); |
1124 | |
1125 | - if (hu->oper_speed) |
1126 | - speed = hu->oper_speed; |
1127 | - else if (hu->proto->oper_speed) |
1128 | - speed = hu->proto->oper_speed; |
1129 | - else |
1130 | - speed = 0; |
1131 | - |
1132 | do { |
1133 | /* Reset the Bluetooth device */ |
1134 | gpiod_set_value_cansleep(lldev->enable_gpio, 0); |
1135 | @@ -639,20 +632,6 @@ static int ll_setup(struct hci_uart *hu) |
1136 | return err; |
1137 | } |
1138 | |
1139 | - if (speed) { |
1140 | - __le32 speed_le = cpu_to_le32(speed); |
1141 | - struct sk_buff *skb; |
1142 | - |
1143 | - skb = __hci_cmd_sync(hu->hdev, |
1144 | - HCI_VS_UPDATE_UART_HCI_BAUDRATE, |
1145 | - sizeof(speed_le), &speed_le, |
1146 | - HCI_INIT_TIMEOUT); |
1147 | - if (!IS_ERR(skb)) { |
1148 | - kfree_skb(skb); |
1149 | - serdev_device_set_baudrate(serdev, speed); |
1150 | - } |
1151 | - } |
1152 | - |
1153 | err = download_firmware(lldev); |
1154 | if (!err) |
1155 | break; |
1156 | @@ -677,7 +656,25 @@ static int ll_setup(struct hci_uart *hu) |
1157 | } |
1158 | |
1159 | /* Operational speed if any */ |
1160 | + if (hu->oper_speed) |
1161 | + speed = hu->oper_speed; |
1162 | + else if (hu->proto->oper_speed) |
1163 | + speed = hu->proto->oper_speed; |
1164 | + else |
1165 | + speed = 0; |
1166 | + |
1167 | + if (speed) { |
1168 | + __le32 speed_le = cpu_to_le32(speed); |
1169 | + struct sk_buff *skb; |
1170 | |
1171 | + skb = __hci_cmd_sync(hu->hdev, HCI_VS_UPDATE_UART_HCI_BAUDRATE, |
1172 | + sizeof(speed_le), &speed_le, |
1173 | + HCI_INIT_TIMEOUT); |
1174 | + if (!IS_ERR(skb)) { |
1175 | + kfree_skb(skb); |
1176 | + serdev_device_set_baudrate(serdev, speed); |
1177 | + } |
1178 | + } |
1179 | |
1180 | return 0; |
1181 | } |
1182 | diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c |
1183 | index 48a224a6b178..bc19d6c16aaa 100644 |
1184 | --- a/drivers/cpufreq/cpufreq.c |
1185 | +++ b/drivers/cpufreq/cpufreq.c |
1186 | @@ -933,6 +933,9 @@ static ssize_t show(struct kobject *kobj, struct attribute *attr, char *buf) |
1187 | struct freq_attr *fattr = to_attr(attr); |
1188 | ssize_t ret; |
1189 | |
1190 | + if (!fattr->show) |
1191 | + return -EIO; |
1192 | + |
1193 | down_read(&policy->rwsem); |
1194 | ret = fattr->show(policy, buf); |
1195 | up_read(&policy->rwsem); |
1196 | @@ -947,6 +950,9 @@ static ssize_t store(struct kobject *kobj, struct attribute *attr, |
1197 | struct freq_attr *fattr = to_attr(attr); |
1198 | ssize_t ret = -EINVAL; |
1199 | |
1200 | + if (!fattr->store) |
1201 | + return -EIO; |
1202 | + |
1203 | /* |
1204 | * cpus_read_trylock() is used here to work around a circular lock |
1205 | * dependency problem with respect to the cpufreq_register_driver(). |
1206 | diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c |
1207 | index f87f6495652f..eb9782fc93fe 100644 |
1208 | --- a/drivers/md/dm-crypt.c |
1209 | +++ b/drivers/md/dm-crypt.c |
1210 | @@ -2700,21 +2700,18 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) |
1211 | } |
1212 | |
1213 | ret = -ENOMEM; |
1214 | - cc->io_queue = alloc_workqueue("kcryptd_io/%s", |
1215 | - WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, |
1216 | - 1, devname); |
1217 | + cc->io_queue = alloc_workqueue("kcryptd_io/%s", WQ_MEM_RECLAIM, 1, devname); |
1218 | if (!cc->io_queue) { |
1219 | ti->error = "Couldn't create kcryptd io queue"; |
1220 | goto bad; |
1221 | } |
1222 | |
1223 | if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags)) |
1224 | - cc->crypt_queue = alloc_workqueue("kcryptd/%s", |
1225 | - WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, |
1226 | + cc->crypt_queue = alloc_workqueue("kcryptd/%s", WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, |
1227 | 1, devname); |
1228 | else |
1229 | cc->crypt_queue = alloc_workqueue("kcryptd/%s", |
1230 | - WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND, |
1231 | + WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND, |
1232 | num_online_cpus(), devname); |
1233 | if (!cc->crypt_queue) { |
1234 | ti->error = "Couldn't create kcryptd queue"; |
1235 | diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c |
1236 | index 299c7b1c9718..8a62c920bb65 100644 |
1237 | --- a/drivers/md/raid10.c |
1238 | +++ b/drivers/md/raid10.c |
1239 | @@ -191,7 +191,7 @@ static void * r10buf_pool_alloc(gfp_t gfp_flags, void *data) |
1240 | |
1241 | out_free_pages: |
1242 | while (--j >= 0) |
1243 | - resync_free_pages(&rps[j * 2]); |
1244 | + resync_free_pages(&rps[j]); |
1245 | |
1246 | j = 0; |
1247 | out_free_bio: |
1248 | diff --git a/drivers/media/platform/vivid/vivid-kthread-cap.c b/drivers/media/platform/vivid/vivid-kthread-cap.c |
1249 | index 003319d7816d..31f78d6a05a4 100644 |
1250 | --- a/drivers/media/platform/vivid/vivid-kthread-cap.c |
1251 | +++ b/drivers/media/platform/vivid/vivid-kthread-cap.c |
1252 | @@ -796,7 +796,11 @@ static int vivid_thread_vid_cap(void *data) |
1253 | if (kthread_should_stop()) |
1254 | break; |
1255 | |
1256 | - mutex_lock(&dev->mutex); |
1257 | + if (!mutex_trylock(&dev->mutex)) { |
1258 | + schedule_timeout_uninterruptible(1); |
1259 | + continue; |
1260 | + } |
1261 | + |
1262 | cur_jiffies = jiffies; |
1263 | if (dev->cap_seq_resync) { |
1264 | dev->jiffies_vid_cap = cur_jiffies; |
1265 | @@ -956,8 +960,6 @@ void vivid_stop_generating_vid_cap(struct vivid_dev *dev, bool *pstreaming) |
1266 | |
1267 | /* shutdown control thread */ |
1268 | vivid_grab_controls(dev, false); |
1269 | - mutex_unlock(&dev->mutex); |
1270 | kthread_stop(dev->kthread_vid_cap); |
1271 | dev->kthread_vid_cap = NULL; |
1272 | - mutex_lock(&dev->mutex); |
1273 | } |
1274 | diff --git a/drivers/media/platform/vivid/vivid-kthread-out.c b/drivers/media/platform/vivid/vivid-kthread-out.c |
1275 | index ce5bcda2348c..1e165a6a2207 100644 |
1276 | --- a/drivers/media/platform/vivid/vivid-kthread-out.c |
1277 | +++ b/drivers/media/platform/vivid/vivid-kthread-out.c |
1278 | @@ -143,7 +143,11 @@ static int vivid_thread_vid_out(void *data) |
1279 | if (kthread_should_stop()) |
1280 | break; |
1281 | |
1282 | - mutex_lock(&dev->mutex); |
1283 | + if (!mutex_trylock(&dev->mutex)) { |
1284 | + schedule_timeout_uninterruptible(1); |
1285 | + continue; |
1286 | + } |
1287 | + |
1288 | cur_jiffies = jiffies; |
1289 | if (dev->out_seq_resync) { |
1290 | dev->jiffies_vid_out = cur_jiffies; |
1291 | @@ -301,8 +305,6 @@ void vivid_stop_generating_vid_out(struct vivid_dev *dev, bool *pstreaming) |
1292 | |
1293 | /* shutdown control thread */ |
1294 | vivid_grab_controls(dev, false); |
1295 | - mutex_unlock(&dev->mutex); |
1296 | kthread_stop(dev->kthread_vid_out); |
1297 | dev->kthread_vid_out = NULL; |
1298 | - mutex_lock(&dev->mutex); |
1299 | } |
1300 | diff --git a/drivers/media/platform/vivid/vivid-sdr-cap.c b/drivers/media/platform/vivid/vivid-sdr-cap.c |
1301 | index 9acc709b0740..2b7522e16efc 100644 |
1302 | --- a/drivers/media/platform/vivid/vivid-sdr-cap.c |
1303 | +++ b/drivers/media/platform/vivid/vivid-sdr-cap.c |
1304 | @@ -141,7 +141,11 @@ static int vivid_thread_sdr_cap(void *data) |
1305 | if (kthread_should_stop()) |
1306 | break; |
1307 | |
1308 | - mutex_lock(&dev->mutex); |
1309 | + if (!mutex_trylock(&dev->mutex)) { |
1310 | + schedule_timeout_uninterruptible(1); |
1311 | + continue; |
1312 | + } |
1313 | + |
1314 | cur_jiffies = jiffies; |
1315 | if (dev->sdr_cap_seq_resync) { |
1316 | dev->jiffies_sdr_cap = cur_jiffies; |
1317 | @@ -303,10 +307,8 @@ static void sdr_cap_stop_streaming(struct vb2_queue *vq) |
1318 | } |
1319 | |
1320 | /* shutdown control thread */ |
1321 | - mutex_unlock(&dev->mutex); |
1322 | kthread_stop(dev->kthread_sdr_cap); |
1323 | dev->kthread_sdr_cap = NULL; |
1324 | - mutex_lock(&dev->mutex); |
1325 | } |
1326 | |
1327 | static void sdr_cap_buf_request_complete(struct vb2_buffer *vb) |
1328 | diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c |
1329 | index 8cbaa0c998ed..2d030732feac 100644 |
1330 | --- a/drivers/media/platform/vivid/vivid-vid-cap.c |
1331 | +++ b/drivers/media/platform/vivid/vivid-vid-cap.c |
1332 | @@ -223,9 +223,6 @@ static int vid_cap_start_streaming(struct vb2_queue *vq, unsigned count) |
1333 | if (vb2_is_streaming(&dev->vb_vid_out_q)) |
1334 | dev->can_loop_video = vivid_vid_can_loop(dev); |
1335 | |
1336 | - if (dev->kthread_vid_cap) |
1337 | - return 0; |
1338 | - |
1339 | dev->vid_cap_seq_count = 0; |
1340 | dprintk(dev, 1, "%s\n", __func__); |
1341 | for (i = 0; i < VIDEO_MAX_FRAME; i++) |
1342 | diff --git a/drivers/media/platform/vivid/vivid-vid-out.c b/drivers/media/platform/vivid/vivid-vid-out.c |
1343 | index 148b663a6075..a0364ac497f9 100644 |
1344 | --- a/drivers/media/platform/vivid/vivid-vid-out.c |
1345 | +++ b/drivers/media/platform/vivid/vivid-vid-out.c |
1346 | @@ -161,9 +161,6 @@ static int vid_out_start_streaming(struct vb2_queue *vq, unsigned count) |
1347 | if (vb2_is_streaming(&dev->vb_vid_cap_q)) |
1348 | dev->can_loop_video = vivid_vid_can_loop(dev); |
1349 | |
1350 | - if (dev->kthread_vid_out) |
1351 | - return 0; |
1352 | - |
1353 | dev->vid_out_seq_count = 0; |
1354 | dprintk(dev, 1, "%s\n", __func__); |
1355 | if (dev->start_streaming_error) { |
1356 | diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c |
1357 | index 37a850421fbb..c683a244b9fa 100644 |
1358 | --- a/drivers/media/rc/imon.c |
1359 | +++ b/drivers/media/rc/imon.c |
1360 | @@ -1598,8 +1598,7 @@ static void imon_incoming_packet(struct imon_context *ictx, |
1361 | spin_unlock_irqrestore(&ictx->kc_lock, flags); |
1362 | |
1363 | /* send touchscreen events through input subsystem if touchpad data */ |
1364 | - if (ictx->display_type == IMON_DISPLAY_TYPE_VGA && len == 8 && |
1365 | - buf[7] == 0x86) { |
1366 | + if (ictx->touch && len == 8 && buf[7] == 0x86) { |
1367 | imon_touch_event(ictx, buf); |
1368 | return; |
1369 | |
1370 | diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c |
1371 | index 3fc9829a9233..f9616158bcf4 100644 |
1372 | --- a/drivers/media/rc/mceusb.c |
1373 | +++ b/drivers/media/rc/mceusb.c |
1374 | @@ -564,7 +564,7 @@ static int mceusb_cmd_datasize(u8 cmd, u8 subcmd) |
1375 | datasize = 4; |
1376 | break; |
1377 | case MCE_CMD_G_REVISION: |
1378 | - datasize = 2; |
1379 | + datasize = 4; |
1380 | break; |
1381 | case MCE_RSP_EQWAKESUPPORT: |
1382 | case MCE_RSP_GETWAKESOURCE: |
1383 | @@ -600,14 +600,9 @@ static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, |
1384 | char *inout; |
1385 | u8 cmd, subcmd, *data; |
1386 | struct device *dev = ir->dev; |
1387 | - int start, skip = 0; |
1388 | u32 carrier, period; |
1389 | |
1390 | - /* skip meaningless 0xb1 0x60 header bytes on orig receiver */ |
1391 | - if (ir->flags.microsoft_gen1 && !out && !offset) |
1392 | - skip = 2; |
1393 | - |
1394 | - if (len <= skip) |
1395 | + if (offset < 0 || offset >= buf_len) |
1396 | return; |
1397 | |
1398 | dev_dbg(dev, "%cx data[%d]: %*ph (len=%d sz=%d)", |
1399 | @@ -616,11 +611,32 @@ static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, |
1400 | |
1401 | inout = out ? "Request" : "Got"; |
1402 | |
1403 | - start = offset + skip; |
1404 | - cmd = buf[start] & 0xff; |
1405 | - subcmd = buf[start + 1] & 0xff; |
1406 | - data = buf + start + 2; |
1407 | + cmd = buf[offset]; |
1408 | + subcmd = (offset + 1 < buf_len) ? buf[offset + 1] : 0; |
1409 | + data = &buf[offset] + 2; |
1410 | + |
1411 | + /* Trace meaningless 0xb1 0x60 header bytes on original receiver */ |
1412 | + if (ir->flags.microsoft_gen1 && !out && !offset) { |
1413 | + dev_dbg(dev, "MCE gen 1 header"); |
1414 | + return; |
1415 | + } |
1416 | + |
1417 | + /* Trace IR data header or trailer */ |
1418 | + if (cmd != MCE_CMD_PORT_IR && |
1419 | + (cmd & MCE_PORT_MASK) == MCE_COMMAND_IRDATA) { |
1420 | + if (cmd == MCE_IRDATA_TRAILER) |
1421 | + dev_dbg(dev, "End of raw IR data"); |
1422 | + else |
1423 | + dev_dbg(dev, "Raw IR data, %d pulse/space samples", |
1424 | + cmd & MCE_PACKET_LENGTH_MASK); |
