1 |
commit: 679479168a68ec71fc95e7a66dac25305220e45f |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Nov 5 18:49:52 2017 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Nov 5 18:49:52 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=67947916 |
7 |
|
8 |
Linux patch 3.10.108 |
9 |
|
10 |
0000_README | 4 + |
11 |
1107_linux-3.10.108.patch | 3467 +++++++++++++++++++++++++++++++++++++++++++++ |
12 |
2 files changed, 3471 insertions(+) |
13 |
|
14 |
diff --git a/0000_README b/0000_README |
15 |
index e949f2e..e964bd4 100644 |
16 |
--- a/0000_README |
17 |
+++ b/0000_README |
18 |
@@ -470,6 +470,10 @@ Patch: 1106_linux-3.10.107.patch |
19 |
From: http://www.kernel.org |
20 |
Desc: Linux 3.10.107 |
21 |
|
22 |
+Patch: 1107_linux-3.10.108.patch |
23 |
+From: http://www.kernel.org |
24 |
+Desc: Linux 3.10.108 |
25 |
+ |
26 |
Patch: 1500_XATTR_USER_PREFIX.patch |
27 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
28 |
Desc: Support for namespace user.pax.* on tmpfs. |
29 |
|
30 |
diff --git a/1107_linux-3.10.108.patch b/1107_linux-3.10.108.patch |
31 |
new file mode 100644 |
32 |
index 0000000..f8e4e90 |
33 |
--- /dev/null |
34 |
+++ b/1107_linux-3.10.108.patch |
35 |
@@ -0,0 +1,3467 @@ |
36 |
+diff --git a/Makefile b/Makefile |
37 |
+index 752b1c67daa0..924f98a4bc0f 100644 |
38 |
+--- a/Makefile |
39 |
++++ b/Makefile |
40 |
+@@ -1,8 +1,8 @@ |
41 |
+ VERSION = 3 |
42 |
+ PATCHLEVEL = 10 |
43 |
+-SUBLEVEL = 107 |
44 |
++SUBLEVEL = 108 |
45 |
+ EXTRAVERSION = |
46 |
+-NAME = TOSSUG Baby Fish |
47 |
++NAME = END-OF-LIFE |
48 |
+ |
49 |
+ # *DOCUMENTATION* |
50 |
+ # To see a list of typical targets execute "make help" |
51 |
+diff --git a/arch/mips/include/asm/branch.h b/arch/mips/include/asm/branch.h |
52 |
+index e28a3e0eb3cb..582d8b61ce5c 100644 |
53 |
+--- a/arch/mips/include/asm/branch.h |
54 |
++++ b/arch/mips/include/asm/branch.h |
55 |
+@@ -44,10 +44,7 @@ static inline int compute_return_epc(struct pt_regs *regs) |
56 |
+ return __microMIPS_compute_return_epc(regs); |
57 |
+ if (cpu_has_mips16) |
58 |
+ return __MIPS16e_compute_return_epc(regs); |
59 |
+- return regs->cp0_epc; |
60 |
+- } |
61 |
+- |
62 |
+- if (!delay_slot(regs)) { |
63 |
++ } else if (!delay_slot(regs)) { |
64 |
+ regs->cp0_epc += 4; |
65 |
+ return 0; |
66 |
+ } |
67 |
+diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c |
68 |
+index 46c2ad0703a0..63b942f613c4 100644 |
69 |
+--- a/arch/mips/kernel/branch.c |
70 |
++++ b/arch/mips/kernel/branch.c |
71 |
+@@ -200,7 +200,7 @@ int __MIPS16e_compute_return_epc(struct pt_regs *regs) |
72 |
+ * |
73 |
+ * @regs: Pointer to pt_regs |
74 |
+ * @insn: branch instruction to decode |
75 |
+- * @returns: -EFAULT on error and forces SIGBUS, and on success |
76 |
++ * @returns: -EFAULT on error and forces SIGILL, and on success |
77 |
+ * returns 0 or BRANCH_LIKELY_TAKEN as appropriate after |
78 |
+ * evaluating the branch. |
79 |
+ */ |
80 |
+@@ -297,6 +297,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs, |
81 |
+ /* |
82 |
+ * These are unconditional and in j_format. |
83 |
+ */ |
84 |
++ case jalx_op: |
85 |
+ case jal_op: |
86 |
+ regs->regs[31] = regs->cp0_epc + 8; |
87 |
+ case j_op: |
88 |
+@@ -436,8 +437,9 @@ int __compute_return_epc_for_insn(struct pt_regs *regs, |
89 |
+ return ret; |
90 |
+ |
91 |
+ sigill: |
92 |
+- printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm); |
93 |
+- force_sig(SIGBUS, current); |
94 |
++ pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n", |
95 |
++ current->comm); |
96 |
++ force_sig(SIGILL, current); |
97 |
+ return -EFAULT; |
98 |
+ } |
99 |
+ EXPORT_SYMBOL_GPL(__compute_return_epc_for_insn); |
100 |
+diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c |
101 |
+index b79d13f95bf0..eb0f4dfb385c 100644 |
102 |
+--- a/arch/mips/kernel/syscall.c |
103 |
++++ b/arch/mips/kernel/syscall.c |
104 |
+@@ -140,7 +140,7 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new) |
105 |
+ "1: ll %[old], (%[addr]) \n" |
106 |
+ " move %[tmp], %[new] \n" |
107 |
+ "2: sc %[tmp], (%[addr]) \n" |
108 |
+- " bnez %[tmp], 4f \n" |
109 |
++ " beqz %[tmp], 4f \n" |
110 |
+ "3: \n" |
111 |
+ " .subsection 2 \n" |
112 |
+ "4: b 1b \n" |
113 |
+diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c |
114 |
+index 3d492a823a55..dbddc9ccf270 100644 |
115 |
+--- a/arch/mips/math-emu/cp1emu.c |
116 |
++++ b/arch/mips/math-emu/cp1emu.c |
117 |
+@@ -2002,6 +2002,35 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, |
118 |
+ return 0; |
119 |
+ } |
120 |
+ |
121 |
++/* |
122 |
++ * Emulate FPU instructions. |
123 |
++ * |
124 |
++ * If we use FPU hardware, then we have been typically called to handle |
125 |
++ * an unimplemented operation, such as where an operand is a NaN or |
126 |
++ * denormalized. In that case exit the emulation loop after a single |
127 |
++ * iteration so as to let hardware execute any subsequent instructions. |
128 |
++ * |
129 |
++ * If we have no FPU hardware or it has been disabled, then continue |
130 |
++ * emulating floating-point instructions until one of these conditions |
131 |
++ * has occurred: |
132 |
++ * |
133 |
++ * - a non-FPU instruction has been encountered, |
134 |
++ * |
135 |
++ * - an attempt to emulate has ended with a signal, |
136 |
++ * |
137 |
++ * - the ISA mode has been switched. |
138 |
++ * |
139 |
++ * We need to terminate the emulation loop if we got switched to the |
140 |
++ * MIPS16 mode, whether supported or not, so that we do not attempt |
141 |
++ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction. |
142 |
++ * Similarly if we got switched to the microMIPS mode and only the |
143 |
++ * regular MIPS mode is supported, so that we do not attempt to emulate |
144 |
++ * a microMIPS instruction as a regular MIPS FPU instruction. Or if |
145 |
++ * we got switched to the regular MIPS mode and only the microMIPS mode |
146 |
++ * is supported, so that we do not attempt to emulate a regular MIPS |
147 |
++ * instruction that should cause an Address Error exception instead. |
148 |
++ * For simplicity we always terminate upon an ISA mode switch. |
149 |
++ */ |
150 |
+ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx, |
151 |
+ int has_fpu, void *__user *fault_addr) |
152 |
+ { |
153 |
+@@ -2093,6 +2122,15 @@ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx, |
154 |
+ break; |
155 |
+ if (sig) |
156 |
+ break; |
157 |
++ /* |
158 |
++ * We have to check for the ISA bit explicitly here, |
159 |
++ * because `get_isa16_mode' may return 0 if support |
160 |
++ * for code compression has been globally disabled, |
161 |
++ * or otherwise we may produce the wrong signal or |
162 |
++ * even proceed successfully where we must not. |
163 |
++ */ |
164 |
++ if ((xcp->cp0_epc ^ prevepc) & 0x1) |
165 |
++ break; |
166 |
+ |
167 |
+ cond_resched(); |
168 |
+ } while (xcp->cp0_epc > prevepc); |
169 |
+diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h |
170 |
+index e3b1d41c89be..84bcdfa410ff 100644 |
171 |
+--- a/arch/powerpc/include/asm/atomic.h |
172 |
++++ b/arch/powerpc/include/asm/atomic.h |
173 |
+@@ -501,7 +501,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) |
174 |
+ * Atomically increments @v by 1, so long as @v is non-zero. |
175 |
+ * Returns non-zero if @v was non-zero, and zero otherwise. |
176 |
+ */ |
177 |
+-static __inline__ long atomic64_inc_not_zero(atomic64_t *v) |
178 |
++static __inline__ int atomic64_inc_not_zero(atomic64_t *v) |
179 |
+ { |
180 |
+ long t1, t2; |
181 |
+ |
182 |
+@@ -520,7 +520,7 @@ static __inline__ long atomic64_inc_not_zero(atomic64_t *v) |
183 |
+ : "r" (&v->counter) |
184 |
+ : "cc", "xer", "memory"); |
185 |
+ |
186 |
+- return t1; |
187 |
++ return t1 != 0; |
188 |
+ } |
189 |
+ |
190 |
+ #endif /* __powerpc64__ */ |
191 |
+diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h |
192 |
+index 469d7715d6aa..954168be7878 100644 |
193 |
+--- a/arch/powerpc/include/asm/reg.h |
194 |
++++ b/arch/powerpc/include/asm/reg.h |
195 |
+@@ -1136,7 +1136,7 @@ |
196 |
+ " .llong 0\n" \ |
197 |
+ " .llong 0\n" \ |
198 |
+ ".previous" \ |
199 |
+- : "=r" (rval) : "i" (CPU_FTR_CELL_TB_BUG)); rval;}) |
200 |
++ : "=r" (rval) : "i" (CPU_FTR_CELL_TB_BUG) : "cr0"); rval;}) |
201 |
+ #else |
202 |
+ #define mftb() ({unsigned long rval; \ |
203 |
+ asm volatile("mftb %0" : "=r" (rval)); rval;}) |
204 |
+diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c |
205 |
+index 11f5b03a0b06..762c10d46d66 100644 |
206 |
+--- a/arch/powerpc/kernel/kprobes.c |
207 |
++++ b/arch/powerpc/kernel/kprobes.c |
208 |
+@@ -529,6 +529,15 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) |
209 |
+ regs->gpr[2] = (unsigned long)(((func_descr_t *)jp->entry)->toc); |
210 |
+ #endif |
211 |
+ |
212 |
++ /* |
213 |
++ * jprobes use jprobe_return() which skips the normal return |
214 |
++ * path of the function, and this messes up the accounting of the |
215 |
++ * function graph tracer. |
216 |
++ * |
217 |
++ * Pause function graph tracing while performing the jprobe function. |
218 |
++ */ |
219 |
++ pause_graph_tracing(); |
220 |
++ |
221 |
+ return 1; |
222 |
+ } |
223 |
+ |
224 |
+@@ -551,6 +560,8 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) |
225 |
+ * saved regs... |
226 |
+ */ |
227 |
+ memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs)); |
228 |
++ /* It's OK to start function graph tracing again */ |
229 |
++ unpause_graph_tracing(); |
230 |
+ preempt_enable_no_resched(); |
231 |
+ return 1; |
232 |
+ } |
233 |
+diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c |
234 |
+index 08490ecc465e..23da15ff7796 100644 |
235 |
+--- a/arch/powerpc/lib/sstep.c |
236 |
++++ b/arch/powerpc/lib/sstep.c |
237 |
+@@ -863,6 +863,19 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) |
238 |
+ goto instr_done; |
239 |
+ #endif |
240 |
+ case 19: /* mfcr */ |
241 |
++ if ((instr >> 20) & 1) { |
242 |
++ imm = 0xf0000000UL; |
243 |
++ for (sh = 0; sh < 8; ++sh) { |
244 |
++ if (instr & (0x80000 >> sh)) { |
245 |
++ regs->gpr[rd] = regs->ccr & imm; |
246 |
++ break; |
247 |
++ } |
248 |
++ imm >>= 4; |
249 |
++ } |
250 |
++ |
251 |
++ goto instr_done; |
252 |
++ } |
253 |
++ |
254 |
+ regs->gpr[rd] = regs->ccr; |
255 |
+ regs->gpr[rd] &= 0xffffffffUL; |
256 |
+ goto instr_done; |
257 |
+diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h |
258 |
