1 |
commit: 7cadd67192ac4963f002a414373dce7cd7eea829 |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Feb 25 20:31:00 2016 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Feb 25 20:31:00 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=7cadd671 |
7 |
|
8 |
Linux patch 3.10.98 |
9 |
|
10 |
0000_README | 4 + |
11 |
1097_linux-3.10.98.patch | 1792 ++++++++++++++++++++++++++++++++++++++++++++++ |
12 |
2 files changed, 1796 insertions(+) |
13 |
|
14 |
diff --git a/0000_README b/0000_README |
15 |
index f3215a3..180e0a0 100644 |
16 |
--- a/0000_README |
17 |
+++ b/0000_README |
18 |
@@ -430,6 +430,10 @@ Patch: 1096_linux-3.10.97.patch |
19 |
From: http://www.kernel.org |
20 |
Desc: Linux 3.10.97 |
21 |
|
22 |
+Patch: 1097_linux-3.10.98.patch |
23 |
+From: http://www.kernel.org |
24 |
+Desc: Linux 3.10.98 |
25 |
+ |
26 |
Patch: 1500_XATTR_USER_PREFIX.patch |
27 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
28 |
Desc: Support for namespace user.pax.* on tmpfs. |
29 |
|
30 |
diff --git a/1097_linux-3.10.98.patch b/1097_linux-3.10.98.patch |
31 |
new file mode 100644 |
32 |
index 0000000..332f8fe |
33 |
--- /dev/null |
34 |
+++ b/1097_linux-3.10.98.patch |
35 |
@@ -0,0 +1,1792 @@ |
36 |
+diff --git a/Makefile b/Makefile |
37 |
+index f26470169c70..dadd1edc6f84 100644 |
38 |
+--- a/Makefile |
39 |
++++ b/Makefile |
40 |
+@@ -1,6 +1,6 @@ |
41 |
+ VERSION = 3 |
42 |
+ PATCHLEVEL = 10 |
43 |
+-SUBLEVEL = 97 |
44 |
++SUBLEVEL = 98 |
45 |
+ EXTRAVERSION = |
46 |
+ NAME = TOSSUG Baby Fish |
47 |
+ |
48 |
+diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c |
49 |
+index 2dc6da70ae59..d7ed252708c5 100644 |
50 |
+--- a/arch/arm/common/icst.c |
51 |
++++ b/arch/arm/common/icst.c |
52 |
+@@ -16,7 +16,7 @@ |
53 |
+ */ |
54 |
+ #include <linux/module.h> |
55 |
+ #include <linux/kernel.h> |
56 |
+- |
57 |
++#include <asm/div64.h> |
58 |
+ #include <asm/hardware/icst.h> |
59 |
+ |
60 |
+ /* |
61 |
+@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div); |
62 |
+ |
63 |
+ unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco) |
64 |
+ { |
65 |
+- return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]); |
66 |
++ u64 dividend = p->ref * 2 * (u64)(vco.v + 8); |
67 |
++ u32 divisor = (vco.r + 2) * p->s2div[vco.s]; |
68 |
++ |
69 |
++ do_div(dividend, divisor); |
70 |
++ return (unsigned long)dividend; |
71 |
+ } |
72 |
+ |
73 |
+ EXPORT_SYMBOL(icst_hz); |
74 |
+@@ -58,6 +62,7 @@ icst_hz_to_vco(const struct icst_params *p, unsigned long freq) |
75 |
+ |
76 |
+ if (f > p->vco_min && f <= p->vco_max) |
77 |
+ break; |
78 |
++ i++; |
79 |
+ } while (i < 8); |
80 |
+ |
81 |
+ if (i >= 8) |
82 |
+diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c |
83 |
+index 0392112a5d70..a5ecef7188ba 100644 |
84 |
+--- a/arch/m32r/kernel/setup.c |
85 |
++++ b/arch/m32r/kernel/setup.c |
86 |
+@@ -81,7 +81,10 @@ static struct resource code_resource = { |
87 |
+ }; |
88 |
+ |
89 |
+ unsigned long memory_start; |
90 |
++EXPORT_SYMBOL(memory_start); |
91 |
++ |
92 |
+ unsigned long memory_end; |
93 |
++EXPORT_SYMBOL(memory_end); |
94 |
+ |
95 |
+ void __init setup_arch(char **); |
96 |
+ int get_cpuinfo(char *); |
97 |
+diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h |
98 |
+index c48a95035a77..4dde707a6ff7 100644 |
99 |
+--- a/arch/x86/include/asm/segment.h |
100 |
++++ b/arch/x86/include/asm/segment.h |
101 |
+@@ -212,8 +212,19 @@ |
102 |
+ #define TLS_SIZE (GDT_ENTRY_TLS_ENTRIES * 8) |
103 |
+ |
104 |
+ #ifdef __KERNEL__ |
105 |
++ |
106 |
++/* |
107 |
++ * early_idt_handler_array is an array of entry points referenced in the |
108 |
++ * early IDT. For simplicity, it's a real array with one entry point |
109 |
++ * every nine bytes. That leaves room for an optional 'push $0' if the |
110 |
++ * vector has no error code (two bytes), a 'push $vector_number' (two |
111 |
++ * bytes), and a jump to the common entry code (up to five bytes). |
112 |
++ */ |
113 |
++#define EARLY_IDT_HANDLER_SIZE 9 |
114 |
++ |
115 |
+ #ifndef __ASSEMBLY__ |
116 |
+-extern const char early_idt_handlers[NUM_EXCEPTION_VECTORS][2+2+5]; |
117 |
++ |
118 |
++extern const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE]; |
119 |
+ |
120 |
+ /* |
121 |
+ * Load a segment. Fall back on loading the zero |
122 |
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c |
123 |
+index 55b67614ed94..3b861b7661ee 100644 |
124 |
+--- a/arch/x86/kernel/head64.c |
125 |
++++ b/arch/x86/kernel/head64.c |
126 |
+@@ -162,7 +162,7 @@ void __init x86_64_start_kernel(char * real_mode_data) |
127 |
+ clear_bss(); |
128 |
+ |
129 |
+ for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) |
130 |
+- set_intr_gate(i, &early_idt_handlers[i]); |
131 |
++ set_intr_gate(i, &early_idt_handler_array[i]); |
132 |
+ load_idt((const struct desc_ptr *)&idt_descr); |
133 |
+ |
134 |
+ copy_bootdata(__va(real_mode_data)); |
135 |
+diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S |
136 |
+index df63cae573e0..8060c8b95b3a 100644 |
137 |
+--- a/arch/x86/kernel/head_32.S |
138 |
++++ b/arch/x86/kernel/head_32.S |
139 |
+@@ -499,21 +499,22 @@ check_x87: |
140 |
+ __INIT |
141 |
+ setup_once: |
142 |
+ /* |
143 |
+- * Set up a idt with 256 entries pointing to ignore_int, |
144 |
+- * interrupt gates. It doesn't actually load idt - that needs |
145 |
+- * to be done on each CPU. Interrupts are enabled elsewhere, |
146 |
+- * when we can be relatively sure everything is ok. |
147 |
++ * Set up a idt with 256 interrupt gates that push zero if there |
148 |
++ * is no error code and then jump to early_idt_handler_common. |
149 |
++ * It doesn't actually load the idt - that needs to be done on |
150 |
++ * each CPU. Interrupts are enabled elsewhere, when we can be |
151 |
++ * relatively sure everything is ok. |
152 |
+ */ |
153 |
+ |
154 |
+ movl $idt_table,%edi |
155 |
+- movl $early_idt_handlers,%eax |
156 |
++ movl $early_idt_handler_array,%eax |
157 |
+ movl $NUM_EXCEPTION_VECTORS,%ecx |
158 |
+ 1: |
159 |
+ movl %eax,(%edi) |
160 |
+ movl %eax,4(%edi) |
161 |
+ /* interrupt gate, dpl=0, present */ |
162 |
+ movl $(0x8E000000 + __KERNEL_CS),2(%edi) |
163 |
+- addl $9,%eax |
164 |
++ addl $EARLY_IDT_HANDLER_SIZE,%eax |
165 |
+ addl $8,%edi |
166 |
+ loop 1b |
167 |
+ |
168 |
+@@ -545,26 +546,28 @@ setup_once: |
169 |
+ andl $0,setup_once_ref /* Once is enough, thanks */ |
170 |
+ ret |
171 |
+ |
172 |
+-ENTRY(early_idt_handlers) |
173 |
++ENTRY(early_idt_handler_array) |
174 |
+ # 36(%esp) %eflags |
175 |
+ # 32(%esp) %cs |
176 |
+ # 28(%esp) %eip |
177 |
+ # 24(%rsp) error code |
178 |
+ i = 0 |
179 |
+ .rept NUM_EXCEPTION_VECTORS |
180 |
+- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 |
181 |
+- ASM_NOP2 |
182 |
+- .else |
183 |
++ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 |
184 |
+ pushl $0 # Dummy error code, to make stack frame uniform |
185 |
+ .endif |
186 |
+ pushl $i # 20(%esp) Vector number |
187 |
+- jmp early_idt_handler |
188 |
++ jmp early_idt_handler_common |
189 |
+ i = i + 1 |
190 |
++ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc |
191 |
+ .endr |
192 |
+-ENDPROC(early_idt_handlers) |
193 |
++ENDPROC(early_idt_handler_array) |
194 |
+ |
195 |
+- /* This is global to keep gas from relaxing the jumps */ |
196 |
+-ENTRY(early_idt_handler) |
197 |
++early_idt_handler_common: |
198 |
++ /* |
199 |
++ * The stack is the hardware frame, an error code or zero, and the |
200 |
++ * vector number. |
201 |
++ */ |
202 |
+ cld |
203 |
+ |
204 |
+ cmpl $2,(%esp) # X86_TRAP_NMI |
205 |
+@@ -624,7 +627,7 @@ ex_entry: |
206 |
+ is_nmi: |
207 |
+ addl $8,%esp /* drop vector number and error code */ |
208 |
+ iret |
209 |
+-ENDPROC(early_idt_handler) |
210 |
++ENDPROC(early_idt_handler_common) |
211 |
+ |
212 |
+ /* This is the default interrupt "handler" :-) */ |
213 |
+ ALIGN |
214 |
+diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S |
215 |
+index 3280489905a8..54bf9c2d0d13 100644 |
216 |
+--- a/arch/x86/kernel/head_64.S |
217 |
++++ b/arch/x86/kernel/head_64.S |
218 |
+@@ -329,26 +329,28 @@ bad_address: |
219 |
+ jmp bad_address |
220 |
+ |
221 |
+ __INIT |
222 |
+- .globl early_idt_handlers |
223 |
+-early_idt_handlers: |
224 |
++ENTRY(early_idt_handler_array) |
225 |
+ # 104(%rsp) %rflags |
226 |
+ # 96(%rsp) %cs |
227 |
+ # 88(%rsp) %rip |
228 |
+ # 80(%rsp) error code |
229 |
+ i = 0 |
230 |
+ .rept NUM_EXCEPTION_VECTORS |
231 |
+- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 |
232 |
+- ASM_NOP2 |
233 |
+- .else |
234 |
++ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 |
235 |
+ pushq $0 # Dummy error code, to make stack frame uniform |
236 |
+ .endif |
237 |
+ pushq $i # 72(%rsp) Vector number |
238 |
+- jmp early_idt_handler |
239 |
++ jmp early_idt_handler_common |
240 |
+ i = i + 1 |
241 |
++ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc |
242 |
+ .endr |
243 |
++ENDPROC(early_idt_handler_array) |
244 |
+ |
245 |
+-/* This is global to keep gas from relaxing the jumps */ |
246 |
+-ENTRY(early_idt_handler) |
247 |
++early_idt_handler_common: |
248 |
++ /* |
249 |
++ * The stack is the hardware frame, an error code or zero, and the |
250 |