1425 | + return; |
1426 | + } |
1427 | + |
1428 | + /* Unexpected end of buffer? */ |
1429 | + if (offset + len > buf_len) |
1430 | + return; |
1431 | |
1432 | + /* Decode MCE command/response */ |
1433 | switch (cmd) { |
1434 | case MCE_CMD_NULL: |
1435 | if (subcmd == MCE_CMD_NULL) |
1436 | @@ -644,7 +660,7 @@ static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, |
1437 | dev_dbg(dev, "Get hw/sw rev?"); |
1438 | else |
1439 | dev_dbg(dev, "hw/sw rev %*ph", |
1440 | - 4, &buf[start + 2]); |
1441 | + 4, &buf[offset + 2]); |
1442 | break; |
1443 | case MCE_CMD_RESUME: |
1444 | dev_dbg(dev, "Device resume requested"); |
1445 | @@ -746,13 +762,6 @@ static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, |
1446 | default: |
1447 | break; |
1448 | } |
1449 | - |
1450 | - if (cmd == MCE_IRDATA_TRAILER) |
1451 | - dev_dbg(dev, "End of raw IR data"); |
1452 | - else if ((cmd != MCE_CMD_PORT_IR) && |
1453 | - ((cmd & MCE_PORT_MASK) == MCE_COMMAND_IRDATA)) |
1454 | - dev_dbg(dev, "Raw IR data, %d pulse/space samples", |
1455 | - cmd & MCE_PACKET_LENGTH_MASK); |
1456 | #endif |
1457 | } |
1458 | |
1459 | @@ -1136,32 +1145,62 @@ static int mceusb_set_rx_carrier_report(struct rc_dev *dev, int enable) |
1460 | } |
1461 | |
1462 | /* |
1463 | + * Handle PORT_SYS/IR command response received from the MCE device. |
1464 | + * |
1465 | + * Assumes single response with all its data (not truncated) |
1466 | + * in buf_in[]. The response itself determines its total length |
1467 | + * (mceusb_cmd_datasize() + 2) and hence the minimum size of buf_in[]. |
1468 | + * |
1469 | * We don't do anything but print debug spew for many of the command bits |
1470 | * we receive from the hardware, but some of them are useful information |
1471 | * we want to store so that we can use them. |
1472 | */ |
1473 | -static void mceusb_handle_command(struct mceusb_dev *ir, int index) |
1474 | +static void mceusb_handle_command(struct mceusb_dev *ir, u8 *buf_in) |
1475 | { |
1476 | + u8 cmd = buf_in[0]; |
1477 | + u8 subcmd = buf_in[1]; |
1478 | + u8 *hi = &buf_in[2]; /* read only when required */ |
1479 | + u8 *lo = &buf_in[3]; /* read only when required */ |
1480 | struct ir_raw_event rawir = {}; |
1481 | - u8 hi = ir->buf_in[index + 1] & 0xff; |
1482 | - u8 lo = ir->buf_in[index + 2] & 0xff; |
1483 | u32 carrier_cycles; |
1484 | u32 cycles_fix; |
1485 | |
1486 | - switch (ir->buf_in[index]) { |
1487 | - /* the one and only 5-byte return value command */ |
1488 | - case MCE_RSP_GETPORTSTATUS: |
1489 | - if ((ir->buf_in[index + 4] & 0xff) == 0x00) |
1490 | - ir->txports_cabled |= 1 << hi; |
1491 | - break; |
1492 | + if (cmd == MCE_CMD_PORT_SYS) { |
1493 | + switch (subcmd) { |
1494 | + /* the one and only 5-byte return value command */ |
1495 | + case MCE_RSP_GETPORTSTATUS: |
1496 | + if (buf_in[5] == 0) |
1497 | + ir->txports_cabled |= 1 << *hi; |
1498 | + break; |
1499 | + |
1500 | + /* 1-byte return value commands */ |
1501 | + case MCE_RSP_EQEMVER: |
1502 | + ir->emver = *hi; |
1503 | + break; |
1504 | + |
1505 | + /* No return value commands */ |
1506 | + case MCE_RSP_CMD_ILLEGAL: |
1507 | + ir->need_reset = true; |
1508 | + break; |
1509 | + |
1510 | + default: |
1511 | + break; |
1512 | + } |
1513 | + |
1514 | + return; |
1515 | + } |
1516 | |
1517 | + if (cmd != MCE_CMD_PORT_IR) |
1518 | + return; |
1519 | + |
1520 | + switch (subcmd) { |
1521 | /* 2-byte return value commands */ |
1522 | case MCE_RSP_EQIRTIMEOUT: |
1523 | - ir->rc->timeout = US_TO_NS((hi << 8 | lo) * MCE_TIME_UNIT); |
1524 | + ir->rc->timeout = US_TO_NS((*hi << 8 | *lo) * MCE_TIME_UNIT); |
1525 | break; |
1526 | case MCE_RSP_EQIRNUMPORTS: |
1527 | - ir->num_txports = hi; |
1528 | - ir->num_rxports = lo; |
1529 | + ir->num_txports = *hi; |
1530 | + ir->num_rxports = *lo; |
1531 | break; |
1532 | case MCE_RSP_EQIRRXCFCNT: |
1533 | /* |
1534 | @@ -1174,7 +1213,7 @@ static void mceusb_handle_command(struct mceusb_dev *ir, int index) |
1535 | */ |
1536 | if (ir->carrier_report_enabled && ir->learning_active && |
1537 | ir->pulse_tunit > 0) { |
1538 | - carrier_cycles = (hi << 8 | lo); |
1539 | + carrier_cycles = (*hi << 8 | *lo); |
1540 | /* |
1541 | * Adjust carrier cycle count by adding |
1542 | * 1 missed count per pulse "on" |
1543 | @@ -1192,24 +1231,24 @@ static void mceusb_handle_command(struct mceusb_dev *ir, int index) |
1544 | break; |
1545 | |
1546 | /* 1-byte return value commands */ |
1547 | - case MCE_RSP_EQEMVER: |
1548 | - ir->emver = hi; |
1549 | - break; |
1550 | case MCE_RSP_EQIRTXPORTS: |
1551 | - ir->tx_mask = hi; |
1552 | + ir->tx_mask = *hi; |
1553 | break; |
1554 | case MCE_RSP_EQIRRXPORTEN: |
1555 | - ir->learning_active = ((hi & 0x02) == 0x02); |
1556 | - if (ir->rxports_active != hi) { |
1557 | + ir->learning_active = ((*hi & 0x02) == 0x02); |
1558 | + if (ir->rxports_active != *hi) { |
1559 | dev_info(ir->dev, "%s-range (0x%x) receiver active", |
1560 | - ir->learning_active ? "short" : "long", hi); |
1561 | - ir->rxports_active = hi; |
1562 | + ir->learning_active ? "short" : "long", *hi); |
1563 | + ir->rxports_active = *hi; |
1564 | } |
1565 | break; |
1566 | + |
1567 | + /* No return value commands */ |
1568 | case MCE_RSP_CMD_ILLEGAL: |
1569 | case MCE_RSP_TX_TIMEOUT: |
1570 | ir->need_reset = true; |
1571 | break; |
1572 | + |
1573 | default: |
1574 | break; |
1575 | } |
1576 | @@ -1235,7 +1274,8 @@ static void mceusb_process_ir_data(struct mceusb_dev *ir, int buf_len) |
1577 | ir->rem = mceusb_cmd_datasize(ir->cmd, ir->buf_in[i]); |
1578 | mceusb_dev_printdata(ir, ir->buf_in, buf_len, i - 1, |
1579 | ir->rem + 2, false); |
1580 | - mceusb_handle_command(ir, i); |
1581 | + if (i + ir->rem < buf_len) |
1582 | + mceusb_handle_command(ir, &ir->buf_in[i - 1]); |
1583 | ir->parser_state = CMD_DATA; |
1584 | break; |
1585 | case PARSE_IRDATA: |
1586 | @@ -1264,15 +1304,22 @@ static void mceusb_process_ir_data(struct mceusb_dev *ir, int buf_len) |
1587 | ir->rem--; |
1588 | break; |
1589 | case CMD_HEADER: |
1590 | - /* decode mce packets of the form (84),AA,BB,CC,DD */ |
1591 | - /* IR data packets can span USB messages - rem */ |
1592 | ir->cmd = ir->buf_in[i]; |
1593 | if ((ir->cmd == MCE_CMD_PORT_IR) || |
1594 | ((ir->cmd & MCE_PORT_MASK) != |
1595 | MCE_COMMAND_IRDATA)) { |
1596 | + /* |
1597 | + * got PORT_SYS, PORT_IR, or unknown |
1598 | + * command response prefix |
1599 | + */ |
1600 | ir->parser_state = SUBCMD; |
1601 | continue; |
1602 | } |
1603 | + /* |
1604 | + * got IR data prefix (0x80 + num_bytes) |
1605 | + * decode MCE packets of the form {0x83, AA, BB, CC} |
1606 | + * IR data packets can span USB messages |
1607 | + */ |
1608 | ir->rem = (ir->cmd & MCE_PACKET_LENGTH_MASK); |
1609 | mceusb_dev_printdata(ir, ir->buf_in, buf_len, |
1610 | i, ir->rem + 1, false); |
1611 | @@ -1296,6 +1343,14 @@ static void mceusb_process_ir_data(struct mceusb_dev *ir, int buf_len) |
1612 | if (ir->parser_state != CMD_HEADER && !ir->rem) |
1613 | ir->parser_state = CMD_HEADER; |
1614 | } |
1615 | + |
1616 | + /* |
1617 | + * Accept IR data spanning multiple rx buffers. |
1618 | + * Reject MCE command response spanning multiple rx buffers. |
1619 | + */ |
1620 | + if (ir->parser_state != PARSE_IRDATA || !ir->rem) |
1621 | + ir->parser_state = CMD_HEADER; |
1622 | + |
1623 | if (event) { |
1624 | dev_dbg(ir->dev, "processed IR data"); |
1625 | ir_raw_event_handle(ir->rc); |
1626 | diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c |
1627 | index 1826ff825c2e..1a801dc286f8 100644 |
1628 | --- a/drivers/media/usb/b2c2/flexcop-usb.c |
1629 | +++ b/drivers/media/usb/b2c2/flexcop-usb.c |
1630 | @@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf, |
1631 | struct flexcop_device *fc = NULL; |
1632 | int ret; |
1633 | |
1634 | + if (intf->cur_altsetting->desc.bNumEndpoints < 1) |
1635 | + return -ENODEV; |
1636 | + |
1637 | if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) { |
1638 | err("out of memory\n"); |
1639 | return -ENOMEM; |
1640 | diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c |
1641 | index f02fa0a67aa4..fac19ec46089 100644 |
1642 | --- a/drivers/media/usb/dvb-usb/cxusb.c |
1643 | +++ b/drivers/media/usb/dvb-usb/cxusb.c |
1644 | @@ -521,7 +521,8 @@ static int cxusb_rc_query(struct dvb_usb_device *d) |
1645 | { |
1646 | u8 ircode[4]; |
1647 | |
1648 | - cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4); |
1649 | + if (cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4) < 0) |
1650 | + return 0; |
1651 | |
1652 | if (ircode[2] || ircode[3]) |
1653 | rc_keydown(d->rc_dev, RC_PROTO_NEC, |
1654 | diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c |
1655 | index cdc66adda755..93d36aab824f 100644 |
1656 | --- a/drivers/media/usb/usbvision/usbvision-video.c |
1657 | +++ b/drivers/media/usb/usbvision/usbvision-video.c |
1658 | @@ -314,6 +314,10 @@ static int usbvision_v4l2_open(struct file *file) |
1659 | if (mutex_lock_interruptible(&usbvision->v4l2_lock)) |
1660 | return -ERESTARTSYS; |
1661 | |
1662 | + if (usbvision->remove_pending) { |
1663 | + err_code = -ENODEV; |
1664 | + goto unlock; |
1665 | + } |
1666 | if (usbvision->user) { |
1667 | err_code = -EBUSY; |
1668 | } else { |
1669 | @@ -377,6 +381,7 @@ unlock: |
1670 | static int usbvision_v4l2_close(struct file *file) |
1671 | { |
1672 | struct usb_usbvision *usbvision = video_drvdata(file); |
1673 | + int r; |
1674 | |
1675 | PDEBUG(DBG_IO, "close"); |
1676 | |
1677 | @@ -391,9 +396,10 @@ static int usbvision_v4l2_close(struct file *file) |
1678 | usbvision_scratch_free(usbvision); |
1679 | |
1680 | usbvision->user--; |
1681 | + r = usbvision->remove_pending; |
1682 | mutex_unlock(&usbvision->v4l2_lock); |
1683 | |
1684 | - if (usbvision->remove_pending) { |
1685 | + if (r) { |
1686 | printk(KERN_INFO "%s: Final disconnect\n", __func__); |
1687 | usbvision_release(usbvision); |
1688 | return 0; |
1689 | @@ -453,6 +459,9 @@ static int vidioc_querycap(struct file *file, void *priv, |
1690 | { |
1691 | struct usb_usbvision *usbvision = video_drvdata(file); |
1692 | |
1693 | + if (!usbvision->dev) |
1694 | + return -ENODEV; |
1695 | + |
1696 | strscpy(vc->driver, "USBVision", sizeof(vc->driver)); |
1697 | strscpy(vc->card, |
1698 | usbvision_device_data[usbvision->dev_model].model_string, |
1699 | @@ -1061,6 +1070,11 @@ static int usbvision_radio_open(struct file *file) |
1700 | |
1701 | if (mutex_lock_interruptible(&usbvision->v4l2_lock)) |
1702 | return -ERESTARTSYS; |
1703 | + |
1704 | + if (usbvision->remove_pending) { |
1705 | + err_code = -ENODEV; |
1706 | + goto out; |
1707 | + } |
1708 | err_code = v4l2_fh_open(file); |
1709 | if (err_code) |
1710 | goto out; |
1711 | @@ -1093,21 +1107,24 @@ out: |
1712 | static int usbvision_radio_close(struct file *file) |
1713 | { |
1714 | struct usb_usbvision *usbvision = video_drvdata(file); |
1715 | + int r; |
1716 | |
1717 | PDEBUG(DBG_IO, ""); |
1718 | |
1719 | mutex_lock(&usbvision->v4l2_lock); |
1720 | /* Set packet size to 0 */ |
1721 | usbvision->iface_alt = 0; |
1722 | - usb_set_interface(usbvision->dev, usbvision->iface, |
1723 | - usbvision->iface_alt); |
1724 | + if (usbvision->dev) |
1725 | + usb_set_interface(usbvision->dev, usbvision->iface, |
1726 | + usbvision->iface_alt); |
1727 | |
1728 | usbvision_audio_off(usbvision); |
1729 | usbvision->radio = 0; |
1730 | usbvision->user--; |
1731 | + r = usbvision->remove_pending; |
1732 | mutex_unlock(&usbvision->v4l2_lock); |
1733 | |
1734 | - if (usbvision->remove_pending) { |
1735 | + if (r) { |
1736 | printk(KERN_INFO "%s: Final disconnect\n", __func__); |
1737 | v4l2_fh_release(file); |
1738 | usbvision_release(usbvision); |
1739 | @@ -1539,6 +1556,7 @@ err_usb: |
1740 | static void usbvision_disconnect(struct usb_interface *intf) |
1741 | { |
1742 | struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf)); |
1743 | + int u; |
1744 | |
1745 | PDEBUG(DBG_PROBE, ""); |