+index d8e8eefbe24c..86ec87dc1f57 100644 |
259 |
+--- a/arch/x86/include/asm/io.h |
260 |
++++ b/arch/x86/include/asm/io.h |
261 |
+@@ -296,13 +296,13 @@ static inline unsigned type in##bwl##_p(int port) \ |
262 |
+ static inline void outs##bwl(int port, const void *addr, unsigned long count) \ |
263 |
+ { \ |
264 |
+ asm volatile("rep; outs" #bwl \ |
265 |
+- : "+S"(addr), "+c"(count) : "d"(port)); \ |
266 |
++ : "+S"(addr), "+c"(count) : "d"(port) : "memory"); \ |
267 |
+ } \ |
268 |
+ \ |
269 |
+ static inline void ins##bwl(int port, void *addr, unsigned long count) \ |
270 |
+ { \ |
271 |
+ asm volatile("rep; ins" #bwl \ |
272 |
+- : "+D"(addr), "+c"(count) : "d"(port)); \ |
273 |
++ : "+D"(addr), "+c"(count) : "d"(port) : "memory"); \ |
274 |
+ } |
275 |
+ |
276 |
+ BUILDIO(b, b, char) |
277 |
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c |
278 |
+index 3cd8bfc3c4b6..bc37ddeaa627 100644 |
279 |
+--- a/arch/x86/kernel/apic/apic.c |
280 |
++++ b/arch/x86/kernel/apic/apic.c |
281 |
+@@ -1581,8 +1581,10 @@ void __init enable_IR_x2apic(void) |
282 |
+ int ret, x2apic_enabled = 0; |
283 |
+ int hardware_init_ret; |
284 |
+ |
285 |
++#ifdef CONFIG_X86_IO_APIC |
286 |
+ if (skip_ioapic_setup) |
287 |
+ return; |
288 |
++#endif |
289 |
+ |
290 |
+ /* Make sure irq_remap_ops are initialized */ |
291 |
+ setup_irq_remapping_ops(); |
292 |
+diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c |
293 |
+index c4ff2a916139..c95ece93f359 100644 |
294 |
+--- a/arch/x86/kernel/kvm.c |
295 |
++++ b/arch/x86/kernel/kvm.c |
296 |
+@@ -159,8 +159,8 @@ void kvm_async_pf_task_wait(u32 token) |
297 |
+ */ |
298 |
+ rcu_irq_exit(); |
299 |
+ native_safe_halt(); |
300 |
+- rcu_irq_enter(); |
301 |
+ local_irq_disable(); |
302 |
++ rcu_irq_enter(); |
303 |
+ } |
304 |
+ } |
305 |
+ if (!n.halted) |
306 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
307 |
+index d9016e4a80f9..be1389527284 100644 |
308 |
+--- a/arch/x86/kvm/vmx.c |
309 |
++++ b/arch/x86/kvm/vmx.c |
310 |
+@@ -8014,7 +8014,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, |
311 |
+ * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask(); |
312 |
+ */ |
313 |
+ vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK); |
314 |
+- kvm_set_cr4(vcpu, vmcs12->host_cr4); |
315 |
++ vmx_set_cr4(vcpu, vmcs12->host_cr4); |
316 |
+ |
317 |
+ /* shadow page tables on either EPT or shadow page tables */ |
318 |
+ kvm_set_cr3(vcpu, vmcs12->host_cr3); |
319 |
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c |
320 |
+index b70b67bde90d..3d316cafff91 100644 |
321 |
+--- a/arch/x86/kvm/x86.c |
322 |
++++ b/arch/x86/kvm/x86.c |
323 |
+@@ -4596,6 +4596,8 @@ static bool emulator_get_segment(struct x86_emulate_ctxt *ctxt, u16 *selector, |
324 |
+ |
325 |
+ if (var.unusable) { |
326 |
+ memset(desc, 0, sizeof(*desc)); |
327 |
++ if (base3) |
328 |
++ *base3 = 0; |
329 |
+ return false; |
330 |
+ } |
331 |
+ |
332 |
+diff --git a/arch/x86/mm/numa_32.c b/arch/x86/mm/numa_32.c |
333 |
+index 73a6d7395bd3..58e7e9d4bbc7 100644 |
334 |
+--- a/arch/x86/mm/numa_32.c |
335 |
++++ b/arch/x86/mm/numa_32.c |
336 |
+@@ -100,5 +100,6 @@ void __init initmem_init(void) |
337 |
+ printk(KERN_DEBUG "High memory starts at vaddr %08lx\n", |
338 |
+ (ulong) pfn_to_kaddr(highstart_pfn)); |
339 |
+ |
340 |
++ __vmalloc_start_set = true; |
341 |
+ setup_bootmem_allocator(); |
342 |
+ } |
343 |
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c |
344 |
+index ea05c531db26..8e2747401d34 100644 |
345 |
+--- a/crypto/algif_skcipher.c |
346 |
++++ b/crypto/algif_skcipher.c |
347 |
+@@ -92,8 +92,10 @@ static int skcipher_alloc_sgl(struct sock *sk) |
348 |
+ sg_init_table(sgl->sg, MAX_SGL_ENTS + 1); |
349 |
+ sgl->cur = 0; |
350 |
+ |
351 |
+- if (sg) |
352 |
++ if (sg) { |
353 |
+ scatterwalk_sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg); |
354 |
++ sg_unmark_end(sg + (MAX_SGL_ENTS - 1)); |
355 |
++ } |
356 |
+ |
357 |
+ list_add_tail(&sgl->list, &ctx->tsgl); |
358 |
+ } |
359 |
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c |
360 |
+index 070b843c37ee..8cff7cae7331 100644 |
361 |
+--- a/drivers/acpi/apei/ghes.c |
362 |
++++ b/drivers/acpi/apei/ghes.c |
363 |
+@@ -988,6 +988,7 @@ static int ghes_remove(struct platform_device *ghes_dev) |
364 |
+ if (list_empty(&ghes_sci)) |
365 |
+ unregister_acpi_hed_notifier(&ghes_notifier_sci); |
366 |
+ mutex_unlock(&ghes_list_mutex); |
367 |
++ synchronize_rcu(); |
368 |
+ break; |
369 |
+ case ACPI_HEST_NOTIFY_NMI: |
370 |
+ mutex_lock(&ghes_list_mutex); |
371 |
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c |
372 |
+index f3f0801a0e81..aa4e36b3a599 100644 |
373 |
+--- a/drivers/ata/libata-scsi.c |
374 |
++++ b/drivers/ata/libata-scsi.c |
375 |
+@@ -2794,10 +2794,12 @@ static unsigned int atapi_xlat(struct ata_queued_cmd *qc) |
376 |
+ static struct ata_device *ata_find_dev(struct ata_port *ap, int devno) |
377 |
+ { |
378 |
+ if (!sata_pmp_attached(ap)) { |
379 |
+- if (likely(devno < ata_link_max_devices(&ap->link))) |
380 |
++ if (likely(devno >= 0 && |
381 |
++ devno < ata_link_max_devices(&ap->link))) |
382 |
+ return &ap->link.device[devno]; |
383 |
+ } else { |
384 |
+- if (likely(devno < ap->nr_pmp_links)) |
385 |
++ if (likely(devno >= 0 && |
386 |
++ devno < ap->nr_pmp_links)) |
387 |
+ return &ap->pmp_link[devno].device[0]; |
388 |
+ } |
389 |
+ |
390 |
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c |
391 |
+index 7072404c8b6d..8d73f999f40f 100644 |
392 |
+--- a/drivers/base/power/domain.c |
393 |
++++ b/drivers/base/power/domain.c |
394 |
+@@ -1692,7 +1692,7 @@ int pm_genpd_add_subdomain_names(const char *master_name, |
395 |
+ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd, |
396 |
+ struct generic_pm_domain *subdomain) |
397 |
+ { |
398 |
+- struct gpd_link *link; |
399 |
++ struct gpd_link *l, *link; |
400 |
+ int ret = -EINVAL; |
401 |
+ |
402 |
+ if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain)) |
403 |
+@@ -1701,7 +1701,7 @@ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd, |
404 |
+ start: |
405 |
+ genpd_acquire_lock(genpd); |
406 |
+ |
407 |
+- list_for_each_entry(link, &genpd->master_links, master_node) { |
408 |
++ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) { |
409 |
+ if (link->slave != subdomain) |
410 |
+ continue; |
411 |
+ |
412 |
+diff --git a/drivers/cpufreq/cpufreq_conservative.c b/drivers/cpufreq/cpufreq_conservative.c |
413 |
+index f97cb3d8c5a2..f34e8191665f 100644 |
414 |
+--- a/drivers/cpufreq/cpufreq_conservative.c |
415 |
++++ b/drivers/cpufreq/cpufreq_conservative.c |
416 |
+@@ -212,8 +212,8 @@ static ssize_t store_down_threshold(struct dbs_data *dbs_data, const char *buf, |
417 |
+ int ret; |
418 |
+ ret = sscanf(buf, "%u", &input); |
419 |
+ |
420 |
+- /* cannot be lower than 11 otherwise freq will not fall */ |
421 |
+- if (ret != 1 || input < 11 || input > 100 || |
422 |
++ /* cannot be lower than 1 otherwise freq will not fall */ |
423 |
++ if (ret != 1 || input < 1 || input > 100 || |
424 |
+ input >= cs_tuners->up_threshold) |
425 |
+ return -EINVAL; |
426 |
+ |
427 |
+diff --git a/drivers/cpufreq/s3c2416-cpufreq.c b/drivers/cpufreq/s3c2416-cpufreq.c |
428 |
+index 4f1881eee3f1..6da4fbd4eef4 100644 |
429 |
+--- a/drivers/cpufreq/s3c2416-cpufreq.c |
430 |
++++ b/drivers/cpufreq/s3c2416-cpufreq.c |
431 |
+@@ -434,7 +434,6 @@ static int __init s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) |
432 |
+ rate = clk_get_rate(s3c_freq->hclk); |
433 |
+ if (rate < 133 * 1000 * 1000) { |
434 |
+ pr_err("cpufreq: HCLK not at 133MHz\n"); |
435 |
+- clk_put(s3c_freq->hclk); |
436 |
+ ret = -EINVAL; |
437 |
+ goto err_armclk; |
438 |
+ } |
439 |
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c |
440 |
+index e9d8b235f68d..34815a74d900 100644 |
441 |
+--- a/drivers/crypto/caam/caamhash.c |
442 |
++++ b/drivers/crypto/caam/caamhash.c |
443 |
+@@ -476,7 +476,7 @@ static int hash_digest_key(struct caam_hash_ctx *ctx, const u8 *key_in, |
444 |
+ ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result); |
445 |
+ if (!ret) { |
446 |
+ /* in progress */ |
447 |
+- wait_for_completion_interruptible(&result.completion); |
448 |
++ wait_for_completion(&result.completion); |
449 |
+ ret = result.err; |
450 |
+ #ifdef DEBUG |
451 |
+ print_hex_dump(KERN_ERR, "digested key@"xstr(__LINE__)": ", |
452 |
+diff --git a/drivers/crypto/caam/key_gen.c b/drivers/crypto/caam/key_gen.c |
453 |
+index 87138d2adb5f..fd6bc0bc56c5 100644 |
454 |
+--- a/drivers/crypto/caam/key_gen.c |
455 |
++++ b/drivers/crypto/caam/key_gen.c |
456 |
+@@ -107,7 +107,7 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len, |
457 |
+ ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result); |
458 |
+ if (!ret) { |
459 |
+ /* in progress */ |
460 |
+- wait_for_completion_interruptible(&result.completion); |
461 |
++ wait_for_completion(&result.completion); |
462 |
+ ret = result.err; |
463 |
+ #ifdef DEBUG |
464 |
+ print_hex_dump(KERN_ERR, "ctx.key@"xstr(__LINE__)": ", |
465 |
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c |
466 |
+index 057d894eee66..6e5ba44dfaac 100644 |
467 |
+--- a/drivers/crypto/talitos.c |
468 |
++++ b/drivers/crypto/talitos.c |
469 |
+@@ -623,7 +623,7 @@ static void talitos_unregister_rng(struct device *dev) |
470 |
+ * crypto alg |
471 |
+ */ |
472 |
+ #define TALITOS_CRA_PRIORITY 3000 |
473 |
+-#define TALITOS_MAX_KEY_SIZE 96 |
474 |
++#define TALITOS_MAX_KEY_SIZE (AES_MAX_KEY_SIZE + SHA512_BLOCK_SIZE) |
475 |
+ #define TALITOS_MAX_IV_LENGTH 16 /* max of AES_BLOCK_SIZE, DES3_EDE_BLOCK_SIZE */ |
476 |
+ |
477 |
+ #define MD5_BLOCK_SIZE 64 |
478 |
+@@ -1380,6 +1380,11 @@ static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, |
479 |
+ { |
480 |
+ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); |
481 |
+ |
482 |
++ if (keylen > TALITOS_MAX_KEY_SIZE) { |
483 |
++ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); |
484 |
++ return -EINVAL; |
485 |
++ } |
486 |
++ |
487 |
+ memcpy(&ctx->key, key, keylen); |
488 |
+ ctx->keylen = keylen; |
489 |
+ |
490 |
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c |
491 |
+index 89664933861f..a3a70283bded 100644 |
492 |
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c |
493 |
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c |
494 |
+@@ -368,6 +368,8 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) |
495 |