++ * vector number. |
251 |
++ */ |
252 |
+ cld |
253 |
+ |
254 |
+ cmpl $2,(%rsp) # X86_TRAP_NMI |
255 |
+@@ -420,7 +422,7 @@ ENTRY(early_idt_handler) |
256 |
+ is_nmi: |
257 |
+ addq $16,%rsp # drop vector number and error code |
258 |
+ INTERRUPT_RETURN |
259 |
+-ENDPROC(early_idt_handler) |
260 |
++ENDPROC(early_idt_handler_common) |
261 |
+ |
262 |
+ __INITDATA |
263 |
+ |
264 |
+diff --git a/block/blk-core.c b/block/blk-core.c |
265 |
+index 5a750b18172e..9ae84ae05e6a 100644 |
266 |
+--- a/block/blk-core.c |
267 |
++++ b/block/blk-core.c |
268 |
+@@ -3097,6 +3097,9 @@ int blk_pre_runtime_suspend(struct request_queue *q) |
269 |
+ { |
270 |
+ int ret = 0; |
271 |
+ |
272 |
++ if (!q->dev) |
273 |
++ return ret; |
274 |
++ |
275 |
+ spin_lock_irq(q->queue_lock); |
276 |
+ if (q->nr_pending) { |
277 |
+ ret = -EBUSY; |
278 |
+@@ -3124,6 +3127,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend); |
279 |
+ */ |
280 |
+ void blk_post_runtime_suspend(struct request_queue *q, int err) |
281 |
+ { |
282 |
++ if (!q->dev) |
283 |
++ return; |
284 |
++ |
285 |
+ spin_lock_irq(q->queue_lock); |
286 |
+ if (!err) { |
287 |
+ q->rpm_status = RPM_SUSPENDED; |
288 |
+@@ -3148,6 +3154,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend); |
289 |
+ */ |
290 |
+ void blk_pre_runtime_resume(struct request_queue *q) |
291 |
+ { |
292 |
++ if (!q->dev) |
293 |
++ return; |
294 |
++ |
295 |
+ spin_lock_irq(q->queue_lock); |
296 |
+ q->rpm_status = RPM_RESUMING; |
297 |
+ spin_unlock_irq(q->queue_lock); |
298 |
+@@ -3170,6 +3179,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume); |
299 |
+ */ |
300 |
+ void blk_post_runtime_resume(struct request_queue *q, int err) |
301 |
+ { |
302 |
++ if (!q->dev) |
303 |
++ return; |
304 |
++ |
305 |
+ spin_lock_irq(q->queue_lock); |
306 |
+ if (!err) { |
307 |
+ q->rpm_status = RPM_ACTIVE; |
308 |
+diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c |
309 |
+index 334e31ff7a4e..6bd0c1ade9f2 100644 |
310 |
+--- a/drivers/iio/adc/ad7793.c |
311 |
++++ b/drivers/iio/adc/ad7793.c |
312 |
+@@ -101,7 +101,7 @@ |
313 |
+ #define AD7795_CH_AIN1M_AIN1M 8 /* AIN1(-) - AIN1(-) */ |
314 |
+ |
315 |
+ /* ID Register Bit Designations (AD7793_REG_ID) */ |
316 |
+-#define AD7785_ID 0xB |
317 |
++#define AD7785_ID 0x3 |
318 |
+ #define AD7792_ID 0xA |
319 |
+ #define AD7793_ID 0xB |
320 |
+ #define AD7794_ID 0xF |
321 |
+diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c |
322 |
+index aa26d50ab638..4eda4ea037b7 100644 |
323 |
+--- a/drivers/iio/dac/ad5064.c |
324 |
++++ b/drivers/iio/dac/ad5064.c |
325 |
+@@ -602,10 +602,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd, |
326 |
+ unsigned int addr, unsigned int val) |
327 |
+ { |
328 |
+ struct i2c_client *i2c = to_i2c_client(st->dev); |
329 |
++ int ret; |
330 |
+ |
331 |
+ st->data.i2c[0] = (cmd << 4) | addr; |
332 |
+ put_unaligned_be16(val, &st->data.i2c[1]); |
333 |
+- return i2c_master_send(i2c, st->data.i2c, 3); |
334 |
++ |
335 |
++ ret = i2c_master_send(i2c, st->data.i2c, 3); |
336 |
++ if (ret < 0) |
337 |
++ return ret; |
338 |
++ |
339 |
++ return 0; |
340 |
+ } |
341 |
+ |
342 |
+ static int ad5064_i2c_probe(struct i2c_client *i2c, |
343 |
+diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c |
344 |
+index a612ec766d96..029207bbf03d 100644 |
345 |
+--- a/drivers/iio/dac/mcp4725.c |
346 |
++++ b/drivers/iio/dac/mcp4725.c |
347 |
+@@ -166,6 +166,7 @@ static int mcp4725_probe(struct i2c_client *client, |
348 |
+ data->client = client; |
349 |
+ |
350 |
+ indio_dev->dev.parent = &client->dev; |
351 |
++ indio_dev->name = id->name; |
352 |
+ indio_dev->info = &mcp4725_info; |
353 |
+ indio_dev->channels = &mcp4725_channel; |
354 |
+ indio_dev->num_channels = 1; |
355 |
+diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c |
356 |
+index 99d8e0b0dd34..d0538bcdc1b8 100644 |
357 |
+--- a/drivers/iio/imu/adis_buffer.c |
358 |
++++ b/drivers/iio/imu/adis_buffer.c |
359 |
+@@ -43,7 +43,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev, |
360 |
+ return -ENOMEM; |
361 |
+ |
362 |
+ rx = adis->buffer; |
363 |
+- tx = rx + indio_dev->scan_bytes; |
364 |
++ tx = rx + scan_count; |
365 |
+ |
366 |
+ spi_message_init(&adis->msg); |
367 |
+ |
368 |
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c |
369 |
+index 02099afb6c79..77f06d001a66 100644 |
370 |
+--- a/drivers/input/mouse/elantech.c |
371 |
++++ b/drivers/input/mouse/elantech.c |
372 |
+@@ -1081,7 +1081,7 @@ static int elantech_set_input_params(struct psmouse *psmouse) |
373 |
+ input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2, |
374 |
+ ETP_WMAX_V2, 0, 0); |
375 |
+ } |
376 |
+- input_mt_init_slots(dev, 2, 0); |
377 |
++ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT); |
378 |
+ input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0); |
379 |
+ input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0); |
380 |
+ break; |
381 |
+@@ -1357,6 +1357,13 @@ static const struct dmi_system_id no_hw_res_dmi_table[] = { |
382 |
+ DMI_MATCH(DMI_PRODUCT_NAME, "U2442"), |
383 |
+ }, |
384 |
+ }, |
385 |
++ { |
386 |
++ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */ |
387 |
++ .matches = { |
388 |
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), |
389 |
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), |
390 |
++ }, |
391 |
++ }, |
392 |
+ #endif |
393 |
+ { } |
394 |
+ }; |
395 |
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h |
396 |
+index 4de2571938b8..5102b4f68f18 100644 |
397 |
+--- a/drivers/input/serio/i8042-x86ia64io.h |
398 |
++++ b/drivers/input/serio/i8042-x86ia64io.h |
399 |
+@@ -258,6 +258,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { |
400 |
+ }, |
401 |
+ }, |
402 |
+ { |
403 |
++ /* Fujitsu Lifebook U745 */ |
404 |
++ .matches = { |
405 |
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), |
406 |
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), |
407 |
++ }, |
408 |
++ }, |
409 |
++ { |
410 |
+ /* Fujitsu T70H */ |
411 |
+ .matches = { |
412 |
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), |
413 |
+diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c |
414 |
+index a7967ceb79e6..3d4622cae2cf 100644 |
415 |
+--- a/drivers/iommu/dmar.c |
416 |
++++ b/drivers/iommu/dmar.c |
417 |
+@@ -968,7 +968,7 @@ void dmar_disable_qi(struct intel_iommu *iommu) |
418 |
+ |
419 |
+ raw_spin_lock_irqsave(&iommu->register_lock, flags); |
420 |
+ |
421 |
+- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); |
422 |
++ sts = readl(iommu->reg + DMAR_GSTS_REG); |
423 |
+ if (!(sts & DMA_GSTS_QIES)) |
424 |
+ goto end; |
425 |
+ |
426 |
+diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c |
427 |
+index 45011f63ad16..990cc298824a 100644 |
428 |
+--- a/drivers/iommu/intel_irq_remapping.c |
429 |
++++ b/drivers/iommu/intel_irq_remapping.c |
430 |
+@@ -495,7 +495,7 @@ static void iommu_disable_irq_remapping(struct intel_iommu *iommu) |
431 |
+ |
432 |
+ raw_spin_lock_irqsave(&iommu->register_lock, flags); |
433 |
+ |
434 |
+- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); |
435 |
++ sts = readl(iommu->reg + DMAR_GSTS_REG); |
436 |
+ if (!(sts & DMA_GSTS_IRES)) |
437 |
+ goto end; |
438 |
+ |
439 |
+diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c |
440 |
+index 5895f1978691..e98de425f8e0 100644 |
441 |
+--- a/drivers/net/wan/x25_asy.c |
442 |
++++ b/drivers/net/wan/x25_asy.c |
443 |
+@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, |
444 |
+ |
445 |
+ static int x25_asy_open_tty(struct tty_struct *tty) |
446 |
+ { |
447 |
+- struct x25_asy *sl = tty->disc_data; |
448 |
++ struct x25_asy *sl; |
449 |
+ int err; |
450 |
+ |
451 |
+ if (tty->ops->write == NULL) |
452 |
+ return -EOPNOTSUPP; |
453 |
+ |
454 |
+- /* First make sure we're not already connected. */ |
455 |
+- if (sl && sl->magic == X25_ASY_MAGIC) |
456 |
+- return -EEXIST; |
457 |
+- |
458 |
+ /* OK. Find a free X.25 channel to use. */ |
459 |
+ sl = x25_asy_alloc(); |
460 |
+ if (sl == NULL) |
461 |
+diff --git a/drivers/platform/x86/intel_scu_ipcutil.c b/drivers/platform/x86/intel_scu_ipcutil.c |
462 |
+index 02bc5a6343c3..aa454241489c 100644 |
463 |
+--- a/drivers/platform/x86/intel_scu_ipcutil.c |
464 |
++++ b/drivers/platform/x86/intel_scu_ipcutil.c |
465 |
+@@ -49,7 +49,7 @@ struct scu_ipc_data { |
466 |
+ |
467 |
+ static int scu_reg_access(u32 cmd, struct scu_ipc_data *data) |
468 |
+ { |
469 |
+- int count = data->count; |
470 |
++ unsigned int count = data->count; |
471 |
+ |
472 |
+ if (count == 0 || count == 3 || count > 4) |
473 |
+ return -EINVAL; |
474 |
+diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c |
475 |
+index 69c915aa77c2..d661fcda1932 100644 |
476 |
+--- a/drivers/scsi/device_handler/scsi_dh_rdac.c |
477 |
++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c |
478 |
+@@ -569,7 +569,7 @@ static int mode_select_handle_sense(struct scsi_device *sdev, |
479 |
+ /* |
480 |
+ * Command Lock contention |
481 |
+ */ |
482 |
+- err = SCSI_DH_RETRY; |
483 |
++ err = SCSI_DH_IMM_RETRY; |
484 |
+ break; |
485 |
+ default: |
486 |
+ break; |
487 |
+@@ -619,6 +619,8 @@ retry: |
488 |
+ err = mode_select_handle_sense(sdev, h->sense); |