1746 | |
1747 | @@ -1555,13 +1573,14 @@ static void usbvision_disconnect(struct usb_interface *intf) |
1748 | v4l2_device_disconnect(&usbvision->v4l2_dev); |
1749 | usbvision_i2c_unregister(usbvision); |
1750 | usbvision->remove_pending = 1; /* Now all ISO data will be ignored */ |
1751 | + u = usbvision->user; |
1752 | |
1753 | usb_put_dev(usbvision->dev); |
1754 | usbvision->dev = NULL; /* USB device is no more */ |
1755 | |
1756 | mutex_unlock(&usbvision->v4l2_lock); |
1757 | |
1758 | - if (usbvision->user) { |
1759 | + if (u) { |
1760 | printk(KERN_INFO "%s: In use, disconnect pending\n", |
1761 | __func__); |
1762 | wake_up_interruptible(&usbvision->wait_frame); |
1763 | diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c |
1764 | index 66ee168ddc7e..428235ca2635 100644 |
1765 | --- a/drivers/media/usb/uvc/uvc_driver.c |
1766 | +++ b/drivers/media/usb/uvc/uvc_driver.c |
1767 | @@ -2151,6 +2151,20 @@ static int uvc_probe(struct usb_interface *intf, |
1768 | sizeof(dev->name) - len); |
1769 | } |
1770 | |
1771 | + /* Initialize the media device. */ |
1772 | +#ifdef CONFIG_MEDIA_CONTROLLER |
1773 | + dev->mdev.dev = &intf->dev; |
1774 | + strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model)); |
1775 | + if (udev->serial) |
1776 | + strscpy(dev->mdev.serial, udev->serial, |
1777 | + sizeof(dev->mdev.serial)); |
1778 | + usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info)); |
1779 | + dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice); |
1780 | + media_device_init(&dev->mdev); |
1781 | + |
1782 | + dev->vdev.mdev = &dev->mdev; |
1783 | +#endif |
1784 | + |
1785 | /* Parse the Video Class control descriptor. */ |
1786 | if (uvc_parse_control(dev) < 0) { |
1787 | uvc_trace(UVC_TRACE_PROBE, "Unable to parse UVC " |
1788 | @@ -2171,19 +2185,7 @@ static int uvc_probe(struct usb_interface *intf, |
1789 | "linux-uvc-devel mailing list.\n"); |
1790 | } |
1791 | |
1792 | - /* Initialize the media device and register the V4L2 device. */ |
1793 | -#ifdef CONFIG_MEDIA_CONTROLLER |
1794 | - dev->mdev.dev = &intf->dev; |
1795 | - strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model)); |
1796 | - if (udev->serial) |
1797 | - strscpy(dev->mdev.serial, udev->serial, |
1798 | - sizeof(dev->mdev.serial)); |
1799 | - usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info)); |
1800 | - dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice); |
1801 | - media_device_init(&dev->mdev); |
1802 | - |
1803 | - dev->vdev.mdev = &dev->mdev; |
1804 | -#endif |
1805 | + /* Register the V4L2 device. */ |
1806 | if (v4l2_device_register(&intf->dev, &dev->vdev) < 0) |
1807 | goto error; |
1808 | |
1809 | diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c |
1810 | index a0b4d265c6eb..347bb92e4130 100644 |
1811 | --- a/drivers/net/wireless/ath/ath10k/pci.c |
1812 | +++ b/drivers/net/wireless/ath/ath10k/pci.c |
1813 | @@ -3490,7 +3490,7 @@ static int ath10k_pci_probe(struct pci_dev *pdev, |
1814 | struct ath10k_pci *ar_pci; |
1815 | enum ath10k_hw_rev hw_rev; |
1816 | struct ath10k_bus_params bus_params = {}; |
1817 | - bool pci_ps; |
1818 | + bool pci_ps, is_qca988x = false; |
1819 | int (*pci_soft_reset)(struct ath10k *ar); |
1820 | int (*pci_hard_reset)(struct ath10k *ar); |
1821 | u32 (*targ_cpu_to_ce_addr)(struct ath10k *ar, u32 addr); |
1822 | @@ -3500,6 +3500,7 @@ static int ath10k_pci_probe(struct pci_dev *pdev, |
1823 | case QCA988X_2_0_DEVICE_ID: |
1824 | hw_rev = ATH10K_HW_QCA988X; |
1825 | pci_ps = false; |
1826 | + is_qca988x = true; |
1827 | pci_soft_reset = ath10k_pci_warm_reset; |
1828 | pci_hard_reset = ath10k_pci_qca988x_chip_reset; |
1829 | targ_cpu_to_ce_addr = ath10k_pci_qca988x_targ_cpu_to_ce_addr; |
1830 | @@ -3619,25 +3620,34 @@ static int ath10k_pci_probe(struct pci_dev *pdev, |
1831 | goto err_deinit_irq; |
1832 | } |
1833 | |
1834 | + bus_params.dev_type = ATH10K_DEV_TYPE_LL; |
1835 | + bus_params.link_can_suspend = true; |
1836 | + /* Read CHIP_ID before reset to catch QCA9880-AR1A v1 devices that |
1837 | + * fall off the bus during chip_reset. These chips have the same pci |
1838 | + * device id as the QCA9880 BR4A or 2R4E. So that's why the check. |
1839 | + */ |
1840 | + if (is_qca988x) { |
1841 | + bus_params.chip_id = |
1842 | + ath10k_pci_soc_read32(ar, SOC_CHIP_ID_ADDRESS); |
1843 | + if (bus_params.chip_id != 0xffffffff) { |
1844 | + if (!ath10k_pci_chip_is_supported(pdev->device, |
1845 | + bus_params.chip_id)) |
1846 | + goto err_unsupported; |
1847 | + } |
1848 | + } |
1849 | + |
1850 | ret = ath10k_pci_chip_reset(ar); |
1851 | if (ret) { |
1852 | ath10k_err(ar, "failed to reset chip: %d\n", ret); |
1853 | goto err_free_irq; |
1854 | } |
1855 | |
1856 | - bus_params.dev_type = ATH10K_DEV_TYPE_LL; |
1857 | - bus_params.link_can_suspend = true; |
1858 | bus_params.chip_id = ath10k_pci_soc_read32(ar, SOC_CHIP_ID_ADDRESS); |
1859 | - if (bus_params.chip_id == 0xffffffff) { |
1860 | - ath10k_err(ar, "failed to get chip id\n"); |
1861 | - goto err_free_irq; |
1862 | - } |
1863 | + if (bus_params.chip_id == 0xffffffff) |
1864 | + goto err_unsupported; |
1865 | |
1866 | - if (!ath10k_pci_chip_is_supported(pdev->device, bus_params.chip_id)) { |
1867 | - ath10k_err(ar, "device %04x with chip_id %08x isn't supported\n", |
1868 | - pdev->device, bus_params.chip_id); |
1869 | + if (!ath10k_pci_chip_is_supported(pdev->device, bus_params.chip_id)) |
1870 | goto err_free_irq; |
1871 | - } |
1872 | |
1873 | ret = ath10k_core_register(ar, &bus_params); |
1874 | if (ret) { |
1875 | @@ -3647,6 +3657,10 @@ static int ath10k_pci_probe(struct pci_dev *pdev, |
1876 | |
1877 | return 0; |
1878 | |
1879 | +err_unsupported: |
1880 | + ath10k_err(ar, "device %04x with chip_id %08x isn't supported\n", |
1881 | + pdev->device, bus_params.chip_id); |
1882 | + |
1883 | err_free_irq: |
1884 | ath10k_pci_free_irq(ar); |
1885 | ath10k_pci_rx_retry_sync(ar); |
1886 | diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c |
1887 | index 3b63b6257c43..545ac1f06997 100644 |
1888 | --- a/drivers/net/wireless/ath/ath10k/qmi.c |
1889 | +++ b/drivers/net/wireless/ath/ath10k/qmi.c |
1890 | @@ -581,22 +581,29 @@ static int ath10k_qmi_host_cap_send_sync(struct ath10k_qmi *qmi) |
1891 | { |
1892 | struct wlfw_host_cap_resp_msg_v01 resp = {}; |
1893 | struct wlfw_host_cap_req_msg_v01 req = {}; |
1894 | + struct qmi_elem_info *req_ei; |
1895 | struct ath10k *ar = qmi->ar; |
1896 | + struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); |
1897 | struct qmi_txn txn; |
1898 | int ret; |
1899 | |
1900 | req.daemon_support_valid = 1; |
1901 | req.daemon_support = 0; |
1902 | |
1903 | - ret = qmi_txn_init(&qmi->qmi_hdl, &txn, |
1904 | - wlfw_host_cap_resp_msg_v01_ei, &resp); |
1905 | + ret = qmi_txn_init(&qmi->qmi_hdl, &txn, wlfw_host_cap_resp_msg_v01_ei, |
1906 | + &resp); |
1907 | if (ret < 0) |
1908 | goto out; |
1909 | |
1910 | + if (test_bit(ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK, &ar_snoc->flags)) |
1911 | + req_ei = wlfw_host_cap_8bit_req_msg_v01_ei; |
1912 | + else |
1913 | + req_ei = wlfw_host_cap_req_msg_v01_ei; |
1914 | + |
1915 | ret = qmi_send_request(&qmi->qmi_hdl, NULL, &txn, |
1916 | QMI_WLFW_HOST_CAP_REQ_V01, |
1917 | WLFW_HOST_CAP_REQ_MSG_V01_MAX_MSG_LEN, |
1918 | - wlfw_host_cap_req_msg_v01_ei, &req); |
1919 | + req_ei, &req); |
1920 | if (ret < 0) { |
1921 | qmi_txn_cancel(&txn); |
1922 | ath10k_err(ar, "failed to send host capability request: %d\n", ret); |
1923 | diff --git a/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.c b/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.c |
1924 | index 1fe05c6218c3..86fcf4e1de5f 100644 |
1925 | --- a/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.c |
1926 | +++ b/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.c |
1927 | @@ -1988,6 +1988,28 @@ struct qmi_elem_info wlfw_host_cap_req_msg_v01_ei[] = { |
1928 | {} |
1929 | }; |
1930 | |
1931 | +struct qmi_elem_info wlfw_host_cap_8bit_req_msg_v01_ei[] = { |
1932 | + { |
1933 | + .data_type = QMI_OPT_FLAG, |
1934 | + .elem_len = 1, |
1935 | + .elem_size = sizeof(u8), |
1936 | + .array_type = NO_ARRAY, |
1937 | + .tlv_type = 0x10, |
1938 | + .offset = offsetof(struct wlfw_host_cap_req_msg_v01, |
1939 | + daemon_support_valid), |
1940 | + }, |
1941 | + { |
1942 | + .data_type = QMI_UNSIGNED_1_BYTE, |
1943 | + .elem_len = 1, |
1944 | + .elem_size = sizeof(u8), |
1945 | + .array_type = NO_ARRAY, |
1946 | + .tlv_type = 0x10, |
1947 | + .offset = offsetof(struct wlfw_host_cap_req_msg_v01, |
1948 | + daemon_support), |
1949 | + }, |
1950 | + {} |
1951 | +}; |
1952 | + |
1953 | struct qmi_elem_info wlfw_host_cap_resp_msg_v01_ei[] = { |
1954 | { |
1955 | .data_type = QMI_STRUCT, |
1956 | diff --git a/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.h b/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.h |
1957 | index bca1186e1560..4d107e1364a8 100644 |
1958 | --- a/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.h |
1959 | +++ b/drivers/net/wireless/ath/ath10k/qmi_wlfw_v01.h |
1960 | @@ -575,6 +575,7 @@ struct wlfw_host_cap_req_msg_v01 { |
1961 | |
1962 | #define WLFW_HOST_CAP_REQ_MSG_V01_MAX_MSG_LEN 189 |
1963 | extern struct qmi_elem_info wlfw_host_cap_req_msg_v01_ei[]; |
1964 | +extern struct qmi_elem_info wlfw_host_cap_8bit_req_msg_v01_ei[]; |
1965 | |
1966 | struct wlfw_host_cap_resp_msg_v01 { |
1967 | struct qmi_response_type_v01 resp; |
1968 | diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c |
1969 | index b491361e6ed4..fc15a0037f0e 100644 |
1970 | --- a/drivers/net/wireless/ath/ath10k/snoc.c |
1971 | +++ b/drivers/net/wireless/ath/ath10k/snoc.c |
1972 | @@ -1261,6 +1261,15 @@ out: |
1973 | return ret; |
1974 | } |
1975 | |
1976 | +static void ath10k_snoc_quirks_init(struct ath10k *ar) |
1977 | +{ |
1978 | + struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); |
1979 | + struct device *dev = &ar_snoc->dev->dev; |
1980 | + |
1981 | + if (of_property_read_bool(dev->of_node, "qcom,snoc-host-cap-8bit-quirk")) |
1982 | + set_bit(ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK, &ar_snoc->flags); |
1983 | +} |
1984 | + |
1985 | int ath10k_snoc_fw_indication(struct ath10k *ar, u64 type) |
1986 | { |
1987 | struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); |
1988 | @@ -1678,6 +1687,8 @@ static int ath10k_snoc_probe(struct platform_device *pdev) |
1989 | ar->ce_priv = &ar_snoc->ce; |
1990 | msa_size = drv_data->msa_size; |
1991 | |
1992 | + ath10k_snoc_quirks_init(ar); |
1993 | + |
1994 | ret = ath10k_snoc_resource_init(ar); |
1995 | if (ret) { |
1996 | ath10k_warn(ar, "failed to initialize resource: %d\n", ret); |
1997 | diff --git a/drivers/net/wireless/ath/ath10k/snoc.h b/drivers/net/wireless/ath/ath10k/snoc.h |
1998 | index d62f53501fbb..9db823e46314 100644 |
1999 | --- a/drivers/net/wireless/ath/ath10k/snoc.h |
2000 | +++ b/drivers/net/wireless/ath/ath10k/snoc.h |
2001 | @@ -63,6 +63,7 @@ enum ath10k_snoc_flags { |
2002 | ATH10K_SNOC_FLAG_REGISTERED, |
2003 | ATH10K_SNOC_FLAG_UNREGISTERING, |
2004 | ATH10K_SNOC_FLAG_RECOVERY, |
2005 | + ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK, |
2006 | }; |
2007 | |
2008 | struct ath10k_snoc { |
2009 | diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c |
2010 | index e1420f67f776..9ebe74ee4aef 100644 |
2011 | --- a/drivers/net/wireless/ath/ath10k/usb.c |
2012 | +++ b/drivers/net/wireless/ath/ath10k/usb.c |
2013 | @@ -38,6 +38,10 @@ ath10k_usb_alloc_urb_from_pipe(struct ath10k_usb_pipe *pipe) |
2014 | struct ath10k_urb_context *urb_context = NULL; |
2015 | unsigned long flags; |
2016 | |
2017 | + /* bail if this pipe is not initialized */ |
2018 | + if (!pipe->ar_usb) |
2019 | + return NULL; |
2020 | + |
2021 | spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); |
2022 | if (!list_empty(&pipe->urb_list_head)) { |
2023 | urb_context = list_first_entry(&pipe->urb_list_head, |