+ return fifo_state->static_buffer; |
496 |
+ else { |
497 |
+ fifo_state->dynamic_buffer = vmalloc(bytes); |
498 |
++ if (!fifo_state->dynamic_buffer) |
499 |
++ goto out_err; |
500 |
+ return fifo_state->dynamic_buffer; |
501 |
+ } |
502 |
+ } |
503 |
+diff --git a/drivers/infiniband/hw/qib/qib_iba7322.c b/drivers/infiniband/hw/qib/qib_iba7322.c |
504 |
+index 5f5f20f42231..c61f3e7aa353 100644 |
505 |
+--- a/drivers/infiniband/hw/qib/qib_iba7322.c |
506 |
++++ b/drivers/infiniband/hw/qib/qib_iba7322.c |
507 |
+@@ -6670,7 +6670,7 @@ static void qib_7322_txchk_change(struct qib_devdata *dd, u32 start, |
508 |
+ unsigned long flags; |
509 |
+ |
510 |
+ while (wait) { |
511 |
+- unsigned long shadow; |
512 |
++ unsigned long shadow = 0; |
513 |
+ int cstart, previ = -1; |
514 |
+ |
515 |
+ /* |
516 |
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c |
517 |
+index 8292554bccb5..7604ae54d7bc 100644 |
518 |
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c |
519 |
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c |
520 |
+@@ -165,11 +165,11 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) |
521 |
+ out: |
522 |
+ mutex_unlock(&ppriv->vlan_mutex); |
523 |
+ |
524 |
++ rtnl_unlock(); |
525 |
++ |
526 |
+ if (result) |
527 |
+ free_netdev(priv->dev); |
528 |
+ |
529 |
+- rtnl_unlock(); |
530 |
+- |
531 |
+ return result; |
532 |
+ } |
533 |
+ |
534 |
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c |
535 |
+index 0e7cd14bf7bb..88ba9649bd1f 100644 |
536 |
+--- a/drivers/iommu/amd_iommu.c |
537 |
++++ b/drivers/iommu/amd_iommu.c |
538 |
+@@ -3402,6 +3402,7 @@ static size_t amd_iommu_unmap(struct iommu_domain *dom, unsigned long iova, |
539 |
+ mutex_unlock(&domain->api_lock); |
540 |
+ |
541 |
+ domain_flush_tlb_pde(domain); |
542 |
++ domain_flush_complete(domain); |
543 |
+ |
544 |
+ return unmap_size; |
545 |
+ } |
546 |
+diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c |
547 |
+index 37470ee7c850..4d874427101d 100644 |
548 |
+--- a/drivers/md/bitmap.c |
549 |
++++ b/drivers/md/bitmap.c |
550 |
+@@ -1806,6 +1806,11 @@ int bitmap_resize(struct bitmap *bitmap, sector_t blocks, |
551 |
+ long pages; |
552 |
+ struct bitmap_page *new_bp; |
553 |
+ |
554 |
++ if (bitmap->storage.file && !init) { |
555 |
++ pr_info("md: cannot resize file-based bitmap\n"); |
556 |
++ return -EINVAL; |
557 |
++ } |
558 |
++ |
559 |
+ if (chunksize == 0) { |
560 |
+ /* If there is enough space, leave the chunk size unchanged, |
561 |
+ * else increase by factor of two until there is enough space. |
562 |
+diff --git a/drivers/md/md.c b/drivers/md/md.c |
563 |
+index 7c45286e2662..95eb53f68413 100644 |
564 |
+--- a/drivers/md/md.c |
565 |
++++ b/drivers/md/md.c |
566 |
+@@ -1898,7 +1898,7 @@ super_1_rdev_size_change(struct md_rdev *rdev, sector_t num_sectors) |
567 |
+ } |
568 |
+ sb = page_address(rdev->sb_page); |
569 |
+ sb->data_size = cpu_to_le64(num_sectors); |
570 |
+- sb->super_offset = rdev->sb_start; |
571 |
++ sb->super_offset = cpu_to_le64(rdev->sb_start); |
572 |
+ sb->sb_csum = calc_sb_1_csum(sb); |
573 |
+ md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, |
574 |
+ rdev->sb_page); |
575 |
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c |
576 |
+index f53f4f895502..b4de9c3e5ca4 100644 |
577 |
+--- a/drivers/md/raid10.c |
578 |
++++ b/drivers/md/raid10.c |
579 |
+@@ -1569,11 +1569,24 @@ retry_write: |
580 |
+ mbio->bi_private = r10_bio; |
581 |
+ |
582 |
+ atomic_inc(&r10_bio->remaining); |
583 |
++ |
584 |
++ cb = blk_check_plugged(raid10_unplug, mddev, |
585 |
++ sizeof(*plug)); |
586 |
++ if (cb) |
587 |
++ plug = container_of(cb, struct raid10_plug_cb, |
588 |
++ cb); |
589 |
++ else |
590 |
++ plug = NULL; |
591 |
+ spin_lock_irqsave(&conf->device_lock, flags); |
592 |
+- bio_list_add(&conf->pending_bio_list, mbio); |
593 |
+- conf->pending_count++; |
594 |
++ if (plug) { |
595 |
++ bio_list_add(&plug->pending, mbio); |
596 |
++ plug->pending_cnt++; |
597 |
++ } else { |
598 |
++ bio_list_add(&conf->pending_bio_list, mbio); |
599 |
++ conf->pending_count++; |
600 |
++ } |
601 |
+ spin_unlock_irqrestore(&conf->device_lock, flags); |
602 |
+- if (!mddev_check_plugged(mddev)) |
603 |
++ if (!plug) |
604 |
+ md_wakeup_thread(mddev->thread); |
605 |
+ } |
606 |
+ } |
607 |
+diff --git a/drivers/media/platform/davinci/vpfe_capture.c b/drivers/media/platform/davinci/vpfe_capture.c |
608 |
+index 93609091cb23..9dad717fb78c 100644 |
609 |
+--- a/drivers/media/platform/davinci/vpfe_capture.c |
610 |
++++ b/drivers/media/platform/davinci/vpfe_capture.c |
611 |
+@@ -1706,27 +1706,9 @@ static long vpfe_param_handler(struct file *file, void *priv, |
612 |
+ |
613 |
+ switch (cmd) { |
614 |
+ case VPFE_CMD_S_CCDC_RAW_PARAMS: |
615 |
++ ret = -EINVAL; |
616 |
+ v4l2_warn(&vpfe_dev->v4l2_dev, |
617 |
+- "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); |
618 |
+- if (ccdc_dev->hw_ops.set_params) { |
619 |
+- ret = ccdc_dev->hw_ops.set_params(param); |
620 |
+- if (ret) { |
621 |
+- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
622 |
+- "Error setting parameters in CCDC\n"); |
623 |
+- goto unlock_out; |
624 |
+- } |
625 |
+- ret = vpfe_get_ccdc_image_format(vpfe_dev, |
626 |
+- &vpfe_dev->fmt); |
627 |
+- if (ret < 0) { |
628 |
+- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
629 |
+- "Invalid image format at CCDC\n"); |
630 |
+- goto unlock_out; |
631 |
+- } |
632 |
+- } else { |
633 |
+- ret = -EINVAL; |
634 |
+- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
635 |
+- "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); |
636 |
+- } |
637 |
++ "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); |
638 |
+ break; |
639 |
+ default: |
640 |
+ ret = -ENOTTY; |
641 |
+diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c |
642 |
+index 72e3fa652481..257bb7a6ff54 100644 |
643 |
+--- a/drivers/media/rc/imon.c |
644 |
++++ b/drivers/media/rc/imon.c |
645 |
+@@ -1530,7 +1530,7 @@ static void imon_incoming_packet(struct imon_context *ictx, |
646 |
+ if (kc == KEY_KEYBOARD && !ictx->release_code) { |
647 |
+ ictx->last_keycode = kc; |
648 |
+ if (!nomouse) { |
649 |
+- ictx->pad_mouse = ~(ictx->pad_mouse) & 0x1; |
650 |
++ ictx->pad_mouse = !ictx->pad_mouse; |
651 |
+ dev_dbg(dev, "toggling to %s mode\n", |
652 |
+ ictx->pad_mouse ? "mouse" : "keyboard"); |
653 |
+ spin_unlock_irqrestore(&ictx->kc_lock, flags); |
654 |
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c |
655 |
+index 9515f3a68f8f..122815e1cb65 100644 |
656 |
+--- a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c |
657 |
++++ b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c |
658 |
+@@ -123,15 +123,10 @@ int pvr2_eeprom_analyze(struct pvr2_hdw *hdw) |
659 |
+ memset(&tvdata,0,sizeof(tvdata)); |
660 |
+ |
661 |
+ eeprom = pvr2_eeprom_fetch(hdw); |
662 |
+- if (!eeprom) return -EINVAL; |
663 |
+- |
664 |
+- { |
665 |
+- struct i2c_client fake_client; |
666 |
+- /* Newer version expects a useless client interface */ |
667 |
+- fake_client.addr = hdw->eeprom_addr; |
668 |
+- fake_client.adapter = &hdw->i2c_adap; |
669 |
+- tveeprom_hauppauge_analog(&fake_client,&tvdata,eeprom); |
670 |
+- } |
671 |
++ if (!eeprom) |
672 |
++ return -EINVAL; |
673 |
++ |
674 |
++ tveeprom_hauppauge_analog(NULL, &tvdata, eeprom); |
675 |
+ |
676 |
+ trace_eeprom("eeprom assumed v4l tveeprom module"); |
677 |
+ trace_eeprom("eeprom direct call results:"); |
678 |
+diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c |
679 |
+index c7576a503e5b..2afadd00d3fd 100644 |
680 |
+--- a/drivers/mfd/omap-usb-tll.c |
681 |
++++ b/drivers/mfd/omap-usb-tll.c |
682 |
+@@ -380,8 +380,8 @@ int omap_tll_init(struct usbhs_omap_platform_data *pdata) |
683 |
+ * and use SDR Mode |
684 |
+ */ |
685 |
+ reg &= ~(OMAP_TLL_CHANNEL_CONF_UTMIAUTOIDLE |
686 |
+- | OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF |
687 |
+ | OMAP_TLL_CHANNEL_CONF_ULPIDDRMODE); |
688 |
++ reg |= OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF; |
689 |
+ } else if (pdata->port_mode[i] == |
690 |
+ OMAP_EHCI_PORT_MODE_HSIC) { |
691 |
+ /* |
692 |
+diff --git a/drivers/misc/c2port/c2port-duramar2150.c b/drivers/misc/c2port/c2port-duramar2150.c |
693 |
+index 5484301d57d9..3dc61ea7dc64 100644 |
694 |
+--- a/drivers/misc/c2port/c2port-duramar2150.c |
695 |
++++ b/drivers/misc/c2port/c2port-duramar2150.c |
696 |
+@@ -129,8 +129,8 @@ static int __init duramar2150_c2port_init(void) |
697 |
+ |
698 |
+ duramar2150_c2port_dev = c2port_device_register("uc", |
699 |
+ &duramar2150_c2port_ops, NULL); |
700 |
+- if (!duramar2150_c2port_dev) { |
701 |
+- ret = -ENODEV; |
702 |
++ if (IS_ERR(duramar2150_c2port_dev)) { |
703 |
++ ret = PTR_ERR(duramar2150_c2port_dev); |
704 |
+ goto free_region; |
705 |
+ } |
706 |
+ |
707 |
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c |
708 |
+index d5455c760618..503f37850fb3 100644 |
709 |
+--- a/drivers/net/can/usb/esd_usb2.c |
710 |
++++ b/drivers/net/can/usb/esd_usb2.c |
711 |
+@@ -335,7 +335,7 @@ static void esd_usb2_rx_can_msg(struct esd_usb2_net_priv *priv, |
712 |
+ } |
713 |
+ |
714 |
+ cf->can_id = id & ESD_IDMASK; |
715 |
+- cf->can_dlc = get_can_dlc(msg->msg.rx.dlc); |
716 |
++ cf->can_dlc = get_can_dlc(msg->msg.rx.dlc & ~ESD_RTR); |
717 |
+ |
718 |
+ if (id & ESD_EXTID) |
719 |
+ cf->can_id |= CAN_EFF_FLAG; |
720 |
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c |
721 |
+index 5409fe876a44..69bc0a0eb423 100644 |
722 |
+--- a/drivers/net/ethernet/korina.c |
723 |
++++ b/drivers/net/ethernet/korina.c |
724 |
+@@ -905,10 +905,10 @@ static void korina_restart_task(struct work_struct *work) |
725 |
+ DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR, |
726 |
+ &lp->rx_dma_regs->dmasm); |
727 |
+ |
728 |
+- korina_free_ring(dev); |
729 |
+- |
730 |
+ napi_disable(&lp->napi); |
731 |
+ |
732 |
++ korina_free_ring(dev); |
733 |
++ |
734 |
+ if (korina_init(dev) < 0) { |
735 |
+ printk(KERN_ERR "%s: cannot restart device\n", dev->name); |
736 |
+ return; |
737 |
+@@ -1069,12 +1069,12 @@ static int korina_close(struct net_device *dev) |
738 |
+ tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR; |
739 |
+ writel(tmp, &lp->rx_dma_regs->dmasm); |
740 |
+ |
741 |
+- korina_free_ring(dev); |
742 |
+- |
743 |
+ napi_disable(&lp->napi); |
744 |
+ |
745 |
+ cancel_work_sync(&lp->restart_task); |
746 |
+ |
747 |