489 |
+ if (err == SCSI_DH_RETRY && retry_cnt--) |
490 |
+ goto retry; |
491 |
++ if (err == SCSI_DH_IMM_RETRY) |
492 |
++ goto retry; |
493 |
+ } |
494 |
+ if (err == SCSI_DH_OK) { |
495 |
+ h->state = RDAC_STATE_ACTIVE; |
496 |
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c |
497 |
+index 3cafe0d784b8..3020f1ff4abb 100644 |
498 |
+--- a/drivers/scsi/hosts.c |
499 |
++++ b/drivers/scsi/hosts.c |
500 |
+@@ -305,6 +305,17 @@ static void scsi_host_dev_release(struct device *dev) |
501 |
+ kfree(queuedata); |
502 |
+ } |
503 |
+ |
504 |
++ if (shost->shost_state == SHOST_CREATED) { |
505 |
++ /* |
506 |
++ * Free the shost_dev device name here if scsi_host_alloc() |
507 |
++ * and scsi_host_put() have been called but neither |
508 |
++ * scsi_host_add() nor scsi_host_remove() has been called. |
509 |
++ * This avoids that the memory allocated for the shost_dev |
510 |
++ * name is leaked. |
511 |
++ */ |
512 |
++ kfree(dev_name(&shost->shost_dev)); |
513 |
++ } |
514 |
++ |
515 |
+ scsi_destroy_command_freelist(shost); |
516 |
+ if (shost->bqt) |
517 |
+ blk_free_tags(shost->bqt); |
518 |
+diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c |
519 |
+index 9e2dd478dd15..135d7b56fbe6 100644 |
520 |
+--- a/drivers/scsi/scsi_sysfs.c |
521 |
++++ b/drivers/scsi/scsi_sysfs.c |
522 |
+@@ -789,7 +789,7 @@ sdev_store_queue_ramp_up_period(struct device *dev, |
523 |
+ return -EINVAL; |
524 |
+ |
525 |
+ sdev->queue_ramp_up_period = msecs_to_jiffies(period); |
526 |
+- return period; |
527 |
++ return count; |
528 |
+ } |
529 |
+ |
530 |
+ static struct device_attribute sdev_attr_queue_ramp_up_period = |
531 |
+@@ -1030,31 +1030,25 @@ static void __scsi_remove_target(struct scsi_target *starget) |
532 |
+ void scsi_remove_target(struct device *dev) |
533 |
+ { |
534 |
+ struct Scsi_Host *shost = dev_to_shost(dev->parent); |
535 |
+- struct scsi_target *starget, *last = NULL; |
536 |
++ struct scsi_target *starget, *last_target = NULL; |
537 |
+ unsigned long flags; |
538 |
+ |
539 |
+- /* remove targets being careful to lookup next entry before |
540 |
+- * deleting the last |
541 |
+- */ |
542 |
++restart: |
543 |
+ spin_lock_irqsave(shost->host_lock, flags); |
544 |
+ list_for_each_entry(starget, &shost->__targets, siblings) { |
545 |
+- if (starget->state == STARGET_DEL) |
546 |
++ if (starget->state == STARGET_DEL || |
547 |
++ starget == last_target) |
548 |
+ continue; |
549 |
+ if (starget->dev.parent == dev || &starget->dev == dev) { |
550 |
+- /* assuming new targets arrive at the end */ |
551 |
+ kref_get(&starget->reap_ref); |
552 |
++ last_target = starget; |
553 |
+ spin_unlock_irqrestore(shost->host_lock, flags); |
554 |
+- if (last) |
555 |
+- scsi_target_reap(last); |
556 |
+- last = starget; |
557 |
+ __scsi_remove_target(starget); |
558 |
+- spin_lock_irqsave(shost->host_lock, flags); |
559 |
++ scsi_target_reap(starget); |
560 |
++ goto restart; |
561 |
+ } |
562 |
+ } |
563 |
+ spin_unlock_irqrestore(shost->host_lock, flags); |
564 |
+- |
565 |
+- if (last) |
566 |
+- scsi_target_reap(last); |
567 |
+ } |
568 |
+ EXPORT_SYMBOL(scsi_remove_target); |
569 |
+ |
570 |
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c |
571 |
+index 26b543bc4f53..4afce0e838a2 100644 |
572 |
+--- a/drivers/scsi/sd.c |
573 |
++++ b/drivers/scsi/sd.c |
574 |
+@@ -3090,8 +3090,8 @@ static int sd_suspend(struct device *dev) |
575 |
+ struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); |
576 |
+ int ret = 0; |
577 |
+ |
578 |
+- if (!sdkp) |
579 |
+- return 0; /* this can happen */ |
580 |
++ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ |
581 |
++ return 0; |
582 |
+ |
583 |
+ if (sdkp->WCE) { |
584 |
+ sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); |
585 |
+@@ -3115,6 +3115,9 @@ static int sd_resume(struct device *dev) |
586 |
+ struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); |
587 |
+ int ret = 0; |
588 |
+ |
589 |
++ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ |
590 |
++ return 0; |
591 |
++ |
592 |
+ if (!sdkp->device->manage_start_stop) |
593 |
+ goto done; |
594 |
+ |
595 |
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c |
596 |
+index 721d839d6c54..0be16bf5f0cd 100644 |
597 |
+--- a/drivers/scsi/sg.c |
598 |
++++ b/drivers/scsi/sg.c |
599 |
+@@ -1258,7 +1258,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma) |
600 |
+ } |
601 |
+ |
602 |
+ sfp->mmap_called = 1; |
603 |
+- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; |
604 |
++ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP; |
605 |
+ vma->vm_private_data = sfp; |
606 |
+ vma->vm_ops = &sg_mmap_vm_ops; |
607 |
+ return 0; |
608 |
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c |
609 |
+index 119d67f9c47e..1ac9943cbb93 100644 |
610 |
+--- a/drivers/scsi/sr.c |
611 |
++++ b/drivers/scsi/sr.c |
612 |
+@@ -142,6 +142,9 @@ static int sr_runtime_suspend(struct device *dev) |
613 |
+ { |
614 |
+ struct scsi_cd *cd = dev_get_drvdata(dev); |
615 |
+ |
616 |
++ if (!cd) /* E.g.: runtime suspend following sr_remove() */ |
617 |
++ return 0; |
618 |
++ |
619 |
+ if (cd->media_present) |
620 |
+ return -EBUSY; |
621 |
+ else |
622 |
+@@ -1006,6 +1009,7 @@ static int sr_remove(struct device *dev) |
623 |
+ |
624 |
+ blk_queue_prep_rq(cd->device->request_queue, scsi_prep_fn); |
625 |
+ del_gendisk(cd->disk); |
626 |
++ dev_set_drvdata(dev, NULL); |
627 |
+ |
628 |
+ mutex_lock(&sr_ref_mutex); |
629 |
+ kref_put(&cd->kref, sr_kref_release); |
630 |
+diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c |
631 |
+index 2f2f7fdd0691..9cbe2dd70499 100644 |
632 |
+--- a/drivers/staging/iio/adc/lpc32xx_adc.c |
633 |
++++ b/drivers/staging/iio/adc/lpc32xx_adc.c |
634 |
+@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, |
635 |
+ |
636 |
+ if (mask == IIO_CHAN_INFO_RAW) { |
637 |
+ mutex_lock(&indio_dev->mlock); |
638 |
+- clk_enable(info->clk); |
639 |
++ clk_prepare_enable(info->clk); |
640 |
+ /* Measurement setup */ |
641 |
+ __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm, |
642 |
+ LPC32XX_ADC_SELECT(info->adc_base)); |
643 |
+@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, |
644 |
+ __raw_writel(AD_PDN_CTRL | AD_STROBE, |
645 |
+ LPC32XX_ADC_CTRL(info->adc_base)); |
646 |
+ wait_for_completion(&info->completion); /* set by ISR */ |
647 |
+- clk_disable(info->clk); |
648 |
++ clk_disable_unprepare(info->clk); |
649 |
+ *val = info->value; |
650 |
+ mutex_unlock(&indio_dev->mlock); |
651 |
+ |
652 |
+diff --git a/drivers/staging/speakup/selection.c b/drivers/staging/speakup/selection.c |
653 |
+index b9359753784e..364978e63d8d 100644 |
654 |
+--- a/drivers/staging/speakup/selection.c |
655 |
++++ b/drivers/staging/speakup/selection.c |
656 |
+@@ -139,7 +139,9 @@ static void __speakup_paste_selection(struct work_struct *work) |
657 |
+ struct tty_ldisc *ld; |
658 |
+ DECLARE_WAITQUEUE(wait, current); |
659 |
+ |
660 |
+- ld = tty_ldisc_ref_wait(tty); |
661 |
++ ld = tty_ldisc_ref(tty); |
662 |
++ if (!ld) |
663 |
++ goto tty_unref; |
664 |
+ |
665 |
+ /* FIXME: this is completely unsafe */ |
666 |
+ add_wait_queue(&vc->paste_wait, &wait); |
667 |
+@@ -158,6 +160,7 @@ static void __speakup_paste_selection(struct work_struct *work) |
668 |
+ current->state = TASK_RUNNING; |
669 |
+ |
670 |
+ tty_ldisc_deref(ld); |
671 |
++tty_unref: |
672 |
+ tty_kref_put(tty); |
673 |
+ } |
674 |
+ |
675 |
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c |
676 |
+index 06cd916f91fe..d74da9598d58 100644 |
677 |
+--- a/drivers/target/iscsi/iscsi_target.c |
678 |
++++ b/drivers/target/iscsi/iscsi_target.c |
679 |
+@@ -3960,6 +3960,17 @@ reject: |
680 |
+ return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); |
681 |
+ } |
682 |
+ |
683 |
++static bool iscsi_target_check_conn_state(struct iscsi_conn *conn) |
684 |
++{ |
685 |
++ bool ret; |
686 |
++ |
687 |
++ spin_lock_bh(&conn->state_lock); |
688 |
++ ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN); |
689 |
++ spin_unlock_bh(&conn->state_lock); |
690 |
++ |
691 |
++ return ret; |
692 |
++} |
693 |
++ |
694 |
+ int iscsi_target_rx_thread(void *arg) |
695 |
+ { |
696 |
+ int ret, rc; |
697 |
+@@ -3977,7 +3988,7 @@ int iscsi_target_rx_thread(void *arg) |
698 |
+ * incoming iscsi/tcp socket I/O, and/or failing the connection. |
699 |
+ */ |
700 |
+ rc = wait_for_completion_interruptible(&conn->rx_login_comp); |
701 |
+- if (rc < 0) |
702 |
++ if (rc < 0 || iscsi_target_check_conn_state(conn)) |
703 |
+ return 0; |
704 |
+ |
705 |
+ if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { |
706 |
+diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c |
707 |
+index c45b3365d63d..200d779d0c03 100644 |
708 |
+--- a/drivers/target/iscsi/iscsi_target_configfs.c |
709 |
++++ b/drivers/target/iscsi/iscsi_target_configfs.c |
710 |
+@@ -1730,7 +1730,8 @@ static void lio_tpg_release_fabric_acl( |
711 |
+ } |
712 |
+ |
713 |
+ /* |
714 |
+- * Called with spin_lock_bh(struct se_portal_group->session_lock) held.. |
715 |
++ * Called with spin_lock_irq(struct se_portal_group->session_lock) held |
716 |
++ * or not held. |
717 |
+ * |
718 |