2024 | @@ -55,6 +59,10 @@ static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe, |
2025 | { |
2026 | unsigned long flags; |
2027 | |
2028 | + /* bail if this pipe is not initialized */ |
2029 | + if (!pipe->ar_usb) |
2030 | + return; |
2031 | + |
2032 | spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); |
2033 | |
2034 | pipe->urb_cnt++; |
2035 | diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |
2036 | index 2b29bf4730f6..b4885a700296 100644 |
2037 | --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |
2038 | +++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |
2039 | @@ -4183,7 +4183,7 @@ static void ar9003_hw_thermometer_apply(struct ath_hw *ah) |
2040 | |
2041 | static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah) |
2042 | { |
2043 | - u32 data, ko, kg; |
2044 | + u32 data = 0, ko, kg; |
2045 | |
2046 | if (!AR_SREV_9462_20_OR_LATER(ah)) |
2047 | return; |
2048 | diff --git a/drivers/staging/comedi/drivers/usbduxfast.c b/drivers/staging/comedi/drivers/usbduxfast.c |
2049 | index 04bc488385e6..4af012968cb6 100644 |
2050 | --- a/drivers/staging/comedi/drivers/usbduxfast.c |
2051 | +++ b/drivers/staging/comedi/drivers/usbduxfast.c |
2052 | @@ -1,6 +1,6 @@ |
2053 | // SPDX-License-Identifier: GPL-2.0+ |
2054 | /* |
2055 | - * Copyright (C) 2004-2014 Bernd Porr, mail@berndporr.me.uk |
2056 | + * Copyright (C) 2004-2019 Bernd Porr, mail@berndporr.me.uk |
2057 | */ |
2058 | |
2059 | /* |
2060 | @@ -8,7 +8,7 @@ |
2061 | * Description: University of Stirling USB DAQ & INCITE Technology Limited |
2062 | * Devices: [ITL] USB-DUX-FAST (usbduxfast) |
2063 | * Author: Bernd Porr <mail@berndporr.me.uk> |
2064 | - * Updated: 10 Oct 2014 |
2065 | + * Updated: 16 Nov 2019 |
2066 | * Status: stable |
2067 | */ |
2068 | |
2069 | @@ -22,6 +22,7 @@ |
2070 | * |
2071 | * |
2072 | * Revision history: |
2073 | + * 1.0: Fixed a rounding error in usbduxfast_ai_cmdtest |
2074 | * 0.9: Dropping the first data packet which seems to be from the last transfer. |
2075 | * Buffer overflows in the FX2 are handed over to comedi. |
2076 | * 0.92: Dropping now 4 packets. The quad buffer has to be emptied. |
2077 | @@ -350,6 +351,7 @@ static int usbduxfast_ai_cmdtest(struct comedi_device *dev, |
2078 | struct comedi_cmd *cmd) |
2079 | { |
2080 | int err = 0; |
2081 | + int err2 = 0; |
2082 | unsigned int steps; |
2083 | unsigned int arg; |
2084 | |
2085 | @@ -399,11 +401,16 @@ static int usbduxfast_ai_cmdtest(struct comedi_device *dev, |
2086 | */ |
2087 | steps = (cmd->convert_arg * 30) / 1000; |
2088 | if (cmd->chanlist_len != 1) |
2089 | - err |= comedi_check_trigger_arg_min(&steps, |
2090 | - MIN_SAMPLING_PERIOD); |
2091 | - err |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD); |
2092 | - arg = (steps * 1000) / 30; |
2093 | - err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg); |
2094 | + err2 |= comedi_check_trigger_arg_min(&steps, |
2095 | + MIN_SAMPLING_PERIOD); |
2096 | + else |
2097 | + err2 |= comedi_check_trigger_arg_min(&steps, 1); |
2098 | + err2 |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD); |
2099 | + if (err2) { |
2100 | + err |= err2; |
2101 | + arg = (steps * 1000) / 30; |
2102 | + err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg); |
2103 | + } |
2104 | |
2105 | if (cmd->stop_src == TRIG_COUNT) |
2106 | err |= comedi_check_trigger_arg_min(&cmd->stop_arg, 1); |
2107 | diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c |
2108 | index ac92725458b5..ba1eaabc7796 100644 |
2109 | --- a/drivers/usb/misc/appledisplay.c |
2110 | +++ b/drivers/usb/misc/appledisplay.c |
2111 | @@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd) |
2112 | 0, |
2113 | pdata->msgdata, 2, |
2114 | ACD_USB_TIMEOUT); |
2115 | - brightness = pdata->msgdata[1]; |
2116 | + if (retval < 2) { |
2117 | + if (retval >= 0) |
2118 | + retval = -EMSGSIZE; |
2119 | + } else { |
2120 | + brightness = pdata->msgdata[1]; |
2121 | + } |
2122 | mutex_unlock(&pdata->sysfslock); |
2123 | |
2124 | if (retval < 0) |
2125 | @@ -299,6 +304,7 @@ error: |
2126 | if (pdata) { |
2127 | if (pdata->urb) { |
2128 | usb_kill_urb(pdata->urb); |
2129 | + cancel_delayed_work_sync(&pdata->work); |
2130 | if (pdata->urbdata) |
2131 | usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, |
2132 | pdata->urbdata, pdata->urb->transfer_dma); |
2133 | diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c |
2134 | index 34e6cd6f40d3..87067c3d6109 100644 |
2135 | --- a/drivers/usb/misc/chaoskey.c |
2136 | +++ b/drivers/usb/misc/chaoskey.c |
2137 | @@ -384,13 +384,17 @@ static int _chaoskey_fill(struct chaoskey *dev) |
2138 | !dev->reading, |
2139 | (started ? NAK_TIMEOUT : ALEA_FIRST_TIMEOUT) ); |
2140 | |
2141 | - if (result < 0) |
2142 | + if (result < 0) { |
2143 | + usb_kill_urb(dev->urb); |
2144 | goto out; |
2145 | + } |
2146 | |
2147 | - if (result == 0) |
2148 | + if (result == 0) { |
2149 | result = -ETIMEDOUT; |
2150 | - else |
2151 | + usb_kill_urb(dev->urb); |
2152 | + } else { |
2153 | result = dev->valid; |
2154 | + } |
2155 | out: |
2156 | /* Let the device go back to sleep eventually */ |
2157 | usb_autopm_put_interface(dev->interface); |
2158 | @@ -526,7 +530,21 @@ static int chaoskey_suspend(struct usb_interface *interface, |
2159 | |
2160 | static int chaoskey_resume(struct usb_interface *interface) |
2161 | { |
2162 | + struct chaoskey *dev; |
2163 | + struct usb_device *udev = interface_to_usbdev(interface); |
2164 | + |
2165 | usb_dbg(interface, "resume"); |
2166 | + dev = usb_get_intfdata(interface); |
2167 | + |
2168 | + /* |
2169 | + * We may have lost power. |
2170 | + * In that case the device that needs a long time |
2171 | + * for the first requests needs an extended timeout |
2172 | + * again |
2173 | + */ |
2174 | + if (le16_to_cpu(udev->descriptor.idVendor) == ALEA_VENDOR_ID) |
2175 | + dev->reads_started = false; |
2176 | + |
2177 | return 0; |
2178 | } |
2179 | #else |
2180 | diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c |
2181 | index 979bef9bfb6b..f5143eedbc48 100644 |
2182 | --- a/drivers/usb/serial/cp210x.c |
2183 | +++ b/drivers/usb/serial/cp210x.c |
2184 | @@ -125,6 +125,7 @@ static const struct usb_device_id id_table[] = { |
2185 | { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ |
2186 | { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */ |
2187 | { USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */ |
2188 | + { USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */ |
2189 | { USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */ |
2190 | { USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */ |
2191 | { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */ |
2192 | diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c |
2193 | index 18110225d506..2ec4eeacebc7 100644 |
2194 | --- a/drivers/usb/serial/mos7720.c |
2195 | +++ b/drivers/usb/serial/mos7720.c |
2196 | @@ -1833,10 +1833,6 @@ static int mos7720_startup(struct usb_serial *serial) |
2197 | product = le16_to_cpu(serial->dev->descriptor.idProduct); |
2198 | dev = serial->dev; |
2199 | |
2200 | - /* setting configuration feature to one */ |
2201 | - usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), |
2202 | - (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000); |
2203 | - |
2204 | if (product == MOSCHIP_DEVICE_ID_7715) { |
2205 | struct urb *urb = serial->port[0]->interrupt_in_urb; |
2206 | |
2207 | diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c |
2208 | index a698d46ba773..ab4bf8d6d7df 100644 |
2209 | --- a/drivers/usb/serial/mos7840.c |
2210 | +++ b/drivers/usb/serial/mos7840.c |
2211 | @@ -119,11 +119,15 @@ |
2212 | /* This driver also supports |
2213 | * ATEN UC2324 device using Moschip MCS7840 |
2214 | * ATEN UC2322 device using Moschip MCS7820 |
2215 | + * MOXA UPort 2210 device using Moschip MCS7820 |
2216 | */ |
2217 | #define USB_VENDOR_ID_ATENINTL 0x0557 |
2218 | #define ATENINTL_DEVICE_ID_UC2324 0x2011 |
2219 | #define ATENINTL_DEVICE_ID_UC2322 0x7820 |
2220 | |
2221 | +#define USB_VENDOR_ID_MOXA 0x110a |
2222 | +#define MOXA_DEVICE_ID_2210 0x2210 |
2223 | + |
2224 | /* Interrupt Routine Defines */ |
2225 | |
2226 | #define SERIAL_IIR_RLS 0x06 |
2227 | @@ -195,6 +199,7 @@ static const struct usb_device_id id_table[] = { |
2228 | {USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)}, |
2229 | {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)}, |
2230 | {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)}, |
2231 | + {USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)}, |
2232 | {} /* terminating entry */ |
2233 | }; |
2234 | MODULE_DEVICE_TABLE(usb, id_table); |
2235 | @@ -2020,6 +2025,7 @@ static int mos7840_probe(struct usb_serial *serial, |
2236 | const struct usb_device_id *id) |
2237 | { |
2238 | u16 product = le16_to_cpu(serial->dev->descriptor.idProduct); |
2239 | + u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor); |
2240 | u8 *buf; |
2241 | int device_type; |
2242 | |
2243 | @@ -2030,6 +2036,11 @@ static int mos7840_probe(struct usb_serial *serial, |
2244 | goto out; |
2245 | } |
2246 | |
2247 | + if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) { |
2248 | + device_type = MOSCHIP_DEVICE_ID_7820; |
2249 | + goto out; |
2250 | + } |
2251 | + |
2252 | buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL); |
2253 | if (!buf) |
2254 | return -ENOMEM; |
2255 | @@ -2279,11 +2290,6 @@ out: |
2256 | goto error; |
2257 | } else |
2258 | dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status); |
2259 | - |
2260 | - /* setting configuration feature to one */ |
2261 | - usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), |
2262 | - 0x03, 0x00, 0x01, 0x00, NULL, 0x00, |
2263 | - MOS_WDR_TIMEOUT); |
2264 | } |
2265 | return 0; |
2266 | error: |
2267 | diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c |
2268 | index 06ab016be0b6..e9491d400a24 100644 |
2269 | --- a/drivers/usb/serial/option.c |
2270 | +++ b/drivers/usb/serial/option.c |
2271 | @@ -197,6 +197,7 @@ static void option_instat_callback(struct urb *urb); |
2272 | #define DELL_PRODUCT_5804_MINICARD_ATT 0x819b /* Novatel E371 */ |
2273 | |
2274 | #define DELL_PRODUCT_5821E 0x81d7 |
2275 | +#define DELL_PRODUCT_5821E_ESIM 0x81e0 |
2276 | |
2277 | #define KYOCERA_VENDOR_ID 0x0c88 |
2278 | #define KYOCERA_PRODUCT_KPC650 0x17da |
2279 | @@ -1044,6 +1045,8 @@ static const struct usb_device_id option_ids[] = { |
2280 | { USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5804_MINICARD_ATT, 0xff, 0xff, 0xff) }, |
2281 | { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E), |
2282 | .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, |
2283 | + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E_ESIM), |
2284 | + .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, |
2285 | { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */ |
2286 | { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) }, |
2287 | { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) }, |
2288 | @@ -1990,6 +1993,10 @@ static const struct usb_device_id option_ids[] = { |
2289 | { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, |
2290 | { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, |
2291 | { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, |
2292 | + { USB_DEVICE(0x0489, 0xe0b4), /* Foxconn T77W968 */ |
2293 | + .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, |
2294 | + { USB_DEVICE(0x0489, 0xe0b5), /* Foxconn T77W968 ESIM */ |
2295 | + .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, |
2296 | { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ |
2297 | .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, |
2298 | { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */ |
2299 | diff --git a/drivers/usb/usbip/Kconfig b/drivers/usb/usbip/Kconfig |
2300 | index 2f86b28fa3da..7bbae7a08642 100644 |
2301 | --- a/drivers/usb/usbip/Kconfig |
