Annotation of /trunk/kernel-magellan/patches-5.2/0100-5.2.1-all-fixes.patch
Parent Directory | Revision Log
Revision 3370 -
(hide annotations)
(download)
Tue Jul 16 19:50:37 2019 UTC (5 years, 2 months ago) by niro
File size: 141143 byte(s)
Tue Jul 16 19:50:37 2019 UTC (5 years, 2 months ago) by niro
File size: 141143 byte(s)
-linux-5.2.1
1 | niro | 3370 | diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst |
2 | index ffc064c1ec68..49311f3da6f2 100644 | ||
3 | --- a/Documentation/admin-guide/hw-vuln/index.rst | ||
4 | +++ b/Documentation/admin-guide/hw-vuln/index.rst | ||
5 | @@ -9,5 +9,6 @@ are configurable at compile, boot or run time. | ||
6 | .. toctree:: | ||
7 | :maxdepth: 1 | ||
8 | |||
9 | + spectre | ||
10 | l1tf | ||
11 | mds | ||
12 | diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst | ||
13 | new file mode 100644 | ||
14 | index 000000000000..25f3b2532198 | ||
15 | --- /dev/null | ||
16 | +++ b/Documentation/admin-guide/hw-vuln/spectre.rst | ||
17 | @@ -0,0 +1,697 @@ | ||
18 | +.. SPDX-License-Identifier: GPL-2.0 | ||
19 | + | ||
20 | +Spectre Side Channels | ||
21 | +===================== | ||
22 | + | ||
23 | +Spectre is a class of side channel attacks that exploit branch prediction | ||
24 | +and speculative execution on modern CPUs to read memory, possibly | ||
25 | +bypassing access controls. Speculative execution side channel exploits | ||
26 | +do not modify memory but attempt to infer privileged data in the memory. | ||
27 | + | ||
28 | +This document covers Spectre variant 1 and Spectre variant 2. | ||
29 | + | ||
30 | +Affected processors | ||
31 | +------------------- | ||
32 | + | ||
33 | +Speculative execution side channel methods affect a wide range of modern | ||
34 | +high performance processors, since most modern high speed processors | ||
35 | +use branch prediction and speculative execution. | ||
36 | + | ||
37 | +The following CPUs are vulnerable: | ||
38 | + | ||
39 | + - Intel Core, Atom, Pentium, and Xeon processors | ||
40 | + | ||
41 | + - AMD Phenom, EPYC, and Zen processors | ||
42 | + | ||
43 | + - IBM POWER and zSeries processors | ||
44 | + | ||
45 | + - Higher end ARM processors | ||
46 | + | ||
47 | + - Apple CPUs | ||
48 | + | ||
49 | + - Higher end MIPS CPUs | ||
50 | + | ||
51 | + - Likely most other high performance CPUs. Contact your CPU vendor for details. | ||
52 | + | ||
53 | +Whether a processor is affected or not can be read out from the Spectre | ||
54 | +vulnerability files in sysfs. See :ref:`spectre_sys_info`. | ||
55 | + | ||
56 | +Related CVEs | ||
57 | +------------ | ||
58 | + | ||
59 | +The following CVE entries describe Spectre variants: | ||
60 | + | ||
61 | + ============= ======================= ================= | ||
62 | + CVE-2017-5753 Bounds check bypass Spectre variant 1 | ||
63 | + CVE-2017-5715 Branch target injection Spectre variant 2 | ||
64 | + ============= ======================= ================= | ||
65 | + | ||
66 | +Problem | ||
67 | +------- | ||
68 | + | ||
69 | +CPUs use speculative operations to improve performance. That may leave | ||
70 | +traces of memory accesses or computations in the processor's caches, | ||
71 | +buffers, and branch predictors. Malicious software may be able to | ||
72 | +influence the speculative execution paths, and then use the side effects | ||
73 | +of the speculative execution in the CPUs' caches and buffers to infer | ||
74 | +privileged data touched during the speculative execution. | ||
75 | + | ||
76 | +Spectre variant 1 attacks take advantage of speculative execution of | ||
77 | +conditional branches, while Spectre variant 2 attacks use speculative | ||
78 | +execution of indirect branches to leak privileged memory. | ||
79 | +See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[7] <spec_ref7>` | ||
80 | +:ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`. | ||
81 | + | ||
82 | +Spectre variant 1 (Bounds Check Bypass) | ||
83 | +--------------------------------------- | ||
84 | + | ||
85 | +The bounds check bypass attack :ref:`[2] <spec_ref2>` takes advantage | ||
86 | +of speculative execution that bypasses conditional branch instructions | ||
87 | +used for memory access bounds check (e.g. checking if the index of an | ||
88 | +array results in memory access within a valid range). This results in | ||
89 | +memory accesses to invalid memory (with out-of-bound index) that are | ||
90 | +done speculatively before validation checks resolve. Such speculative | ||
91 | +memory accesses can leave side effects, creating side channels which | ||
92 | +leak information to the attacker. | ||
93 | + | ||
94 | +There are some extensions of Spectre variant 1 attacks for reading data | ||
95 | +over the network, see :ref:`[12] <spec_ref12>`. However such attacks | ||
96 | +are difficult, low bandwidth, fragile, and are considered low risk. | ||
97 | + | ||
98 | +Spectre variant 2 (Branch Target Injection) | ||
99 | +------------------------------------------- | ||
100 | + | ||
101 | +The branch target injection attack takes advantage of speculative | ||
102 | +execution of indirect branches :ref:`[3] <spec_ref3>`. The indirect | ||
103 | +branch predictors inside the processor used to guess the target of | ||
104 | +indirect branches can be influenced by an attacker, causing gadget code | ||
105 | +to be speculatively executed, thus exposing sensitive data touched by | ||
106 | +the victim. The side effects left in the CPU's caches during speculative | ||
107 | +execution can be measured to infer data values. | ||
108 | + | ||
109 | +.. _poison_btb: | ||
110 | + | ||
111 | +In Spectre variant 2 attacks, the attacker can steer speculative indirect | ||
112 | +branches in the victim to gadget code by poisoning the branch target | ||
113 | +buffer of a CPU used for predicting indirect branch addresses. Such | ||
114 | +poisoning could be done by indirect branching into existing code, | ||
115 | +with the address offset of the indirect branch under the attacker's | ||
116 | +control. Since the branch prediction on impacted hardware does not | ||
117 | +fully disambiguate branch address and uses the offset for prediction, | ||
118 | +this could cause privileged code's indirect branch to jump to a gadget | ||
119 | +code with the same offset. | ||
120 | + | ||
121 | +The most useful gadgets take an attacker-controlled input parameter (such | ||
122 | +as a register value) so that the memory read can be controlled. Gadgets | ||
123 | +without input parameters might be possible, but the attacker would have | ||
124 | +very little control over what memory can be read, reducing the risk of | ||
125 | +the attack revealing useful data. | ||
126 | + | ||
127 | +One other variant 2 attack vector is for the attacker to poison the | ||
128 | +return stack buffer (RSB) :ref:`[13] <spec_ref13>` to cause speculative | ||
129 | +subroutine return instruction execution to go to a gadget. An attacker's | ||
130 | +imbalanced subroutine call instructions might "poison" entries in the | ||
131 | +return stack buffer which are later consumed by a victim's subroutine | ||
132 | +return instructions. This attack can be mitigated by flushing the return | ||
133 | +stack buffer on context switch, or virtual machine (VM) exit. | ||
134 | + | ||
135 | +On systems with simultaneous multi-threading (SMT), attacks are possible | ||
136 | +from the sibling thread, as level 1 cache and branch target buffer | ||
137 | +(BTB) may be shared between hardware threads in a CPU core. A malicious | ||
138 | +program running on the sibling thread may influence its peer's BTB to | ||
139 | +steer its indirect branch speculations to gadget code, and measure the | ||
140 | +speculative execution's side effects left in level 1 cache to infer the | ||
141 | +victim's data. | ||
142 | + | ||
143 | +Attack scenarios | ||
144 | +---------------- | ||
145 | + | ||
146 | +The following list of attack scenarios have been anticipated, but may | ||
147 | +not cover all possible attack vectors. | ||
148 | + | ||
149 | +1. A user process attacking the kernel | ||
150 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
151 | + | ||
152 | + The attacker passes a parameter to the kernel via a register or | ||
153 | + via a known address in memory during a syscall. Such parameter may | ||
154 | + be used later by the kernel as an index to an array or to derive | ||
155 | + a pointer for a Spectre variant 1 attack. The index or pointer | ||
156 | + is invalid, but bound checks are bypassed in the code branch taken | ||
157 | + for speculative execution. This could cause privileged memory to be | ||
158 | + accessed and leaked. | ||
159 | + | ||
160 | + For kernel code that has been identified where data pointers could | ||
161 | + potentially be influenced for Spectre attacks, new "nospec" accessor | ||
162 | + macros are used to prevent speculative loading of data. | ||
163 | + | ||
164 | + Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch | ||
165 | + target buffer (BTB) before issuing syscall to launch an attack. | ||
166 | + After entering the kernel, the kernel could use the poisoned branch | ||
167 | + target buffer on indirect jump and jump to gadget code in speculative | ||
168 | + execution. | ||
169 | + | ||
170 | + If an attacker tries to control the memory addresses leaked during | ||
171 | + speculative execution, he would also need to pass a parameter to the | ||
172 | + gadget, either through a register or a known address in memory. After | ||
173 | + the gadget has executed, he can measure the side effect. | ||
174 | + | ||
175 | + The kernel can protect itself against consuming poisoned branch | ||
176 | + target buffer entries by using return trampolines (also known as | ||
177 | + "retpoline") :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` for all | ||
178 | + indirect branches. Return trampolines trap speculative execution paths | ||
179 | + to prevent jumping to gadget code during speculative execution. | ||
180 | + x86 CPUs with Enhanced Indirect Branch Restricted Speculation | ||
181 | + (Enhanced IBRS) available in hardware should use the feature to | ||
182 | + mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is | ||
183 | + more efficient than retpoline. | ||
184 | + | ||
185 | + There may be gadget code in firmware which could be exploited with | ||
186 | + Spectre variant 2 attack by a rogue user process. To mitigate such | ||
187 | + attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature | ||
188 | + is turned on before the kernel invokes any firmware code. | ||
189 | + | ||
190 | +2. A user process attacking another user process | ||
191 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
192 | + | ||
193 | + A malicious user process can try to attack another user process, | ||
194 | + either via a context switch on the same hardware thread, or from the | ||
195 | + sibling hyperthread sharing a physical processor core on simultaneous | ||
196 | + multi-threading (SMT) system. | ||
197 | + | ||
198 | + Spectre variant 1 attacks generally require passing parameters | ||
199 | + between the processes, which needs a data passing relationship, such | ||
200 | + as remote procedure calls (RPC). Those parameters are used in gadget | ||
201 | + code to derive invalid data pointers accessing privileged memory in | ||
202 | + the attacked process. | ||
203 | + | ||
204 | + Spectre variant 2 attacks can be launched from a rogue process by | ||
205 | + :ref:`poisoning <poison_btb>` the branch target buffer. This can | ||
206 | + influence the indirect branch targets for a victim process that either | ||
207 | + runs later on the same hardware thread, or running concurrently on | ||
208 | + a sibling hardware thread sharing the same physical core. | ||
209 | + | ||
210 | + A user process can protect itself against Spectre variant 2 attacks | ||
211 | + by using the prctl() syscall to disable indirect branch speculation | ||
212 | + for itself. An administrator can also cordon off an unsafe process | ||
213 | + from polluting the branch target buffer by disabling the process's | ||
214 | + indirect branch speculation. This comes with a performance cost | ||
215 | + from not using indirect branch speculation and clearing the branch | ||
216 | + target buffer. When SMT is enabled on x86, for a process that has | ||
217 | + indirect branch speculation disabled, Single Threaded Indirect Branch | ||
218 | + Predictors (STIBP) :ref:`[4] <spec_ref4>` are turned on to prevent the | ||
219 | + sibling thread from controlling branch target buffer. In addition, | ||
220 | + the Indirect Branch Prediction Barrier (IBPB) is issued to clear the | ||
221 | + branch target buffer when context switching to and from such process. | ||
222 | + | ||
223 | + On x86, the return stack buffer is stuffed on context switch. | ||
224 | + This prevents the branch target buffer from being used for branch | ||
225 | + prediction when the return stack buffer underflows while switching to | ||
226 | + a deeper call stack. Any poisoned entries in the return stack buffer | ||
227 | + left by the previous process will also be cleared. | ||
228 | + | ||
229 | + User programs should use address space randomization to make attacks | ||
230 | + more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2). | ||
231 | + | ||
232 | +3. A virtualized guest attacking the host | ||
233 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
234 | + | ||
235 | + The attack mechanism is similar to how user processes attack the | ||
236 | + kernel. The kernel is entered via hyper-calls or other virtualization | ||
237 | + exit paths. | ||
238 | + | ||
239 | + For Spectre variant 1 attacks, rogue guests can pass parameters | ||
240 | + (e.g. in registers) via hyper-calls to derive invalid pointers to | ||
241 | + speculate into privileged memory after entering the kernel. For places | ||
242 | + where such kernel code has been identified, nospec accessor macros | ||
243 | + are used to stop speculative memory access. | ||
244 | + | ||
245 | + For Spectre variant 2 attacks, rogue guests can :ref:`poison | ||
246 | + <poison_btb>` the branch target buffer or return stack buffer, causing | ||
247 | + the kernel to jump to gadget code in the speculative execution paths. | ||
248 | + | ||
249 | + To mitigate variant 2, the host kernel can use return trampolines | ||
250 | + for indirect branches to bypass the poisoned branch target buffer, | ||
251 | + and flushing the return stack buffer on VM exit. This prevents rogue | ||
252 | + guests from affecting indirect branching in the host kernel. | ||
253 | + | ||
254 | + To protect host processes from rogue guests, host processes can have | ||
255 | + indirect branch speculation disabled via prctl(). The branch target | ||
256 | + buffer is cleared before context switching to such processes. | ||
257 | + | ||
258 | +4. A virtualized guest attacking other guest | ||
259 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
260 | + | ||
261 | + A rogue guest may attack another guest to get data accessible by the | ||
262 | + other guest. | ||
263 | + | ||
264 | + Spectre variant 1 attacks are possible if parameters can be passed | ||
265 | + between guests. This may be done via mechanisms such as shared memory | ||
266 | + or message passing. Such parameters could be used to derive data | ||
267 | + pointers to privileged data in guest. The privileged data could be | ||
268 | + accessed by gadget code in the victim's speculation paths. | ||
269 | + | ||
270 | + Spectre variant 2 attacks can be launched from a rogue guest by | ||
271 | + :ref:`poisoning <poison_btb>` the branch target buffer or the return | ||
272 | + stack buffer. Such poisoned entries could be used to influence | ||
273 | + speculation execution paths in the victim guest. | ||
274 | + | ||
275 | + Linux kernel mitigates attacks to other guests running in the same | ||
276 | + CPU hardware thread by flushing the return stack buffer on VM exit, | ||
277 | + and clearing the branch target buffer before switching to a new guest. | ||
278 | + | ||
279 | + If SMT is used, Spectre variant 2 attacks from an untrusted guest | ||
280 | + in the sibling hyperthread can be mitigated by the administrator, | ||
281 | + by turning off the unsafe guest's indirect branch speculation via | ||
282 | + prctl(). A guest can also protect itself by turning on microcode | ||
283 | + based mitigations (such as IBPB or STIBP on x86) within the guest. | ||
284 | + | ||
285 | +.. _spectre_sys_info: | ||
286 | + | ||
287 | +Spectre system information | ||
288 | +-------------------------- | ||
289 | + | ||
290 | +The Linux kernel provides a sysfs interface to enumerate the current | ||
291 | +mitigation status of the system for Spectre: whether the system is | ||
292 | +vulnerable, and which mitigations are active. | ||
293 | + | ||
294 | +The sysfs file showing Spectre variant 1 mitigation status is: | ||
295 | + | ||
296 | + /sys/devices/system/cpu/vulnerabilities/spectre_v1 | ||
297 | + | ||
298 | +The possible values in this file are: | ||
299 | + | ||
300 | + ======================================= ================================= | ||
301 | + 'Mitigation: __user pointer sanitation' Protection in kernel on a case by | ||
302 | + case base with explicit pointer | ||
303 | + sanitation. | ||
304 | + ======================================= ================================= | ||
305 | + | ||
306 | +However, the protections are put in place on a case by case basis, | ||
307 | +and there is no guarantee that all possible attack vectors for Spectre | ||
308 | +variant 1 are covered. | ||
309 | + | ||
310 | +The spectre_v2 kernel file reports if the kernel has been compiled with | ||
311 | +retpoline mitigation or if the CPU has hardware mitigation, and if the | ||
312 | +CPU has support for additional process-specific mitigation. | ||
313 | + | ||
314 | +This file also reports CPU features enabled by microcode to mitigate | ||
315 | +attack between user processes: | ||
316 | + | ||
317 | +1. Indirect Branch Prediction Barrier (IBPB) to add additional | ||
318 | + isolation between processes of different users. | ||
319 | +2. Single Thread Indirect Branch Predictors (STIBP) to add additional | ||
320 | + isolation between CPU threads running on the same core. | ||
321 | + | ||
322 | +These CPU features may impact performance when used and can be enabled | ||
323 | +per process on a case-by-case base. | ||
324 | + | ||
325 | +The sysfs file showing Spectre variant 2 mitigation status is: | ||
326 | + | ||
327 | + /sys/devices/system/cpu/vulnerabilities/spectre_v2 | ||
328 | + | ||
329 | +The possible values in this file are: | ||
330 | + | ||
331 | + - Kernel status: | ||
332 | + | ||
333 | + ==================================== ================================= | ||
334 | + 'Not affected' The processor is not vulnerable | ||
335 | + 'Vulnerable' Vulnerable, no mitigation | ||
336 | + 'Mitigation: Full generic retpoline' Software-focused mitigation | ||
337 | + 'Mitigation: Full AMD retpoline' AMD-specific software mitigation | ||
338 | + 'Mitigation: Enhanced IBRS' Hardware-focused mitigation | ||
339 | + ==================================== ================================= | ||
340 | + | ||
341 | + - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is | ||
342 | + used to protect against Spectre variant 2 attacks when calling firmware (x86 only). | ||
343 | + | ||
344 | + ========== ============================================================= | ||
345 | + 'IBRS_FW' Protection against user program attacks when calling firmware | ||
346 | + ========== ============================================================= | ||
347 | + | ||
348 | + - Indirect branch prediction barrier (IBPB) status for protection between | ||
349 | + processes of different users. This feature can be controlled through | ||
350 | + prctl() per process, or through kernel command line options. This is | ||
351 | + an x86 only feature. For more details see below. | ||
352 | + | ||
353 | + =================== ======================================================== | ||
354 | + 'IBPB: disabled' IBPB unused | ||
355 | + 'IBPB: always-on' Use IBPB on all tasks | ||
356 | + 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks | ||
357 | + =================== ======================================================== | ||
358 | + | ||
359 | + - Single threaded indirect branch prediction (STIBP) status for protection | ||
360 | + between different hyper threads. This feature can be controlled through | ||
361 | + prctl per process, or through kernel command line options. This is x86 | ||
362 | + only feature. For more details see below. | ||
363 | + | ||
364 | + ==================== ======================================================== | ||
365 | + 'STIBP: disabled' STIBP unused | ||
366 | + 'STIBP: forced' Use STIBP on all tasks | ||
367 | + 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks | ||
368 | + ==================== ======================================================== | ||
369 | + | ||
370 | + - Return stack buffer (RSB) protection status: | ||
371 | + | ||
372 | + ============= =========================================== | ||
373 | + 'RSB filling' Protection of RSB on context switch enabled | ||
374 | + ============= =========================================== | ||
375 | + | ||
376 | +Full mitigation might require a microcode update from the CPU | ||
377 | +vendor. When the necessary microcode is not available, the kernel will | ||
378 | +report vulnerability. | ||
379 | + | ||
380 | +Turning on mitigation for Spectre variant 1 and Spectre variant 2 | ||
381 | +----------------------------------------------------------------- | ||
382 | + | ||
383 | +1. Kernel mitigation | ||
384 | +^^^^^^^^^^^^^^^^^^^^ | ||
385 | + | ||
386 | + For the Spectre variant 1, vulnerable kernel code (as determined | ||