+ * Also, this function calls iscsit_inc_session_usage_count() on the |
719 |
+ * struct iscsi_session in question. |
720 |
+@@ -1738,19 +1739,32 @@ static void lio_tpg_release_fabric_acl( |
721 |
+ static int lio_tpg_shutdown_session(struct se_session *se_sess) |
722 |
+ { |
723 |
+ struct iscsi_session *sess = se_sess->fabric_sess_ptr; |
724 |
++ struct se_portal_group *se_tpg = se_sess->se_tpg; |
725 |
++ bool local_lock = false; |
726 |
++ |
727 |
++ if (!spin_is_locked(&se_tpg->session_lock)) { |
728 |
++ spin_lock_irq(&se_tpg->session_lock); |
729 |
++ local_lock = true; |
730 |
++ } |
731 |
+ |
732 |
+ spin_lock(&sess->conn_lock); |
733 |
+ if (atomic_read(&sess->session_fall_back_to_erl0) || |
734 |
+ atomic_read(&sess->session_logout) || |
735 |
+ (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) { |
736 |
+ spin_unlock(&sess->conn_lock); |
737 |
++ if (local_lock) |
738 |
++ spin_unlock_irq(&sess->conn_lock); |
739 |
+ return 0; |
740 |
+ } |
741 |
+ atomic_set(&sess->session_reinstatement, 1); |
742 |
+ spin_unlock(&sess->conn_lock); |
743 |
+ |
744 |
+ iscsit_stop_time2retain_timer(sess); |
745 |
++ spin_unlock_irq(&se_tpg->session_lock); |
746 |
++ |
747 |
+ iscsit_stop_session(sess, 1, 1); |
748 |
++ if (!local_lock) |
749 |
++ spin_lock_irq(&se_tpg->session_lock); |
750 |
+ |
751 |
+ return 1; |
752 |
+ } |
753 |
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c |
754 |
+index 77c276acccb6..2a61a01142e9 100644 |
755 |
+--- a/drivers/target/iscsi/iscsi_target_nego.c |
756 |
++++ b/drivers/target/iscsi/iscsi_target_nego.c |
757 |
+@@ -384,6 +384,7 @@ err: |
758 |
+ if (login->login_complete) { |
759 |
+ if (conn->rx_thread && conn->rx_thread_active) { |
760 |
+ send_sig(SIGINT, conn->rx_thread, 1); |
761 |
++ complete(&conn->rx_login_comp); |
762 |
+ kthread_stop(conn->rx_thread); |
763 |
+ } |
764 |
+ if (conn->tx_thread && conn->tx_thread_active) { |
765 |
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c |
766 |
+index 7cb36813aac2..deee2b81afff 100644 |
767 |
+--- a/drivers/tty/pty.c |
768 |
++++ b/drivers/tty/pty.c |
769 |
+@@ -623,7 +623,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty) |
770 |
+ /* this is called once with whichever end is closed last */ |
771 |
+ static void pty_unix98_shutdown(struct tty_struct *tty) |
772 |
+ { |
773 |
+- devpts_kill_index(tty->driver_data, tty->index); |
774 |
++ struct inode *ptmx_inode; |
775 |
++ |
776 |
++ if (tty->driver->subtype == PTY_TYPE_MASTER) |
777 |
++ ptmx_inode = tty->driver_data; |
778 |
++ else |
779 |
++ ptmx_inode = tty->link->driver_data; |
780 |
++ devpts_kill_index(ptmx_inode, tty->index); |
781 |
++ devpts_del_ref(ptmx_inode); |
782 |
+ } |
783 |
+ |
784 |
+ static const struct tty_operations ptm_unix98_ops = { |
785 |
+@@ -714,6 +721,18 @@ static int ptmx_open(struct inode *inode, struct file *filp) |
786 |
+ set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */ |
787 |
+ tty->driver_data = inode; |
788 |
+ |
789 |
++ /* |
790 |
++ * In the case where all references to ptmx inode are dropped and we |
791 |
++ * still have /dev/tty opened pointing to the master/slave pair (ptmx |
792 |
++ * is closed/released before /dev/tty), we must make sure that the inode |
793 |
++ * is still valid when we call the final pty_unix98_shutdown, thus we |
794 |
++ * hold an additional reference to the ptmx inode. For the same /dev/tty |
795 |
++ * last close case, we also need to make sure the super_block isn't |
796 |
++ * destroyed (devpts instance unmounted), before /dev/tty is closed and |
797 |
++ * on its release devpts_kill_index is called. |
798 |
++ */ |
799 |
++ devpts_add_ref(inode); |
800 |
++ |
801 |
+ tty_add_file(tty, filp); |
802 |
+ |
803 |
+ slave_inode = devpts_pty_new(inode, |
804 |
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c |
805 |
+index 9dd6fa3a1260..507677b9bdc7 100644 |
806 |
+--- a/drivers/usb/host/xhci.c |
807 |
++++ b/drivers/usb/host/xhci.c |
808 |
+@@ -1502,7 +1502,9 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) |
809 |
+ if (temp == 0xffffffff || (xhci->xhc_state & XHCI_STATE_HALTED)) { |
810 |
+ xhci_dbg(xhci, "HW died, freeing TD.\n"); |
811 |
+ urb_priv = urb->hcpriv; |
812 |
+- for (i = urb_priv->td_cnt; i < urb_priv->length; i++) { |
813 |
++ for (i = urb_priv->td_cnt; |
814 |
++ i < urb_priv->length && xhci->devs[urb->dev->slot_id]; |
815 |
++ i++) { |
816 |
+ td = urb_priv->td[i]; |
817 |
+ if (!list_empty(&td->td_list)) |
818 |
+ list_del_init(&td->td_list); |
819 |
+diff --git a/fs/aio.c b/fs/aio.c |
820 |
+index ded94c4fa30d..9798d4edfd8f 100644 |
821 |
+--- a/fs/aio.c |
822 |
++++ b/fs/aio.c |
823 |
+@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) |
824 |
+ |
825 |
+ static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb) |
826 |
+ { |
827 |
+- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes))) |
828 |
+- return -EFAULT; |
829 |
++ size_t len = kiocb->ki_nbytes; |
830 |
++ |
831 |
++ if (len > MAX_RW_COUNT) |
832 |
++ len = MAX_RW_COUNT; |
833 |
++ |
834 |
++ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len))) |
835 |
++ return -EFAULT; |
836 |
+ |
837 |
+ kiocb->ki_iovec = &kiocb->ki_inline_vec; |
838 |
+ kiocb->ki_iovec->iov_base = kiocb->ki_buf; |
839 |
+- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes; |
840 |
++ kiocb->ki_iovec->iov_len = len; |
841 |
+ kiocb->ki_nr_segs = 1; |
842 |
+ return 0; |
843 |
+ } |
844 |
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c |
845 |
+index d85f90c92bb4..bca854b44056 100644 |
846 |
+--- a/fs/btrfs/backref.c |
847 |
++++ b/fs/btrfs/backref.c |
848 |
+@@ -1228,7 +1228,8 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, |
849 |
+ read_extent_buffer(eb, dest + bytes_left, |
850 |
+ name_off, name_len); |
851 |
+ if (eb != eb_in) { |
852 |
+- btrfs_tree_read_unlock_blocking(eb); |
853 |
++ if (!path->skip_locking) |
854 |
++ btrfs_tree_read_unlock_blocking(eb); |
855 |
+ free_extent_buffer(eb); |
856 |
+ } |
857 |
+ ret = inode_ref_info(parent, 0, fs_root, path, &found_key); |
858 |
+@@ -1247,9 +1248,10 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, |
859 |
+ eb = path->nodes[0]; |
860 |
+ /* make sure we can use eb after releasing the path */ |
861 |
+ if (eb != eb_in) { |
862 |
+- atomic_inc(&eb->refs); |
863 |
+- btrfs_tree_read_lock(eb); |
864 |
+- btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); |
865 |
++ if (!path->skip_locking) |
866 |
++ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); |
867 |
++ path->nodes[0] = NULL; |
868 |
++ path->locks[0] = 0; |
869 |
+ } |
870 |
+ btrfs_release_path(path); |
871 |
+ iref = btrfs_item_ptr(eb, slot, struct btrfs_inode_ref); |
872 |
+diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c |
873 |
+index 5c807b23ca67..182e82f22b3a 100644 |
874 |
+--- a/fs/cifs/cifsencrypt.c |
875 |
++++ b/fs/cifs/cifsencrypt.c |
876 |
+@@ -591,7 +591,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) |
877 |
+ |
878 |
+ ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL); |
879 |
+ if (!ses->auth_key.response) { |
880 |
+- rc = ENOMEM; |
881 |
++ rc = -ENOMEM; |
882 |
+ ses->auth_key.len = 0; |
883 |
+ goto setup_ntlmv2_rsp_ret; |
884 |
+ } |
885 |
+diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c |
886 |
+index a726b9f29cb7..61af24e379ad 100644 |
887 |
+--- a/fs/devpts/inode.c |
888 |
++++ b/fs/devpts/inode.c |
889 |
+@@ -564,6 +564,26 @@ void devpts_kill_index(struct inode *ptmx_inode, int idx) |
890 |
+ mutex_unlock(&allocated_ptys_lock); |
891 |
+ } |
892 |
+ |
893 |
++/* |
894 |
++ * pty code needs to hold extra references in case of last /dev/tty close |
895 |
++ */ |
896 |
++ |
897 |
++void devpts_add_ref(struct inode *ptmx_inode) |
898 |
++{ |
899 |
++ struct super_block *sb = pts_sb_from_inode(ptmx_inode); |
900 |
++ |
901 |
++ atomic_inc(&sb->s_active); |
902 |
++ ihold(ptmx_inode); |
903 |
++} |
904 |
++ |
905 |
++void devpts_del_ref(struct inode *ptmx_inode) |
906 |
++{ |
907 |
++ struct super_block *sb = pts_sb_from_inode(ptmx_inode); |
908 |
++ |
909 |
++ iput(ptmx_inode); |
910 |
++ deactivate_super(sb); |
911 |
++} |
912 |
++ |
913 |
+ /** |
914 |
+ * devpts_pty_new -- create a new inode in /dev/pts/ |
915 |
+ * @ptmx_inode: inode of the master |
916 |
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c |
917 |
+index fa7d2e668c3a..cf0a70486618 100644 |
918 |
+--- a/fs/ext4/resize.c |
919 |
++++ b/fs/ext4/resize.c |
920 |
+@@ -181,7 +181,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) |
921 |
+ if (flex_gd == NULL) |
922 |
+ goto out3; |
923 |
+ |
924 |
+- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) |
925 |
++ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) |
926 |
+ goto out2; |
927 |
+ flex_gd->count = flexbg_size; |
928 |
+ |
929 |
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c |
930 |
+index 4fafb8484bbc..35f604b5f408 100644 |
931 |
+--- a/fs/fuse/file.c |
932 |
++++ b/fs/fuse/file.c |
933 |
+@@ -993,6 +993,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, |
934 |
+ |
935 |
+ mark_page_accessed(page); |
936 |
+ |
937 |
++ iov_iter_advance(ii, tmp); |
938 |
+ if (!tmp) { |
939 |
+ unlock_page(page); |
940 |
+ page_cache_release(page); |