++ korina_free_ring(dev); |
748 |
++ |
749 |
+ free_irq(lp->rx_irq, dev); |
750 |
+ free_irq(lp->tx_irq, dev); |
751 |
+ free_irq(lp->ovr_irq, dev); |
752 |
+diff --git a/drivers/net/ethernet/mellanox/mlx4/icm.c b/drivers/net/ethernet/mellanox/mlx4/icm.c |
753 |
+index 31d02649be41..d22482b49744 100644 |
754 |
+--- a/drivers/net/ethernet/mellanox/mlx4/icm.c |
755 |
++++ b/drivers/net/ethernet/mellanox/mlx4/icm.c |
756 |
+@@ -113,8 +113,13 @@ static int mlx4_alloc_icm_coherent(struct device *dev, struct scatterlist *mem, |
757 |
+ if (!buf) |
758 |
+ return -ENOMEM; |
759 |
+ |
760 |
++ if (offset_in_page(buf)) { |
761 |
++ dma_free_coherent(dev, PAGE_SIZE << order, |
762 |
++ buf, sg_dma_address(mem)); |
763 |
++ return -ENOMEM; |
764 |
++ } |
765 |
++ |
766 |
+ sg_set_buf(mem, buf, PAGE_SIZE << order); |
767 |
+- BUG_ON(mem->offset); |
768 |
+ sg_dma_len(mem) = PAGE_SIZE << order; |
769 |
+ return 0; |
770 |
+ } |
771 |
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c |
772 |
+index 3fb2643d05b4..8c58001aff1d 100644 |
773 |
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c |
774 |
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c |
775 |
+@@ -511,8 +511,6 @@ static int mlx4_slave_cap(struct mlx4_dev *dev) |
776 |
+ return -ENOSYS; |
777 |
+ } |
778 |
+ |
779 |
+- mlx4_log_num_mgm_entry_size = hca_param.log_mc_entry_sz; |
780 |
+- |
781 |
+ dev->caps.hca_core_clock = hca_param.hca_core_clock; |
782 |
+ |
783 |
+ memset(&dev_cap, 0, sizeof(dev_cap)); |
784 |
+diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |
785 |
+index 10093f0c4c0f..00a80587b47d 100644 |
786 |
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |
787 |
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |
788 |
+@@ -724,7 +724,7 @@ static void ql_build_coredump_seg_header( |
789 |
+ seg_hdr->cookie = MPI_COREDUMP_COOKIE; |
790 |
+ seg_hdr->segNum = seg_number; |
791 |
+ seg_hdr->segSize = seg_size; |
792 |
+- memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1); |
793 |
++ strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1); |
794 |
+ } |
795 |
+ |
796 |
+ /* |
797 |
+diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c |
798 |
+index b7268b3dae77..5f5f84ad0697 100644 |
799 |
+--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c |
800 |
++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c |
801 |
+@@ -398,7 +398,7 @@ static int xemaclite_send_data(struct net_local *drvdata, u8 *data, |
802 |
+ * |
803 |
+ * Return: Total number of bytes received |
804 |
+ */ |
805 |
+-static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data) |
806 |
++static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data, int maxlen) |
807 |
+ { |
808 |
+ void __iomem *addr; |
809 |
+ u16 length, proto_type; |
810 |
+@@ -438,7 +438,7 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data) |
811 |
+ |
812 |
+ /* Check if received ethernet frame is a raw ethernet frame |
813 |
+ * or an IP packet or an ARP packet */ |
814 |
+- if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) { |
815 |
++ if (proto_type > ETH_DATA_LEN) { |
816 |
+ |
817 |
+ if (proto_type == ETH_P_IP) { |
818 |
+ length = ((ntohl(in_be32(addr + |
819 |
+@@ -446,6 +446,7 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data) |
820 |
+ XEL_RXBUFF_OFFSET)) >> |
821 |
+ XEL_HEADER_SHIFT) & |
822 |
+ XEL_RPLR_LENGTH_MASK); |
823 |
++ length = min_t(u16, length, ETH_DATA_LEN); |
824 |
+ length += ETH_HLEN + ETH_FCS_LEN; |
825 |
+ |
826 |
+ } else if (proto_type == ETH_P_ARP) |
827 |
+@@ -458,6 +459,9 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data) |
828 |
+ /* Use the length in the frame, plus the header and trailer */ |
829 |
+ length = proto_type + ETH_HLEN + ETH_FCS_LEN; |
830 |
+ |
831 |
++ if (WARN_ON(length > maxlen)) |
832 |
++ length = maxlen; |
833 |
++ |
834 |
+ /* Read from the EmacLite device */ |
835 |
+ xemaclite_aligned_read((u32 __force *) (addr + XEL_RXBUFF_OFFSET), |
836 |
+ data, length); |
837 |
+@@ -632,7 +636,7 @@ static void xemaclite_rx_handler(struct net_device *dev) |
838 |
+ |
839 |
+ skb_reserve(skb, 2); |
840 |
+ |
841 |
+- len = xemaclite_recv_data(lp, (u8 *) skb->data); |
842 |
++ len = xemaclite_recv_data(lp, (u8 *) skb->data, len); |
843 |
+ |
844 |
+ if (!len) { |
845 |
+ dev->stats.rx_errors++; |
846 |
+diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c |
847 |
+index 202fe1ff1987..b23f36a5b0dd 100644 |
848 |
+--- a/drivers/net/phy/marvell.c |
849 |
++++ b/drivers/net/phy/marvell.c |
850 |
+@@ -656,8 +656,6 @@ static int marvell_read_status(struct phy_device *phydev) |
851 |
+ if (adv < 0) |
852 |
+ return adv; |
853 |
+ |
854 |
+- lpa &= adv; |
855 |
+- |
856 |
+ if (status & MII_M1011_PHY_STATUS_FULLDUPLEX) |
857 |
+ phydev->duplex = DUPLEX_FULL; |
858 |
+ else |
859 |
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c |
860 |
+index 5225d4321e7c..0a3ad7ba2bea 100644 |
861 |
+--- a/drivers/net/team/team.c |
862 |
++++ b/drivers/net/team/team.c |
863 |
+@@ -2121,8 +2121,10 @@ start_again: |
864 |
+ |
865 |
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI, |
866 |
+ TEAM_CMD_OPTIONS_GET); |
867 |
+- if (!hdr) |
868 |
++ if (!hdr) { |
869 |
++ nlmsg_free(skb); |
870 |
+ return -EMSGSIZE; |
871 |
++ } |
872 |
+ |
873 |
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex)) |
874 |
+ goto nla_put_failure; |
875 |
+@@ -2389,8 +2391,10 @@ start_again: |
876 |
+ |
877 |
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI, |
878 |
+ TEAM_CMD_PORT_LIST_GET); |
879 |
+- if (!hdr) |
880 |
++ if (!hdr) { |
881 |
++ nlmsg_free(skb); |
882 |
+ return -EMSGSIZE; |
883 |
++ } |
884 |
+ |
885 |
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex)) |
886 |
+ goto nla_put_failure; |
887 |
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c |
888 |
+index 2c524305589f..8afb60925332 100644 |
889 |
+--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c |
890 |
++++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c |
891 |
+@@ -4019,6 +4019,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, |
892 |
+ cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, |
893 |
+ GFP_KERNEL); |
894 |
+ } else if (ieee80211_is_action(mgmt->frame_control)) { |
895 |
++ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { |
896 |
++ brcmf_err("invalid action frame length\n"); |
897 |
++ err = -EINVAL; |
898 |
++ goto exit; |
899 |
++ } |
900 |
+ af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); |
901 |
+ if (af_params == NULL) { |
902 |
+ brcmf_err("unable to allocate frame\n"); |
903 |
+diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c |
904 |
+index bf13e73ecabc..0f3581b7a2e4 100644 |
905 |
+--- a/drivers/s390/scsi/zfcp_dbf.c |
906 |
++++ b/drivers/s390/scsi/zfcp_dbf.c |
907 |
+@@ -556,19 +556,32 @@ void zfcp_dbf_scsi(char *tag, int level, struct scsi_cmnd *sc, |
908 |
+ |
909 |
+ if (fsf) { |
910 |
+ rec->fsf_req_id = fsf->req_id; |
911 |
++ rec->pl_len = FCP_RESP_WITH_EXT; |
912 |
+ fcp_rsp = (struct fcp_resp_with_ext *) |
913 |
+ &(fsf->qtcb->bottom.io.fcp_rsp); |
914 |
++ /* mandatory parts of FCP_RSP IU in this SCSI record */ |
915 |
+ memcpy(&rec->fcp_rsp, fcp_rsp, FCP_RESP_WITH_EXT); |
916 |
+ if (fcp_rsp->resp.fr_flags & FCP_RSP_LEN_VAL) { |
917 |
+ fcp_rsp_info = (struct fcp_resp_rsp_info *) &fcp_rsp[1]; |
918 |
+ rec->fcp_rsp_info = fcp_rsp_info->rsp_code; |
919 |
++ rec->pl_len += be32_to_cpu(fcp_rsp->ext.fr_rsp_len); |
920 |
+ } |
921 |
+ if (fcp_rsp->resp.fr_flags & FCP_SNS_LEN_VAL) { |
922 |
+- rec->pl_len = min((u16)SCSI_SENSE_BUFFERSIZE, |
923 |
+- (u16)ZFCP_DBF_PAY_MAX_REC); |
924 |
+- zfcp_dbf_pl_write(dbf, sc->sense_buffer, rec->pl_len, |
925 |
+- "fcp_sns", fsf->req_id); |
926 |
++ rec->pl_len += be32_to_cpu(fcp_rsp->ext.fr_sns_len); |
927 |
+ } |
928 |
++ /* complete FCP_RSP IU in associated PAYload record |
929 |
++ * but only if there are optional parts |
930 |
++ */ |
931 |
++ if (fcp_rsp->resp.fr_flags != 0) |
932 |
++ zfcp_dbf_pl_write( |
933 |
++ dbf, fcp_rsp, |
934 |
++ /* at least one full PAY record |
935 |
++ * but not beyond hardware response field |
936 |
++ */ |
937 |
++ min_t(u16, max_t(u16, rec->pl_len, |
938 |
++ ZFCP_DBF_PAY_MAX_REC), |
939 |
++ FSF_FCP_RSP_SIZE), |
940 |
++ "fcp_riu", fsf->req_id); |
941 |
+ } |
942 |
+ |
943 |
+ debug_event(dbf->scsi, level, rec, sizeof(*rec)); |
944 |
+diff --git a/drivers/s390/scsi/zfcp_dbf.h b/drivers/s390/scsi/zfcp_dbf.h |
945 |
+index a8165f142550..712a8484a7b3 100644 |
946 |
+--- a/drivers/s390/scsi/zfcp_dbf.h |
947 |
++++ b/drivers/s390/scsi/zfcp_dbf.h |
948 |
+@@ -323,7 +323,11 @@ void zfcp_dbf_hba_fsf_response(struct zfcp_fsf_req *req) |
949 |
+ { |
950 |
+ struct fsf_qtcb *qtcb = req->qtcb; |
951 |
+ |
952 |
+- if ((qtcb->prefix.prot_status != FSF_PROT_GOOD) && |
953 |
++ if (unlikely(req->status & (ZFCP_STATUS_FSFREQ_DISMISSED | |
954 |
++ ZFCP_STATUS_FSFREQ_ERROR))) { |
955 |
++ zfcp_dbf_hba_fsf_resp("fs_rerr", 3, req); |
956 |
++ |
957 |
++ } else if ((qtcb->prefix.prot_status != FSF_PROT_GOOD) && |
958 |
+ (qtcb->prefix.prot_status != FSF_PROT_FSF_STATUS_PRESENTED)) { |
959 |
+ zfcp_dbf_hba_fsf_resp("fs_perr", 1, req); |
960 |
+ |
961 |
+diff --git a/drivers/s390/scsi/zfcp_fc.h b/drivers/s390/scsi/zfcp_fc.h |
962 |
+index b1d2024ed513..c2e40e10b293 100644 |
963 |
+--- a/drivers/s390/scsi/zfcp_fc.h |
964 |
++++ b/drivers/s390/scsi/zfcp_fc.h |
965 |
+@@ -4,7 +4,7 @@ |
966 |
+ * Fibre Channel related definitions and inline functions for the zfcp |
967 |
+ * device driver |
968 |
+ * |
969 |
+- * Copyright IBM Corp. 2009 |
970 |
++ * Copyright IBM Corp. 2009, 2017 |
971 |
+ */ |
972 |
+ |
973 |
+ #ifndef ZFCP_FC_H |
974 |
+@@ -291,6 +291,10 @@ void zfcp_fc_eval_fcp_rsp(struct fcp_resp_with_ext *fcp_rsp, |
975 |
+ !(rsp_flags & FCP_SNS_LEN_VAL) && |
976 |
+ fcp_rsp->resp.fr_status == SAM_STAT_GOOD) |
977 |
+ set_host_byte(scsi, DID_ERROR); |
978 |
++ } else if (unlikely(rsp_flags & FCP_RESID_OVER)) { |
979 |
++ /* FCP_DL was not sufficient for SCSI data length */ |
980 |
++ if (fcp_rsp->resp.fr_status == SAM_STAT_GOOD) |
981 |
++ set_host_byte(scsi, DID_ERROR); |
982 |
+ } |
983 |
+ } |
984 |
+ |
985 |
+diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c |
986 |
+index ad5718401eab..d27b49194d68 100644 |
987 |
+--- a/drivers/s390/scsi/zfcp_fsf.c |
988 |
++++ b/drivers/s390/scsi/zfcp_fsf.c |
989 |