387 | + by code audit or scanning tools) is annotated on a case by case | ||
388 | + basis to use nospec accessor macros for bounds clipping :ref:`[2] | ||
389 | + <spec_ref2>` to avoid any usable disclosure gadgets. However, it may | ||
390 | + not cover all attack vectors for Spectre variant 1. | ||
391 | + | ||
392 | + For Spectre variant 2 mitigation, the compiler turns indirect calls or | ||
393 | + jumps in the kernel into equivalent return trampolines (retpolines) | ||
394 | + :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` to go to the target | ||
395 | + addresses. Speculative execution paths under retpolines are trapped | ||
396 | + in an infinite loop to prevent any speculative execution jumping to | ||
397 | + a gadget. | ||
398 | + | ||
399 | + To turn on retpoline mitigation on a vulnerable CPU, the kernel | ||
400 | + needs to be compiled with a gcc compiler that supports the | ||
401 | + -mindirect-branch=thunk-extern -mindirect-branch-register options. | ||
402 | + If the kernel is compiled with a Clang compiler, the compiler needs | ||
403 | + to support -mretpoline-external-thunk option. The kernel config | ||
404 | + CONFIG_RETPOLINE needs to be turned on, and the CPU needs to run with | ||
405 | + the latest updated microcode. | ||
406 | + | ||
407 | + On Intel Skylake-era systems the mitigation covers most, but not all, | ||
408 | + cases. See :ref:`[3] <spec_ref3>` for more details. | ||
409 | + | ||
410 | + On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced | ||
411 | + IBRS on x86), retpoline is automatically disabled at run time. | ||
412 | + | ||
413 | + The retpoline mitigation is turned on by default on vulnerable | ||
414 | + CPUs. It can be forced on or off by the administrator | ||
415 | + via the kernel command line and sysfs control files. See | ||
416 | + :ref:`spectre_mitigation_control_command_line`. | ||
417 | + | ||
418 | + On x86, indirect branch restricted speculation is turned on by default | ||
419 | + before invoking any firmware code to prevent Spectre variant 2 exploits | ||
420 | + using the firmware. | ||
421 | + | ||
422 | + Using kernel address space randomization (CONFIG_RANDOMIZE_SLAB=y | ||
423 | + and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes | ||
424 | + attacks on the kernel generally more difficult. | ||
425 | + | ||
426 | +2. User program mitigation | ||
427 | +^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
428 | + | ||
429 | + User programs can mitigate Spectre variant 1 using LFENCE or "bounds | ||
430 | + clipping". For more details see :ref:`[2] <spec_ref2>`. | ||
431 | + | ||
432 | + For Spectre variant 2 mitigation, individual user programs | ||
433 | + can be compiled with return trampolines for indirect branches. | ||
434 | + This protects them from consuming poisoned entries in the branch | ||
435 | + target buffer left by malicious software. Alternatively, the | ||
436 | + programs can disable their indirect branch speculation via prctl() | ||
437 | + (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). | ||
438 | + On x86, this will turn on STIBP to guard against attacks from the | ||
439 | + sibling thread when the user program is running, and use IBPB to | ||
440 | + flush the branch target buffer when switching to/from the program. | ||
441 | + | ||
442 | + Restricting indirect branch speculation on a user program will | ||
443 | + also prevent the program from launching a variant 2 attack | ||
444 | + on x86. All sand-boxed SECCOMP programs have indirect branch | ||
445 | + speculation restricted by default. Administrators can change | ||
446 | + that behavior via the kernel command line and sysfs control files. | ||
447 | + See :ref:`spectre_mitigation_control_command_line`. | ||
448 | + | ||
449 | + Programs that disable their indirect branch speculation will have | ||
450 | + more overhead and run slower. | ||
451 | + | ||
452 | + User programs should use address space randomization | ||
453 | + (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more | ||
454 | + difficult. | ||
455 | + | ||
456 | +3. VM mitigation | ||
457 | +^^^^^^^^^^^^^^^^ | ||
458 | + | ||
459 | + Within the kernel, Spectre variant 1 attacks from rogue guests are | ||
460 | + mitigated on a case by case basis in VM exit paths. Vulnerable code | ||
461 | + uses nospec accessor macros for "bounds clipping", to avoid any | ||
462 | + usable disclosure gadgets. However, this may not cover all variant | ||
463 | + 1 attack vectors. | ||
464 | + | ||
465 | + For Spectre variant 2 attacks from rogue guests to the kernel, the | ||
466 | + Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of | ||
467 | + poisoned entries in branch target buffer left by rogue guests. It also | ||
468 | + flushes the return stack buffer on every VM exit to prevent a return | ||
469 | + stack buffer underflow so poisoned branch target buffer could be used, | ||
470 | + or attacker guests leaving poisoned entries in the return stack buffer. | ||
471 | + | ||
472 | + To mitigate guest-to-guest attacks in the same CPU hardware thread, | ||
473 | + the branch target buffer is sanitized by flushing before switching | ||
474 | + to a new guest on a CPU. | ||
475 | + | ||
476 | + The above mitigations are turned on by default on vulnerable CPUs. | ||
477 | + | ||
478 | + To mitigate guest-to-guest attacks from sibling thread when SMT is | ||
479 | + in use, an untrusted guest running in the sibling thread can have | ||
480 | + its indirect branch speculation disabled by administrator via prctl(). | ||
481 | + | ||
482 | + The kernel also allows guests to use any microcode based mitigation | ||
483 | + they choose to use (such as IBPB or STIBP on x86) to protect themselves. | ||
484 | + | ||
485 | +.. _spectre_mitigation_control_command_line: | ||
486 | + | ||
487 | +Mitigation control on the kernel command line | ||
488 | +--------------------------------------------- | ||
489 | + | ||
490 | +Spectre variant 2 mitigation can be disabled or force enabled at the | ||
491 | +kernel command line. | ||
492 | + | ||
493 | + nospectre_v2 | ||
494 | + | ||
495 | + [X86] Disable all mitigations for the Spectre variant 2 | ||
496 | + (indirect branch prediction) vulnerability. System may | ||
497 | + allow data leaks with this option, which is equivalent | ||
498 | + to spectre_v2=off. | ||
499 | + | ||
500 | + | ||
501 | + spectre_v2= | ||
502 | + | ||
503 | + [X86] Control mitigation of Spectre variant 2 | ||
504 | + (indirect branch speculation) vulnerability. | ||
505 | + The default operation protects the kernel from | ||
506 | + user space attacks. | ||
507 | + | ||
508 | + on | ||
509 | + unconditionally enable, implies | ||
510 | + spectre_v2_user=on | ||
511 | + off | ||
512 | + unconditionally disable, implies | ||
513 | + spectre_v2_user=off | ||
514 | + auto | ||
515 | + kernel detects whether your CPU model is | ||
516 | + vulnerable | ||
517 | + | ||
518 | + Selecting 'on' will, and 'auto' may, choose a | ||
519 | + mitigation method at run time according to the | ||
520 | + CPU, the available microcode, the setting of the | ||
521 | + CONFIG_RETPOLINE configuration option, and the | ||
522 | + compiler with which the kernel was built. | ||
523 | + | ||
524 | + Selecting 'on' will also enable the mitigation | ||
525 | + against user space to user space task attacks. | ||
526 | + | ||
527 | + Selecting 'off' will disable both the kernel and | ||
528 | + the user space protections. | ||
529 | + | ||
530 | + Specific mitigations can also be selected manually: | ||
531 | + | ||
532 | + retpoline | ||
533 | + replace indirect branches | ||
534 | + retpoline,generic | ||
535 | + google's original retpoline | ||
536 | + retpoline,amd | ||
537 | + AMD-specific minimal thunk | ||
538 | + | ||
539 | + Not specifying this option is equivalent to | ||
540 | + spectre_v2=auto. | ||
541 | + | ||
542 | +For user space mitigation: | ||
543 | + | ||
544 | + spectre_v2_user= | ||
545 | + | ||
546 | + [X86] Control mitigation of Spectre variant 2 | ||
547 | + (indirect branch speculation) vulnerability between | ||
548 | + user space tasks | ||
549 | + | ||
550 | + on | ||
551 | + Unconditionally enable mitigations. Is | ||
552 | + enforced by spectre_v2=on | ||
553 | + | ||
554 | + off | ||
555 | + Unconditionally disable mitigations. Is | ||
556 | + enforced by spectre_v2=off | ||
557 | + | ||
558 | + prctl | ||
559 | + Indirect branch speculation is enabled, | ||
560 | + but mitigation can be enabled via prctl | ||
561 | + per thread. The mitigation control state | ||
562 | + is inherited on fork. | ||
563 | + | ||
564 | + prctl,ibpb | ||
565 | + Like "prctl" above, but only STIBP is | ||
566 | + controlled per thread. IBPB is issued | ||
567 | + always when switching between different user | ||
568 | + space processes. | ||
569 | + | ||
570 | + seccomp | ||
571 | + Same as "prctl" above, but all seccomp | ||
572 | + threads will enable the mitigation unless | ||
573 | + they explicitly opt out. | ||
574 | + | ||
575 | + seccomp,ibpb | ||
576 | + Like "seccomp" above, but only STIBP is | ||
577 | + controlled per thread. IBPB is issued | ||
578 | + always when switching between different | ||
579 | + user space processes. | ||
580 | + | ||
581 | + auto | ||
582 | + Kernel selects the mitigation depending on | ||
583 | + the available CPU features and vulnerability. | ||
584 | + | ||
585 | + Default mitigation: | ||
586 | + If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" | ||
587 | + | ||
588 | + Not specifying this option is equivalent to | ||
589 | + spectre_v2_user=auto. | ||
590 | + | ||
591 | + In general the kernel by default selects | ||
592 | + reasonable mitigations for the current CPU. To | ||
593 | + disable Spectre variant 2 mitigations, boot with | ||
594 | + spectre_v2=off. Spectre variant 1 mitigations | ||
595 | + cannot be disabled. | ||
596 | + | ||
597 | +Mitigation selection guide | ||
598 | +-------------------------- | ||
599 | + | ||
600 | +1. Trusted userspace | ||
601 | +^^^^^^^^^^^^^^^^^^^^ | ||
602 | + | ||
603 | + If all userspace applications are from trusted sources and do not | ||
604 | + execute externally supplied untrusted code, then the mitigations can | ||
605 | + be disabled. | ||
606 | + | ||
607 | +2. Protect sensitive programs | ||
608 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
609 | + | ||
610 | + For security-sensitive programs that have secrets (e.g. crypto | ||
611 | + keys), protection against Spectre variant 2 can be put in place by | ||
612 | + disabling indirect branch speculation when the program is running | ||
613 | + (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). | ||
614 | + | ||
615 | +3. Sandbox untrusted programs | ||
616 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
617 | + | ||
618 | + Untrusted programs that could be a source of attacks can be cordoned | ||
619 | + off by disabling their indirect branch speculation when they are run | ||
620 | + (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). | ||
621 | + This prevents untrusted programs from polluting the branch target | ||
622 | + buffer. All programs running in SECCOMP sandboxes have indirect | ||
623 | + branch speculation restricted by default. This behavior can be | ||
624 | + changed via the kernel command line and sysfs control files. See | ||
625 | + :ref:`spectre_mitigation_control_command_line`. | ||
626 | + | ||
627 | +3. High security mode | ||
628 | +^^^^^^^^^^^^^^^^^^^^^ | ||
629 | + | ||
630 | + All Spectre variant 2 mitigations can be forced on | ||
631 | + at boot time for all programs (See the "on" option in | ||
632 | + :ref:`spectre_mitigation_control_command_line`). This will add | ||
633 | + overhead as indirect branch speculations for all programs will be | ||
634 | + restricted. | ||
635 | + | ||
636 | + On x86, branch target buffer will be flushed with IBPB when switching | ||
637 | + to a new program. STIBP is left on all the time to protect programs | ||
638 | + against variant 2 attacks originating from programs running on | ||
639 | + sibling threads. | ||
640 | + | ||
641 | + Alternatively, STIBP can be used only when running programs | ||
642 | + whose indirect branch speculation is explicitly disabled, | ||
643 | + while IBPB is still used all the time when switching to a new | ||
644 | + program to clear the branch target buffer (See "ibpb" option in | ||
645 | + :ref:`spectre_mitigation_control_command_line`). This "ibpb" option | ||
646 | + has less performance cost than the "on" option, which leaves STIBP | ||
647 | + on all the time. | ||
648 | + | ||
649 | +References on Spectre | ||
650 | +--------------------- | ||
651 | + | ||
652 | +Intel white papers: | ||
653 | + | ||
654 | +.. _spec_ref1: | ||
655 | + | ||
656 | +[1] `Intel analysis of speculative execution side channels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf>`_. | ||
657 | + | ||
658 | +.. _spec_ref2: | ||
659 | + | ||
660 | +[2] `Bounds check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-check-bypass>`_. | ||
661 | + | ||
662 | +.. _spec_ref3: | ||
663 | + | ||
664 | +[3] `Deep dive: Retpoline: A branch target injection mitigation <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigation>`_. | ||
665 | + | ||
666 | +.. _spec_ref4: | ||
667 | + | ||
668 | +[4] `Deep Dive: Single Thread Indirect Branch Predictors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors>`_. | ||
669 | + | ||
670 | +AMD white papers: | ||
671 | + | ||
672 | +.. _spec_ref5: | ||
673 | + | ||
674 | +[5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf>`_. | ||
675 | + | ||
676 | +.. _spec_ref6: | ||
677 | + | ||
678 | +[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf>`_. | ||
679 | + | ||
680 | +ARM white papers: | ||
681 | + | ||
682 | +.. _spec_ref7: | ||
683 | + | ||
684 | +[7] `Cache speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/download-the-whitepaper>`_. | ||
685 | + | ||
686 | +.. _spec_ref8: | ||
687 | + | ||
688 | +[8] `Cache speculation issues update <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/cache-speculation-issues-update>`_. | ||
689 | + | ||
690 | +Google white paper: | ||
691 | + | ||
692 | +.. _spec_ref9: | ||
693 | + | ||
694 | +[9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google.com/faqs/answer/7625886>`_. | ||
695 | + | ||
696 | +MIPS white paper: | ||
697 | + | ||
698 | +.. _spec_ref10: | ||
699 | + | ||
700 | +[10] `MIPS: response on speculative execution and side channel vulnerabilities <https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/>`_. | ||
701 | + | ||
702 | +Academic papers: | ||
703 | + | ||
704 | +.. _spec_ref11: | ||
705 | + | ||
706 | +[11] `Spectre Attacks: Exploiting Speculative Execution <https://spectreattack.com/spectre.pdf>`_. | ||
707 | + | ||
708 | +.. _spec_ref12: | ||
709 | + | ||
710 | +[12] `NetSpectre: Read Arbitrary Memory over Network <https://arxiv.org/abs/1807.10535>`_. | ||
711 | + | ||
712 | +.. _spec_ref13: | ||
713 | + | ||
714 | +[13] `Spectre Returns! Speculation Attacks using the Return Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_. | ||
715 | diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt | ||
716 | index 138f6664b2e2..0082d1e56999 100644 | ||
717 | --- a/Documentation/admin-guide/kernel-parameters.txt | ||
718 | +++ b/Documentation/admin-guide/kernel-parameters.txt | ||
719 | @@ -5102,12 +5102,6 @@ | ||
720 | emulate [default] Vsyscalls turn into traps and are | ||
721 | emulated reasonably safely. | ||
722 | |||
723 | - native Vsyscalls are native syscall instructions. | ||
724 | - This is a little bit faster than trapping | ||
725 | - and makes a few dynamic recompilers work | ||
726 | - better than they would in emulation mode. | ||
727 | - It also makes exploits much easier to write. | ||
728 | - | ||
729 | none Vsyscalls don't work at all. This makes | ||
730 | them quite hard to use for exploits but | ||
731 | might break your system. | ||
732 | diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst | ||
733 | index 1129c7550a48..7ddd8f667459 100644 | ||
734 | --- a/Documentation/userspace-api/spec_ctrl.rst | ||
735 | +++ b/Documentation/userspace-api/spec_ctrl.rst | ||
736 | @@ -49,6 +49,8 @@ If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is | ||
737 | available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation | ||
738 | misfeature will fail. | ||
739 | |||
740 | +.. _set_spec_ctrl: | ||
741 | + | ||
742 | PR_SET_SPECULATION_CTRL | ||
743 | ----------------------- | ||
744 | |||
745 | diff --git a/Makefile b/Makefile | ||
746 | index 3e4868a6498b..d8f5dbfd6b76 100644 | ||
747 | --- a/Makefile | ||
748 | +++ b/Makefile | ||
749 | @@ -1,7 +1,7 @@ | ||
750 | # SPDX-License-Identifier: GPL-2.0 | ||
751 | VERSION = 5 | ||
752 | PATCHLEVEL = 2 | ||
753 | -SUBLEVEL = 0 | ||
754 | +SUBLEVEL = 1 | ||
755 | EXTRAVERSION = | ||
756 | NAME = Bobtail Squid | ||
757 | |||
758 | diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c | ||
759 | index a166c960bc9e..e9d0bc3a5e88 100644 | ||
760 | --- a/arch/x86/kernel/ptrace.c | ||
761 | +++ b/arch/x86/kernel/ptrace.c | ||
762 | @@ -25,6 +25,7 @@ | ||
763 | #include <linux/rcupdate.h> | ||
764 | #include <linux/export.h> | ||
765 | #include <linux/context_tracking.h> | ||
766 | +#include <linux/nospec.h> | ||
767 | |||
768 | #include <linux/uaccess.h> | ||
769 | #include <asm/pgtable.h> | ||
770 | @@ -643,9 +644,11 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n) | ||
771 | { | ||
772 | struct thread_struct *thread = &tsk->thread; | ||
773 | unsigned long val = 0; | ||
774 | + int index = n; | ||
775 | |||
776 | if (n < HBP_NUM) { | ||
777 | - struct perf_event *bp = thread->ptrace_bps[n]; | ||
778 | + struct perf_event *bp = thread->ptrace_bps[index]; | ||
779 | + index = array_index_nospec(index, HBP_NUM); | ||
780 | |||
781 | if (bp) | ||
782 | val = bp->hw.info.address; | ||
783 | diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c | ||
784 | index a5b802a12212..71d3fef1edc9 100644 | ||
785 | --- a/arch/x86/kernel/tls.c | ||
786 | +++ b/arch/x86/kernel/tls.c | ||
787 | @@ -5,6 +5,7 @@ | ||
788 | #include <linux/user.h> | ||
789 | #include <linux/regset.h> | ||
790 | #include <linux/syscalls.h> | ||
791 | +#include <linux/nospec.h> | ||
792 | |||
793 | #include <linux/uaccess.h> | ||
794 | #include <asm/desc.h> | ||
795 | @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx, | ||
796 | struct user_desc __user *u_info) | ||
797 | { | ||
798 | struct user_desc info; | ||
799 | + int index; | ||
800 | |||
801 | if (idx == -1 && get_user(idx, &u_info->entry_number)) | ||
802 | return -EFAULT; | ||
803 | @@ -227,8 +229,11 @@ int do_get_thread_area(struct task_struct *p, int idx, | ||
804 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) | ||
805 | return -EINVAL; | ||
806 | |||
807 | - fill_user_desc(&info, idx, | ||
808 | - &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]); | ||
809 | + index = idx - GDT_ENTRY_TLS_MIN; | ||
810 | + index = array_index_nospec(index, | ||
811 | + GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); | ||
812 | + | ||
813 | + fill_user_desc(&info, idx, &p->thread.tls_array[index]); | ||
814 | |||
815 | if (copy_to_user(u_info, &info, sizeof(info))) | ||
816 | return -EFAULT; | ||
817 | diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S | ||
818 | index 0850b5149345..4d1517022a14 100644 | ||
819 | --- a/arch/x86/kernel/vmlinux.lds.S | ||
820 | +++ b/arch/x86/kernel/vmlinux.lds.S | ||
821 | @@ -141,10 +141,10 @@ SECTIONS | ||
822 | *(.text.__x86.indirect_thunk) | ||
823 | __indirect_thunk_end = .; | ||
824 | #endif | ||
825 | - } :text = 0x9090 | ||
826 | |||
827 | - /* End of text section */ | ||
828 | - _etext = .; | ||
829 | + /* End of text section */ | ||
830 | + _etext = .; | ||
831 | + } :text = 0x9090 | ||
832 | |||
833 | NOTES :text :note | ||
834 | |||
835 | diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c | ||
836 | index f9269ae6da9c..e5db3856b194 100644 | ||
837 | --- a/block/bfq-iosched.c | ||
838 | +++ b/block/bfq-iosched.c | ||
839 | @@ -4584,6 +4584,7 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) | ||
840 | unsigned long flags; | ||
841 | |||
842 | spin_lock_irqsave(&bfqd->lock, flags); | ||
843 | + bfqq->bic = NULL; | ||
844 | bfq_exit_bfqq(bfqd, bfqq); | ||
845 | bic_set_bfqq(bic, NULL, is_sync); | ||
846 | spin_unlock_irqrestore(&bfqd->lock, flags); | ||
847 | diff --git a/block/bio.c b/block/bio.c | ||
848 | index ce797d73bb43..67bba12d273b 100644 | ||
849 | --- a/block/bio.c | ||
850 | +++ b/block/bio.c | ||
851 | @@ -731,7 +731,7 @@ static int __bio_add_pc_page(struct request_queue *q, struct bio *bio, | ||
852 | } | ||
853 | } | ||
854 | |||
855 | - if (bio_full(bio)) | ||
856 | + if (bio_full(bio, len)) | ||
857 | return 0; | ||
858 | |||
859 | if (bio->bi_phys_segments >= queue_max_segments(q)) | ||
860 | @@ -807,7 +807,7 @@ void __bio_add_page(struct bio *bio, struct page *page, | ||
861 | struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt]; | ||
862 | |||
863 | WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED)); | ||
864 | - WARN_ON_ONCE(bio_full(bio)); | ||
865 | + WARN_ON_ONCE(bio_full(bio, len)); | ||
866 | |||
867 | bv->bv_page = page; | ||
868 | bv->bv_offset = off; | ||
869 | @@ -834,7 +834,7 @@ int bio_add_page(struct bio *bio, struct page *page, | ||
870 | bool same_page = false; | ||
871 | |||
872 | if (!__bio_try_merge_page(bio, page, len, offset, &same_page)) { | ||
873 | - if (bio_full(bio)) | ||
874 | + if (bio_full(bio, len)) | ||
875 | return 0; | ||
876 | __bio_add_page(bio, page, len, offset); | ||
877 | } | ||
878 | @@ -922,7 +922,7 @@ static int __bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter) | ||
879 | if (same_page) | ||
880 | put_page(page); | ||
881 | } else { | ||
882 | - if (WARN_ON_ONCE(bio_full(bio))) | ||
883 | + if (WARN_ON_ONCE(bio_full(bio, len))) | ||
884 | return -EINVAL; | ||
885 | __bio_add_page(bio, page, len, offset); | ||
886 | } | ||