2302 | +++ b/drivers/usb/usbip/Kconfig |
2303 | @@ -4,6 +4,7 @@ config USBIP_CORE |
2304 | tristate "USB/IP support" |
2305 | depends on NET |
2306 | select USB_COMMON |
2307 | + select SGL_ALLOC |
2308 | ---help--- |
2309 | This enables pushing USB packets over IP to allow remote |
2310 | machines direct access to USB devices. It provides the |
2311 | diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c |
2312 | index 66edfeea68fe..e2b019532234 100644 |
2313 | --- a/drivers/usb/usbip/stub_rx.c |
2314 | +++ b/drivers/usb/usbip/stub_rx.c |
2315 | @@ -470,18 +470,50 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, |
2316 | if (pipe == -1) |
2317 | return; |
2318 | |
2319 | + /* |
2320 | + * Smatch reported the error case where use_sg is true and buf_len is 0. |
2321 | + * In this case, It adds SDEV_EVENT_ERROR_MALLOC and stub_priv will be |
2322 | + * released by stub event handler and connection will be shut down. |
2323 | + */ |
2324 | priv = stub_priv_alloc(sdev, pdu); |
2325 | if (!priv) |
2326 | return; |
2327 | |
2328 | buf_len = (unsigned long long)pdu->u.cmd_submit.transfer_buffer_length; |
2329 | |
2330 | + if (use_sg && !buf_len) { |
2331 | + dev_err(&udev->dev, "sg buffer with zero length\n"); |
2332 | + goto err_malloc; |
2333 | + } |
2334 | + |
2335 | /* allocate urb transfer buffer, if needed */ |
2336 | if (buf_len) { |
2337 | if (use_sg) { |
2338 | sgl = sgl_alloc(buf_len, GFP_KERNEL, &nents); |
2339 | if (!sgl) |
2340 | goto err_malloc; |
2341 | + |
2342 | + /* Check if the server's HCD supports SG */ |
2343 | + if (!udev->bus->sg_tablesize) { |
2344 | + /* |
2345 | + * If the server's HCD doesn't support SG, break |
2346 | + * a single SG request into several URBs and map |
2347 | + * each SG list entry to corresponding URB |
2348 | + * buffer. The previously allocated SG list is |
2349 | + * stored in priv->sgl (If the server's HCD |
2350 | + * support SG, SG list is stored only in |
2351 | + * urb->sg) and it is used as an indicator that |
2352 | + * the server split single SG request into |
2353 | + * several URBs. Later, priv->sgl is used by |
2354 | + * stub_complete() and stub_send_ret_submit() to |
2355 | + * reassemble the divied URBs. |
2356 | + */ |
2357 | + support_sg = 0; |
2358 | + num_urbs = nents; |
2359 | + priv->completed_urbs = 0; |
2360 | + pdu->u.cmd_submit.transfer_flags &= |
2361 | + ~URB_DMA_MAP_SG; |
2362 | + } |
2363 | } else { |
2364 | buffer = kzalloc(buf_len, GFP_KERNEL); |
2365 | if (!buffer) |
2366 | @@ -489,24 +521,6 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, |
2367 | } |
2368 | } |
2369 | |
2370 | - /* Check if the server's HCD supports SG */ |
2371 | - if (use_sg && !udev->bus->sg_tablesize) { |
2372 | - /* |
2373 | - * If the server's HCD doesn't support SG, break a single SG |
2374 | - * request into several URBs and map each SG list entry to |
2375 | - * corresponding URB buffer. The previously allocated SG |
2376 | - * list is stored in priv->sgl (If the server's HCD support SG, |
2377 | - * SG list is stored only in urb->sg) and it is used as an |
2378 | - * indicator that the server split single SG request into |
2379 | - * several URBs. Later, priv->sgl is used by stub_complete() and |
2380 | - * stub_send_ret_submit() to reassemble the divied URBs. |
2381 | - */ |
2382 | - support_sg = 0; |
2383 | - num_urbs = nents; |
2384 | - priv->completed_urbs = 0; |
2385 | - pdu->u.cmd_submit.transfer_flags &= ~URB_DMA_MAP_SG; |
2386 | - } |
2387 | - |
2388 | /* allocate urb array */ |
2389 | priv->num_urbs = num_urbs; |
2390 | priv->urbs = kmalloc_array(num_urbs, sizeof(*priv->urbs), GFP_KERNEL); |
2391 | diff --git a/fs/exec.c b/fs/exec.c |
2392 | index 555e93c7dec8..c27231234764 100644 |
2393 | --- a/fs/exec.c |
2394 | +++ b/fs/exec.c |
2395 | @@ -1015,7 +1015,7 @@ static int exec_mmap(struct mm_struct *mm) |
2396 | /* Notify parent that we're no longer interested in the old VM */ |
2397 | tsk = current; |
2398 | old_mm = current->mm; |
2399 | - mm_release(tsk, old_mm); |
2400 | + exec_mm_release(tsk, old_mm); |
2401 | |
2402 | if (old_mm) { |
2403 | sync_mm_rss(old_mm); |
2404 | diff --git a/include/linux/compat.h b/include/linux/compat.h |
2405 | index 16dafd9f4b86..c4c389c7e1b4 100644 |
2406 | --- a/include/linux/compat.h |
2407 | +++ b/include/linux/compat.h |
2408 | @@ -410,8 +410,6 @@ struct compat_kexec_segment; |
2409 | struct compat_mq_attr; |
2410 | struct compat_msgbuf; |
2411 | |
2412 | -extern void compat_exit_robust_list(struct task_struct *curr); |
2413 | - |
2414 | #define BITS_PER_COMPAT_LONG (8*sizeof(compat_long_t)) |
2415 | |
2416 | #define BITS_TO_COMPAT_LONGS(bits) DIV_ROUND_UP(bits, BITS_PER_COMPAT_LONG) |
2417 | diff --git a/include/linux/futex.h b/include/linux/futex.h |
2418 | index ccaef0097785..5cc3fed27d4c 100644 |
2419 | --- a/include/linux/futex.h |
2420 | +++ b/include/linux/futex.h |
2421 | @@ -2,7 +2,9 @@ |
2422 | #ifndef _LINUX_FUTEX_H |
2423 | #define _LINUX_FUTEX_H |
2424 | |
2425 | +#include <linux/sched.h> |
2426 | #include <linux/ktime.h> |
2427 | + |
2428 | #include <uapi/linux/futex.h> |
2429 | |
2430 | struct inode; |
2431 | @@ -48,15 +50,35 @@ union futex_key { |
2432 | #define FUTEX_KEY_INIT (union futex_key) { .both = { .ptr = NULL } } |
2433 | |
2434 | #ifdef CONFIG_FUTEX |
2435 | -extern void exit_robust_list(struct task_struct *curr); |
2436 | +enum { |
2437 | + FUTEX_STATE_OK, |
2438 | + FUTEX_STATE_EXITING, |
2439 | + FUTEX_STATE_DEAD, |
2440 | +}; |
2441 | |
2442 | -long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, |
2443 | - u32 __user *uaddr2, u32 val2, u32 val3); |
2444 | -#else |
2445 | -static inline void exit_robust_list(struct task_struct *curr) |
2446 | +static inline void futex_init_task(struct task_struct *tsk) |
2447 | { |
2448 | + tsk->robust_list = NULL; |
2449 | +#ifdef CONFIG_COMPAT |
2450 | + tsk->compat_robust_list = NULL; |
2451 | +#endif |
2452 | + INIT_LIST_HEAD(&tsk->pi_state_list); |
2453 | + tsk->pi_state_cache = NULL; |
2454 | + tsk->futex_state = FUTEX_STATE_OK; |
2455 | + mutex_init(&tsk->futex_exit_mutex); |
2456 | } |
2457 | |
2458 | +void futex_exit_recursive(struct task_struct *tsk); |
2459 | +void futex_exit_release(struct task_struct *tsk); |
2460 | +void futex_exec_release(struct task_struct *tsk); |
2461 | + |
2462 | +long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, |
2463 | + u32 __user *uaddr2, u32 val2, u32 val3); |
2464 | +#else |
2465 | +static inline void futex_init_task(struct task_struct *tsk) { } |
2466 | +static inline void futex_exit_recursive(struct task_struct *tsk) { } |
2467 | +static inline void futex_exit_release(struct task_struct *tsk) { } |
2468 | +static inline void futex_exec_release(struct task_struct *tsk) { } |
2469 | static inline long do_futex(u32 __user *uaddr, int op, u32 val, |
2470 | ktime_t *timeout, u32 __user *uaddr2, |
2471 | u32 val2, u32 val3) |
2472 | @@ -65,12 +87,4 @@ static inline long do_futex(u32 __user *uaddr, int op, u32 val, |
2473 | } |
2474 | #endif |
2475 | |
2476 | -#ifdef CONFIG_FUTEX_PI |
2477 | -extern void exit_pi_state_list(struct task_struct *curr); |
2478 | -#else |
2479 | -static inline void exit_pi_state_list(struct task_struct *curr) |
2480 | -{ |
2481 | -} |
2482 | -#endif |
2483 | - |
2484 | #endif |
2485 | diff --git a/include/linux/sched.h b/include/linux/sched.h |
2486 | index 67a1d86981a9..775503573ed7 100644 |
2487 | --- a/include/linux/sched.h |
2488 | +++ b/include/linux/sched.h |
2489 | @@ -1054,6 +1054,8 @@ struct task_struct { |
2490 | #endif |
2491 | struct list_head pi_state_list; |
2492 | struct futex_pi_state *pi_state_cache; |
2493 | + struct mutex futex_exit_mutex; |
2494 | + unsigned int futex_state; |
2495 | #endif |
2496 | #ifdef CONFIG_PERF_EVENTS |
2497 | struct perf_event_context *perf_event_ctxp[perf_nr_task_contexts]; |
2498 | @@ -1442,7 +1444,6 @@ extern struct pid *cad_pid; |
2499 | */ |
2500 | #define PF_IDLE 0x00000002 /* I am an IDLE thread */ |
2501 | #define PF_EXITING 0x00000004 /* Getting shut down */ |
2502 | -#define PF_EXITPIDONE 0x00000008 /* PI exit done on shut down */ |
2503 | #define PF_VCPU 0x00000010 /* I'm a virtual CPU */ |
2504 | #define PF_WQ_WORKER 0x00000020 /* I'm a workqueue worker */ |
2505 | #define PF_FORKNOEXEC 0x00000040 /* Forked but didn't exec */ |
2506 | diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h |
2507 | index e6770012db18..c49257a3b510 100644 |
2508 | --- a/include/linux/sched/mm.h |
2509 | +++ b/include/linux/sched/mm.h |
2510 | @@ -117,8 +117,10 @@ extern struct mm_struct *get_task_mm(struct task_struct *task); |
2511 | * succeeds. |
2512 | */ |
2513 | extern struct mm_struct *mm_access(struct task_struct *task, unsigned int mode); |
2514 | -/* Remove the current tasks stale references to the old mm_struct */ |
2515 | -extern void mm_release(struct task_struct *, struct mm_struct *); |
2516 | +/* Remove the current tasks stale references to the old mm_struct on exit() */ |
2517 | +extern void exit_mm_release(struct task_struct *, struct mm_struct *); |
2518 | +/* Remove the current tasks stale references to the old mm_struct on exec() */ |
2519 | +extern void exec_mm_release(struct task_struct *, struct mm_struct *); |
2520 | |
2521 | #ifdef CONFIG_MEMCG |
2522 | extern void mm_update_next_owner(struct mm_struct *mm); |
2523 | diff --git a/kernel/exit.c b/kernel/exit.c |
2524 | index a46a50d67002..d351fd09e739 100644 |
2525 | --- a/kernel/exit.c |
2526 | +++ b/kernel/exit.c |
2527 | @@ -437,7 +437,7 @@ static void exit_mm(void) |
2528 | struct mm_struct *mm = current->mm; |
2529 | struct core_state *core_state; |
2530 | |
2531 | - mm_release(current, mm); |
2532 | + exit_mm_release(current, mm); |
2533 | if (!mm) |
2534 | return; |
2535 | sync_mm_rss(mm); |
2536 | @@ -746,32 +746,12 @@ void __noreturn do_exit(long code) |
2537 | */ |
2538 | if (unlikely(tsk->flags & PF_EXITING)) { |
2539 | pr_alert("Fixing recursive fault but reboot is needed!\n"); |
2540 | - /* |
2541 | - * We can do this unlocked here. The futex code uses |
2542 | - * this flag just to verify whether the pi state |
2543 | - * cleanup has been done or not. In the worst case it |
2544 | - * loops once more. We pretend that the cleanup was |
2545 | - * done as there is no way to return. Either the |
2546 | - * OWNER_DIED bit is set by now or we push the blocked |
2547 | - * task into the wait for ever nirwana as well. |
2548 | - */ |
2549 | - tsk->flags |= PF_EXITPIDONE; |
2550 | + futex_exit_recursive(tsk); |
2551 | set_current_state(TASK_UNINTERRUPTIBLE); |
2552 | schedule(); |
2553 | } |
2554 | |
2555 | exit_signals(tsk); /* sets PF_EXITING */ |
2556 | - /* |
2557 | - * Ensure that all new tsk->pi_lock acquisitions must observe |
2558 | - * PF_EXITING. Serializes against futex.c:attach_to_pi_owner(). |
2559 | - */ |
2560 | - smp_mb(); |
2561 | - /* |
2562 | - * Ensure that we must observe the pi_state in exit_mm() -> |
2563 | - * mm_release() -> exit_pi_state_list(). |
2564 | - */ |
2565 | - raw_spin_lock_irq(&tsk->pi_lock); |
2566 | - raw_spin_unlock_irq(&tsk->pi_lock); |
2567 | |
2568 | if (unlikely(in_atomic())) { |
2569 | pr_info("note: %s[%d] exited with preempt_count %d\n", |
2570 | @@ -846,12 +826,6 @@ void __noreturn do_exit(long code) |
2571 | * Make sure we are holding no locks: |
2572 | */ |
2573 | debug_check_no_locks_held(); |
2574 | - /* |
2575 | - * We can do this unlocked here. The futex code uses this flag |
2576 | - * just to verify whether the pi state cleanup has been done |
2577 | - * or not. In the worst case it loops once more. |
2578 | - */ |
2579 | - tsk->flags |= PF_EXITPIDONE; |
2580 | |
2581 | if (tsk->io_context) |
2582 | exit_io_context(tsk); |
2583 | diff --git a/kernel/fork.c b/kernel/fork.c |
2584 | index 13b38794efb5..6cabc124378c 100644 |
2585 | --- a/kernel/fork.c |
2586 | +++ b/kernel/fork.c |