+@@ -2286,7 +2286,8 @@ int zfcp_fsf_fcp_cmnd(struct scsi_cmnd *scsi_cmnd) |
990 |
+ fcp_cmnd = (struct fcp_cmnd *) &req->qtcb->bottom.io.fcp_cmnd; |
991 |
+ zfcp_fc_scsi_to_fcp(fcp_cmnd, scsi_cmnd, 0); |
992 |
+ |
993 |
+- if (scsi_prot_sg_count(scsi_cmnd)) { |
994 |
++ if ((scsi_get_prot_op(scsi_cmnd) != SCSI_PROT_NORMAL) && |
995 |
++ scsi_prot_sg_count(scsi_cmnd)) { |
996 |
+ zfcp_qdio_set_data_div(qdio, &req->qdio_req, |
997 |
+ scsi_prot_sg_count(scsi_cmnd)); |
998 |
+ retval = zfcp_qdio_sbals_from_sg(qdio, &req->qdio_req, |
999 |
+diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c |
1000 |
+index 66c37e77ac7c..8ec101a4a5eb 100644 |
1001 |
+--- a/drivers/s390/scsi/zfcp_scsi.c |
1002 |
++++ b/drivers/s390/scsi/zfcp_scsi.c |
1003 |
+@@ -294,8 +294,10 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags) |
1004 |
+ |
1005 |
+ zfcp_erp_wait(adapter); |
1006 |
+ ret = fc_block_scsi_eh(scpnt); |
1007 |
+- if (ret) |
1008 |
++ if (ret) { |
1009 |
++ zfcp_dbf_scsi_devreset("fiof", scpnt, tm_flags); |
1010 |
+ return ret; |
1011 |
++ } |
1012 |
+ |
1013 |
+ if (!(atomic_read(&adapter->status) & |
1014 |
+ ZFCP_STATUS_COMMON_RUNNING)) { |
1015 |
+@@ -303,8 +305,10 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags) |
1016 |
+ return SUCCESS; |
1017 |
+ } |
1018 |
+ } |
1019 |
+- if (!fsf_req) |
1020 |
++ if (!fsf_req) { |
1021 |
++ zfcp_dbf_scsi_devreset("reqf", scpnt, tm_flags); |
1022 |
+ return FAILED; |
1023 |
++ } |
1024 |
+ |
1025 |
+ wait_for_completion(&fsf_req->completion); |
1026 |
+ |
1027 |
+diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c |
1028 |
+index e1c8be06de9d..f94fcda1285d 100644 |
1029 |
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c |
1030 |
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c |
1031 |
+@@ -464,7 +464,7 @@ static int clariion_prep_fn(struct scsi_device *sdev, struct request *req) |
1032 |
+ static int clariion_std_inquiry(struct scsi_device *sdev, |
1033 |
+ struct clariion_dh_data *csdev) |
1034 |
+ { |
1035 |
+- int err; |
1036 |
++ int err = SCSI_DH_OK; |
1037 |
+ char *sp_model; |
1038 |
+ |
1039 |
+ err = send_inquiry_cmd(sdev, 0, csdev); |
1040 |
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c |
1041 |
+index bf60c631abb5..3b0f02c146d5 100644 |
1042 |
+--- a/drivers/scsi/qla2xxx/qla_attr.c |
1043 |
++++ b/drivers/scsi/qla2xxx/qla_attr.c |
1044 |
+@@ -299,6 +299,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, |
1045 |
+ return -EINVAL; |
1046 |
+ if (start > ha->optrom_size) |
1047 |
+ return -EINVAL; |
1048 |
++ if (size > ha->optrom_size - start) |
1049 |
++ size = ha->optrom_size - start; |
1050 |
+ |
1051 |
+ switch (val) { |
1052 |
+ case 0: |
1053 |
+@@ -320,8 +322,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, |
1054 |
+ return -EINVAL; |
1055 |
+ |
1056 |
+ ha->optrom_region_start = start; |
1057 |
+- ha->optrom_region_size = start + size > ha->optrom_size ? |
1058 |
+- ha->optrom_size - start : size; |
1059 |
++ ha->optrom_region_size = start + size; |
1060 |
+ |
1061 |
+ ha->optrom_state = QLA_SREADING; |
1062 |
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size); |
1063 |
+@@ -388,8 +389,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, |
1064 |
+ } |
1065 |
+ |
1066 |
+ ha->optrom_region_start = start; |
1067 |
+- ha->optrom_region_size = start + size > ha->optrom_size ? |
1068 |
+- ha->optrom_size - start : size; |
1069 |
++ ha->optrom_region_size = start + size; |
1070 |
+ |
1071 |
+ ha->optrom_state = QLA_SWRITING; |
1072 |
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size); |
1073 |
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c |
1074 |
+index 40fe8a77236a..c11b82e70956 100644 |
1075 |
+--- a/drivers/scsi/qla2xxx/qla_os.c |
1076 |
++++ b/drivers/scsi/qla2xxx/qla_os.c |
1077 |
+@@ -2342,10 +2342,10 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) |
1078 |
+ |
1079 |
+ if (mem_only) { |
1080 |
+ if (pci_enable_device_mem(pdev)) |
1081 |
+- goto probe_out; |
1082 |
++ return ret; |
1083 |
+ } else { |
1084 |
+ if (pci_enable_device(pdev)) |
1085 |
+- goto probe_out; |
1086 |
++ return ret; |
1087 |
+ } |
1088 |
+ |
1089 |
+ /* This may fail but that's ok */ |
1090 |
+@@ -2355,7 +2355,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) |
1091 |
+ if (!ha) { |
1092 |
+ ql_log_pci(ql_log_fatal, pdev, 0x0009, |
1093 |
+ "Unable to allocate memory for ha.\n"); |
1094 |
+- goto probe_out; |
1095 |
++ goto disable_device; |
1096 |
+ } |
1097 |
+ ql_dbg_pci(ql_dbg_init, pdev, 0x000a, |
1098 |
+ "Memory allocated for ha=%p.\n", ha); |
1099 |
+@@ -2899,7 +2899,7 @@ iospace_config_failed: |
1100 |
+ kfree(ha); |
1101 |
+ ha = NULL; |
1102 |
+ |
1103 |
+-probe_out: |
1104 |
++disable_device: |
1105 |
+ pci_disable_device(pdev); |
1106 |
+ return ret; |
1107 |
+ } |
1108 |
+diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c |
1109 |
+index 0ae406a47507..2aba2f75fb87 100644 |
1110 |
+--- a/drivers/staging/comedi/comedi_fops.c |
1111 |
++++ b/drivers/staging/comedi/comedi_fops.c |
1112 |
+@@ -2557,15 +2557,13 @@ static int __init comedi_init(void) |
1113 |
+ |
1114 |
+ comedi_class->dev_attrs = comedi_dev_attrs; |
1115 |
+ |
1116 |
+- /* XXX requires /proc interface */ |
1117 |
+- comedi_proc_init(); |
1118 |
+- |
1119 |
+ /* create devices files for legacy/manual use */ |
1120 |
+ for (i = 0; i < comedi_num_legacy_minors; i++) { |
1121 |
+ struct comedi_device *dev; |
1122 |
+ dev = comedi_alloc_board_minor(NULL); |
1123 |
+ if (IS_ERR(dev)) { |
1124 |
+ comedi_cleanup_board_minors(); |
1125 |
++ class_destroy(comedi_class); |
1126 |
+ cdev_del(&comedi_cdev); |
1127 |
+ unregister_chrdev_region(MKDEV(COMEDI_MAJOR, 0), |
1128 |
+ COMEDI_NUM_MINORS); |
1129 |
+@@ -2576,6 +2574,9 @@ static int __init comedi_init(void) |
1130 |
+ } |
1131 |
+ } |
1132 |
+ |
1133 |
++ /* XXX requires /proc interface */ |
1134 |
++ comedi_proc_init(); |
1135 |
++ |
1136 |
+ return 0; |
1137 |
+ } |
1138 |
+ module_init(comedi_init); |
1139 |
+diff --git a/drivers/staging/iio/resolver/ad2s1210.c b/drivers/staging/iio/resolver/ad2s1210.c |
1140 |
+index 0d3356d4b7d2..3c0b16fe172b 100644 |
1141 |
+--- a/drivers/staging/iio/resolver/ad2s1210.c |
1142 |
++++ b/drivers/staging/iio/resolver/ad2s1210.c |
1143 |
+@@ -477,7 +477,7 @@ static int ad2s1210_read_raw(struct iio_dev *indio_dev, |
1144 |
+ long m) |
1145 |
+ { |
1146 |
+ struct ad2s1210_state *st = iio_priv(indio_dev); |
1147 |
+- bool negative; |
1148 |
++ u16 negative; |
1149 |
+ int ret = 0; |
1150 |
+ u16 pos; |
1151 |
+ s16 vel; |
1152 |
+diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c |
1153 |
+index 04c775cb3e65..179f7810d398 100644 |
1154 |
+--- a/drivers/target/target_core_fabric_configfs.c |
1155 |
++++ b/drivers/target/target_core_fabric_configfs.c |
1156 |
+@@ -84,6 +84,11 @@ static int target_fabric_mappedlun_link( |
1157 |
+ "_tpg does not exist\n"); |
1158 |
+ return -EINVAL; |
1159 |
+ } |
1160 |
++ if (lun->lun_shutdown) { |
1161 |
++ pr_err("Unable to create mappedlun symlink because" |
1162 |
++ " lun->lun_shutdown=true\n"); |
1163 |
++ return -EINVAL; |
1164 |
++ } |
1165 |
+ se_tpg = lun->lun_sep->sep_tpg; |
1166 |
+ |
1167 |
+ nacl_ci = &lun_acl_ci->ci_parent->ci_group->cg_item; |
1168 |
+diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c |
1169 |
+index 8572207e3d4d..bc3092f032b0 100644 |
1170 |
+--- a/drivers/target/target_core_tpg.c |
1171 |
++++ b/drivers/target/target_core_tpg.c |
1172 |
+@@ -839,6 +839,8 @@ static void core_tpg_shutdown_lun( |
1173 |
+ struct se_portal_group *tpg, |
1174 |
+ struct se_lun *lun) |
1175 |
+ { |
1176 |
++ lun->lun_shutdown = true; |
1177 |
++ |
1178 |
+ core_clear_lun_from_tpg(lun, tpg); |
1179 |
+ transport_clear_lun_from_sessions(lun); |
1180 |
+ } |
1181 |
+@@ -868,6 +870,7 @@ struct se_lun *core_tpg_pre_dellun( |
1182 |
+ spin_unlock(&tpg->tpg_lun_lock); |
1183 |
+ return ERR_PTR(-ENODEV); |
1184 |
+ } |
1185 |
++ lun->lun_shutdown = false; |
1186 |
+ spin_unlock(&tpg->tpg_lun_lock); |
1187 |
+ |
1188 |
+ return lun; |
1189 |
+diff --git a/drivers/tty/serial/efm32-uart.c b/drivers/tty/serial/efm32-uart.c |
1190 |
+index 7d199c8e1a75..c9635f1c7108 100644 |
1191 |
+--- a/drivers/tty/serial/efm32-uart.c |
1192 |
++++ b/drivers/tty/serial/efm32-uart.c |
1193 |
+@@ -27,6 +27,7 @@ |
1194 |
+ #define UARTn_FRAME 0x04 |
1195 |
+ #define UARTn_FRAME_DATABITS__MASK 0x000f |
1196 |
+ #define UARTn_FRAME_DATABITS(n) ((n) - 3) |
1197 |
++#define UARTn_FRAME_PARITY__MASK 0x0300 |
1198 |
+ #define UARTn_FRAME_PARITY_NONE 0x0000 |
1199 |
+ #define UARTn_FRAME_PARITY_EVEN 0x0200 |
1200 |
+ #define UARTn_FRAME_PARITY_ODD 0x0300 |
1201 |
+@@ -578,12 +579,16 @@ static void efm32_uart_console_get_options(struct efm32_uart_port *efm_port, |
1202 |
+ 16 * (4 + (clkdiv >> 6))); |
1203 |
+ |
1204 |
+ frame = efm32_uart_read32(efm_port, UARTn_FRAME); |
1205 |
+- if (frame & UARTn_FRAME_PARITY_ODD) |
1206 |
++ switch (frame & UARTn_FRAME_PARITY__MASK) { |
1207 |
++ case UARTn_FRAME_PARITY_ODD: |
1208 |
+ *parity = 'o'; |
1209 |
+- else if (frame & UARTn_FRAME_PARITY_EVEN) |
1210 |
++ break; |
1211 |
++ case UARTn_FRAME_PARITY_EVEN: |
1212 |
+ *parity = 'e'; |
1213 |
+- else |
1214 |
++ break; |
1215 |
++ default: |
1216 |
+ *parity = 'n'; |
1217 |
++ } |
1218 |
+ |
1219 |
+ *bits = (frame & UARTn_FRAME_DATABITS__MASK) - |
1220 |
+ UARTn_FRAME_DATABITS(4) + 4; |
1221 |
+diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c |
1222 |
+index 8b1534c424af..be3dc751dfbb 100644 |
1223 |
+--- a/drivers/tty/serial/ifx6x60.c |
1224 |
++++ b/drivers/tty/serial/ifx6x60.c |
1225 |
+@@ -1379,9 +1379,9 @@ static struct spi_driver ifx_spi_driver = { |
1226 |
+ static void __exit ifx_spi_exit(void) |
1227 |
+ { |
1228 |
+ /* unregister */ |
1229 |
++ spi_unregister_driver((void *)&ifx_spi_driver); |
1230 |
+ tty_unregister_driver(tty_drv); |
1231 |
+ put_tty_driver(tty_drv); |
1232 |
+- spi_unregister_driver((void *)&ifx_spi_driver); |
1233 |
+ unregister_reboot_notifier(&ifx_modem_reboot_notifier_block); |
1234 |
+ } |
1235 |
+ |
1236 |
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c |
1237 |
+index 010ec70d59fb..3390a39f5a78 100644 |
1238 |
+--- a/drivers/tty/vt/vt.c |
1239 |
++++ b/drivers/tty/vt/vt.c |
1240 |
+@@ -2601,13 +2601,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) |
1241 |
+ * related to the kernel should not use this. |
1242 |
+ */ |