887 | @@ -966,7 +966,7 @@ int bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter) | ||
888 | ret = __bio_iov_bvec_add_pages(bio, iter); | ||
889 | else | ||
890 | ret = __bio_iov_iter_get_pages(bio, iter); | ||
891 | - } while (!ret && iov_iter_count(iter) && !bio_full(bio)); | ||
892 | + } while (!ret && iov_iter_count(iter) && !bio_full(bio, 0)); | ||
893 | |||
894 | if (iov_iter_bvec_no_ref(iter)) | ||
895 | bio_set_flag(bio, BIO_NO_PAGE_REF); | ||
896 | diff --git a/crypto/lrw.c b/crypto/lrw.c | ||
897 | index 58009cf63a6e..be829f6afc8e 100644 | ||
898 | --- a/crypto/lrw.c | ||
899 | +++ b/crypto/lrw.c | ||
900 | @@ -384,7 +384,7 @@ static int create(struct crypto_template *tmpl, struct rtattr **tb) | ||
901 | inst->alg.base.cra_priority = alg->base.cra_priority; | ||
902 | inst->alg.base.cra_blocksize = LRW_BLOCK_SIZE; | ||
903 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask | | ||
904 | - (__alignof__(__be32) - 1); | ||
905 | + (__alignof__(be128) - 1); | ||
906 | |||
907 | inst->alg.ivsize = LRW_BLOCK_SIZE; | ||
908 | inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) + | ||
909 | diff --git a/drivers/android/binder.c b/drivers/android/binder.c | ||
910 | index bc26b5511f0a..38a59a630cd4 100644 | ||
911 | --- a/drivers/android/binder.c | ||
912 | +++ b/drivers/android/binder.c | ||
913 | @@ -2059,10 +2059,9 @@ static size_t binder_get_object(struct binder_proc *proc, | ||
914 | |||
915 | read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset); | ||
916 | if (offset > buffer->data_size || read_size < sizeof(*hdr) || | ||
917 | - !IS_ALIGNED(offset, sizeof(u32))) | ||
918 | + binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, | ||
919 | + offset, read_size)) | ||
920 | return 0; | ||
921 | - binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, | ||
922 | - offset, read_size); | ||
923 | |||
924 | /* Ok, now see if we read a complete object. */ | ||
925 | hdr = &object->hdr; | ||
926 | @@ -2131,8 +2130,10 @@ static struct binder_buffer_object *binder_validate_ptr( | ||
927 | return NULL; | ||
928 | |||
929 | buffer_offset = start_offset + sizeof(binder_size_t) * index; | ||
930 | - binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, | ||
931 | - b, buffer_offset, sizeof(object_offset)); | ||
932 | + if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, | ||
933 | + b, buffer_offset, | ||
934 | + sizeof(object_offset))) | ||
935 | + return NULL; | ||
936 | object_size = binder_get_object(proc, b, object_offset, object); | ||
937 | if (!object_size || object->hdr.type != BINDER_TYPE_PTR) | ||
938 | return NULL; | ||
939 | @@ -2212,10 +2213,12 @@ static bool binder_validate_fixup(struct binder_proc *proc, | ||
940 | return false; | ||
941 | last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t); | ||
942 | buffer_offset = objects_start_offset + | ||
943 | - sizeof(binder_size_t) * last_bbo->parent, | ||
944 | - binder_alloc_copy_from_buffer(&proc->alloc, &last_obj_offset, | ||
945 | - b, buffer_offset, | ||
946 | - sizeof(last_obj_offset)); | ||
947 | + sizeof(binder_size_t) * last_bbo->parent; | ||
948 | + if (binder_alloc_copy_from_buffer(&proc->alloc, | ||
949 | + &last_obj_offset, | ||
950 | + b, buffer_offset, | ||
951 | + sizeof(last_obj_offset))) | ||
952 | + return false; | ||
953 | } | ||
954 | return (fixup_offset >= last_min_offset); | ||
955 | } | ||
956 | @@ -2301,15 +2304,15 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, | ||
957 | for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; | ||
958 | buffer_offset += sizeof(binder_size_t)) { | ||
959 | struct binder_object_header *hdr; | ||
960 | - size_t object_size; | ||
961 | + size_t object_size = 0; | ||
962 | struct binder_object object; | ||
963 | binder_size_t object_offset; | ||
964 | |||
965 | - binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, | ||
966 | - buffer, buffer_offset, | ||
967 | - sizeof(object_offset)); | ||
968 | - object_size = binder_get_object(proc, buffer, | ||
969 | - object_offset, &object); | ||
970 | + if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, | ||
971 | + buffer, buffer_offset, | ||
972 | + sizeof(object_offset))) | ||
973 | + object_size = binder_get_object(proc, buffer, | ||
974 | + object_offset, &object); | ||
975 | if (object_size == 0) { | ||
976 | pr_err("transaction release %d bad object at offset %lld, size %zd\n", | ||
977 | debug_id, (u64)object_offset, buffer->data_size); | ||
978 | @@ -2432,15 +2435,16 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, | ||
979 | for (fd_index = 0; fd_index < fda->num_fds; | ||
980 | fd_index++) { | ||
981 | u32 fd; | ||
982 | + int err; | ||
983 | binder_size_t offset = fda_offset + | ||
984 | fd_index * sizeof(fd); | ||
985 | |||
986 | - binder_alloc_copy_from_buffer(&proc->alloc, | ||
987 | - &fd, | ||
988 | - buffer, | ||
989 | - offset, | ||
990 | - sizeof(fd)); | ||
991 | - binder_deferred_fd_close(fd); | ||
992 | + err = binder_alloc_copy_from_buffer( | ||
993 | + &proc->alloc, &fd, buffer, | ||
994 | + offset, sizeof(fd)); | ||
995 | + WARN_ON(err); | ||
996 | + if (!err) | ||
997 | + binder_deferred_fd_close(fd); | ||
998 | } | ||
999 | } break; | ||
1000 | default: | ||
1001 | @@ -2683,11 +2687,12 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, | ||
1002 | int ret; | ||
1003 | binder_size_t offset = fda_offset + fdi * sizeof(fd); | ||
1004 | |||
1005 | - binder_alloc_copy_from_buffer(&target_proc->alloc, | ||
1006 | - &fd, t->buffer, | ||
1007 | - offset, sizeof(fd)); | ||
1008 | - ret = binder_translate_fd(fd, offset, t, thread, | ||
1009 | - in_reply_to); | ||
1010 | + ret = binder_alloc_copy_from_buffer(&target_proc->alloc, | ||
1011 | + &fd, t->buffer, | ||
1012 | + offset, sizeof(fd)); | ||
1013 | + if (!ret) | ||
1014 | + ret = binder_translate_fd(fd, offset, t, thread, | ||
1015 | + in_reply_to); | ||
1016 | if (ret < 0) | ||
1017 | return ret; | ||
1018 | } | ||
1019 | @@ -2740,8 +2745,12 @@ static int binder_fixup_parent(struct binder_transaction *t, | ||
1020 | } | ||
1021 | buffer_offset = bp->parent_offset + | ||
1022 | (uintptr_t)parent->buffer - (uintptr_t)b->user_data; | ||
1023 | - binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset, | ||
1024 | - &bp->buffer, sizeof(bp->buffer)); | ||
1025 | + if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset, | ||
1026 | + &bp->buffer, sizeof(bp->buffer))) { | ||
1027 | + binder_user_error("%d:%d got transaction with invalid parent offset\n", | ||
1028 | + proc->pid, thread->pid); | ||
1029 | + return -EINVAL; | ||
1030 | + } | ||
1031 | |||
1032 | return 0; | ||
1033 | } | ||
1034 | @@ -3160,15 +3169,20 @@ static void binder_transaction(struct binder_proc *proc, | ||
1035 | goto err_binder_alloc_buf_failed; | ||
1036 | } | ||
1037 | if (secctx) { | ||
1038 | + int err; | ||
1039 | size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + | ||
1040 | ALIGN(tr->offsets_size, sizeof(void *)) + | ||
1041 | ALIGN(extra_buffers_size, sizeof(void *)) - | ||
1042 | ALIGN(secctx_sz, sizeof(u64)); | ||
1043 | |||
1044 | t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; | ||
1045 | - binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1046 | - t->buffer, buf_offset, | ||
1047 | - secctx, secctx_sz); | ||
1048 | + err = binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1049 | + t->buffer, buf_offset, | ||
1050 | + secctx, secctx_sz); | ||
1051 | + if (err) { | ||
1052 | + t->security_ctx = 0; | ||
1053 | + WARN_ON(1); | ||
1054 | + } | ||
1055 | security_release_secctx(secctx, secctx_sz); | ||
1056 | secctx = NULL; | ||
1057 | } | ||
1058 | @@ -3234,11 +3248,16 @@ static void binder_transaction(struct binder_proc *proc, | ||
1059 | struct binder_object object; | ||
1060 | binder_size_t object_offset; | ||
1061 | |||
1062 | - binder_alloc_copy_from_buffer(&target_proc->alloc, | ||
1063 | - &object_offset, | ||
1064 | - t->buffer, | ||
1065 | - buffer_offset, | ||
1066 | - sizeof(object_offset)); | ||
1067 | + if (binder_alloc_copy_from_buffer(&target_proc->alloc, | ||
1068 | + &object_offset, | ||
1069 | + t->buffer, | ||
1070 | + buffer_offset, | ||
1071 | + sizeof(object_offset))) { | ||
1072 | + return_error = BR_FAILED_REPLY; | ||
1073 | + return_error_param = -EINVAL; | ||
1074 | + return_error_line = __LINE__; | ||
1075 | + goto err_bad_offset; | ||
1076 | + } | ||
1077 | object_size = binder_get_object(target_proc, t->buffer, | ||
1078 | object_offset, &object); | ||
1079 | if (object_size == 0 || object_offset < off_min) { | ||
1080 | @@ -3262,15 +3281,17 @@ static void binder_transaction(struct binder_proc *proc, | ||
1081 | |||
1082 | fp = to_flat_binder_object(hdr); | ||
1083 | ret = binder_translate_binder(fp, t, thread); | ||
1084 | - if (ret < 0) { | ||
1085 | + | ||
1086 | + if (ret < 0 || | ||
1087 | + binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1088 | + t->buffer, | ||
1089 | + object_offset, | ||
1090 | + fp, sizeof(*fp))) { | ||
1091 | return_error = BR_FAILED_REPLY; | ||
1092 | return_error_param = ret; | ||
1093 | return_error_line = __LINE__; | ||
1094 | goto err_translate_failed; | ||
1095 | } | ||
1096 | - binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1097 | - t->buffer, object_offset, | ||
1098 | - fp, sizeof(*fp)); | ||
1099 | } break; | ||
1100 | case BINDER_TYPE_HANDLE: | ||
1101 | case BINDER_TYPE_WEAK_HANDLE: { | ||
1102 | @@ -3278,15 +3299,16 @@ static void binder_transaction(struct binder_proc *proc, | ||
1103 | |||
1104 | fp = to_flat_binder_object(hdr); | ||
1105 | ret = binder_translate_handle(fp, t, thread); | ||
1106 | - if (ret < 0) { | ||
1107 | + if (ret < 0 || | ||
1108 | + binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1109 | + t->buffer, | ||
1110 | + object_offset, | ||
1111 | + fp, sizeof(*fp))) { | ||
1112 | return_error = BR_FAILED_REPLY; | ||
1113 | return_error_param = ret; | ||
1114 | return_error_line = __LINE__; | ||
1115 | goto err_translate_failed; | ||
1116 | } | ||
1117 | - binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1118 | - t->buffer, object_offset, | ||
1119 | - fp, sizeof(*fp)); | ||
1120 | } break; | ||
1121 | |||
1122 | case BINDER_TYPE_FD: { | ||
1123 | @@ -3296,16 +3318,17 @@ static void binder_transaction(struct binder_proc *proc, | ||
1124 | int ret = binder_translate_fd(fp->fd, fd_offset, t, | ||
1125 | thread, in_reply_to); | ||
1126 | |||
1127 | - if (ret < 0) { | ||
1128 | + fp->pad_binder = 0; | ||
1129 | + if (ret < 0 || | ||
1130 | + binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1131 | + t->buffer, | ||
1132 | + object_offset, | ||
1133 | + fp, sizeof(*fp))) { | ||
1134 | return_error = BR_FAILED_REPLY; | ||
1135 | return_error_param = ret; | ||
1136 | return_error_line = __LINE__; | ||
1137 | goto err_translate_failed; | ||
1138 | } | ||
1139 | - fp->pad_binder = 0; | ||
1140 | - binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1141 | - t->buffer, object_offset, | ||
1142 | - fp, sizeof(*fp)); | ||
1143 | } break; | ||
1144 | case BINDER_TYPE_FDA: { | ||
1145 | struct binder_object ptr_object; | ||
1146 | @@ -3393,15 +3416,16 @@ static void binder_transaction(struct binder_proc *proc, | ||
1147 | num_valid, | ||
1148 | last_fixup_obj_off, | ||
1149 | last_fixup_min_off); | ||
1150 | - if (ret < 0) { | ||
1151 | + if (ret < 0 || | ||
1152 | + binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1153 | + t->buffer, | ||
1154 | + object_offset, | ||
1155 | + bp, sizeof(*bp))) { | ||
1156 | return_error = BR_FAILED_REPLY; | ||
1157 | return_error_param = ret; | ||
1158 | return_error_line = __LINE__; | ||
1159 | goto err_translate_failed; | ||
1160 | } | ||
1161 | - binder_alloc_copy_to_buffer(&target_proc->alloc, | ||
1162 | - t->buffer, object_offset, | ||
1163 | - bp, sizeof(*bp)); | ||
1164 | last_fixup_obj_off = object_offset; | ||
1165 | last_fixup_min_off = 0; | ||
1166 | } break; | ||
1167 | @@ -4140,20 +4164,27 @@ static int binder_apply_fd_fixups(struct binder_proc *proc, | ||
1168 | trace_binder_transaction_fd_recv(t, fd, fixup->offset); | ||
1169 | fd_install(fd, fixup->file); | ||
1170 | fixup->file = NULL; | ||
1171 | - binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, | ||
1172 | - fixup->offset, &fd, | ||
1173 | - sizeof(u32)); | ||
1174 | + if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, | ||
1175 | + fixup->offset, &fd, | ||
1176 | + sizeof(u32))) { | ||
1177 | + ret = -EINVAL; | ||
1178 | + break; | ||
1179 | + } | ||
1180 | } | ||
1181 | list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { | ||
1182 | if (fixup->file) { | ||
1183 | fput(fixup->file); | ||
1184 | } else if (ret) { | ||
1185 | u32 fd; | ||
1186 | - | ||
1187 | - binder_alloc_copy_from_buffer(&proc->alloc, &fd, | ||
1188 | - t->buffer, fixup->offset, | ||
1189 | - sizeof(fd)); | ||
1190 | - binder_deferred_fd_close(fd); | ||
1191 | + int err; | ||
1192 | + | ||
1193 | + err = binder_alloc_copy_from_buffer(&proc->alloc, &fd, | ||
1194 | + t->buffer, | ||
1195 | + fixup->offset, | ||
1196 | + sizeof(fd)); | ||
1197 | + WARN_ON(err); | ||
1198 | + if (!err) | ||
1199 | + binder_deferred_fd_close(fd); | ||
1200 | } | ||
1201 | list_del(&fixup->fixup_entry); | ||
1202 | kfree(fixup); | ||
1203 | @@ -4268,6 +4299,8 @@ retry: | ||
1204 | case BINDER_WORK_TRANSACTION_COMPLETE: { | ||
1205 | binder_inner_proc_unlock(proc); | ||
1206 | cmd = BR_TRANSACTION_COMPLETE; | ||
1207 | + kfree(w); | ||
1208 | + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); | ||
1209 | if (put_user(cmd, (uint32_t __user *)ptr)) | ||
1210 | return -EFAULT; | ||
1211 | ptr += sizeof(uint32_t); | ||
1212 | @@ -4276,8 +4309,6 @@ retry: | ||
1213 | binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, | ||
1214 | "%d:%d BR_TRANSACTION_COMPLETE\n", | ||
1215 | proc->pid, thread->pid); | ||
1216 | - kfree(w); | ||
1217 | - binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); | ||
1218 | } break; | ||
1219 | case BINDER_WORK_NODE: { | ||
1220 | struct binder_node *node = container_of(w, struct binder_node, work); | ||
1221 | diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c | ||
1222 | index ce5603c2291c..6d79a1b0d446 100644 | ||
1223 | --- a/drivers/android/binder_alloc.c | ||
1224 | +++ b/drivers/android/binder_alloc.c | ||
1225 | @@ -1119,15 +1119,16 @@ binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc, | ||
1226 | return 0; | ||
1227 | } | ||
1228 | |||
1229 | -static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc, | ||
1230 | - bool to_buffer, | ||
1231 | - struct binder_buffer *buffer, | ||
1232 | - binder_size_t buffer_offset, | ||
1233 | - void *ptr, | ||
1234 | - size_t bytes) | ||
1235 | +static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc, | ||
1236 | + bool to_buffer, | ||
1237 | + struct binder_buffer *buffer, | ||
1238 | + binder_size_t buffer_offset, | ||
1239 | + void *ptr, | ||
1240 | + size_t bytes) | ||
1241 | { | ||
1242 | /* All copies must be 32-bit aligned and 32-bit size */ | ||
1243 | - BUG_ON(!check_buffer(alloc, buffer, buffer_offset, bytes)); | ||
1244 | + if (!check_buffer(alloc, buffer, buffer_offset, bytes)) | ||
1245 | + return -EINVAL; | ||
1246 | |||
1247 | while (bytes) { | ||
1248 | unsigned long size; | ||
1249 | @@ -1155,25 +1156,26 @@ static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc, | ||
1250 | ptr = ptr + size; | ||
1251 | buffer_offset += size; | ||
1252 | } | ||
1253 | + return 0; | ||
1254 | } | ||
1255 | |||
1256 | -void binder_alloc_copy_to_buffer(struct binder_alloc *alloc, | ||
1257 | - struct binder_buffer *buffer, | ||
1258 | - binder_size_t buffer_offset, | ||
1259 | - void *src, | ||
1260 | - size_t bytes) | ||
1261 | +int binder_alloc_copy_to_buffer(struct binder_alloc *alloc, | ||
1262 | + struct binder_buffer *buffer, | ||
1263 | + binder_size_t buffer_offset, | ||
1264 | + void *src, | ||
1265 | + size_t bytes) | ||
1266 | { | ||
1267 | - binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset, | ||
1268 | - src, bytes); | ||
1269 | + return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset, | ||
1270 | + src, bytes); | ||
1271 | } | ||
1272 | |||
1273 | -void binder_alloc_copy_from_buffer(struct binder_alloc *alloc, | ||
1274 | - void *dest, | ||
1275 | - struct binder_buffer *buffer, | ||
1276 | - binder_size_t buffer_offset, | ||
1277 | - size_t bytes) | ||
1278 | +int binder_alloc_copy_from_buffer(struct binder_alloc *alloc, | ||
1279 | + void *dest, | ||
1280 | + struct binder_buffer *buffer, | ||
1281 | + binder_size_t buffer_offset, | ||
1282 | + size_t bytes) | ||
1283 | { | ||
1284 | - binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset, | ||
1285 | - dest, bytes); | ||
1286 | + return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset, | ||
1287 | + dest, bytes); | ||
1288 | } | ||
1289 | |||
1290 | diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h | ||
1291 | index 71bfa95f8e09..db9c1b984695 100644 | ||
1292 | --- a/drivers/android/binder_alloc.h | ||
1293 | +++ b/drivers/android/binder_alloc.h | ||
1294 | @@ -159,17 +159,17 @@ binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc, | ||
1295 | const void __user *from, | ||
1296 | size_t bytes); | ||
1297 | |||
1298 | -void binder_alloc_copy_to_buffer(struct binder_alloc *alloc, | ||
1299 | - struct binder_buffer *buffer, | ||
1300 | - binder_size_t buffer_offset, | ||
1301 | - void *src, | ||
1302 | - size_t bytes); | ||
1303 | - | ||
1304 | -void binder_alloc_copy_from_buffer(struct binder_alloc *alloc, | ||
1305 | - void *dest, | ||
1306 | - struct binder_buffer *buffer, | ||
1307 | - binder_size_t buffer_offset, | ||
1308 | - size_t bytes); | ||
1309 | +int binder_alloc_copy_to_buffer(struct binder_alloc *alloc, | ||
1310 | + struct binder_buffer *buffer, | ||
1311 | + binder_size_t buffer_offset, | ||
1312 | + void *src, | ||
1313 | + size_t bytes); | ||
1314 | + | ||
1315 | +int binder_alloc_copy_from_buffer(struct binder_alloc *alloc, | ||
1316 | + void *dest, | ||
1317 | + struct binder_buffer *buffer, | ||
1318 | + binder_size_t buffer_offset, | ||
1319 | + size_t bytes); | ||
1320 | |||
1321 | #endif /* _LINUX_BINDER_ALLOC_H */ | ||
1322 | |||
1323 | diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c | ||
1324 | index 90325e1749fb..d47ad10a35fe 100644 | ||
1325 | --- a/drivers/char/tpm/tpm-chip.c | ||
1326 | +++ b/drivers/char/tpm/tpm-chip.c | ||
1327 | @@ -289,15 +289,15 @@ static int tpm_class_shutdown(struct device *dev) | ||
1328 | { | ||
1329 | struct tpm_chip *chip = container_of(dev, struct tpm_chip, dev); | ||
1330 | |||
1331 | + down_write(&chip->ops_sem); | ||
1332 | if (chip->flags & TPM_CHIP_FLAG_TPM2) { | ||
1333 | - down_write(&chip->ops_sem); | ||
1334 | if (!tpm_chip_start(chip)) { | ||
1335 | tpm2_shutdown(chip, TPM2_SU_CLEAR); | ||
1336 | tpm_chip_stop(chip); | ||
1337 | } | ||
1338 | - chip->ops = NULL; | ||
1339 | - up_write(&chip->ops_sem); | ||
1340 | } | ||
1341 | + chip->ops = NULL; | ||
1342 | + up_write(&chip->ops_sem); | ||
1343 | |||
1344 | return 0; | ||
1345 | } | ||
1346 | diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c | ||
1347 | index 85dcf2654d11..faacbe1ffa1a 100644 | ||
1348 | --- a/drivers/char/tpm/tpm1-cmd.c | ||
1349 | +++ b/drivers/char/tpm/tpm1-cmd.c | ||
1350 | @@ -510,7 +510,7 @@ struct tpm1_get_random_out { | ||
1351 | * | ||
1352 | * Return: | ||
1353 | * * number of bytes read | ||
1354 | - * * -errno or a TPM return code otherwise | ||
1355 | + * * -errno (positive TPM return codes are masked to -EIO) | ||
1356 | */ | ||
1357 | int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | ||
1358 | { | ||
1359 | @@ -531,8 +531,11 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | ||
1360 | |||
1361 | rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len), | ||
1362 | "attempting get random"); | ||
1363 | - if (rc) | ||
1364 | + if (rc) { | ||
1365 | + if (rc > 0) | ||
1366 | + rc = -EIO; | ||
1367 | goto out; | ||
1368 | + } | ||
1369 | |||
1370 | out = (struct tpm1_get_random_out *)&buf.data[TPM_HEADER_SIZE]; | ||
1371 | |||
1372 | diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c | ||
1373 | index 4de49924cfc4..d103545e4055 100644 | ||
1374 | --- a/drivers/char/tpm/tpm2-cmd.c | ||
1375 | +++ b/drivers/char/tpm/tpm2-cmd.c | ||
1376 | @@ -297,7 +297,7 @@ struct tpm2_get_random_out { | ||
1377 | * | ||
1378 | * Return: | ||
1379 | * size of the buffer on success, | ||
1380 | - * -errno otherwise | ||
1381 | + * -errno otherwise (positive TPM return codes are masked to -EIO) | ||
1382 | */ | ||
1383 | int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | ||
1384 | { | ||
1385 | @@ -324,8 +324,11 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | ||
1386 | offsetof(struct tpm2_get_random_out, | ||
1387 | buffer), | ||
1388 | "attempting get random"); | ||
1389 | - if (err) | ||
1390 | + if (err) { | ||
1391 | + if (err > 0) | ||
1392 | + err = -EIO; | ||
1393 | goto out; | ||
1394 | + } | ||
1395 | |||
1396 | out = (struct tpm2_get_random_out *) | ||
1397 | &buf.data[TPM_HEADER_SIZE]; | ||
1398 | diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c | ||
1399 | index fbc7bf9d7380..427c78d4d948 100644 | ||
1400 | --- a/drivers/crypto/talitos.c | ||
1401 | +++ b/drivers/crypto/talitos.c | ||
1402 | @@ -2339,7 +2339,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1403 | .base = { | ||
1404 | .cra_name = "authenc(hmac(sha1),cbc(aes))", | ||
1405 | .cra_driver_name = "authenc-hmac-sha1-" | ||
1406 | - "cbc-aes-talitos", | ||
1407 | + "cbc-aes-talitos-hsna", | ||
1408 | .cra_blocksize = AES_BLOCK_SIZE, | ||
1409 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1410 | }, | ||
1411 | @@ -2384,7 +2384,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1412 | .cra_name = "authenc(hmac(sha1)," | ||
1413 | "cbc(des3_ede))", | ||
1414 | .cra_driver_name = "authenc-hmac-sha1-" | ||
1415 | - "cbc-3des-talitos", | ||
1416 | + "cbc-3des-talitos-hsna", | ||
1417 | .cra_blocksize = DES3_EDE_BLOCK_SIZE, | ||
1418 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1419 | }, | ||