941 |
+@@ -1005,7 +1006,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, |
942 |
+ req->page_descs[req->num_pages].length = tmp; |
943 |
+ req->num_pages++; |
944 |
+ |
945 |
+- iov_iter_advance(ii, tmp); |
946 |
+ count += tmp; |
947 |
+ pos += tmp; |
948 |
+ offset += tmp; |
949 |
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c |
950 |
+index 78679b489484..d8ac734a1e44 100644 |
951 |
+--- a/fs/nfs/nfs4proc.c |
952 |
++++ b/fs/nfs/nfs4proc.c |
953 |
+@@ -1005,6 +1005,7 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s |
954 |
+ * Protect the call to nfs4_state_set_mode_locked and |
955 |
+ * serialise the stateid update |
956 |
+ */ |
957 |
++ spin_lock(&state->owner->so_lock); |
958 |
+ write_seqlock(&state->seqlock); |
959 |
+ if (deleg_stateid != NULL) { |
960 |
+ nfs4_stateid_copy(&state->stateid, deleg_stateid); |
961 |
+@@ -1013,7 +1014,6 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s |
962 |
+ if (open_stateid != NULL) |
963 |
+ nfs_set_open_stateid_locked(state, open_stateid, fmode); |
964 |
+ write_sequnlock(&state->seqlock); |
965 |
+- spin_lock(&state->owner->so_lock); |
966 |
+ update_open_stateflags(state, fmode); |
967 |
+ spin_unlock(&state->owner->so_lock); |
968 |
+ } |
969 |
+diff --git a/fs/proc/array.c b/fs/proc/array.c |
970 |
+index 09f0d9c374a3..5c45eb5e4e0d 100644 |
971 |
+--- a/fs/proc/array.c |
972 |
++++ b/fs/proc/array.c |
973 |
+@@ -398,7 +398,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, |
974 |
+ |
975 |
+ state = *get_task_state(task); |
976 |
+ vsize = eip = esp = 0; |
977 |
+- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); |
978 |
++ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); |
979 |
+ mm = get_task_mm(task); |
980 |
+ if (mm) { |
981 |
+ vsize = task_vsize(mm); |
982 |
+diff --git a/fs/proc/base.c b/fs/proc/base.c |
983 |
+index 8fc784aef0b8..7b5d453ebf53 100644 |
984 |
+--- a/fs/proc/base.c |
985 |
++++ b/fs/proc/base.c |
986 |
+@@ -239,7 +239,7 @@ out: |
987 |
+ |
988 |
+ static int proc_pid_auxv(struct task_struct *task, char *buffer) |
989 |
+ { |
990 |
+- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); |
991 |
++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); |
992 |
+ int res = PTR_ERR(mm); |
993 |
+ if (mm && !IS_ERR(mm)) { |
994 |
+ unsigned int nwords = 0; |
995 |
+@@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) |
996 |
+ wchan = get_wchan(task); |
997 |
+ |
998 |
+ if (lookup_symbol_name(wchan, symname) < 0) |
999 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1000 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) |
1001 |
+ return 0; |
1002 |
+ else |
1003 |
+ return sprintf(buffer, "%lu", wchan); |
1004 |
+@@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task) |
1005 |
+ int err = mutex_lock_killable(&task->signal->cred_guard_mutex); |
1006 |
+ if (err) |
1007 |
+ return err; |
1008 |
+- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { |
1009 |
++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { |
1010 |
+ mutex_unlock(&task->signal->cred_guard_mutex); |
1011 |
+ return -EPERM; |
1012 |
+ } |
1013 |
+@@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode) |
1014 |
+ */ |
1015 |
+ task = get_proc_task(inode); |
1016 |
+ if (task) { |
1017 |
+- allowed = ptrace_may_access(task, PTRACE_MODE_READ); |
1018 |
++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); |
1019 |
+ put_task_struct(task); |
1020 |
+ } |
1021 |
+ return allowed; |
1022 |
+@@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid, |
1023 |
+ return true; |
1024 |
+ if (in_group_p(pid->pid_gid)) |
1025 |
+ return true; |
1026 |
+- return ptrace_may_access(task, PTRACE_MODE_READ); |
1027 |
++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); |
1028 |
+ } |
1029 |
+ |
1030 |
+ |
1031 |
+@@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) |
1032 |
+ if (!task) |
1033 |
+ return -ESRCH; |
1034 |
+ |
1035 |
+- mm = mm_access(task, mode); |
1036 |
++ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS); |
1037 |
+ put_task_struct(task); |
1038 |
+ |
1039 |
+ if (IS_ERR(mm)) |
1040 |
+@@ -1761,7 +1761,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) |
1041 |
+ if (!task) |
1042 |
+ goto out_notask; |
1043 |
+ |
1044 |
+- mm = mm_access(task, PTRACE_MODE_READ); |
1045 |
++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); |
1046 |
+ if (IS_ERR_OR_NULL(mm)) |
1047 |
+ goto out; |
1048 |
+ |
1049 |
+@@ -1896,7 +1896,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, |
1050 |
+ goto out; |
1051 |
+ |
1052 |
+ result = ERR_PTR(-EACCES); |
1053 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1054 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) |
1055 |
+ goto out_put_task; |
1056 |
+ |
1057 |
+ result = ERR_PTR(-ENOENT); |
1058 |
+@@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *filp, void *dirent, filldir_t filldir) |
1059 |
+ goto out; |
1060 |
+ |
1061 |
+ ret = -EACCES; |
1062 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1063 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) |
1064 |
+ goto out_put_task; |
1065 |
+ |
1066 |
+ ret = 0; |
1067 |
+@@ -2488,7 +2488,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) |
1068 |
+ if (result) |
1069 |
+ return result; |
1070 |
+ |
1071 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) { |
1072 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { |
1073 |
+ result = -EACCES; |
1074 |
+ goto out_unlock; |
1075 |
+ } |
1076 |
+diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c |
1077 |
+index 54bdc6701e9f..ac49a8d4aaf8 100644 |
1078 |
+--- a/fs/proc/namespaces.c |
1079 |
++++ b/fs/proc/namespaces.c |
1080 |
+@@ -125,7 +125,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd) |
1081 |
+ if (!task) |
1082 |
+ goto out; |
1083 |
+ |
1084 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1085 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) |
1086 |
+ goto out_put_task; |
1087 |
+ |
1088 |
+ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops); |
1089 |
+@@ -158,7 +158,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl |
1090 |
+ if (!task) |
1091 |
+ goto out; |
1092 |
+ |
1093 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1094 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) |
1095 |
+ goto out_put_task; |
1096 |
+ |
1097 |
+ len = -ENOENT; |
1098 |
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c |
1099 |
+index 789814f27438..5c1120a5fa42 100644 |
1100 |
+--- a/fs/udf/inode.c |
1101 |
++++ b/fs/udf/inode.c |
1102 |
+@@ -2055,14 +2055,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos, |
1103 |
+ epos->offset += adsize; |
1104 |
+ } |
1105 |
+ |
1106 |
++/* |
1107 |
++ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case |
1108 |
++ * someone does some weird stuff. |
1109 |
++ */ |
1110 |
++#define UDF_MAX_INDIR_EXTS 16 |
1111 |
++ |
1112 |
+ int8_t udf_next_aext(struct inode *inode, struct extent_position *epos, |
1113 |
+ struct kernel_lb_addr *eloc, uint32_t *elen, int inc) |
1114 |
+ { |
1115 |
+ int8_t etype; |
1116 |
++ unsigned int indirections = 0; |
1117 |
+ |
1118 |
+ while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) == |
1119 |
+ (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) { |
1120 |
+ int block; |
1121 |
++ |
1122 |
++ if (++indirections > UDF_MAX_INDIR_EXTS) { |
1123 |
++ udf_err(inode->i_sb, |
1124 |
++ "too many indirect extents in inode %lu\n", |
1125 |
++ inode->i_ino); |
1126 |
++ return -1; |
1127 |
++ } |
1128 |
++ |
1129 |
+ epos->block = *eloc; |
1130 |
+ epos->offset = sizeof(struct allocExtDesc); |
1131 |
+ brelse(epos->bh); |
1132 |
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c |
1133 |
+index 44b815e57f94..685fbd8a2937 100644 |
1134 |
+--- a/fs/udf/unicode.c |
1135 |
++++ b/fs/udf/unicode.c |
1136 |
+@@ -132,11 +132,15 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) |
1137 |
+ if (c < 0x80U) |
1138 |
+ utf_o->u_name[utf_o->u_len++] = (uint8_t)c; |
1139 |
+ else if (c < 0x800U) { |
1140 |
++ if (utf_o->u_len > (UDF_NAME_LEN - 4)) |
1141 |
++ break; |
1142 |
+ utf_o->u_name[utf_o->u_len++] = |
1143 |
+ (uint8_t)(0xc0 | (c >> 6)); |
1144 |
+ utf_o->u_name[utf_o->u_len++] = |
1145 |
+ (uint8_t)(0x80 | (c & 0x3f)); |
1146 |
+ } else { |
1147 |
++ if (utf_o->u_len > (UDF_NAME_LEN - 5)) |
1148 |
++ break; |
1149 |
+ utf_o->u_name[utf_o->u_len++] = |
1150 |
+ (uint8_t)(0xe0 | (c >> 12)); |
1151 |
+ utf_o->u_name[utf_o->u_len++] = |
1152 |
+@@ -177,17 +181,22 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) |
1153 |
+ static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length) |
1154 |
+ { |
1155 |
+ unsigned c, i, max_val, utf_char; |
1156 |
+- int utf_cnt, u_len; |
1157 |
++ int utf_cnt, u_len, u_ch; |
1158 |
+ |
1159 |
+ memset(ocu, 0, sizeof(dstring) * length); |
1160 |
+ ocu[0] = 8; |
1161 |
+ max_val = 0xffU; |
1162 |
++ u_ch = 1; |
1163 |
+ |
1164 |
+ try_again: |
1165 |
+ u_len = 0U; |
1166 |
+ utf_char = 0U; |
1167 |
+ utf_cnt = 0U; |
1168 |
+ for (i = 0U; i < utf->u_len; i++) { |
1169 |
++ /* Name didn't fit? */ |
1170 |
++ if (u_len + 1 + u_ch >= length) |
1171 |
++ return 0; |
1172 |
++ |
1173 |