1243 |
+ data = vt_get_shift_state(); |
1244 |
+- ret = __put_user(data, p); |
1245 |
++ ret = put_user(data, p); |
1246 |
+ break; |
1247 |
+ case TIOCL_GETMOUSEREPORTING: |
1248 |
+ console_lock(); /* May be overkill */ |
1249 |
+ data = mouse_reporting(); |
1250 |
+ console_unlock(); |
1251 |
+- ret = __put_user(data, p); |
1252 |
++ ret = put_user(data, p); |
1253 |
+ break; |
1254 |
+ case TIOCL_SETVESABLANK: |
1255 |
+ console_lock(); |
1256 |
+@@ -2616,7 +2616,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) |
1257 |
+ break; |
1258 |
+ case TIOCL_GETKMSGREDIRECT: |
1259 |
+ data = vt_get_kmsg_redirect(); |
1260 |
+- ret = __put_user(data, p); |
1261 |
++ ret = put_user(data, p); |
1262 |
+ break; |
1263 |
+ case TIOCL_SETKMSGREDIRECT: |
1264 |
+ if (!capable(CAP_SYS_ADMIN)) { |
1265 |
+diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c |
1266 |
+index 36a7063a6cba..5a38ca87f406 100644 |
1267 |
+--- a/drivers/usb/chipidea/debug.c |
1268 |
++++ b/drivers/usb/chipidea/debug.c |
1269 |
+@@ -203,7 +203,8 @@ static int ci_role_show(struct seq_file *s, void *data) |
1270 |
+ { |
1271 |
+ struct ci13xxx *ci = s->private; |
1272 |
+ |
1273 |
+- seq_printf(s, "%s\n", ci_role(ci)->name); |
1274 |
++ if (ci->role != CI_ROLE_END) |
1275 |
++ seq_printf(s, "%s\n", ci_role(ci)->name); |
1276 |
+ |
1277 |
+ return 0; |
1278 |
+ } |
1279 |
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c |
1280 |
+index a9142a46ae82..2cbb26c20082 100644 |
1281 |
+--- a/drivers/usb/gadget/composite.c |
1282 |
++++ b/drivers/usb/gadget/composite.c |
1283 |
+@@ -1522,6 +1522,8 @@ static DEVICE_ATTR(suspended, 0444, composite_show_suspended, NULL); |
1284 |
+ static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver) |
1285 |
+ { |
1286 |
+ struct usb_composite_dev *cdev = get_gadget_data(gadget); |
1287 |
++ struct usb_gadget_strings *gstr = cdev->driver->strings[0]; |
1288 |
++ struct usb_string *dev_str = gstr->strings; |
1289 |
+ |
1290 |
+ /* composite_disconnect() must already have been called |
1291 |
+ * by the underlying peripheral controller driver! |
1292 |
+@@ -1541,6 +1543,9 @@ static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver) |
1293 |
+ |
1294 |
+ composite_dev_cleanup(cdev); |
1295 |
+ |
1296 |
++ if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer) |
1297 |
++ dev_str[USB_GADGET_MANUFACTURER_IDX].s = ""; |
1298 |
++ |
1299 |
+ kfree(cdev->def_manufacturer); |
1300 |
+ kfree(cdev); |
1301 |
+ set_gadget_data(gadget, NULL); |
1302 |
+diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c |
1303 |
+index 6656dfda5665..0fa139081b16 100644 |
1304 |
+--- a/drivers/usb/host/r8a66597-hcd.c |
1305 |
++++ b/drivers/usb/host/r8a66597-hcd.c |
1306 |
+@@ -1270,7 +1270,7 @@ static void set_td_timer(struct r8a66597 *r8a66597, struct r8a66597_td *td) |
1307 |
+ time = 30; |
1308 |
+ break; |
1309 |
+ default: |
1310 |
+- time = 300; |
1311 |
++ time = 50; |
1312 |
+ break; |
1313 |
+ } |
1314 |
+ |
1315 |
+@@ -1786,6 +1786,7 @@ static void r8a66597_td_timer(unsigned long _r8a66597) |
1316 |
+ pipe = td->pipe; |
1317 |
+ pipe_stop(r8a66597, pipe); |
1318 |
+ |
1319 |
++ /* Select a different address or endpoint */ |
1320 |
+ new_td = td; |
1321 |
+ do { |
1322 |
+ list_move_tail(&new_td->queue, |
1323 |
+@@ -1795,7 +1796,8 @@ static void r8a66597_td_timer(unsigned long _r8a66597) |
1324 |
+ new_td = td; |
1325 |
+ break; |
1326 |
+ } |
1327 |
+- } while (td != new_td && td->address == new_td->address); |
1328 |
++ } while (td != new_td && td->address == new_td->address && |
1329 |
++ td->pipe->info.epnum == new_td->pipe->info.epnum); |
1330 |
+ |
1331 |
+ start_transfer(r8a66597, new_td); |
1332 |
+ |
1333 |
+diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c |
1334 |
+index cfd205036aba..a4b027342589 100644 |
1335 |
+--- a/drivers/usb/renesas_usbhs/common.c |
1336 |
++++ b/drivers/usb/renesas_usbhs/common.c |
1337 |
+@@ -600,8 +600,10 @@ static int usbhsc_resume(struct device *dev) |
1338 |
+ struct usbhs_priv *priv = dev_get_drvdata(dev); |
1339 |
+ struct platform_device *pdev = usbhs_priv_to_pdev(priv); |
1340 |
+ |
1341 |
+- if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL)) |
1342 |
++ if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL)) { |
1343 |
+ usbhsc_power_ctrl(priv, 1); |
1344 |
++ usbhs_mod_autonomy_mode(priv); |
1345 |
++ } |
1346 |
+ |
1347 |
+ usbhs_platform_call(priv, phy_reset, pdev); |
1348 |
+ |
1349 |
+diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c |
1350 |
+index 157a9f9afc2d..0c962ff5eed2 100644 |
1351 |
+--- a/drivers/usb/renesas_usbhs/fifo.c |
1352 |
++++ b/drivers/usb/renesas_usbhs/fifo.c |
1353 |
+@@ -261,11 +261,26 @@ static void usbhsf_fifo_clear(struct usbhs_pipe *pipe, |
1354 |
+ struct usbhs_fifo *fifo) |
1355 |
+ { |
1356 |
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); |
1357 |
++ int ret = 0; |
1358 |
+ |
1359 |
+- if (!usbhs_pipe_is_dcp(pipe)) |
1360 |
+- usbhsf_fifo_barrier(priv, fifo); |
1361 |
++ if (!usbhs_pipe_is_dcp(pipe)) { |
1362 |
++ /* |
1363 |
++ * This driver checks the pipe condition first to avoid -EBUSY |
1364 |
++ * from usbhsf_fifo_barrier() with about 10 msec delay in |
1365 |
++ * the interrupt handler if the pipe is RX direction and empty. |
1366 |
++ */ |
1367 |
++ if (usbhs_pipe_is_dir_in(pipe)) |
1368 |
++ ret = usbhs_pipe_is_accessible(pipe); |
1369 |
++ if (!ret) |
1370 |
++ ret = usbhsf_fifo_barrier(priv, fifo); |
1371 |
++ } |
1372 |
+ |
1373 |
+- usbhs_write(priv, fifo->ctr, BCLR); |
1374 |
++ /* |
1375 |
++ * if non-DCP pipe, this driver should set BCLR when |
1376 |
++ * usbhsf_fifo_barrier() returns 0. |
1377 |
++ */ |
1378 |
++ if (!ret) |
1379 |
++ usbhs_write(priv, fifo->ctr, BCLR); |
1380 |
+ } |
1381 |
+ |
1382 |
+ static int usbhsf_fifo_rcv_len(struct usbhs_priv *priv, |
1383 |
+@@ -545,6 +560,7 @@ static int usbhsf_pio_try_push(struct usbhs_pkt *pkt, int *is_done) |
1384 |
+ usbhsf_send_terminator(pipe, fifo); |
1385 |
+ |
1386 |
+ usbhsf_tx_irq_ctrl(pipe, !*is_done); |
1387 |
++ usbhs_pipe_running(pipe, !*is_done); |
1388 |
+ usbhs_pipe_enable(pipe); |
1389 |
+ |
1390 |
+ dev_dbg(dev, " send %d (%d/ %d/ %d/ %d)\n", |
1391 |
+@@ -571,12 +587,21 @@ usbhs_fifo_write_busy: |
1392 |
+ * retry in interrupt |
1393 |
+ */ |
1394 |
+ usbhsf_tx_irq_ctrl(pipe, 1); |
1395 |
++ usbhs_pipe_running(pipe, 1); |
1396 |
+ |
1397 |
+ return ret; |
1398 |
+ } |
1399 |
+ |
1400 |
++static int usbhsf_pio_prepare_push(struct usbhs_pkt *pkt, int *is_done) |
1401 |
++{ |
1402 |
++ if (usbhs_pipe_is_running(pkt->pipe)) |
1403 |
++ return 0; |
1404 |
++ |
1405 |
++ return usbhsf_pio_try_push(pkt, is_done); |
1406 |
++} |
1407 |
++ |
1408 |
+ struct usbhs_pkt_handle usbhs_fifo_pio_push_handler = { |
1409 |
+- .prepare = usbhsf_pio_try_push, |
1410 |
++ .prepare = usbhsf_pio_prepare_push, |
1411 |
+ .try_run = usbhsf_pio_try_push, |
1412 |
+ }; |
1413 |
+ |
1414 |
+@@ -590,6 +615,9 @@ static int usbhsf_prepare_pop(struct usbhs_pkt *pkt, int *is_done) |
1415 |
+ if (usbhs_pipe_is_busy(pipe)) |
1416 |
+ return 0; |
1417 |
+ |
1418 |
++ if (usbhs_pipe_is_running(pipe)) |
1419 |
++ return 0; |
1420 |
++ |
1421 |
+ /* |
1422 |
+ * pipe enable to prepare packet receive |
1423 |
+ */ |
1424 |
+@@ -598,6 +626,7 @@ static int usbhsf_prepare_pop(struct usbhs_pkt *pkt, int *is_done) |
1425 |
+ |
1426 |
+ usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->length); |
1427 |
+ usbhs_pipe_enable(pipe); |
1428 |
++ usbhs_pipe_running(pipe, 1); |
1429 |
+ usbhsf_rx_irq_ctrl(pipe, 1); |
1430 |
+ |
1431 |
+ return 0; |
1432 |
+@@ -643,6 +672,7 @@ static int usbhsf_pio_try_pop(struct usbhs_pkt *pkt, int *is_done) |
1433 |
+ (total_len < maxp)) { /* short packet */ |
1434 |
+ *is_done = 1; |
1435 |
+ usbhsf_rx_irq_ctrl(pipe, 0); |
1436 |
++ usbhs_pipe_running(pipe, 0); |
1437 |
+ usbhs_pipe_disable(pipe); /* disable pipe first */ |
1438 |
+ } |
1439 |
+ |
1440 |
+@@ -798,10 +828,11 @@ static void xfer_work(struct work_struct *work) |
1441 |
+ dev_dbg(dev, " %s %d (%d/ %d)\n", |
1442 |
+ fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero); |
1443 |
+ |
1444 |
++ usbhs_pipe_running(pipe, 1); |
1445 |
+ usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans); |
1446 |
+- usbhs_pipe_enable(pipe); |
1447 |
+- usbhsf_dma_start(pipe, fifo); |
1448 |
+ dma_async_issue_pending(chan); |
1449 |
++ usbhsf_dma_start(pipe, fifo); |
1450 |
++ usbhs_pipe_enable(pipe); |
1451 |
+ } |
1452 |
+ |
1453 |
+ /* |
1454 |
+@@ -829,6 +860,10 @@ static int usbhsf_dma_prepare_push(struct usbhs_pkt *pkt, int *is_done) |
1455 |
+ if ((uintptr_t)(pkt->buf + pkt->actual) & 0x7) /* 8byte alignment */ |
1456 |
+ goto usbhsf_pio_prepare_push; |
1457 |
+ |
1458 |
++ /* return at this time if the pipe is running */ |
1459 |
++ if (usbhs_pipe_is_running(pipe)) |
1460 |
++ return 0; |
1461 |
++ |
1462 |
+ /* get enable DMA fifo */ |
1463 |
+ fifo = usbhsf_get_dma_fifo(priv, pkt); |
1464 |
+ if (!fifo) |
1465 |
+@@ -866,6 +901,7 @@ static int usbhsf_dma_push_done(struct usbhs_pkt *pkt, int *is_done) |
1466 |
+ pkt->actual = pkt->trans; |
1467 |
+ |
1468 |
+ *is_done = !pkt->zero; /* send zero packet ? */ |
1469 |
++ usbhs_pipe_running(pipe, !*is_done); |
1470 |
+ |
1471 |
+ usbhsf_dma_stop(pipe, pipe->fifo); |
1472 |
+ usbhsf_dma_unmap(pkt); |
1473 |
+@@ -966,8 +1002,10 @@ static int usbhsf_dma_pop_done(struct usbhs_pkt *pkt, int *is_done) |
1474 |
+ if ((pkt->actual == pkt->length) || /* receive all data */ |
1475 |
+ (pkt->trans < maxp)) { /* short packet */ |
1476 |
+ *is_done = 1; |
1477 |
++ usbhs_pipe_running(pipe, 0); |
1478 |
+ } else { |
1479 |
+ /* re-enable */ |
1480 |
++ usbhs_pipe_running(pipe, 0); |
1481 |
+ usbhsf_prepare_pop(pkt, is_done); |
1482 |
+ } |
1483 |
+ |
1484 |
+diff --git a/drivers/usb/renesas_usbhs/pipe.c b/drivers/usb/renesas_usbhs/pipe.c |
1485 |
+index 7926e1c700f1..85e30e1d5e82 100644 |
1486 |
+--- a/drivers/usb/renesas_usbhs/pipe.c |
1487 |
++++ b/drivers/usb/renesas_usbhs/pipe.c |
1488 |
+@@ -578,6 +578,19 @@ int usbhs_pipe_is_dir_host(struct usbhs_pipe *pipe) |
1489 |
+ return usbhsp_flags_has(pipe, IS_DIR_HOST); |
1490 |
+ } |
1491 |
+ |
1492 |
++int usbhs_pipe_is_running(struct usbhs_pipe *pipe) |
1493 |
++{ |
1494 |
++ return usbhsp_flags_has(pipe, IS_RUNNING); |
1495 |
++} |
1496 |
++ |
1497 |
++void usbhs_pipe_running(struct usbhs_pipe *pipe, int running) |