1420 | @@ -2427,7 +2427,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1421 | .base = { | ||
1422 | .cra_name = "authenc(hmac(sha224),cbc(aes))", | ||
1423 | .cra_driver_name = "authenc-hmac-sha224-" | ||
1424 | - "cbc-aes-talitos", | ||
1425 | + "cbc-aes-talitos-hsna", | ||
1426 | .cra_blocksize = AES_BLOCK_SIZE, | ||
1427 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1428 | }, | ||
1429 | @@ -2472,7 +2472,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1430 | .cra_name = "authenc(hmac(sha224)," | ||
1431 | "cbc(des3_ede))", | ||
1432 | .cra_driver_name = "authenc-hmac-sha224-" | ||
1433 | - "cbc-3des-talitos", | ||
1434 | + "cbc-3des-talitos-hsna", | ||
1435 | .cra_blocksize = DES3_EDE_BLOCK_SIZE, | ||
1436 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1437 | }, | ||
1438 | @@ -2515,7 +2515,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1439 | .base = { | ||
1440 | .cra_name = "authenc(hmac(sha256),cbc(aes))", | ||
1441 | .cra_driver_name = "authenc-hmac-sha256-" | ||
1442 | - "cbc-aes-talitos", | ||
1443 | + "cbc-aes-talitos-hsna", | ||
1444 | .cra_blocksize = AES_BLOCK_SIZE, | ||
1445 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1446 | }, | ||
1447 | @@ -2560,7 +2560,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1448 | .cra_name = "authenc(hmac(sha256)," | ||
1449 | "cbc(des3_ede))", | ||
1450 | .cra_driver_name = "authenc-hmac-sha256-" | ||
1451 | - "cbc-3des-talitos", | ||
1452 | + "cbc-3des-talitos-hsna", | ||
1453 | .cra_blocksize = DES3_EDE_BLOCK_SIZE, | ||
1454 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1455 | }, | ||
1456 | @@ -2689,7 +2689,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1457 | .base = { | ||
1458 | .cra_name = "authenc(hmac(md5),cbc(aes))", | ||
1459 | .cra_driver_name = "authenc-hmac-md5-" | ||
1460 | - "cbc-aes-talitos", | ||
1461 | + "cbc-aes-talitos-hsna", | ||
1462 | .cra_blocksize = AES_BLOCK_SIZE, | ||
1463 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1464 | }, | ||
1465 | @@ -2732,7 +2732,7 @@ static struct talitos_alg_template driver_algs[] = { | ||
1466 | .base = { | ||
1467 | .cra_name = "authenc(hmac(md5),cbc(des3_ede))", | ||
1468 | .cra_driver_name = "authenc-hmac-md5-" | ||
1469 | - "cbc-3des-talitos", | ||
1470 | + "cbc-3des-talitos-hsna", | ||
1471 | .cra_blocksize = DES3_EDE_BLOCK_SIZE, | ||
1472 | .cra_flags = CRYPTO_ALG_ASYNC, | ||
1473 | }, | ||
1474 | diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h | ||
1475 | index b032d3899fa3..bfc584ada4eb 100644 | ||
1476 | --- a/drivers/hid/hid-ids.h | ||
1477 | +++ b/drivers/hid/hid-ids.h | ||
1478 | @@ -1241,6 +1241,7 @@ | ||
1479 | #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05 | ||
1480 | #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72 | ||
1481 | #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f | ||
1482 | +#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65 0x4d65 | ||
1483 | #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22 | ||
1484 | |||
1485 | |||
1486 | diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c | ||
1487 | index 671a285724f9..1549c7a2f04c 100644 | ||
1488 | --- a/drivers/hid/hid-quirks.c | ||
1489 | +++ b/drivers/hid/hid-quirks.c | ||
1490 | @@ -130,6 +130,7 @@ static const struct hid_device_id hid_quirks[] = { | ||
1491 | { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, | ||
1492 | { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL }, | ||
1493 | { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL }, | ||
1494 | + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL }, | ||
1495 | { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL }, | ||
1496 | { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET }, | ||
1497 | { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET }, | ||
1498 | diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c | ||
1499 | index 4ee4c80a4354..543cc3d36e1d 100644 | ||
1500 | --- a/drivers/hwtracing/coresight/coresight-etb10.c | ||
1501 | +++ b/drivers/hwtracing/coresight/coresight-etb10.c | ||
1502 | @@ -373,12 +373,10 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, | ||
1503 | struct perf_event *event, void **pages, | ||
1504 | int nr_pages, bool overwrite) | ||
1505 | { | ||
1506 | - int node, cpu = event->cpu; | ||
1507 | + int node; | ||
1508 | struct cs_buffers *buf; | ||
1509 | |||
1510 | - if (cpu == -1) | ||
1511 | - cpu = smp_processor_id(); | ||
1512 | - node = cpu_to_node(cpu); | ||
1513 | + node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); | ||
1514 | |||
1515 | buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); | ||
1516 | if (!buf) | ||
1517 | diff --git a/drivers/hwtracing/coresight/coresight-funnel.c b/drivers/hwtracing/coresight/coresight-funnel.c | ||
1518 | index 16b0c0e1e43a..ad6e16c96263 100644 | ||
1519 | --- a/drivers/hwtracing/coresight/coresight-funnel.c | ||
1520 | +++ b/drivers/hwtracing/coresight/coresight-funnel.c | ||
1521 | @@ -241,6 +241,7 @@ static int funnel_probe(struct device *dev, struct resource *res) | ||
1522 | } | ||
1523 | |||
1524 | pm_runtime_put(dev); | ||
1525 | + ret = 0; | ||
1526 | |||
1527 | out_disable_clk: | ||
1528 | if (ret && !IS_ERR_OR_NULL(drvdata->atclk)) | ||
1529 | diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c | ||
1530 | index 2527b5d3b65e..8de109de171f 100644 | ||
1531 | --- a/drivers/hwtracing/coresight/coresight-tmc-etf.c | ||
1532 | +++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c | ||
1533 | @@ -378,12 +378,10 @@ static void *tmc_alloc_etf_buffer(struct coresight_device *csdev, | ||
1534 | struct perf_event *event, void **pages, | ||
1535 | int nr_pages, bool overwrite) | ||
1536 | { | ||
1537 | - int node, cpu = event->cpu; | ||
1538 | + int node; | ||
1539 | struct cs_buffers *buf; | ||
1540 | |||
1541 | - if (cpu == -1) | ||
1542 | - cpu = smp_processor_id(); | ||
1543 | - node = cpu_to_node(cpu); | ||
1544 | + node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); | ||
1545 | |||
1546 | /* Allocate memory structure for interaction with Perf */ | ||
1547 | buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); | ||
1548 | diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c | ||
1549 | index df6e4b0b84e9..9f293b9dce8c 100644 | ||
1550 | --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c | ||
1551 | +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c | ||
1552 | @@ -1178,14 +1178,11 @@ static struct etr_buf * | ||
1553 | alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, | ||
1554 | int nr_pages, void **pages, bool snapshot) | ||
1555 | { | ||
1556 | - int node, cpu = event->cpu; | ||
1557 | + int node; | ||
1558 | struct etr_buf *etr_buf; | ||
1559 | unsigned long size; | ||
1560 | |||
1561 | - if (cpu == -1) | ||
1562 | - cpu = smp_processor_id(); | ||
1563 | - node = cpu_to_node(cpu); | ||
1564 | - | ||
1565 | + node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); | ||
1566 | /* | ||
1567 | * Try to match the perf ring buffer size if it is larger | ||
1568 | * than the size requested via sysfs. | ||
1569 | @@ -1317,13 +1314,11 @@ static struct etr_perf_buffer * | ||
1570 | tmc_etr_setup_perf_buf(struct tmc_drvdata *drvdata, struct perf_event *event, | ||
1571 | int nr_pages, void **pages, bool snapshot) | ||
1572 | { | ||
1573 | - int node, cpu = event->cpu; | ||
1574 | + int node; | ||
1575 | struct etr_buf *etr_buf; | ||
1576 | struct etr_perf_buffer *etr_perf; | ||
1577 | |||
1578 | - if (cpu == -1) | ||
1579 | - cpu = smp_processor_id(); | ||
1580 | - node = cpu_to_node(cpu); | ||
1581 | + node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); | ||
1582 | |||
1583 | etr_perf = kzalloc_node(sizeof(*etr_perf), GFP_KERNEL, node); | ||
1584 | if (!etr_perf) | ||
1585 | diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c | ||
1586 | index 2327ec18b40c..1f7ce5186dfc 100644 | ||
1587 | --- a/drivers/iio/adc/stm32-adc-core.c | ||
1588 | +++ b/drivers/iio/adc/stm32-adc-core.c | ||
1589 | @@ -87,6 +87,7 @@ struct stm32_adc_priv_cfg { | ||
1590 | * @domain: irq domain reference | ||
1591 | * @aclk: clock reference for the analog circuitry | ||
1592 | * @bclk: bus clock common for all ADCs, depends on part used | ||
1593 | + * @vdda: vdda analog supply reference | ||
1594 | * @vref: regulator reference | ||
1595 | * @cfg: compatible configuration data | ||
1596 | * @common: common data for all ADC instances | ||
1597 | @@ -97,6 +98,7 @@ struct stm32_adc_priv { | ||
1598 | struct irq_domain *domain; | ||
1599 | struct clk *aclk; | ||
1600 | struct clk *bclk; | ||
1601 | + struct regulator *vdda; | ||
1602 | struct regulator *vref; | ||
1603 | const struct stm32_adc_priv_cfg *cfg; | ||
1604 | struct stm32_adc_common common; | ||
1605 | @@ -394,10 +396,16 @@ static int stm32_adc_core_hw_start(struct device *dev) | ||
1606 | struct stm32_adc_priv *priv = to_stm32_adc_priv(common); | ||
1607 | int ret; | ||
1608 | |||
1609 | + ret = regulator_enable(priv->vdda); | ||
1610 | + if (ret < 0) { | ||
1611 | + dev_err(dev, "vdda enable failed %d\n", ret); | ||
1612 | + return ret; | ||
1613 | + } | ||
1614 | + | ||
1615 | ret = regulator_enable(priv->vref); | ||
1616 | if (ret < 0) { | ||
1617 | dev_err(dev, "vref enable failed\n"); | ||
1618 | - return ret; | ||
1619 | + goto err_vdda_disable; | ||
1620 | } | ||
1621 | |||
1622 | if (priv->bclk) { | ||
1623 | @@ -425,6 +433,8 @@ err_bclk_disable: | ||
1624 | clk_disable_unprepare(priv->bclk); | ||
1625 | err_regulator_disable: | ||
1626 | regulator_disable(priv->vref); | ||
1627 | +err_vdda_disable: | ||
1628 | + regulator_disable(priv->vdda); | ||
1629 | |||
1630 | return ret; | ||
1631 | } | ||
1632 | @@ -441,6 +451,7 @@ static void stm32_adc_core_hw_stop(struct device *dev) | ||
1633 | if (priv->bclk) | ||
1634 | clk_disable_unprepare(priv->bclk); | ||
1635 | regulator_disable(priv->vref); | ||
1636 | + regulator_disable(priv->vdda); | ||
1637 | } | ||
1638 | |||
1639 | static int stm32_adc_probe(struct platform_device *pdev) | ||
1640 | @@ -468,6 +479,14 @@ static int stm32_adc_probe(struct platform_device *pdev) | ||
1641 | return PTR_ERR(priv->common.base); | ||
1642 | priv->common.phys_base = res->start; | ||
1643 | |||
1644 | + priv->vdda = devm_regulator_get(&pdev->dev, "vdda"); | ||
1645 | + if (IS_ERR(priv->vdda)) { | ||
1646 | + ret = PTR_ERR(priv->vdda); | ||
1647 | + if (ret != -EPROBE_DEFER) | ||
1648 | + dev_err(&pdev->dev, "vdda get failed, %d\n", ret); | ||
1649 | + return ret; | ||
1650 | + } | ||
1651 | + | ||
1652 | priv->vref = devm_regulator_get(&pdev->dev, "vref"); | ||
1653 | if (IS_ERR(priv->vref)) { | ||
1654 | ret = PTR_ERR(priv->vref); | ||
1655 | diff --git a/drivers/media/dvb-frontends/stv0297.c b/drivers/media/dvb-frontends/stv0297.c | ||
1656 | index dac396c95a59..6d5962d5697a 100644 | ||
1657 | --- a/drivers/media/dvb-frontends/stv0297.c | ||
1658 | +++ b/drivers/media/dvb-frontends/stv0297.c | ||
1659 | @@ -682,7 +682,7 @@ static const struct dvb_frontend_ops stv0297_ops = { | ||
1660 | .delsys = { SYS_DVBC_ANNEX_A }, | ||
1661 | .info = { | ||
1662 | .name = "ST STV0297 DVB-C", | ||
1663 | - .frequency_min_hz = 470 * MHz, | ||
1664 | + .frequency_min_hz = 47 * MHz, | ||
1665 | .frequency_max_hz = 862 * MHz, | ||
1666 | .frequency_stepsize_hz = 62500, | ||
1667 | .symbol_rate_min = 870000, | ||
1668 | diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile | ||
1669 | index 951c984de61a..fb10eafe9bde 100644 | ||
1670 | --- a/drivers/misc/lkdtm/Makefile | ||
1671 | +++ b/drivers/misc/lkdtm/Makefile | ||
1672 | @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o := n | ||
1673 | |||
1674 | OBJCOPYFLAGS := | ||
1675 | OBJCOPYFLAGS_rodata_objcopy.o := \ | ||
1676 | - --set-section-flags .text=alloc,readonly \ | ||
1677 | - --rename-section .text=.rodata | ||
1678 | + --rename-section .text=.rodata,alloc,readonly,load | ||
1679 | targets += rodata.o rodata_objcopy.o | ||
1680 | $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE | ||
1681 | $(call if_changed,objcopy) | ||
1682 | diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c | ||
1683 | index 300ed69fe2c7..16695366ec92 100644 | ||
1684 | --- a/drivers/misc/vmw_vmci/vmci_context.c | ||
1685 | +++ b/drivers/misc/vmw_vmci/vmci_context.c | ||
1686 | @@ -21,6 +21,9 @@ | ||
1687 | #include "vmci_driver.h" | ||
1688 | #include "vmci_event.h" | ||
1689 | |||
1690 | +/* Use a wide upper bound for the maximum contexts. */ | ||
1691 | +#define VMCI_MAX_CONTEXTS 2000 | ||
1692 | + | ||
1693 | /* | ||
1694 | * List of current VMCI contexts. Contexts can be added by | ||
1695 | * vmci_ctx_create() and removed via vmci_ctx_destroy(). | ||
1696 | @@ -117,19 +120,22 @@ struct vmci_ctx *vmci_ctx_create(u32 cid, u32 priv_flags, | ||
1697 | /* Initialize host-specific VMCI context. */ | ||
1698 | init_waitqueue_head(&context->host_context.wait_queue); | ||
1699 | |||
1700 | - context->queue_pair_array = vmci_handle_arr_create(0); | ||
1701 | + context->queue_pair_array = | ||
1702 | + vmci_handle_arr_create(0, VMCI_MAX_GUEST_QP_COUNT); | ||
1703 | if (!context->queue_pair_array) { | ||
1704 | error = -ENOMEM; | ||
1705 | goto err_free_ctx; | ||
1706 | } | ||
1707 | |||
1708 | - context->doorbell_array = vmci_handle_arr_create(0); | ||
1709 | + context->doorbell_array = | ||
1710 | + vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT); | ||
1711 | if (!context->doorbell_array) { | ||
1712 | error = -ENOMEM; | ||
1713 | goto err_free_qp_array; | ||
1714 | } | ||
1715 | |||
1716 | - context->pending_doorbell_array = vmci_handle_arr_create(0); | ||
1717 | + context->pending_doorbell_array = | ||
1718 | + vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT); | ||
1719 | if (!context->pending_doorbell_array) { | ||
1720 | error = -ENOMEM; | ||
1721 | goto err_free_db_array; | ||
1722 | @@ -204,7 +210,7 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags) | ||
1723 | * We create an array to hold the subscribers we find when | ||
1724 | * scanning through all contexts. | ||
1725 | */ | ||
1726 | - subscriber_array = vmci_handle_arr_create(0); | ||
1727 | + subscriber_array = vmci_handle_arr_create(0, VMCI_MAX_CONTEXTS); | ||
1728 | if (subscriber_array == NULL) | ||
1729 | return VMCI_ERROR_NO_MEM; | ||
1730 | |||
1731 | @@ -623,20 +629,26 @@ int vmci_ctx_add_notification(u32 context_id, u32 remote_cid) | ||
1732 | |||
1733 | spin_lock(&context->lock); | ||
1734 | |||
1735 | - list_for_each_entry(n, &context->notifier_list, node) { | ||
1736 | - if (vmci_handle_is_equal(n->handle, notifier->handle)) { | ||
1737 | - exists = true; | ||
1738 | - break; | ||
1739 | + if (context->n_notifiers < VMCI_MAX_CONTEXTS) { | ||
1740 | + list_for_each_entry(n, &context->notifier_list, node) { | ||
1741 | + if (vmci_handle_is_equal(n->handle, notifier->handle)) { | ||
1742 | + exists = true; | ||
1743 | + break; | ||
1744 | + } | ||
1745 | } | ||
1746 | - } | ||
1747 | |||
1748 | - if (exists) { | ||
1749 | - kfree(notifier); | ||
1750 | - result = VMCI_ERROR_ALREADY_EXISTS; | ||
1751 | + if (exists) { | ||
1752 | + kfree(notifier); | ||
1753 | + result = VMCI_ERROR_ALREADY_EXISTS; | ||
1754 | + } else { | ||
1755 | + list_add_tail_rcu(¬ifier->node, | ||
1756 | + &context->notifier_list); | ||
1757 | + context->n_notifiers++; | ||
1758 | + result = VMCI_SUCCESS; | ||
1759 | + } | ||
1760 | } else { | ||
1761 | - list_add_tail_rcu(¬ifier->node, &context->notifier_list); | ||
1762 | - context->n_notifiers++; | ||
1763 | - result = VMCI_SUCCESS; | ||
1764 | + kfree(notifier); | ||
1765 | + result = VMCI_ERROR_NO_MEM; | ||
1766 | } | ||
1767 | |||
1768 | spin_unlock(&context->lock); | ||
1769 | @@ -721,8 +733,7 @@ static int vmci_ctx_get_chkpt_doorbells(struct vmci_ctx *context, | ||
1770 | u32 *buf_size, void **pbuf) | ||
1771 | { | ||
1772 | struct dbell_cpt_state *dbells; | ||
1773 | - size_t n_doorbells; | ||
1774 | - int i; | ||
1775 | + u32 i, n_doorbells; | ||
1776 | |||
1777 | n_doorbells = vmci_handle_arr_get_size(context->doorbell_array); | ||
1778 | if (n_doorbells > 0) { | ||
1779 | @@ -860,7 +871,8 @@ int vmci_ctx_rcv_notifications_get(u32 context_id, | ||
1780 | spin_lock(&context->lock); | ||
1781 | |||
1782 | *db_handle_array = context->pending_doorbell_array; | ||
1783 | - context->pending_doorbell_array = vmci_handle_arr_create(0); | ||
1784 | + context->pending_doorbell_array = | ||
1785 | + vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT); | ||
1786 | if (!context->pending_doorbell_array) { | ||
1787 | context->pending_doorbell_array = *db_handle_array; | ||
1788 | *db_handle_array = NULL; | ||
1789 | @@ -942,12 +954,11 @@ int vmci_ctx_dbell_create(u32 context_id, struct vmci_handle handle) | ||
1790 | return VMCI_ERROR_NOT_FOUND; | ||
1791 | |||
1792 | spin_lock(&context->lock); | ||
1793 | - if (!vmci_handle_arr_has_entry(context->doorbell_array, handle)) { | ||
1794 | - vmci_handle_arr_append_entry(&context->doorbell_array, handle); | ||
1795 | - result = VMCI_SUCCESS; | ||
1796 | - } else { | ||
1797 | + if (!vmci_handle_arr_has_entry(context->doorbell_array, handle)) | ||
1798 | + result = vmci_handle_arr_append_entry(&context->doorbell_array, | ||
1799 | + handle); | ||
1800 | + else | ||
1801 | result = VMCI_ERROR_DUPLICATE_ENTRY; | ||
1802 | - } | ||
1803 | |||
1804 | spin_unlock(&context->lock); | ||
1805 | vmci_ctx_put(context); | ||
1806 | @@ -1083,15 +1094,16 @@ int vmci_ctx_notify_dbell(u32 src_cid, | ||
1807 | if (!vmci_handle_arr_has_entry( | ||
1808 | dst_context->pending_doorbell_array, | ||
1809 | handle)) { | ||
1810 | - vmci_handle_arr_append_entry( | ||
1811 | + result = vmci_handle_arr_append_entry( | ||
1812 | &dst_context->pending_doorbell_array, | ||
1813 | handle); | ||
1814 | - | ||
1815 | - ctx_signal_notify(dst_context); | ||
1816 | - wake_up(&dst_context->host_context.wait_queue); | ||
1817 | - | ||
1818 | + if (result == VMCI_SUCCESS) { | ||
1819 | + ctx_signal_notify(dst_context); | ||
1820 | + wake_up(&dst_context->host_context.wait_queue); | ||
1821 | + } | ||
1822 | + } else { | ||
1823 | + result = VMCI_SUCCESS; | ||
1824 | } | ||
1825 | - result = VMCI_SUCCESS; | ||
1826 | } | ||
1827 | spin_unlock(&dst_context->lock); | ||
1828 | } | ||
1829 | @@ -1118,13 +1130,11 @@ int vmci_ctx_qp_create(struct vmci_ctx *context, struct vmci_handle handle) | ||
1830 | if (context == NULL || vmci_handle_is_invalid(handle)) | ||
1831 | return VMCI_ERROR_INVALID_ARGS; | ||
1832 | |||
1833 | - if (!vmci_handle_arr_has_entry(context->queue_pair_array, handle)) { | ||
1834 | - vmci_handle_arr_append_entry(&context->queue_pair_array, | ||
1835 | - handle); | ||
1836 | - result = VMCI_SUCCESS; | ||
1837 | - } else { | ||
1838 | + if (!vmci_handle_arr_has_entry(context->queue_pair_array, handle)) | ||
1839 | + result = vmci_handle_arr_append_entry( | ||
1840 | + &context->queue_pair_array, handle); | ||
1841 | + else | ||
1842 | result = VMCI_ERROR_DUPLICATE_ENTRY; | ||
1843 | - } | ||
1844 | |||
1845 | return result; | ||
1846 | } | ||
1847 | diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.c b/drivers/misc/vmw_vmci/vmci_handle_array.c | ||
1848 | index c527388f5d7b..de7fee7ead1b 100644 | ||
1849 | --- a/drivers/misc/vmw_vmci/vmci_handle_array.c | ||
1850 | +++ b/drivers/misc/vmw_vmci/vmci_handle_array.c | ||
1851 | @@ -8,24 +8,29 @@ | ||
1852 | #include <linux/slab.h> | ||
1853 | #include "vmci_handle_array.h" | ||
1854 | |||
1855 | -static size_t handle_arr_calc_size(size_t capacity) | ||
1856 | +static size_t handle_arr_calc_size(u32 capacity) | ||
1857 | { | ||
1858 | - return sizeof(struct vmci_handle_arr) + | ||
1859 | + return VMCI_HANDLE_ARRAY_HEADER_SIZE + | ||
1860 | capacity * sizeof(struct vmci_handle); | ||
1861 | } | ||
1862 | |||
1863 | -struct vmci_handle_arr *vmci_handle_arr_create(size_t capacity) | ||
1864 | +struct vmci_handle_arr *vmci_handle_arr_create(u32 capacity, u32 max_capacity) | ||
1865 | { | ||
1866 | struct vmci_handle_arr *array; | ||
1867 | |||
1868 | + if (max_capacity == 0 || capacity > max_capacity) | ||
1869 | + return NULL; | ||
1870 | + | ||
1871 | if (capacity == 0) | ||
1872 | - capacity = VMCI_HANDLE_ARRAY_DEFAULT_SIZE; | ||
1873 | + capacity = min((u32)VMCI_HANDLE_ARRAY_DEFAULT_CAPACITY, | ||
1874 | + max_capacity); | ||
1875 | |||
1876 | array = kmalloc(handle_arr_calc_size(capacity), GFP_ATOMIC); | ||
1877 | if (!array) | ||
1878 | return NULL; | ||
1879 | |||
1880 | array->capacity = capacity; | ||
1881 | + array->max_capacity = max_capacity; | ||
1882 | array->size = 0; | ||
1883 | |||
1884 | return array; | ||
1885 | @@ -36,27 +41,34 @@ void vmci_handle_arr_destroy(struct vmci_handle_arr *array) | ||
1886 | kfree(array); | ||
1887 | } | ||
1888 | |||
1889 | -void vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr, | ||
1890 | - struct vmci_handle handle) | ||
1891 | +int vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr, | ||
1892 | + struct vmci_handle handle) | ||
1893 | { | ||
1894 | struct vmci_handle_arr *array = *array_ptr; | ||
1895 | |||
1896 | if (unlikely(array->size >= array->capacity)) { | ||
1897 | /* reallocate. */ | ||
1898 | struct vmci_handle_arr *new_array; | ||
1899 | - size_t new_capacity = array->capacity * VMCI_ARR_CAP_MULT; | ||
1900 | - size_t new_size = handle_arr_calc_size(new_capacity); | ||
1901 | + u32 capacity_bump = min(array->max_capacity - array->capacity, | ||
1902 | + array->capacity); | ||
1903 | + size_t new_size = handle_arr_calc_size(array->capacity + | ||
1904 | + capacity_bump); | ||
1905 | + | ||
1906 | + if (array->size >= array->max_capacity) | ||
1907 | + return VMCI_ERROR_NO_MEM; | ||
1908 | |||
1909 | new_array = krealloc(array, new_size, GFP_ATOMIC); | ||
1910 | if (!new_array) | ||
1911 | - return; | ||
1912 | + return VMCI_ERROR_NO_MEM; | ||
1913 | |||
1914 | - new_array->capacity = new_capacity; | ||
1915 | + new_array->capacity += capacity_bump; | ||
1916 | *array_ptr = array = new_array; | ||
1917 | } | ||
1918 | |||
1919 | array->entries[array->size] = handle; | ||