2587 | @@ -1283,24 +1283,8 @@ static int wait_for_vfork_done(struct task_struct *child, |
2588 | * restoring the old one. . . |
2589 | * Eric Biederman 10 January 1998 |
2590 | */ |
2591 | -void mm_release(struct task_struct *tsk, struct mm_struct *mm) |
2592 | +static void mm_release(struct task_struct *tsk, struct mm_struct *mm) |
2593 | { |
2594 | - /* Get rid of any futexes when releasing the mm */ |
2595 | -#ifdef CONFIG_FUTEX |
2596 | - if (unlikely(tsk->robust_list)) { |
2597 | - exit_robust_list(tsk); |
2598 | - tsk->robust_list = NULL; |
2599 | - } |
2600 | -#ifdef CONFIG_COMPAT |
2601 | - if (unlikely(tsk->compat_robust_list)) { |
2602 | - compat_exit_robust_list(tsk); |
2603 | - tsk->compat_robust_list = NULL; |
2604 | - } |
2605 | -#endif |
2606 | - if (unlikely(!list_empty(&tsk->pi_state_list))) |
2607 | - exit_pi_state_list(tsk); |
2608 | -#endif |
2609 | - |
2610 | uprobe_free_utask(tsk); |
2611 | |
2612 | /* Get rid of any cached register state */ |
2613 | @@ -1333,6 +1317,18 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm) |
2614 | complete_vfork_done(tsk); |
2615 | } |
2616 | |
2617 | +void exit_mm_release(struct task_struct *tsk, struct mm_struct *mm) |
2618 | +{ |
2619 | + futex_exit_release(tsk); |
2620 | + mm_release(tsk, mm); |
2621 | +} |
2622 | + |
2623 | +void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm) |
2624 | +{ |
2625 | + futex_exec_release(tsk); |
2626 | + mm_release(tsk, mm); |
2627 | +} |
2628 | + |
2629 | /** |
2630 | * dup_mm() - duplicates an existing mm structure |
2631 | * @tsk: the task_struct with which the new mm will be associated. |
2632 | @@ -2062,14 +2058,8 @@ static __latent_entropy struct task_struct *copy_process( |
2633 | #ifdef CONFIG_BLOCK |
2634 | p->plug = NULL; |
2635 | #endif |
2636 | -#ifdef CONFIG_FUTEX |
2637 | - p->robust_list = NULL; |
2638 | -#ifdef CONFIG_COMPAT |
2639 | - p->compat_robust_list = NULL; |
2640 | -#endif |
2641 | - INIT_LIST_HEAD(&p->pi_state_list); |
2642 | - p->pi_state_cache = NULL; |
2643 | -#endif |
2644 | + futex_init_task(p); |
2645 | + |
2646 | /* |
2647 | * sigaltstack should be cleared when sharing the same VM |
2648 | */ |
2649 | diff --git a/kernel/futex.c b/kernel/futex.c |
2650 | index bd18f60e4c6c..afbf928d6a6b 100644 |
2651 | --- a/kernel/futex.c |
2652 | +++ b/kernel/futex.c |
2653 | @@ -325,6 +325,12 @@ static inline bool should_fail_futex(bool fshared) |
2654 | } |
2655 | #endif /* CONFIG_FAIL_FUTEX */ |
2656 | |
2657 | +#ifdef CONFIG_COMPAT |
2658 | +static void compat_exit_robust_list(struct task_struct *curr); |
2659 | +#else |
2660 | +static inline void compat_exit_robust_list(struct task_struct *curr) { } |
2661 | +#endif |
2662 | + |
2663 | static inline void futex_get_mm(union futex_key *key) |
2664 | { |
2665 | mmgrab(key->private.mm); |
2666 | @@ -890,7 +896,7 @@ static void put_pi_state(struct futex_pi_state *pi_state) |
2667 | * Kernel cleans up PI-state, but userspace is likely hosed. |
2668 | * (Robust-futex cleanup is separate and might save the day for userspace.) |
2669 | */ |
2670 | -void exit_pi_state_list(struct task_struct *curr) |
2671 | +static void exit_pi_state_list(struct task_struct *curr) |
2672 | { |
2673 | struct list_head *next, *head = &curr->pi_state_list; |
2674 | struct futex_pi_state *pi_state; |
2675 | @@ -960,7 +966,8 @@ void exit_pi_state_list(struct task_struct *curr) |
2676 | } |
2677 | raw_spin_unlock_irq(&curr->pi_lock); |
2678 | } |
2679 | - |
2680 | +#else |
2681 | +static inline void exit_pi_state_list(struct task_struct *curr) { } |
2682 | #endif |
2683 | |
2684 | /* |
2685 | @@ -1169,16 +1176,47 @@ out_error: |
2686 | return ret; |
2687 | } |
2688 | |
2689 | +/** |
2690 | + * wait_for_owner_exiting - Block until the owner has exited |
2691 | + * @exiting: Pointer to the exiting task |
2692 | + * |
2693 | + * Caller must hold a refcount on @exiting. |
2694 | + */ |
2695 | +static void wait_for_owner_exiting(int ret, struct task_struct *exiting) |
2696 | +{ |
2697 | + if (ret != -EBUSY) { |
2698 | + WARN_ON_ONCE(exiting); |
2699 | + return; |
2700 | + } |
2701 | + |
2702 | + if (WARN_ON_ONCE(ret == -EBUSY && !exiting)) |
2703 | + return; |
2704 | + |
2705 | + mutex_lock(&exiting->futex_exit_mutex); |
2706 | + /* |
2707 | + * No point in doing state checking here. If the waiter got here |
2708 | + * while the task was in exec()->exec_futex_release() then it can |
2709 | + * have any FUTEX_STATE_* value when the waiter has acquired the |
2710 | + * mutex. OK, if running, EXITING or DEAD if it reached exit() |
2711 | + * already. Highly unlikely and not a problem. Just one more round |
2712 | + * through the futex maze. |
2713 | + */ |
2714 | + mutex_unlock(&exiting->futex_exit_mutex); |
2715 | + |
2716 | + put_task_struct(exiting); |
2717 | +} |
2718 | + |
2719 | static int handle_exit_race(u32 __user *uaddr, u32 uval, |
2720 | struct task_struct *tsk) |
2721 | { |
2722 | u32 uval2; |
2723 | |
2724 | /* |
2725 | - * If PF_EXITPIDONE is not yet set, then try again. |
2726 | + * If the futex exit state is not yet FUTEX_STATE_DEAD, tell the |
2727 | + * caller that the alleged owner is busy. |
2728 | */ |
2729 | - if (tsk && !(tsk->flags & PF_EXITPIDONE)) |
2730 | - return -EAGAIN; |
2731 | + if (tsk && tsk->futex_state != FUTEX_STATE_DEAD) |
2732 | + return -EBUSY; |
2733 | |
2734 | /* |
2735 | * Reread the user space value to handle the following situation: |
2736 | @@ -1196,8 +1234,9 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval, |
2737 | * *uaddr = 0xC0000000; tsk = get_task(PID); |
2738 | * } if (!tsk->flags & PF_EXITING) { |
2739 | * ... attach(); |
2740 | - * tsk->flags |= PF_EXITPIDONE; } else { |
2741 | - * if (!(tsk->flags & PF_EXITPIDONE)) |
2742 | + * tsk->futex_state = } else { |
2743 | + * FUTEX_STATE_DEAD; if (tsk->futex_state != |
2744 | + * FUTEX_STATE_DEAD) |
2745 | * return -EAGAIN; |
2746 | * return -ESRCH; <--- FAIL |
2747 | * } |
2748 | @@ -1228,7 +1267,8 @@ static int handle_exit_race(u32 __user *uaddr, u32 uval, |
2749 | * it after doing proper sanity checks. |
2750 | */ |
2751 | static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key, |
2752 | - struct futex_pi_state **ps) |
2753 | + struct futex_pi_state **ps, |
2754 | + struct task_struct **exiting) |
2755 | { |
2756 | pid_t pid = uval & FUTEX_TID_MASK; |
2757 | struct futex_pi_state *pi_state; |
2758 | @@ -1253,22 +1293,33 @@ static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key, |
2759 | } |
2760 | |
2761 | /* |
2762 | - * We need to look at the task state flags to figure out, |
2763 | - * whether the task is exiting. To protect against the do_exit |
2764 | - * change of the task flags, we do this protected by |
2765 | - * p->pi_lock: |
2766 | + * We need to look at the task state to figure out, whether the |
2767 | + * task is exiting. To protect against the change of the task state |
2768 | + * in futex_exit_release(), we do this protected by p->pi_lock: |
2769 | */ |
2770 | raw_spin_lock_irq(&p->pi_lock); |
2771 | - if (unlikely(p->flags & PF_EXITING)) { |
2772 | + if (unlikely(p->futex_state != FUTEX_STATE_OK)) { |
2773 | /* |
2774 | - * The task is on the way out. When PF_EXITPIDONE is |
2775 | - * set, we know that the task has finished the |
2776 | - * cleanup: |
2777 | + * The task is on the way out. When the futex state is |
2778 | + * FUTEX_STATE_DEAD, we know that the task has finished |
2779 | + * the cleanup: |
2780 | */ |
2781 | int ret = handle_exit_race(uaddr, uval, p); |
2782 | |
2783 | raw_spin_unlock_irq(&p->pi_lock); |
2784 | - put_task_struct(p); |
2785 | + /* |
2786 | + * If the owner task is between FUTEX_STATE_EXITING and |
2787 | + * FUTEX_STATE_DEAD then store the task pointer and keep |
2788 | + * the reference on the task struct. The calling code will |
2789 | + * drop all locks, wait for the task to reach |
2790 | + * FUTEX_STATE_DEAD and then drop the refcount. This is |
2791 | + * required to prevent a live lock when the current task |
2792 | + * preempted the exiting task between the two states. |
2793 | + */ |
2794 | + if (ret == -EBUSY) |
2795 | + *exiting = p; |
2796 | + else |
2797 | + put_task_struct(p); |
2798 | return ret; |
2799 | } |
2800 | |
2801 | @@ -1307,7 +1358,8 @@ static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key, |
2802 | |
2803 | static int lookup_pi_state(u32 __user *uaddr, u32 uval, |
2804 | struct futex_hash_bucket *hb, |
2805 | - union futex_key *key, struct futex_pi_state **ps) |
2806 | + union futex_key *key, struct futex_pi_state **ps, |
2807 | + struct task_struct **exiting) |
2808 | { |
2809 | struct futex_q *top_waiter = futex_top_waiter(hb, key); |
2810 | |
2811 | @@ -1322,7 +1374,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval, |
2812 | * We are the first waiter - try to look up the owner based on |
2813 | * @uval and attach to it. |
2814 | */ |
2815 | - return attach_to_pi_owner(uaddr, uval, key, ps); |
2816 | + return attach_to_pi_owner(uaddr, uval, key, ps, exiting); |
2817 | } |
2818 | |
2819 | static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) |
2820 | @@ -1350,6 +1402,8 @@ static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) |
2821 | * lookup |
2822 | * @task: the task to perform the atomic lock work for. This will |
2823 | * be "current" except in the case of requeue pi. |
2824 | + * @exiting: Pointer to store the task pointer of the owner task |
2825 | + * which is in the middle of exiting |
2826 | * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0) |
2827 | * |
2828 | * Return: |
2829 | @@ -1358,11 +1412,17 @@ static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) |
2830 | * - <0 - error |
2831 | * |
2832 | * The hb->lock and futex_key refs shall be held by the caller. |
2833 | + * |
2834 | + * @exiting is only set when the return value is -EBUSY. If so, this holds |
2835 | + * a refcount on the exiting task on return and the caller needs to drop it |
2836 | + * after waiting for the exit to complete. |
2837 | */ |
2838 | static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb, |
2839 | union futex_key *key, |
2840 | struct futex_pi_state **ps, |
2841 | - struct task_struct *task, int set_waiters) |
2842 | + struct task_struct *task, |
2843 | + struct task_struct **exiting, |
2844 | + int set_waiters) |
2845 | { |
2846 | u32 uval, newval, vpid = task_pid_vnr(task); |
2847 | struct futex_q *top_waiter; |
2848 | @@ -1432,7 +1492,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb, |
2849 | * attach to the owner. If that fails, no harm done, we only |
2850 | * set the FUTEX_WAITERS bit in the user space variable. |
2851 | */ |
2852 | - return attach_to_pi_owner(uaddr, newval, key, ps); |
2853 | + return attach_to_pi_owner(uaddr, newval, key, ps, exiting); |
2854 | } |
2855 | |
2856 | /** |
2857 | @@ -1850,6 +1910,8 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, |
2858 | * @key1: the from futex key |
2859 | * @key2: the to futex key |
2860 | * @ps: address to store the pi_state pointer |
2861 | + * @exiting: Pointer to store the task pointer of the owner task |
2862 | + * which is in the middle of exiting |
2863 | * @set_waiters: force setting the FUTEX_WAITERS bit (1) or not (0) |
2864 | * |
2865 | * Try and get the lock on behalf of the top waiter if we can do it atomically. |
2866 | @@ -1857,16 +1919,20 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, |
2867 | * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit. |
2868 | * hb1 and hb2 must be held by the caller. |
2869 | * |
2870 | + * @exiting is only set when the return value is -EBUSY. If so, this holds |
2871 | + * a refcount on the exiting task on return and the caller needs to drop it |
2872 | + * after waiting for the exit to complete. |
2873 | + * |
2874 | * Return: |
2875 | * - 0 - failed to acquire the lock atomically; |
2876 | * - >0 - acquired the lock, return value is vpid of the top_waiter |