1498 |
++{ |
1499 |
++ if (running) |
1500 |
++ usbhsp_flags_set(pipe, IS_RUNNING); |
1501 |
++ else |
1502 |
++ usbhsp_flags_clr(pipe, IS_RUNNING); |
1503 |
++} |
1504 |
++ |
1505 |
+ void usbhs_pipe_data_sequence(struct usbhs_pipe *pipe, int sequence) |
1506 |
+ { |
1507 |
+ u16 mask = (SQCLR | SQSET); |
1508 |
+diff --git a/drivers/usb/renesas_usbhs/pipe.h b/drivers/usb/renesas_usbhs/pipe.h |
1509 |
+index b476fde955bf..b18a794922d3 100644 |
1510 |
+--- a/drivers/usb/renesas_usbhs/pipe.h |
1511 |
++++ b/drivers/usb/renesas_usbhs/pipe.h |
1512 |
+@@ -36,6 +36,7 @@ struct usbhs_pipe { |
1513 |
+ #define USBHS_PIPE_FLAGS_IS_USED (1 << 0) |
1514 |
+ #define USBHS_PIPE_FLAGS_IS_DIR_IN (1 << 1) |
1515 |
+ #define USBHS_PIPE_FLAGS_IS_DIR_HOST (1 << 2) |
1516 |
++#define USBHS_PIPE_FLAGS_IS_RUNNING (1 << 3) |
1517 |
+ |
1518 |
+ struct usbhs_pkt_handle *handler; |
1519 |
+ |
1520 |
+@@ -79,6 +80,9 @@ int usbhs_pipe_probe(struct usbhs_priv *priv); |
1521 |
+ void usbhs_pipe_remove(struct usbhs_priv *priv); |
1522 |
+ int usbhs_pipe_is_dir_in(struct usbhs_pipe *pipe); |
1523 |
+ int usbhs_pipe_is_dir_host(struct usbhs_pipe *pipe); |
1524 |
++int usbhs_pipe_is_running(struct usbhs_pipe *pipe); |
1525 |
++void usbhs_pipe_running(struct usbhs_pipe *pipe, int running); |
1526 |
++ |
1527 |
+ void usbhs_pipe_init(struct usbhs_priv *priv, |
1528 |
+ int (*dma_map_ctrl)(struct usbhs_pkt *pkt, int map)); |
1529 |
+ int usbhs_pipe_get_maxpacket(struct usbhs_pipe *pipe); |
1530 |
+diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c |
1531 |
+index 5f3bcd31e204..f3bbe210119d 100644 |
1532 |
+--- a/drivers/usb/serial/console.c |
1533 |
++++ b/drivers/usb/serial/console.c |
1534 |
+@@ -188,6 +188,7 @@ static int usb_console_setup(struct console *co, char *options) |
1535 |
+ kfree(tty); |
1536 |
+ reset_open_count: |
1537 |
+ port->port.count = 0; |
1538 |
++ info->port = NULL; |
1539 |
+ usb_autopm_put_interface(serial->interface); |
1540 |
+ error_get_interface: |
1541 |
+ usb_serial_put(serial); |
1542 |
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c |
1543 |
+index 296cc1b49446..7831e6865f16 100644 |
1544 |
+--- a/fs/btrfs/ioctl.c |
1545 |
++++ b/fs/btrfs/ioctl.c |
1546 |
+@@ -2974,6 +2974,10 @@ static long btrfs_ioctl_default_subvol(struct file *file, void __user *argp) |
1547 |
+ ret = PTR_ERR(new_root); |
1548 |
+ goto out; |
1549 |
+ } |
1550 |
++ if (!is_fstree(new_root->objectid)) { |
1551 |
++ ret = -ENOENT; |
1552 |
++ goto out; |
1553 |
++ } |
1554 |
+ |
1555 |
+ if (btrfs_root_refs(&new_root->root_item) == 0) { |
1556 |
+ ret = -ENOENT; |
1557 |
+diff --git a/fs/direct-io.c b/fs/direct-io.c |
1558 |
+index 7ab90f5081ee..4007749a478e 100644 |
1559 |
+--- a/fs/direct-io.c |
1560 |
++++ b/fs/direct-io.c |
1561 |
+@@ -759,7 +759,8 @@ out: |
1562 |
+ */ |
1563 |
+ if (sdio->boundary) { |
1564 |
+ ret = dio_send_cur_page(dio, sdio, map_bh); |
1565 |
+- dio_bio_submit(dio, sdio); |
1566 |
++ if (sdio->bio) |
1567 |
++ dio_bio_submit(dio, sdio); |
1568 |
+ page_cache_release(sdio->cur_page); |
1569 |
+ sdio->cur_page = NULL; |
1570 |
+ } |
1571 |
+@@ -933,6 +934,7 @@ do_holes: |
1572 |
+ i_size_aligned >> blkbits) { |
1573 |
+ /* We hit eof */ |
1574 |
+ page_cache_release(page); |
1575 |
++ dio_cleanup(dio, sdio); |
1576 |
+ goto out; |
1577 |
+ } |
1578 |
+ zero_user(page, block_in_page << blkbits, |
1579 |
+diff --git a/fs/exec.c b/fs/exec.c |
1580 |
+index c945a555eb25..e3abc8e3d58f 100644 |
1581 |
+--- a/fs/exec.c |
1582 |
++++ b/fs/exec.c |
1583 |
+@@ -196,8 +196,26 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
1584 |
+ |
1585 |
+ if (write) { |
1586 |
+ unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; |
1587 |
++ unsigned long ptr_size; |
1588 |
+ struct rlimit *rlim; |
1589 |
+ |
1590 |
++ /* |
1591 |
++ * Since the stack will hold pointers to the strings, we |
1592 |
++ * must account for them as well. |
1593 |
++ * |
1594 |
++ * The size calculation is the entire vma while each arg page is |
1595 |
++ * built, so each time we get here it's calculating how far it |
1596 |
++ * is currently (rather than each call being just the newly |
1597 |
++ * added size from the arg page). As a result, we need to |
1598 |
++ * always add the entire size of the pointers, so that on the |
1599 |
++ * last call to get_arg_page() we'll actually have the entire |
1600 |
++ * correct size. |
1601 |
++ */ |
1602 |
++ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); |
1603 |
++ if (ptr_size > ULONG_MAX - size) |
1604 |
++ goto fail; |
1605 |
++ size += ptr_size; |
1606 |
++ |
1607 |
+ acct_arg_size(bprm, size / PAGE_SIZE); |
1608 |
+ |
1609 |
+ /* |
1610 |
+@@ -215,13 +233,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
1611 |
+ * to work from. |
1612 |
+ */ |
1613 |
+ rlim = current->signal->rlim; |
1614 |
+- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { |
1615 |
+- put_page(page); |
1616 |
+- return NULL; |
1617 |
+- } |
1618 |
++ if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) |
1619 |
++ goto fail; |
1620 |
+ } |
1621 |
+ |
1622 |
+ return page; |
1623 |
++ |
1624 |
++fail: |
1625 |
++ put_page(page); |
1626 |
++ return NULL; |
1627 |
+ } |
1628 |
+ |
1629 |
+ static void put_arg_page(struct page *page) |
1630 |
+diff --git a/fs/ext4/file.c b/fs/ext4/file.c |
1631 |
+index ec9770f42538..ed2badabebf0 100644 |
1632 |
+--- a/fs/ext4/file.c |
1633 |
++++ b/fs/ext4/file.c |
1634 |
+@@ -325,47 +325,27 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, |
1635 |
+ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE); |
1636 |
+ nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, |
1637 |
+ (pgoff_t)num); |
1638 |
+- if (nr_pages == 0) { |
1639 |
+- if (whence == SEEK_DATA) |
1640 |
+- break; |
1641 |
+- |
1642 |
+- BUG_ON(whence != SEEK_HOLE); |
1643 |
+- /* |
1644 |
+- * If this is the first time to go into the loop and |
1645 |
+- * offset is not beyond the end offset, it will be a |
1646 |
+- * hole at this offset |
1647 |
+- */ |
1648 |
+- if (lastoff == startoff || lastoff < endoff) |
1649 |
+- found = 1; |
1650 |
++ if (nr_pages == 0) |
1651 |
+ break; |
1652 |
+- } |
1653 |
+- |
1654 |
+- /* |
1655 |
+- * If this is the first time to go into the loop and |
1656 |
+- * offset is smaller than the first page offset, it will be a |
1657 |
+- * hole at this offset. |
1658 |
+- */ |
1659 |
+- if (lastoff == startoff && whence == SEEK_HOLE && |
1660 |
+- lastoff < page_offset(pvec.pages[0])) { |
1661 |
+- found = 1; |
1662 |
+- break; |
1663 |
+- } |
1664 |
+ |
1665 |
+ for (i = 0; i < nr_pages; i++) { |
1666 |
+ struct page *page = pvec.pages[i]; |
1667 |
+ struct buffer_head *bh, *head; |
1668 |
+ |
1669 |
+ /* |
1670 |
+- * If the current offset is not beyond the end of given |
1671 |
+- * range, it will be a hole. |
1672 |
++ * If current offset is smaller than the page offset, |
1673 |
++ * there is a hole at this offset. |
1674 |
+ */ |
1675 |
+- if (lastoff < endoff && whence == SEEK_HOLE && |
1676 |
+- page->index > end) { |
1677 |
++ if (whence == SEEK_HOLE && lastoff < endoff && |
1678 |
++ lastoff < page_offset(pvec.pages[i])) { |
1679 |
+ found = 1; |
1680 |
+ *offset = lastoff; |
1681 |
+ goto out; |
1682 |
+ } |
1683 |
+ |
1684 |
++ if (page->index > end) |
1685 |
++ goto out; |
1686 |
++ |
1687 |
+ lock_page(page); |
1688 |
+ |
1689 |
+ if (unlikely(page->mapping != inode->i_mapping)) { |
1690 |
+@@ -382,6 +362,8 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, |
1691 |
+ lastoff = page_offset(page); |
1692 |
+ bh = head = page_buffers(page); |
1693 |
+ do { |
1694 |
++ if (lastoff + bh->b_size <= startoff) |
1695 |
++ goto next; |
1696 |
+ if (buffer_uptodate(bh) || |
1697 |
+ buffer_unwritten(bh)) { |
1698 |
+ if (whence == SEEK_DATA) |
1699 |
+@@ -396,6 +378,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, |
1700 |
+ unlock_page(page); |
1701 |
+ goto out; |
1702 |
+ } |
1703 |
++next: |
1704 |
+ lastoff += bh->b_size; |
1705 |
+ bh = bh->b_this_page; |
1706 |
+ } while (bh != head); |
1707 |
+@@ -405,20 +388,18 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, |
1708 |
+ unlock_page(page); |
1709 |
+ } |
1710 |
+ |
1711 |
+- /* |
1712 |
+- * The no. of pages is less than our desired, that would be a |
1713 |
+- * hole in there. |
1714 |
+- */ |
1715 |
+- if (nr_pages < num && whence == SEEK_HOLE) { |
1716 |
+- found = 1; |
1717 |
+- *offset = lastoff; |
1718 |
++ /* The no. of pages is less than our desired, we are done. */ |
1719 |
++ if (nr_pages < num) |
1720 |
+ break; |
1721 |
+- } |
1722 |
+ |
1723 |
+ index = pvec.pages[i - 1]->index + 1; |
1724 |
+ pagevec_release(&pvec); |
1725 |
+ } while (index <= end); |
1726 |
+ |
1727 |
++ if (whence == SEEK_HOLE && lastoff < endoff) { |
1728 |
++ found = 1; |
1729 |
++ *offset = lastoff; |
1730 |
++ } |
1731 |
+ out: |
1732 |
+ pagevec_release(&pvec); |
1733 |
+ return found; |
1734 |
+@@ -440,7 +421,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) |
1735 |
+ mutex_lock(&inode->i_mutex); |
1736 |
+ |
1737 |
+ isize = i_size_read(inode); |
1738 |
+- if (offset >= isize) { |
1739 |
++ if (offset < 0 || offset >= isize) { |
1740 |
+ mutex_unlock(&inode->i_mutex); |
1741 |
+ return -ENXIO; |
1742 |
+ } |
1743 |
+@@ -523,7 +504,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) |
1744 |
+ mutex_lock(&inode->i_mutex); |
1745 |
+ |
1746 |
+ isize = i_size_read(inode); |
1747 |
+- if (offset >= isize) { |
1748 |
++ if (offset < 0 || offset >= isize) { |
1749 |
+ mutex_unlock(&inode->i_mutex); |
1750 |
+ return -ENXIO; |
1751 |
+ } |
1752 |
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c |
1753 |
+index 1095d77c2a9d..26054c19e6cd 100644 |
1754 |
+--- a/fs/ext4/inode.c |
1755 |
++++ b/fs/ext4/inode.c |
1756 |
+@@ -5045,8 +5045,9 @@ static int ext4_expand_extra_isize(struct inode *inode, |
1757 |
+ /* No extended attributes present */ |
1758 |
+ if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR) || |
1759 |
+ header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)) { |
1760 |
+- memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE, 0, |
1761 |
+- new_extra_isize); |
1762 |
++ memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE + |
1763 |
++ EXT4_I(inode)->i_extra_isize, 0, |
1764 |
++ new_extra_isize - EXT4_I(inode)->i_extra_isize); |
1765 |
+ EXT4_I(inode)->i_extra_isize = new_extra_isize; |