+ c = (uint8_t)utf->u_name[i]; |
1174 |
+ |
1175 |
+ /* Complete a multi-byte UTF-8 character */ |
1176 |
+@@ -229,6 +238,7 @@ try_again: |
1177 |
+ if (max_val == 0xffU) { |
1178 |
+ max_val = 0xffffU; |
1179 |
+ ocu[0] = (uint8_t)0x10U; |
1180 |
++ u_ch = 2; |
1181 |
+ goto try_again; |
1182 |
+ } |
1183 |
+ goto error_out; |
1184 |
+@@ -281,7 +291,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, |
1185 |
+ c = (c << 8) | ocu[i++]; |
1186 |
+ |
1187 |
+ len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len], |
1188 |
+- UDF_NAME_LEN - utf_o->u_len); |
1189 |
++ UDF_NAME_LEN - 2 - utf_o->u_len); |
1190 |
+ /* Valid character? */ |
1191 |
+ if (len >= 0) |
1192 |
+ utf_o->u_len += len; |
1193 |
+@@ -299,15 +309,19 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, |
1194 |
+ int len; |
1195 |
+ unsigned i, max_val; |
1196 |
+ uint16_t uni_char; |
1197 |
+- int u_len; |
1198 |
++ int u_len, u_ch; |
1199 |
+ |
1200 |
+ memset(ocu, 0, sizeof(dstring) * length); |
1201 |
+ ocu[0] = 8; |
1202 |
+ max_val = 0xffU; |
1203 |
++ u_ch = 1; |
1204 |
+ |
1205 |
+ try_again: |
1206 |
+ u_len = 0U; |
1207 |
+ for (i = 0U; i < uni->u_len; i++) { |
1208 |
++ /* Name didn't fit? */ |
1209 |
++ if (u_len + 1 + u_ch >= length) |
1210 |
++ return 0; |
1211 |
+ len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); |
1212 |
+ if (!len) |
1213 |
+ continue; |
1214 |
+@@ -320,6 +334,7 @@ try_again: |
1215 |
+ if (uni_char > max_val) { |
1216 |
+ max_val = 0xffffU; |
1217 |
+ ocu[0] = (uint8_t)0x10U; |
1218 |
++ u_ch = 2; |
1219 |
+ goto try_again; |
1220 |
+ } |
1221 |
+ |
1222 |
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h |
1223 |
+index a2329c5e6206..a2ce6f8871c4 100644 |
1224 |
+--- a/include/linux/compiler.h |
1225 |
++++ b/include/linux/compiler.h |
1226 |
+@@ -131,7 +131,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); |
1227 |
+ */ |
1228 |
+ #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) ) |
1229 |
+ #define __trace_if(cond) \ |
1230 |
+- if (__builtin_constant_p((cond)) ? !!(cond) : \ |
1231 |
++ if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ |
1232 |
+ ({ \ |
1233 |
+ int ______r; \ |
1234 |
+ static struct ftrace_branch_data \ |
1235 |
+diff --git a/include/linux/devpts_fs.h b/include/linux/devpts_fs.h |
1236 |
+index 251a2090a554..e0ee0b3000b2 100644 |
1237 |
+--- a/include/linux/devpts_fs.h |
1238 |
++++ b/include/linux/devpts_fs.h |
1239 |
+@@ -19,6 +19,8 @@ |
1240 |
+ |
1241 |
+ int devpts_new_index(struct inode *ptmx_inode); |
1242 |
+ void devpts_kill_index(struct inode *ptmx_inode, int idx); |
1243 |
++void devpts_add_ref(struct inode *ptmx_inode); |
1244 |
++void devpts_del_ref(struct inode *ptmx_inode); |
1245 |
+ /* mknod in devpts */ |
1246 |
+ struct inode *devpts_pty_new(struct inode *ptmx_inode, dev_t device, int index, |
1247 |
+ void *priv); |
1248 |
+@@ -32,6 +34,8 @@ void devpts_pty_kill(struct inode *inode); |
1249 |
+ /* Dummy stubs in the no-pty case */ |
1250 |
+ static inline int devpts_new_index(struct inode *ptmx_inode) { return -EINVAL; } |
1251 |
+ static inline void devpts_kill_index(struct inode *ptmx_inode, int idx) { } |
1252 |
++static inline void devpts_add_ref(struct inode *ptmx_inode) { } |
1253 |
++static inline void devpts_del_ref(struct inode *ptmx_inode) { } |
1254 |
+ static inline struct inode *devpts_pty_new(struct inode *ptmx_inode, |
1255 |
+ dev_t device, int index, void *priv) |
1256 |
+ { |
1257 |
+diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h |
1258 |
+index bb980ae6d9d3..6af8988f5ddd 100644 |
1259 |
+--- a/include/linux/ptrace.h |
1260 |
++++ b/include/linux/ptrace.h |
1261 |
+@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer); |
1262 |
+ #define PTRACE_MODE_READ 0x01 |
1263 |
+ #define PTRACE_MODE_ATTACH 0x02 |
1264 |
+ #define PTRACE_MODE_NOAUDIT 0x04 |
1265 |
+-/* Returns true on success, false on denial. */ |
1266 |
++#define PTRACE_MODE_FSCREDS 0x08 |
1267 |
++#define PTRACE_MODE_REALCREDS 0x10 |
1268 |
++ |
1269 |
++/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ |
1270 |
++#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) |
1271 |
++#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) |
1272 |
++#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) |
1273 |
++#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) |
1274 |
++ |
1275 |
++/** |
1276 |
++ * ptrace_may_access - check whether the caller is permitted to access |
1277 |
++ * a target task. |
1278 |
++ * @task: target task |
1279 |
++ * @mode: selects type of access and caller credentials |
1280 |
++ * |
1281 |
++ * Returns true on success, false on denial. |
1282 |
++ * |
1283 |
++ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must |
1284 |
++ * be set in @mode to specify whether the access was requested through |
1285 |
++ * a filesystem syscall (should use effective capabilities and fsuid |
1286 |
++ * of the caller) or through an explicit syscall such as |
1287 |
++ * process_vm_writev or ptrace (and should use the real credentials). |
1288 |
++ */ |
1289 |
+ extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); |
1290 |
+ |
1291 |
+ static inline int ptrace_reparented(struct task_struct *child) |
1292 |
+diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h |
1293 |
+index ffc444c38b0a..e02e09f85fad 100644 |
1294 |
+--- a/include/linux/radix-tree.h |
1295 |
++++ b/include/linux/radix-tree.h |
1296 |
+@@ -322,12 +322,28 @@ void **radix_tree_next_chunk(struct radix_tree_root *root, |
1297 |
+ struct radix_tree_iter *iter, unsigned flags); |
1298 |
+ |
1299 |
+ /** |
1300 |
++ * radix_tree_iter_retry - retry this chunk of the iteration |
1301 |
++ * @iter: iterator state |
1302 |
++ * |
1303 |
++ * If we iterate over a tree protected only by the RCU lock, a race |
1304 |
++ * against deletion or creation may result in seeing a slot for which |
1305 |
++ * radix_tree_deref_retry() returns true. If so, call this function |
1306 |
++ * and continue the iteration. |
1307 |
++ */ |
1308 |
++static inline __must_check |
1309 |
++void **radix_tree_iter_retry(struct radix_tree_iter *iter) |
1310 |
++{ |
1311 |
++ iter->next_index = iter->index; |
1312 |
++ return NULL; |
1313 |
++} |
1314 |
++ |
1315 |
++/** |
1316 |
+ * radix_tree_chunk_size - get current chunk size |
1317 |
+ * |
1318 |
+ * @iter: pointer to radix tree iterator |
1319 |
+ * Returns: current chunk size |
1320 |
+ */ |
1321 |
+-static __always_inline unsigned |
1322 |
++static __always_inline long |
1323 |
+ radix_tree_chunk_size(struct radix_tree_iter *iter) |
1324 |
+ { |
1325 |
+ return iter->next_index - iter->index; |
1326 |
+@@ -361,9 +377,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) |
1327 |
+ return slot + offset + 1; |
1328 |
+ } |
1329 |
+ } else { |
1330 |
+- unsigned size = radix_tree_chunk_size(iter) - 1; |
1331 |
++ long size = radix_tree_chunk_size(iter); |
1332 |
+ |
1333 |
+- while (size--) { |
1334 |
++ while (--size > 0) { |
1335 |
+ slot++; |
1336 |
+ iter->index++; |
1337 |
+ if (likely(*slot)) |
1338 |
+diff --git a/kernel/events/core.c b/kernel/events/core.c |
1339 |
+index d9b0aad17dbf..0f5207839673 100644 |
1340 |
+--- a/kernel/events/core.c |
1341 |
++++ b/kernel/events/core.c |
1342 |
+@@ -2938,7 +2938,7 @@ find_lively_task_by_vpid(pid_t vpid) |
1343 |
+ |
1344 |
+ /* Reuse ptrace permission checks for now. */ |
1345 |
+ err = -EACCES; |
1346 |
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
1347 |
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) |
1348 |
+ goto errout; |
1349 |
+ |
1350 |
+ return task; |
1351 |
+@@ -5639,6 +5639,10 @@ static int perf_tp_filter_match(struct perf_event *event, |
1352 |
+ { |
1353 |
+ void *record = data->raw->data; |
1354 |
+ |
1355 |
++ /* only top level events have filters set */ |
1356 |
++ if (event->parent) |
1357 |
++ event = event->parent; |
1358 |
++ |
1359 |
+ if (likely(!event->filter) || filter_match_preds(event->filter, record)) |
1360 |
+ return 1; |
1361 |
+ return 0; |
1362 |
+diff --git a/kernel/futex.c b/kernel/futex.c |
1363 |
+index 625a4e659e7a..edc4beae4df1 100644 |
1364 |
+--- a/kernel/futex.c |
1365 |
++++ b/kernel/futex.c |
1366 |
+@@ -2494,6 +2494,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, |
1367 |
+ if (q.pi_state && (q.pi_state->owner != current)) { |
1368 |
+ spin_lock(q.lock_ptr); |
1369 |
+ ret = fixup_pi_state_owner(uaddr2, &q, current); |
1370 |
++ /* |
1371 |
++ * Drop the reference to the pi state which |
1372 |
++ * the requeue_pi() code acquired for us. |
1373 |
++ */ |
1374 |
++ free_pi_state(q.pi_state); |
1375 |
+ spin_unlock(q.lock_ptr); |
1376 |
+ } |
1377 |
+ } else { |
1378 |
+@@ -2620,7 +2625,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, |
1379 |
+ } |
1380 |
+ |
1381 |
+ ret = -EPERM; |
1382 |
+- if (!ptrace_may_access(p, PTRACE_MODE_READ)) |
1383 |
++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) |
1384 |
+ goto err_unlock; |
1385 |
+ |
1386 |
+ head = p->robust_list; |
1387 |
+diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c |
1388 |
+index f9f44fd4d34d..3888617a1f9e 100644 |
1389 |
+--- a/kernel/futex_compat.c |
1390 |