2877 | * - <0 - error |
2878 | */ |
2879 | -static int futex_proxy_trylock_atomic(u32 __user *pifutex, |
2880 | - struct futex_hash_bucket *hb1, |
2881 | - struct futex_hash_bucket *hb2, |
2882 | - union futex_key *key1, union futex_key *key2, |
2883 | - struct futex_pi_state **ps, int set_waiters) |
2884 | +static int |
2885 | +futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1, |
2886 | + struct futex_hash_bucket *hb2, union futex_key *key1, |
2887 | + union futex_key *key2, struct futex_pi_state **ps, |
2888 | + struct task_struct **exiting, int set_waiters) |
2889 | { |
2890 | struct futex_q *top_waiter = NULL; |
2891 | u32 curval; |
2892 | @@ -1903,7 +1969,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex, |
2893 | */ |
2894 | vpid = task_pid_vnr(top_waiter->task); |
2895 | ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, |
2896 | - set_waiters); |
2897 | + exiting, set_waiters); |
2898 | if (ret == 1) { |
2899 | requeue_pi_wake_futex(top_waiter, key2, hb2); |
2900 | return vpid; |
2901 | @@ -2032,6 +2098,8 @@ retry_private: |
2902 | } |
2903 | |
2904 | if (requeue_pi && (task_count - nr_wake < nr_requeue)) { |
2905 | + struct task_struct *exiting = NULL; |
2906 | + |
2907 | /* |
2908 | * Attempt to acquire uaddr2 and wake the top waiter. If we |
2909 | * intend to requeue waiters, force setting the FUTEX_WAITERS |
2910 | @@ -2039,7 +2107,8 @@ retry_private: |
2911 | * faults rather in the requeue loop below. |
2912 | */ |
2913 | ret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1, |
2914 | - &key2, &pi_state, nr_requeue); |
2915 | + &key2, &pi_state, |
2916 | + &exiting, nr_requeue); |
2917 | |
2918 | /* |
2919 | * At this point the top_waiter has either taken uaddr2 or is |
2920 | @@ -2066,7 +2135,8 @@ retry_private: |
2921 | * If that call succeeds then we have pi_state and an |
2922 | * initial refcount on it. |
2923 | */ |
2924 | - ret = lookup_pi_state(uaddr2, ret, hb2, &key2, &pi_state); |
2925 | + ret = lookup_pi_state(uaddr2, ret, hb2, &key2, |
2926 | + &pi_state, &exiting); |
2927 | } |
2928 | |
2929 | switch (ret) { |
2930 | @@ -2084,17 +2154,24 @@ retry_private: |
2931 | if (!ret) |
2932 | goto retry; |
2933 | goto out; |
2934 | + case -EBUSY: |
2935 | case -EAGAIN: |
2936 | /* |
2937 | * Two reasons for this: |
2938 | - * - Owner is exiting and we just wait for the |
2939 | + * - EBUSY: Owner is exiting and we just wait for the |
2940 | * exit to complete. |
2941 | - * - The user space value changed. |
2942 | + * - EAGAIN: The user space value changed. |
2943 | */ |
2944 | double_unlock_hb(hb1, hb2); |
2945 | hb_waiters_dec(hb2); |
2946 | put_futex_key(&key2); |
2947 | put_futex_key(&key1); |
2948 | + /* |
2949 | + * Handle the case where the owner is in the middle of |
2950 | + * exiting. Wait for the exit to complete otherwise |
2951 | + * this task might loop forever, aka. live lock. |
2952 | + */ |
2953 | + wait_for_owner_exiting(ret, exiting); |
2954 | cond_resched(); |
2955 | goto retry; |
2956 | default: |
2957 | @@ -2801,6 +2878,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags, |
2958 | { |
2959 | struct hrtimer_sleeper timeout, *to; |
2960 | struct futex_pi_state *pi_state = NULL; |
2961 | + struct task_struct *exiting = NULL; |
2962 | struct rt_mutex_waiter rt_waiter; |
2963 | struct futex_hash_bucket *hb; |
2964 | struct futex_q q = futex_q_init; |
2965 | @@ -2822,7 +2900,8 @@ retry: |
2966 | retry_private: |
2967 | hb = queue_lock(&q); |
2968 | |
2969 | - ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0); |
2970 | + ret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, |
2971 | + &exiting, 0); |
2972 | if (unlikely(ret)) { |
2973 | /* |
2974 | * Atomic work succeeded and we got the lock, |
2975 | @@ -2835,15 +2914,22 @@ retry_private: |
2976 | goto out_unlock_put_key; |
2977 | case -EFAULT: |
2978 | goto uaddr_faulted; |
2979 | + case -EBUSY: |
2980 | case -EAGAIN: |
2981 | /* |
2982 | * Two reasons for this: |
2983 | - * - Task is exiting and we just wait for the |
2984 | + * - EBUSY: Task is exiting and we just wait for the |
2985 | * exit to complete. |
2986 | - * - The user space value changed. |
2987 | + * - EAGAIN: The user space value changed. |
2988 | */ |
2989 | queue_unlock(hb); |
2990 | put_futex_key(&q.key); |
2991 | + /* |
2992 | + * Handle the case where the owner is in the middle of |
2993 | + * exiting. Wait for the exit to complete otherwise |
2994 | + * this task might loop forever, aka. live lock. |
2995 | + */ |
2996 | + wait_for_owner_exiting(ret, exiting); |
2997 | cond_resched(); |
2998 | goto retry; |
2999 | default: |
3000 | @@ -3452,11 +3538,16 @@ err_unlock: |
3001 | return ret; |
3002 | } |
3003 | |
3004 | +/* Constants for the pending_op argument of handle_futex_death */ |
3005 | +#define HANDLE_DEATH_PENDING true |
3006 | +#define HANDLE_DEATH_LIST false |
3007 | + |
3008 | /* |
3009 | * Process a futex-list entry, check whether it's owned by the |
3010 | * dying task, and do notification if so: |
3011 | */ |
3012 | -static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi) |
3013 | +static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, |
3014 | + bool pi, bool pending_op) |
3015 | { |
3016 | u32 uval, uninitialized_var(nval), mval; |
3017 | int err; |
3018 | @@ -3469,6 +3560,42 @@ retry: |
3019 | if (get_user(uval, uaddr)) |
3020 | return -1; |
3021 | |
3022 | + /* |
3023 | + * Special case for regular (non PI) futexes. The unlock path in |
3024 | + * user space has two race scenarios: |
3025 | + * |
3026 | + * 1. The unlock path releases the user space futex value and |
3027 | + * before it can execute the futex() syscall to wake up |
3028 | + * waiters it is killed. |
3029 | + * |
3030 | + * 2. A woken up waiter is killed before it can acquire the |
3031 | + * futex in user space. |
3032 | + * |
3033 | + * In both cases the TID validation below prevents a wakeup of |
3034 | + * potential waiters which can cause these waiters to block |
3035 | + * forever. |
3036 | + * |
3037 | + * In both cases the following conditions are met: |
3038 | + * |
3039 | + * 1) task->robust_list->list_op_pending != NULL |
3040 | + * @pending_op == true |
3041 | + * 2) User space futex value == 0 |
3042 | + * 3) Regular futex: @pi == false |
3043 | + * |
3044 | + * If these conditions are met, it is safe to attempt waking up a |
3045 | + * potential waiter without touching the user space futex value and |
3046 | + * trying to set the OWNER_DIED bit. The user space futex value is |
3047 | + * uncontended and the rest of the user space mutex state is |
3048 | + * consistent, so a woken waiter will just take over the |
3049 | + * uncontended futex. Setting the OWNER_DIED bit would create |
3050 | + * inconsistent state and malfunction of the user space owner died |
3051 | + * handling. |
3052 | + */ |
3053 | + if (pending_op && !pi && !uval) { |
3054 | + futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY); |
3055 | + return 0; |
3056 | + } |
3057 | + |
3058 | if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr)) |
3059 | return 0; |
3060 | |
3061 | @@ -3547,7 +3674,7 @@ static inline int fetch_robust_entry(struct robust_list __user **entry, |
3062 | * |
3063 | * We silently return on any sign of list-walking problem. |
3064 | */ |
3065 | -void exit_robust_list(struct task_struct *curr) |
3066 | +static void exit_robust_list(struct task_struct *curr) |
3067 | { |
3068 | struct robust_list_head __user *head = curr->robust_list; |
3069 | struct robust_list __user *entry, *next_entry, *pending; |
3070 | @@ -3588,10 +3715,11 @@ void exit_robust_list(struct task_struct *curr) |
3071 | * A pending lock might already be on the list, so |
3072 | * don't process it twice: |
3073 | */ |
3074 | - if (entry != pending) |
3075 | + if (entry != pending) { |
3076 | if (handle_futex_death((void __user *)entry + futex_offset, |
3077 | - curr, pi)) |
3078 | + curr, pi, HANDLE_DEATH_LIST)) |
3079 | return; |
3080 | + } |
3081 | if (rc) |
3082 | return; |
3083 | entry = next_entry; |
3084 | @@ -3605,9 +3733,118 @@ void exit_robust_list(struct task_struct *curr) |
3085 | cond_resched(); |
3086 | } |
3087 | |
3088 | - if (pending) |
3089 | + if (pending) { |
3090 | handle_futex_death((void __user *)pending + futex_offset, |
3091 | - curr, pip); |
3092 | + curr, pip, HANDLE_DEATH_PENDING); |
3093 | + } |
3094 | +} |
3095 | + |
3096 | +static void futex_cleanup(struct task_struct *tsk) |
3097 | +{ |
3098 | + if (unlikely(tsk->robust_list)) { |
3099 | + exit_robust_list(tsk); |
3100 | + tsk->robust_list = NULL; |
3101 | + } |
3102 | + |
3103 | +#ifdef CONFIG_COMPAT |
3104 | + if (unlikely(tsk->compat_robust_list)) { |
3105 | + compat_exit_robust_list(tsk); |
3106 | + tsk->compat_robust_list = NULL; |
3107 | + } |
3108 | +#endif |
3109 | + |
3110 | + if (unlikely(!list_empty(&tsk->pi_state_list))) |
3111 | + exit_pi_state_list(tsk); |
3112 | +} |
3113 | + |
3114 | +/** |
3115 | + * futex_exit_recursive - Set the tasks futex state to FUTEX_STATE_DEAD |
3116 | + * @tsk: task to set the state on |
3117 | + * |
3118 | + * Set the futex exit state of the task lockless. The futex waiter code |
3119 | + * observes that state when a task is exiting and loops until the task has |
3120 | + * actually finished the futex cleanup. The worst case for this is that the |
3121 | + * waiter runs through the wait loop until the state becomes visible. |
3122 | + * |
3123 | + * This is called from the recursive fault handling path in do_exit(). |
3124 | + * |
3125 | + * This is best effort. Either the futex exit code has run already or |
3126 | + * not. If the OWNER_DIED bit has been set on the futex then the waiter can |
3127 | + * take it over. If not, the problem is pushed back to user space. If the |
3128 | + * futex exit code did not run yet, then an already queued waiter might |
3129 | + * block forever, but there is nothing which can be done about that. |
3130 | + */ |
3131 | +void futex_exit_recursive(struct task_struct *tsk) |
3132 | +{ |
3133 | + /* If the state is FUTEX_STATE_EXITING then futex_exit_mutex is held */ |
3134 | + if (tsk->futex_state == FUTEX_STATE_EXITING) |
3135 | + mutex_unlock(&tsk->futex_exit_mutex); |
3136 | + tsk->futex_state = FUTEX_STATE_DEAD; |
3137 | +} |
3138 | + |
3139 | +static void futex_cleanup_begin(struct task_struct *tsk) |
3140 | +{ |
3141 | + /* |
3142 | + * Prevent various race issues against a concurrent incoming waiter |
3143 | + * including live locks by forcing the waiter to block on |
3144 | + * tsk->futex_exit_mutex when it observes FUTEX_STATE_EXITING in |
3145 | + * attach_to_pi_owner(). |
3146 | + */ |
3147 | + mutex_lock(&tsk->futex_exit_mutex); |
3148 | + |
3149 | + /* |
3150 | + * Switch the state to FUTEX_STATE_EXITING under tsk->pi_lock. |
3151 | + * |
3152 | + * This ensures that all subsequent checks of tsk->futex_state in |
3153 | + * attach_to_pi_owner() must observe FUTEX_STATE_EXITING with |
3154 | + * tsk->pi_lock held. |
3155 | + * |
3156 | + * It guarantees also that a pi_state which was queued right before |
3157 | + * the state change under tsk->pi_lock by a concurrent waiter must |
3158 | + * be observed in exit_pi_state_list(). |
3159 | + */ |
3160 | + raw_spin_lock_irq(&tsk->pi_lock); |
3161 | + tsk->futex_state = FUTEX_STATE_EXITING; |
3162 | + raw_spin_unlock_irq(&tsk->pi_lock); |
3163 | +} |
3164 | + |
3165 | +static void futex_cleanup_end(struct task_struct *tsk, int state) |
3166 | +{ |
3167 | + /* |
3168 | + * Lockless store. The only side effect is that an observer might |
3169 | + * take another loop until it becomes visible. |
3170 | + */ |
3171 | + tsk->futex_state = state; |
3172 | + /* |
3173 | + * Drop the exit protection. This unblocks waiters which observed |
3174 | + * FUTEX_STATE_EXITING to reevaluate the state. |
3175 | + */ |
3176 | + mutex_unlock(&tsk->futex_exit_mutex); |
3177 | +} |
3178 | + |