1920 | array->size++; | ||
1921 | + | ||
1922 | + return VMCI_SUCCESS; | ||
1923 | } | ||
1924 | |||
1925 | /* | ||
1926 | @@ -66,7 +78,7 @@ struct vmci_handle vmci_handle_arr_remove_entry(struct vmci_handle_arr *array, | ||
1927 | struct vmci_handle entry_handle) | ||
1928 | { | ||
1929 | struct vmci_handle handle = VMCI_INVALID_HANDLE; | ||
1930 | - size_t i; | ||
1931 | + u32 i; | ||
1932 | |||
1933 | for (i = 0; i < array->size; i++) { | ||
1934 | if (vmci_handle_is_equal(array->entries[i], entry_handle)) { | ||
1935 | @@ -101,7 +113,7 @@ struct vmci_handle vmci_handle_arr_remove_tail(struct vmci_handle_arr *array) | ||
1936 | * Handle at given index, VMCI_INVALID_HANDLE if invalid index. | ||
1937 | */ | ||
1938 | struct vmci_handle | ||
1939 | -vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index) | ||
1940 | +vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, u32 index) | ||
1941 | { | ||
1942 | if (unlikely(index >= array->size)) | ||
1943 | return VMCI_INVALID_HANDLE; | ||
1944 | @@ -112,7 +124,7 @@ vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index) | ||
1945 | bool vmci_handle_arr_has_entry(const struct vmci_handle_arr *array, | ||
1946 | struct vmci_handle entry_handle) | ||
1947 | { | ||
1948 | - size_t i; | ||
1949 | + u32 i; | ||
1950 | |||
1951 | for (i = 0; i < array->size; i++) | ||
1952 | if (vmci_handle_is_equal(array->entries[i], entry_handle)) | ||
1953 | diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.h b/drivers/misc/vmw_vmci/vmci_handle_array.h | ||
1954 | index bd1559a548e9..96193f85be5b 100644 | ||
1955 | --- a/drivers/misc/vmw_vmci/vmci_handle_array.h | ||
1956 | +++ b/drivers/misc/vmw_vmci/vmci_handle_array.h | ||
1957 | @@ -9,32 +9,41 @@ | ||
1958 | #define _VMCI_HANDLE_ARRAY_H_ | ||
1959 | |||
1960 | #include <linux/vmw_vmci_defs.h> | ||
1961 | +#include <linux/limits.h> | ||
1962 | #include <linux/types.h> | ||
1963 | |||
1964 | -#define VMCI_HANDLE_ARRAY_DEFAULT_SIZE 4 | ||
1965 | -#define VMCI_ARR_CAP_MULT 2 /* Array capacity multiplier */ | ||
1966 | - | ||
1967 | struct vmci_handle_arr { | ||
1968 | - size_t capacity; | ||
1969 | - size_t size; | ||
1970 | + u32 capacity; | ||
1971 | + u32 max_capacity; | ||
1972 | + u32 size; | ||
1973 | + u32 pad; | ||
1974 | struct vmci_handle entries[]; | ||
1975 | }; | ||
1976 | |||
1977 | -struct vmci_handle_arr *vmci_handle_arr_create(size_t capacity); | ||
1978 | +#define VMCI_HANDLE_ARRAY_HEADER_SIZE \ | ||
1979 | + offsetof(struct vmci_handle_arr, entries) | ||
1980 | +/* Select a default capacity that results in a 64 byte sized array */ | ||
1981 | +#define VMCI_HANDLE_ARRAY_DEFAULT_CAPACITY 6 | ||
1982 | +/* Make sure that the max array size can be expressed by a u32 */ | ||
1983 | +#define VMCI_HANDLE_ARRAY_MAX_CAPACITY \ | ||
1984 | + ((U32_MAX - VMCI_HANDLE_ARRAY_HEADER_SIZE - 1) / \ | ||
1985 | + sizeof(struct vmci_handle)) | ||
1986 | + | ||
1987 | +struct vmci_handle_arr *vmci_handle_arr_create(u32 capacity, u32 max_capacity); | ||
1988 | void vmci_handle_arr_destroy(struct vmci_handle_arr *array); | ||
1989 | -void vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr, | ||
1990 | - struct vmci_handle handle); | ||
1991 | +int vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr, | ||
1992 | + struct vmci_handle handle); | ||
1993 | struct vmci_handle vmci_handle_arr_remove_entry(struct vmci_handle_arr *array, | ||
1994 | struct vmci_handle | ||
1995 | entry_handle); | ||
1996 | struct vmci_handle vmci_handle_arr_remove_tail(struct vmci_handle_arr *array); | ||
1997 | struct vmci_handle | ||
1998 | -vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index); | ||
1999 | +vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, u32 index); | ||
2000 | bool vmci_handle_arr_has_entry(const struct vmci_handle_arr *array, | ||
2001 | struct vmci_handle entry_handle); | ||
2002 | struct vmci_handle *vmci_handle_arr_get_handles(struct vmci_handle_arr *array); | ||
2003 | |||
2004 | -static inline size_t vmci_handle_arr_get_size( | ||
2005 | +static inline u32 vmci_handle_arr_get_size( | ||
2006 | const struct vmci_handle_arr *array) | ||
2007 | { | ||
2008 | return array->size; | ||
2009 | diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c | ||
2010 | index e7c3f3b8457d..99f1897a775d 100644 | ||
2011 | --- a/drivers/net/wireless/ath/carl9170/usb.c | ||
2012 | +++ b/drivers/net/wireless/ath/carl9170/usb.c | ||
2013 | @@ -128,6 +128,8 @@ static const struct usb_device_id carl9170_usb_ids[] = { | ||
2014 | }; | ||
2015 | MODULE_DEVICE_TABLE(usb, carl9170_usb_ids); | ||
2016 | |||
2017 | +static struct usb_driver carl9170_driver; | ||
2018 | + | ||
2019 | static void carl9170_usb_submit_data_urb(struct ar9170 *ar) | ||
2020 | { | ||
2021 | struct urb *urb; | ||
2022 | @@ -966,32 +968,28 @@ err_out: | ||
2023 | |||
2024 | static void carl9170_usb_firmware_failed(struct ar9170 *ar) | ||
2025 | { | ||
2026 | - struct device *parent = ar->udev->dev.parent; | ||
2027 | - struct usb_device *udev; | ||
2028 | - | ||
2029 | - /* | ||
2030 | - * Store a copy of the usb_device pointer locally. | ||
2031 | - * This is because device_release_driver initiates | ||
2032 | - * carl9170_usb_disconnect, which in turn frees our | ||
2033 | - * driver context (ar). | ||
2034 | + /* Store a copies of the usb_interface and usb_device pointer locally. | ||
2035 | + * This is because release_driver initiates carl9170_usb_disconnect, | ||
2036 | + * which in turn frees our driver context (ar). | ||
2037 | */ | ||
2038 | - udev = ar->udev; | ||
2039 | + struct usb_interface *intf = ar->intf; | ||
2040 | + struct usb_device *udev = ar->udev; | ||
2041 | |||
2042 | complete(&ar->fw_load_wait); | ||
2043 | + /* at this point 'ar' could be already freed. Don't use it anymore */ | ||
2044 | + ar = NULL; | ||
2045 | |||
2046 | /* unbind anything failed */ | ||
2047 | - if (parent) | ||
2048 | - device_lock(parent); | ||
2049 | - | ||
2050 | - device_release_driver(&udev->dev); | ||
2051 | - if (parent) | ||
2052 | - device_unlock(parent); | ||
2053 | + usb_lock_device(udev); | ||
2054 | + usb_driver_release_interface(&carl9170_driver, intf); | ||
2055 | + usb_unlock_device(udev); | ||
2056 | |||
2057 | - usb_put_dev(udev); | ||
2058 | + usb_put_intf(intf); | ||
2059 | } | ||
2060 | |||
2061 | static void carl9170_usb_firmware_finish(struct ar9170 *ar) | ||
2062 | { | ||
2063 | + struct usb_interface *intf = ar->intf; | ||
2064 | int err; | ||
2065 | |||
2066 | err = carl9170_parse_firmware(ar); | ||
2067 | @@ -1009,7 +1007,7 @@ static void carl9170_usb_firmware_finish(struct ar9170 *ar) | ||
2068 | goto err_unrx; | ||
2069 | |||
2070 | complete(&ar->fw_load_wait); | ||
2071 | - usb_put_dev(ar->udev); | ||
2072 | + usb_put_intf(intf); | ||
2073 | return; | ||
2074 | |||
2075 | err_unrx: | ||
2076 | @@ -1052,7 +1050,6 @@ static int carl9170_usb_probe(struct usb_interface *intf, | ||
2077 | return PTR_ERR(ar); | ||
2078 | |||
2079 | udev = interface_to_usbdev(intf); | ||
2080 | - usb_get_dev(udev); | ||
2081 | ar->udev = udev; | ||
2082 | ar->intf = intf; | ||
2083 | ar->features = id->driver_info; | ||
2084 | @@ -1094,15 +1091,14 @@ static int carl9170_usb_probe(struct usb_interface *intf, | ||
2085 | atomic_set(&ar->rx_anch_urbs, 0); | ||
2086 | atomic_set(&ar->rx_pool_urbs, 0); | ||
2087 | |||
2088 | - usb_get_dev(ar->udev); | ||
2089 | + usb_get_intf(intf); | ||
2090 | |||
2091 | carl9170_set_state(ar, CARL9170_STOPPED); | ||
2092 | |||
2093 | err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME, | ||
2094 | &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2); | ||
2095 | if (err) { | ||
2096 | - usb_put_dev(udev); | ||
2097 | - usb_put_dev(udev); | ||
2098 | + usb_put_intf(intf); | ||
2099 | carl9170_free(ar); | ||
2100 | } | ||
2101 | return err; | ||
2102 | @@ -1131,7 +1127,6 @@ static void carl9170_usb_disconnect(struct usb_interface *intf) | ||
2103 | |||
2104 | carl9170_release_firmware(ar); | ||
2105 | carl9170_free(ar); | ||
2106 | - usb_put_dev(udev); | ||
2107 | } | ||
2108 | |||
2109 | #ifdef CONFIG_PM | ||
2110 | diff --git a/drivers/net/wireless/intersil/p54/p54usb.c b/drivers/net/wireless/intersil/p54/p54usb.c | ||
2111 | index f937815f0f2c..b94764c88750 100644 | ||
2112 | --- a/drivers/net/wireless/intersil/p54/p54usb.c | ||
2113 | +++ b/drivers/net/wireless/intersil/p54/p54usb.c | ||
2114 | @@ -30,6 +30,8 @@ MODULE_ALIAS("prism54usb"); | ||
2115 | MODULE_FIRMWARE("isl3886usb"); | ||
2116 | MODULE_FIRMWARE("isl3887usb"); | ||
2117 | |||
2118 | +static struct usb_driver p54u_driver; | ||
2119 | + | ||
2120 | /* | ||
2121 | * Note: | ||
2122 | * | ||
2123 | @@ -918,9 +920,9 @@ static void p54u_load_firmware_cb(const struct firmware *firmware, | ||
2124 | { | ||
2125 | struct p54u_priv *priv = context; | ||
2126 | struct usb_device *udev = priv->udev; | ||
2127 | + struct usb_interface *intf = priv->intf; | ||
2128 | int err; | ||
2129 | |||
2130 | - complete(&priv->fw_wait_load); | ||
2131 | if (firmware) { | ||
2132 | priv->fw = firmware; | ||
2133 | err = p54u_start_ops(priv); | ||
2134 | @@ -929,26 +931,22 @@ static void p54u_load_firmware_cb(const struct firmware *firmware, | ||
2135 | dev_err(&udev->dev, "Firmware not found.\n"); | ||
2136 | } | ||
2137 | |||
2138 | - if (err) { | ||
2139 | - struct device *parent = priv->udev->dev.parent; | ||
2140 | - | ||
2141 | - dev_err(&udev->dev, "failed to initialize device (%d)\n", err); | ||
2142 | - | ||
2143 | - if (parent) | ||
2144 | - device_lock(parent); | ||
2145 | + complete(&priv->fw_wait_load); | ||
2146 | + /* | ||
2147 | + * At this point p54u_disconnect may have already freed | ||
2148 | + * the "priv" context. Do not use it anymore! | ||
2149 | + */ | ||
2150 | + priv = NULL; | ||
2151 | |||
2152 | - device_release_driver(&udev->dev); | ||
2153 | - /* | ||
2154 | - * At this point p54u_disconnect has already freed | ||
2155 | - * the "priv" context. Do not use it anymore! | ||
2156 | - */ | ||
2157 | - priv = NULL; | ||
2158 | + if (err) { | ||
2159 | + dev_err(&intf->dev, "failed to initialize device (%d)\n", err); | ||
2160 | |||
2161 | - if (parent) | ||
2162 | - device_unlock(parent); | ||
2163 | + usb_lock_device(udev); | ||
2164 | + usb_driver_release_interface(&p54u_driver, intf); | ||
2165 | + usb_unlock_device(udev); | ||
2166 | } | ||
2167 | |||
2168 | - usb_put_dev(udev); | ||
2169 | + usb_put_intf(intf); | ||
2170 | } | ||
2171 | |||
2172 | static int p54u_load_firmware(struct ieee80211_hw *dev, | ||
2173 | @@ -969,14 +967,14 @@ static int p54u_load_firmware(struct ieee80211_hw *dev, | ||
2174 | dev_info(&priv->udev->dev, "Loading firmware file %s\n", | ||
2175 | p54u_fwlist[i].fw); | ||
2176 | |||
2177 | - usb_get_dev(udev); | ||
2178 | + usb_get_intf(intf); | ||
2179 | err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw, | ||
2180 | device, GFP_KERNEL, priv, | ||
2181 | p54u_load_firmware_cb); | ||
2182 | if (err) { | ||
2183 | dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s " | ||
2184 | "(%d)!\n", p54u_fwlist[i].fw, err); | ||
2185 | - usb_put_dev(udev); | ||
2186 | + usb_put_intf(intf); | ||
2187 | } | ||
2188 | |||
2189 | return err; | ||
2190 | @@ -1008,8 +1006,6 @@ static int p54u_probe(struct usb_interface *intf, | ||
2191 | skb_queue_head_init(&priv->rx_queue); | ||
2192 | init_usb_anchor(&priv->submitted); | ||
2193 | |||
2194 | - usb_get_dev(udev); | ||
2195 | - | ||
2196 | /* really lazy and simple way of figuring out if we're a 3887 */ | ||
2197 | /* TODO: should just stick the identification in the device table */ | ||
2198 | i = intf->altsetting->desc.bNumEndpoints; | ||
2199 | @@ -1050,10 +1046,8 @@ static int p54u_probe(struct usb_interface *intf, | ||
2200 | priv->upload_fw = p54u_upload_firmware_net2280; | ||
2201 | } | ||
2202 | err = p54u_load_firmware(dev, intf); | ||
2203 | - if (err) { | ||
2204 | - usb_put_dev(udev); | ||
2205 | + if (err) | ||
2206 | p54_free_common(dev); | ||
2207 | - } | ||
2208 | return err; | ||
2209 | } | ||
2210 | |||
2211 | @@ -1069,7 +1063,6 @@ static void p54u_disconnect(struct usb_interface *intf) | ||
2212 | wait_for_completion(&priv->fw_wait_load); | ||
2213 | p54_unregister_common(dev); | ||
2214 | |||
2215 | - usb_put_dev(interface_to_usbdev(intf)); | ||
2216 | release_firmware(priv->fw); | ||
2217 | p54_free_common(dev); | ||
2218 | } | ||
2219 | diff --git a/drivers/net/wireless/intersil/p54/txrx.c b/drivers/net/wireless/intersil/p54/txrx.c | ||
2220 | index ff9acd1563f4..5892898f8853 100644 | ||
2221 | --- a/drivers/net/wireless/intersil/p54/txrx.c | ||
2222 | +++ b/drivers/net/wireless/intersil/p54/txrx.c | ||
2223 | @@ -139,7 +139,10 @@ static int p54_assign_address(struct p54_common *priv, struct sk_buff *skb) | ||
2224 | unlikely(GET_HW_QUEUE(skb) == P54_QUEUE_BEACON)) | ||
2225 | priv->beacon_req_id = data->req_id; | ||
2226 | |||
2227 | - __skb_queue_after(&priv->tx_queue, target_skb, skb); | ||
2228 | + if (target_skb) | ||
2229 | + __skb_queue_after(&priv->tx_queue, target_skb, skb); | ||
2230 | + else | ||
2231 | + __skb_queue_head(&priv->tx_queue, skb); | ||
2232 | spin_unlock_irqrestore(&priv->tx_queue.lock, flags); | ||
2233 | return 0; | ||
2234 | } | ||
2235 | diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h | ||
2236 | index b73f99dc5a72..1fb76d2f5d3f 100644 | ||
2237 | --- a/drivers/net/wireless/marvell/mwifiex/fw.h | ||
2238 | +++ b/drivers/net/wireless/marvell/mwifiex/fw.h | ||
2239 | @@ -1759,9 +1759,10 @@ struct mwifiex_ie_types_wmm_queue_status { | ||
2240 | struct ieee_types_vendor_header { | ||
2241 | u8 element_id; | ||
2242 | u8 len; | ||
2243 | - u8 oui[4]; /* 0~2: oui, 3: oui_type */ | ||
2244 | - u8 oui_subtype; | ||
2245 | - u8 version; | ||
2246 | + struct { | ||
2247 | + u8 oui[3]; | ||
2248 | + u8 oui_type; | ||
2249 | + } __packed oui; | ||
2250 | } __packed; | ||
2251 | |||
2252 | struct ieee_types_wmm_parameter { | ||
2253 | @@ -1775,6 +1776,9 @@ struct ieee_types_wmm_parameter { | ||
2254 | * Version [1] | ||
2255 | */ | ||
2256 | struct ieee_types_vendor_header vend_hdr; | ||
2257 | + u8 oui_subtype; | ||
2258 | + u8 version; | ||
2259 | + | ||
2260 | u8 qos_info_bitmap; | ||
2261 | u8 reserved; | ||
2262 | struct ieee_types_wmm_ac_parameters ac_params[IEEE80211_NUM_ACS]; | ||
2263 | @@ -1792,6 +1796,8 @@ struct ieee_types_wmm_info { | ||
2264 | * Version [1] | ||
2265 | */ | ||
2266 | struct ieee_types_vendor_header vend_hdr; | ||
2267 | + u8 oui_subtype; | ||
2268 | + u8 version; | ||
2269 | |||
2270 | u8 qos_info_bitmap; | ||
2271 | } __packed; | ||
2272 | diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c | ||
2273 | index c269a0de9413..e2786ab612ca 100644 | ||
2274 | --- a/drivers/net/wireless/marvell/mwifiex/scan.c | ||
2275 | +++ b/drivers/net/wireless/marvell/mwifiex/scan.c | ||
2276 | @@ -1361,21 +1361,25 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, | ||
2277 | break; | ||
2278 | |||
2279 | case WLAN_EID_VENDOR_SPECIFIC: | ||
2280 | - if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) | ||
2281 | - return -EINVAL; | ||
2282 | - | ||
2283 | vendor_ie = (struct ieee_types_vendor_specific *) | ||
2284 | current_ptr; | ||
2285 | |||
2286 | - if (!memcmp | ||
2287 | - (vendor_ie->vend_hdr.oui, wpa_oui, | ||
2288 | - sizeof(wpa_oui))) { | ||
2289 | + /* 802.11 requires at least 3-byte OUI. */ | ||
2290 | + if (element_len < sizeof(vendor_ie->vend_hdr.oui.oui)) | ||
2291 | + return -EINVAL; | ||
2292 | + | ||
2293 | + /* Not long enough for a match? Skip it. */ | ||
2294 | + if (element_len < sizeof(wpa_oui)) | ||
2295 | + break; | ||
2296 | + | ||
2297 | + if (!memcmp(&vendor_ie->vend_hdr.oui, wpa_oui, | ||
2298 | + sizeof(wpa_oui))) { | ||
2299 | bss_entry->bcn_wpa_ie = | ||
2300 | (struct ieee_types_vendor_specific *) | ||
2301 | current_ptr; | ||
2302 | bss_entry->wpa_offset = (u16) | ||
2303 | (current_ptr - bss_entry->beacon_buf); | ||
2304 | - } else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui, | ||
2305 | + } else if (!memcmp(&vendor_ie->vend_hdr.oui, wmm_oui, | ||
2306 | sizeof(wmm_oui))) { | ||
2307 | if (total_ie_len == | ||
2308 | sizeof(struct ieee_types_wmm_parameter) || | ||
2309 | diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | ||
2310 | index ebc0e41e5d3b..74e50566db1f 100644 | ||
2311 | --- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | ||
2312 | +++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | ||
2313 | @@ -1351,7 +1351,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex_private *priv, u8 *ie_data_ptr, | ||
2314 | /* Test to see if it is a WPA IE, if not, then | ||
2315 | * it is a gen IE | ||
2316 | */ | ||
2317 | - if (!memcmp(pvendor_ie->oui, wpa_oui, | ||
2318 | + if (!memcmp(&pvendor_ie->oui, wpa_oui, | ||
2319 | sizeof(wpa_oui))) { | ||
2320 | /* IE is a WPA/WPA2 IE so call set_wpa function | ||
2321 | */ | ||
2322 | @@ -1361,7 +1361,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex_private *priv, u8 *ie_data_ptr, | ||
2323 | goto next_ie; | ||
2324 | } | ||
2325 | |||
2326 | - if (!memcmp(pvendor_ie->oui, wps_oui, | ||
2327 | + if (!memcmp(&pvendor_ie->oui, wps_oui, | ||
2328 | sizeof(wps_oui))) { | ||
2329 | /* Test to see if it is a WPS IE, | ||
2330 | * if so, enable wps session flag | ||
2331 | diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c | ||
2332 | index 407b9932ca4d..64916ba15df5 100644 | ||
2333 | --- a/drivers/net/wireless/marvell/mwifiex/wmm.c | ||
2334 | +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c | ||
2335 | @@ -240,7 +240,7 @@ mwifiex_wmm_setup_queue_priorities(struct mwifiex_private *priv, | ||
2336 | mwifiex_dbg(priv->adapter, INFO, | ||
2337 | "info: WMM Parameter IE: version=%d,\t" | ||
2338 | "qos_info Parameter Set Count=%d, Reserved=%#x\n", | ||
2339 | - wmm_ie->vend_hdr.version, wmm_ie->qos_info_bitmap & | ||
2340 | + wmm_ie->version, wmm_ie->qos_info_bitmap & | ||
2341 | IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK, | ||
2342 | wmm_ie->reserved); | ||
2343 | |||
2344 | diff --git a/drivers/staging/comedi/drivers/amplc_pci230.c b/drivers/staging/comedi/drivers/amplc_pci230.c | ||
2345 | index 65f60c2b702a..f7e673121864 100644 | ||
2346 | --- a/drivers/staging/comedi/drivers/amplc_pci230.c | ||
2347 | +++ b/drivers/staging/comedi/drivers/amplc_pci230.c | ||
2348 | @@ -2330,7 +2330,8 @@ static irqreturn_t pci230_interrupt(int irq, void *d) | ||
2349 | devpriv->intr_running = false; | ||
2350 | spin_unlock_irqrestore(&devpriv->isr_spinlock, irqflags); | ||
2351 | |||
2352 | - comedi_handle_events(dev, s_ao); | ||
2353 | + if (s_ao) | ||
2354 | + comedi_handle_events(dev, s_ao); | ||
2355 | comedi_handle_events(dev, s_ai); | ||
2356 | |||
2357 | return IRQ_HANDLED; | ||
2358 | diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c | ||
2359 | index 3be927f1d3a9..e15e33ed94ae 100644 | ||
2360 | --- a/drivers/staging/comedi/drivers/dt282x.c | ||
2361 | +++ b/drivers/staging/comedi/drivers/dt282x.c | ||
2362 | @@ -557,7 +557,8 @@ static irqreturn_t dt282x_interrupt(int irq, void *d) | ||
2363 | } | ||
2364 | #endif | ||
2365 | comedi_handle_events(dev, s); | ||
2366 | - comedi_handle_events(dev, s_ao); | ||
2367 | + if (s_ao) | ||
2368 | + comedi_handle_events(dev, s_ao); | ||
2369 | |||
2370 | return IRQ_RETVAL(handled); | ||
2371 | } | ||
2372 | diff --git a/drivers/staging/fsl-dpaa2/ethsw/ethsw.c b/drivers/staging/fsl-dpaa2/ethsw/ethsw.c | ||
2373 | index e3c3e427309a..f73edaf6ce87 100644 | ||
2374 | --- a/drivers/staging/fsl-dpaa2/ethsw/ethsw.c | ||
2375 | +++ b/drivers/staging/fsl-dpaa2/ethsw/ethsw.c | ||
2376 | @@ -1086,6 +1086,7 @@ static int port_switchdev_event(struct notifier_block *unused, | ||
2377 | dev_hold(dev); | ||
2378 | break; | ||
2379 | default: | ||
2380 | + kfree(switchdev_work); | ||
2381 | return NOTIFY_DONE; | ||
2382 | } | ||
2383 | |||
2384 | diff --git a/drivers/staging/mt7621-pci/pci-mt7621.c b/drivers/staging/mt7621-pci/pci-mt7621.c | ||
2385 | index 03d919a94552..93763d40e3a1 100644 | ||
2386 | --- a/drivers/staging/mt7621-pci/pci-mt7621.c | ||
2387 | +++ b/drivers/staging/mt7621-pci/pci-mt7621.c | ||
2388 | @@ -40,7 +40,7 @@ | ||
2389 | /* MediaTek specific configuration registers */ | ||
2390 | #define PCIE_FTS_NUM 0x70c | ||
2391 | #define PCIE_FTS_NUM_MASK GENMASK(15, 8) | ||
2392 | -#define PCIE_FTS_NUM_L0(x) ((x) & 0xff << 8) | ||
2393 | +#define PCIE_FTS_NUM_L0(x) (((x) & 0xff) << 8) | ||
2394 | |||
2395 | /* rt_sysc_membase relative registers */ | ||
2396 | #define RALINK_PCIE_CLK_GEN 0x7c | ||
2397 | diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c | ||
2398 | index a7230c0c7b23..8f5a8ac1b010 100644 | ||
2399 | --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c | ||
2400 | +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c | ||
2401 | @@ -124,10 +124,91 @@ static inline void handle_group_key(struct ieee_param *param, | ||
2402 | } | ||
2403 | } | ||
2404 | |||
2405 | -static noinline_for_stack char *translate_scan(struct _adapter *padapter, | ||
2406 | - struct iw_request_info *info, | ||
2407 | - struct wlan_network *pnetwork, | ||
2408 | - char *start, char *stop) | ||
2409 | +static noinline_for_stack char *translate_scan_wpa(struct iw_request_info *info, | ||
2410 | + struct wlan_network *pnetwork, | ||
2411 | + struct iw_event *iwe, | ||
2412 | + char *start, char *stop) | ||
2413 | +{ | ||
2414 | + /* parsing WPA/WPA2 IE */ | ||
2415 | + u8 buf[MAX_WPA_IE_LEN]; | ||
2416 | + u8 wpa_ie[255], rsn_ie[255]; | ||
2417 | + u16 wpa_len = 0, rsn_len = 0; | ||
2418 | + int n, i; | ||
2419 | + | ||
2420 | + r8712_get_sec_ie(pnetwork->network.IEs, | ||
2421 | + pnetwork->network.IELength, rsn_ie, &rsn_len, | ||
2422 | + wpa_ie, &wpa_len); | ||
2423 | + if (wpa_len > 0) { | ||
2424 | + memset(buf, 0, MAX_WPA_IE_LEN); | ||
2425 | + n = sprintf(buf, "wpa_ie="); | ||
2426 | + for (i = 0; i < wpa_len; i++) { | ||
2427 | + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, | ||
2428 | + "%02x", wpa_ie[i]); | ||
2429 | + if (n >= MAX_WPA_IE_LEN) | ||