++++ b/kernel/futex_compat.c |
1391 |
+@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, |
1392 |
+ } |
1393 |
+ |
1394 |
+ ret = -EPERM; |
1395 |
+- if (!ptrace_may_access(p, PTRACE_MODE_READ)) |
1396 |
++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) |
1397 |
+ goto err_unlock; |
1398 |
+ |
1399 |
+ head = p->compat_robust_list; |
1400 |
+diff --git a/kernel/kcmp.c b/kernel/kcmp.c |
1401 |
+index 0aa69ea1d8fd..3a47fa998fe0 100644 |
1402 |
+--- a/kernel/kcmp.c |
1403 |
++++ b/kernel/kcmp.c |
1404 |
+@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, |
1405 |
+ &task2->signal->cred_guard_mutex); |
1406 |
+ if (ret) |
1407 |
+ goto err; |
1408 |
+- if (!ptrace_may_access(task1, PTRACE_MODE_READ) || |
1409 |
+- !ptrace_may_access(task2, PTRACE_MODE_READ)) { |
1410 |
++ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || |
1411 |
++ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) { |
1412 |
+ ret = -EPERM; |
1413 |
+ goto err_unlock; |
1414 |
+ } |
1415 |
+diff --git a/kernel/module.c b/kernel/module.c |
1416 |
+index fd2afdf48a89..70a4754c001f 100644 |
1417 |
+--- a/kernel/module.c |
1418 |
++++ b/kernel/module.c |
1419 |
+@@ -3398,6 +3398,11 @@ static inline int is_arm_mapping_symbol(const char *str) |
1420 |
+ && (str[2] == '\0' || str[2] == '.'); |
1421 |
+ } |
1422 |
+ |
1423 |
++static const char *symname(struct module *mod, unsigned int symnum) |
1424 |
++{ |
1425 |
++ return mod->strtab + mod->symtab[symnum].st_name; |
1426 |
++} |
1427 |
++ |
1428 |
+ static const char *get_ksymbol(struct module *mod, |
1429 |
+ unsigned long addr, |
1430 |
+ unsigned long *size, |
1431 |
+@@ -3420,15 +3425,15 @@ static const char *get_ksymbol(struct module *mod, |
1432 |
+ |
1433 |
+ /* We ignore unnamed symbols: they're uninformative |
1434 |
+ * and inserted at a whim. */ |
1435 |
++ if (*symname(mod, i) == '\0' |
1436 |
++ || is_arm_mapping_symbol(symname(mod, i))) |
1437 |
++ continue; |
1438 |
++ |
1439 |
+ if (mod->symtab[i].st_value <= addr |
1440 |
+- && mod->symtab[i].st_value > mod->symtab[best].st_value |
1441 |
+- && *(mod->strtab + mod->symtab[i].st_name) != '\0' |
1442 |
+- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) |
1443 |
++ && mod->symtab[i].st_value > mod->symtab[best].st_value) |
1444 |
+ best = i; |
1445 |
+ if (mod->symtab[i].st_value > addr |
1446 |
+- && mod->symtab[i].st_value < nextval |
1447 |
+- && *(mod->strtab + mod->symtab[i].st_name) != '\0' |
1448 |
+- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) |
1449 |
++ && mod->symtab[i].st_value < nextval) |
1450 |
+ nextval = mod->symtab[i].st_value; |
1451 |
+ } |
1452 |
+ |
1453 |
+@@ -3439,7 +3444,7 @@ static const char *get_ksymbol(struct module *mod, |
1454 |
+ *size = nextval - mod->symtab[best].st_value; |
1455 |
+ if (offset) |
1456 |
+ *offset = addr - mod->symtab[best].st_value; |
1457 |
+- return mod->strtab + mod->symtab[best].st_name; |
1458 |
++ return symname(mod, best); |
1459 |
+ } |
1460 |
+ |
1461 |
+ /* For kallsyms to ask for address resolution. NULL means not found. Careful |
1462 |
+@@ -3540,8 +3545,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, |
1463 |
+ if (symnum < mod->num_symtab) { |
1464 |
+ *value = mod->symtab[symnum].st_value; |
1465 |
+ *type = mod->symtab[symnum].st_info; |
1466 |
+- strlcpy(name, mod->strtab + mod->symtab[symnum].st_name, |
1467 |
+- KSYM_NAME_LEN); |
1468 |
++ strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); |
1469 |
+ strlcpy(module_name, mod->name, MODULE_NAME_LEN); |
1470 |
+ *exported = is_exported(name, *value, mod); |
1471 |
+ preempt_enable(); |
1472 |
+@@ -3558,7 +3562,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name) |
1473 |
+ unsigned int i; |
1474 |
+ |
1475 |
+ for (i = 0; i < mod->num_symtab; i++) |
1476 |
+- if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 && |
1477 |
++ if (strcmp(name, symname(mod, i)) == 0 && |
1478 |
+ mod->symtab[i].st_info != 'U') |
1479 |
+ return mod->symtab[i].st_value; |
1480 |
+ return 0; |
1481 |
+@@ -3602,7 +3606,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, |
1482 |
+ if (mod->state == MODULE_STATE_UNFORMED) |
1483 |
+ continue; |
1484 |
+ for (i = 0; i < mod->num_symtab; i++) { |
1485 |
+- ret = fn(data, mod->strtab + mod->symtab[i].st_name, |
1486 |
++ ret = fn(data, symname(mod, i), |
1487 |
+ mod, mod->symtab[i].st_value); |
1488 |
+ if (ret != 0) |
1489 |
+ return ret; |
1490 |
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c |
1491 |
+index 30ab20623bca..72b0b3e0e065 100644 |
1492 |
+--- a/kernel/ptrace.c |
1493 |
++++ b/kernel/ptrace.c |
1494 |
+@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) |
1495 |
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) |
1496 |
+ { |
1497 |
+ const struct cred *cred = current_cred(), *tcred; |
1498 |
++ int dumpable = 0; |
1499 |
++ kuid_t caller_uid; |
1500 |
++ kgid_t caller_gid; |
1501 |
++ |
1502 |
++ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { |
1503 |
++ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); |
1504 |
++ return -EPERM; |
1505 |
++ } |
1506 |
+ |
1507 |
+ /* May we inspect the given task? |
1508 |
+ * This check is used both for attaching with ptrace |
1509 |
+@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) |
1510 |
+ * because setting up the necessary parent/child relationship |
1511 |
+ * or halting the specified task is impossible. |
1512 |
+ */ |
1513 |
+- int dumpable = 0; |
1514 |
++ |
1515 |
+ /* Don't let security modules deny introspection */ |
1516 |
+ if (same_thread_group(task, current)) |
1517 |
+ return 0; |
1518 |
+ rcu_read_lock(); |
1519 |
++ if (mode & PTRACE_MODE_FSCREDS) { |
1520 |
++ caller_uid = cred->fsuid; |
1521 |
++ caller_gid = cred->fsgid; |
1522 |
++ } else { |
1523 |
++ /* |
1524 |
++ * Using the euid would make more sense here, but something |
1525 |
++ * in userland might rely on the old behavior, and this |
1526 |
++ * shouldn't be a security problem since |
1527 |
++ * PTRACE_MODE_REALCREDS implies that the caller explicitly |
1528 |
++ * used a syscall that requests access to another process |
1529 |
++ * (and not a filesystem syscall to procfs). |
1530 |
++ */ |
1531 |
++ caller_uid = cred->uid; |
1532 |
++ caller_gid = cred->gid; |
1533 |
++ } |
1534 |
+ tcred = __task_cred(task); |
1535 |
+- if (uid_eq(cred->uid, tcred->euid) && |
1536 |
+- uid_eq(cred->uid, tcred->suid) && |
1537 |
+- uid_eq(cred->uid, tcred->uid) && |
1538 |
+- gid_eq(cred->gid, tcred->egid) && |
1539 |
+- gid_eq(cred->gid, tcred->sgid) && |
1540 |
+- gid_eq(cred->gid, tcred->gid)) |
1541 |
++ if (uid_eq(caller_uid, tcred->euid) && |
1542 |
++ uid_eq(caller_uid, tcred->suid) && |
1543 |
++ uid_eq(caller_uid, tcred->uid) && |
1544 |
++ gid_eq(caller_gid, tcred->egid) && |
1545 |
++ gid_eq(caller_gid, tcred->sgid) && |
1546 |
++ gid_eq(caller_gid, tcred->gid)) |
1547 |
+ goto ok; |
1548 |
+ if (ptrace_has_cap(tcred->user_ns, mode)) |
1549 |
+ goto ok; |
1550 |
+@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request, |
1551 |
+ goto out; |
1552 |
+ |
1553 |
+ task_lock(task); |
1554 |
+- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH); |
1555 |
++ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); |
1556 |
+ task_unlock(task); |
1557 |
+ if (retval) |
1558 |
+ goto unlock_creds; |
1559 |
+diff --git a/lib/dma-debug.c b/lib/dma-debug.c |
1560 |
+index d87a17a819d0..eb43517bf261 100644 |
1561 |
+--- a/lib/dma-debug.c |
1562 |
++++ b/lib/dma-debug.c |
1563 |
+@@ -962,7 +962,7 @@ static inline bool overlap(void *addr, unsigned long len, void *start, void *end |
1564 |
+ |
1565 |
+ static void check_for_illegal_area(struct device *dev, void *addr, unsigned long len) |
1566 |
+ { |
1567 |
+- if (overlap(addr, len, _text, _etext) || |
1568 |
++ if (overlap(addr, len, _stext, _etext) || |
1569 |
+ overlap(addr, len, __start_rodata, __end_rodata)) |
1570 |
+ err_printk(dev, NULL, "DMA-API: device driver maps memory from kernel text or rodata [addr=%p] [len=%lu]\n", addr, len); |
1571 |
+ } |
1572 |
+diff --git a/lib/klist.c b/lib/klist.c |
1573 |
+index 358a368a2947..2e59aecbec0d 100644 |
1574 |
+--- a/lib/klist.c |
1575 |
++++ b/lib/klist.c |
1576 |
+@@ -282,9 +282,9 @@ void klist_iter_init_node(struct klist *k, struct klist_iter *i, |
1577 |
+ struct klist_node *n) |
1578 |
+ { |
1579 |
+ i->i_klist = k; |
1580 |
+- i->i_cur = n; |
1581 |
+- if (n) |
1582 |
+- kref_get(&n->n_ref); |
1583 |
++ i->i_cur = NULL; |
1584 |
++ if (n && kref_get_unless_zero(&n->n_ref)) |
1585 |
++ i->i_cur = n; |
1586 |
+ } |
1587 |
+ EXPORT_SYMBOL_GPL(klist_iter_init_node); |
1588 |
+ |
1589 |
+diff --git a/lib/radix-tree.c b/lib/radix-tree.c |
1590 |
+index e7964296fd50..936a02c1c77b 100644 |
1591 |
+--- a/lib/radix-tree.c |
1592 |
++++ b/lib/radix-tree.c |
1593 |
+@@ -1015,9 +1015,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results, |
1594 |
+ return 0; |
1595 |
+ |
1596 |
+ radix_tree_for_each_slot(slot, root, &iter, first_index) { |
1597 |
+- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); |
1598 |
++ results[ret] = rcu_dereference_raw(*slot); |
1599 |
+ if (!results[ret]) |
1600 |
+ continue; |
1601 |
