Contents of /trunk/kernel-alx/patches-5.4/0307-5.4.208-all-fixes.patch
Revision 3637
Mon Oct 24 12:40:44 2022 UTC by niro
File size: 139689 byte(s)
-add missing
1 | diff --git a/Makefile b/Makefile |
2 | index 89d19f04faabf..884a3f314baf8 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,7 +1,7 @@ |
6 | # SPDX-License-Identifier: GPL-2.0 |
7 | VERSION = 5 |
8 | PATCHLEVEL = 4 |
9 | -SUBLEVEL = 207 |
10 | +SUBLEVEL = 208 |
11 | EXTRAVERSION = |
12 | NAME = Kleptomaniac Octopus |
13 | |
14 | diff --git a/arch/Kconfig b/arch/Kconfig |
15 | index a8df66e645442..2219a07dca1ef 100644 |
16 | --- a/arch/Kconfig |
17 | +++ b/arch/Kconfig |
18 | @@ -915,27 +915,6 @@ config STRICT_MODULE_RWX |
19 | config ARCH_HAS_PHYS_TO_DMA |
20 | bool |
21 | |
22 | -config ARCH_HAS_REFCOUNT |
23 | - bool |
24 | - help |
25 | - An architecture selects this when it has implemented refcount_t |
26 | - using open coded assembly primitives that provide an optimized |
27 | - refcount_t implementation, possibly at the expense of some full |
28 | - refcount state checks of CONFIG_REFCOUNT_FULL=y. |
29 | - |
30 | - The refcount overflow check behavior, however, must be retained. |
31 | - Catching overflows is the primary security concern for protecting |
32 | - against bugs in reference counts. |
33 | - |
34 | -config REFCOUNT_FULL |
35 | - bool "Perform full reference count validation at the expense of speed" |
36 | - help |
37 | - Enabling this switches the refcounting infrastructure from a fast |
38 | - unchecked atomic_t implementation to a fully state checked |
39 | - implementation, which can be (slightly) slower but provides protections |
40 | - against various use-after-free conditions that can be used in |
41 | - security flaw exploits. |
42 | - |
43 | config HAVE_ARCH_COMPILER_H |
44 | bool |
45 | help |
46 | diff --git a/arch/alpha/kernel/srmcons.c b/arch/alpha/kernel/srmcons.c |
47 | index 438b10c44d732..2b7a314b84522 100644 |
48 | --- a/arch/alpha/kernel/srmcons.c |
49 | +++ b/arch/alpha/kernel/srmcons.c |
50 | @@ -59,7 +59,7 @@ srmcons_do_receive_chars(struct tty_port *port) |
51 | } while((result.bits.status & 1) && (++loops < 10)); |
52 | |
53 | if (count) |
54 | - tty_schedule_flip(port); |
55 | + tty_flip_buffer_push(port); |
56 | |
57 | return count; |
58 | } |
59 | diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig |
60 | index a1622b9290fd5..a4364cce85f8d 100644 |
61 | --- a/arch/arm/Kconfig |
62 | +++ b/arch/arm/Kconfig |
63 | @@ -119,7 +119,6 @@ config ARM |
64 | select OLD_SIGSUSPEND3 |
65 | select PCI_SYSCALL if PCI |
66 | select PERF_USE_VMALLOC |
67 | - select REFCOUNT_FULL |
68 | select RTC_LIB |
69 | select SYS_SUPPORTS_APM_EMULATION |
70 | # Above selects are sorted alphabetically; please add new ones |
71 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig |
72 | index a1a828ca188cf..6b73143f0cf8c 100644 |
73 | --- a/arch/arm64/Kconfig |
74 | +++ b/arch/arm64/Kconfig |
75 | @@ -181,7 +181,6 @@ config ARM64 |
76 | select PCI_SYSCALL if PCI |
77 | select POWER_RESET |
78 | select POWER_SUPPLY |
79 | - select REFCOUNT_FULL |
80 | select SPARSE_IRQ |
81 | select SWIOTLB |
82 | select SYSCTL_EXCEPTION_TRACE |
83 | diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile |
84 | index 7b579a003e30a..d1a9615391010 100644 |
85 | --- a/arch/riscv/Makefile |
86 | +++ b/arch/riscv/Makefile |
87 | @@ -74,6 +74,7 @@ ifeq ($(CONFIG_PERF_EVENTS),y) |
88 | endif |
89 | |
90 | KBUILD_CFLAGS_MODULE += $(call cc-option,-mno-relax) |
91 | +KBUILD_AFLAGS_MODULE += $(call as-option,-Wa$(comma)-mno-relax) |
92 | |
93 | # GCC versions that support the "-mstrict-align" option default to allowing |
94 | # unaligned accesses. While unaligned accesses are explicitly allowed in the |
95 | diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig |
96 | index 38d64030aacf6..2e60c80395ab0 100644 |
97 | --- a/arch/s390/configs/debug_defconfig |
98 | +++ b/arch/s390/configs/debug_defconfig |
99 | @@ -62,7 +62,6 @@ CONFIG_OPROFILE=m |
100 | CONFIG_KPROBES=y |
101 | CONFIG_JUMP_LABEL=y |
102 | CONFIG_STATIC_KEYS_SELFTEST=y |
103 | -CONFIG_REFCOUNT_FULL=y |
104 | CONFIG_LOCK_EVENT_COUNTS=y |
105 | CONFIG_MODULES=y |
106 | CONFIG_MODULE_FORCE_LOAD=y |
107 | diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig |
108 | index c6c71592f6e46..6002252692af4 100644 |
109 | --- a/arch/x86/Kconfig |
110 | +++ b/arch/x86/Kconfig |
111 | @@ -73,7 +73,6 @@ config X86 |
112 | select ARCH_HAS_PMEM_API if X86_64 |
113 | select ARCH_HAS_PTE_DEVMAP if X86_64 |
114 | select ARCH_HAS_PTE_SPECIAL |
115 | - select ARCH_HAS_REFCOUNT |
116 | select ARCH_HAS_UACCESS_FLUSHCACHE if X86_64 |
117 | select ARCH_HAS_UACCESS_MCSAFE if X86_64 && X86_MCE |
118 | select ARCH_HAS_SET_MEMORY |
119 | diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h |
120 | index 1b563f9167eae..cd339b88d5d46 100644 |
121 | --- a/arch/x86/include/asm/asm.h |
122 | +++ b/arch/x86/include/asm/asm.h |
123 | @@ -141,9 +141,6 @@ |
124 | # define _ASM_EXTABLE_EX(from, to) \ |
125 | _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext) |
126 | |
127 | -# define _ASM_EXTABLE_REFCOUNT(from, to) \ |
128 | - _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) |
129 | - |
130 | # define _ASM_NOKPROBE(entry) \ |
131 | .pushsection "_kprobe_blacklist","aw" ; \ |
132 | _ASM_ALIGN ; \ |
133 | @@ -172,9 +169,6 @@ |
134 | # define _ASM_EXTABLE_EX(from, to) \ |
135 | _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext) |
136 | |
137 | -# define _ASM_EXTABLE_REFCOUNT(from, to) \ |
138 | - _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) |
139 | - |
140 | /* For C file, we already have NOKPROBE_SYMBOL macro */ |
141 | #endif |
142 | |
143 | diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h |
144 | deleted file mode 100644 |
145 | index 232f856e0db06..0000000000000 |
146 | --- a/arch/x86/include/asm/refcount.h |
147 | +++ /dev/null |
148 | @@ -1,126 +0,0 @@ |
149 | -#ifndef __ASM_X86_REFCOUNT_H |
150 | -#define __ASM_X86_REFCOUNT_H |
151 | -/* |
152 | - * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from |
153 | - * PaX/grsecurity. |
154 | - */ |
155 | -#include <linux/refcount.h> |
156 | -#include <asm/bug.h> |
157 | - |
158 | -/* |
159 | - * This is the first portion of the refcount error handling, which lives in |
160 | - * .text.unlikely, and is jumped to from the CPU flag check (in the |
161 | - * following macros). This saves the refcount value location into CX for |
162 | - * the exception handler to use (in mm/extable.c), and then triggers the |
163 | - * central refcount exception. The fixup address for the exception points |
164 | - * back to the regular execution flow in .text. |
165 | - */ |
166 | -#define _REFCOUNT_EXCEPTION \ |
167 | - ".pushsection .text..refcount\n" \ |
168 | - "111:\tlea %[var], %%" _ASM_CX "\n" \ |
169 | - "112:\t" ASM_UD2 "\n" \ |
170 | - ASM_UNREACHABLE \ |
171 | - ".popsection\n" \ |
172 | - "113:\n" \ |
173 | - _ASM_EXTABLE_REFCOUNT(112b, 113b) |
174 | - |
175 | -/* Trigger refcount exception if refcount result is negative. */ |
176 | -#define REFCOUNT_CHECK_LT_ZERO \ |
177 | - "js 111f\n\t" \ |
178 | - _REFCOUNT_EXCEPTION |
179 | - |
180 | -/* Trigger refcount exception if refcount result is zero or negative. */ |
181 | -#define REFCOUNT_CHECK_LE_ZERO \ |
182 | - "jz 111f\n\t" \ |
183 | - REFCOUNT_CHECK_LT_ZERO |
184 | - |
185 | -/* Trigger refcount exception unconditionally. */ |
186 | -#define REFCOUNT_ERROR \ |
187 | - "jmp 111f\n\t" \ |
188 | - _REFCOUNT_EXCEPTION |
189 | - |
190 | -static __always_inline void refcount_add(unsigned int i, refcount_t *r) |
191 | -{ |
192 | - asm volatile(LOCK_PREFIX "addl %1,%0\n\t" |
193 | - REFCOUNT_CHECK_LT_ZERO |
194 | - : [var] "+m" (r->refs.counter) |
195 | - : "ir" (i) |
196 | - : "cc", "cx"); |
197 | -} |
198 | - |
199 | -static __always_inline void refcount_inc(refcount_t *r) |
200 | -{ |
201 | - asm volatile(LOCK_PREFIX "incl %0\n\t" |
202 | - REFCOUNT_CHECK_LT_ZERO |
203 | - : [var] "+m" (r->refs.counter) |
204 | - : : "cc", "cx"); |
205 | -} |
206 | - |
207 | -static __always_inline void refcount_dec(refcount_t *r) |
208 | -{ |
209 | - asm volatile(LOCK_PREFIX "decl %0\n\t" |
210 | - REFCOUNT_CHECK_LE_ZERO |
211 | - : [var] "+m" (r->refs.counter) |
212 | - : : "cc", "cx"); |
213 | -} |
214 | - |
215 | -static __always_inline __must_check |
216 | -bool refcount_sub_and_test(unsigned int i, refcount_t *r) |
217 | -{ |
218 | - bool ret = GEN_BINARY_SUFFIXED_RMWcc(LOCK_PREFIX "subl", |
219 | - REFCOUNT_CHECK_LT_ZERO, |
220 | - r->refs.counter, e, "er", i, "cx"); |
221 | - |
222 | - if (ret) { |
223 | - smp_acquire__after_ctrl_dep(); |
224 | - return true; |
225 | - } |
226 | - |
227 | - return false; |
228 | -} |
229 | - |
230 | -static __always_inline __must_check bool refcount_dec_and_test(refcount_t *r) |
231 | -{ |
232 | - bool ret = GEN_UNARY_SUFFIXED_RMWcc(LOCK_PREFIX "decl", |
233 | - REFCOUNT_CHECK_LT_ZERO, |
234 | - r->refs.counter, e, "cx"); |
235 | - |
236 | - if (ret) { |
237 | - smp_acquire__after_ctrl_dep(); |
238 | - return true; |
239 | - } |
240 | - |
241 | - return false; |
242 | -} |
243 | - |
244 | -static __always_inline __must_check |
245 | -bool refcount_add_not_zero(unsigned int i, refcount_t *r) |
246 | -{ |
247 | - int c, result; |
248 | - |
249 | - c = atomic_read(&(r->refs)); |
250 | - do { |
251 | - if (unlikely(c == 0)) |
252 | - return false; |
253 | - |
254 | - result = c + i; |
255 | - |
256 | - /* Did we try to increment from/to an undesirable state? */ |
257 | - if (unlikely(c < 0 || c == INT_MAX || result < c)) { |
258 | - asm volatile(REFCOUNT_ERROR |
259 | - : : [var] "m" (r->refs.counter) |
260 | - : "cc", "cx"); |
261 | - break; |
262 | - } |
263 | - |
264 | - } while (!atomic_try_cmpxchg(&(r->refs), &c, result)); |
265 | - |
266 | - return c != 0; |
267 | -} |
268 | - |
269 | -static __always_inline __must_check bool refcount_inc_not_zero(refcount_t *r) |
270 | -{ |
271 | - return refcount_add_not_zero(1, r); |
272 | -} |
273 | - |
274 | -#endif |
275 | diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h |
276 | index 61d93f062a36e..d6a0e57ecc073 100644 |
277 | --- a/arch/x86/include/asm/uaccess.h |
278 | +++ b/arch/x86/include/asm/uaccess.h |
279 | @@ -378,18 +378,6 @@ do { \ |
280 | : "=r" (err), ltype(x) \ |
281 | : "m" (__m(addr)), "i" (errret), "0" (err)) |
282 | |
283 | -#define __get_user_asm_nozero(x, addr, err, itype, rtype, ltype, errret) \ |
284 | - asm volatile("\n" \ |
285 | - "1: mov"itype" %2,%"rtype"1\n" \ |
286 | - "2:\n" \ |
287 | - ".section .fixup,\"ax\"\n" \ |
288 | - "3: mov %3,%0\n" \ |
289 | - " jmp 2b\n" \ |
290 | - ".previous\n" \ |
291 | - _ASM_EXTABLE_UA(1b, 3b) \ |
292 | - : "=r" (err), ltype(x) \ |
293 | - : "m" (__m(addr)), "i" (errret), "0" (err)) |
294 | - |
295 | /* |
296 | * This doesn't do __uaccess_begin/end - the exception handling |
297 | * around it must do that. |
298 | @@ -453,6 +441,103 @@ __pu_label: \ |
299 | __builtin_expect(__gu_err, 0); \ |
300 | }) |
301 | |
302 | +#ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT |
303 | +#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \ |
304 | + bool success; \ |
305 | + __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \ |
306 | + __typeof__(*(_ptr)) __old = *_old; \ |
307 | + __typeof__(*(_ptr)) __new = (_new); \ |
308 | + asm_volatile_goto("\n" \ |
309 | + "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\ |
310 | + _ASM_EXTABLE_UA(1b, %l[label]) \ |
311 | + : CC_OUT(z) (success), \ |
312 | + [ptr] "+m" (*_ptr), \ |
313 | + [old] "+a" (__old) \ |
314 | + : [new] ltype (__new) \ |
315 | + : "memory" \ |
316 | + : label); \ |
317 | + if (unlikely(!success)) \ |
318 | + *_old = __old; \ |
319 | + likely(success); }) |
320 | + |
321 | +#ifdef CONFIG_X86_32 |
322 | +#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \ |
323 | + bool success; \ |
324 | + __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \ |
325 | + __typeof__(*(_ptr)) __old = *_old; \ |
326 | + __typeof__(*(_ptr)) __new = (_new); \ |
327 | + asm_volatile_goto("\n" \ |
328 | + "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \ |
329 | + _ASM_EXTABLE_UA(1b, %l[label]) \ |
330 | + : CC_OUT(z) (success), \ |
331 | + "+A" (__old), \ |
332 | + [ptr] "+m" (*_ptr) \ |
333 | + : "b" ((u32)__new), \ |
334 | + "c" ((u32)((u64)__new >> 32)) \ |
335 | + : "memory" \ |
336 | + : label); \ |
337 | + if (unlikely(!success)) \ |
338 | + *_old = __old; \ |
339 | + likely(success); }) |
340 | +#endif // CONFIG_X86_32 |
341 | +#else // !CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT |
342 | +#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \ |
343 | + int __err = 0; \ |
344 | + bool success; \ |
345 | + __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \ |
346 | + __typeof__(*(_ptr)) __old = *_old; \ |
347 | + __typeof__(*(_ptr)) __new = (_new); \ |
348 | + asm volatile("\n" \ |
349 | + "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\ |
350 | + CC_SET(z) \ |
351 | + "2:\n" \ |
352 | + _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, \ |
353 | + %[errout]) \ |
354 | + : CC_OUT(z) (success), \ |
355 | + [errout] "+r" (__err), \ |
356 | + [ptr] "+m" (*_ptr), \ |
357 | + [old] "+a" (__old) \ |
358 | + : [new] ltype (__new) \ |
359 | + : "memory"); \ |
360 | + if (unlikely(__err)) \ |
361 | + goto label; \ |
362 | + if (unlikely(!success)) \ |
363 | + *_old = __old; \ |
364 | + likely(success); }) |
365 | + |
366 | +#ifdef CONFIG_X86_32 |
367 | +/* |
368 | + * Unlike the normal CMPXCHG, hardcode ECX for both success/fail and error. |
369 | + * There are only six GPRs available and four (EAX, EBX, ECX, and EDX) are |
370 | + * hardcoded by CMPXCHG8B, leaving only ESI and EDI. If the compiler uses |
371 | + * both ESI and EDI for the memory operand, compilation will fail if the error |
372 | + * is an input+output as there will be no register available for input. |
373 | + */ |
374 | +#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \ |
375 | + int __result; \ |
376 | + __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \ |
377 | + __typeof__(*(_ptr)) __old = *_old; \ |
378 | + __typeof__(*(_ptr)) __new = (_new); \ |
379 | + asm volatile("\n" \ |
380 | + "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \ |
381 | + "mov $0, %%ecx\n\t" \ |
382 | + "setz %%cl\n" \ |
383 | + "2:\n" \ |
384 | + _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %%ecx) \ |
385 | + : [result]"=c" (__result), \ |
386 | + "+A" (__old), \ |
387 | + [ptr] "+m" (*_ptr) \ |
388 | + : "b" ((u32)__new), \ |
389 | + "c" ((u32)((u64)__new >> 32)) \ |
390 | + : "memory", "cc"); \ |
391 | + if (unlikely(__result < 0)) \ |
392 | + goto label; \ |
393 | + if (unlikely(!__result)) \ |
394 | + *_old = __old; \ |
395 | + likely(__result); }) |
396 | +#endif // CONFIG_X86_32 |
397 | +#endif // CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT |
398 | + |
399 | /* FIXME: this hack is definitely wrong -AK */ |
400 | struct __large_struct { unsigned long buf[100]; }; |
401 | #define __m(x) (*(struct __large_struct __user *)(x)) |
402 | @@ -734,6 +819,51 @@ do { \ |
403 | if (unlikely(__gu_err)) goto err_label; \ |
404 | } while (0) |
405 | |
406 | +extern void __try_cmpxchg_user_wrong_size(void); |
407 | + |
408 | +#ifndef CONFIG_X86_32 |
409 | +#define __try_cmpxchg64_user_asm(_ptr, _oldp, _nval, _label) \ |
410 | + __try_cmpxchg_user_asm("q", "r", (_ptr), (_oldp), (_nval), _label) |
411 | +#endif |
412 | + |
413 | +/* |
414 | + * Force the pointer to u<size> to match the size expected by the asm helper. |
415 | + * clang/LLVM compiles all cases and only discards the unused paths after |
416 | + * processing errors, which breaks i386 if the pointer is an 8-byte value. |
417 | + */ |
418 | +#define unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \ |
419 | + bool __ret; \ |
420 | + __chk_user_ptr(_ptr); \ |
421 | + switch (sizeof(*(_ptr))) { \ |
422 | + case 1: __ret = __try_cmpxchg_user_asm("b", "q", \ |
423 | + (__force u8 *)(_ptr), (_oldp), \ |
424 | + (_nval), _label); \ |
425 | + break; \ |
426 | + case 2: __ret = __try_cmpxchg_user_asm("w", "r", \ |
427 | + (__force u16 *)(_ptr), (_oldp), \ |
428 | + (_nval), _label); \ |
429 | + break; \ |
430 | + case 4: __ret = __try_cmpxchg_user_asm("l", "r", \ |
431 | + (__force u32 *)(_ptr), (_oldp), \ |
432 | + (_nval), _label); \ |
433 | + break; \ |
434 | + case 8: __ret = __try_cmpxchg64_user_asm((__force u64 *)(_ptr), (_oldp),\ |
435 | + (_nval), _label); \ |
436 | + break; \ |
437 | + default: __try_cmpxchg_user_wrong_size(); \ |
438 | + } \ |
439 | + __ret; }) |
440 | + |
441 | +/* "Returns" 0 on success, 1 on failure, -EFAULT if the access faults. */ |
442 | +#define __try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \ |
443 | + int __ret = -EFAULT; \ |
444 | + __uaccess_begin_nospec(); \ |
445 | + __ret = !unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label); \ |
446 | +_label: \ |
447 | + __uaccess_end(); \ |
448 | + __ret; \ |
449 | + }) |
450 | + |
451 | /* |
452 | * We want the unsafe accessors to always be inlined and use |
453 | * the error labels - thus the macro games. |
454 | diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h |
455 | index ba2dc19306303..388a40660c7b5 100644 |
456 | --- a/arch/x86/include/asm/uaccess_32.h |
457 | +++ b/arch/x86/include/asm/uaccess_32.h |
458 | @@ -23,33 +23,6 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n) |
459 | static __always_inline unsigned long |
460 | raw_copy_from_user(void *to, const void __user *from, unsigned long n) |
461 | { |
462 | - if (__builtin_constant_p(n)) { |
463 | - unsigned long ret; |
464 | - |
465 | - switch (n) { |
466 | - case 1: |
467 | - ret = 0; |
468 | - __uaccess_begin_nospec(); |
469 | - __get_user_asm_nozero(*(u8 *)to, from, ret, |
470 | - "b", "b", "=q", 1); |
471 | - __uaccess_end(); |
472 | - return ret; |
473 | - case 2: |
474 | - ret = 0; |
475 | - __uaccess_begin_nospec(); |
476 | - __get_user_asm_nozero(*(u16 *)to, from, ret, |
477 | - "w", "w", "=r", 2); |
478 | - __uaccess_end(); |
479 | - return ret; |
480 | - case 4: |
481 | - ret = 0; |
482 | - __uaccess_begin_nospec(); |
483 | - __get_user_asm_nozero(*(u32 *)to, from, ret, |
484 | - "l", "k", "=r", 4); |
485 | - __uaccess_end(); |
486 | - return ret; |
487 | - } |
488 | - } |
489 | return __copy_user_ll(to, (__force const void *)from, n); |
490 | } |
491 | |
492 | diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h |
493 | index 5cd1caa8bc653..bc10e3dc64fed 100644 |
494 | --- a/arch/x86/include/asm/uaccess_64.h |
495 | +++ b/arch/x86/include/asm/uaccess_64.h |
496 | @@ -65,117 +65,13 @@ copy_to_user_mcsafe(void *to, const void *from, unsigned len) |
497 | static __always_inline __must_check unsigned long |
498 | raw_copy_from_user(void *dst, const void __user *src, unsigned long size) |
499 | { |
500 | - int ret = 0; |
501 | - |
502 | - if (!__builtin_constant_p(size)) |
503 | - return copy_user_generic(dst, (__force void *)src, size); |
504 | - switch (size) { |
505 | - case 1: |
506 | - __uaccess_begin_nospec(); |
507 | - __get_user_asm_nozero(*(u8 *)dst, (u8 __user *)src, |
508 | - ret, "b", "b", "=q", 1); |
509 | - __uaccess_end(); |
510 | - return ret; |
511 | - case 2: |
512 | - __uaccess_begin_nospec(); |
513 | - __get_user_asm_nozero(*(u16 *)dst, (u16 __user *)src, |
514 | - ret, "w", "w", "=r", 2); |
515 | - __uaccess_end(); |
516 | - return ret; |
517 | - case 4: |
518 | - __uaccess_begin_nospec(); |
519 | - __get_user_asm_nozero(*(u32 *)dst, (u32 __user *)src, |
520 | - ret, "l", "k", "=r", 4); |
521 | - __uaccess_end(); |
522 | - return ret; |
523 | - case 8: |
524 | - __uaccess_begin_nospec(); |
525 | - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, |
526 | - ret, "q", "", "=r", 8); |
527 | - __uaccess_end(); |
528 | - return ret; |
529 | - case 10: |
530 | - __uaccess_begin_nospec(); |
531 | - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, |
532 | - ret, "q", "", "=r", 10); |
533 | - if (likely(!ret)) |
534 | - __get_user_asm_nozero(*(u16 *)(8 + (char *)dst), |
535 | - (u16 __user *)(8 + (char __user *)src), |
536 | - ret, "w", "w", "=r", 2); |
537 | - __uaccess_end(); |
538 | - return ret; |
539 | - case 16: |
540 | - __uaccess_begin_nospec(); |
541 | - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, |
542 | - ret, "q", "", "=r", 16); |
543 | - if (likely(!ret)) |
544 | - __get_user_asm_nozero(*(u64 *)(8 + (char *)dst), |
545 | - (u64 __user *)(8 + (char __user *)src), |
546 | - ret, "q", "", "=r", 8); |
547 | - __uaccess_end(); |
548 | - return ret; |
549 | - default: |
550 | - return copy_user_generic(dst, (__force void *)src, size); |
551 | - } |
552 | + return copy_user_generic(dst, (__force void *)src, size); |
553 | } |
554 | |
555 | static __always_inline __must_check unsigned long |
556 | raw_copy_to_user(void __user *dst, const void *src, unsigned long size) |
557 | { |
558 | - int ret = 0; |
559 | - |
560 | - if (!__builtin_constant_p(size)) |
561 | - return copy_user_generic((__force void *)dst, src, size); |
562 | - switch (size) { |
563 | - case 1: |
564 | - __uaccess_begin(); |
565 | - __put_user_asm(*(u8 *)src, (u8 __user *)dst, |
566 | - ret, "b", "b", "iq", 1); |
567 | - __uaccess_end(); |
568 | - return ret; |
569 | - case 2: |
570 | - __uaccess_begin(); |
571 | - __put_user_asm(*(u16 *)src, (u16 __user *)dst, |
572 | - ret, "w", "w", "ir", 2); |
573 | - __uaccess_end(); |
574 | - return ret; |
575 | - case 4: |
576 | - __uaccess_begin(); |
577 | - __put_user_asm(*(u32 *)src, (u32 __user *)dst, |
578 | - ret, "l", "k", "ir", 4); |
579 | - __uaccess_end(); |
580 | - return ret; |
581 | - case 8: |
582 | - __uaccess_begin(); |
583 | - __put_user_asm(*(u64 *)src, (u64 __user *)dst, |
584 | - ret, "q", "", "er", 8); |
585 | - __uaccess_end(); |
586 | - return ret; |
587 | - case 10: |
588 | - __uaccess_begin(); |
589 | - __put_user_asm(*(u64 *)src, (u64 __user *)dst, |
590 | - ret, "q", "", "er", 10); |
591 | - if (likely(!ret)) { |
592 | - asm("":::"memory"); |
593 | - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst, |
594 | - ret, "w", "w", "ir", 2); |
595 | - } |
596 | - __uaccess_end(); |
597 | - return ret; |
598 | - case 16: |
599 | - __uaccess_begin(); |
600 | - __put_user_asm(*(u64 *)src, (u64 __user *)dst, |
601 | - ret, "q", "", "er", 16); |
602 | - if (likely(!ret)) { |
603 | - asm("":::"memory"); |
604 | - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst, |
605 | - ret, "q", "", "er", 8); |
606 | - } |
607 | - __uaccess_end(); |
608 | - return ret; |
609 | - default: |
610 | - return copy_user_generic((__force void *)dst, src, size); |
611 | - } |
612 | + return copy_user_generic((__force void *)dst, src, size); |
613 | } |
614 | |
615 | static __always_inline __must_check |
616 | diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c |
617 | index 8a2b8e7913149..9b98a7d8ac604 100644 |
618 | --- a/arch/x86/kernel/cpu/mce/core.c |
619 | +++ b/arch/x86/kernel/cpu/mce/core.c |
620 | @@ -397,13 +397,16 @@ static int msr_to_offset(u32 msr) |
621 | return -1; |
622 | } |
623 | |
624 | -__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, |
625 | - struct pt_regs *regs, int trapnr, |
626 | - unsigned long error_code, |
627 | - unsigned long fault_addr) |
628 | +static void ex_handler_msr_mce(struct pt_regs *regs, bool wrmsr) |
629 | { |
630 | - pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", |
631 | - (unsigned int)regs->cx, regs->ip, (void *)regs->ip); |
632 | + if (wrmsr) { |
633 | + pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n", |
634 | + (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, |
635 | + regs->ip, (void *)regs->ip); |
636 | + } else { |
637 | + pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", |
638 | + (unsigned int)regs->cx, regs->ip, (void *)regs->ip); |
639 | + } |
640 | |
641 | show_stack_regs(regs); |
642 | |
643 | @@ -411,7 +414,14 @@ __visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, |
644 | |
645 | while (true) |
646 | cpu_relax(); |
647 | +} |
648 | |
649 | +__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, |
650 | + struct pt_regs *regs, int trapnr, |
651 | + unsigned long error_code, |
652 | + unsigned long fault_addr) |
653 | +{ |
654 | + ex_handler_msr_mce(regs, false); |
655 | return true; |
656 | } |
657 | |
658 | @@ -447,17 +457,7 @@ __visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, |
659 | unsigned long error_code, |
660 | unsigned long fault_addr) |
661 | { |
662 | - pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n", |
663 | - (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, |
664 | - regs->ip, (void *)regs->ip); |
665 | - |
666 | - show_stack_regs(regs); |
667 | - |
668 | - panic("MCA architectural violation!\n"); |
669 | - |
670 | - while (true) |
671 | - cpu_relax(); |
672 | - |
673 | + ex_handler_msr_mce(regs, true); |
674 | return true; |
675 | } |
676 | |
677 | diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c |
678 | index 4d75bc656f971..30bb0bd3b1b88 100644 |
679 | --- a/arch/x86/mm/extable.c |
680 | +++ b/arch/x86/mm/extable.c |
681 | @@ -44,55 +44,6 @@ __visible bool ex_handler_fault(const struct exception_table_entry *fixup, |
682 | } |
683 | EXPORT_SYMBOL_GPL(ex_handler_fault); |
684 | |
685 | -/* |
686 | - * Handler for UD0 exception following a failed test against the |
687 | - * result of a refcount inc/dec/add/sub. |
688 | - */ |
689 | -__visible bool ex_handler_refcount(const struct exception_table_entry *fixup, |
690 | - struct pt_regs *regs, int trapnr, |
691 | - unsigned long error_code, |
692 | - unsigned long fault_addr) |
693 | -{ |
694 | - /* First unconditionally saturate the refcount. */ |
695 | - *(int *)regs->cx = INT_MIN / 2; |
696 | - |
697 | - /* |
698 | - * Strictly speaking, this reports the fixup destination, not |
699 | - * the fault location, and not the actually overflowing |
700 | - * instruction, which is the instruction before the "js", but |
701 | - * since that instruction could be a variety of lengths, just |
702 | - * report the location after the overflow, which should be close |
703 | - * enough for finding the overflow, as it's at least back in |
704 | - * the function, having returned from .text.unlikely. |
705 | - */ |
706 | - regs->ip = ex_fixup_addr(fixup); |
707 | - |
708 | - /* |
709 | - * This function has been called because either a negative refcount |
710 | - * value was seen by any of the refcount functions, or a zero |
711 | - * refcount value was seen by refcount_dec(). |
712 | - * |
713 | - * If we crossed from INT_MAX to INT_MIN, OF (Overflow Flag: result |
714 | - * wrapped around) will be set. Additionally, seeing the refcount |
715 | - * reach 0 will set ZF (Zero Flag: result was zero). In each of |
716 | - * these cases we want a report, since it's a boundary condition. |
717 | - * The SF case is not reported since it indicates post-boundary |
718 | - * manipulations below zero or above INT_MAX. And if none of the |
719 | - * flags are set, something has gone very wrong, so report it. |
720 | - */ |
721 | - if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_ZF)) { |
722 | - bool zero = regs->flags & X86_EFLAGS_ZF; |
723 | - |
724 | - refcount_error_report(regs, zero ? "hit zero" : "overflow"); |
725 | - } else if ((regs->flags & X86_EFLAGS_SF) == 0) { |
726 | - /* Report if none of OF, ZF, nor SF are set. */ |
727 | - refcount_error_report(regs, "unexpected saturation"); |
728 | - } |
729 | - |
730 | - return true; |
731 | -} |
732 | -EXPORT_SYMBOL(ex_handler_refcount); |
733 | - |
734 | /* |
735 | * Handler for when we fail to restore a task's FPU state. We should never get |
736 | * here because the FPU state of a task using the FPU (task->thread.fpu.state) |
737 | diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chelsio/chtls/chtls_cm.c |
738 | index 82b76df43ae57..3b79bcd03e7bc 100644 |
739 | --- a/drivers/crypto/chelsio/chtls/chtls_cm.c |
740 | +++ b/drivers/crypto/chelsio/chtls/chtls_cm.c |
741 | @@ -1103,8 +1103,8 @@ static struct sock *chtls_recv_sock(struct sock *lsk, |
742 | csk->sndbuf = newsk->sk_sndbuf; |
743 | csk->smac_idx = ((struct port_info *)netdev_priv(ndev))->smt_idx; |
744 | RCV_WSCALE(tp) = select_rcv_wscale(tcp_full_space(newsk), |
745 | - sock_net(newsk)-> |
746 | - ipv4.sysctl_tcp_window_scaling, |
747 | + READ_ONCE(sock_net(newsk)-> |
748 | + ipv4.sysctl_tcp_window_scaling), |
749 | tp->window_clamp); |
750 | neigh_release(n); |
751 | inet_inherit_port(&tcp_hashinfo, lsk, newsk); |
752 | @@ -1235,7 +1235,7 @@ static void chtls_pass_accept_request(struct sock *sk, |
753 | chtls_set_req_addr(oreq, iph->daddr, iph->saddr); |
754 | ip_dsfield = ipv4_get_dsfield(iph); |
755 | if (req->tcpopt.wsf <= 14 && |
756 | - sock_net(sk)->ipv4.sysctl_tcp_window_scaling) { |
757 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) { |
758 | inet_rsk(oreq)->wscale_ok = 1; |
759 | inet_rsk(oreq)->snd_wscale = req->tcpopt.wsf; |
760 | } |
761 | diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c |
762 | index 54da66d02b0e5..317f54f19477e 100644 |
763 | --- a/drivers/gpio/gpio-pca953x.c |
764 | +++ b/drivers/gpio/gpio-pca953x.c |
765 | @@ -379,6 +379,9 @@ static const struct regmap_config pca953x_i2c_regmap = { |
766 | .reg_bits = 8, |
767 | .val_bits = 8, |
768 | |
769 | + .use_single_read = true, |
770 | + .use_single_write = true, |
771 | + |
772 | .readable_reg = pca953x_readable_register, |
773 | .writeable_reg = pca953x_writeable_register, |
774 | .volatile_reg = pca953x_volatile_register, |
775 | diff --git a/drivers/gpu/drm/i915/Kconfig.debug b/drivers/gpu/drm/i915/Kconfig.debug |
776 | index 41c8e39a73ba8..e4f03fcb125e4 100644 |
777 | --- a/drivers/gpu/drm/i915/Kconfig.debug |
778 | +++ b/drivers/gpu/drm/i915/Kconfig.debug |
779 | @@ -21,7 +21,6 @@ config DRM_I915_DEBUG |
780 | depends on DRM_I915 |
781 | select DEBUG_FS |
782 | select PREEMPT_COUNT |
783 | - select REFCOUNT_FULL |
784 | select I2C_CHARDEV |
785 | select STACKDEPOT |
786 | select DRM_DP_AUX_CHARDEV |
787 | diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c |
788 | index 3a1bdc75275f4..8750e444f4492 100644 |
789 | --- a/drivers/i2c/busses/i2c-cadence.c |
790 | +++ b/drivers/i2c/busses/i2c-cadence.c |
791 | @@ -198,9 +198,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *id, bool hold_wrkaround) |
792 | */ |
793 | static irqreturn_t cdns_i2c_isr(int irq, void *ptr) |
794 | { |
795 | - unsigned int isr_status, avail_bytes, updatetx; |
796 | + unsigned int isr_status, avail_bytes; |
797 | unsigned int bytes_to_send; |
798 | - bool hold_quirk; |
799 | + bool updatetx; |
800 | struct cdns_i2c *id = ptr; |
801 | /* Signal completion only after everything is updated */ |
802 | int done_flag = 0; |
803 | @@ -219,11 +219,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) |
804 | * Check if transfer size register needs to be updated again for a |
805 | * large data receive operation. |
806 | */ |
807 | - updatetx = 0; |
808 | - if (id->recv_count > id->curr_recv_count) |
809 | - updatetx = 1; |
810 | - |
811 | - hold_quirk = (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx; |
812 | + updatetx = id->recv_count > id->curr_recv_count; |
813 | |
814 | /* When receiving, handle data interrupt and completion interrupt */ |
815 | if (id->p_recv_buf && |
816 | @@ -246,7 +242,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) |
817 | id->recv_count--; |
818 | id->curr_recv_count--; |
819 | |
820 | - if (cdns_is_holdquirk(id, hold_quirk)) |
821 | + if (cdns_is_holdquirk(id, updatetx)) |
822 | break; |
823 | } |
824 | |
825 | @@ -257,7 +253,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) |
826 | * maintain transfer size non-zero while performing a large |
827 | * receive operation. |
828 | */ |
829 | - if (cdns_is_holdquirk(id, hold_quirk)) { |
830 | + if (cdns_is_holdquirk(id, updatetx)) { |
831 | /* wait while fifo is full */ |
832 | while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) != |
833 | (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH)) |
834 | @@ -279,22 +275,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) |
835 | CDNS_I2C_XFER_SIZE_OFFSET); |
836 | id->curr_recv_count = id->recv_count; |
837 | } |
838 | - } else if (id->recv_count && !hold_quirk && |
839 | - !id->curr_recv_count) { |
840 | - |
841 | - /* Set the slave address in address register*/ |
842 | - cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK, |
843 | - CDNS_I2C_ADDR_OFFSET); |
844 | - |
845 | - if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) { |
846 | - cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE, |
847 | - CDNS_I2C_XFER_SIZE_OFFSET); |
848 | - id->curr_recv_count = CDNS_I2C_TRANSFER_SIZE; |
849 | - } else { |
850 | - cdns_i2c_writereg(id->recv_count, |
851 | - CDNS_I2C_XFER_SIZE_OFFSET); |
852 | - id->curr_recv_count = id->recv_count; |
853 | - } |
854 | } |
855 | |
856 | /* Clear hold (if not repeated start) and signal completion */ |
857 | diff --git a/drivers/misc/lkdtm/refcount.c b/drivers/misc/lkdtm/refcount.c |
858 | index 0a146b32da132..abf3b7c1f686c 100644 |
859 | --- a/drivers/misc/lkdtm/refcount.c |
860 | +++ b/drivers/misc/lkdtm/refcount.c |
861 | @@ -6,14 +6,6 @@ |
862 | #include "lkdtm.h" |
863 | #include <linux/refcount.h> |
864 | |
865 | -#ifdef CONFIG_REFCOUNT_FULL |
866 | -#define REFCOUNT_MAX (UINT_MAX - 1) |
867 | -#define REFCOUNT_SATURATED UINT_MAX |
868 | -#else |
869 | -#define REFCOUNT_MAX INT_MAX |
870 | -#define REFCOUNT_SATURATED (INT_MIN / 2) |
871 | -#endif |
872 | - |
873 | static void overflow_check(refcount_t *ref) |
874 | { |
875 | switch (refcount_read(ref)) { |
876 | diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c |
877 | index 649c5c429bd7c..1288b5e3d2201 100644 |
878 | --- a/drivers/net/ethernet/emulex/benet/be_cmds.c |
879 | +++ b/drivers/net/ethernet/emulex/benet/be_cmds.c |
880 | @@ -2287,7 +2287,7 @@ err: |
881 | |
882 | /* Uses sync mcc */ |
883 | int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, |
884 | - u8 page_num, u8 *data) |
885 | + u8 page_num, u32 off, u32 len, u8 *data) |
886 | { |
887 | struct be_dma_mem cmd; |
888 | struct be_mcc_wrb *wrb; |
889 | @@ -2321,10 +2321,10 @@ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, |
890 | req->port = cpu_to_le32(adapter->hba_port_num); |
891 | req->page_num = cpu_to_le32(page_num); |
892 | status = be_mcc_notify_wait(adapter); |
893 | - if (!status) { |
894 | + if (!status && len > 0) { |
895 | struct be_cmd_resp_port_type *resp = cmd.va; |
896 | |
897 | - memcpy(data, resp->page_data, PAGE_DATA_LEN); |
898 | + memcpy(data, resp->page_data + off, len); |
899 | } |
900 | err: |
901 | mutex_unlock(&adapter->mcc_lock); |
902 | @@ -2415,7 +2415,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapter) |
903 | int status; |
904 | |
905 | status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, |
906 | - page_data); |
907 | + 0, PAGE_DATA_LEN, page_data); |
908 | if (!status) { |
909 | switch (adapter->phy.interface_type) { |
910 | case PHY_TYPE_QSFP: |
911 | @@ -2440,7 +2440,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter) |
912 | int status; |
913 | |
914 | status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, |
915 | - page_data); |
916 | + 0, PAGE_DATA_LEN, page_data); |
917 | if (!status) { |
918 | strlcpy(adapter->phy.vendor_name, page_data + |
919 | SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1); |
920 | diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethernet/emulex/benet/be_cmds.h |
921 | index c30d6d6f0f3a0..9e17d6a7ab8cd 100644 |
922 | --- a/drivers/net/ethernet/emulex/benet/be_cmds.h |
923 | +++ b/drivers/net/ethernet/emulex/benet/be_cmds.h |
924 | @@ -2427,7 +2427,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapter, u8 port_num, u8 beacon, |
925 | int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num, |
926 | u32 *state); |
927 | int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, |
928 | - u8 page_num, u8 *data); |
929 | + u8 page_num, u32 off, u32 len, u8 *data); |
930 | int be_cmd_query_cable_type(struct be_adapter *adapter); |
931 | int be_cmd_query_sfp_info(struct be_adapter *adapter); |
932 | int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *cmd, |
933 | diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c |
934 | index 5bb5abf995887..7cc1f41971c57 100644 |
935 | --- a/drivers/net/ethernet/emulex/benet/be_ethtool.c |
936 | +++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c |
937 | @@ -1339,7 +1339,7 @@ static int be_get_module_info(struct net_device *netdev, |
938 | return -EOPNOTSUPP; |
939 | |
940 | status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, |
941 | - page_data); |
942 | + 0, PAGE_DATA_LEN, page_data); |
943 | if (!status) { |
944 | if (!page_data[SFP_PLUS_SFF_8472_COMP]) { |
945 | modinfo->type = ETH_MODULE_SFF_8079; |
946 | @@ -1357,25 +1357,32 @@ static int be_get_module_eeprom(struct net_device *netdev, |
947 | { |
948 | struct be_adapter *adapter = netdev_priv(netdev); |
949 | int status; |
950 | + u32 begin, end; |
951 | |
952 | if (!check_privilege(adapter, MAX_PRIVILEGES)) |
953 | return -EOPNOTSUPP; |
954 | |
955 | - status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, |
956 | - data); |
957 | - if (status) |
958 | - goto err; |
959 | + begin = eeprom->offset; |
960 | + end = eeprom->offset + eeprom->len; |
961 | + |
962 | + if (begin < PAGE_DATA_LEN) { |
963 | + status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin, |
964 | + min_t(u32, end, PAGE_DATA_LEN) - begin, |
965 | + data); |
966 | + if (status) |
967 | + goto err; |
968 | + |
969 | + data += PAGE_DATA_LEN - begin; |
970 | + begin = PAGE_DATA_LEN; |
971 | + } |
972 | |
973 | - if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) { |
974 | - status = be_cmd_read_port_transceiver_data(adapter, |
975 | - TR_PAGE_A2, |
976 | - data + |
977 | - PAGE_DATA_LEN); |
978 | + if (end > PAGE_DATA_LEN) { |
979 | + status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2, |
980 | + begin - PAGE_DATA_LEN, |
981 | + end - begin, data); |
982 | if (status) |
983 | goto err; |
984 | } |
985 | - if (eeprom->offset) |
986 | - memcpy(data, data + eeprom->offset, eeprom->len); |
987 | err: |
988 | return be_cmd_status(status); |
989 | } |
990 | diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c |
991 | index 05442bbc218cd..0610d344fdbf0 100644 |
992 | --- a/drivers/net/ethernet/intel/i40e/i40e_main.c |
993 | +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c |
994 | @@ -10068,7 +10068,7 @@ static int i40e_reset(struct i40e_pf *pf) |
995 | **/ |
996 | static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) |
997 | { |
998 | - int old_recovery_mode_bit = test_bit(__I40E_RECOVERY_MODE, pf->state); |
999 | + const bool is_recovery_mode_reported = i40e_check_recovery_mode(pf); |
1000 | struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; |
1001 | struct i40e_hw *hw = &pf->hw; |
1002 | i40e_status ret; |
1003 | @@ -10076,13 +10076,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) |
1004 | int v; |
1005 | |
1006 | if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && |
1007 | - i40e_check_recovery_mode(pf)) { |
1008 | + is_recovery_mode_reported) |
1009 | i40e_set_ethtool_ops(pf->vsi[pf->lan_vsi]->netdev); |
1010 | - } |
1011 | |
1012 | if (test_bit(__I40E_DOWN, pf->state) && |
1013 | - !test_bit(__I40E_RECOVERY_MODE, pf->state) && |
1014 | - !old_recovery_mode_bit) |
1015 | + !test_bit(__I40E_RECOVERY_MODE, pf->state)) |
1016 | goto clear_recovery; |
1017 | dev_dbg(&pf->pdev->dev, "Rebuilding internal switch\n"); |
1018 | |
1019 | @@ -10109,13 +10107,12 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) |
1020 | * accordingly with regard to resources initialization |
1021 | * and deinitialization |
1022 | */ |
1023 | - if (test_bit(__I40E_RECOVERY_MODE, pf->state) || |
1024 | - old_recovery_mode_bit) { |
1025 | + if (test_bit(__I40E_RECOVERY_MODE, pf->state)) { |
1026 | if (i40e_get_capabilities(pf, |
1027 | i40e_aqc_opc_list_func_capabilities)) |
1028 | goto end_unlock; |
1029 | |
1030 | - if (test_bit(__I40E_RECOVERY_MODE, pf->state)) { |
1031 | + if (is_recovery_mode_reported) { |
1032 | /* we're staying in recovery mode so we'll reinitialize |
1033 | * misc vector here |
1034 | */ |
1035 | diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c |
1036 | index 7a30d5d5ef53a..c6905d1b6182c 100644 |
1037 | --- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c |
1038 | +++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c |
1039 | @@ -1263,11 +1263,10 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(struct iavf_ring *rx_ring, |
1040 | { |
1041 | struct iavf_rx_buffer *rx_buffer; |
1042 | |
1043 | - if (!size) |
1044 | - return NULL; |
1045 | - |
1046 | rx_buffer = &rx_ring->rx_bi[rx_ring->next_to_clean]; |
1047 | prefetchw(rx_buffer->page); |
1048 | + if (!size) |
1049 | + return rx_buffer; |
1050 | |
1051 | /* we are reusing so sync this buffer for CPU use */ |
1052 | dma_sync_single_range_for_cpu(rx_ring->dev, |
1053 | diff --git a/drivers/net/ethernet/intel/igc/igc_regs.h b/drivers/net/ethernet/intel/igc/igc_regs.h |
1054 | index 50d7c04dccf59..7bc7d7618fe1e 100644 |
1055 | --- a/drivers/net/ethernet/intel/igc/igc_regs.h |
1056 | +++ b/drivers/net/ethernet/intel/igc/igc_regs.h |
1057 | @@ -236,4 +236,6 @@ do { \ |
1058 | |
1059 | #define array_rd32(reg, offset) (igc_rd32(hw, (reg) + ((offset) << 2))) |
1060 | |
1061 | +#define IGC_REMOVED(h) unlikely(!(h)) |
1062 | + |
1063 | #endif |
1064 | diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h |
1065 | index 39e73ad60352f..fa49ef2afde5f 100644 |
1066 | --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h |
1067 | +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h |
1068 | @@ -773,6 +773,7 @@ struct ixgbe_adapter { |
1069 | #ifdef CONFIG_IXGBE_IPSEC |
1070 | struct ixgbe_ipsec *ipsec; |
1071 | #endif /* CONFIG_IXGBE_IPSEC */ |
1072 | + spinlock_t vfs_lock; |
1073 | }; |
1074 | |
1075 | static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter) |
1076 | diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
1077 | index 8a894e5d923f0..f8aa1a0b89c5d 100644 |
1078 | --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
1079 | +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |
1080 | @@ -6396,6 +6396,9 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter, |
1081 | /* n-tuple support exists, always init our spinlock */ |
1082 | spin_lock_init(&adapter->fdir_perfect_lock); |
1083 | |
1084 | + /* init spinlock to avoid concurrency of VF resources */ |
1085 | + spin_lock_init(&adapter->vfs_lock); |
1086 | + |
1087 | #ifdef CONFIG_IXGBE_DCB |
1088 | ixgbe_init_dcb(adapter); |
1089 | #endif |
1090 | diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |
1091 | index cf5c2b9465eba..0e73e3b1af19a 100644 |
1092 | --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |
1093 | +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |
1094 | @@ -204,10 +204,13 @@ void ixgbe_enable_sriov(struct ixgbe_adapter *adapter, unsigned int max_vfs) |
1095 | int ixgbe_disable_sriov(struct ixgbe_adapter *adapter) |
1096 | { |
1097 | unsigned int num_vfs = adapter->num_vfs, vf; |
1098 | + unsigned long flags; |
1099 | int rss; |
1100 | |
1101 | + spin_lock_irqsave(&adapter->vfs_lock, flags); |
1102 | /* set num VFs to 0 to prevent access to vfinfo */ |
1103 | adapter->num_vfs = 0; |
1104 | + spin_unlock_irqrestore(&adapter->vfs_lock, flags); |
1105 | |
1106 | /* put the reference to all of the vf devices */ |
1107 | for (vf = 0; vf < num_vfs; ++vf) { |
1108 | @@ -1305,8 +1308,10 @@ static void ixgbe_rcv_ack_from_vf(struct ixgbe_adapter *adapter, u32 vf) |
1109 | void ixgbe_msg_task(struct ixgbe_adapter *adapter) |
1110 | { |
1111 | struct ixgbe_hw *hw = &adapter->hw; |
1112 | + unsigned long flags; |
1113 | u32 vf; |
1114 | |
1115 | + spin_lock_irqsave(&adapter->vfs_lock, flags); |
1116 | for (vf = 0; vf < adapter->num_vfs; vf++) { |
1117 | /* process any reset requests */ |
1118 | if (!ixgbe_check_for_rst(hw, vf)) |
1119 | @@ -1320,6 +1325,7 @@ void ixgbe_msg_task(struct ixgbe_adapter *adapter) |
1120 | if (!ixgbe_check_for_ack(hw, vf)) |
1121 | ixgbe_rcv_ack_from_vf(adapter, vf); |
1122 | } |
1123 | + spin_unlock_irqrestore(&adapter->vfs_lock, flags); |
1124 | } |
1125 | |
1126 | void ixgbe_disable_tx_rx(struct ixgbe_adapter *adapter) |
1127 | diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
1128 | index 2f013fc716985..91214cce874b1 100644 |
1129 | --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
1130 | +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
1131 | @@ -3871,7 +3871,7 @@ static bool mlxsw_sp_fi_is_gateway(const struct mlxsw_sp *mlxsw_sp, |
1132 | { |
1133 | const struct fib_nh *nh = fib_info_nh(fi, 0); |
1134 | |
1135 | - return nh->fib_nh_scope == RT_SCOPE_LINK || |
1136 | + return nh->fib_nh_gw_family || |
1137 | mlxsw_sp_nexthop4_ipip_type(mlxsw_sp, nh, NULL); |
1138 | } |
1139 | |
1140 | diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c |
1141 | index 66e60c7e98504..c440b192ec715 100644 |
1142 | --- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c |
1143 | +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c |
1144 | @@ -215,6 +215,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan) |
1145 | if (queue == 0 || queue == 4) { |
1146 | value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK; |
1147 | value |= MTL_RXQ_DMA_Q04MDMACH(chan); |
1148 | + } else if (queue > 4) { |
1149 | + value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4); |
1150 | + value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4); |
1151 | } else { |
1152 | value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue); |
1153 | value |= MTL_RXQ_DMA_QXMDMACH(chan, queue); |
1154 | diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c |
1155 | index ea9c8361bf464..5ee3e457a79c7 100644 |
1156 | --- a/drivers/net/usb/ax88179_178a.c |
1157 | +++ b/drivers/net/usb/ax88179_178a.c |
1158 | @@ -1690,7 +1690,7 @@ static const struct driver_info ax88179_info = { |
1159 | .link_reset = ax88179_link_reset, |
1160 | .reset = ax88179_reset, |
1161 | .stop = ax88179_stop, |
1162 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1163 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1164 | .rx_fixup = ax88179_rx_fixup, |
1165 | .tx_fixup = ax88179_tx_fixup, |
1166 | }; |
1167 | @@ -1703,7 +1703,7 @@ static const struct driver_info ax88178a_info = { |
1168 | .link_reset = ax88179_link_reset, |
1169 | .reset = ax88179_reset, |
1170 | .stop = ax88179_stop, |
1171 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1172 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1173 | .rx_fixup = ax88179_rx_fixup, |
1174 | .tx_fixup = ax88179_tx_fixup, |
1175 | }; |
1176 | @@ -1716,7 +1716,7 @@ static const struct driver_info cypress_GX3_info = { |
1177 | .link_reset = ax88179_link_reset, |
1178 | .reset = ax88179_reset, |
1179 | .stop = ax88179_stop, |
1180 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1181 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1182 | .rx_fixup = ax88179_rx_fixup, |
1183 | .tx_fixup = ax88179_tx_fixup, |
1184 | }; |
1185 | @@ -1729,7 +1729,7 @@ static const struct driver_info dlink_dub1312_info = { |
1186 | .link_reset = ax88179_link_reset, |
1187 | .reset = ax88179_reset, |
1188 | .stop = ax88179_stop, |
1189 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1190 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1191 | .rx_fixup = ax88179_rx_fixup, |
1192 | .tx_fixup = ax88179_tx_fixup, |
1193 | }; |
1194 | @@ -1742,7 +1742,7 @@ static const struct driver_info sitecom_info = { |
1195 | .link_reset = ax88179_link_reset, |
1196 | .reset = ax88179_reset, |
1197 | .stop = ax88179_stop, |
1198 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1199 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1200 | .rx_fixup = ax88179_rx_fixup, |
1201 | .tx_fixup = ax88179_tx_fixup, |
1202 | }; |
1203 | @@ -1755,7 +1755,7 @@ static const struct driver_info samsung_info = { |
1204 | .link_reset = ax88179_link_reset, |
1205 | .reset = ax88179_reset, |
1206 | .stop = ax88179_stop, |
1207 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1208 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1209 | .rx_fixup = ax88179_rx_fixup, |
1210 | .tx_fixup = ax88179_tx_fixup, |
1211 | }; |
1212 | @@ -1768,7 +1768,7 @@ static const struct driver_info lenovo_info = { |
1213 | .link_reset = ax88179_link_reset, |
1214 | .reset = ax88179_reset, |
1215 | .stop = ax88179_stop, |
1216 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1217 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1218 | .rx_fixup = ax88179_rx_fixup, |
1219 | .tx_fixup = ax88179_tx_fixup, |
1220 | }; |
1221 | @@ -1781,7 +1781,7 @@ static const struct driver_info belkin_info = { |
1222 | .link_reset = ax88179_link_reset, |
1223 | .reset = ax88179_reset, |
1224 | .stop = ax88179_stop, |
1225 | - .flags = FLAG_ETHER | FLAG_FRAMING_AX, |
1226 | + .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, |
1227 | .rx_fixup = ax88179_rx_fixup, |
1228 | .tx_fixup = ax88179_tx_fixup, |
1229 | }; |
1230 | diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c |
1231 | index 8c45d6c32c30e..3d48fa685aaae 100644 |
1232 | --- a/drivers/pci/controller/pci-hyperv.c |
1233 | +++ b/drivers/pci/controller/pci-hyperv.c |
1234 | @@ -1110,6 +1110,10 @@ static void hv_int_desc_free(struct hv_pci_dev *hpdev, |
1235 | u8 buffer[sizeof(struct pci_delete_interrupt)]; |
1236 | } ctxt; |
1237 | |
1238 | + if (!int_desc->vector_count) { |
1239 | + kfree(int_desc); |
1240 | + return; |
1241 | + } |
1242 | memset(&ctxt, 0, sizeof(ctxt)); |
1243 | int_pkt = (struct pci_delete_interrupt *)&ctxt.pkt.message; |
1244 | int_pkt->message_type.type = |
1245 | @@ -1172,6 +1176,28 @@ static void hv_irq_mask(struct irq_data *data) |
1246 | pci_msi_mask_irq(data); |
1247 | } |
1248 | |
1249 | +static unsigned int hv_msi_get_int_vector(struct irq_data *data) |
1250 | +{ |
1251 | + struct irq_cfg *cfg = irqd_cfg(data); |
1252 | + |
1253 | + return cfg->vector; |
1254 | +} |
1255 | + |
1256 | +static int hv_msi_prepare(struct irq_domain *domain, struct device *dev, |
1257 | + int nvec, msi_alloc_info_t *info) |
1258 | +{ |
1259 | + int ret = pci_msi_prepare(domain, dev, nvec, info); |
1260 | + |
1261 | + /* |
1262 | + * By using the interrupt remapper in the hypervisor IOMMU, contiguous |
1263 | + * CPU vectors is not needed for multi-MSI |
1264 | + */ |
1265 | + if (info->type == X86_IRQ_ALLOC_TYPE_MSI) |
1266 | + info->flags &= ~X86_IRQ_ALLOC_CONTIGUOUS_VECTORS; |
1267 | + |
1268 | + return ret; |
1269 | +} |
1270 | + |
1271 | /** |
1272 | * hv_irq_unmask() - "Unmask" the IRQ by setting its current |
1273 | * affinity. |
1274 | @@ -1187,6 +1213,7 @@ static void hv_irq_unmask(struct irq_data *data) |
1275 | struct msi_desc *msi_desc = irq_data_get_msi_desc(data); |
1276 | struct irq_cfg *cfg = irqd_cfg(data); |
1277 | struct retarget_msi_interrupt *params; |
1278 | + struct tran_int_desc *int_desc; |
1279 | struct hv_pcibus_device *hbus; |
1280 | struct cpumask *dest; |
1281 | cpumask_var_t tmp; |
1282 | @@ -1201,6 +1228,7 @@ static void hv_irq_unmask(struct irq_data *data) |
1283 | pdev = msi_desc_to_pci_dev(msi_desc); |
1284 | pbus = pdev->bus; |
1285 | hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); |
1286 | + int_desc = data->chip_data; |
1287 | |
1288 | spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags); |
1289 | |
1290 | @@ -1208,8 +1236,8 @@ static void hv_irq_unmask(struct irq_data *data) |
1291 | memset(params, 0, sizeof(*params)); |
1292 | params->partition_id = HV_PARTITION_ID_SELF; |
1293 | params->int_entry.source = 1; /* MSI(-X) */ |
1294 | - params->int_entry.address = msi_desc->msg.address_lo; |
1295 | - params->int_entry.data = msi_desc->msg.data; |
1296 | + params->int_entry.address = int_desc->address & 0xffffffff; |
1297 | + params->int_entry.data = int_desc->data; |
1298 | params->device_id = (hbus->hdev->dev_instance.b[5] << 24) | |
1299 | (hbus->hdev->dev_instance.b[4] << 16) | |
1300 | (hbus->hdev->dev_instance.b[7] << 8) | |
1301 | @@ -1296,12 +1324,12 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp, |
1302 | |
1303 | static u32 hv_compose_msi_req_v1( |
1304 | struct pci_create_interrupt *int_pkt, struct cpumask *affinity, |
1305 | - u32 slot, u8 vector) |
1306 | + u32 slot, u8 vector, u8 vector_count) |
1307 | { |
1308 | int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE; |
1309 | int_pkt->wslot.slot = slot; |
1310 | int_pkt->int_desc.vector = vector; |
1311 | - int_pkt->int_desc.vector_count = 1; |
1312 | + int_pkt->int_desc.vector_count = vector_count; |
1313 | int_pkt->int_desc.delivery_mode = dest_Fixed; |
1314 | |
1315 | /* |
1316 | @@ -1315,14 +1343,14 @@ static u32 hv_compose_msi_req_v1( |
1317 | |
1318 | static u32 hv_compose_msi_req_v2( |
1319 | struct pci_create_interrupt2 *int_pkt, struct cpumask *affinity, |
1320 | - u32 slot, u8 vector) |
1321 | + u32 slot, u8 vector, u8 vector_count) |
1322 | { |
1323 | int cpu; |
1324 | |
1325 | int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE2; |
1326 | int_pkt->wslot.slot = slot; |
1327 | int_pkt->int_desc.vector = vector; |
1328 | - int_pkt->int_desc.vector_count = 1; |
1329 | + int_pkt->int_desc.vector_count = vector_count; |
1330 | int_pkt->int_desc.delivery_mode = dest_Fixed; |
1331 | |
1332 | /* |
1333 | @@ -1350,7 +1378,6 @@ static u32 hv_compose_msi_req_v2( |
1334 | */ |
1335 | static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1336 | { |
1337 | - struct irq_cfg *cfg = irqd_cfg(data); |
1338 | struct hv_pcibus_device *hbus; |
1339 | struct hv_pci_dev *hpdev; |
1340 | struct pci_bus *pbus; |
1341 | @@ -1359,6 +1386,8 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1342 | unsigned long flags; |
1343 | struct compose_comp_ctxt comp; |
1344 | struct tran_int_desc *int_desc; |
1345 | + struct msi_desc *msi_desc; |
1346 | + u8 vector, vector_count; |
1347 | struct { |
1348 | struct pci_packet pci_pkt; |
1349 | union { |
1350 | @@ -1370,7 +1399,17 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1351 | u32 size; |
1352 | int ret; |
1353 | |
1354 | - pdev = msi_desc_to_pci_dev(irq_data_get_msi_desc(data)); |
1355 | + /* Reuse the previous allocation */ |
1356 | + if (data->chip_data) { |
1357 | + int_desc = data->chip_data; |
1358 | + msg->address_hi = int_desc->address >> 32; |
1359 | + msg->address_lo = int_desc->address & 0xffffffff; |
1360 | + msg->data = int_desc->data; |
1361 | + return; |
1362 | + } |
1363 | + |
1364 | + msi_desc = irq_data_get_msi_desc(data); |
1365 | + pdev = msi_desc_to_pci_dev(msi_desc); |
1366 | dest = irq_data_get_effective_affinity_mask(data); |
1367 | pbus = pdev->bus; |
1368 | hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); |
1369 | @@ -1378,17 +1417,40 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1370 | if (!hpdev) |
1371 | goto return_null_message; |
1372 | |
1373 | - /* Free any previous message that might have already been composed. */ |
1374 | - if (data->chip_data) { |
1375 | - int_desc = data->chip_data; |
1376 | - data->chip_data = NULL; |
1377 | - hv_int_desc_free(hpdev, int_desc); |
1378 | - } |
1379 | - |
1380 | int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC); |
1381 | if (!int_desc) |
1382 | goto drop_reference; |
1383 | |
1384 | + if (!msi_desc->msi_attrib.is_msix && msi_desc->nvec_used > 1) { |
1385 | + /* |
1386 | + * If this is not the first MSI of Multi MSI, we already have |
1387 | + * a mapping. Can exit early. |
1388 | + */ |
1389 | + if (msi_desc->irq != data->irq) { |
1390 | + data->chip_data = int_desc; |
1391 | + int_desc->address = msi_desc->msg.address_lo | |
1392 | + (u64)msi_desc->msg.address_hi << 32; |
1393 | + int_desc->data = msi_desc->msg.data + |
1394 | + (data->irq - msi_desc->irq); |
1395 | + msg->address_hi = msi_desc->msg.address_hi; |
1396 | + msg->address_lo = msi_desc->msg.address_lo; |
1397 | + msg->data = int_desc->data; |
1398 | + put_pcichild(hpdev); |
1399 | + return; |
1400 | + } |
1401 | + /* |
1402 | + * The vector we select here is a dummy value. The correct |
1403 | + * value gets sent to the hypervisor in unmask(). This needs |
1404 | + * to be aligned with the count, and also not zero. Multi-MSI |
1405 | + * allows powers of 2 up to 32 vectors, so 32 will always work here. |
1406 | + */ |
1407 | + vector = 32; |
1408 | + vector_count = msi_desc->nvec_used; |
1409 | + } else { |
1410 | + vector = hv_msi_get_int_vector(data); |
1411 | + vector_count = 1; |
1412 | + } |
1413 | + |
1414 | memset(&ctxt, 0, sizeof(ctxt)); |
1415 | init_completion(&comp.comp_pkt.host_event); |
1416 | ctxt.pci_pkt.completion_func = hv_pci_compose_compl; |
1417 | @@ -1399,14 +1461,16 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1418 | size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1, |
1419 | dest, |
1420 | hpdev->desc.win_slot.slot, |
1421 | - cfg->vector); |
1422 | + vector, |
1423 | + vector_count); |
1424 | break; |
1425 | |
1426 | case PCI_PROTOCOL_VERSION_1_2: |
1427 | size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2, |
1428 | dest, |
1429 | hpdev->desc.win_slot.slot, |
1430 | - cfg->vector); |
1431 | + vector, |
1432 | + vector_count); |
1433 | break; |
1434 | |
1435 | default: |
1436 | @@ -1518,7 +1582,7 @@ static irq_hw_number_t hv_msi_domain_ops_get_hwirq(struct msi_domain_info *info, |
1437 | |
1438 | static struct msi_domain_ops hv_msi_ops = { |
1439 | .get_hwirq = hv_msi_domain_ops_get_hwirq, |
1440 | - .msi_prepare = pci_msi_prepare, |
1441 | + .msi_prepare = hv_msi_prepare, |
1442 | .set_desc = pci_msi_set_desc, |
1443 | .msi_free = hv_msi_free, |
1444 | }; |
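The hv_compose_msi_msg() changes above handle Multi-MSI blocks: the first interrupt of the block programs a dummy vector aligned to the vector count, and every later interrupt reuses the first message with its data field offset by its position in the block. A minimal userspace sketch of that arithmetic, assuming nothing beyond standard C (an illustration, not the driver code; names are ours):

	#include <assert.h>
	#include <stdint.h>
	#include <stdio.h>

	/* Multi-MSI vector counts are powers of 2, at most 32. */
	static int multi_msi_count_valid(unsigned int n)
	{
		return n >= 1 && n <= 32 && (n & (n - 1)) == 0;
	}

	/* Mirrors: int_desc->data = msi_desc->msg.data + (data->irq - msi_desc->irq) */
	static uint32_t nth_msi_data(uint32_t base_data, unsigned int irq,
				     unsigned int base_irq)
	{
		return base_data + (irq - base_irq);
	}

	int main(void)
	{
		assert(multi_msi_count_valid(32));	/* the dummy vector's count */
		assert(!multi_msi_count_valid(3));
		printf("data for the 3rd vector: %u\n",
		       (unsigned)nth_msi_data(0x40, 34, 32));
		return 0;
	}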
1445 | diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c |
1446 | index f9abd4364fbaa..e8149ff1d401c 100644 |
1447 | --- a/drivers/pinctrl/stm32/pinctrl-stm32.c |
1448 | +++ b/drivers/pinctrl/stm32/pinctrl-stm32.c |
1449 | @@ -1215,15 +1215,17 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, |
1450 | bank->bank_ioport_nr = bank_ioport_nr; |
1451 | spin_lock_init(&bank->lock); |
1452 | |
1453 | - /* create irq hierarchical domain */ |
1454 | - bank->fwnode = of_node_to_fwnode(np); |
1455 | + if (pctl->domain) { |
1456 | + /* create irq hierarchical domain */ |
1457 | + bank->fwnode = of_node_to_fwnode(np); |
1458 | |
1459 | - bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, |
1460 | - STM32_GPIO_IRQ_LINE, bank->fwnode, |
1461 | - &stm32_gpio_domain_ops, bank); |
1462 | + bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, STM32_GPIO_IRQ_LINE, |
1463 | + bank->fwnode, &stm32_gpio_domain_ops, |
1464 | + bank); |
1465 | |
1466 | - if (!bank->domain) |
1467 | - return -ENODEV; |
1468 | + if (!bank->domain) |
1469 | + return -ENODEV; |
1470 | + } |
1471 | |
1472 | err = gpiochip_add_data(&bank->gpio_chip, bank); |
1473 | if (err) { |
1474 | @@ -1393,6 +1395,8 @@ int stm32_pctl_probe(struct platform_device *pdev) |
1475 | pctl->domain = stm32_pctrl_get_irq_domain(np); |
1476 | if (IS_ERR(pctl->domain)) |
1477 | return PTR_ERR(pctl->domain); |
1478 | + if (!pctl->domain) |
1479 | + dev_warn(dev, "pinctrl without interrupt support\n"); |
1480 | |
1481 | /* hwspinlock is optional */ |
1482 | hwlock_id = of_hwspin_lock_get_id(pdev->dev.of_node, 0); |
1483 | diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/reset/arm-versatile-reboot.c |
1484 | index 08d0a07b58ef2..c7624d7611a7e 100644 |
1485 | --- a/drivers/power/reset/arm-versatile-reboot.c |
1486 | +++ b/drivers/power/reset/arm-versatile-reboot.c |
1487 | @@ -146,6 +146,7 @@ static int __init versatile_reboot_probe(void) |
1488 | versatile_reboot_type = (enum versatile_reboot)reboot_id->data; |
1489 | |
1490 | syscon_regmap = syscon_node_to_regmap(np); |
1491 | + of_node_put(np); |
1492 | if (IS_ERR(syscon_regmap)) |
1493 | return PTR_ERR(syscon_regmap); |
1494 | |
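The one-line arm-versatile-reboot change above plugs an OF node reference leak: syscon_node_to_regmap() does not consume the reference returned by the earlier node lookup, so the caller must drop it on every path. A toy userspace model of that get/put discipline (plain C, not kernel code; the names mirror the OF helpers only loosely):

	#include <stdio.h>

	struct node { int refs; };

	static struct node *node_get(struct node *n) { n->refs++; return n; }
	static void node_put(struct node *n) { n->refs--; }

	static int probe(struct node *root)
	{
		struct node *np = node_get(root);	/* like the earlier OF lookup */
		struct node *regmap = np;		/* like syscon_node_to_regmap(np) */

		node_put(np);	/* the fix: drop the reference before any return */
		if (!regmap)
			return -1;
		return 0;
	}

	int main(void)
	{
		struct node root = { .refs = 1 };

		probe(&root);
		printf("refs after probe: %d (expect 1)\n", root.refs);
		return 0;
	}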
1495 | diff --git a/drivers/s390/char/keyboard.h b/drivers/s390/char/keyboard.h |
1496 | index c467589c7f452..c06d399b9b1f1 100644 |
1497 | --- a/drivers/s390/char/keyboard.h |
1498 | +++ b/drivers/s390/char/keyboard.h |
1499 | @@ -56,7 +56,7 @@ static inline void |
1500 | kbd_put_queue(struct tty_port *port, int ch) |
1501 | { |
1502 | tty_insert_flip_char(port, ch, 0); |
1503 | - tty_schedule_flip(port); |
1504 | + tty_flip_buffer_push(port); |
1505 | } |
1506 | |
1507 | static inline void |
1508 | @@ -64,5 +64,5 @@ kbd_puts_queue(struct tty_port *port, char *cp) |
1509 | { |
1510 | while (*cp) |
1511 | tty_insert_flip_char(port, *cp++, 0); |
1512 | - tty_schedule_flip(port); |
1513 | + tty_flip_buffer_push(port); |
1514 | } |
1515 | diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c |
1516 | index c86c3ac6097dd..b1003876cb350 100644 |
1517 | --- a/drivers/spi/spi-bcm2835.c |
1518 | +++ b/drivers/spi/spi-bcm2835.c |
1519 | @@ -1159,10 +1159,14 @@ static void bcm2835_spi_handle_err(struct spi_controller *ctlr, |
1520 | struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); |
1521 | |
1522 | /* if an error occurred and we have an active dma, then terminate */ |
1523 | - dmaengine_terminate_sync(ctlr->dma_tx); |
1524 | - bs->tx_dma_active = false; |
1525 | - dmaengine_terminate_sync(ctlr->dma_rx); |
1526 | - bs->rx_dma_active = false; |
1527 | + if (ctlr->dma_tx) { |
1528 | + dmaengine_terminate_sync(ctlr->dma_tx); |
1529 | + bs->tx_dma_active = false; |
1530 | + } |
1531 | + if (ctlr->dma_rx) { |
1532 | + dmaengine_terminate_sync(ctlr->dma_rx); |
1533 | + bs->rx_dma_active = false; |
1534 | + } |
1535 | bcm2835_spi_undo_prologue(bs); |
1536 | |
1537 | /* and reset */ |
1538 | diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c |
1539 | index 0ba4e4e070a9f..7cfbdfb10e23e 100644 |
1540 | --- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c |
1541 | +++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c |
1542 | @@ -267,6 +267,8 @@ static int rt2880_pinmux_pins(struct rt2880_priv *p) |
1543 | p->func[i]->pin_count, |
1544 | sizeof(int), |
1545 | GFP_KERNEL); |
1546 | + if (!p->func[i]->pins) |
1547 | + return -ENOMEM; |
1548 | for (j = 0; j < p->func[i]->pin_count; j++) |
1549 | p->func[i]->pins[j] = p->func[i]->pin_first + j; |
1550 | |
1551 | diff --git a/drivers/staging/speakup/spk_ttyio.c b/drivers/staging/speakup/spk_ttyio.c |
1552 | index 472804c3f44dc..aec8222361743 100644 |
1553 | --- a/drivers/staging/speakup/spk_ttyio.c |
1554 | +++ b/drivers/staging/speakup/spk_ttyio.c |
1555 | @@ -88,7 +88,7 @@ static int spk_ttyio_receive_buf2(struct tty_struct *tty, |
1556 | } |
1557 | |
1558 | if (!ldisc_data->buf_free) |
1559 | - /* ttyio_in will tty_schedule_flip */ |
1560 | + /* ttyio_in will tty_flip_buffer_push */ |
1561 | return 0; |
1562 | |
1563 | /* Make sure the consumer has read buf before we have seen |
1564 | @@ -325,7 +325,7 @@ static unsigned char ttyio_in(int timeout) |
1565 | mb(); |
1566 | ldisc_data->buf_free = true; |
1567 | /* Let TTY push more characters */ |
1568 | - tty_schedule_flip(speakup_tty->port); |
1569 | + tty_flip_buffer_push(speakup_tty->port); |
1570 | |
1571 | return rv; |
1572 | } |
1573 | diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c |
1574 | index 4562c8060d09e..26581d2456c8f 100644 |
1575 | --- a/drivers/tty/cyclades.c |
1576 | +++ b/drivers/tty/cyclades.c |
1577 | @@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_card *cinfo, int chip, |
1578 | } |
1579 | info->idle_stats.recv_idle = jiffies; |
1580 | } |
1581 | - tty_schedule_flip(port); |
1582 | + tty_flip_buffer_push(port); |
1583 | |
1584 | /* end of service */ |
1585 | cyy_writeb(info, CyRIR, save_xir & 0x3f); |
1586 | @@ -996,7 +996,7 @@ static void cyz_handle_rx(struct cyclades_port *info) |
1587 | mod_timer(&info->rx_full_timer, jiffies + 1); |
1588 | #endif |
1589 | info->idle_stats.recv_idle = jiffies; |
1590 | - tty_schedule_flip(&info->port); |
1591 | + tty_flip_buffer_push(&info->port); |
1592 | |
1593 | /* Update rx_get */ |
1594 | cy_writel(&buf_ctrl->rx_get, new_rx_get); |
1595 | @@ -1172,7 +1172,7 @@ static void cyz_handle_cmd(struct cyclades_card *cinfo) |
1596 | if (delta_count) |
1597 | wake_up_interruptible(&info->port.delta_msr_wait); |
1598 | if (special_count) |
1599 | - tty_schedule_flip(&info->port); |
1600 | + tty_flip_buffer_push(&info->port); |
1601 | } |
1602 | } |
1603 | |
1604 | diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c |
1605 | index 9180ca5e4dcd4..d6e82eb61fc2d 100644 |
1606 | --- a/drivers/tty/goldfish.c |
1607 | +++ b/drivers/tty/goldfish.c |
1608 | @@ -151,7 +151,7 @@ static irqreturn_t goldfish_tty_interrupt(int irq, void *dev_id) |
1609 | address = (unsigned long)(void *)buf; |
1610 | goldfish_tty_rw(qtty, address, count, 0); |
1611 | |
1612 | - tty_schedule_flip(&qtty->port); |
1613 | + tty_flip_buffer_push(&qtty->port); |
1614 | return IRQ_HANDLED; |
1615 | } |
1616 | |
1617 | diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c |
1618 | index 1254b39074edb..e67a1aef1fd0d 100644 |
1619 | --- a/drivers/tty/moxa.c |
1620 | +++ b/drivers/tty/moxa.c |
1621 | @@ -1385,7 +1385,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle, |
1622 | if (inited && !tty_throttled(tty) && |
1623 | MoxaPortRxQueue(p) > 0) { /* RX */ |
1624 | MoxaPortReadData(p); |
1625 | - tty_schedule_flip(&p->port); |
1626 | + tty_flip_buffer_push(&p->port); |
1627 | } |
1628 | } else { |
1629 | clear_bit(EMPTYWAIT, &p->statusflags); |
1630 | @@ -1410,7 +1410,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle, |
1631 | |
1632 | if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */ |
1633 | tty_insert_flip_char(&p->port, 0, TTY_BREAK); |
1634 | - tty_schedule_flip(&p->port); |
1635 | + tty_flip_buffer_push(&p->port); |
1636 | } |
1637 | |
1638 | if (intr & IntrLine) |
1639 | diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c |
1640 | index c6a1d8c4e6894..73226e482e919 100644 |
1641 | --- a/drivers/tty/pty.c |
1642 | +++ b/drivers/tty/pty.c |
1643 | @@ -111,21 +111,11 @@ static void pty_unthrottle(struct tty_struct *tty) |
1644 | static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) |
1645 | { |
1646 | struct tty_struct *to = tty->link; |
1647 | - unsigned long flags; |
1648 | |
1649 | - if (tty->stopped) |
1650 | + if (tty->stopped || !c) |
1651 | return 0; |
1652 | |
1653 | - if (c > 0) { |
1654 | - spin_lock_irqsave(&to->port->lock, flags); |
1655 | - /* Stuff the data into the input queue of the other end */ |
1656 | - c = tty_insert_flip_string(to->port, buf, c); |
1657 | - spin_unlock_irqrestore(&to->port->lock, flags); |
1658 | - /* And shovel */ |
1659 | - if (c) |
1660 | - tty_flip_buffer_push(to->port); |
1661 | - } |
1662 | - return c; |
1663 | + return tty_insert_flip_string_and_push_buffer(to->port, buf, c); |
1664 | } |
1665 | |
1666 | /** |
1667 | diff --git a/drivers/tty/serial/lpc32xx_hs.c b/drivers/tty/serial/lpc32xx_hs.c |
1668 | index 9a836dcac157c..a03618f89c0dd 100644 |
1669 | --- a/drivers/tty/serial/lpc32xx_hs.c |
1670 | +++ b/drivers/tty/serial/lpc32xx_hs.c |
1671 | @@ -345,7 +345,7 @@ static irqreturn_t serial_lpc32xx_interrupt(int irq, void *dev_id) |
1672 | LPC32XX_HSUART_IIR(port->membase)); |
1673 | port->icount.overrun++; |
1674 | tty_insert_flip_char(tport, 0, TTY_OVERRUN); |
1675 | - tty_schedule_flip(tport); |
1676 | + tty_flip_buffer_push(tport); |
1677 | } |
1678 | |
1679 | /* Data received? */ |
1680 | diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c |
1681 | index 13db15118cb94..2ce0d05be3681 100644 |
1682 | --- a/drivers/tty/serial/mvebu-uart.c |
1683 | +++ b/drivers/tty/serial/mvebu-uart.c |
1684 | @@ -443,13 +443,13 @@ static void mvebu_uart_shutdown(struct uart_port *port) |
1685 | } |
1686 | } |
1687 | |
1688 | -static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud) |
1689 | +static unsigned int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud) |
1690 | { |
1691 | unsigned int d_divisor, m_divisor; |
1692 | u32 brdv, osamp; |
1693 | |
1694 | if (!port->uartclk) |
1695 | - return -EOPNOTSUPP; |
1696 | + return 0; |
1697 | |
1698 | /* |
1699 | * The baudrate is derived from the UART clock thanks to two divisors: |
1700 | @@ -473,7 +473,7 @@ static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud) |
1701 | osamp &= ~OSAMP_DIVISORS_MASK; |
1702 | writel(osamp, port->membase + UART_OSAMP); |
1703 | |
1704 | - return 0; |
1705 | + return DIV_ROUND_CLOSEST(port->uartclk, d_divisor * m_divisor); |
1706 | } |
1707 | |
1708 | static void mvebu_uart_set_termios(struct uart_port *port, |
1709 | @@ -510,15 +510,11 @@ static void mvebu_uart_set_termios(struct uart_port *port, |
1710 | max_baud = 230400; |
1711 | |
1712 | baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud); |
1713 | - if (mvebu_uart_baud_rate_set(port, baud)) { |
1714 | - /* No clock available, baudrate cannot be changed */ |
1715 | - if (old) |
1716 | - baud = uart_get_baud_rate(port, old, NULL, |
1717 | - min_baud, max_baud); |
1718 | - } else { |
1719 | - tty_termios_encode_baud_rate(termios, baud, baud); |
1720 | - uart_update_timeout(port, termios->c_cflag, baud); |
1721 | - } |
1722 | + baud = mvebu_uart_baud_rate_set(port, baud); |
1723 | + |
1724 | + /* In case the baudrate cannot be changed, report the old value */ |
1725 | + if (baud == 0 && old) |
1726 | + baud = tty_termios_baud_rate(old); |
1727 | |
1728 | /* Only the following flag changes are supported */ |
1729 | if (old) { |
1730 | @@ -529,6 +525,11 @@ static void mvebu_uart_set_termios(struct uart_port *port, |
1731 | termios->c_cflag |= CS8; |
1732 | } |
1733 | |
1734 | + if (baud != 0) { |
1735 | + tty_termios_encode_baud_rate(termios, baud, baud); |
1736 | + uart_update_timeout(port, termios->c_cflag, baud); |
1737 | + } |
1738 | + |
1739 | spin_unlock_irqrestore(&port->lock, flags); |
1740 | } |
1741 | |
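The mvebu-uart rework above makes the baud-rate helper return the rate the divisors actually produce rather than a success/failure code, so set_termios can report the real value (or fall back to the old rate when no clock is available). A hedged userspace sketch of the divisor math, assuming a fixed oversampling divisor of 16 as in the driver, with DIV_ROUND_CLOSEST modeled inline:

	#include <stdio.h>

	static unsigned int div_round_closest(unsigned int n, unsigned int d)
	{
		return (n + d / 2) / d;
	}

	static unsigned int baud_rate_set(unsigned int uartclk, unsigned int baud)
	{
		const unsigned int m_divisor = 16;	/* assumed fixed oversampling */
		unsigned int d_divisor;

		if (!uartclk)
			return 0;	/* no clock: caller keeps the old rate */

		d_divisor = div_round_closest(uartclk, baud * m_divisor);
		/* report what the divisors actually give, as the hunk now does */
		return div_round_closest(uartclk, d_divisor * m_divisor);
	}

	int main(void)
	{
		printf("requested 115200, programmed %u\n",
		       baud_rate_set(25000000, 115200));
		return 0;
	}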
1742 | diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c |
1743 | index 47f2370ad85cb..49f39c041c351 100644 |
1744 | --- a/drivers/tty/tty_buffer.c |
1745 | +++ b/drivers/tty/tty_buffer.c |
1746 | @@ -394,27 +394,6 @@ int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag) |
1747 | } |
1748 | EXPORT_SYMBOL(__tty_insert_flip_char); |
1749 | |
1750 | -/** |
1751 | - * tty_schedule_flip - push characters to ldisc |
1752 | - * @port: tty port to push from |
1753 | - * |
1754 | - * Takes any pending buffers and transfers their ownership to the |
1755 | - * ldisc side of the queue. It then schedules those characters for |
1756 | - * processing by the line discipline. |
1757 | - */ |
1758 | - |
1759 | -void tty_schedule_flip(struct tty_port *port) |
1760 | -{ |
1761 | - struct tty_bufhead *buf = &port->buf; |
1762 | - |
1763 | - /* paired w/ acquire in flush_to_ldisc(); ensures |
1764 | - * flush_to_ldisc() sees buffer data. |
1765 | - */ |
1766 | - smp_store_release(&buf->tail->commit, buf->tail->used); |
1767 | - queue_work(system_unbound_wq, &buf->work); |
1768 | -} |
1769 | -EXPORT_SYMBOL(tty_schedule_flip); |
1770 | - |
1771 | /** |
1772 | * tty_prepare_flip_string - make room for characters |
1773 | * @port: tty port |
1774 | @@ -544,6 +523,15 @@ static void flush_to_ldisc(struct work_struct *work) |
1775 | |
1776 | } |
1777 | |
1778 | +static inline void tty_flip_buffer_commit(struct tty_buffer *tail) |
1779 | +{ |
1780 | + /* |
1781 | + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees |
1782 | + * buffer data. |
1783 | + */ |
1784 | + smp_store_release(&tail->commit, tail->used); |
1785 | +} |
1786 | + |
1787 | /** |
1788 | * tty_flip_buffer_push - terminal |
1789 | * @port: tty port to push |
1790 | @@ -557,10 +545,44 @@ static void flush_to_ldisc(struct work_struct *work) |
1791 | |
1792 | void tty_flip_buffer_push(struct tty_port *port) |
1793 | { |
1794 | - tty_schedule_flip(port); |
1795 | + struct tty_bufhead *buf = &port->buf; |
1796 | + |
1797 | + tty_flip_buffer_commit(buf->tail); |
1798 | + queue_work(system_unbound_wq, &buf->work); |
1799 | } |
1800 | EXPORT_SYMBOL(tty_flip_buffer_push); |
1801 | |
1802 | +/** |
1803 | + * tty_insert_flip_string_and_push_buffer - add characters to the tty buffer and |
1804 | + * push |
1805 | + * @port: tty port |
1806 | + * @chars: characters |
1807 | + * @size: size |
1808 | + * |
1809 | + * The function combines tty_insert_flip_string() and tty_flip_buffer_push(), |
1810 | + * additionally holding the @port->lock while inserting and committing. |
1811 | + * |
1812 | + * To be used only internally (by pty currently). |
1813 | + * |
1814 | + * Returns: the number added. |
1815 | + */ |
1816 | +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, |
1817 | + const unsigned char *chars, size_t size) |
1818 | +{ |
1819 | + struct tty_bufhead *buf = &port->buf; |
1820 | + unsigned long flags; |
1821 | + |
1822 | + spin_lock_irqsave(&port->lock, flags); |
1823 | + size = tty_insert_flip_string(port, chars, size); |
1824 | + if (size) |
1825 | + tty_flip_buffer_commit(buf->tail); |
1826 | + spin_unlock_irqrestore(&port->lock, flags); |
1827 | + |
1828 | + queue_work(system_unbound_wq, &buf->work); |
1829 | + |
1830 | + return size; |
1831 | +} |
1832 | + |
1833 | /** |
1834 | * tty_buffer_init - prepare a tty buffer structure |
1835 | * @tty: tty to initialise |
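The tty_buffer.c hunks above split the old tty_schedule_flip() into a commit step and a queueing step so that pty_write() can commit while still holding @port->lock. The protocol is a release store of tail->commit paired with an acquire load in flush_to_ldisc(). A self-contained userspace model using C11 atomics and a pthread mutex (an analogy, not the kernel implementation):

	#include <pthread.h>
	#include <stdatomic.h>
	#include <stdio.h>
	#include <string.h>

	static char buf[64];
	static size_t used;			/* like tail->used */
	static _Atomic size_t commit;		/* like tail->commit */
	static pthread_mutex_t port_lock = PTHREAD_MUTEX_INITIALIZER;

	static size_t insert_and_push(const char *chars, size_t size)
	{
		pthread_mutex_lock(&port_lock);
		memcpy(buf + used, chars, size);	/* tty_insert_flip_string() */
		used += size;
		/* tty_flip_buffer_commit(): release pairs with the reader's acquire */
		atomic_store_explicit(&commit, used, memory_order_release);
		pthread_mutex_unlock(&port_lock);
		/* queue_work() would go here; this sketch just returns */
		return size;
	}

	static void flush_side(void)
	{
		size_t n = atomic_load_explicit(&commit, memory_order_acquire);

		printf("consumer sees %zu committed bytes\n", n);
	}

	int main(void)
	{
		insert_and_push("hello", 5);
		flush_side();
		return 0;
	}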
1836 | diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c |
1837 | index b6e78fdbfdff9..68643f61f6f90 100644 |
1838 | --- a/drivers/tty/vt/keyboard.c |
1839 | +++ b/drivers/tty/vt/keyboard.c |
1840 | @@ -310,7 +310,7 @@ int kbd_rate(struct kbd_repeat *rpt) |
1841 | static void put_queue(struct vc_data *vc, int ch) |
1842 | { |
1843 | tty_insert_flip_char(&vc->port, ch, 0); |
1844 | - tty_schedule_flip(&vc->port); |
1845 | + tty_flip_buffer_push(&vc->port); |
1846 | } |
1847 | |
1848 | static void puts_queue(struct vc_data *vc, char *cp) |
1849 | @@ -319,7 +319,7 @@ static void puts_queue(struct vc_data *vc, char *cp) |
1850 | tty_insert_flip_char(&vc->port, *cp, 0); |
1851 | cp++; |
1852 | } |
1853 | - tty_schedule_flip(&vc->port); |
1854 | + tty_flip_buffer_push(&vc->port); |
1855 | } |
1856 | |
1857 | static void applkey(struct vc_data *vc, int key, char mode) |
1858 | @@ -564,7 +564,7 @@ static void fn_inc_console(struct vc_data *vc) |
1859 | static void fn_send_intr(struct vc_data *vc) |
1860 | { |
1861 | tty_insert_flip_char(&vc->port, 0, TTY_BREAK); |
1862 | - tty_schedule_flip(&vc->port); |
1863 | + tty_flip_buffer_push(&vc->port); |
1864 | } |
1865 | |
1866 | static void fn_scroll_forw(struct vc_data *vc) |
1867 | diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c |
1868 | index c3df1660cb5c5..9d9e056f94ac8 100644 |
1869 | --- a/drivers/tty/vt/vt.c |
1870 | +++ b/drivers/tty/vt/vt.c |
1871 | @@ -1837,7 +1837,7 @@ static void respond_string(const char *p, struct tty_port *port) |
1872 | tty_insert_flip_char(port, *p, 0); |
1873 | p++; |
1874 | } |
1875 | - tty_schedule_flip(port); |
1876 | + tty_flip_buffer_push(port); |
1877 | } |
1878 | |
1879 | static void cursor_report(struct vc_data *vc, struct tty_struct *tty) |
1880 | diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c |
1881 | index f464793477650..bba849e5d8a7b 100644 |
1882 | --- a/drivers/xen/gntdev.c |
1883 | +++ b/drivers/xen/gntdev.c |
1884 | @@ -413,7 +413,8 @@ static void __unmap_grant_pages_done(int result, |
1885 | unsigned int offset = data->unmap_ops - map->unmap_ops; |
1886 | |
1887 | for (i = 0; i < data->count; i++) { |
1888 | - WARN_ON(map->unmap_ops[offset+i].status); |
1889 | + WARN_ON(map->unmap_ops[offset+i].status && |
1890 | + map->unmap_ops[offset+i].handle != -1); |
1891 | pr_debug("unmap handle=%d st=%d\n", |
1892 | map->unmap_ops[offset+i].handle, |
1893 | map->unmap_ops[offset+i].status); |
1894 | diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c |
1895 | index 4ae8becdb51db..9165bf56c6e8e 100644 |
1896 | --- a/fs/dlm/lock.c |
1897 | +++ b/fs/dlm/lock.c |
1898 | @@ -4067,13 +4067,14 @@ static void send_repeat_remove(struct dlm_ls *ls, char *ms_name, int len) |
1899 | rv = _create_message(ls, sizeof(struct dlm_message) + len, |
1900 | dir_nodeid, DLM_MSG_REMOVE, &ms, &mh); |
1901 | if (rv) |
1902 | - return; |
1903 | + goto out; |
1904 | |
1905 | memcpy(ms->m_extra, name, len); |
1906 | ms->m_hash = hash; |
1907 | |
1908 | send_message(mh, ms); |
1909 | |
1910 | +out: |
1911 | spin_lock(&ls->ls_remove_spin); |
1912 | ls->ls_remove_len = 0; |
1913 | memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN); |
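The dlm fix above converts an early return into a goto so the shared cleanup (resetting ls_remove_len and waking waiters) runs on the error path too. The shape of the fix, reduced to a runnable C sketch with illustrative names:

	#include <stdio.h>

	static int create_message(int fail) { return fail ? -1 : 0; }

	static void send_repeat_remove(int fail)
	{
		if (create_message(fail))
			goto out;	/* was a bare return, which skipped cleanup */

		printf("message sent\n");
	out:
		/* runs on every path: reset ls_remove_len and wake waiters */
		printf("remove state cleared, waiters woken\n");
	}

	int main(void)
	{
		send_repeat_remove(1);
		return 0;
	}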
1914 | diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h |
1915 | index 4c0224ff0a14b..4f1c0f8e1bb0b 100644 |
1916 | --- a/include/linux/bitfield.h |
1917 | +++ b/include/linux/bitfield.h |
1918 | @@ -41,6 +41,22 @@ |
1919 | |
1920 | #define __bf_shf(x) (__builtin_ffsll(x) - 1) |
1921 | |
1922 | +#define __scalar_type_to_unsigned_cases(type) \ |
1923 | + unsigned type: (unsigned type)0, \ |
1924 | + signed type: (unsigned type)0 |
1925 | + |
1926 | +#define __unsigned_scalar_typeof(x) typeof( \ |
1927 | + _Generic((x), \ |
1928 | + char: (unsigned char)0, \ |
1929 | + __scalar_type_to_unsigned_cases(char), \ |
1930 | + __scalar_type_to_unsigned_cases(short), \ |
1931 | + __scalar_type_to_unsigned_cases(int), \ |
1932 | + __scalar_type_to_unsigned_cases(long), \ |
1933 | + __scalar_type_to_unsigned_cases(long long), \ |
1934 | + default: (x))) |
1935 | + |
1936 | +#define __bf_cast_unsigned(type, x) ((__unsigned_scalar_typeof(type))(x)) |
1937 | + |
1938 | #define __BF_FIELD_CHECK(_mask, _reg, _val, _pfx) \ |
1939 | ({ \ |
1940 | BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask), \ |
1941 | @@ -49,7 +65,8 @@ |
1942 | BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ? \ |
1943 | ~((_mask) >> __bf_shf(_mask)) & (_val) : 0, \ |
1944 | _pfx "value too large for the field"); \ |
1945 | - BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull, \ |
1946 | + BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) > \ |
1947 | + __bf_cast_unsigned(_reg, ~0ull), \ |
1948 | _pfx "type of reg too small for mask"); \ |
1949 | __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) + \ |
1950 | (1ULL << __bf_shf(_mask))); \ |
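The bitfield.h change above casts both sides of the "type of reg too small for mask" check to their unsigned counterparts. Without that, a signed register type makes (typeof(_reg))~0ull read back as -1, which converts to the maximum unsigned value in the comparison and silently defeats the check. A small userspace demonstration (plain C, separate from the kernel macros; assumes a two's-complement target):

	#include <stdio.h>

	int main(void)
	{
		unsigned long long mask = 0x1ff;		/* needs 9 bits */
		signed char reg_all_ones = (signed char)~0ull;	/* -1 */
		unsigned char ureg_max = (unsigned char)~0ull;	/* 0xff */

		/* Old check: -1 converts to 0xffff...ff, so this never fires. */
		printf("old check fires: %d\n",
		       mask > (unsigned long long)reg_all_ones);
		/* New check, as __bf_cast_unsigned() arranges: fires correctly. */
		printf("new check fires: %d\n", mask > ureg_max);
		return 0;
	}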
1951 | diff --git a/include/linux/mm.h b/include/linux/mm.h |
1952 | index c125fea49752f..d35c29d322d83 100644 |
1953 | --- a/include/linux/mm.h |
1954 | +++ b/include/linux/mm.h |
1955 | @@ -15,6 +15,7 @@ |
1956 | #include <linux/atomic.h> |
1957 | #include <linux/debug_locks.h> |
1958 | #include <linux/mm_types.h> |
1959 | +#include <linux/mmap_lock.h> |
1960 | #include <linux/range.h> |
1961 | #include <linux/pfn.h> |
1962 | #include <linux/percpu-refcount.h> |
1963 | diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h |
1964 | new file mode 100644 |
1965 | index 0000000000000..97ac53b66052e |
1966 | --- /dev/null |
1967 | +++ b/include/linux/mmap_lock.h |
1968 | @@ -0,0 +1,54 @@ |
1969 | +#ifndef _LINUX_MMAP_LOCK_H |
1970 | +#define _LINUX_MMAP_LOCK_H |
1971 | + |
1972 | +static inline void mmap_init_lock(struct mm_struct *mm) |
1973 | +{ |
1974 | + init_rwsem(&mm->mmap_sem); |
1975 | +} |
1976 | + |
1977 | +static inline void mmap_write_lock(struct mm_struct *mm) |
1978 | +{ |
1979 | + down_write(&mm->mmap_sem); |
1980 | +} |
1981 | + |
1982 | +static inline int mmap_write_lock_killable(struct mm_struct *mm) |
1983 | +{ |
1984 | + return down_write_killable(&mm->mmap_sem); |
1985 | +} |
1986 | + |
1987 | +static inline bool mmap_write_trylock(struct mm_struct *mm) |
1988 | +{ |
1989 | + return down_write_trylock(&mm->mmap_sem) != 0; |
1990 | +} |
1991 | + |
1992 | +static inline void mmap_write_unlock(struct mm_struct *mm) |
1993 | +{ |
1994 | + up_write(&mm->mmap_sem); |
1995 | +} |
1996 | + |
1997 | +static inline void mmap_write_downgrade(struct mm_struct *mm) |
1998 | +{ |
1999 | + downgrade_write(&mm->mmap_sem); |
2000 | +} |
2001 | + |
2002 | +static inline void mmap_read_lock(struct mm_struct *mm) |
2003 | +{ |
2004 | + down_read(&mm->mmap_sem); |
2005 | +} |
2006 | + |
2007 | +static inline int mmap_read_lock_killable(struct mm_struct *mm) |
2008 | +{ |
2009 | + return down_read_killable(&mm->mmap_sem); |
2010 | +} |
2011 | + |
2012 | +static inline bool mmap_read_trylock(struct mm_struct *mm) |
2013 | +{ |
2014 | + return down_read_trylock(&mm->mmap_sem) != 0; |
2015 | +} |
2016 | + |
2017 | +static inline void mmap_read_unlock(struct mm_struct *mm) |
2018 | +{ |
2019 | + up_read(&mm->mmap_sem); |
2020 | +} |
2021 | + |
2022 | +#endif /* _LINUX_MMAP_LOCK_H */ |
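The new mmap_lock.h above wraps every mmap_sem operation in a named helper so later kernels can change the lock's implementation in one place without touching callers. A userspace analogue of the same wrapper idea, with a pthread rwlock standing in for the kernel rwsem (illustrative only):

	#include <pthread.h>
	#include <stdio.h>

	struct mm_struct { pthread_rwlock_t mmap_sem; };

	static void mmap_init_lock(struct mm_struct *mm)
	{
		pthread_rwlock_init(&mm->mmap_sem, NULL);
	}

	static void mmap_read_lock(struct mm_struct *mm)
	{
		pthread_rwlock_rdlock(&mm->mmap_sem);
	}

	static void mmap_read_unlock(struct mm_struct *mm)
	{
		pthread_rwlock_unlock(&mm->mmap_sem);
	}

	int main(void)
	{
		struct mm_struct mm;

		mmap_init_lock(&mm);
		mmap_read_lock(&mm);
		printf("walking VMAs under the read lock\n");
		mmap_read_unlock(&mm);
		return 0;
	}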
2023 | diff --git a/include/linux/refcount.h b/include/linux/refcount.h |
2024 | index e28cce21bad6c..0ac50cf62d062 100644 |
2025 | --- a/include/linux/refcount.h |
2026 | +++ b/include/linux/refcount.h |
2027 | @@ -1,9 +1,88 @@ |
2028 | /* SPDX-License-Identifier: GPL-2.0 */ |
2029 | +/* |
2030 | + * Variant of atomic_t specialized for reference counts. |
2031 | + * |
2032 | + * The interface matches the atomic_t interface (to aid in porting) but only |
2033 | + * provides the few functions one should use for reference counting. |
2034 | + * |
2035 | + * Saturation semantics |
2036 | + * ==================== |
2037 | + * |
2038 | + * refcount_t differs from atomic_t in that the counter saturates at |
2039 | + * REFCOUNT_SATURATED and will not move once there. This avoids wrapping the |
2040 | + * counter and causing 'spurious' use-after-free issues. In order to avoid the |
2041 | + * cost associated with introducing cmpxchg() loops into all of the saturating |
2042 | + * operations, we temporarily allow the counter to take on an unchecked value |
2043 | + * and then explicitly set it to REFCOUNT_SATURATED on detecting that underflow |
2044 | + * or overflow has occurred. Although this is racy when multiple threads |
2045 | + * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly |
2046 | + * equidistant from 0 and INT_MAX we minimise the scope for error: |
2047 | + * |
2048 | + * INT_MAX REFCOUNT_SATURATED UINT_MAX |
2049 | + * 0 (0x7fff_ffff) (0xc000_0000) (0xffff_ffff) |
2050 | + * +--------------------------------+----------------+----------------+ |
2051 | + * <---------- bad value! ----------> |
2052 | + * |
2053 | + * (in a signed view of the world, the "bad value" range corresponds to |
2054 | + * a negative counter value). |
2055 | + * |
2056 | + * As an example, consider a refcount_inc() operation that causes the counter |
2057 | + * to overflow: |
2058 | + * |
2059 | + * int old = atomic_fetch_add_relaxed(r); |
2060 | + * // old is INT_MAX, refcount now INT_MIN (0x8000_0000) |
2061 | + * if (old < 0) |
2062 | + * atomic_set(r, REFCOUNT_SATURATED); |
2063 | + * |
2064 | + * If another thread also performs a refcount_inc() operation between the two |
2065 | + * atomic operations, then the count will continue to edge closer to 0. If it |
2066 | + * reaches a value of 1 before /any/ of the threads reset it to the saturated |
2067 | + * value, then a concurrent refcount_dec_and_test() may erroneously free the |
2068 | + * underlying object. Given the precise timing details involved with the |
2069 | + * round-robin scheduling of each thread manipulating the refcount and the need |
2070 | + * to hit the race multiple times in succession, there doesn't appear to be a |
2071 | + * practical avenue of attack even if using refcount_add() operations with |
2072 | + * larger increments. |
2073 | + * |
2074 | + * Memory ordering |
2075 | + * =============== |
2076 | + * |
2077 | + * Memory ordering rules are slightly relaxed wrt regular atomic_t functions |
2078 | + * and provide only what is strictly required for refcounts. |
2079 | + * |
2080 | + * The increments are fully relaxed; these will not provide ordering. The |
2081 | + * rationale is that whatever is used to obtain the object we're increasing the |
2082 | + * reference count on will provide the ordering. For locked data structures, |
2083 | + * it's the lock acquire; for RCU/lockless data structures it's the dependent |
2084 | + * load. |
2085 | + * |
2086 | + * Do note that inc_not_zero() provides a control dependency which will order |
2087 | + * future stores against the inc, this ensures we'll never modify the object |
2088 | + * if we did not in fact acquire a reference. |
2089 | + * |
2090 | + * The decrements will provide release order, such that all the prior loads and |
2091 | + * stores will be issued before; it also provides a control dependency, which |
2092 | + * will order us against the subsequent free(). |
2093 | + * |
2094 | + * The control dependency is against the load of the cmpxchg (ll/sc) that |
2095 | + * succeeded. This means the stores aren't fully ordered, but this is fine |
2096 | + * because the 1->0 transition indicates no concurrency. |
2097 | + * |
2098 | + * Note that the allocator is responsible for ordering things between free() |
2099 | + * and alloc(). |
2100 | + * |
2101 | + * The decrements dec_and_test() and sub_and_test() also provide acquire |
2102 | + * ordering on success. |
2103 | + * |
2104 | + */ |
2105 | + |
2106 | #ifndef _LINUX_REFCOUNT_H |
2107 | #define _LINUX_REFCOUNT_H |
2108 | |
2109 | #include <linux/atomic.h> |
2110 | +#include <linux/bug.h> |
2111 | #include <linux/compiler.h> |
2112 | +#include <linux/limits.h> |
2113 | #include <linux/spinlock_types.h> |
2114 | |
2115 | struct mutex; |
2116 | @@ -12,7 +91,7 @@ struct mutex; |
2117 | * struct refcount_t - variant of atomic_t specialized for reference counts |
2118 | * @refs: atomic_t counter field |
2119 | * |
2120 | - * The counter saturates at UINT_MAX and will not move once |
2121 | + * The counter saturates at REFCOUNT_SATURATED and will not move once |
2122 | * there. This avoids wrapping the counter and causing 'spurious' |
2123 | * use-after-free bugs. |
2124 | */ |
2125 | @@ -21,13 +100,25 @@ typedef struct refcount_struct { |
2126 | } refcount_t; |
2127 | |
2128 | #define REFCOUNT_INIT(n) { .refs = ATOMIC_INIT(n), } |
2129 | +#define REFCOUNT_MAX INT_MAX |
2130 | +#define REFCOUNT_SATURATED (INT_MIN / 2) |
2131 | + |
2132 | +enum refcount_saturation_type { |
2133 | + REFCOUNT_ADD_NOT_ZERO_OVF, |
2134 | + REFCOUNT_ADD_OVF, |
2135 | + REFCOUNT_ADD_UAF, |
2136 | + REFCOUNT_SUB_UAF, |
2137 | + REFCOUNT_DEC_LEAK, |
2138 | +}; |
2139 | + |
2140 | +void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t); |
2141 | |
2142 | /** |
2143 | * refcount_set - set a refcount's value |
2144 | * @r: the refcount |
2145 | * @n: value to which the refcount will be set |
2146 | */ |
2147 | -static inline void refcount_set(refcount_t *r, unsigned int n) |
2148 | +static inline void refcount_set(refcount_t *r, int n) |
2149 | { |
2150 | atomic_set(&r->refs, n); |
2151 | } |
2152 | @@ -43,70 +134,168 @@ static inline unsigned int refcount_read(const refcount_t *r) |
2153 | return atomic_read(&r->refs); |
2154 | } |
2155 | |
2156 | -extern __must_check bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r); |
2157 | -extern void refcount_add_checked(unsigned int i, refcount_t *r); |
2158 | - |
2159 | -extern __must_check bool refcount_inc_not_zero_checked(refcount_t *r); |
2160 | -extern void refcount_inc_checked(refcount_t *r); |
2161 | - |
2162 | -extern __must_check bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r); |
2163 | - |
2164 | -extern __must_check bool refcount_dec_and_test_checked(refcount_t *r); |
2165 | -extern void refcount_dec_checked(refcount_t *r); |
2166 | - |
2167 | -#ifdef CONFIG_REFCOUNT_FULL |
2168 | - |
2169 | -#define refcount_add_not_zero refcount_add_not_zero_checked |
2170 | -#define refcount_add refcount_add_checked |
2171 | - |
2172 | -#define refcount_inc_not_zero refcount_inc_not_zero_checked |
2173 | -#define refcount_inc refcount_inc_checked |
2174 | +/** |
2175 | + * refcount_add_not_zero - add a value to a refcount unless it is 0 |
2176 | + * @i: the value to add to the refcount |
2177 | + * @r: the refcount |
2178 | + * |
2179 | + * Will saturate at REFCOUNT_SATURATED and WARN. |
2180 | + * |
2181 | + * Provides no memory ordering, it is assumed the caller has guaranteed the |
2182 | + * object memory to be stable (RCU, etc.). It does provide a control dependency |
2183 | + * and thereby orders future stores. See the comment on top. |
2184 | + * |
2185 | + * Use of this function is not recommended for the normal reference counting |
2186 | + * use case in which references are taken and released one at a time. In these |
2187 | + * cases, refcount_inc(), or one of its variants, should instead be used to |
2188 | + * increment a reference count. |
2189 | + * |
2190 | + * Return: false if the passed refcount is 0, true otherwise |
2191 | + */ |
2192 | +static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) |
2193 | +{ |
2194 | + int old = refcount_read(r); |
2195 | |
2196 | -#define refcount_sub_and_test refcount_sub_and_test_checked |
2197 | + do { |
2198 | + if (!old) |
2199 | + break; |
2200 | + } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i)); |
2201 | |
2202 | -#define refcount_dec_and_test refcount_dec_and_test_checked |
2203 | -#define refcount_dec refcount_dec_checked |
2204 | + if (unlikely(old < 0 || old + i < 0)) |
2205 | + refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF); |
2206 | |
2207 | -#else |
2208 | -# ifdef CONFIG_ARCH_HAS_REFCOUNT |
2209 | -# include <asm/refcount.h> |
2210 | -# else |
2211 | -static inline __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r) |
2212 | -{ |
2213 | - return atomic_add_unless(&r->refs, i, 0); |
2214 | + return old; |
2215 | } |
2216 | |
2217 | -static inline void refcount_add(unsigned int i, refcount_t *r) |
2218 | +/** |
2219 | + * refcount_add - add a value to a refcount |
2220 | + * @i: the value to add to the refcount |
2221 | + * @r: the refcount |
2222 | + * |
2223 | + * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WARN. |
2224 | + * |
2225 | + * Provides no memory ordering, it is assumed the caller has guaranteed the |
2226 | + * object memory to be stable (RCU, etc.). It does provide a control dependency |
2227 | + * and thereby orders future stores. See the comment on top. |
2228 | + * |
2229 | + * Use of this function is not recommended for the normal reference counting |
2230 | + * use case in which references are taken and released one at a time. In these |
2231 | + * cases, refcount_inc(), or one of its variants, should instead be used to |
2232 | + * increment a reference count. |
2233 | + */ |
2234 | +static inline void refcount_add(int i, refcount_t *r) |
2235 | { |
2236 | - atomic_add(i, &r->refs); |
2237 | + int old = atomic_fetch_add_relaxed(i, &r->refs); |
2238 | + |
2239 | + if (unlikely(!old)) |
2240 | + refcount_warn_saturate(r, REFCOUNT_ADD_UAF); |
2241 | + else if (unlikely(old < 0 || old + i < 0)) |
2242 | + refcount_warn_saturate(r, REFCOUNT_ADD_OVF); |
2243 | } |
2244 | |
2245 | +/** |
2246 | + * refcount_inc_not_zero - increment a refcount unless it is 0 |
2247 | + * @r: the refcount to increment |
2248 | + * |
2249 | + * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURATED |
2250 | + * and WARN. |
2251 | + * |
2252 | + * Provides no memory ordering, it is assumed the caller has guaranteed the |
2253 | + * object memory to be stable (RCU, etc.). It does provide a control dependency |
2254 | + * and thereby orders future stores. See the comment on top. |
2255 | + * |
2256 | + * Return: true if the increment was successful, false otherwise |
2257 | + */ |
2258 | static inline __must_check bool refcount_inc_not_zero(refcount_t *r) |
2259 | { |
2260 | - return atomic_add_unless(&r->refs, 1, 0); |
2261 | + return refcount_add_not_zero(1, r); |
2262 | } |
2263 | |
2264 | +/** |
2265 | + * refcount_inc - increment a refcount |
2266 | + * @r: the refcount to increment |
2267 | + * |
2268 | + * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WARN. |
2269 | + * |
2270 | + * Provides no memory ordering, it is assumed the caller already has a |
2271 | + * reference on the object. |
2272 | + * |
2273 | + * Will WARN if the refcount is 0, as this represents a possible use-after-free |
2274 | + * condition. |
2275 | + */ |
2276 | static inline void refcount_inc(refcount_t *r) |
2277 | { |
2278 | - atomic_inc(&r->refs); |
2279 | + refcount_add(1, r); |
2280 | } |
2281 | |
2282 | -static inline __must_check bool refcount_sub_and_test(unsigned int i, refcount_t *r) |
2283 | +/** |
2284 | + * refcount_sub_and_test - subtract from a refcount and test if it is 0 |
2285 | + * @i: amount to subtract from the refcount |
2286 | + * @r: the refcount |
2287 | + * |
2288 | + * Similar to atomic_dec_and_test(), but it will WARN, return false and |
2289 | + * ultimately leak on underflow and will fail to decrement when saturated |
2290 | + * at REFCOUNT_SATURATED. |
2291 | + * |
2292 | + * Provides release memory ordering, such that prior loads and stores are done |
2293 | + * before, and provides an acquire ordering on success such that free() |
2294 | + * must come after. |
2295 | + * |
2296 | + * Use of this function is not recommended for the normal reference counting |
2297 | + * use case in which references are taken and released one at a time. In these |
2298 | + * cases, refcount_dec(), or one of its variants, should instead be used to |
2299 | + * decrement a reference count. |
2300 | + * |
2301 | + * Return: true if the resulting refcount is 0, false otherwise |
2302 | + */ |
2303 | +static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) |
2304 | { |
2305 | - return atomic_sub_and_test(i, &r->refs); |
2306 | + int old = atomic_fetch_sub_release(i, &r->refs); |
2307 | + |
2308 | + if (old == i) { |
2309 | + smp_acquire__after_ctrl_dep(); |
2310 | + return true; |
2311 | + } |
2312 | + |
2313 | + if (unlikely(old < 0 || old - i < 0)) |
2314 | + refcount_warn_saturate(r, REFCOUNT_SUB_UAF); |
2315 | + |
2316 | + return false; |
2317 | } |
2318 | |
2319 | +/** |
2320 | + * refcount_dec_and_test - decrement a refcount and test if it is 0 |
2321 | + * @r: the refcount |
2322 | + * |
2323 | + * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to |
2324 | + * decrement when saturated at REFCOUNT_SATURATED. |
2325 | + * |
2326 | + * Provides release memory ordering, such that prior loads and stores are done |
2327 | + * before, and provides an acquire ordering on success such that free() |
2328 | + * must come after. |
2329 | + * |
2330 | + * Return: true if the resulting refcount is 0, false otherwise |
2331 | + */ |
2332 | static inline __must_check bool refcount_dec_and_test(refcount_t *r) |
2333 | { |
2334 | - return atomic_dec_and_test(&r->refs); |
2335 | + return refcount_sub_and_test(1, r); |
2336 | } |
2337 | |
2338 | +/** |
2339 | + * refcount_dec - decrement a refcount |
2340 | + * @r: the refcount |
2341 | + * |
2342 | + * Similar to atomic_dec(), it will WARN on underflow and fail to decrement |
2343 | + * when saturated at REFCOUNT_SATURATED. |
2344 | + * |
2345 | + * Provides release memory ordering, such that prior loads and stores are done |
2346 | + * before. |
2347 | + */ |
2348 | static inline void refcount_dec(refcount_t *r) |
2349 | { |
2350 | - atomic_dec(&r->refs); |
2351 | + if (unlikely(atomic_fetch_sub_release(1, &r->refs) <= 1)) |
2352 | + refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); |
2353 | } |
2354 | -# endif /* !CONFIG_ARCH_HAS_REFCOUNT */ |
2355 | -#endif /* CONFIG_REFCOUNT_FULL */ |
2356 | |
2357 | extern __must_check bool refcount_dec_if_one(refcount_t *r); |
2358 | extern __must_check bool refcount_dec_not_one(refcount_t *r); |
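The refcount.h rewrite above replaces the CONFIG_REFCOUNT_FULL split with always-on saturation checks: increments stay relaxed, and a counter observed in the negative range is pinned to REFCOUNT_SATURATED after the fact, as the header comment describes. A compilable userspace model of refcount_add_not_zero() using C11 atomics (the wrap is done in unsigned arithmetic to keep the sketch free of signed-overflow UB; this is a model, not the kernel code):

	#include <limits.h>
	#include <stdatomic.h>
	#include <stdbool.h>
	#include <stdio.h>

	#define REFCOUNT_SATURATED (INT_MIN / 2)

	typedef struct { _Atomic int refs; } refcount_t;

	static bool refcount_add_not_zero(int i, refcount_t *r)
	{
		int old = atomic_load_explicit(&r->refs, memory_order_relaxed);
		int new;

		do {
			if (!old)
				return false;
			/* wrap in unsigned arithmetic to keep the sketch UB-free */
			new = (int)((unsigned int)old + (unsigned int)i);
		} while (!atomic_compare_exchange_weak_explicit(&r->refs, &old, new,
				memory_order_relaxed, memory_order_relaxed));

		if (old < 0 || new < 0) {
			/* models refcount_warn_saturate(): pin the counter */
			atomic_store_explicit(&r->refs, REFCOUNT_SATURATED,
					      memory_order_relaxed);
			fprintf(stderr, "refcount_t: saturated; leaking memory.\n");
		}
		return true;
	}

	int main(void)
	{
		refcount_t r = { INT_MAX };

		refcount_add_not_zero(1, &r);	/* overflow caught after the fact */
		printf("refs pinned at %d (REFCOUNT_SATURATED is %d)\n",
		       atomic_load(&r.refs), REFCOUNT_SATURATED);
		return 0;
	}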
2359 | diff --git a/include/linux/tty_flip.h b/include/linux/tty_flip.h |
2360 | index 767f62086bd9b..c326bfdb5ec2c 100644 |
2361 | --- a/include/linux/tty_flip.h |
2362 | +++ b/include/linux/tty_flip.h |
2363 | @@ -12,7 +12,6 @@ extern int tty_insert_flip_string_fixed_flag(struct tty_port *port, |
2364 | extern int tty_prepare_flip_string(struct tty_port *port, |
2365 | unsigned char **chars, size_t size); |
2366 | extern void tty_flip_buffer_push(struct tty_port *port); |
2367 | -void tty_schedule_flip(struct tty_port *port); |
2368 | int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag); |
2369 | |
2370 | static inline int tty_insert_flip_char(struct tty_port *port, |
2371 | @@ -40,4 +39,7 @@ static inline int tty_insert_flip_string(struct tty_port *port, |
2372 | extern void tty_buffer_lock_exclusive(struct tty_port *port); |
2373 | extern void tty_buffer_unlock_exclusive(struct tty_port *port); |
2374 | |
2375 | +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, |
2376 | + const unsigned char *chars, size_t cnt); |
2377 | + |
2378 | #endif /* _LINUX_TTY_FLIP_H */ |
2379 | diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h |
2380 | index fabee6db0abb7..421d41ef4e9ca 100644 |
2381 | --- a/include/net/bluetooth/bluetooth.h |
2382 | +++ b/include/net/bluetooth/bluetooth.h |
2383 | @@ -370,6 +370,71 @@ out: |
2384 | return NULL; |
2385 | } |
2386 | |
2387 | +/* Shall not be called with lock_sock held */ |
2388 | +static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk, |
2389 | + struct msghdr *msg, |
2390 | + size_t len, size_t mtu, |
2391 | + size_t headroom, size_t tailroom) |
2392 | +{ |
2393 | + struct sk_buff *skb; |
2394 | + size_t size = min_t(size_t, len, mtu); |
2395 | + int err; |
2396 | + |
2397 | + skb = bt_skb_send_alloc(sk, size + headroom + tailroom, |
2398 | + msg->msg_flags & MSG_DONTWAIT, &err); |
2399 | + if (!skb) |
2400 | + return ERR_PTR(err); |
2401 | + |
2402 | + skb_reserve(skb, headroom); |
2403 | + skb_tailroom_reserve(skb, mtu, tailroom); |
2404 | + |
2405 | + if (!copy_from_iter_full(skb_put(skb, size), size, &msg->msg_iter)) { |
2406 | + kfree_skb(skb); |
2407 | + return ERR_PTR(-EFAULT); |
2408 | + } |
2409 | + |
2410 | + skb->priority = sk->sk_priority; |
2411 | + |
2412 | + return skb; |
2413 | +} |
2414 | + |
2415 | +/* Similar to bt_skb_sendmsg but can split the msg into multiple fragments |
2416 | + * according to the MTU. |
2417 | + */ |
2418 | +static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, |
2419 | + struct msghdr *msg, |
2420 | + size_t len, size_t mtu, |
2421 | + size_t headroom, size_t tailroom) |
2422 | +{ |
2423 | + struct sk_buff *skb, **frag; |
2424 | + |
2425 | + skb = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); |
2426 | + if (IS_ERR_OR_NULL(skb)) |
2427 | + return skb; |
2428 | + |
2429 | + len -= skb->len; |
2430 | + if (!len) |
2431 | + return skb; |
2432 | + |
2433 | + /* Add remaining data over MTU as continuation fragments */ |
2434 | + frag = &skb_shinfo(skb)->frag_list; |
2435 | + while (len) { |
2436 | + struct sk_buff *tmp; |
2437 | + |
2438 | + tmp = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); |
2439 | + if (IS_ERR(tmp)) { |
2440 | + return skb; |
2441 | + } |
2442 | + |
2443 | + len -= tmp->len; |
2444 | + |
2445 | + *frag = tmp; |
2446 | + frag = &(*frag)->next; |
2447 | + } |
2448 | + |
2449 | + return skb; |
2450 | +} |
2451 | + |
2452 | int bt_to_errno(u16 code); |
2453 | |
2454 | void hci_sock_set_flag(struct sock *sk, int nr); |
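bt_skb_sendmmsg() above consumes at most mtu bytes per skb and chains the remainder as continuation fragments through frag_list. The chaining pattern, reduced to a runnable userspace sketch with a static fragment pool (names and sizes are illustrative):

	#include <stdio.h>
	#include <string.h>

	#define MTU 4	/* illustrative; real MTUs come from the channel */

	struct frag { char data[MTU + 1]; struct frag *next; };

	static struct frag pool[8];	/* large enough for this demo */

	static struct frag *sendmmsg(const char *msg, size_t len)
	{
		struct frag *head = NULL, **link = &head;
		size_t off = 0, used = 0;

		while (len) {
			size_t size = len < MTU ? len : MTU;	/* min(len, mtu) */
			struct frag *f = &pool[used++];

			memcpy(f->data, msg + off, size);
			f->data[size] = '\0';
			f->next = NULL;
			*link = f;		/* like *frag = tmp */
			link = &f->next;	/* like frag = &(*frag)->next */
			off += size;
			len -= size;
		}
		return head;
	}

	int main(void)
	{
		for (struct frag *f = sendmmsg("fragmented", 10); f; f = f->next)
			printf("frag: %s\n", f->data);
		return 0;
	}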
2455 | diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h |
2456 | index 34c4436fd18ff..58db7c69c146d 100644 |
2457 | --- a/include/net/inet_sock.h |
2458 | +++ b/include/net/inet_sock.h |
2459 | @@ -107,7 +107,8 @@ static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk) |
2460 | |
2461 | static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff *skb) |
2462 | { |
2463 | - if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept) |
2464 | + if (!sk->sk_mark && |
2465 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)) |
2466 | return skb->mark; |
2467 | |
2468 | return sk->sk_mark; |
2469 | @@ -375,7 +376,7 @@ static inline bool inet_get_convert_csum(struct sock *sk) |
2470 | static inline bool inet_can_nonlocal_bind(struct net *net, |
2471 | struct inet_sock *inet) |
2472 | { |
2473 | - return net->ipv4.sysctl_ip_nonlocal_bind || |
2474 | + return READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind) || |
2475 | inet->freebind || inet->transparent; |
2476 | } |
2477 | |
2478 | diff --git a/include/net/ip.h b/include/net/ip.h |
2479 | index 3f3ea86b2173c..db841ab388c0e 100644 |
2480 | --- a/include/net/ip.h |
2481 | +++ b/include/net/ip.h |
2482 | @@ -381,7 +381,7 @@ void ipfrag_init(void); |
2483 | void ip_static_sysctl_init(void); |
2484 | |
2485 | #define IP4_REPLY_MARK(net, mark) \ |
2486 | - ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0) |
2487 | + (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0) |
2488 | |
2489 | static inline bool ip_is_fragment(const struct iphdr *iph) |
2490 | { |
2491 | @@ -442,7 +442,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, |
2492 | struct net *net = dev_net(dst->dev); |
2493 | unsigned int mtu; |
2494 | |
2495 | - if (net->ipv4.sysctl_ip_fwd_use_pmtu || |
2496 | + if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) || |
2497 | ip_mtu_locked(dst) || |
2498 | !forwarding) |
2499 | return dst_mtu(dst); |
2500 | diff --git a/include/net/tcp.h b/include/net/tcp.h |
2501 | index 65be8bd1f0f4a..aaf1d5d5a13b0 100644 |
2502 | --- a/include/net/tcp.h |
2503 | +++ b/include/net/tcp.h |
2504 | @@ -1373,8 +1373,8 @@ static inline void tcp_slow_start_after_idle_check(struct sock *sk) |
2505 | struct tcp_sock *tp = tcp_sk(sk); |
2506 | s32 delta; |
2507 | |
2508 | - if (!sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle || tp->packets_out || |
2509 | - ca_ops->cong_control) |
2510 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) || |
2511 | + tp->packets_out || ca_ops->cong_control) |
2512 | return; |
2513 | delta = tcp_jiffies32 - tp->lsndtime; |
2514 | if (delta > inet_csk(sk)->icsk_rto) |
2515 | @@ -1465,7 +1465,8 @@ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) |
2516 | |
2517 | static inline int tcp_fin_time(const struct sock *sk) |
2518 | { |
2519 | - int fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout; |
2520 | + int fin_timeout = tcp_sk(sk)->linger2 ? : |
2521 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout); |
2522 | const int rto = inet_csk(sk)->icsk_rto; |
2523 | |
2524 | if (fin_timeout < (rto << 2) - (rto >> 1)) |
2525 | @@ -1946,7 +1947,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); |
2526 | static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) |
2527 | { |
2528 | struct net *net = sock_net((struct sock *)tp); |
2529 | - return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat; |
2530 | + return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); |
2531 | } |
2532 | |
2533 | /* @wake is one when sk_stream_write_space() calls us. |
2534 | diff --git a/include/net/udp.h b/include/net/udp.h |
2535 | index 9787a42f7ed3e..e66854e767dcc 100644 |
2536 | --- a/include/net/udp.h |
2537 | +++ b/include/net/udp.h |
2538 | @@ -252,7 +252,7 @@ static inline bool udp_sk_bound_dev_eq(struct net *net, int bound_dev_if, |
2539 | int dif, int sdif) |
2540 | { |
2541 | #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) |
2542 | - return inet_bound_dev_eq(!!net->ipv4.sysctl_udp_l3mdev_accept, |
2543 | + return inet_bound_dev_eq(!!READ_ONCE(net->ipv4.sysctl_udp_l3mdev_accept), |
2544 | bound_dev_if, dif, sdif); |
2545 | #else |
2546 | return inet_bound_dev_eq(true, bound_dev_if, dif, sdif); |
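The net header hunks above wrap lockless sysctl reads in READ_ONCE() because the knobs can be rewritten concurrently from /proc; a single marked load keeps the compiler from reloading (or tearing) the value mid-decision. A userspace sketch of the same pattern, modeling READ_ONCE() with a relaxed C11 atomic load (an approximation, not the kernel macro):

	#include <stdatomic.h>
	#include <stdio.h>

	static _Atomic int sysctl_ip_fwd_use_pmtu;	/* flipped at runtime by a writer */

	/* one marked load; the value cannot change between check and use */
	#define READ_ONCE_MODEL(x) atomic_load_explicit(&(x), memory_order_relaxed)

	static unsigned int mtu_maybe_forward(unsigned int dst_mtu, unsigned int pmtu)
	{
		if (READ_ONCE_MODEL(sysctl_ip_fwd_use_pmtu))
			return pmtu;
		return dst_mtu;
	}

	int main(void)
	{
		atomic_store(&sysctl_ip_fwd_use_pmtu, 1);
		printf("mtu = %u\n", mtu_maybe_forward(1500, 1400));
		return 0;
	}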
2547 | diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c |
2548 | index 1238ef9c569df..6b33a8a148b85 100644 |
2549 | --- a/kernel/bpf/core.c |
2550 | +++ b/kernel/bpf/core.c |
2551 | @@ -64,11 +64,13 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns |
2552 | { |
2553 | u8 *ptr = NULL; |
2554 | |
2555 | - if (k >= SKF_NET_OFF) |
2556 | + if (k >= SKF_NET_OFF) { |
2557 | ptr = skb_network_header(skb) + k - SKF_NET_OFF; |
2558 | - else if (k >= SKF_LL_OFF) |
2559 | + } else if (k >= SKF_LL_OFF) { |
2560 | + if (unlikely(!skb_mac_header_was_set(skb))) |
2561 | + return NULL; |
2562 | ptr = skb_mac_header(skb) + k - SKF_LL_OFF; |
2563 | - |
2564 | + } |
2565 | if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb)) |
2566 | return ptr; |
2567 | |
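The bpf_internal_load_pointer_neg_helper() fix above refuses SKF_LL_OFF loads when no MAC header was ever set, instead of computing a pointer from an unset offset. A stripped-down userspace sketch of that guard (types and the sentinel constant are illustrative, not the kernel's):

	#include <stdint.h>
	#include <stdio.h>

	#define MAC_HEADER_UNSET ((uint16_t)~0U)

	struct fake_skb { uint8_t *head; uint16_t mac_header; };

	static uint8_t *load_pointer(const struct fake_skb *skb, int k)
	{
		/* the fix: bail out instead of trusting an unset offset */
		if (skb->mac_header == MAC_HEADER_UNSET)
			return NULL;
		return skb->head + skb->mac_header + k;
	}

	int main(void)
	{
		uint8_t buf[64];
		struct fake_skb skb = { buf, MAC_HEADER_UNSET };

		printf("ptr = %p\n", (void *)load_pointer(&skb, 0));
		return 0;
	}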
2568 | diff --git a/kernel/events/core.c b/kernel/events/core.c |
2569 | index 8336dcb2bd432..0a54780e0942d 100644 |
2570 | --- a/kernel/events/core.c |
2571 | +++ b/kernel/events/core.c |
2572 | @@ -5819,10 +5819,10 @@ again: |
2573 | |
2574 | if (!atomic_inc_not_zero(&event->rb->mmap_count)) { |
2575 | /* |
2576 | - * Raced against perf_mmap_close() through |
2577 | - * perf_event_set_output(). Try again, hope for better |
2578 | - * luck. |
2579 | + * Raced against perf_mmap_close(); remove the |
2580 | + * event and try again. |
2581 | */ |
2582 | + ring_buffer_attach(event, NULL); |
2583 | mutex_unlock(&event->mmap_mutex); |
2584 | goto again; |
2585 | } |
2586 | @@ -10763,14 +10763,25 @@ err_size: |
2587 | goto out; |
2588 | } |
2589 | |
2590 | +static void mutex_lock_double(struct mutex *a, struct mutex *b) |
2591 | +{ |
2592 | + if (b < a) |
2593 | + swap(a, b); |
2594 | + |
2595 | + mutex_lock(a); |
2596 | + mutex_lock_nested(b, SINGLE_DEPTH_NESTING); |
2597 | +} |
2598 | + |
2599 | static int |
2600 | perf_event_set_output(struct perf_event *event, struct perf_event *output_event) |
2601 | { |
2602 | struct ring_buffer *rb = NULL; |
2603 | int ret = -EINVAL; |
2604 | |
2605 | - if (!output_event) |
2606 | + if (!output_event) { |
2607 | + mutex_lock(&event->mmap_mutex); |
2608 | goto set; |
2609 | + } |
2610 | |
2611 | /* don't allow circular references */ |
2612 | if (event == output_event) |
2613 | @@ -10808,8 +10819,15 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event) |
2614 | event->pmu != output_event->pmu) |
2615 | goto out; |
2616 | |
2617 | + /* |
2618 | + * Hold both mmap_mutex to serialize against perf_mmap_close(). Since |
2619 | + * output_event is already on rb->event_list, and the list iteration |
2620 | + * restarts after every removal, it is guaranteed this new event is |
2621 | + * observed *OR* if output_event is already removed, it's guaranteed we |
2622 | + * observe !rb->mmap_count. |
2623 | + */ |
2624 | + mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex); |
2625 | set: |
2626 | - mutex_lock(&event->mmap_mutex); |
2627 | /* Can't redirect output if we've got an active mmap() */ |
2628 | if (atomic_read(&event->mmap_count)) |
2629 | goto unlock; |
2630 | @@ -10819,6 +10837,12 @@ set: |
2631 | rb = ring_buffer_get(output_event); |
2632 | if (!rb) |
2633 | goto unlock; |
2634 | + |
2635 | + /* did we race against perf_mmap_close() */ |
2636 | + if (!atomic_read(&rb->mmap_count)) { |
2637 | + ring_buffer_put(rb); |
2638 | + goto unlock; |
2639 | + } |
2640 | } |
2641 | |
2642 | ring_buffer_attach(event, rb); |
2643 | @@ -10826,20 +10850,13 @@ set: |
2644 | ret = 0; |
2645 | unlock: |
2646 | mutex_unlock(&event->mmap_mutex); |
2647 | + if (output_event) |
2648 | + mutex_unlock(&output_event->mmap_mutex); |
2649 | |
2650 | out: |
2651 | return ret; |
2652 | } |
2653 | |
2654 | -static void mutex_lock_double(struct mutex *a, struct mutex *b) |
2655 | -{ |
2656 | - if (b < a) |
2657 | - swap(a, b); |
2658 | - |
2659 | - mutex_lock(a); |
2660 | - mutex_lock_nested(b, SINGLE_DEPTH_NESTING); |
2661 | -} |
2662 | - |
2663 | static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id) |
2664 | { |
2665 | bool nmi_safe = false; |
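The perf_event_set_output() rework above takes both mmap_mutex locks, ordered by address via mutex_lock_double(), so it can serialize against perf_mmap_close() without deadlocking when two tasks pass the same pair in opposite order. A userspace sketch of address-ordered double locking with pthread mutexes (the pointer comparison mirrors the kernel's trick; not kernel code):

	#include <pthread.h>
	#include <stdio.h>

	static void mutex_lock_double(pthread_mutex_t *a, pthread_mutex_t *b)
	{
		if (b < a) {	/* order the pair by address, as the hunk does */
			pthread_mutex_t *t = a;

			a = b;
			b = t;
		}
		pthread_mutex_lock(a);
		pthread_mutex_lock(b);
	}

	int main(void)
	{
		pthread_mutex_t m1 = PTHREAD_MUTEX_INITIALIZER;
		pthread_mutex_t m2 = PTHREAD_MUTEX_INITIALIZER;

		/* either argument order takes the locks in the same global order */
		mutex_lock_double(&m1, &m2);
		printf("both mutexes held, no deadlock possible\n");
		pthread_mutex_unlock(&m2);
		pthread_mutex_unlock(&m1);
		return 0;
	}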
2666 | diff --git a/lib/refcount.c b/lib/refcount.c |
2667 | index 6e904af0fb3e1..ebac8b7d15a7c 100644 |
2668 | --- a/lib/refcount.c |
2669 | +++ b/lib/refcount.c |
2670 | @@ -1,41 +1,6 @@ |
2671 | // SPDX-License-Identifier: GPL-2.0 |
2672 | /* |
2673 | - * Variant of atomic_t specialized for reference counts. |
2674 | - * |
2675 | - * The interface matches the atomic_t interface (to aid in porting) but only |
2676 | - * provides the few functions one should use for reference counting. |
2677 | - * |
2678 | - * It differs in that the counter saturates at UINT_MAX and will not move once |
2679 | - * there. This avoids wrapping the counter and causing 'spurious' |
2680 | - * use-after-free issues. |
2681 | - * |
2682 | - * Memory ordering rules are slightly relaxed wrt regular atomic_t functions |
2683 | - * and provide only what is strictly required for refcounts. |
2684 | - * |
2685 | - * The increments are fully relaxed; these will not provide ordering. The |
2686 | - * rationale is that whatever is used to obtain the object we're increasing the |
2687 | - * reference count on will provide the ordering. For locked data structures, |
2688 | - * its the lock acquire, for RCU/lockless data structures its the dependent |
2689 | - * load. |
2690 | - * |
2691 | - * Do note that inc_not_zero() provides a control dependency which will order |
2692 | - * future stores against the inc, this ensures we'll never modify the object |
2693 | - * if we did not in fact acquire a reference. |
2694 | - * |
2695 | - * The decrements will provide release order, such that all the prior loads and |
2696 | - * stores will be issued before, it also provides a control dependency, which |
2697 | - * will order us against the subsequent free(). |
2698 | - * |
2699 | - * The control dependency is against the load of the cmpxchg (ll/sc) that |
2700 | - * succeeded. This means the stores aren't fully ordered, but this is fine |
2701 | - * because the 1->0 transition indicates no concurrency. |
2702 | - * |
2703 | - * Note that the allocator is responsible for ordering things between free() |
2704 | - * and alloc(). |
2705 | - * |
2706 | - * The decrements dec_and_test() and sub_and_test() also provide acquire |
2707 | - * ordering on success. |
2708 | - * |
2709 | + * Out-of-line refcount functions. |
2710 | */ |
2711 | |
2712 | #include <linux/mutex.h> |
2713 | @@ -43,199 +8,33 @@ |
2714 | #include <linux/spinlock.h> |
2715 | #include <linux/bug.h> |
2716 | |
2717 | -/** |
2718 | - * refcount_add_not_zero_checked - add a value to a refcount unless it is 0 |
2719 | - * @i: the value to add to the refcount |
2720 | - * @r: the refcount |
2721 | - * |
2722 | - * Will saturate at UINT_MAX and WARN. |
2723 | - * |
2724 | - * Provides no memory ordering, it is assumed the caller has guaranteed the |
2725 | - * object memory to be stable (RCU, etc.). It does provide a control dependency |
2726 | - * and thereby orders future stores. See the comment on top. |
2727 | - * |
2728 | - * Use of this function is not recommended for the normal reference counting |
2729 | - * use case in which references are taken and released one at a time. In these |
2730 | - * cases, refcount_inc(), or one of its variants, should instead be used to |
2731 | - * increment a reference count. |
2732 | - * |
2733 | - * Return: false if the passed refcount is 0, true otherwise |
2734 | - */ |
2735 | -bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r) |
2736 | -{ |
2737 | - unsigned int new, val = atomic_read(&r->refs); |
2738 | - |
2739 | - do { |
2740 | - if (!val) |
2741 | - return false; |
2742 | - |
2743 | - if (unlikely(val == UINT_MAX)) |
2744 | - return true; |
2745 | - |
2746 | - new = val + i; |
2747 | - if (new < val) |
2748 | - new = UINT_MAX; |
2749 | - |
2750 | - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); |
2751 | - |
2752 | - WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); |
2753 | - |
2754 | - return true; |
2755 | -} |
2756 | -EXPORT_SYMBOL(refcount_add_not_zero_checked); |
2757 | - |
2758 | -/** |
2759 | - * refcount_add_checked - add a value to a refcount |
2760 | - * @i: the value to add to the refcount |
2761 | - * @r: the refcount |
2762 | - * |
2763 | - * Similar to atomic_add(), but will saturate at UINT_MAX and WARN. |
2764 | - * |
2765 | - * Provides no memory ordering, it is assumed the caller has guaranteed the |
2766 | - * object memory to be stable (RCU, etc.). It does provide a control dependency |
2767 | - * and thereby orders future stores. See the comment on top. |
2768 | - * |
2769 | - * Use of this function is not recommended for the normal reference counting |
2770 | - * use case in which references are taken and released one at a time. In these |
2771 | - * cases, refcount_inc(), or one of its variants, should instead be used to |
2772 | - * increment a reference count. |
2773 | - */ |
2774 | -void refcount_add_checked(unsigned int i, refcount_t *r) |
2775 | -{ |
2776 | - WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on 0; use-after-free.\n"); |
2777 | -} |
2778 | -EXPORT_SYMBOL(refcount_add_checked); |
2779 | - |
2780 | -/** |
2781 | - * refcount_inc_not_zero_checked - increment a refcount unless it is 0 |
2782 | - * @r: the refcount to increment |
2783 | - * |
2784 | - * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WARN. |
2785 | - * |
2786 | - * Provides no memory ordering, it is assumed the caller has guaranteed the |
2787 | - * object memory to be stable (RCU, etc.). It does provide a control dependency |
2788 | - * and thereby orders future stores. See the comment on top. |
2789 | - * |
2790 | - * Return: true if the increment was successful, false otherwise |
2791 | - */ |
2792 | -bool refcount_inc_not_zero_checked(refcount_t *r) |
2793 | -{ |
2794 | - unsigned int new, val = atomic_read(&r->refs); |
2795 | - |
2796 | - do { |
2797 | - new = val + 1; |
2798 | - |
2799 | - if (!val) |
2800 | - return false; |
2801 | - |
2802 | - if (unlikely(!new)) |
2803 | - return true; |
2804 | - |
2805 | - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); |
2806 | +#define REFCOUNT_WARN(str) WARN_ONCE(1, "refcount_t: " str ".\n") |
2807 | |
2808 | - WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); |
2809 | - |
2810 | - return true; |
2811 | -} |
2812 | -EXPORT_SYMBOL(refcount_inc_not_zero_checked); |
2813 | - |
2814 | -/** |
2815 | - * refcount_inc_checked - increment a refcount |
2816 | - * @r: the refcount to increment |
2817 | - * |
2818 | - * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN. |
2819 | - * |
2820 | - * Provides no memory ordering, it is assumed the caller already has a |
2821 | - * reference on the object. |
2822 | - * |
2823 | - * Will WARN if the refcount is 0, as this represents a possible use-after-free |
2824 | - * condition. |
2825 | - */ |
2826 | -void refcount_inc_checked(refcount_t *r) |
2827 | +void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t) |
2828 | { |
2829 | - WARN_ONCE(!refcount_inc_not_zero_checked(r), "refcount_t: increment on 0; use-after-free.\n"); |
2830 | -} |
2831 | -EXPORT_SYMBOL(refcount_inc_checked); |
2832 | - |
2833 | -/** |
2834 | - * refcount_sub_and_test_checked - subtract from a refcount and test if it is 0 |
2835 | - * @i: amount to subtract from the refcount |
2836 | - * @r: the refcount |
2837 | - * |
2838 | - * Similar to atomic_dec_and_test(), but it will WARN, return false and |
2839 | - * ultimately leak on underflow and will fail to decrement when saturated |
2840 | - * at UINT_MAX. |
2841 | - * |
2842 | - * Provides release memory ordering, such that prior loads and stores are done |
2843 | - * before, and provides an acquire ordering on success such that free() |
2844 | - * must come after. |
2845 | - * |
2846 | - * Use of this function is not recommended for the normal reference counting |
2847 | - * use case in which references are taken and released one at a time. In these |
2848 | - * cases, refcount_dec(), or one of its variants, should instead be used to |
2849 | - * decrement a reference count. |
2850 | - * |
2851 | - * Return: true if the resulting refcount is 0, false otherwise |
2852 | - */ |
2853 | -bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r) |
2854 | -{ |
2855 | - unsigned int new, val = atomic_read(&r->refs); |
2856 | - |
2857 | - do { |
2858 | - if (unlikely(val == UINT_MAX)) |
2859 | - return false; |
2860 | - |
2861 | - new = val - i; |
2862 | - if (new > val) { |
2863 | - WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); |
2864 | - return false; |
2865 | - } |
2866 | - |
2867 | - } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); |
2868 | - |
2869 | - if (!new) { |
2870 | - smp_acquire__after_ctrl_dep(); |
2871 | - return true; |
2872 | + refcount_set(r, REFCOUNT_SATURATED); |
2873 | + |
2874 | + switch (t) { |
2875 | + case REFCOUNT_ADD_NOT_ZERO_OVF: |
2876 | + REFCOUNT_WARN("saturated; leaking memory"); |
2877 | + break; |
2878 | + case REFCOUNT_ADD_OVF: |
2879 | + REFCOUNT_WARN("saturated; leaking memory"); |
2880 | + break; |
2881 | + case REFCOUNT_ADD_UAF: |
2882 | + REFCOUNT_WARN("addition on 0; use-after-free"); |
2883 | + break; |
2884 | + case REFCOUNT_SUB_UAF: |
2885 | + REFCOUNT_WARN("underflow; use-after-free"); |
2886 | + break; |
2887 | + case REFCOUNT_DEC_LEAK: |
2888 | + REFCOUNT_WARN("decrement hit 0; leaking memory"); |
2889 | + break; |
2890 | + default: |
2891 | + REFCOUNT_WARN("unknown saturation event!?"); |
2892 | } |
2893 | - return false; |
2894 | - |
2895 | -} |
2896 | -EXPORT_SYMBOL(refcount_sub_and_test_checked); |
2897 | - |
2898 | -/** |
2899 | - * refcount_dec_and_test_checked - decrement a refcount and test if it is 0 |
2900 | - * @r: the refcount |
2901 | - * |
2902 | - * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to |
2903 | - * decrement when saturated at UINT_MAX. |
2904 | - * |
2905 | - * Provides release memory ordering, such that prior loads and stores are done |
2906 | - * before, and provides an acquire ordering on success such that free() |
2907 | - * must come after. |
2908 | - * |
2909 | - * Return: true if the resulting refcount is 0, false otherwise |
2910 | - */ |
2911 | -bool refcount_dec_and_test_checked(refcount_t *r) |
2912 | -{ |
2913 | - return refcount_sub_and_test_checked(1, r); |
2914 | -} |
2915 | -EXPORT_SYMBOL(refcount_dec_and_test_checked); |
2916 | - |
2917 | -/** |
2918 | - * refcount_dec_checked - decrement a refcount |
2919 | - * @r: the refcount |
2920 | - * |
2921 | - * Similar to atomic_dec(), it will WARN on underflow and fail to decrement |
2922 | - * when saturated at UINT_MAX. |
2923 | - * |
2924 | - * Provides release memory ordering, such that prior loads and stores are done |
2925 | - * before. |
2926 | - */ |
2927 | -void refcount_dec_checked(refcount_t *r) |
2928 | -{ |
2929 | - WARN_ONCE(refcount_dec_and_test_checked(r), "refcount_t: decrement hit 0; leaking memory.\n"); |
2930 | } |
2931 | -EXPORT_SYMBOL(refcount_dec_checked); |
2932 | +EXPORT_SYMBOL(refcount_warn_saturate); |
2933 | |
2934 | /** |
2935 | * refcount_dec_if_one - decrement a refcount if it is 1 |
2936 | @@ -277,7 +76,7 @@ bool refcount_dec_not_one(refcount_t *r) |
2937 | unsigned int new, val = atomic_read(&r->refs); |
2938 | |
2939 | do { |
2940 | - if (unlikely(val == UINT_MAX)) |
2941 | + if (unlikely(val == REFCOUNT_SATURATED)) |
2942 | return true; |
2943 | |
2944 | if (val == 1) |
2945 | @@ -302,7 +101,7 @@ EXPORT_SYMBOL(refcount_dec_not_one); |
2946 | * @lock: the mutex to be locked |
2947 | * |
2948 | * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and fail |
2949 | - * to decrement when saturated at UINT_MAX. |
2950 | + * to decrement when saturated at REFCOUNT_SATURATED. |
2951 | * |
2952 | * Provides release memory ordering, such that prior loads and stores are done |
2953 | * before, and provides a control dependency such that free() must come after. |
2954 | @@ -333,7 +132,7 @@ EXPORT_SYMBOL(refcount_dec_and_mutex_lock); |
2955 | * @lock: the spinlock to be locked |
2956 | * |
2957 | * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to |
2958 | - * decrement when saturated at UINT_MAX. |
2959 | + * decrement when saturated at REFCOUNT_SATURATED. |
2960 | * |
2961 | * Provides release memory ordering, such that prior loads and stores are done |
2962 | * before, and provides a control dependency such that free() must come after. |
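The rework above leaves only the failure path out of line: the checked refcount_*_checked() variants disappear, their fast paths move inline, and refcount_warn_saturate() is what the inline code calls once a counter strays out of range; as the hunk shows, it pins the counter at REFCOUNT_SATURATED and emits one warning per event type. A minimal userspace sketch of the "sticky saturation" idea, using C11 atomics and illustrative *_sketch names (this is not the kernel's exact inline implementation):

    #include <limits.h>
    #include <stdatomic.h>
    #include <stdbool.h>
    #include <stdio.h>

    /* Illustrative stand-in for REFCOUNT_SATURATED: a value deep in the
     * negative range, so both overflow and underflow land inside a zone
     * that every subsequent operation keeps sticky. */
    #define REFCOUNT_SATURATED_SKETCH (INT_MIN / 2)

    struct refcount_sketch { atomic_int refs; };

    static bool refcount_inc_not_zero_sketch(struct refcount_sketch *r)
    {
        int old = atomic_load_explicit(&r->refs, memory_order_relaxed);

        do {
            if (old == 0)                    /* freed: do not revive */
                return false;
            if (old < 0 || old == INT_MAX) { /* saturated: stay pinned */
                atomic_store_explicit(&r->refs, REFCOUNT_SATURATED_SKETCH,
                                      memory_order_relaxed);
                fprintf(stderr, "refcount_t: saturated; leaking memory.\n");
                return true;
            }
        } while (!atomic_compare_exchange_weak_explicit(&r->refs, &old,
                        old + 1, memory_order_relaxed, memory_order_relaxed));

        return true;
    }

    int main(void)
    {
        struct refcount_sketch r = { 1 };
        return refcount_inc_not_zero_sketch(&r) ? 0 : 1;
    }

Leaking the object on saturation is the design choice carried over from the removed code: a controlled leak is a safer failure mode than letting the counter wrap and free live memory.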
2963 | diff --git a/mm/mempolicy.c b/mm/mempolicy.c |
2964 | index d79ab5116a7be..f7b231f67156b 100644 |
2965 | --- a/mm/mempolicy.c |
2966 | +++ b/mm/mempolicy.c |
2967 | @@ -348,7 +348,7 @@ static void mpol_rebind_preferred(struct mempolicy *pol, |
2968 | */ |
2969 | static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) |
2970 | { |
2971 | - if (!pol) |
2972 | + if (!pol || pol->mode == MPOL_LOCAL) |
2973 | return; |
2974 | if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && |
2975 | nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) |
2976 | diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c |
2977 | index 3a9e9d9670be4..83a8c48dfaa8b 100644 |
2978 | --- a/net/bluetooth/rfcomm/core.c |
2979 | +++ b/net/bluetooth/rfcomm/core.c |
2980 | @@ -553,22 +553,58 @@ struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) |
2981 | return dlc; |
2982 | } |
2983 | |
2984 | +static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag) |
2985 | +{ |
2986 | + int len = frag->len; |
2987 | + |
2988 | + BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); |
2989 | + |
2990 | + if (len > d->mtu) |
2991 | + return -EINVAL; |
2992 | + |
2993 | + rfcomm_make_uih(frag, d->addr); |
2994 | + __skb_queue_tail(&d->tx_queue, frag); |
2995 | + |
2996 | + return len; |
2997 | +} |
2998 | + |
2999 | int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) |
3000 | { |
3001 | - int len = skb->len; |
3002 | + unsigned long flags; |
3003 | + struct sk_buff *frag, *next; |
3004 | + int len; |
3005 | |
3006 | if (d->state != BT_CONNECTED) |
3007 | return -ENOTCONN; |
3008 | |
3009 | - BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); |
3010 | + frag = skb_shinfo(skb)->frag_list; |
3011 | + skb_shinfo(skb)->frag_list = NULL; |
3012 | |
3013 | - if (len > d->mtu) |
3014 | - return -EINVAL; |
3015 | + /* Queue all fragments atomically. */ |
3016 | + spin_lock_irqsave(&d->tx_queue.lock, flags); |
3017 | |
3018 | - rfcomm_make_uih(skb, d->addr); |
3019 | - skb_queue_tail(&d->tx_queue, skb); |
3020 | + len = rfcomm_dlc_send_frag(d, skb); |
3021 | + if (len < 0 || !frag) |
3022 | + goto unlock; |
3023 | + |
3024 | + for (; frag; frag = next) { |
3025 | + int ret; |
3026 | + |
3027 | + next = frag->next; |
3028 | + |
3029 | + ret = rfcomm_dlc_send_frag(d, frag); |
3030 | + if (ret < 0) { |
3031 | + kfree_skb(frag); |
3032 | + goto unlock; |
3033 | + } |
3034 | + |
3035 | + len += ret; |
3036 | + } |
3037 | + |
3038 | +unlock: |
3039 | + spin_unlock_irqrestore(&d->tx_queue.lock, flags); |
3040 | |
3041 | - if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) |
3042 | + if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) |
3043 | rfcomm_schedule(); |
3044 | return len; |
3045 | } |
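The new rfcomm_dlc_send() above detaches the skb's frag_list up front and then queues the head plus every fragment while holding tx_queue.lock, so another writer on the same DLC cannot interleave its frames into the middle of one fragmented message. The shape of the pattern, sketched with a plain linked list and a pthread mutex instead of sk_buff queues (all *_sketch names are hypothetical):

    #include <pthread.h>
    #include <stddef.h>

    struct frag_sketch {
        struct frag_sketch *next;
        /* payload would live here */
    };

    struct queue_sketch {
        pthread_mutex_t lock;
        struct frag_sketch *head, *tail;
    };

    /* Splice an already-linked fragment chain onto the queue in one
     * critical section, so readers never observe a partial message. */
    static void queue_message_sketch(struct queue_sketch *q,
                                     struct frag_sketch *first)
    {
        struct frag_sketch *last = first;

        if (!first)
            return;
        while (last->next)              /* find the chain's own tail */
            last = last->next;

        pthread_mutex_lock(&q->lock);   /* queue all fragments atomically */
        if (q->tail)
            q->tail->next = first;
        else
            q->head = first;
        q->tail = last;
        pthread_mutex_unlock(&q->lock);
    }

Note the error handling in the hunk is all-or-nothing only per fragment: an oversized fragment is dropped and the loop aborts, but whatever was already queued stays queued and is reported through len.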
3046 | diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c |
3047 | index 90bb53aa4beed..e67310a749d27 100644 |
3048 | --- a/net/bluetooth/rfcomm/sock.c |
3049 | +++ b/net/bluetooth/rfcomm/sock.c |
3050 | @@ -578,46 +578,20 @@ static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3051 | lock_sock(sk); |
3052 | |
3053 | sent = bt_sock_wait_ready(sk, msg->msg_flags); |
3054 | - if (sent) |
3055 | - goto done; |
3056 | - |
3057 | - while (len) { |
3058 | - size_t size = min_t(size_t, len, d->mtu); |
3059 | - int err; |
3060 | - |
3061 | - skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, |
3062 | - msg->msg_flags & MSG_DONTWAIT, &err); |
3063 | - if (!skb) { |
3064 | - if (sent == 0) |
3065 | - sent = err; |
3066 | - break; |
3067 | - } |
3068 | - skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE); |
3069 | - |
3070 | - err = memcpy_from_msg(skb_put(skb, size), msg, size); |
3071 | - if (err) { |
3072 | - kfree_skb(skb); |
3073 | - if (sent == 0) |
3074 | - sent = err; |
3075 | - break; |
3076 | - } |
3077 | |
3078 | - skb->priority = sk->sk_priority; |
3079 | + release_sock(sk); |
3080 | |
3081 | - err = rfcomm_dlc_send(d, skb); |
3082 | - if (err < 0) { |
3083 | - kfree_skb(skb); |
3084 | - if (sent == 0) |
3085 | - sent = err; |
3086 | - break; |
3087 | - } |
3088 | + if (sent) |
3089 | + return sent; |
3090 | |
3091 | - sent += size; |
3092 | - len -= size; |
3093 | - } |
3094 | + skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, |
3095 | + RFCOMM_SKB_TAIL_RESERVE); |
3096 | + if (IS_ERR(skb)) |
3097 | + return PTR_ERR(skb); |
3098 | |
3099 | -done: |
3100 | - release_sock(sk); |
3101 | + sent = rfcomm_dlc_send(d, skb); |
3102 | + if (sent < 0) |
3103 | + kfree_skb(skb); |
3104 | |
3105 | return sent; |
3106 | } |
3107 | diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c |
3108 | index fbfb12e430101..78a549e506b12 100644 |
3109 | --- a/net/bluetooth/sco.c |
3110 | +++ b/net/bluetooth/sco.c |
3111 | @@ -279,12 +279,10 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk) |
3112 | return err; |
3113 | } |
3114 | |
3115 | -static int sco_send_frame(struct sock *sk, void *buf, int len, |
3116 | - unsigned int msg_flags) |
3117 | +static int sco_send_frame(struct sock *sk, struct sk_buff *skb) |
3118 | { |
3119 | struct sco_conn *conn = sco_pi(sk)->conn; |
3120 | - struct sk_buff *skb; |
3121 | - int err; |
3122 | + int len = skb->len; |
3123 | |
3124 | /* Check outgoing MTU */ |
3125 | if (len > conn->mtu) |
3126 | @@ -292,11 +290,6 @@ static int sco_send_frame(struct sock *sk, void *buf, int len, |
3127 | |
3128 | BT_DBG("sk %p len %d", sk, len); |
3129 | |
3130 | - skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); |
3131 | - if (!skb) |
3132 | - return err; |
3133 | - |
3134 | - memcpy(skb_put(skb, len), buf, len); |
3135 | hci_send_sco(conn->hcon, skb); |
3136 | |
3137 | return len; |
3138 | @@ -715,7 +708,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3139 | size_t len) |
3140 | { |
3141 | struct sock *sk = sock->sk; |
3142 | - void *buf; |
3143 | + struct sk_buff *skb; |
3144 | int err; |
3145 | |
3146 | BT_DBG("sock %p, sk %p", sock, sk); |
3147 | @@ -727,24 +720,21 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3148 | if (msg->msg_flags & MSG_OOB) |
3149 | return -EOPNOTSUPP; |
3150 | |
3151 | - buf = kmalloc(len, GFP_KERNEL); |
3152 | - if (!buf) |
3153 | - return -ENOMEM; |
3154 | - |
3155 | - if (memcpy_from_msg(buf, msg, len)) { |
3156 | - kfree(buf); |
3157 | - return -EFAULT; |
3158 | - } |
3159 | + skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0); |
3160 | + if (IS_ERR(skb)) |
3161 | + return PTR_ERR(skb); |
3162 | |
3163 | lock_sock(sk); |
3164 | |
3165 | if (sk->sk_state == BT_CONNECTED) |
3166 | - err = sco_send_frame(sk, buf, len, msg->msg_flags); |
3167 | + err = sco_send_frame(sk, skb); |
3168 | else |
3169 | err = -ENOTCONN; |
3170 | |
3171 | release_sock(sk); |
3172 | - kfree(buf); |
3173 | + |
3174 | + if (err < 0) |
3175 | + kfree_skb(skb); |
3176 | return err; |
3177 | } |
3178 | |
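Both converted sendmsg() paths above (RFCOMM and SCO) now follow one ownership rule: the skb is built first via the bt_skb_send* helpers, on success the lower layer consumes it, and the caller frees it only when a negative error comes back. A hedged sketch of that convention with hypothetical helpers:

    #include <stdio.h>
    #include <stdlib.h>

    /* Hypothetical lower layer: consumes buf and returns the byte count on
     * success; returns a negative errno and leaves buf alone on failure. */
    static int send_frame_sketch(char *buf, int len)
    {
        if (len > 1024)          /* pretend 1024 is the link MTU */
            return -22;          /* -EINVAL */
        free(buf);               /* stand-in for the device consuming it */
        return len;
    }

    static int sendmsg_sketch(char *buf, int len)
    {
        int sent = send_frame_sketch(buf, len);

        if (sent < 0)
            free(buf);           /* error: ownership stayed with us */
        return sent;
    }

    int main(void)
    {
        char *buf = malloc(16);

        if (!buf)
            return 1;
        printf("%d\n", sendmsg_sketch(buf, 16));
        return 0;
    }

Getting this rule wrong in either direction means a double free or a leak; the rework also drops the intermediate kmalloc()+memcpy_from_msg() bounce buffer that the old SCO path used.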
3179 | diff --git a/net/core/filter.c b/net/core/filter.c |
3180 | index 75f53b5e63893..72bf78032f458 100644 |
3181 | --- a/net/core/filter.c |
3182 | +++ b/net/core/filter.c |
3183 | @@ -5839,7 +5839,7 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len |
3184 | if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) |
3185 | return -EINVAL; |
3186 | |
3187 | - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) |
3188 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) |
3189 | return -EINVAL; |
3190 | |
3191 | if (!th->ack || th->rst || th->syn) |
3192 | @@ -5914,7 +5914,7 @@ BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len, |
3193 | if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) |
3194 | return -EINVAL; |
3195 | |
3196 | - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) |
3197 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) |
3198 | return -ENOENT; |
3199 | |
3200 | if (!th->syn || th->ack || th->fin || th->rst) |
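From here on, most hunks apply one recurring fix: the net->ipv4.sysctl_* knobs can be rewritten at any moment through /proc, so every lockless reader gains a READ_ONCE() annotation, which stops the compiler from tearing, fusing, or silently refetching the load. A minimal userspace analogue of the annotation; the macros mimic the kernel's and assume GCC/Clang __typeof__ (compile with -pthread):

    #include <pthread.h>
    #include <stdio.h>

    #define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
    #define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

    static int sysctl_knob;          /* stands in for net->ipv4.sysctl_* */

    static void *reader(void *arg)
    {
        int val = READ_ONCE(sysctl_knob);  /* one load, no refetch */

        (void)arg;
        printf("knob=%d\n", val);
        return NULL;
    }

    int main(void)
    {
        pthread_t t;

        if (pthread_create(&t, NULL, reader, NULL))
            return 1;
        WRITE_ONCE(sysctl_knob, 1);  /* concurrent writer, as /proc would be */
        pthread_join(t, NULL);
        return 0;
    }

The conversion is largely behavior-preserving on compilers already doing the obvious thing; its point is to rule out compiler mischief and to mark the access for race-detection tooling, not to add memory ordering.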
3201 | diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c |
3202 | index a1867c65ac632..6d86506e315f3 100644 |
3203 | --- a/net/core/secure_seq.c |
3204 | +++ b/net/core/secure_seq.c |
3205 | @@ -65,7 +65,7 @@ u32 secure_tcpv6_ts_off(const struct net *net, |
3206 | .daddr = *(struct in6_addr *)daddr, |
3207 | }; |
3208 | |
3209 | - if (net->ipv4.sysctl_tcp_timestamps != 1) |
3210 | + if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1) |
3211 | return 0; |
3212 | |
3213 | ts_secret_init(); |
3214 | @@ -121,7 +121,7 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral); |
3215 | #ifdef CONFIG_INET |
3216 | u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr) |
3217 | { |
3218 | - if (net->ipv4.sysctl_tcp_timestamps != 1) |
3219 | + if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1) |
3220 | return 0; |
3221 | |
3222 | ts_secret_init(); |
3223 | diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c |
3224 | index 9ab73fcc7411c..d61ca7be6eda6 100644 |
3225 | --- a/net/ipv4/af_inet.c |
3226 | +++ b/net/ipv4/af_inet.c |
3227 | @@ -219,7 +219,7 @@ int inet_listen(struct socket *sock, int backlog) |
3228 | * because the socket was in TCP_LISTEN state previously but |
3229 | * was shutdown() rather than close(). |
3230 | */ |
3231 | - tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; |
3232 | + tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); |
3233 | if ((tcp_fastopen & TFO_SERVER_WO_SOCKOPT1) && |
3234 | (tcp_fastopen & TFO_SERVER_ENABLE) && |
3235 | !inet_csk(sk)->icsk_accept_queue.fastopenq.max_qlen) { |
3236 | @@ -337,7 +337,7 @@ lookup_protocol: |
3237 | inet->hdrincl = 1; |
3238 | } |
3239 | |
3240 | - if (net->ipv4.sysctl_ip_no_pmtu_disc) |
3241 | + if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) |
3242 | inet->pmtudisc = IP_PMTUDISC_DONT; |
3243 | else |
3244 | inet->pmtudisc = IP_PMTUDISC_WANT; |
3245 | diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c |
3246 | index 16fe034615635..28da0443f3e9e 100644 |
3247 | --- a/net/ipv4/fib_semantics.c |
3248 | +++ b/net/ipv4/fib_semantics.c |
3249 | @@ -2209,7 +2209,7 @@ void fib_select_multipath(struct fib_result *res, int hash) |
3250 | } |
3251 | |
3252 | change_nexthops(fi) { |
3253 | - if (net->ipv4.sysctl_fib_multipath_use_neigh) { |
3254 | + if (READ_ONCE(net->ipv4.sysctl_fib_multipath_use_neigh)) { |
3255 | if (!fib_good_nh(nexthop_nh)) |
3256 | continue; |
3257 | if (!first) { |
3258 | diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c |
3259 | index 9bc01411be4cc..b44f51e404aee 100644 |
3260 | --- a/net/ipv4/icmp.c |
3261 | +++ b/net/ipv4/icmp.c |
3262 | @@ -886,7 +886,7 @@ static bool icmp_unreach(struct sk_buff *skb) |
3263 | * values please see |
3264 | * Documentation/networking/ip-sysctl.txt |
3265 | */ |
3266 | - switch (net->ipv4.sysctl_ip_no_pmtu_disc) { |
3267 | + switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) { |
3268 | default: |
3269 | net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n", |
3270 | &iph->daddr); |
3271 | diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c |
3272 | index cac2fdd08df05..660b41040c771 100644 |
3273 | --- a/net/ipv4/igmp.c |
3274 | +++ b/net/ipv4/igmp.c |
3275 | @@ -469,7 +469,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, |
3276 | |
3277 | if (pmc->multiaddr == IGMP_ALL_HOSTS) |
3278 | return skb; |
3279 | - if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3280 | + if (ipv4_is_local_multicast(pmc->multiaddr) && |
3281 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3282 | return skb; |
3283 | |
3284 | mtu = READ_ONCE(dev->mtu); |
3285 | @@ -595,7 +596,7 @@ static int igmpv3_send_report(struct in_device *in_dev, struct ip_mc_list *pmc) |
3286 | if (pmc->multiaddr == IGMP_ALL_HOSTS) |
3287 | continue; |
3288 | if (ipv4_is_local_multicast(pmc->multiaddr) && |
3289 | - !net->ipv4.sysctl_igmp_llm_reports) |
3290 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3291 | continue; |
3292 | spin_lock_bh(&pmc->lock); |
3293 | if (pmc->sfcount[MCAST_EXCLUDE]) |
3294 | @@ -738,7 +739,8 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc, |
3295 | if (type == IGMPV3_HOST_MEMBERSHIP_REPORT) |
3296 | return igmpv3_send_report(in_dev, pmc); |
3297 | |
3298 | - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) |
3299 | + if (ipv4_is_local_multicast(group) && |
3300 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3301 | return 0; |
3302 | |
3303 | if (type == IGMP_HOST_LEAVE_MESSAGE) |
3304 | @@ -922,7 +924,8 @@ static bool igmp_heard_report(struct in_device *in_dev, __be32 group) |
3305 | |
3306 | if (group == IGMP_ALL_HOSTS) |
3307 | return false; |
3308 | - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) |
3309 | + if (ipv4_is_local_multicast(group) && |
3310 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3311 | return false; |
3312 | |
3313 | rcu_read_lock(); |
3314 | @@ -1047,7 +1050,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, |
3315 | if (im->multiaddr == IGMP_ALL_HOSTS) |
3316 | continue; |
3317 | if (ipv4_is_local_multicast(im->multiaddr) && |
3318 | - !net->ipv4.sysctl_igmp_llm_reports) |
3319 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3320 | continue; |
3321 | spin_lock_bh(&im->lock); |
3322 | if (im->tm_running) |
3323 | @@ -1298,7 +1301,8 @@ static void __igmp_group_dropped(struct ip_mc_list *im, gfp_t gfp) |
3324 | #ifdef CONFIG_IP_MULTICAST |
3325 | if (im->multiaddr == IGMP_ALL_HOSTS) |
3326 | return; |
3327 | - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3328 | + if (ipv4_is_local_multicast(im->multiaddr) && |
3329 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3330 | return; |
3331 | |
3332 | reporter = im->reporter; |
3333 | @@ -1340,7 +1344,8 @@ static void igmp_group_added(struct ip_mc_list *im) |
3334 | #ifdef CONFIG_IP_MULTICAST |
3335 | if (im->multiaddr == IGMP_ALL_HOSTS) |
3336 | return; |
3337 | - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3338 | + if (ipv4_is_local_multicast(im->multiaddr) && |
3339 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3340 | return; |
3341 | |
3342 | if (in_dev->dead) |
3343 | @@ -1644,7 +1649,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_dev) |
3344 | if (im->multiaddr == IGMP_ALL_HOSTS) |
3345 | continue; |
3346 | if (ipv4_is_local_multicast(im->multiaddr) && |
3347 | - !net->ipv4.sysctl_igmp_llm_reports) |
3348 | + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3349 | continue; |
3350 | |
3351 | /* a failover is happening and switches |
3352 | @@ -2194,7 +2199,7 @@ static int __ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr, |
3353 | count++; |
3354 | } |
3355 | err = -ENOBUFS; |
3356 | - if (count >= net->ipv4.sysctl_igmp_max_memberships) |
3357 | + if (count >= READ_ONCE(net->ipv4.sysctl_igmp_max_memberships)) |
3358 | goto done; |
3359 | iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL); |
3360 | if (!iml) |
3361 | diff --git a/net/ipv4/route.c b/net/ipv4/route.c |
3362 | index 9280e50871596..7004e379c325f 100644 |
3363 | --- a/net/ipv4/route.c |
3364 | +++ b/net/ipv4/route.c |
3365 | @@ -1423,7 +1423,7 @@ u32 ip_mtu_from_fib_result(struct fib_result *res, __be32 daddr) |
3366 | struct fib_info *fi = res->fi; |
3367 | u32 mtu = 0; |
3368 | |
3369 | - if (dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu || |
3370 | + if (READ_ONCE(dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu) || |
3371 | fi->fib_metrics->metrics[RTAX_LOCK - 1] & (1 << RTAX_MTU)) |
3372 | mtu = fi->fib_mtu; |
3373 | |
3374 | diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c |
3375 | index 6811174ad5189..3f6c9514c7a93 100644 |
3376 | --- a/net/ipv4/syncookies.c |
3377 | +++ b/net/ipv4/syncookies.c |
3378 | @@ -243,12 +243,12 @@ bool cookie_timestamp_decode(const struct net *net, |
3379 | return true; |
3380 | } |
3381 | |
3382 | - if (!net->ipv4.sysctl_tcp_timestamps) |
3383 | + if (!READ_ONCE(net->ipv4.sysctl_tcp_timestamps)) |
3384 | return false; |
3385 | |
3386 | tcp_opt->sack_ok = (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0; |
3387 | |
3388 | - if (tcp_opt->sack_ok && !net->ipv4.sysctl_tcp_sack) |
3389 | + if (tcp_opt->sack_ok && !READ_ONCE(net->ipv4.sysctl_tcp_sack)) |
3390 | return false; |
3391 | |
3392 | if ((options & TS_OPT_WSCALE_MASK) == TS_OPT_WSCALE_MASK) |
3393 | @@ -257,7 +257,7 @@ bool cookie_timestamp_decode(const struct net *net, |
3394 | tcp_opt->wscale_ok = 1; |
3395 | tcp_opt->snd_wscale = options & TS_OPT_WSCALE_MASK; |
3396 | |
3397 | - return net->ipv4.sysctl_tcp_window_scaling != 0; |
3398 | + return READ_ONCE(net->ipv4.sysctl_tcp_window_scaling) != 0; |
3399 | } |
3400 | EXPORT_SYMBOL(cookie_timestamp_decode); |
3401 | |
3402 | @@ -297,7 +297,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) |
3403 | struct flowi4 fl4; |
3404 | u32 tsoff = 0; |
3405 | |
3406 | - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) |
3407 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || |
3408 | + !th->ack || th->rst) |
3409 | goto out; |
3410 | |
3411 | if (tcp_synq_no_recent_overflow(sk)) |
3412 | diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
3413 | index 4815cf72569e0..4b31f6e9ec61f 100644 |
3414 | --- a/net/ipv4/tcp.c |
3415 | +++ b/net/ipv4/tcp.c |
3416 | @@ -437,7 +437,7 @@ void tcp_init_sock(struct sock *sk) |
3417 | tp->snd_cwnd_clamp = ~0; |
3418 | tp->mss_cache = TCP_MSS_DEFAULT; |
3419 | |
3420 | - tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering; |
3421 | + tp->reordering = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering); |
3422 | tcp_assign_congestion_control(sk); |
3423 | |
3424 | tp->tsoffset = 0; |
3425 | @@ -1148,7 +1148,8 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, |
3426 | struct sockaddr *uaddr = msg->msg_name; |
3427 | int err, flags; |
3428 | |
3429 | - if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) || |
3430 | + if (!(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & |
3431 | + TFO_CLIENT_ENABLE) || |
3432 | (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) && |
3433 | uaddr->sa_family == AF_UNSPEC)) |
3434 | return -EOPNOTSUPP; |
3435 | @@ -3127,7 +3128,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, |
3436 | case TCP_FASTOPEN_CONNECT: |
3437 | if (val > 1 || val < 0) { |
3438 | err = -EINVAL; |
3439 | - } else if (net->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) { |
3440 | + } else if (READ_ONCE(net->ipv4.sysctl_tcp_fastopen) & |
3441 | + TFO_CLIENT_ENABLE) { |
3442 | if (sk->sk_state == TCP_CLOSE) |
3443 | tp->fastopen_connect = val; |
3444 | else |
3445 | @@ -3466,7 +3468,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, |
3446 | case TCP_LINGER2: |
3447 | val = tp->linger2; |
3448 | if (val >= 0) |
3449 | - val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ; |
3450 | + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; |
3451 | break; |
3452 | case TCP_DEFER_ACCEPT: |
3453 | val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, |
3454 | diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c |
3455 | index a5ec77a5ad6f5..21705b2ddaffa 100644 |
3456 | --- a/net/ipv4/tcp_fastopen.c |
3457 | +++ b/net/ipv4/tcp_fastopen.c |
3458 | @@ -349,7 +349,7 @@ static bool tcp_fastopen_no_cookie(const struct sock *sk, |
3459 | const struct dst_entry *dst, |
3460 | int flag) |
3461 | { |
3462 | - return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) || |
3463 | + return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) || |
3464 | tcp_sk(sk)->fastopen_no_cookie || |
3465 | (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)); |
3466 | } |
3467 | @@ -364,7 +364,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, |
3468 | const struct dst_entry *dst) |
3469 | { |
3470 | bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1; |
3471 | - int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; |
3472 | + int tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); |
3473 | struct tcp_fastopen_cookie valid_foc = { .len = -1 }; |
3474 | struct sock *child; |
3475 | int ret = 0; |
3476 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
3477 | index 0808110451a0f..c151c4dd4ae63 100644 |
3478 | --- a/net/ipv4/tcp_input.c |
3479 | +++ b/net/ipv4/tcp_input.c |
3480 | @@ -905,7 +905,7 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq, |
3481 | tp->undo_marker ? tp->undo_retrans : 0); |
3482 | #endif |
3483 | tp->reordering = min_t(u32, (metric + mss - 1) / mss, |
3484 | - sock_net(sk)->ipv4.sysctl_tcp_max_reordering); |
3485 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); |
3486 | } |
3487 | |
3488 | /* This exciting event is worth to be remembered. 8) */ |
3489 | @@ -1886,7 +1886,7 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend) |
3490 | return; |
3491 | |
3492 | tp->reordering = min_t(u32, tp->packets_out + addend, |
3493 | - sock_net(sk)->ipv4.sysctl_tcp_max_reordering); |
3494 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); |
3495 | tp->reord_seen++; |
3496 | NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER); |
3497 | } |
3498 | @@ -1950,7 +1950,8 @@ static inline void tcp_init_undo(struct tcp_sock *tp) |
3499 | |
3500 | static bool tcp_is_rack(const struct sock *sk) |
3501 | { |
3502 | - return sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION; |
3503 | + return READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3504 | + TCP_RACK_LOSS_DETECTION; |
3505 | } |
3506 | |
3507 | /* If we detect SACK reneging, forget all SACK information |
3508 | @@ -1994,6 +1995,7 @@ void tcp_enter_loss(struct sock *sk) |
3509 | struct tcp_sock *tp = tcp_sk(sk); |
3510 | struct net *net = sock_net(sk); |
3511 | bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery; |
3512 | + u8 reordering; |
3513 | |
3514 | tcp_timeout_mark_lost(sk); |
3515 | |
3516 | @@ -2014,10 +2016,12 @@ void tcp_enter_loss(struct sock *sk) |
3517 | /* Timeout in disordered state after receiving substantial DUPACKs |
3518 | * suggests that the degree of reordering is over-estimated. |
3519 | */ |
3520 | + reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering); |
3521 | if (icsk->icsk_ca_state <= TCP_CA_Disorder && |
3522 | - tp->sacked_out >= net->ipv4.sysctl_tcp_reordering) |
3523 | + tp->sacked_out >= reordering) |
3524 | tp->reordering = min_t(unsigned int, tp->reordering, |
3525 | - net->ipv4.sysctl_tcp_reordering); |
3526 | + reordering); |
3527 | + |
3528 | tcp_set_ca_state(sk, TCP_CA_Loss); |
3529 | tp->high_seq = tp->snd_nxt; |
3530 | tcp_ecn_queue_cwr(tp); |
3531 | @@ -3319,7 +3323,8 @@ static inline bool tcp_may_raise_cwnd(const struct sock *sk, const int flag) |
3532 | * new SACK or ECE mark may first advance cwnd here and later reduce |
3533 | * cwnd in tcp_fastretrans_alert() based on more states. |
3534 | */ |
3535 | - if (tcp_sk(sk)->reordering > sock_net(sk)->ipv4.sysctl_tcp_reordering) |
3536 | + if (tcp_sk(sk)->reordering > |
3537 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering)) |
3538 | return flag & FLAG_FORWARD_PROGRESS; |
3539 | |
3540 | return flag & FLAG_DATA_ACKED; |
3541 | @@ -3902,7 +3907,7 @@ void tcp_parse_options(const struct net *net, |
3542 | break; |
3543 | case TCPOPT_WINDOW: |
3544 | if (opsize == TCPOLEN_WINDOW && th->syn && |
3545 | - !estab && net->ipv4.sysctl_tcp_window_scaling) { |
3546 | + !estab && READ_ONCE(net->ipv4.sysctl_tcp_window_scaling)) { |
3547 | __u8 snd_wscale = *(__u8 *)ptr; |
3548 | opt_rx->wscale_ok = 1; |
3549 | if (snd_wscale > TCP_MAX_WSCALE) { |
3550 | @@ -3918,7 +3923,7 @@ void tcp_parse_options(const struct net *net, |
3551 | case TCPOPT_TIMESTAMP: |
3552 | if ((opsize == TCPOLEN_TIMESTAMP) && |
3553 | ((estab && opt_rx->tstamp_ok) || |
3554 | - (!estab && net->ipv4.sysctl_tcp_timestamps))) { |
3555 | + (!estab && READ_ONCE(net->ipv4.sysctl_tcp_timestamps)))) { |
3556 | opt_rx->saw_tstamp = 1; |
3557 | opt_rx->rcv_tsval = get_unaligned_be32(ptr); |
3558 | opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4); |
3559 | @@ -3926,7 +3931,7 @@ void tcp_parse_options(const struct net *net, |
3560 | break; |
3561 | case TCPOPT_SACK_PERM: |
3562 | if (opsize == TCPOLEN_SACK_PERM && th->syn && |
3563 | - !estab && net->ipv4.sysctl_tcp_sack) { |
3564 | + !estab && READ_ONCE(net->ipv4.sysctl_tcp_sack)) { |
3565 | opt_rx->sack_ok = TCP_SACK_SEEN; |
3566 | tcp_sack_reset(opt_rx); |
3567 | } |
3568 | @@ -5351,7 +5356,7 @@ static void tcp_check_urg(struct sock *sk, const struct tcphdr *th) |
3569 | struct tcp_sock *tp = tcp_sk(sk); |
3570 | u32 ptr = ntohs(th->urg_ptr); |
3571 | |
3572 | - if (ptr && !sock_net(sk)->ipv4.sysctl_tcp_stdurg) |
3573 | + if (ptr && !READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_stdurg)) |
3574 | ptr--; |
3575 | ptr += ntohl(th->seq); |
3576 | |
3577 | @@ -6530,11 +6535,14 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) |
3578 | { |
3579 | struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; |
3580 | const char *msg = "Dropping request"; |
3581 | - bool want_cookie = false; |
3582 | struct net *net = sock_net(sk); |
3583 | + bool want_cookie = false; |
3584 | + u8 syncookies; |
3585 | + |
3586 | + syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies); |
3587 | |
3588 | #ifdef CONFIG_SYN_COOKIES |
3589 | - if (net->ipv4.sysctl_tcp_syncookies) { |
3590 | + if (syncookies) { |
3591 | msg = "Sending cookies"; |
3592 | want_cookie = true; |
3593 | __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES); |
3594 | @@ -6542,8 +6550,7 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) |
3595 | #endif |
3596 | __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP); |
3597 | |
3598 | - if (!queue->synflood_warned && |
3599 | - net->ipv4.sysctl_tcp_syncookies != 2 && |
3600 | + if (!queue->synflood_warned && syncookies != 2 && |
3601 | xchg(&queue->synflood_warned, 1) == 0) |
3602 | net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n", |
3603 | proto, sk->sk_num, msg); |
3604 | @@ -6578,7 +6585,7 @@ u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops, |
3605 | struct tcp_sock *tp = tcp_sk(sk); |
3606 | u16 mss; |
3607 | |
3608 | - if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 && |
3609 | + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) != 2 && |
3610 | !inet_csk_reqsk_queue_is_full(sk)) |
3611 | return 0; |
3612 | |
3613 | @@ -6612,13 +6619,15 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, |
3614 | bool want_cookie = false; |
3615 | struct dst_entry *dst; |
3616 | struct flowi fl; |
3617 | + u8 syncookies; |
3618 | + |
3619 | + syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies); |
3620 | |
3621 | /* TW buckets are converted to open requests without |
3622 | * limitations, they conserve resources and peer is |
3623 | * evidently real one. |
3624 | */ |
3625 | - if ((net->ipv4.sysctl_tcp_syncookies == 2 || |
3626 | - inet_csk_reqsk_queue_is_full(sk)) && !isn) { |
3627 | + if ((syncookies == 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { |
3628 | want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name); |
3629 | if (!want_cookie) |
3630 | goto drop; |
3631 | @@ -6668,10 +6677,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, |
3632 | goto drop_and_free; |
3633 | |
3634 | if (!want_cookie && !isn) { |
3635 | + int max_syn_backlog = READ_ONCE(net->ipv4.sysctl_max_syn_backlog); |
3636 | + |
3637 | /* Kill the following clause, if you dislike this way. */ |
3638 | - if (!net->ipv4.sysctl_tcp_syncookies && |
3639 | - (net->ipv4.sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) < |
3640 | - (net->ipv4.sysctl_max_syn_backlog >> 2)) && |
3641 | + if (!syncookies && |
3642 | + (max_syn_backlog - inet_csk_reqsk_queue_len(sk) < |
3643 | + (max_syn_backlog >> 2)) && |
3644 | !tcp_peer_is_proven(req, dst)) { |
3645 | /* Without syncookies last quarter of |
3646 | * backlog is filled with destinations, |
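A second idiom runs through the tcp_input.c hunks above: when one knob feeds several related tests, it is loaded once into a local (syncookies, max_syn_backlog, reordering) so every test sees the same snapshot; two independent READ_ONCE() loads could straddle a concurrent sysctl write and make contradictory decisions. Sketch with an illustrative knob and helper:

    #include <stdio.h>

    #define READ_ONCE(x) (*(volatile __typeof__(x) *)&(x))

    static unsigned char sysctl_syncookies = 1;  /* /proc-writable in reality */

    static int queue_is_full_sketch(void)
    {
        return 1;
    }

    int main(void)
    {
        /* One snapshot drives both decisions, so they cannot disagree
         * even if a writer flips the knob between the two tests. */
        unsigned char syncookies = READ_ONCE(sysctl_syncookies);

        if (syncookies == 2 || (syncookies && queue_is_full_sketch()))
            printf("would send a SYN cookie\n");
        return 0;
    }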
3647 | diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c |
3648 | index 72fe93ace7d73..b95e1a3487c8b 100644 |
3649 | --- a/net/ipv4/tcp_ipv4.c |
3650 | +++ b/net/ipv4/tcp_ipv4.c |
3651 | @@ -105,10 +105,10 @@ static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb) |
3652 | |
3653 | int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) |
3654 | { |
3655 | + int reuse = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse); |
3656 | const struct inet_timewait_sock *tw = inet_twsk(sktw); |
3657 | const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw); |
3658 | struct tcp_sock *tp = tcp_sk(sk); |
3659 | - int reuse = sock_net(sk)->ipv4.sysctl_tcp_tw_reuse; |
3660 | |
3661 | if (reuse == 2) { |
3662 | /* Still does not detect *everything* that goes through |
3663 | diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c |
3664 | index c4848e7a0aad1..9a7d8a5998578 100644 |
3665 | --- a/net/ipv4/tcp_metrics.c |
3666 | +++ b/net/ipv4/tcp_metrics.c |
3667 | @@ -425,7 +425,8 @@ void tcp_update_metrics(struct sock *sk) |
3668 | if (!tcp_metric_locked(tm, TCP_METRIC_REORDERING)) { |
3669 | val = tcp_metric_get(tm, TCP_METRIC_REORDERING); |
3670 | if (val < tp->reordering && |
3671 | - tp->reordering != net->ipv4.sysctl_tcp_reordering) |
3672 | + tp->reordering != |
3673 | + READ_ONCE(net->ipv4.sysctl_tcp_reordering)) |
3674 | tcp_metric_set(tm, TCP_METRIC_REORDERING, |
3675 | tp->reordering); |
3676 | } |
3677 | diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c |
3678 | index 9b038cb0a43d2..324f43fadb37a 100644 |
3679 | --- a/net/ipv4/tcp_minisocks.c |
3680 | +++ b/net/ipv4/tcp_minisocks.c |
3681 | @@ -180,7 +180,7 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb, |
3682 | * Oh well... nobody has a sufficient solution to this |
3683 | * protocol bug yet. |
3684 | */ |
3685 | - if (twsk_net(tw)->ipv4.sysctl_tcp_rfc1337 == 0) { |
3686 | + if (!READ_ONCE(twsk_net(tw)->ipv4.sysctl_tcp_rfc1337)) { |
3687 | kill: |
3688 | inet_twsk_deschedule_put(tw); |
3689 | return TCP_TW_SUCCESS; |
3690 | diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c |
3691 | index 739fc69cdcc62..97f29ece38000 100644 |
3692 | --- a/net/ipv4/tcp_output.c |
3693 | +++ b/net/ipv4/tcp_output.c |
3694 | @@ -620,18 +620,18 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb, |
3695 | opts->mss = tcp_advertise_mss(sk); |
3696 | remaining -= TCPOLEN_MSS_ALIGNED; |
3697 | |
3698 | - if (likely(sock_net(sk)->ipv4.sysctl_tcp_timestamps && !*md5)) { |
3699 | + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps) && !*md5)) { |
3700 | opts->options |= OPTION_TS; |
3701 | opts->tsval = tcp_skb_timestamp(skb) + tp->tsoffset; |
3702 | opts->tsecr = tp->rx_opt.ts_recent; |
3703 | remaining -= TCPOLEN_TSTAMP_ALIGNED; |
3704 | } |
3705 | - if (likely(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) { |
3706 | + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling))) { |
3707 | opts->ws = tp->rx_opt.rcv_wscale; |
3708 | opts->options |= OPTION_WSCALE; |
3709 | remaining -= TCPOLEN_WSCALE_ALIGNED; |
3710 | } |
3711 | - if (likely(sock_net(sk)->ipv4.sysctl_tcp_sack)) { |
3712 | + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_sack))) { |
3713 | opts->options |= OPTION_SACK_ADVERTISE; |
3714 | if (unlikely(!(OPTION_TS & opts->options))) |
3715 | remaining -= TCPOLEN_SACKPERM_ALIGNED; |
3716 | @@ -1494,7 +1494,8 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu) |
3717 | mss_now -= icsk->icsk_ext_hdr_len; |
3718 | |
3719 | /* Then reserve room for full set of TCP options and 8 bytes of data */ |
3720 | - mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss); |
3721 | + mss_now = max(mss_now, |
3722 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss)); |
3723 | return mss_now; |
3724 | } |
3725 | |
3726 | @@ -1537,10 +1538,10 @@ void tcp_mtup_init(struct sock *sk) |
3727 | struct inet_connection_sock *icsk = inet_csk(sk); |
3728 | struct net *net = sock_net(sk); |
3729 | |
3730 | - icsk->icsk_mtup.enabled = net->ipv4.sysctl_tcp_mtu_probing > 1; |
3731 | + icsk->icsk_mtup.enabled = READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) > 1; |
3732 | icsk->icsk_mtup.search_high = tp->rx_opt.mss_clamp + sizeof(struct tcphdr) + |
3733 | icsk->icsk_af_ops->net_header_len; |
3734 | - icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss); |
3735 | + icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, READ_ONCE(net->ipv4.sysctl_tcp_base_mss)); |
3736 | icsk->icsk_mtup.probe_size = 0; |
3737 | if (icsk->icsk_mtup.enabled) |
3738 | icsk->icsk_mtup.probe_timestamp = tcp_jiffies32; |
3739 | @@ -1672,7 +1673,7 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited) |
3740 | if (tp->packets_out > tp->snd_cwnd_used) |
3741 | tp->snd_cwnd_used = tp->packets_out; |
3742 | |
3743 | - if (sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle && |
3744 | + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) && |
3745 | (s32)(tcp_jiffies32 - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto && |
3746 | !ca_ops->cong_control) |
3747 | tcp_cwnd_application_limited(sk); |
3748 | @@ -2051,7 +2052,7 @@ static inline void tcp_mtu_check_reprobe(struct sock *sk) |
3749 | u32 interval; |
3750 | s32 delta; |
3751 | |
3752 | - interval = net->ipv4.sysctl_tcp_probe_interval; |
3753 | + interval = READ_ONCE(net->ipv4.sysctl_tcp_probe_interval); |
3754 | delta = tcp_jiffies32 - icsk->icsk_mtup.probe_timestamp; |
3755 | if (unlikely(delta >= interval * HZ)) { |
3756 | int mss = tcp_current_mss(sk); |
3757 | @@ -2133,7 +2134,7 @@ static int tcp_mtu_probe(struct sock *sk) |
3758 | * probing process by not resetting search range to its original. |
3758 | * probing process by not resetting search range to its original. |
3759 | */ |
3760 | if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) || |
3761 | - interval < net->ipv4.sysctl_tcp_probe_threshold) { |
3762 | + interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) { |
3763 | /* Check whether enough time has elapsed for |
3764 | * another round of probing. |
3765 | */ |
3766 | @@ -2508,7 +2509,7 @@ bool tcp_schedule_loss_probe(struct sock *sk, bool advancing_rto) |
3767 | if (rcu_access_pointer(tp->fastopen_rsk)) |
3768 | return false; |
3769 | |
3770 | - early_retrans = sock_net(sk)->ipv4.sysctl_tcp_early_retrans; |
3771 | + early_retrans = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_early_retrans); |
3772 | /* Schedule a loss probe in 2*RTT for SACK capable connections |
3773 | * not in loss recovery, that are either limited by cwnd or application. |
3774 | */ |
3775 | @@ -2870,7 +2871,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to, |
3776 | struct sk_buff *skb = to, *tmp; |
3777 | bool first = true; |
3778 | |
3779 | - if (!sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse) |
3780 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse)) |
3781 | return; |
3782 | if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN) |
3783 | return; |
3784 | @@ -3406,7 +3407,7 @@ static void tcp_connect_init(struct sock *sk) |
3785 | * See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT. |
3786 | */ |
3787 | tp->tcp_header_len = sizeof(struct tcphdr); |
3788 | - if (sock_net(sk)->ipv4.sysctl_tcp_timestamps) |
3789 | + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps)) |
3790 | tp->tcp_header_len += TCPOLEN_TSTAMP_ALIGNED; |
3791 | |
3792 | #ifdef CONFIG_TCP_MD5SIG |
3793 | @@ -3442,7 +3443,7 @@ static void tcp_connect_init(struct sock *sk) |
3794 | tp->advmss - (tp->rx_opt.ts_recent_stamp ? tp->tcp_header_len - sizeof(struct tcphdr) : 0), |
3795 | &tp->rcv_wnd, |
3796 | &tp->window_clamp, |
3797 | - sock_net(sk)->ipv4.sysctl_tcp_window_scaling, |
3798 | + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling), |
3799 | &rcv_wscale, |
3800 | rcv_wnd); |
3801 | |
3802 | @@ -3846,7 +3847,7 @@ void tcp_send_probe0(struct sock *sk) |
3803 | |
3804 | icsk->icsk_probes_out++; |
3805 | if (err <= 0) { |
3806 | - if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2) |
3807 | + if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2)) |
3808 | icsk->icsk_backoff++; |
3809 | timeout = tcp_probe0_when(sk, TCP_RTO_MAX); |
3810 | } else { |
3811 | diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c |
3812 | index 8757bb6cb1d93..22ec8dcc1428a 100644 |
3813 | --- a/net/ipv4/tcp_recovery.c |
3814 | +++ b/net/ipv4/tcp_recovery.c |
3815 | @@ -33,7 +33,8 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk) |
3816 | return 0; |
3817 | |
3818 | if (tp->sacked_out >= tp->reordering && |
3819 | - !(sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_NO_DUPTHRESH)) |
3820 | + !(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3821 | + TCP_RACK_NO_DUPTHRESH)) |
3822 | return 0; |
3823 | } |
3824 | |
3825 | @@ -204,7 +205,8 @@ void tcp_rack_update_reo_wnd(struct sock *sk, struct rate_sample *rs) |
3826 | { |
3827 | struct tcp_sock *tp = tcp_sk(sk); |
3828 | |
3829 | - if (sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_STATIC_REO_WND || |
3830 | + if ((READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3831 | + TCP_RACK_STATIC_REO_WND) || |
3832 | !rs->prior_delivered) |
3833 | return; |
3834 | |
3835 | diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c |
3836 | index fa2ae96ecdc40..a0107eb02ae4c 100644 |
3837 | --- a/net/ipv4/tcp_timer.c |
3838 | +++ b/net/ipv4/tcp_timer.c |
3839 | @@ -143,7 +143,7 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset) |
3840 | */ |
3841 | static int tcp_orphan_retries(struct sock *sk, bool alive) |
3842 | { |
3843 | - int retries = sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be zero. */ |
3844 | + int retries = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); /* May be zero. */ |
3845 | |
3846 | /* We know from an ICMP that something is wrong. */ |
3847 | if (sk->sk_err_soft && !alive) |
3848 | @@ -163,7 +163,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk) |
3849 | int mss; |
3850 | |
3851 | /* Black hole detection */ |
3852 | - if (!net->ipv4.sysctl_tcp_mtu_probing) |
3853 | + if (!READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing)) |
3854 | return; |
3855 | |
3856 | if (!icsk->icsk_mtup.enabled) { |
3857 | @@ -171,9 +171,9 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk) |
3858 | icsk->icsk_mtup.probe_timestamp = tcp_jiffies32; |
3859 | } else { |
3860 | mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; |
3861 | - mss = min(net->ipv4.sysctl_tcp_base_mss, mss); |
3862 | - mss = max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor); |
3863 | - mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss); |
3864 | + mss = min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss); |
3865 | + mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_mtu_probe_floor)); |
3866 | + mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_min_snd_mss)); |
3867 | icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss); |
3868 | } |
3869 | tcp_sync_mss(sk, icsk->icsk_pmtu_cookie); |
3870 | @@ -245,7 +245,7 @@ static int tcp_write_timeout(struct sock *sk) |
3871 | retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; |
3872 | expired = icsk->icsk_retransmits >= retry_until; |
3873 | } else { |
3874 | - if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) { |
3875 | + if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) { |
3876 | /* Black hole detection */ |
3877 | tcp_mtu_probing(icsk, sk); |
3878 | |
3879 | @@ -254,7 +254,7 @@ static int tcp_write_timeout(struct sock *sk) |
3880 | sk_rethink_txhash(sk); |
3881 | } |
3882 | |
3883 | - retry_until = net->ipv4.sysctl_tcp_retries2; |
3884 | + retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2); |
3885 | if (sock_flag(sk, SOCK_DEAD)) { |
3886 | const bool alive = icsk->icsk_rto < TCP_RTO_MAX; |
3887 | |
3888 | @@ -381,7 +381,7 @@ static void tcp_probe_timer(struct sock *sk) |
3889 | msecs_to_jiffies(icsk->icsk_user_timeout)) |
3890 | goto abort; |
3891 | |
3892 | - max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2; |
3893 | + max_probes = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2); |
3894 | if (sock_flag(sk, SOCK_DEAD)) { |
3895 | const bool alive = inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_MAX; |
3896 | |
3897 | @@ -569,7 +569,7 @@ out_reset_timer: |
3898 | * linear-timeout retransmissions into a black hole |
3899 | */ |
3900 | if (sk->sk_state == TCP_ESTABLISHED && |
3901 | - (tp->thin_lto || net->ipv4.sysctl_tcp_thin_linear_timeouts) && |
3902 | + (tp->thin_lto || READ_ONCE(net->ipv4.sysctl_tcp_thin_linear_timeouts)) && |
3903 | tcp_stream_is_thin(tp) && |
3904 | icsk->icsk_retransmits <= TCP_THIN_LINEAR_RETRIES) { |
3905 | icsk->icsk_backoff = 0; |
3906 | @@ -580,7 +580,7 @@ out_reset_timer: |
3907 | } |
3908 | inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, |
3909 | tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX); |
3910 | - if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0)) |
3911 | + if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + 1, 0)) |
3912 | __sk_dst_reset(sk); |
3913 | |
3914 | out:; |
3915 | diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c |
3916 | index 942da168f18fb..56f396ecc26b7 100644 |
3917 | --- a/net/ipv6/af_inet6.c |
3918 | +++ b/net/ipv6/af_inet6.c |
3919 | @@ -222,7 +222,7 @@ lookup_protocol: |
3920 | inet->mc_list = NULL; |
3921 | inet->rcv_tos = 0; |
3922 | |
3923 | - if (net->ipv4.sysctl_ip_no_pmtu_disc) |
3924 | + if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) |
3925 | inet->pmtudisc = IP_PMTUDISC_DONT; |
3926 | else |
3927 | inet->pmtudisc = IP_PMTUDISC_WANT; |
3928 | diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c |
3929 | index 37ab254f7b92d..7e55505465949 100644 |
3930 | --- a/net/ipv6/syncookies.c |
3931 | +++ b/net/ipv6/syncookies.c |
3932 | @@ -141,7 +141,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) |
3933 | __u8 rcv_wscale; |
3934 | u32 tsoff = 0; |
3935 | |
3936 | - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) |
3937 | + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || |
3938 | + !th->ack || th->rst) |
3939 | goto out; |
3940 | |
3941 | if (tcp_synq_no_recent_overflow(sk)) |
3942 | diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c |
3943 | index bb370a7948f42..363a64c124144 100644 |
3944 | --- a/net/sctp/protocol.c |
3945 | +++ b/net/sctp/protocol.c |
3946 | @@ -358,7 +358,7 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp) |
3947 | if (addr->v4.sin_addr.s_addr != htonl(INADDR_ANY) && |
3948 | ret != RTN_LOCAL && |
3949 | !sp->inet.freebind && |
3950 | - !net->ipv4.sysctl_ip_nonlocal_bind) |
3951 | + !READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind)) |
3952 | return 0; |
3953 | |
3954 | if (ipv6_only_sock(sctp_opt2sk(sp))) |
3955 | diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c |
3956 | index abb93f7343c53..2c3cf47d730bb 100644 |
3957 | --- a/net/tls/tls_device.c |
3958 | +++ b/net/tls/tls_device.c |
3959 | @@ -94,13 +94,16 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx) |
3960 | unsigned long flags; |
3961 | |
3962 | spin_lock_irqsave(&tls_device_lock, flags); |
3963 | + if (unlikely(!refcount_dec_and_test(&ctx->refcount))) |
3964 | + goto unlock; |
3965 | + |
3966 | list_move_tail(&ctx->list, &tls_device_gc_list); |
3967 | |
3968 | /* schedule_work inside the spinlock |
3969 | * to make sure tls_device_down waits for that work. |
3970 | */ |
3971 | schedule_work(&tls_device_gc_work); |
3972 | - |
3973 | +unlock: |
3974 | spin_unlock_irqrestore(&tls_device_lock, flags); |
3975 | } |
3976 | |
3977 | @@ -191,8 +194,7 @@ static void tls_device_sk_destruct(struct sock *sk) |
3978 | clean_acked_data_disable(inet_csk(sk)); |
3979 | } |
3980 | |
3981 | - if (refcount_dec_and_test(&tls_ctx->refcount)) |
3982 | - tls_device_queue_ctx_destruction(tls_ctx); |
3983 | + tls_device_queue_ctx_destruction(tls_ctx); |
3984 | } |
3985 | |
3986 | void tls_device_free_resources_tx(struct sock *sk) |
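The tls_device fix above is about where the last reference dies: the final refcount_dec_and_test() moves from tls_device_sk_destruct() into tls_device_queue_ctx_destruction(), inside tls_device_lock, so the "this was the last reference" decision and the list_move_tail() onto the gc list form one critical section that tls_device_down can synchronize against. Hedged sketch of the shape of the fix (hypothetical ctx type):

    #include <pthread.h>
    #include <stdatomic.h>
    #include <stdbool.h>

    struct ctx_sketch {
        atomic_int refcount;
        bool queued_for_gc;
    };

    static pthread_mutex_t gc_lock = PTHREAD_MUTEX_INITIALIZER;

    static void queue_ctx_destruction_sketch(struct ctx_sketch *ctx)
    {
        pthread_mutex_lock(&gc_lock);
        /* Drop-to-zero test and the queueing are one atomic step with
         * respect to anyone else holding gc_lock. */
        if (atomic_fetch_sub(&ctx->refcount, 1) == 1)
            ctx->queued_for_gc = true;   /* stands in for list_move_tail() */
        pthread_mutex_unlock(&gc_lock);
    }

    int main(void)
    {
        struct ctx_sketch c = { 1, false };

        queue_ctx_destruction_sketch(&c);
        return c.queued_for_gc ? 0 : 1;
    }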
3987 | diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c |
3988 | index 3ecb77c58c44e..28a8cdef8e51f 100644 |
3989 | --- a/net/xfrm/xfrm_policy.c |
3990 | +++ b/net/xfrm/xfrm_policy.c |
3991 | @@ -2679,8 +2679,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, |
3992 | *num_xfrms = 0; |
3993 | return 0; |
3994 | } |
3995 | - if (IS_ERR(pols[0])) |
3996 | + if (IS_ERR(pols[0])) { |
3997 | + *num_pols = 0; |
3998 | return PTR_ERR(pols[0]); |
3999 | + } |
4000 | |
4001 | *num_xfrms = pols[0]->xfrm_nr; |
4002 | |
4003 | @@ -2695,6 +2697,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, |
4004 | if (pols[1]) { |
4005 | if (IS_ERR(pols[1])) { |
4006 | xfrm_pols_put(pols, *num_pols); |
4007 | + *num_pols = 0; |
4008 | return PTR_ERR(pols[1]); |
4009 | } |
4010 | (*num_pols)++; |
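The xfrm_expand_policies() hunks above are out-parameter hygiene: on both error returns, *num_pols is reset to 0 so a caller that later runs xfrm_pols_put(pols, *num_pols) on its error path cannot drop references it never took. A sketch of the rule, with hypothetical names:

    #include <stdio.h>

    /* Hypothetical lookup: before returning an error, make the caller's
     * count say "nothing held", or its cleanup will over-release. */
    static int expand_sketch(int *objs, int *num, int fail)
    {
        *num = 1;          /* caller now believes one object is held */
        objs[0] = 42;
        if (fail) {
            *num = 0;      /* roll the claim back before erroring out */
            return -1;
        }
        return 0;
    }

    int main(void)
    {
        int objs[2], num = 0;

        if (expand_sketch(objs, &num, 1) < 0)
            printf("error: %d object(s) safe to release\n", num);
        return 0;
    }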
4011 | diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c |
4012 | index 268bba29bb603..bee1a8143d75f 100644 |
4013 | --- a/net/xfrm/xfrm_state.c |
4014 | +++ b/net/xfrm/xfrm_state.c |
4015 | @@ -2488,7 +2488,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) |
4016 | int err; |
4017 | |
4018 | if (family == AF_INET && |
4019 | - xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc) |
4020 | + READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) |
4021 | x->props.flags |= XFRM_STATE_NOPMTUDISC; |
4022 | |
4023 | err = -EPROTONOSUPPORT; |
4024 | diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig |
4025 | index 748f3ee27b23d..44b3315f32352 100644 |
4026 | --- a/security/integrity/ima/Kconfig |
4027 | +++ b/security/integrity/ima/Kconfig |
4028 | @@ -69,10 +69,9 @@ choice |
4029 | hash, defined as 20 bytes, and a null terminated pathname, |
4030 | limited to 255 characters. The 'ima-ng' measurement list |
4031 | template permits both larger hash digests and longer |
4032 | - pathnames. |
4033 | + pathnames. The configured default template can be replaced |
4034 | + by specifying "ima_template=" on the boot command line. |
4035 | |
4036 | - config IMA_TEMPLATE |
4037 | - bool "ima" |
4038 | config IMA_NG_TEMPLATE |
4039 | bool "ima-ng (default)" |
4040 | config IMA_SIG_TEMPLATE |
4041 | @@ -82,7 +81,6 @@ endchoice |
4042 | config IMA_DEFAULT_TEMPLATE |
4043 | string |
4044 | depends on IMA |
4045 | - default "ima" if IMA_TEMPLATE |
4046 | default "ima-ng" if IMA_NG_TEMPLATE |
4047 | default "ima-sig" if IMA_SIG_TEMPLATE |
4048 | |
4049 | @@ -102,15 +100,15 @@ choice |
4050 | |
4051 | config IMA_DEFAULT_HASH_SHA256 |
4052 | bool "SHA256" |
4053 | - depends on CRYPTO_SHA256=y && !IMA_TEMPLATE |
4054 | + depends on CRYPTO_SHA256=y |
4055 | |
4056 | config IMA_DEFAULT_HASH_SHA512 |
4057 | bool "SHA512" |
4058 | - depends on CRYPTO_SHA512=y && !IMA_TEMPLATE |
4059 | + depends on CRYPTO_SHA512=y |
4060 | |
4061 | config IMA_DEFAULT_HASH_WP512 |
4062 | bool "WP512" |
4063 | - depends on CRYPTO_WP512=y && !IMA_TEMPLATE |
4064 | + depends on CRYPTO_WP512=y |
4065 | endchoice |
4066 | |
4067 | config IMA_DEFAULT_HASH |
4068 | diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c |
4069 | index a073e49d5cd7d..14aef74d3588a 100644 |
4070 | --- a/security/integrity/ima/ima_policy.c |
4071 | +++ b/security/integrity/ima/ima_policy.c |
4072 | @@ -1542,6 +1542,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) |
4073 | if (id >= READING_MAX_ID) |
4074 | return false; |
4075 | |
4076 | + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) |
4077 | + && security_locked_down(LOCKDOWN_KEXEC)) |
4078 | + return false; |
4079 | + |
4080 | func = read_idmap[id] ?: FILE_CHECK; |
4081 | |
4082 | rcu_read_lock(); |
4083 | diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c |
4084 | index fe1ea03582cbb..9fc7c81ec6ae5 100644 |
4085 | --- a/sound/core/memalloc.c |
4086 | +++ b/sound/core/memalloc.c |
4087 | @@ -124,6 +124,7 @@ int snd_dma_alloc_pages(int type, struct device *device, size_t size, |
4088 | if (WARN_ON(!device)) |
4089 | return -EINVAL; |
4090 | |
4091 | + size = PAGE_ALIGN(size); |
4092 | dmab->dev.type = type; |
4093 | dmab->dev.dev = device; |
4094 | dmab->bytes = 0; |
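The final hunk rounds every snd_dma_alloc_pages() request up to a whole page before any backend sees it, presumably because these buffers are allocated and mapped with page granularity. PAGE_ALIGN itself is just round-up-to-power-of-two arithmetic; a sketch assuming 4 KiB pages:

    #include <stdio.h>

    #define PAGE_SIZE_SKETCH 4096UL
    #define PAGE_ALIGN_SKETCH(x) \
        (((x) + PAGE_SIZE_SKETCH - 1) & ~(PAGE_SIZE_SKETCH - 1))

    int main(void)
    {
        printf("%lu\n", PAGE_ALIGN_SKETCH(1UL));     /* 4096 */
        printf("%lu\n", PAGE_ALIGN_SKETCH(4096UL));  /* 4096 */
        printf("%lu\n", PAGE_ALIGN_SKETCH(4097UL));  /* 8192 */
        return 0;
    }

The mask trick only works because the page size is a power of two: adding (page size - 1) carries any nonzero remainder into the next page, and the AND clears the low bits back to a page boundary.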