2430 | + break; | ||
2431 | + } | ||
2432 | + memset(iwe, 0, sizeof(*iwe)); | ||
2433 | + iwe->cmd = IWEVCUSTOM; | ||
2434 | + iwe->u.data.length = (u16)strlen(buf); | ||
2435 | + start = iwe_stream_add_point(info, start, stop, | ||
2436 | + iwe, buf); | ||
2437 | + memset(iwe, 0, sizeof(*iwe)); | ||
2438 | + iwe->cmd = IWEVGENIE; | ||
2439 | + iwe->u.data.length = (u16)wpa_len; | ||
2440 | + start = iwe_stream_add_point(info, start, stop, | ||
2441 | + iwe, wpa_ie); | ||
2442 | + } | ||
2443 | + if (rsn_len > 0) { | ||
2444 | + memset(buf, 0, MAX_WPA_IE_LEN); | ||
2445 | + n = sprintf(buf, "rsn_ie="); | ||
2446 | + for (i = 0; i < rsn_len; i++) { | ||
2447 | + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, | ||
2448 | + "%02x", rsn_ie[i]); | ||
2449 | + if (n >= MAX_WPA_IE_LEN) | ||
2450 | + break; | ||
2451 | + } | ||
2452 | + memset(iwe, 0, sizeof(*iwe)); | ||
2453 | + iwe->cmd = IWEVCUSTOM; | ||
2454 | + iwe->u.data.length = strlen(buf); | ||
2455 | + start = iwe_stream_add_point(info, start, stop, | ||
2456 | + iwe, buf); | ||
2457 | + memset(iwe, 0, sizeof(*iwe)); | ||
2458 | + iwe->cmd = IWEVGENIE; | ||
2459 | + iwe->u.data.length = rsn_len; | ||
2460 | + start = iwe_stream_add_point(info, start, stop, iwe, | ||
2461 | + rsn_ie); | ||
2462 | + } | ||
2463 | + | ||
2464 | + return start; | ||
2465 | +} | ||
2466 | + | ||
2467 | +static noinline_for_stack char *translate_scan_wps(struct iw_request_info *info, | ||
2468 | + struct wlan_network *pnetwork, | ||
2469 | + struct iw_event *iwe, | ||
2470 | + char *start, char *stop) | ||
2471 | +{ | ||
2472 | + /* parsing WPS IE */ | ||
2473 | + u8 wps_ie[512]; | ||
2474 | + uint wps_ielen; | ||
2475 | + | ||
2476 | + if (r8712_get_wps_ie(pnetwork->network.IEs, | ||
2477 | + pnetwork->network.IELength, | ||
2478 | + wps_ie, &wps_ielen)) { | ||
2479 | + if (wps_ielen > 2) { | ||
2480 | + iwe->cmd = IWEVGENIE; | ||
2481 | + iwe->u.data.length = (u16)wps_ielen; | ||
2482 | + start = iwe_stream_add_point(info, start, stop, | ||
2483 | + iwe, wps_ie); | ||
2484 | + } | ||
2485 | + } | ||
2486 | + | ||
2487 | + return start; | ||
2488 | +} | ||
2489 | + | ||
2490 | +static char *translate_scan(struct _adapter *padapter, | ||
2491 | + struct iw_request_info *info, | ||
2492 | + struct wlan_network *pnetwork, | ||
2493 | + char *start, char *stop) | ||
2494 | { | ||
2495 | struct iw_event iwe; | ||
2496 | struct ieee80211_ht_cap *pht_capie; | ||
2497 | @@ -240,73 +321,11 @@ static noinline_for_stack char *translate_scan(struct _adapter *padapter, | ||
2498 | /* Check if we added any event */ | ||
2499 | if ((current_val - start) > iwe_stream_lcp_len(info)) | ||
2500 | start = current_val; | ||
2501 | - /* parsing WPA/WPA2 IE */ | ||
2502 | - { | ||
2503 | - u8 buf[MAX_WPA_IE_LEN]; | ||
2504 | - u8 wpa_ie[255], rsn_ie[255]; | ||
2505 | - u16 wpa_len = 0, rsn_len = 0; | ||
2506 | - int n; | ||
2507 | - | ||
2508 | - r8712_get_sec_ie(pnetwork->network.IEs, | ||
2509 | - pnetwork->network.IELength, rsn_ie, &rsn_len, | ||
2510 | - wpa_ie, &wpa_len); | ||
2511 | - if (wpa_len > 0) { | ||
2512 | - memset(buf, 0, MAX_WPA_IE_LEN); | ||
2513 | - n = sprintf(buf, "wpa_ie="); | ||
2514 | - for (i = 0; i < wpa_len; i++) { | ||
2515 | - n += snprintf(buf + n, MAX_WPA_IE_LEN - n, | ||
2516 | - "%02x", wpa_ie[i]); | ||
2517 | - if (n >= MAX_WPA_IE_LEN) | ||
2518 | - break; | ||
2519 | - } | ||
2520 | - memset(&iwe, 0, sizeof(iwe)); | ||
2521 | - iwe.cmd = IWEVCUSTOM; | ||
2522 | - iwe.u.data.length = (u16)strlen(buf); | ||
2523 | - start = iwe_stream_add_point(info, start, stop, | ||
2524 | - &iwe, buf); | ||
2525 | - memset(&iwe, 0, sizeof(iwe)); | ||
2526 | - iwe.cmd = IWEVGENIE; | ||
2527 | - iwe.u.data.length = (u16)wpa_len; | ||
2528 | - start = iwe_stream_add_point(info, start, stop, | ||
2529 | - &iwe, wpa_ie); | ||
2530 | - } | ||
2531 | - if (rsn_len > 0) { | ||
2532 | - memset(buf, 0, MAX_WPA_IE_LEN); | ||
2533 | - n = sprintf(buf, "rsn_ie="); | ||
2534 | - for (i = 0; i < rsn_len; i++) { | ||
2535 | - n += snprintf(buf + n, MAX_WPA_IE_LEN - n, | ||
2536 | - "%02x", rsn_ie[i]); | ||
2537 | - if (n >= MAX_WPA_IE_LEN) | ||
2538 | - break; | ||
2539 | - } | ||
2540 | - memset(&iwe, 0, sizeof(iwe)); | ||
2541 | - iwe.cmd = IWEVCUSTOM; | ||
2542 | - iwe.u.data.length = strlen(buf); | ||
2543 | - start = iwe_stream_add_point(info, start, stop, | ||
2544 | - &iwe, buf); | ||
2545 | - memset(&iwe, 0, sizeof(iwe)); | ||
2546 | - iwe.cmd = IWEVGENIE; | ||
2547 | - iwe.u.data.length = rsn_len; | ||
2548 | - start = iwe_stream_add_point(info, start, stop, &iwe, | ||
2549 | - rsn_ie); | ||
2550 | - } | ||
2551 | - } | ||
2552 | |||
2553 | - { /* parsing WPS IE */ | ||
2554 | - u8 wps_ie[512]; | ||
2555 | - uint wps_ielen; | ||
2556 | + start = translate_scan_wpa(info, pnetwork, &iwe, start, stop); | ||
2557 | + | ||
2558 | + start = translate_scan_wps(info, pnetwork, &iwe, start, stop); | ||
2559 | |||
2560 | - if (r8712_get_wps_ie(pnetwork->network.IEs, | ||
2561 | - pnetwork->network.IELength, | ||
2562 | - wps_ie, &wps_ielen)) { | ||
2563 | - if (wps_ielen > 2) { | ||
2564 | - iwe.cmd = IWEVGENIE; | ||
2565 | - iwe.u.data.length = (u16)wps_ielen; | ||
2566 | - start = iwe_stream_add_point(info, start, stop, | ||
2567 | - &iwe, wps_ie); | ||
2568 | - } | ||
2569 | - } | ||
2570 | - } | ||
2571 | /* Add quality statistics */ | ||
2572 | iwe.cmd = IWEVQUAL; | ||
2573 | rssi = r8712_signal_scale_mapping(pnetwork->network.Rssi); | ||
2574 | diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | ||
2575 | index 68f08dc18da9..5e9187edeef4 100644 | ||
2576 | --- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | ||
2577 | +++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | ||
2578 | @@ -336,16 +336,13 @@ static void buffer_cb(struct vchiq_mmal_instance *instance, | ||
2579 | return; | ||
2580 | } else if (length == 0) { | ||
2581 | /* stream ended */ | ||
2582 | - if (buf) { | ||
2583 | - /* this should only ever happen if the port is | ||
2584 | - * disabled and there are buffers still queued | ||
2585 | + if (dev->capture.frame_count) { | ||
2586 | + /* empty buffer whilst capturing - expected to be an | ||
2587 | + * EOS, so grab another frame | ||
2588 | */ | ||
2589 | - vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR); | ||
2590 | - pr_debug("Empty buffer"); | ||
2591 | - } else if (dev->capture.frame_count) { | ||
2592 | - /* grab another frame */ | ||
2593 | if (is_capturing(dev)) { | ||
2594 | - pr_debug("Grab another frame"); | ||
2595 | + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, | ||
2596 | + "Grab another frame"); | ||
2597 | vchiq_mmal_port_parameter_set( | ||
2598 | instance, | ||
2599 | dev->capture.camera_port, | ||
2600 | @@ -353,8 +350,14 @@ static void buffer_cb(struct vchiq_mmal_instance *instance, | ||
2601 | &dev->capture.frame_count, | ||
2602 | sizeof(dev->capture.frame_count)); | ||
2603 | } | ||
2604 | + if (vchiq_mmal_submit_buffer(instance, port, buf)) | ||
2605 | + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, | ||
2606 | + "Failed to return EOS buffer"); | ||
2607 | } else { | ||
2608 | - /* signal frame completion */ | ||
2609 | + /* stopping streaming. | ||
2610 | + * return buffer, and signal frame completion | ||
2611 | + */ | ||
2612 | + vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR); | ||
2613 | complete(&dev->capture.frame_cmplt); | ||
2614 | } | ||
2615 | } else { | ||
2616 | @@ -576,6 +579,7 @@ static void stop_streaming(struct vb2_queue *vq) | ||
2617 | int ret; | ||
2618 | unsigned long timeout; | ||
2619 | struct bm2835_mmal_dev *dev = vb2_get_drv_priv(vq); | ||
2620 | + struct vchiq_mmal_port *port = dev->capture.port; | ||
2621 | |||
2622 | v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, "%s: dev:%p\n", | ||
2623 | __func__, dev); | ||
2624 | @@ -599,12 +603,6 @@ static void stop_streaming(struct vb2_queue *vq) | ||
2625 | &dev->capture.frame_count, | ||
2626 | sizeof(dev->capture.frame_count)); | ||
2627 | |||
2628 | - /* wait for last frame to complete */ | ||
2629 | - timeout = wait_for_completion_timeout(&dev->capture.frame_cmplt, HZ); | ||
2630 | - if (timeout == 0) | ||
2631 | - v4l2_err(&dev->v4l2_dev, | ||
2632 | - "timed out waiting for frame completion\n"); | ||
2633 | - | ||
2634 | v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, | ||
2635 | "disabling connection\n"); | ||
2636 | |||
2637 | @@ -619,6 +617,21 @@ static void stop_streaming(struct vb2_queue *vq) | ||
2638 | ret); | ||
2639 | } | ||
2640 | |||
2641 | + /* wait for all buffers to be returned */ | ||
2642 | + while (atomic_read(&port->buffers_with_vpu)) { | ||
2643 | + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, | ||
2644 | + "%s: Waiting for buffers to be returned - %d outstanding\n", | ||
2645 | + __func__, atomic_read(&port->buffers_with_vpu)); | ||
2646 | + timeout = wait_for_completion_timeout(&dev->capture.frame_cmplt, | ||
2647 | + HZ); | ||
2648 | + if (timeout == 0) { | ||
2649 | + v4l2_err(&dev->v4l2_dev, "%s: Timeout waiting for buffers to be returned - %d outstanding\n", | ||
2650 | + __func__, | ||
2651 | + atomic_read(&port->buffers_with_vpu)); | ||
2652 | + break; | ||
2653 | + } | ||
2654 | + } | ||
2655 | + | ||
2656 | if (disable_camera(dev) < 0) | ||
2657 | v4l2_err(&dev->v4l2_dev, "Failed to disable camera\n"); | ||
2658 | } | ||
2659 | diff --git a/drivers/staging/vc04_services/bcm2835-camera/controls.c b/drivers/staging/vc04_services/bcm2835-camera/controls.c | ||
2660 | index dade79738a29..12ac3ef61fe6 100644 | ||
2661 | --- a/drivers/staging/vc04_services/bcm2835-camera/controls.c | ||
2662 | +++ b/drivers/staging/vc04_services/bcm2835-camera/controls.c | ||
2663 | @@ -603,15 +603,28 @@ static int ctrl_set_bitrate(struct bm2835_mmal_dev *dev, | ||
2664 | struct v4l2_ctrl *ctrl, | ||
2665 | const struct bm2835_mmal_v4l2_ctrl *mmal_ctrl) | ||
2666 | { | ||
2667 | + int ret; | ||
2668 | struct vchiq_mmal_port *encoder_out; | ||
2669 | |||
2670 | dev->capture.encode_bitrate = ctrl->val; | ||
2671 | |||
2672 | encoder_out = &dev->component[MMAL_COMPONENT_VIDEO_ENCODE]->output[0]; | ||
2673 | |||
2674 | - return vchiq_mmal_port_parameter_set(dev->instance, encoder_out, | ||
2675 | - mmal_ctrl->mmal_id, &ctrl->val, | ||
2676 | - sizeof(ctrl->val)); | ||
2677 | + ret = vchiq_mmal_port_parameter_set(dev->instance, encoder_out, | ||
2678 | + mmal_ctrl->mmal_id, &ctrl->val, | ||
2679 | + sizeof(ctrl->val)); | ||
2680 | + | ||
2681 | + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, | ||
2682 | + "%s: After: mmal_ctrl:%p ctrl id:0x%x ctrl val:%d ret %d(%d)\n", | ||
2683 | + __func__, mmal_ctrl, ctrl->id, ctrl->val, ret, | ||
2684 | + (ret == 0 ? 0 : -EINVAL)); | ||
2685 | + | ||
2686 | + /* | ||
2687 | + * Older firmware versions (pre July 2019) have a bug in handling | ||
2688 | + * MMAL_PARAMETER_VIDEO_BIT_RATE that result in the call | ||
2689 | + * returning -MMAL_MSG_STATUS_EINVAL. So ignore errors from this call. | ||
2690 | + */ | ||
2691 | + return 0; | ||
2692 | } | ||
2693 | |||
2694 | static int ctrl_set_bitrate_mode(struct bm2835_mmal_dev *dev, | ||
2695 | diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | ||
2696 | index 16af735af5c3..29761f6c3b55 100644 | ||
2697 | --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | ||
2698 | +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | ||
2699 | @@ -161,7 +161,8 @@ struct vchiq_mmal_instance { | ||
2700 | void *bulk_scratch; | ||
2701 | |||
2702 | struct idr context_map; | ||
2703 | - spinlock_t context_map_lock; | ||
2704 | + /* protect accesses to context_map */ | ||
2705 | + struct mutex context_map_lock; | ||
2706 | |||
2707 | /* component to use next */ | ||
2708 | int component_idx; | ||
2709 | @@ -184,10 +185,10 @@ get_msg_context(struct vchiq_mmal_instance *instance) | ||
2710 | * that when we service the VCHI reply, we can look up what | ||
2711 | * message is being replied to. | ||
2712 | */ | ||
2713 | - spin_lock(&instance->context_map_lock); | ||
2714 | + mutex_lock(&instance->context_map_lock); | ||
2715 | handle = idr_alloc(&instance->context_map, msg_context, | ||
2716 | 0, 0, GFP_KERNEL); | ||
2717 | - spin_unlock(&instance->context_map_lock); | ||
2718 | + mutex_unlock(&instance->context_map_lock); | ||
2719 | |||
2720 | if (handle < 0) { | ||
2721 | kfree(msg_context); | ||
2722 | @@ -211,9 +212,9 @@ release_msg_context(struct mmal_msg_context *msg_context) | ||
2723 | { | ||
2724 | struct vchiq_mmal_instance *instance = msg_context->instance; | ||
2725 | |||
2726 | - spin_lock(&instance->context_map_lock); | ||
2727 | + mutex_lock(&instance->context_map_lock); | ||
2728 | idr_remove(&instance->context_map, msg_context->handle); | ||
2729 | - spin_unlock(&instance->context_map_lock); | ||
2730 | + mutex_unlock(&instance->context_map_lock); | ||
2731 | kfree(msg_context); | ||
2732 | } | ||
2733 | |||
2734 | @@ -239,6 +240,8 @@ static void buffer_work_cb(struct work_struct *work) | ||
2735 | struct mmal_msg_context *msg_context = | ||
2736 | container_of(work, struct mmal_msg_context, u.bulk.work); | ||
2737 | |||
2738 | + atomic_dec(&msg_context->u.bulk.port->buffers_with_vpu); | ||
2739 | + | ||
2740 | msg_context->u.bulk.port->buffer_cb(msg_context->u.bulk.instance, | ||
2741 | msg_context->u.bulk.port, | ||
2742 | msg_context->u.bulk.status, | ||
2743 | @@ -287,8 +290,6 @@ static int bulk_receive(struct vchiq_mmal_instance *instance, | ||
2744 | |||
2745 | /* store length */ | ||
2746 | msg_context->u.bulk.buffer_used = rd_len; | ||
2747 | - msg_context->u.bulk.mmal_flags = | ||
2748 | - msg->u.buffer_from_host.buffer_header.flags; | ||
2749 | msg_context->u.bulk.dts = msg->u.buffer_from_host.buffer_header.dts; | ||
2750 | msg_context->u.bulk.pts = msg->u.buffer_from_host.buffer_header.pts; | ||
2751 | |||
2752 | @@ -379,6 +380,8 @@ buffer_from_host(struct vchiq_mmal_instance *instance, | ||
2753 | /* initialise work structure ready to schedule callback */ | ||
2754 | INIT_WORK(&msg_context->u.bulk.work, buffer_work_cb); | ||
2755 | |||
2756 | + atomic_inc(&port->buffers_with_vpu); | ||
2757 | + | ||
2758 | /* prep the buffer from host message */ | ||
2759 | memset(&m, 0xbc, sizeof(m)); /* just to make debug clearer */ | ||
2760 | |||
2761 | @@ -447,6 +450,9 @@ static void buffer_to_host_cb(struct vchiq_mmal_instance *instance, | ||
2762 | return; | ||
2763 | } | ||
2764 | |||
2765 | + msg_context->u.bulk.mmal_flags = | ||
2766 | + msg->u.buffer_from_host.buffer_header.flags; | ||
2767 | + | ||
2768 | if (msg->h.status != MMAL_MSG_STATUS_SUCCESS) { | ||
2769 | /* message reception had an error */ | ||
2770 | pr_warn("error %d in reply\n", msg->h.status); | ||
2771 | @@ -1323,16 +1329,6 @@ static int port_enable(struct vchiq_mmal_instance *instance, | ||
2772 | if (port->enabled) | ||
2773 | return 0; | ||
2774 | |||
2775 | - /* ensure there are enough buffers queued to cover the buffer headers */ | ||
2776 | - if (port->buffer_cb) { | ||
2777 | - hdr_count = 0; | ||
2778 | - list_for_each(buf_head, &port->buffers) { | ||
2779 | - hdr_count++; | ||
2780 | - } | ||
2781 | - if (hdr_count < port->current_buffer.num) | ||
2782 | - return -ENOSPC; | ||
2783 | - } | ||
2784 | - | ||
2785 | ret = port_action_port(instance, port, | ||
2786 | MMAL_MSG_PORT_ACTION_TYPE_ENABLE); | ||
2787 | if (ret) | ||
2788 | @@ -1849,7 +1845,7 @@ int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance) | ||
2789 | |||
2790 | instance->bulk_scratch = vmalloc(PAGE_SIZE); | ||
2791 | |||
2792 | - spin_lock_init(&instance->context_map_lock); | ||
2793 | + mutex_init(&instance->context_map_lock); | ||
2794 | idr_init_base(&instance->context_map, 1); | ||
2795 | |||
2796 | params.callback_param = instance; | ||
2797 | diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | ||
2798 | index 22b839ecd5f0..b0ee1716525b 100644 | ||
2799 | --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | ||
2800 | +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | ||
2801 | @@ -71,6 +71,9 @@ struct vchiq_mmal_port { | ||
2802 | struct list_head buffers; | ||
2803 | /* lock to serialise adding and removing buffers from list */ | ||
2804 | spinlock_t slock; | ||
2805 | + | ||
2806 | + /* Count of buffers the VPU has yet to return */ | ||
2807 | + atomic_t buffers_with_vpu; | ||
2808 | /* callback on buffer completion */ | ||
2809 | vchiq_mmal_buffer_cb buffer_cb; | ||
2810 | /* callback context */ | ||
2811 | diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | ||
2812 | index c557c9953724..aa20fcaefa9d 100644 | ||
2813 | --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | ||
2814 | +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | ||
2815 | @@ -523,7 +523,7 @@ create_pagelist(char __user *buf, size_t count, unsigned short type) | ||
2816 | (g_cache_line_size - 1)))) { | ||
2817 | char *fragments; | ||
2818 | |||
2819 | - if (down_killable(&g_free_fragments_sema)) { | ||
2820 | + if (down_interruptible(&g_free_fragments_sema) != 0) { | ||
2821 | cleanup_pagelistinfo(pagelistinfo); | ||
2822 | return NULL; | ||
2823 | } | ||
2824 | diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | ||
2825 | index ab7d6a0ce94c..62d8f599e765 100644 | ||
2826 | --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | ||
2827 | +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | ||
2828 | @@ -532,7 +532,8 @@ add_completion(VCHIQ_INSTANCE_T instance, VCHIQ_REASON_T reason, | ||
2829 | vchiq_log_trace(vchiq_arm_log_level, | ||
2830 | "%s - completion queue full", __func__); | ||
2831 | DEBUG_COUNT(COMPLETION_QUEUE_FULL_COUNT); | ||
2832 | - if (wait_for_completion_killable(&instance->remove_event)) { | ||
2833 | + if (wait_for_completion_interruptible( | ||
2834 | + &instance->remove_event)) { | ||
2835 | vchiq_log_info(vchiq_arm_log_level, | ||
2836 | "service_callback interrupted"); | ||
2837 | return VCHIQ_RETRY; | ||
2838 | @@ -643,7 +644,7 @@ service_callback(VCHIQ_REASON_T reason, struct vchiq_header *header, | ||
2839 | } | ||
2840 | |||
2841 | DEBUG_TRACE(SERVICE_CALLBACK_LINE); | ||
2842 | - if (wait_for_completion_killable( | ||
2843 | + if (wait_for_completion_interruptible( | ||
2844 | &user_service->remove_event) | ||
2845 | != 0) { | ||
2846 | vchiq_log_info(vchiq_arm_log_level, | ||
2847 | @@ -978,7 +979,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | ||
2848 | has been closed until the client library calls the | ||
2849 | CLOSE_DELIVERED ioctl, signalling close_event. */ | ||
2850 | if (user_service->close_pending && | ||
2851 | - wait_for_completion_killable( | ||
2852 | + wait_for_completion_interruptible( | ||
2853 | &user_service->close_event)) | ||
2854 | status = VCHIQ_RETRY; | ||
2855 | break; | ||
2856 | @@ -1154,7 +1155,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | ||
2857 | |||
2858 | DEBUG_TRACE(AWAIT_COMPLETION_LINE); | ||
2859 | mutex_unlock(&instance->completion_mutex); | ||
2860 | - rc = wait_for_completion_killable( | ||
2861 | + rc = wait_for_completion_interruptible( | ||
2862 | &instance->insert_event); | ||
2863 | mutex_lock(&instance->completion_mutex); | ||
2864 | if (rc != 0) { | ||
2865 | @@ -1324,7 +1325,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | ||
2866 | do { | ||
2867 | spin_unlock(&msg_queue_spinlock); | ||
2868 | DEBUG_TRACE(DEQUEUE_MESSAGE_LINE); | ||
2869 | - if (wait_for_completion_killable( | ||
2870 | + if (wait_for_completion_interruptible( | ||
2871 | &user_service->insert_event)) { | ||
2872 | vchiq_log_info(vchiq_arm_log_level, | ||
2873 | "DEQUEUE_MESSAGE interrupted"); | ||
2874 | @@ -2328,7 +2329,7 @@ vchiq_keepalive_thread_func(void *v) | ||
2875 | while (1) { | ||
2876 | long rc = 0, uc = 0; | ||
2877 | |||
2878 | - if (wait_for_completion_killable(&arm_state->ka_evt) | ||
2879 | + if (wait_for_completion_interruptible(&arm_state->ka_evt) | ||
2880 | != 0) { | ||
2881 | vchiq_log_error(vchiq_susp_log_level, | ||
2882 | "%s interrupted", __func__); | ||
2883 | @@ -2579,7 +2580,7 @@ block_resume(struct vchiq_arm_state *arm_state) | ||
2884 | write_unlock_bh(&arm_state->susp_res_lock); | ||
2885 | vchiq_log_info(vchiq_susp_log_level, "%s wait for previously " | ||
2886 | "blocked clients", __func__); | ||
2887 | - if (wait_for_completion_killable_timeout( | ||
2888 | + if (wait_for_completion_interruptible_timeout( | ||
2889 | &arm_state->blocked_blocker, timeout_val) | ||
2890 | <= 0) { | ||
2891 | vchiq_log_error(vchiq_susp_log_level, "%s wait for " | ||
2892 | @@ -2605,7 +2606,7 @@ block_resume(struct vchiq_arm_state *arm_state) | ||
2893 | write_unlock_bh(&arm_state->susp_res_lock); | ||
2894 | vchiq_log_info(vchiq_susp_log_level, "%s wait for resume", | ||
2895 | __func__); | ||
2896 | - if (wait_for_completion_killable_timeout( | ||
2897 | + if (wait_for_completion_interruptible_timeout( | ||
2898 | &arm_state->vc_resume_complete, timeout_val) | ||
2899 | <= 0) { | ||
2900 | vchiq_log_error(vchiq_susp_log_level, "%s wait for " | ||
2901 | @@ -2812,7 +2813,7 @@ vchiq_arm_force_suspend(struct vchiq_state *state) | ||
2902 | do { | ||
2903 | write_unlock_bh(&arm_state->susp_res_lock); | ||
2904 | |||
2905 | - rc = wait_for_completion_killable_timeout( | ||
2906 | + rc = wait_for_completion_interruptible_timeout( | ||
2907 | &arm_state->vc_suspend_complete, | ||
2908 | msecs_to_jiffies(FORCE_SUSPEND_TIMEOUT_MS)); | ||
2909 | |||
2910 | @@ -2908,7 +2909,7 @@ vchiq_arm_allow_resume(struct vchiq_state *state) | ||
2911 | write_unlock_bh(&arm_state->susp_res_lock); | ||
2912 | |||
2913 | if (resume) { | ||
2914 | - if (wait_for_completion_killable( | ||
2915 | + if (wait_for_completion_interruptible( | ||
2916 | &arm_state->vc_resume_complete) < 0) { | ||
2917 | vchiq_log_error(vchiq_susp_log_level, | ||
2918 | "%s interrupted", __func__); | ||
2919 | diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | ||
2920 | index 0c387b6473a5..44bfa890e0e5 100644 | ||
2921 | --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | ||
2922 | +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | ||