++ if (radix_tree_is_indirect_ptr(results[ret])) { |
1602 |
++ slot = radix_tree_iter_retry(&iter); |
1603 |
++ continue; |
1604 |
++ } |
1605 |
+ if (++ret == max_items) |
1606 |
+ break; |
1607 |
+ } |
1608 |
+@@ -1094,9 +1098,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results, |
1609 |
+ return 0; |
1610 |
+ |
1611 |
+ radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) { |
1612 |
+- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); |
1613 |
++ results[ret] = rcu_dereference_raw(*slot); |
1614 |
+ if (!results[ret]) |
1615 |
+ continue; |
1616 |
++ if (radix_tree_is_indirect_ptr(results[ret])) { |
1617 |
++ slot = radix_tree_iter_retry(&iter); |
1618 |
++ continue; |
1619 |
++ } |
1620 |
+ if (++ret == max_items) |
1621 |
+ break; |
1622 |
+ } |
1623 |
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c |
1624 |
+index eaa3accb01e7..437ae2cbe102 100644 |
1625 |
+--- a/mm/memcontrol.c |
1626 |
++++ b/mm/memcontrol.c |
1627 |
+@@ -5790,16 +5790,17 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, |
1628 |
+ swap_buffers: |
1629 |
+ /* Swap primary and spare array */ |
1630 |
+ thresholds->spare = thresholds->primary; |
1631 |
+- /* If all events are unregistered, free the spare array */ |
1632 |
+- if (!new) { |
1633 |
+- kfree(thresholds->spare); |
1634 |
+- thresholds->spare = NULL; |
1635 |
+- } |
1636 |
+ |
1637 |
+ rcu_assign_pointer(thresholds->primary, new); |
1638 |
+ |
1639 |
+ /* To be sure that nobody uses thresholds */ |
1640 |
+ synchronize_rcu(); |
1641 |
++ |
1642 |
++ /* If all events are unregistered, free the spare array */ |
1643 |
++ if (!new) { |
1644 |
++ kfree(thresholds->spare); |
1645 |
++ thresholds->spare = NULL; |
1646 |
++ } |
1647 |
+ unlock: |
1648 |
+ mutex_unlock(&memcg->thresholds_lock); |
1649 |
+ } |
1650 |
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c |
1651 |
+index f97d709594e6..37df20faddd5 100644 |
1652 |
+--- a/mm/memory-failure.c |
1653 |
++++ b/mm/memory-failure.c |
1654 |
+@@ -1472,7 +1472,7 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags) |
1655 |
+ * Did it turn free? |
1656 |
+ */ |
1657 |
+ ret = __get_any_page(page, pfn, 0); |
1658 |
+- if (!PageLRU(page)) { |
1659 |
++ if (ret == 1 && !PageLRU(page)) { |
1660 |
+ /* Drop page reference which is from __get_any_page() */ |
1661 |
+ put_page(page); |
1662 |
+ pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n", |
1663 |
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c |
1664 |
+index d85d3a0e06ce..7f1bf93fa87f 100644 |
1665 |
+--- a/mm/memory_hotplug.c |
1666 |
++++ b/mm/memory_hotplug.c |
1667 |
+@@ -1209,23 +1209,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) |
1668 |
+ */ |
1669 |
+ static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn) |
1670 |
+ { |
1671 |
+- unsigned long pfn; |
1672 |
++ unsigned long pfn, sec_end_pfn; |
1673 |
+ struct zone *zone = NULL; |
1674 |
+ struct page *page; |
1675 |
+ int i; |
1676 |
+- for (pfn = start_pfn; |
1677 |
++ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn); |
1678 |
+ pfn < end_pfn; |
1679 |
+- pfn += MAX_ORDER_NR_PAGES) { |
1680 |
+- i = 0; |
1681 |
+- /* This is just a CONFIG_HOLES_IN_ZONE check.*/ |
1682 |
+- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i)) |
1683 |
+- i++; |
1684 |
+- if (i == MAX_ORDER_NR_PAGES) |
1685 |
++ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) { |
1686 |
++ /* Make sure the memory section is present first */ |
1687 |
++ if (!present_section_nr(pfn_to_section_nr(pfn))) |
1688 |
+ continue; |
1689 |
+- page = pfn_to_page(pfn + i); |
1690 |
+- if (zone && page_zone(page) != zone) |
1691 |
+- return 0; |
1692 |
+- zone = page_zone(page); |
1693 |
++ for (; pfn < sec_end_pfn && pfn < end_pfn; |
1694 |
++ pfn += MAX_ORDER_NR_PAGES) { |
1695 |
++ i = 0; |
1696 |
++ /* This is just a CONFIG_HOLES_IN_ZONE check.*/ |
1697 |
++ while ((i < MAX_ORDER_NR_PAGES) && |
1698 |
++ !pfn_valid_within(pfn + i)) |
1699 |
++ i++; |
1700 |
++ if (i == MAX_ORDER_NR_PAGES) |
1701 |
++ continue; |
1702 |
++ page = pfn_to_page(pfn + i); |
1703 |
++ if (zone && page_zone(page) != zone) |
1704 |
++ return 0; |
1705 |
++ zone = page_zone(page); |
1706 |
++ } |
1707 |
+ } |
1708 |
+ return 1; |
1709 |
+ } |
1710 |
+diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c |
1711 |
+index fd26d0433509..e739825be8b3 100644 |
1712 |
+--- a/mm/process_vm_access.c |
1713 |
++++ b/mm/process_vm_access.c |
1714 |
+@@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec, |
1715 |
+ goto free_proc_pages; |
1716 |
+ } |
1717 |
+ |
1718 |
+- mm = mm_access(task, PTRACE_MODE_ATTACH); |
1719 |
++ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS); |
1720 |
+ if (!mm || IS_ERR(mm)) { |
1721 |
+ rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; |
1722 |
+ /* |
1723 |
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c |
1724 |
+index 9ec416552cc5..8d69df16f6a8 100644 |
1725 |
+--- a/net/ipv6/ip6mr.c |
1726 |
++++ b/net/ipv6/ip6mr.c |
1727 |
+@@ -336,7 +336,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) |
1728 |
+ |
1729 |
+ static void ip6mr_free_table(struct mr6_table *mrt) |
1730 |
+ { |
1731 |
+- del_timer(&mrt->ipmr_expire_timer); |
1732 |
++ del_timer_sync(&mrt->ipmr_expire_timer); |
1733 |
+ mroute_clean_tables(mrt, true); |
1734 |
+ kfree(mrt); |
1735 |
+ } |
1736 |
+diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter |
1737 |
+index 6129020c41a9..81228a443122 100755 |
1738 |
+--- a/scripts/bloat-o-meter |
1739 |
++++ b/scripts/bloat-o-meter |
1740 |
+@@ -55,8 +55,8 @@ for name in common: |
1741 |
+ delta.sort() |
1742 |
+ delta.reverse() |
1743 |
+ |
1744 |
+-print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ |
1745 |
+- (add, remove, grow, shrink, up, -down, up-down) |
1746 |
+-print "%-40s %7s %7s %+7s" % ("function", "old", "new", "delta") |
1747 |
++print("add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ |
1748 |
++ (add, remove, grow, shrink, up, -down, up-down)) |
1749 |
++print("%-40s %7s %7s %+7s" % ("function", "old", "new", "delta")) |
1750 |
+ for d, n in delta: |
1751 |
+- if d: print "%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d) |
1752 |
++ if d: print("%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d)) |
1753 |
+diff --git a/security/commoncap.c b/security/commoncap.c |
1754 |
+index c9219a66b7c6..4fd7bf2b19e1 100644 |
1755 |
+--- a/security/commoncap.c |
1756 |
++++ b/security/commoncap.c |
1757 |
+@@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) |
1758 |
+ { |
1759 |
+ int ret = 0; |
1760 |
+ const struct cred *cred, *child_cred; |
1761 |
++ const kernel_cap_t *caller_caps; |
1762 |
+ |
1763 |
+ rcu_read_lock(); |
1764 |
+ cred = current_cred(); |
1765 |
+ child_cred = __task_cred(child); |
1766 |
++ if (mode & PTRACE_MODE_FSCREDS) |
1767 |
++ caller_caps = &cred->cap_effective; |
1768 |
++ else |
1769 |
++ caller_caps = &cred->cap_permitted; |
1770 |
+ if (cred->user_ns == child_cred->user_ns && |
1771 |
+- cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
1772 |
++ cap_issubset(child_cred->cap_permitted, *caller_caps)) |
1773 |
+ goto out; |
1774 |
+ if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) |
1775 |
+ goto out; |
1776 |
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c |
1777 |
+index 67c91d226552..ee0522a8f730 100644 |
1778 |
+--- a/sound/core/seq/seq_ports.c |
1779 |
++++ b/sound/core/seq/seq_ports.c |
1780 |
+@@ -540,19 +540,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client, |
1781 |
+ bool is_src, bool ack) |
1782 |
+ { |
1783 |
+ struct snd_seq_port_subs_info *grp; |
1784 |
++ struct list_head *list; |
1785 |
++ bool empty; |
1786 |
+ |
1787 |
+ grp = is_src ? &port->c_src : &port->c_dest; |
1788 |
++ list = is_src ? &subs->src_list : &subs->dest_list; |
1789 |
+ down_write(&grp->list_mutex); |
1790 |
+ write_lock_irq(&grp->list_lock); |
1791 |
+- if (is_src) |
1792 |
+- list_del(&subs->src_list); |
1793 |
+- else |
1794 |
+- list_del(&subs->dest_list); |
1795 |
++ empty = list_empty(list); |
1796 |
++ if (!empty) |
1797 |
++ list_del_init(list); |
1798 |
+ grp->exclusive = 0; |
1799 |
+ write_unlock_irq(&grp->list_lock); |
1800 |
+ up_write(&grp->list_mutex); |
1801 |
+ |
1802 |
+- unsubscribe_port(client, port, grp, &subs->info, ack); |
1803 |
++ if (!empty) |
1804 |
++ unsubscribe_port(client, port, grp, &subs->info, ack); |
1805 |
+ } |
1806 |
+ |
1807 |
+ /* connect two ports */ |
1808 |
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c |
1809 |
+index 82b0606dcb8a..c3efcf2f816b 100644 |
1810 |
+--- a/tools/lib/traceevent/event-parse.c |
1811 |
++++ b/tools/lib/traceevent/event-parse.c |
1812 |
+@@ -4190,13 +4190,12 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event |
1813 |
+ sizeof(long) != 8) { |
1814 |
+ char *p; |
1815 |
+ |
1816 |
+- ls = 2; |
1817 |
+ /* make %l into %ll */ |
1818 |
+- p = strchr(format, 'l'); |
1819 |
+- if (p) |
1820 |
++ if (ls == 1 && (p = strchr(format, 'l'))) |
1821 |
+ memmove(p+1, p, strlen(p)+1); |
1822 |
+ else if (strcmp(format, "%p") == 0) |
1823 |
+ strcpy(format, "0x%llx"); |
1824 |
++ ls = 2; |
1825 |
+ } |
1826 |
+ switch (ls) { |
1827 |
+ case -2: |