3179 | +void futex_exec_release(struct task_struct *tsk) |
3180 | +{ |
3181 | + /* |
3182 | + * The state handling is done for consistency, but in the case of |
3183 | + * exec() there is no way to prevent futher damage as the PID stays |
3184 | + * the same. But for the unlikely and arguably buggy case that a |
3185 | + * futex is held on exec(), this provides at least as much state |
3186 | + * consistency protection which is possible. |
3187 | + */ |
3188 | + futex_cleanup_begin(tsk); |
3189 | + futex_cleanup(tsk); |
3190 | + /* |
3191 | + * Reset the state to FUTEX_STATE_OK. The task is alive and about |
3192 | + * exec a new binary. |
3193 | + */ |
3194 | + futex_cleanup_end(tsk, FUTEX_STATE_OK); |
3195 | +} |
3196 | + |
3197 | +void futex_exit_release(struct task_struct *tsk) |
3198 | +{ |
3199 | + futex_cleanup_begin(tsk); |
3200 | + futex_cleanup(tsk); |
3201 | + futex_cleanup_end(tsk, FUTEX_STATE_DEAD); |
3202 | } |
3203 | |
3204 | long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, |
3205 | @@ -3737,7 +3974,7 @@ static void __user *futex_uaddr(struct robust_list __user *entry, |
3206 | * |
3207 | * We silently return on any sign of list-walking problem. |
3208 | */ |
3209 | -void compat_exit_robust_list(struct task_struct *curr) |
3210 | +static void compat_exit_robust_list(struct task_struct *curr) |
3211 | { |
3212 | struct compat_robust_list_head __user *head = curr->compat_robust_list; |
3213 | struct robust_list __user *entry, *next_entry, *pending; |
3214 | @@ -3784,7 +4021,8 @@ void compat_exit_robust_list(struct task_struct *curr) |
3215 | if (entry != pending) { |
3216 | void __user *uaddr = futex_uaddr(entry, futex_offset); |
3217 | |
3218 | - if (handle_futex_death(uaddr, curr, pi)) |
3219 | + if (handle_futex_death(uaddr, curr, pi, |
3220 | + HANDLE_DEATH_LIST)) |
3221 | return; |
3222 | } |
3223 | if (rc) |
3224 | @@ -3803,7 +4041,7 @@ void compat_exit_robust_list(struct task_struct *curr) |
3225 | if (pending) { |
3226 | void __user *uaddr = futex_uaddr(pending, futex_offset); |
3227 | |
3228 | - handle_futex_death(uaddr, curr, pip); |
3229 | + handle_futex_death(uaddr, curr, pip, HANDLE_DEATH_PENDING); |
3230 | } |
3231 | } |
3232 | |
3233 | diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c |
3234 | index 78bd2e3722c7..d14f6684737d 100644 |
3235 | --- a/sound/pci/hda/patch_hdmi.c |
3236 | +++ b/sound/pci/hda/patch_hdmi.c |
3237 | @@ -3454,26 +3454,6 @@ static int nvhdmi_chmap_validate(struct hdac_chmap *chmap, |
3238 | return 0; |
3239 | } |
3240 | |
3241 | -/* map from pin NID to port; port is 0-based */ |
3242 | -/* for Nvidia: assume widget NID starting from 4, with step 1 (4, 5, 6, ...) */ |
3243 | -static int nvhdmi_pin2port(void *audio_ptr, int pin_nid) |
3244 | -{ |
3245 | - return pin_nid - 4; |
3246 | -} |
3247 | - |
3248 | -/* reverse-map from port to pin NID: see above */ |
3249 | -static int nvhdmi_port2pin(struct hda_codec *codec, int port) |
3250 | -{ |
3251 | - return port + 4; |
3252 | -} |
3253 | - |
3254 | -static const struct drm_audio_component_audio_ops nvhdmi_audio_ops = { |
3255 | - .pin2port = nvhdmi_pin2port, |
3256 | - .pin_eld_notify = generic_acomp_pin_eld_notify, |
3257 | - .master_bind = generic_acomp_master_bind, |
3258 | - .master_unbind = generic_acomp_master_unbind, |
3259 | -}; |
3260 | - |
3261 | static int patch_nvhdmi(struct hda_codec *codec) |
3262 | { |
3263 | struct hdmi_spec *spec; |
3264 | @@ -3492,8 +3472,6 @@ static int patch_nvhdmi(struct hda_codec *codec) |
3265 | |
3266 | codec->link_down_at_suspend = 1; |
3267 | |
3268 | - generic_acomp_init(codec, &nvhdmi_audio_ops, nvhdmi_port2pin); |
3269 | - |
3270 | return 0; |
3271 | } |
3272 | |
3273 | diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c |
3274 | index 45eee5cc312e..6cd4ff09c5ee 100644 |
3275 | --- a/sound/usb/mixer.c |
3276 | +++ b/sound/usb/mixer.c |
3277 | @@ -2930,6 +2930,9 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, |
3278 | continue; |
3279 | |
3280 | iface = usb_ifnum_to_if(dev, intf); |
3281 | + if (!iface) |
3282 | + continue; |
3283 | + |
3284 | num = iface->num_altsetting; |
3285 | |
3286 | if (num < 2) |
3287 | diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c |
3288 | index 7d460b1f1735..94b903d95afa 100644 |
3289 | --- a/sound/usb/mixer_scarlett_gen2.c |
3290 | +++ b/sound/usb/mixer_scarlett_gen2.c |
3291 | @@ -261,34 +261,34 @@ static const struct scarlett2_device_info s6i6_gen2_info = { |
3292 | }, |
3293 | |
3294 | .ports = { |
3295 | - { |
3296 | + [SCARLETT2_PORT_TYPE_NONE] = { |
3297 | .id = 0x000, |
3298 | .num = { 1, 0, 8, 8, 8 }, |
3299 | .src_descr = "Off", |
3300 | .src_num_offset = 0, |
3301 | }, |
3302 | - { |
3303 | + [SCARLETT2_PORT_TYPE_ANALOGUE] = { |
3304 | .id = 0x080, |
3305 | .num = { 4, 4, 4, 4, 4 }, |
3306 | .src_descr = "Analogue %d", |
3307 | .src_num_offset = 1, |
3308 | .dst_descr = "Analogue Output %02d Playback" |
3309 | }, |
3310 | - { |
3311 | + [SCARLETT2_PORT_TYPE_SPDIF] = { |
3312 | .id = 0x180, |
3313 | .num = { 2, 2, 2, 2, 2 }, |
3314 | .src_descr = "S/PDIF %d", |
3315 | .src_num_offset = 1, |
3316 | .dst_descr = "S/PDIF Output %d Playback" |
3317 | }, |
3318 | - { |
3319 | + [SCARLETT2_PORT_TYPE_MIX] = { |
3320 | .id = 0x300, |
3321 | .num = { 10, 18, 18, 18, 18 }, |
3322 | .src_descr = "Mix %c", |
3323 | .src_num_offset = 65, |
3324 | .dst_descr = "Mixer Input %02d Capture" |
3325 | }, |
3326 | - { |
3327 | + [SCARLETT2_PORT_TYPE_PCM] = { |
3328 | .id = 0x600, |
3329 | .num = { 6, 6, 6, 6, 6 }, |
3330 | .src_descr = "PCM %d", |
3331 | @@ -317,44 +317,44 @@ static const struct scarlett2_device_info s18i8_gen2_info = { |
3332 | }, |
3333 | |
3334 | .ports = { |
3335 | - { |
3336 | + [SCARLETT2_PORT_TYPE_NONE] = { |
3337 | .id = 0x000, |
3338 | .num = { 1, 0, 8, 8, 4 }, |
3339 | .src_descr = "Off", |
3340 | .src_num_offset = 0, |
3341 | }, |
3342 | - { |
3343 | + [SCARLETT2_PORT_TYPE_ANALOGUE] = { |
3344 | .id = 0x080, |
3345 | .num = { 8, 6, 6, 6, 6 }, |
3346 | .src_descr = "Analogue %d", |
3347 | .src_num_offset = 1, |
3348 | .dst_descr = "Analogue Output %02d Playback" |
3349 | }, |
3350 | - { |
3351 | + [SCARLETT2_PORT_TYPE_SPDIF] = { |
3352 | + .id = 0x180, |
3353 | /* S/PDIF outputs aren't available at 192KHz |
3354 | * but are included in the USB mux I/O |
3355 | * assignment message anyway |
3356 | */ |
3357 | - .id = 0x180, |
3358 | .num = { 2, 2, 2, 2, 2 }, |
3359 | .src_descr = "S/PDIF %d", |
3360 | .src_num_offset = 1, |
3361 | .dst_descr = "S/PDIF Output %d Playback" |
3362 | }, |
3363 | - { |
3364 | + [SCARLETT2_PORT_TYPE_ADAT] = { |
3365 | .id = 0x200, |
3366 | .num = { 8, 0, 0, 0, 0 }, |
3367 | .src_descr = "ADAT %d", |
3368 | .src_num_offset = 1, |
3369 | }, |
3370 | - { |
3371 | + [SCARLETT2_PORT_TYPE_MIX] = { |
3372 | .id = 0x300, |
3373 | .num = { 10, 18, 18, 18, 18 }, |
3374 | .src_descr = "Mix %c", |
3375 | .src_num_offset = 65, |
3376 | .dst_descr = "Mixer Input %02d Capture" |
3377 | }, |
3378 | - { |
3379 | + [SCARLETT2_PORT_TYPE_PCM] = { |
3380 | .id = 0x600, |
3381 | .num = { 20, 18, 18, 14, 10 }, |
3382 | .src_descr = "PCM %d", |
3383 | @@ -387,20 +387,20 @@ static const struct scarlett2_device_info s18i20_gen2_info = { |
3384 | }, |
3385 | |
3386 | .ports = { |
3387 | - { |
3388 | + [SCARLETT2_PORT_TYPE_NONE] = { |
3389 | .id = 0x000, |
3390 | .num = { 1, 0, 8, 8, 6 }, |
3391 | .src_descr = "Off", |
3392 | .src_num_offset = 0, |
3393 | }, |
3394 | - { |
3395 | + [SCARLETT2_PORT_TYPE_ANALOGUE] = { |
3396 | .id = 0x080, |
3397 | .num = { 8, 10, 10, 10, 10 }, |
3398 | .src_descr = "Analogue %d", |
3399 | .src_num_offset = 1, |
3400 | .dst_descr = "Analogue Output %02d Playback" |
3401 | }, |
3402 | - { |
3403 | + [SCARLETT2_PORT_TYPE_SPDIF] = { |
3404 | /* S/PDIF outputs aren't available at 192KHz |
3405 | * but are included in the USB mux I/O |
3406 | * assignment message anyway |
3407 | @@ -411,21 +411,21 @@ static const struct scarlett2_device_info s18i20_gen2_info = { |
3408 | .src_num_offset = 1, |
3409 | .dst_descr = "S/PDIF Output %d Playback" |
3410 | }, |
3411 | - { |
3412 | + [SCARLETT2_PORT_TYPE_ADAT] = { |
3413 | .id = 0x200, |
3414 | .num = { 8, 8, 8, 4, 0 }, |
3415 | .src_descr = "ADAT %d", |
3416 | .src_num_offset = 1, |
3417 | .dst_descr = "ADAT Output %d Playback" |
3418 | }, |
3419 | - { |
3420 | + [SCARLETT2_PORT_TYPE_MIX] = { |
3421 | .id = 0x300, |
3422 | .num = { 10, 18, 18, 18, 18 }, |
3423 | .src_descr = "Mix %c", |
3424 | .src_num_offset = 65, |
3425 | .dst_descr = "Mixer Input %02d Capture" |
3426 | }, |
3427 | - { |
3428 | + [SCARLETT2_PORT_TYPE_PCM] = { |
3429 | .id = 0x600, |
3430 | .num = { 20, 18, 18, 14, 10 }, |
3431 | .src_descr = "PCM %d", |
3432 | diff --git a/tools/arch/x86/tools/gen-insn-attr-x86.awk b/tools/arch/x86/tools/gen-insn-attr-x86.awk |
3433 | index b02a36b2c14f..a42015b305f4 100644 |
3434 | --- a/tools/arch/x86/tools/gen-insn-attr-x86.awk |
3435 | +++ b/tools/arch/x86/tools/gen-insn-attr-x86.awk |
3436 | @@ -69,7 +69,7 @@ BEGIN { |
3437 | |
3438 | lprefix1_expr = "\\((66|!F3)\\)" |
3439 | lprefix2_expr = "\\(F3\\)" |
3440 | - lprefix3_expr = "\\((F2|!F3|66\\&F2)\\)" |
3441 | + lprefix3_expr = "\\((F2|!F3|66&F2)\\)" |
3442 | lprefix_expr = "\\((66|F2|F3)\\)" |
3443 | max_lprefix = 4 |
3444 | |
3445 | @@ -257,7 +257,7 @@ function convert_operands(count,opnd, i,j,imm,mod) |
3446 | return add_flags(imm, mod) |
3447 | } |
3448 | |
3449 | -/^[0-9a-f]+\:/ { |
3450 | +/^[0-9a-f]+:/ { |
3451 | if (NR == 1) |
3452 | next |
3453 | # get index |
3454 | diff --git a/tools/testing/selftests/x86/mov_ss_trap.c b/tools/testing/selftests/x86/mov_ss_trap.c |
3455 | index 3c3a022654f3..6da0ac3f0135 100644 |
3456 | --- a/tools/testing/selftests/x86/mov_ss_trap.c |
3457 | +++ b/tools/testing/selftests/x86/mov_ss_trap.c |
3458 | @@ -257,7 +257,8 @@ int main() |
3459 | err(1, "sigaltstack"); |
3460 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK); |
3461 | nr = SYS_getpid; |
3462 | - asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr) |
3463 | + /* Clear EBP first to make sure we segfault cleanly. */ |
3464 | + asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr) |
3465 | : [ss] "m" (ss) : "flags", "rcx" |
3466 | #ifdef __x86_64__ |
3467 | , "r11" |
3468 | diff --git a/tools/testing/selftests/x86/sigreturn.c b/tools/testing/selftests/x86/sigreturn.c |
3469 | index 3e49a7873f3e..57c4f67f16ef 100644 |
3470 | --- a/tools/testing/selftests/x86/sigreturn.c |
3471 | +++ b/tools/testing/selftests/x86/sigreturn.c |
3472 | @@ -451,6 +451,19 @@ static void sigusr1(int sig, siginfo_t *info, void *ctx_void) |
3473 | ctx->uc_mcontext.gregs[REG_SP] = (unsigned long)0x8badf00d5aadc0deULL; |
3474 | ctx->uc_mcontext.gregs[REG_CX] = 0; |
3475 | |
3476 | +#ifdef __i386__ |
3477 | + /* |
3478 | + * Make sure the kernel doesn't inadvertently use DS or ES-relative |
3479 | + * accesses in a region where user DS or ES is loaded. |
3480 | + * |
3481 | + * Skip this for 64-bit builds because long mode doesn't care about |
3482 | + * DS and ES and skipping it increases test coverage a little bit, |
3483 | + * since 64-bit kernels can still run the 32-bit build. |
3484 | + */ |
3485 | + ctx->uc_mcontext.gregs[REG_DS] = 0; |
3486 | + ctx->uc_mcontext.gregs[REG_ES] = 0; |
3487 | +#endif |
3488 | + |
3489 | memcpy(&requested_regs, &ctx->uc_mcontext.gregs, sizeof(gregset_t)); |
3490 | requested_regs[REG_CX] = *ssptr(ctx); /* The asm code does this. */ |
3491 | |
3492 | diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c |
3493 | index 2813aa821c82..d1d8ba2a4a40 100644 |
3494 | --- a/tools/usb/usbip/libsrc/usbip_host_common.c |
3495 | +++ b/tools/usb/usbip/libsrc/usbip_host_common.c |
3496 | @@ -57,7 +57,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) |
3497 | } |
3498 | |
3499 | value = atoi(status); |
3500 | - |
3501 | + close(fd); |
3502 | return value; |
3503 | } |
3504 |