2923 | @@ -395,13 +395,21 @@ remote_event_create(wait_queue_head_t *wq, struct remote_event *event) | ||
2924 | init_waitqueue_head(wq); | ||
2925 | } | ||
2926 | |||
2927 | +/* | ||
2928 | + * All the event waiting routines in VCHIQ used a custom semaphore | ||
2929 | + * implementation that filtered most signals. This achieved a behaviour similar | ||
2930 | + * to the "killable" family of functions. While cleaning up this code all the | ||
2931 | + * routines where switched to the "interruptible" family of functions, as the | ||
2932 | + * former was deemed unjustified and the use "killable" set all VCHIQ's | ||
2933 | + * threads in D state. | ||
2934 | + */ | ||
2935 | static inline int | ||
2936 | remote_event_wait(wait_queue_head_t *wq, struct remote_event *event) | ||
2937 | { | ||
2938 | if (!event->fired) { | ||
2939 | event->armed = 1; | ||
2940 | dsb(sy); | ||
2941 | - if (wait_event_killable(*wq, event->fired)) { | ||
2942 | + if (wait_event_interruptible(*wq, event->fired)) { | ||
2943 | event->armed = 0; | ||
2944 | return 0; | ||
2945 | } | ||
2946 | @@ -560,7 +568,7 @@ reserve_space(struct vchiq_state *state, size_t space, int is_blocking) | ||
2947 | remote_event_signal(&state->remote->trigger); | ||
2948 | |||
2949 | if (!is_blocking || | ||
2950 | - (wait_for_completion_killable( | ||
2951 | + (wait_for_completion_interruptible( | ||
2952 | &state->slot_available_event))) | ||
2953 | return NULL; /* No space available */ | ||
2954 | } | ||
2955 | @@ -830,7 +838,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service, | ||
2956 | spin_unlock("a_spinlock); | ||
2957 | mutex_unlock(&state->slot_mutex); | ||
2958 | |||
2959 | - if (wait_for_completion_killable( | ||
2960 | + if (wait_for_completion_interruptible( | ||
2961 | &state->data_quota_event)) | ||
2962 | return VCHIQ_RETRY; | ||
2963 | |||
2964 | @@ -861,7 +869,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service, | ||
2965 | service_quota->slot_use_count); | ||
2966 | VCHIQ_SERVICE_STATS_INC(service, quota_stalls); | ||
2967 | mutex_unlock(&state->slot_mutex); | ||
2968 | - if (wait_for_completion_killable( | ||
2969 | + if (wait_for_completion_interruptible( | ||
2970 | &service_quota->quota_event)) | ||
2971 | return VCHIQ_RETRY; | ||
2972 | if (service->closing) | ||
2973 | @@ -1710,7 +1718,8 @@ parse_rx_slots(struct vchiq_state *state) | ||
2974 | &service->bulk_rx : &service->bulk_tx; | ||
2975 | |||
2976 | DEBUG_TRACE(PARSE_LINE); | ||
2977 | - if (mutex_lock_killable(&service->bulk_mutex)) { | ||
2978 | + if (mutex_lock_killable( | ||
2979 | + &service->bulk_mutex) != 0) { | ||
2980 | DEBUG_TRACE(PARSE_LINE); | ||
2981 | goto bail_not_ready; | ||
2982 | } | ||
2983 | @@ -2428,7 +2437,7 @@ vchiq_open_service_internal(struct vchiq_service *service, int client_id) | ||
2984 | QMFLAGS_IS_BLOCKING); | ||
2985 | if (status == VCHIQ_SUCCESS) { | ||
2986 | /* Wait for the ACK/NAK */ | ||
2987 | - if (wait_for_completion_killable(&service->remove_event)) { | ||
2988 | + if (wait_for_completion_interruptible(&service->remove_event)) { | ||
2989 | status = VCHIQ_RETRY; | ||
2990 | vchiq_release_service_internal(service); | ||
2991 | } else if ((service->srvstate != VCHIQ_SRVSTATE_OPEN) && | ||
2992 | @@ -2795,7 +2804,7 @@ vchiq_connect_internal(struct vchiq_state *state, VCHIQ_INSTANCE_T instance) | ||
2993 | } | ||
2994 | |||
2995 | if (state->conn_state == VCHIQ_CONNSTATE_CONNECTING) { | ||
2996 | - if (wait_for_completion_killable(&state->connect)) | ||
2997 | + if (wait_for_completion_interruptible(&state->connect)) | ||
2998 | return VCHIQ_RETRY; | ||
2999 | |||
3000 | vchiq_set_conn_state(state, VCHIQ_CONNSTATE_CONNECTED); | ||
3001 | @@ -2894,7 +2903,7 @@ vchiq_close_service(VCHIQ_SERVICE_HANDLE_T handle) | ||
3002 | } | ||
3003 | |||
3004 | while (1) { | ||
3005 | - if (wait_for_completion_killable(&service->remove_event)) { | ||
3006 | + if (wait_for_completion_interruptible(&service->remove_event)) { | ||
3007 | status = VCHIQ_RETRY; | ||
3008 | break; | ||
3009 | } | ||
3010 | @@ -2955,7 +2964,7 @@ vchiq_remove_service(VCHIQ_SERVICE_HANDLE_T handle) | ||
3011 | request_poll(service->state, service, VCHIQ_POLL_REMOVE); | ||
3012 | } | ||
3013 | while (1) { | ||
3014 | - if (wait_for_completion_killable(&service->remove_event)) { | ||
3015 | + if (wait_for_completion_interruptible(&service->remove_event)) { | ||
3016 | status = VCHIQ_RETRY; | ||
3017 | break; | ||
3018 | } | ||
3019 | @@ -3038,7 +3047,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle, | ||
3020 | VCHIQ_SERVICE_STATS_INC(service, bulk_stalls); | ||
3021 | do { | ||
3022 | mutex_unlock(&service->bulk_mutex); | ||
3023 | - if (wait_for_completion_killable( | ||
3024 | + if (wait_for_completion_interruptible( | ||
3025 | &service->bulk_remove_event)) { | ||
3026 | status = VCHIQ_RETRY; | ||
3027 | goto error_exit; | ||
3028 | @@ -3115,7 +3124,7 @@ waiting: | ||
3029 | |||
3030 | if (bulk_waiter) { | ||
3031 | bulk_waiter->bulk = bulk; | ||
3032 | - if (wait_for_completion_killable(&bulk_waiter->event)) | ||
3033 | + if (wait_for_completion_interruptible(&bulk_waiter->event)) | ||
3034 | status = VCHIQ_RETRY; | ||
3035 | else if (bulk_waiter->actual == VCHIQ_BULK_ACTUAL_ABORTED) | ||
3036 | status = VCHIQ_ERROR; | ||
3037 | diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c | ||
3038 | index 6c519d8e48cb..8ee85c5e6f77 100644 | ||
3039 | --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c | ||
3040 | +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c | ||
3041 | @@ -50,7 +50,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header) | ||
3042 | return; | ||
3043 | |||
3044 | while (queue->write == queue->read + queue->size) { | ||
3045 | - if (wait_for_completion_killable(&queue->pop)) | ||
3046 | + if (wait_for_completion_interruptible(&queue->pop)) | ||
3047 | flush_signals(current); | ||
3048 | } | ||
3049 | |||
3050 | @@ -63,7 +63,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header) | ||
3051 | struct vchiq_header *vchiu_queue_peek(struct vchiu_queue *queue) | ||
3052 | { | ||
3053 | while (queue->write == queue->read) { | ||
3054 | - if (wait_for_completion_killable(&queue->push)) | ||
3055 | + if (wait_for_completion_interruptible(&queue->push)) | ||
3056 | flush_signals(current); | ||
3057 | } | ||
3058 | |||
3059 | @@ -77,7 +77,7 @@ struct vchiq_header *vchiu_queue_pop(struct vchiu_queue *queue) | ||
3060 | struct vchiq_header *header; | ||
3061 | |||
3062 | while (queue->write == queue->read) { | ||
3063 | - if (wait_for_completion_killable(&queue->push)) | ||
3064 | + if (wait_for_completion_interruptible(&queue->push)) | ||
3065 | flush_signals(current); | ||
3066 | } | ||
3067 | |||
3068 | diff --git a/drivers/staging/wilc1000/wilc_netdev.c b/drivers/staging/wilc1000/wilc_netdev.c | ||
3069 | index ba78c08a17f1..5338d7d2b248 100644 | ||
3070 | --- a/drivers/staging/wilc1000/wilc_netdev.c | ||
3071 | +++ b/drivers/staging/wilc1000/wilc_netdev.c | ||
3072 | @@ -530,17 +530,17 @@ static int wilc_wlan_initialize(struct net_device *dev, struct wilc_vif *vif) | ||
3073 | goto fail_locks; | ||
3074 | } | ||
3075 | |||
3076 | - if (wl->gpio_irq && init_irq(dev)) { | ||
3077 | - ret = -EIO; | ||
3078 | - goto fail_locks; | ||
3079 | - } | ||
3080 | - | ||
3081 | ret = wlan_initialize_threads(dev); | ||
3082 | if (ret < 0) { | ||
3083 | ret = -EIO; | ||
3084 | goto fail_wilc_wlan; | ||
3085 | } | ||
3086 | |||
3087 | + if (wl->gpio_irq && init_irq(dev)) { | ||
3088 | + ret = -EIO; | ||
3089 | + goto fail_threads; | ||
3090 | + } | ||
3091 | + | ||
3092 | if (!wl->dev_irq_num && | ||
3093 | wl->hif_func->enable_interrupt && | ||
3094 | wl->hif_func->enable_interrupt(wl)) { | ||
3095 | @@ -596,7 +596,7 @@ fail_irq_enable: | ||
3096 | fail_irq_init: | ||
3097 | if (wl->dev_irq_num) | ||
3098 | deinit_irq(dev); | ||
3099 | - | ||
3100 | +fail_threads: | ||
3101 | wlan_deinitialize_threads(dev); | ||
3102 | fail_wilc_wlan: | ||
3103 | wilc_wlan_cleanup(dev); | ||
3104 | diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c | ||
3105 | index d2f3310abe54..682300713be4 100644 | ||
3106 | --- a/drivers/tty/serial/8250/8250_port.c | ||
3107 | +++ b/drivers/tty/serial/8250/8250_port.c | ||
3108 | @@ -1869,8 +1869,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) | ||
3109 | |||
3110 | status = serial_port_in(port, UART_LSR); | ||
3111 | |||
3112 | - if (status & (UART_LSR_DR | UART_LSR_BI) && | ||
3113 | - iir & UART_IIR_RDI) { | ||
3114 | + if (status & (UART_LSR_DR | UART_LSR_BI)) { | ||
3115 | if (!up->dma || handle_rx_dma(up, iir)) | ||
3116 | status = serial8250_rx_chars(up, status); | ||
3117 | } | ||
3118 | diff --git a/drivers/usb/dwc2/core.c b/drivers/usb/dwc2/core.c | ||
3119 | index 8b499d643461..8e41d70fd298 100644 | ||
3120 | --- a/drivers/usb/dwc2/core.c | ||
3121 | +++ b/drivers/usb/dwc2/core.c | ||
3122 | @@ -531,7 +531,7 @@ int dwc2_core_reset(struct dwc2_hsotg *hsotg, bool skip_wait) | ||
3123 | } | ||
3124 | |||
3125 | /* Wait for AHB master IDLE state */ | ||
3126 | - if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 50)) { | ||
3127 | + if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 10000)) { | ||
3128 | dev_warn(hsotg->dev, "%s: HANG! AHB Idle timeout GRSTCTL GRSTCTL_AHBIDLE\n", | ||
3129 | __func__); | ||
3130 | return -EBUSY; | ||
3131 | diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c | ||
3132 | index 47be961f1bf3..c7ed90084d1a 100644 | ||
3133 | --- a/drivers/usb/gadget/function/f_fs.c | ||
3134 | +++ b/drivers/usb/gadget/function/f_fs.c | ||
3135 | @@ -997,7 +997,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) | ||
3136 | * earlier | ||
3137 | */ | ||
3138 | gadget = epfile->ffs->gadget; | ||
3139 | - io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; | ||
3140 | |||
3141 | spin_lock_irq(&epfile->ffs->eps_lock); | ||
3142 | /* In the meantime, endpoint got disabled or changed. */ | ||
3143 | @@ -1012,6 +1011,8 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) | ||
3144 | */ | ||
3145 | if (io_data->read) | ||
3146 | data_len = usb_ep_align_maybe(gadget, ep->ep, data_len); | ||
3147 | + | ||
3148 | + io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; | ||
3149 | spin_unlock_irq(&epfile->ffs->eps_lock); | ||
3150 | |||
3151 | data = ffs_alloc_buffer(io_data, data_len); | ||
3152 | diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c | ||
3153 | index 737bd77a575d..2929bb47a618 100644 | ||
3154 | --- a/drivers/usb/gadget/function/u_ether.c | ||
3155 | +++ b/drivers/usb/gadget/function/u_ether.c | ||
3156 | @@ -186,11 +186,12 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags) | ||
3157 | out = dev->port_usb->out_ep; | ||
3158 | else | ||
3159 | out = NULL; | ||
3160 | - spin_unlock_irqrestore(&dev->lock, flags); | ||
3161 | |||
3162 | if (!out) | ||
3163 | + { | ||
3164 | + spin_unlock_irqrestore(&dev->lock, flags); | ||
3165 | return -ENOTCONN; | ||
3166 | - | ||
3167 | + } | ||
3168 | |||
3169 | /* Padding up to RX_EXTRA handles minor disagreements with host. | ||
3170 | * Normally we use the USB "terminate on short read" convention; | ||
3171 | @@ -214,6 +215,7 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags) | ||
3172 | |||
3173 | if (dev->port_usb->is_fixed) | ||
3174 | size = max_t(size_t, size, dev->port_usb->fixed_out_len); | ||
3175 | + spin_unlock_irqrestore(&dev->lock, flags); | ||
3176 | |||
3177 | skb = __netdev_alloc_skb(dev->net, size + NET_IP_ALIGN, gfp_flags); | ||
3178 | if (skb == NULL) { | ||
3179 | diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c | ||
3180 | index 39fa2fc1b8b7..6036cbae8c78 100644 | ||
3181 | --- a/drivers/usb/renesas_usbhs/fifo.c | ||
3182 | +++ b/drivers/usb/renesas_usbhs/fifo.c | ||
3183 | @@ -802,9 +802,8 @@ static int __usbhsf_dma_map_ctrl(struct usbhs_pkt *pkt, int map) | ||
3184 | } | ||
3185 | |||
3186 | static void usbhsf_dma_complete(void *arg); | ||
3187 | -static void xfer_work(struct work_struct *work) | ||
3188 | +static void usbhsf_dma_xfer_preparing(struct usbhs_pkt *pkt) | ||
3189 | { | ||
3190 | - struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); | ||
3191 | struct usbhs_pipe *pipe = pkt->pipe; | ||
3192 | struct usbhs_fifo *fifo; | ||
3193 | struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); | ||
3194 | @@ -812,12 +811,10 @@ static void xfer_work(struct work_struct *work) | ||
3195 | struct dma_chan *chan; | ||
3196 | struct device *dev = usbhs_priv_to_dev(priv); | ||
3197 | enum dma_transfer_direction dir; | ||
3198 | - unsigned long flags; | ||
3199 | |||
3200 | - usbhs_lock(priv, flags); | ||
3201 | fifo = usbhs_pipe_to_fifo(pipe); | ||
3202 | if (!fifo) | ||
3203 | - goto xfer_work_end; | ||
3204 | + return; | ||
3205 | |||
3206 | chan = usbhsf_dma_chan_get(fifo, pkt); | ||
3207 | dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV; | ||
3208 | @@ -826,7 +823,7 @@ static void xfer_work(struct work_struct *work) | ||
3209 | pkt->trans, dir, | ||
3210 | DMA_PREP_INTERRUPT | DMA_CTRL_ACK); | ||
3211 | if (!desc) | ||
3212 | - goto xfer_work_end; | ||
3213 | + return; | ||
3214 | |||
3215 | desc->callback = usbhsf_dma_complete; | ||
3216 | desc->callback_param = pipe; | ||
3217 | @@ -834,7 +831,7 @@ static void xfer_work(struct work_struct *work) | ||
3218 | pkt->cookie = dmaengine_submit(desc); | ||
3219 | if (pkt->cookie < 0) { | ||
3220 | dev_err(dev, "Failed to submit dma descriptor\n"); | ||
3221 | - goto xfer_work_end; | ||
3222 | + return; | ||
3223 | } | ||
3224 | |||
3225 | dev_dbg(dev, " %s %d (%d/ %d)\n", | ||
3226 | @@ -845,8 +842,17 @@ static void xfer_work(struct work_struct *work) | ||
3227 | dma_async_issue_pending(chan); | ||
3228 | usbhsf_dma_start(pipe, fifo); | ||
3229 | usbhs_pipe_enable(pipe); | ||
3230 | +} | ||
3231 | + | ||
3232 | +static void xfer_work(struct work_struct *work) | ||
3233 | +{ | ||
3234 | + struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); | ||
3235 | + struct usbhs_pipe *pipe = pkt->pipe; | ||
3236 | + struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); | ||
3237 | + unsigned long flags; | ||
3238 | |||
3239 | -xfer_work_end: | ||
3240 | + usbhs_lock(priv, flags); | ||
3241 | + usbhsf_dma_xfer_preparing(pkt); | ||
3242 | usbhs_unlock(priv, flags); | ||
3243 | } | ||
3244 | |||
3245 | @@ -899,8 +905,13 @@ static int usbhsf_dma_prepare_push(struct usbhs_pkt *pkt, int *is_done) | ||
3246 | pkt->trans = len; | ||
3247 | |||
3248 | usbhsf_tx_irq_ctrl(pipe, 0); | ||
3249 | - INIT_WORK(&pkt->work, xfer_work); | ||
3250 | - schedule_work(&pkt->work); | ||
3251 | + /* FIXME: Workaound for usb dmac that driver can be used in atomic */ | ||
3252 | + if (usbhs_get_dparam(priv, has_usb_dmac)) { | ||
3253 | + usbhsf_dma_xfer_preparing(pkt); | ||
3254 | + } else { | ||
3255 | + INIT_WORK(&pkt->work, xfer_work); | ||
3256 | + schedule_work(&pkt->work); | ||
3257 | + } | ||
3258 | |||
3259 | return 0; | ||
3260 | |||
3261 | @@ -1006,8 +1017,7 @@ static int usbhsf_dma_prepare_pop_with_usb_dmac(struct usbhs_pkt *pkt, | ||
3262 | |||
3263 | pkt->trans = pkt->length; | ||
3264 | |||
3265 | - INIT_WORK(&pkt->work, xfer_work); | ||
3266 | - schedule_work(&pkt->work); | ||
3267 | + usbhsf_dma_xfer_preparing(pkt); | ||
3268 | |||
3269 | return 0; | ||
3270 | |||
3271 | diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c | ||
3272 | index 1d8461ae2c34..23669a584bae 100644 | ||
3273 | --- a/drivers/usb/serial/ftdi_sio.c | ||
3274 | +++ b/drivers/usb/serial/ftdi_sio.c | ||
3275 | @@ -1029,6 +1029,7 @@ static const struct usb_device_id id_table_combined[] = { | ||
3276 | { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, | ||
3277 | /* EZPrototypes devices */ | ||
3278 | { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, | ||
3279 | + { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) }, | ||
3280 | { } /* Terminating entry */ | ||
3281 | }; | ||
3282 | |||
3283 | diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h | ||
3284 | index 5755f0df0025..f12d806220b4 100644 | ||
3285 | --- a/drivers/usb/serial/ftdi_sio_ids.h | ||
3286 | +++ b/drivers/usb/serial/ftdi_sio_ids.h | ||
3287 | @@ -1543,3 +1543,9 @@ | ||
3288 | #define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */ | ||
3289 | #define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */ | ||
3290 | #define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */ | ||
3291 | + | ||
3292 | +/* | ||
3293 | + * Unjo AB | ||
3294 | + */ | ||
3295 | +#define UNJO_VID 0x22B7 | ||
3296 | +#define UNJO_ISODEBUG_V1_PID 0x150D | ||
3297 | diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c | ||
3298 | index a0aaf0635359..c1582fbd1150 100644 | ||
3299 | --- a/drivers/usb/serial/option.c | ||
3300 | +++ b/drivers/usb/serial/option.c | ||
3301 | @@ -1343,6 +1343,7 @@ static const struct usb_device_id option_ids[] = { | ||
3302 | .driver_info = RSVD(4) }, | ||
3303 | { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) }, | ||
3304 | { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) }, | ||
3305 | + { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0601, 0xff) }, /* GosunCn ZTE WeLink ME3630 (RNDIS mode) */ | ||
3306 | { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */ | ||
3307 | { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff), | ||
3308 | .driver_info = RSVD(4) }, | ||
3309 | diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c | ||
3310 | index c674abe3cf99..a38d1409f15b 100644 | ||
3311 | --- a/drivers/usb/typec/tps6598x.c | ||
3312 | +++ b/drivers/usb/typec/tps6598x.c | ||
3313 | @@ -41,7 +41,7 @@ | ||
3314 | #define TPS_STATUS_VCONN(s) (!!((s) & BIT(7))) | ||
3315 | |||
3316 | /* TPS_REG_SYSTEM_CONF bits */ | ||
3317 | -#define TPS_SYSCONF_PORTINFO(c) ((c) & 3) | ||
3318 | +#define TPS_SYSCONF_PORTINFO(c) ((c) & 7) | ||
3319 | |||
3320 | enum { | ||
3321 | TPS_PORTINFO_SINK, | ||
3322 | @@ -127,7 +127,7 @@ tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len) | ||
3323 | } | ||
3324 | |||
3325 | static int tps6598x_block_write(struct tps6598x *tps, u8 reg, | ||
3326 | - void *val, size_t len) | ||
3327 | + const void *val, size_t len) | ||
3328 | { | ||
3329 | u8 data[TPS_MAX_LEN + 1]; | ||
3330 | |||
3331 | @@ -173,7 +173,7 @@ static inline int tps6598x_write64(struct tps6598x *tps, u8 reg, u64 val) | ||
3332 | static inline int | ||
3333 | tps6598x_write_4cc(struct tps6598x *tps, u8 reg, const char *val) | ||
3334 | { | ||
3335 | - return tps6598x_block_write(tps, reg, &val, sizeof(u32)); | ||
3336 | + return tps6598x_block_write(tps, reg, val, 4); | ||
3337 | } | ||
3338 | |||
3339 | static int tps6598x_read_partner_identity(struct tps6598x *tps) | ||
3340 | diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c | ||
3341 | index d536889ac31b..4941fe8471ce 100644 | ||
3342 | --- a/fs/crypto/policy.c | ||
3343 | +++ b/fs/crypto/policy.c | ||
3344 | @@ -81,6 +81,8 @@ int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) | ||
3345 | if (ret == -ENODATA) { | ||
3346 | if (!S_ISDIR(inode->i_mode)) | ||
3347 | ret = -ENOTDIR; | ||
3348 | + else if (IS_DEADDIR(inode)) | ||
3349 | + ret = -ENOENT; | ||
3350 | else if (!inode->i_sb->s_cop->empty_dir(inode)) | ||
3351 | ret = -ENOTEMPTY; | ||
3352 | else | ||
3353 | diff --git a/fs/iomap.c b/fs/iomap.c | ||
3354 | index 12654c2e78f8..da961fca3180 100644 | ||
3355 | --- a/fs/iomap.c | ||
3356 | +++ b/fs/iomap.c | ||
3357 | @@ -333,7 +333,7 @@ iomap_readpage_actor(struct inode *inode, loff_t pos, loff_t length, void *data, | ||
3358 | if (iop) | ||
3359 | atomic_inc(&iop->read_count); | ||
3360 | |||
3361 | - if (!ctx->bio || !is_contig || bio_full(ctx->bio)) { | ||
3362 | + if (!ctx->bio || !is_contig || bio_full(ctx->bio, plen)) { | ||
3363 | gfp_t gfp = mapping_gfp_constraint(page->mapping, GFP_KERNEL); | ||
3364 | int nr_vecs = (length + PAGE_SIZE - 1) >> PAGE_SHIFT; | ||
3365 | |||
3366 | diff --git a/fs/udf/inode.c b/fs/udf/inode.c | ||
3367 | index e7276932e433..9bb18311a22f 100644 | ||
3368 | --- a/fs/udf/inode.c | ||
3369 | +++ b/fs/udf/inode.c | ||
3370 | @@ -470,13 +470,15 @@ static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, | ||
3371 | return NULL; | ||
3372 | } | ||
3373 | |||
3374 | -/* Extend the file by 'blocks' blocks, return the number of extents added */ | ||
3375 | +/* Extend the file with new blocks totaling 'new_block_bytes', | ||
3376 | + * return the number of extents added | ||
3377 | + */ | ||
3378 | static int udf_do_extend_file(struct inode *inode, | ||
3379 | struct extent_position *last_pos, | ||
3380 | struct kernel_long_ad *last_ext, | ||
3381 | - sector_t blocks) | ||
3382 | + loff_t new_block_bytes) | ||
3383 | { | ||
3384 | - sector_t add; | ||
3385 | + uint32_t add; | ||
3386 | int count = 0, fake = !(last_ext->extLength & UDF_EXTENT_LENGTH_MASK); | ||
3387 | struct super_block *sb = inode->i_sb; | ||
3388 | struct kernel_lb_addr prealloc_loc = {}; | ||
3389 | @@ -486,7 +488,7 @@ static int udf_do_extend_file(struct inode *inode, | ||
3390 | |||
3391 | /* The previous extent is fake and we should not extend by anything | ||
3392 | * - there's nothing to do... */ | ||
3393 | - if (!blocks && fake) | ||
3394 | + if (!new_block_bytes && fake) | ||
3395 | return 0; | ||
3396 | |||
3397 | iinfo = UDF_I(inode); | ||
3398 | @@ -517,13 +519,12 @@ static int udf_do_extend_file(struct inode *inode, | ||
3399 | /* Can we merge with the previous extent? */ | ||
3400 | if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) == | ||
3401 | EXT_NOT_RECORDED_NOT_ALLOCATED) { | ||
3402 | - add = ((1 << 30) - sb->s_blocksize - | ||
3403 | - (last_ext->extLength & UDF_EXTENT_LENGTH_MASK)) >> | ||
3404 | - sb->s_blocksize_bits; | ||
3405 | - if (add > blocks) | ||
3406 | - add = blocks; | ||
3407 | - blocks -= add; | ||
3408 | - last_ext->extLength += add << sb->s_blocksize_bits; | ||
3409 | + add = (1 << 30) - sb->s_blocksize - | ||
3410 | + (last_ext->extLength & UDF_EXTENT_LENGTH_MASK); | ||
3411 | + if (add > new_block_bytes) | ||
3412 | + add = new_block_bytes; | ||
3413 | + new_block_bytes -= add; | ||
3414 | + last_ext->extLength += add; | ||
3415 | } | ||
3416 | |||
3417 | if (fake) { | ||
3418 | @@ -544,28 +545,27 @@ static int udf_do_extend_file(struct inode *inode, | ||
3419 | } | ||
3420 | |||
3421 | /* Managed to do everything necessary? */ | ||
3422 | - if (!blocks) | ||
3423 | + if (!new_block_bytes) | ||
3424 | goto out; | ||
3425 | |||
3426 | /* All further extents will be NOT_RECORDED_NOT_ALLOCATED */ | ||
3427 | last_ext->extLocation.logicalBlockNum = 0; | ||
3428 | last_ext->extLocation.partitionReferenceNum = 0; | ||
3429 | - add = (1 << (30-sb->s_blocksize_bits)) - 1; | ||
3430 | - last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | | ||
3431 | - (add << sb->s_blocksize_bits); | ||
3432 | + add = (1 << 30) - sb->s_blocksize; | ||
3433 | + last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | add; | ||
3434 | |||
3435 | /* Create enough extents to cover the whole hole */ | ||
3436 | - while (blocks > add) { | ||
3437 | - blocks -= add; | ||
3438 | + while (new_block_bytes > add) { | ||
3439 | + new_block_bytes -= add; | ||
3440 | err = udf_add_aext(inode, last_pos, &last_ext->extLocation, | ||
3441 | last_ext->extLength, 1); | ||
3442 | if (err) | ||
3443 | return err; | ||
3444 | count++; | ||
3445 | } | ||
3446 | - if (blocks) { | ||
3447 | + if (new_block_bytes) { | ||
3448 | last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | | ||
3449 | - (blocks << sb->s_blocksize_bits); | ||
3450 | + new_block_bytes; | ||
3451 | err = udf_add_aext(inode, last_pos, &last_ext->extLocation, | ||
3452 | last_ext->extLength, 1); | ||
3453 | if (err) | ||
3454 | @@ -596,6 +596,24 @@ out: | ||
3455 | return count; | ||
3456 | } | ||
3457 | |||
3458 | +/* Extend the final block of the file to final_block_len bytes */ | ||
3459 | +static void udf_do_extend_final_block(struct inode *inode, | ||
3460 | + struct extent_position *last_pos, | ||
3461 | + struct kernel_long_ad *last_ext, | ||
3462 | + uint32_t final_block_len) | ||
3463 | +{ | ||
3464 | + struct super_block *sb = inode->i_sb; | ||
3465 | + uint32_t added_bytes; | ||
3466 | + | ||
3467 | + added_bytes = final_block_len - | ||
3468 | + (last_ext->extLength & (sb->s_blocksize - 1)); | ||
3469 | + last_ext->extLength += added_bytes; | ||
3470 | + UDF_I(inode)->i_lenExtents += added_bytes; | ||
3471 | + | ||
3472 | + udf_write_aext(inode, last_pos, &last_ext->extLocation, | ||
3473 | + last_ext->extLength, 1); | ||
3474 | +} | ||
3475 | + | ||
3476 | static int udf_extend_file(struct inode *inode, loff_t newsize) | ||
3477 | { | ||
3478 | |||
3479 | @@ -605,10 +623,12 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) | ||
3480 | int8_t etype; | ||
3481 | struct super_block *sb = inode->i_sb; | ||
3482 | sector_t first_block = newsize >> sb->s_blocksize_bits, offset; | ||
3483 | + unsigned long partial_final_block; | ||
3484 | int adsize; | ||
3485 | struct udf_inode_info *iinfo = UDF_I(inode); | ||
3486 | struct kernel_long_ad extent; | ||
3487 | - int err; | ||
3488 | + int err = 0; | ||
3489 | + int within_final_block; | ||
3490 | |||
3491 | if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT) | ||
3492 | adsize = sizeof(struct short_ad); | ||
3493 | @@ -618,18 +638,8 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) | ||
3494 | BUG(); | ||
3495 | |||
3496 | etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset); | ||
3497 | + within_final_block = (etype != -1); | ||
3498 | |||
3499 | - /* File has extent covering the new size (could happen when extending | ||
3500 | - * inside a block)? */ | ||
3501 | - if (etype != -1) | ||
3502 | - return 0; | ||
3503 | - if (newsize & (sb->s_blocksize - 1)) | ||
3504 | - offset++; | ||
3505 | - /* Extended file just to the boundary of the last file block? */ | ||
3506 | - if (offset == 0) | ||
3507 | - return 0; | ||
3508 | - | ||
3509 | - /* Truncate is extending the file by 'offset' blocks */ | ||
3510 | if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) || | ||
3511 | (epos.bh && epos.offset == sizeof(struct allocExtDesc))) { | ||
3512 | /* File has no extents at all or has empty last | ||
3513 | @@ -643,7 +653,22 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) | ||
3514 | &extent.extLength, 0); | ||
3515 | extent.extLength |= etype << 30; | ||
3516 | } | ||
3517 | - err = udf_do_extend_file(inode, &epos, &extent, offset); | ||
3518 | + | ||
3519 | + partial_final_block = newsize & (sb->s_blocksize - 1); | ||
3520 | + | ||
3521 | + /* File has extent covering the new size (could happen when extending | ||
3522 | + * inside a block)? | ||
3523 | + */ | ||
3524 | + if (within_final_block) { | ||
3525 | + /* Extending file within the last file block */ | ||
3526 | + udf_do_extend_final_block(inode, &epos, &extent, | ||
3527 | + partial_final_block); | ||
3528 | + } else { | ||
3529 | + loff_t add = ((loff_t)offset << sb->s_blocksize_bits) | | ||
3530 | + partial_final_block; | ||
3531 | + err = udf_do_extend_file(inode, &epos, &extent, add); | ||
3532 | + } | ||
3533 | + | ||
3534 | if (err < 0) | ||
3535 | goto out; | ||
3536 | err = 0; | ||
3537 | @@ -745,6 +770,7 @@ static sector_t inode_getblk(struct inode *inode, sector_t block, | ||
3538 | /* Are we beyond EOF? */ | ||
3539 | if (etype == -1) { | ||
3540 | int ret; | ||
3541 | + loff_t hole_len; | ||
3542 | isBeyondEOF = true; | ||
3543 | if (count) { | ||
3544 | if (c) | ||
3545 | @@ -760,7 +786,8 @@ static sector_t inode_getblk(struct inode *inode, sector_t block, | ||
3546 | startnum = (offset > 0); | ||
3547 | } | ||
3548 | /* Create extents for the hole between EOF and offset */ | ||
3549 | - ret = udf_do_extend_file(inode, &prev_epos, laarr, offset); | ||
3550 | + hole_len = (loff_t)offset << inode->i_blkbits; | ||
3551 | + ret = udf_do_extend_file(inode, &prev_epos, laarr, hole_len); | ||
3552 | if (ret < 0) { | ||
3553 | *err = ret; | ||
3554 | newblock = 0; | ||
3555 | diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c | ||
3556 | index 8da5e6637771..11f703d4a605 100644 | ||
3557 | --- a/fs/xfs/xfs_aops.c | ||
3558 | +++ b/fs/xfs/xfs_aops.c | ||
3559 | @@ -782,7 +782,7 @@ xfs_add_to_ioend( | ||
3560 | atomic_inc(&iop->write_count); | ||
3561 | |||
3562 | if (!merged) { | ||
3563 | - if (bio_full(wpc->ioend->io_bio)) | ||
3564 | + if (bio_full(wpc->ioend->io_bio, len)) | ||
3565 | xfs_chain_bio(wpc->ioend, wbc, bdev, sector); | ||
3566 | bio_add_page(wpc->ioend->io_bio, page, len, poff); | ||
3567 | } | ||
3568 | diff --git a/include/linux/bio.h b/include/linux/bio.h | ||
3569 | index f87abaa898f0..e36b8fc1b1c3 100644 | ||
3570 | --- a/include/linux/bio.h | ||
3571 | +++ b/include/linux/bio.h | ||
3572 | @@ -102,9 +102,23 @@ static inline void *bio_data(struct bio *bio) | ||
3573 | return NULL; | ||
3574 | } | ||
3575 | |||
3576 | -static inline bool bio_full(struct bio *bio) | ||
3577 | +/** | ||
3578 | + * bio_full - check if the bio is full | ||
3579 | + * @bio: bio to check | ||
3580 | + * @len: length of one segment to be added | ||
3581 | + * | ||
3582 | + * Return true if @bio is full and one segment with @len bytes can't be | ||
3583 | + * added to the bio, otherwise return false | ||
3584 | + */ | ||
3585 | +static inline bool bio_full(struct bio *bio, unsigned len) | ||
3586 | { | ||
3587 | - return bio->bi_vcnt >= bio->bi_max_vecs; | ||
3588 | + if (bio->bi_vcnt >= bio->bi_max_vecs) | ||
3589 | + return true; | ||
3590 | + | ||
3591 | + if (bio->bi_iter.bi_size > UINT_MAX - len) | ||
3592 | + return true; | ||
3593 | + | ||
3594 | + return false; | ||
3595 | } | ||
3596 | |||
3597 | static inline bool bio_next_segment(const struct bio *bio, | ||
3598 | diff --git a/include/linux/vmw_vmci_defs.h b/include/linux/vmw_vmci_defs.h | ||
3599 | index 77ac9c7b9483..762f793e92f6 100644 | ||
3600 | --- a/include/linux/vmw_vmci_defs.h | ||
3601 | +++ b/include/linux/vmw_vmci_defs.h | ||
3602 | @@ -62,9 +62,18 @@ enum { | ||
3603 | |||
3604 | /* | ||
3605 | * A single VMCI device has an upper limit of 128MB on the amount of | ||
3606 | - * memory that can be used for queue pairs. | ||
3607 | + * memory that can be used for queue pairs. Since each queue pair | ||
3608 | + * consists of at least two pages, the memory limit also dictates the | ||
3609 | + * number of queue pairs a guest can create. | ||
3610 | */ | ||
3611 | #define VMCI_MAX_GUEST_QP_MEMORY (128 * 1024 * 1024) | ||
3612 | +#define VMCI_MAX_GUEST_QP_COUNT (VMCI_MAX_GUEST_QP_MEMORY / PAGE_SIZE / 2) | ||
3613 | + | ||
3614 | +/* | ||
3615 | + * There can be at most PAGE_SIZE doorbells since there is one doorbell | ||
3616 | + * per byte in the doorbell bitmap page. | ||
3617 | + */ | ||
3618 | +#define VMCI_MAX_GUEST_DOORBELL_COUNT PAGE_SIZE | ||
3619 | |||
3620 | /* | ||
3621 | * Queues with pre-mapped data pages must be small, so that we don't pin | ||
3622 | diff --git a/include/uapi/linux/usb/audio.h b/include/uapi/linux/usb/audio.h | ||
3623 | index ddc5396800aa..76b7c3f6cd0d 100644 | ||
3624 | --- a/include/uapi/linux/usb/audio.h | ||
3625 | +++ b/include/uapi/linux/usb/audio.h | ||
3626 | @@ -450,6 +450,43 @@ static inline __u8 *uac_processing_unit_specific(struct uac_processing_unit_desc | ||
3627 | } | ||
3628 | } | ||
3629 | |||
3630 | +/* | ||
3631 | + * Extension Unit (XU) has almost compatible layout with Processing Unit, but | ||
3632 | + * on UAC2, it has a different bmControls size (bControlSize); it's 1 byte for | ||
3633 | + * XU while 2 bytes for PU. The last iExtension field is a one-byte index as | ||
3634 | + * well as iProcessing field of PU. | ||
3635 | + */ | ||
3636 | +static inline __u8 uac_extension_unit_bControlSize(struct uac_processing_unit_descriptor *desc, | ||
3637 | + int protocol) | ||
3638 | +{ | ||
3639 | + switch (protocol) { | ||
3640 | + case UAC_VERSION_1: | ||
3641 | + return desc->baSourceID[desc->bNrInPins + 4]; | ||
3642 | + case UAC_VERSION_2: | ||
3643 | + return 1; /* in UAC2, this value is constant */ | ||
3644 | + case UAC_VERSION_3: | ||
3645 | + return 4; /* in UAC3, this value is constant */ | ||
3646 | + default: | ||
3647 | + return 1; | ||
3648 | + } | ||
3649 | +} | ||
3650 | + | ||
3651 | +static inline __u8 uac_extension_unit_iExtension(struct uac_processing_unit_descriptor *desc, | ||
3652 | + int protocol) | ||
3653 | +{ | ||
3654 | + __u8 control_size = uac_extension_unit_bControlSize(desc, protocol); | ||
3655 | + | ||
3656 | + switch (protocol) { | ||
3657 | + case UAC_VERSION_1: | ||
3658 | + case UAC_VERSION_2: | ||
3659 | + default: | ||
3660 | + return *(uac_processing_unit_bmControls(desc, protocol) | ||
3661 | + + control_size); | ||
3662 | + case UAC_VERSION_3: | ||
3663 | + return 0; /* UAC3 does not have this field */ | ||
3664 | + } | ||
3665 | +} | ||
3666 | + | ||
3667 | /* 4.5.2 Class-Specific AS Interface Descriptor */ | ||
3668 | struct uac1_as_header_descriptor { | ||
3669 | __u8 bLength; /* in bytes: 7 */ | ||
3670 | diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c | ||
3671 | index 6f3a35949cdd..f24a757f8239 100644 | ||
3672 | --- a/sound/pci/hda/patch_realtek.c | ||
3673 | +++ b/sound/pci/hda/patch_realtek.c | ||
3674 | @@ -3255,6 +3255,7 @@ static void alc256_init(struct hda_codec *codec) | ||
3675 | alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */ | ||
3676 | alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 1 << 15); /* Clear bit */ | ||
3677 | alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 0 << 15); | ||
3678 | + alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/ | ||
3679 | } | ||
3680 | |||
3681 | static void alc256_shutup(struct hda_codec *codec) | ||
3682 | @@ -7825,7 +7826,6 @@ static int patch_alc269(struct hda_codec *codec) | ||
3683 | spec->shutup = alc256_shutup; | ||
3684 | spec->init_hook = alc256_init; | ||
3685 | spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ | ||
3686 | - alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/ | ||
3687 | break; | ||
3688 | case 0x10ec0257: | ||
3689 | spec->codec_variant = ALC269_TYPE_ALC257; | ||
3690 | diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c | ||
3691 | index c703f8534b07..7498b5191b68 100644 | ||
3692 | --- a/sound/usb/mixer.c | ||
3693 | +++ b/sound/usb/mixer.c | ||
3694 | @@ -2303,7 +2303,7 @@ static struct procunit_info extunits[] = { | ||
3695 | */ | ||
3696 | static int build_audio_procunit(struct mixer_build *state, int unitid, | ||
3697 | void *raw_desc, struct procunit_info *list, | ||
3698 | - char *name) | ||
3699 | + bool extension_unit) | ||
3700 | { | ||
3701 | struct uac_processing_unit_descriptor *desc = raw_desc; | ||
3702 | int num_ins; | ||
3703 | @@ -2320,6 +2320,8 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, | ||
3704 | static struct procunit_info default_info = { | ||
3705 | 0, NULL, default_value_info | ||
3706 | }; | ||
3707 | + const char *name = extension_unit ? | ||
3708 | + "Extension Unit" : "Processing Unit"; | ||
3709 | |||
3710 | if (desc->bLength < 13) { | ||
3711 | usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); | ||
3712 | @@ -2433,7 +2435,10 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, | ||
3713 | } else if (info->name) { | ||
3714 | strlcpy(kctl->id.name, info->name, sizeof(kctl->id.name)); | ||
3715 | } else { | ||
3716 | - nameid = uac_processing_unit_iProcessing(desc, state->mixer->protocol); | ||
3717 | + if (extension_unit) | ||
3718 | + nameid = uac_extension_unit_iExtension(desc, state->mixer->protocol); | ||
3719 | + else | ||
3720 | + nameid = uac_processing_unit_iProcessing(desc, state->mixer->protocol); | ||
3721 | len = 0; | ||
3722 | if (nameid) | ||
3723 | len = snd_usb_copy_string_desc(state->chip, | ||
3724 | @@ -2466,10 +2471,10 @@ static int parse_audio_processing_unit(struct mixer_build *state, int unitid, | ||
3725 | case UAC_VERSION_2: | ||
3726 | default: | ||
3727 | return build_audio_procunit(state, unitid, raw_desc, | ||
3728 | - procunits, "Processing Unit"); | ||
3729 | + procunits, false); | ||
3730 | case UAC_VERSION_3: | ||
3731 | return build_audio_procunit(state, unitid, raw_desc, | ||
3732 | - uac3_procunits, "Processing Unit"); | ||
3733 | + uac3_procunits, false); | ||
3734 | } | ||
3735 | } | ||
3736 | |||
3737 | @@ -2480,8 +2485,7 @@ static int parse_audio_extension_unit(struct mixer_build *state, int unitid, | ||
3738 | * Note that we parse extension units with processing unit descriptors. | ||
3739 | * That's ok as the layout is the same. | ||
3740 | */ | ||
3741 | - return build_audio_procunit(state, unitid, raw_desc, | ||
3742 | - extunits, "Extension Unit"); | ||
3743 | + return build_audio_procunit(state, unitid, raw_desc, extunits, true); | ||
3744 | } | ||
3745 | |||
3746 | /* | ||
3747 | diff --git a/tools/perf/Documentation/intel-pt.txt b/tools/perf/Documentation/intel-pt.txt | ||
3748 | index 115eaacc455f..60d99e5e7921 100644 | ||
3749 | --- a/tools/perf/Documentation/intel-pt.txt | ||
3750 | +++ b/tools/perf/Documentation/intel-pt.txt | ||
3751 | @@ -88,16 +88,16 @@ smaller. | ||
3752 | |||
3753 | To represent software control flow, "branches" samples are produced. By default | ||
3754 | a branch sample is synthesized for every single branch. To get an idea what | ||
3755 | -data is available you can use the 'perf script' tool with no parameters, which | ||
3756 | -will list all the samples. | ||
3757 | +data is available you can use the 'perf script' tool with all itrace sampling | ||
3758 | +options, which will list all the samples. | ||
3759 | |||
3760 | perf record -e intel_pt//u ls | ||
3761 | - perf script | ||
3762 | + perf script --itrace=ibxwpe | ||
3763 | |||
3764 | An interesting field that is not printed by default is 'flags' which can be | ||
3765 | displayed as follows: | ||
3766 | |||
3767 | - perf script -Fcomm,tid,pid,time,cpu,event,trace,ip,sym,dso,addr,symoff,flags | ||
3768 | + perf script --itrace=ibxwpe -F+flags | ||
3769 | |||
3770 | The flags are "bcrosyiABEx" which stand for branch, call, return, conditional, | ||
3771 | system, asynchronous, interrupt, transaction abort, trace begin, trace end, and | ||
3772 | @@ -713,7 +713,7 @@ Having no option is the same as | ||
3773 | |||
3774 | which, in turn, is the same as | ||
3775 | |||
3776 | - --itrace=ibxwpe | ||
3777 | + --itrace=cepwx | ||
3778 | |||
3779 | The letters are: | ||
3780 | |||
3781 | diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c | ||
3782 | index 66e82bd0683e..cfdbf65f1e02 100644 | ||
3783 | --- a/tools/perf/util/auxtrace.c | ||
3784 | +++ b/tools/perf/util/auxtrace.c | ||
3785 | @@ -1001,7 +1001,8 @@ int itrace_parse_synth_opts(const struct option *opt, const char *str, | ||
3786 | } | ||
3787 | |||
3788 | if (!str) { | ||
3789 | - itrace_synth_opts__set_default(synth_opts, false); | ||
3790 | + itrace_synth_opts__set_default(synth_opts, | ||
3791 | + synth_opts->default_no_sample); | ||
3792 | return 0; | ||
3793 | } | ||
3794 | |||
3795 | diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c | ||
3796 | index 847ae51a524b..fb0aa661644b 100644 | ||
3797 | --- a/tools/perf/util/header.c | ||
3798 | +++ b/tools/perf/util/header.c | ||
3799 | @@ -3602,6 +3602,7 @@ int perf_event__synthesize_features(struct perf_tool *tool, | ||
3800 | return -ENOMEM; | ||
3801 | |||
3802 | ff.size = sz - sz_hdr; | ||
3803 | + ff.ph = &session->header; | ||
3804 | |||
3805 | for_each_set_bit(feat, header->adds_features, HEADER_FEAT_BITS) { | ||
3806 | if (!feat_ops[feat].synthesize) { | ||
3807 | diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c | ||
3808 | index d6f1b2a03f9b..f7dd4657535d 100644 | ||
3809 | --- a/tools/perf/util/intel-pt.c | ||
3810 | +++ b/tools/perf/util/intel-pt.c | ||
3811 | @@ -2579,7 +2579,8 @@ int intel_pt_process_auxtrace_info(union perf_event *event, | ||
3812 | } else { | ||
3813 | itrace_synth_opts__set_default(&pt->synth_opts, | ||
3814 | session->itrace_synth_opts->default_no_sample); | ||
3815 | - if (use_browser != -1) { | ||
3816 | + if (!session->itrace_synth_opts->default_no_sample && | ||
3817 | + !session->itrace_synth_opts->inject) { | ||
3818 | pt->synth_opts.branches = false; | ||
3819 | pt->synth_opts.callchain = true; | ||
3820 | } | ||
3821 | diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c | ||
3822 | index e0429f4ef335..faa8eb231e1b 100644 | ||
3823 | --- a/tools/perf/util/pmu.c | ||
3824 | +++ b/tools/perf/util/pmu.c | ||
3825 | @@ -709,9 +709,7 @@ static void pmu_add_cpu_aliases(struct list_head *head, struct perf_pmu *pmu) | ||
3826 | { | ||
3827 | int i; | ||
3828 | struct pmu_events_map *map; | ||
3829 | - struct pmu_event *pe; | ||
3830 | const char *name = pmu->name; | ||
3831 | - const char *pname; | ||
3832 | |||
3833 | map = perf_pmu__find_map(pmu); | ||
3834 | if (!map) | ||
3835 | @@ -722,28 +720,26 @@ static void pmu_add_cpu_aliases(struct list_head *head, struct perf_pmu *pmu) | ||
3836 | */ | ||
3837 | i = 0; | ||
3838 | while (1) { | ||
3839 | + const char *cpu_name = is_arm_pmu_core(name) ? name : "cpu"; | ||
3840 | + struct pmu_event *pe = &map->table[i++]; | ||
3841 | + const char *pname = pe->pmu ? pe->pmu : cpu_name; | ||
3842 | |||
3843 | - pe = &map->table[i++]; | ||
3844 | if (!pe->name) { | ||
3845 | if (pe->metric_group || pe->metric_name) | ||
3846 | continue; | ||
3847 | break; | ||
3848 | } | ||
3849 | |||
3850 | - if (!is_arm_pmu_core(name)) { | ||
3851 | - pname = pe->pmu ? pe->pmu : "cpu"; | ||
3852 | - | ||
3853 | - /* | ||
3854 | - * uncore alias may be from different PMU | ||
3855 | - * with common prefix | ||
3856 | - */ | ||
3857 | - if (pmu_is_uncore(name) && | ||
3858 | - !strncmp(pname, name, strlen(pname))) | ||
3859 | - goto new_alias; | ||
3860 | + /* | ||
3861 | + * uncore alias may be from different PMU | ||
3862 | + * with common prefix | ||
3863 | + */ | ||
3864 | + if (pmu_is_uncore(name) && | ||
3865 | + !strncmp(pname, name, strlen(pname))) | ||
3866 | + goto new_alias; | ||
3867 | |||
3868 | - if (strcmp(pname, name)) | ||
3869 | - continue; | ||
3870 | - } | ||
3871 | + if (strcmp(pname, name)) | ||
3872 | + continue; | ||
3873 | |||
3874 | new_alias: | ||
3875 | /* need type casts to override 'const' */ | ||
3876 | diff --git a/tools/perf/util/thread-stack.c b/tools/perf/util/thread-stack.c | ||
3877 | index 4ba9e866b076..60c9d955c4d7 100644 | ||
3878 | --- a/tools/perf/util/thread-stack.c | ||
3879 | +++ b/tools/perf/util/thread-stack.c | ||
3880 | @@ -616,6 +616,23 @@ static int thread_stack__bottom(struct thread_stack *ts, | ||
3881 | true, false); | ||
3882 | } | ||
3883 | |||
3884 | +static int thread_stack__pop_ks(struct thread *thread, struct thread_stack *ts, | ||
3885 | + struct perf_sample *sample, u64 ref) | ||
3886 | +{ | ||
3887 | + u64 tm = sample->time; | ||
3888 | + int err; | ||
3889 | + | ||
3890 | + /* Return to userspace, so pop all kernel addresses */ | ||
3891 | + while (thread_stack__in_kernel(ts)) { | ||
3892 | + err = thread_stack__call_return(thread, ts, --ts->cnt, | ||
3893 | + tm, ref, true); | ||
3894 | + if (err) | ||
3895 | + return err; | ||
3896 | + } | ||
3897 | + | ||
3898 | + return 0; | ||
3899 | +} | ||
3900 | + | ||
3901 | static int thread_stack__no_call_return(struct thread *thread, | ||
3902 | struct thread_stack *ts, | ||
3903 | struct perf_sample *sample, | ||
3904 | @@ -896,7 +913,18 @@ int thread_stack__process(struct thread *thread, struct comm *comm, | ||
3905 | ts->rstate = X86_RETPOLINE_DETECTED; | ||
3906 | |||
3907 | } else if (sample->flags & PERF_IP_FLAG_RETURN) { | ||
3908 | - if (!sample->ip || !sample->addr) | ||
3909 | + if (!sample->addr) { | ||
3910 | + u32 return_from_kernel = PERF_IP_FLAG_SYSCALLRET | | ||
3911 | + PERF_IP_FLAG_INTERRUPT; | ||
3912 | + | ||
3913 | + if (!(sample->flags & return_from_kernel)) | ||
3914 | + return 0; | ||
3915 | + | ||
3916 | + /* Pop kernel stack */ | ||
3917 | + return thread_stack__pop_ks(thread, ts, sample, ref); | ||
3918 | + } | ||
3919 | + | ||
3920 | + if (!sample->ip) | ||
3921 | return 0; | ||
3922 | |||
3923 | /* x86 retpoline 'return' doesn't match the stack */ |