1766 |
+ return 0; |
1767 |
+ } |
1768 |
+@@ -5097,8 +5098,6 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) |
1769 |
+ sbi->s_want_extra_isize, |
1770 |
+ iloc, handle); |
1771 |
+ if (ret) { |
1772 |
+- ext4_set_inode_state(inode, |
1773 |
+- EXT4_STATE_NO_EXPAND); |
1774 |
+ if (mnt_count != |
1775 |
+ le16_to_cpu(sbi->s_es->s_mnt_count)) { |
1776 |
+ ext4_warning(inode->i_sb, |
1777 |
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c |
1778 |
+index cf0a70486618..f6190fdfd8ce 100644 |
1779 |
+--- a/fs/ext4/resize.c |
1780 |
++++ b/fs/ext4/resize.c |
1781 |
+@@ -1911,7 +1911,8 @@ retry: |
1782 |
+ n_desc_blocks = o_desc_blocks + |
1783 |
+ le16_to_cpu(es->s_reserved_gdt_blocks); |
1784 |
+ n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb); |
1785 |
+- n_blocks_count = n_group * EXT4_BLOCKS_PER_GROUP(sb); |
1786 |
++ n_blocks_count = (ext4_fsblk_t)n_group * |
1787 |
++ EXT4_BLOCKS_PER_GROUP(sb); |
1788 |
+ n_group--; /* set to last group number */ |
1789 |
+ } |
1790 |
+ |
1791 |
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c |
1792 |
+index 92850bab4513..dde00d1e2994 100644 |
1793 |
+--- a/fs/ext4/xattr.c |
1794 |
++++ b/fs/ext4/xattr.c |
1795 |
+@@ -1266,11 +1266,13 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, |
1796 |
+ int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize); |
1797 |
+ |
1798 |
+ down_write(&EXT4_I(inode)->xattr_sem); |
1799 |
++ /* |
1800 |
++ * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty |
1801 |
++ */ |
1802 |
++ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND); |
1803 |
+ retry: |
1804 |
+- if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) { |
1805 |
+- up_write(&EXT4_I(inode)->xattr_sem); |
1806 |
+- return 0; |
1807 |
+- } |
1808 |
++ if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) |
1809 |
++ goto out; |
1810 |
+ |
1811 |
+ header = IHDR(inode, raw_inode); |
1812 |
+ entry = IFIRST(header); |
1813 |
+@@ -1295,8 +1297,7 @@ retry: |
1814 |
+ (void *)header, total_ino, |
1815 |
+ inode->i_sb->s_blocksize); |
1816 |
+ EXT4_I(inode)->i_extra_isize = new_extra_isize; |
1817 |
+- error = 0; |
1818 |
+- goto cleanup; |
1819 |
++ goto out; |
1820 |
+ } |
1821 |
+ |
1822 |
+ /* |
1823 |
+@@ -1457,6 +1458,8 @@ retry: |
1824 |
+ kfree(bs); |
1825 |
+ } |
1826 |
+ brelse(bh); |
1827 |
++out: |
1828 |
++ ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND); |
1829 |
+ up_write(&EXT4_I(inode)->xattr_sem); |
1830 |
+ return 0; |
1831 |
+ |
1832 |
+@@ -1468,6 +1471,10 @@ cleanup: |
1833 |
+ kfree(is); |
1834 |
+ kfree(bs); |
1835 |
+ brelse(bh); |
1836 |
++ /* |
1837 |
++ * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode |
1838 |
++ * size expansion failed. |
1839 |
++ */ |
1840 |
+ up_write(&EXT4_I(inode)->xattr_sem); |
1841 |
+ return error; |
1842 |
+ } |
1843 |
+diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c |
1844 |
+index f27c89d17885..e7cf8c5f2677 100644 |
1845 |
+--- a/fs/fscache/object-list.c |
1846 |
++++ b/fs/fscache/object-list.c |
1847 |
+@@ -338,6 +338,13 @@ static void fscache_objlist_config(struct fscache_objlist_data *data) |
1848 |
+ rcu_read_lock(); |
1849 |
+ |
1850 |
+ confkey = key->payload.data; |
1851 |
++ if (!confkey) { |
1852 |
++ /* key was revoked */ |
1853 |
++ rcu_read_unlock(); |
1854 |
++ key_put(key); |
1855 |
++ goto no_config; |
1856 |
++ } |
1857 |
++ |
1858 |
+ buf = confkey->data; |
1859 |
+ |
1860 |
+ for (len = confkey->datalen - 1; len >= 0; len--) { |
1861 |
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c |
1862 |
+index 1dce93041012..ee5c3e9a5983 100644 |
1863 |
+--- a/fs/fuse/file.c |
1864 |
++++ b/fs/fuse/file.c |
1865 |
+@@ -54,7 +54,7 @@ struct fuse_file *fuse_file_alloc(struct fuse_conn *fc) |
1866 |
+ { |
1867 |
+ struct fuse_file *ff; |
1868 |
+ |
1869 |
+- ff = kmalloc(sizeof(struct fuse_file), GFP_KERNEL); |
1870 |
++ ff = kzalloc(sizeof(struct fuse_file), GFP_KERNEL); |
1871 |
+ if (unlikely(!ff)) |
1872 |
+ return NULL; |
1873 |
+ |
1874 |
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c |
1875 |
+index 5c1120a5fa42..0ead8bed774a 100644 |
1876 |
+--- a/fs/udf/inode.c |
1877 |
++++ b/fs/udf/inode.c |
1878 |
+@@ -1237,8 +1237,8 @@ int udf_setsize(struct inode *inode, loff_t newsize) |
1879 |
+ return err; |
1880 |
+ } |
1881 |
+ set_size: |
1882 |
+- truncate_setsize(inode, newsize); |
1883 |
+ up_write(&iinfo->i_data_sem); |
1884 |
++ truncate_setsize(inode, newsize); |
1885 |
+ } else { |
1886 |
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { |
1887 |
+ down_write(&iinfo->i_data_sem); |
1888 |
+@@ -1255,9 +1255,9 @@ set_size: |
1889 |
+ udf_get_block); |
1890 |
+ if (err) |
1891 |
+ return err; |
1892 |
++ truncate_setsize(inode, newsize); |
1893 |
+ down_write(&iinfo->i_data_sem); |
1894 |
+ udf_clear_extent_cache(inode); |
1895 |
+- truncate_setsize(inode, newsize); |
1896 |
+ udf_truncate_extents(inode); |
1897 |
+ up_write(&iinfo->i_data_sem); |
1898 |
+ } |
1899 |
+diff --git a/include/linux/key.h b/include/linux/key.h |
1900 |
+index 4dfde1161c5e..66633b5f2f65 100644 |
1901 |
+--- a/include/linux/key.h |
1902 |
++++ b/include/linux/key.h |
1903 |
+@@ -162,6 +162,7 @@ struct key { |
1904 |
+ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ |
1905 |
+ #define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ |
1906 |
+ #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ |
1907 |
++#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */ |
1908 |
+ |
1909 |
+ /* the description string |
1910 |
+ * - this is used to match a key against search criteria |
1911 |
+@@ -203,6 +204,7 @@ extern struct key *key_alloc(struct key_type *type, |
1912 |
+ #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ |
1913 |
+ #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */ |
1914 |
+ #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */ |
1915 |
++#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ |
1916 |
+ |
1917 |
+ extern void key_revoke(struct key *key); |
1918 |
+ extern void key_invalidate(struct key *key); |
1919 |
+diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h |
1920 |
+index 120dd354849d..4dab847a1d75 100644 |
1921 |
+--- a/include/linux/workqueue.h |
1922 |
++++ b/include/linux/workqueue.h |
1923 |
+@@ -306,6 +306,7 @@ enum { |
1924 |
+ |
1925 |
+ __WQ_DRAINING = 1 << 16, /* internal: workqueue is draining */ |
1926 |
+ __WQ_ORDERED = 1 << 17, /* internal: workqueue is ordered */ |
1927 |
++ __WQ_ORDERED_EXPLICIT = 1 << 18, /* internal: alloc_ordered_workqueue() */ |
1928 |
+ |
1929 |
+ WQ_MAX_ACTIVE = 512, /* I like 512, better ideas? */ |
1930 |
+ WQ_MAX_UNBOUND_PER_CPU = 4, /* 4 * #cpus for unbound wq */ |
1931 |
+@@ -408,7 +409,8 @@ __alloc_workqueue_key(const char *fmt, unsigned int flags, int max_active, |
1932 |
+ * Pointer to the allocated workqueue on success, %NULL on failure. |
1933 |
+ */ |
1934 |
+ #define alloc_ordered_workqueue(fmt, flags, args...) \ |
1935 |
+- alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | (flags), 1, ##args) |
1936 |
++ alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | \ |
1937 |
++ __WQ_ORDERED_EXPLICIT | (flags), 1, ##args) |
1938 |
+ |
1939 |
+ #define create_workqueue(name) \ |
1940 |
+ alloc_workqueue((name), WQ_MEM_RECLAIM, 1) |
1941 |
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h |
1942 |
+index 413e23be60d1..1c96547c2a3f 100644 |
1943 |
+--- a/include/net/ipv6.h |
1944 |
++++ b/include/net/ipv6.h |
1945 |
+@@ -822,6 +822,7 @@ extern int inet6_hash_connect(struct inet_timewait_death_row *death_row, |
1946 |
+ */ |
1947 |
+ extern const struct proto_ops inet6_stream_ops; |
1948 |
+ extern const struct proto_ops inet6_dgram_ops; |
1949 |
++extern const struct proto_ops inet6_sockraw_ops; |
1950 |
+ |
1951 |
+ struct group_source_req; |
1952 |
+ struct group_filter; |
1953 |
+diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h |
1954 |
+index 5d5a6a4732ef..5af07a1ab0c2 100644 |
1955 |
+--- a/include/net/iw_handler.h |
1956 |
++++ b/include/net/iw_handler.h |
1957 |
+@@ -551,7 +551,8 @@ iwe_stream_add_point(struct iw_request_info *info, char *stream, char *ends, |
1958 |
+ memcpy(stream + lcp_len, |
1959 |
+ ((char *) &iwe->u) + IW_EV_POINT_OFF, |
1960 |
+ IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN); |
1961 |
+- memcpy(stream + point_len, extra, iwe->u.data.length); |
1962 |
++ if (iwe->u.data.length && extra) |
1963 |
++ memcpy(stream + point_len, extra, iwe->u.data.length); |
1964 |
+ stream += event_len; |
1965 |
+ } |
1966 |
+ return stream; |
1967 |
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h |
1968 |
+index 845ab6decc45..ee81c68f24a6 100644 |
1969 |
+--- a/include/net/sctp/sctp.h |
1970 |
++++ b/include/net/sctp/sctp.h |
1971 |
+@@ -555,6 +555,8 @@ _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) |
1972 |
+ |
1973 |
+ #define _sctp_walk_params(pos, chunk, end, member)\ |
1974 |
+ for (pos.v = chunk->member;\ |
1975 |
++ (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\ |
1976 |
++ (void *)chunk + end) &&\ |
1977 |
+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ |
1978 |
+ ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ |
1979 |
+ pos.v += WORD_ROUND(ntohs(pos.p->length))) |
1980 |
+@@ -565,6 +567,8 @@ _sctp_walk_errors((err), (chunk_hdr), ntohs((chunk_hdr)->length)) |
1981 |
+ #define _sctp_walk_errors(err, chunk_hdr, end)\ |
1982 |
+ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ |
1983 |
+ sizeof(sctp_chunkhdr_t));\ |
1984 |
++ ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\ |
1985 |
++ (void *)chunk_hdr + end) &&\ |
1986 |
+ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ |
1987 |
+ ntohs(err->length) >= sizeof(sctp_errhdr_t); \ |
1988 |
+ err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) |
1989 |
+diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h |
1990 |
+index ca4693b4e09e..00c0e5bf5d3e 100644 |
1991 |
+--- a/include/net/sctp/ulpevent.h |
1992 |
++++ b/include/net/sctp/ulpevent.h |
1993 |
+@@ -143,8 +143,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event); |
1994 |
+ static inline int sctp_ulpevent_type_enabled(__u16 sn_type, |
1995 |
+ struct sctp_event_subscribe *mask) |
1996 |
+ { |
1997 |
++ int offset = sn_type - SCTP_SN_TYPE_BASE; |
1998 |
+ char *amask = (char *) mask; |
1999 |
+- return amask[sn_type - SCTP_SN_TYPE_BASE]; |
2000 |
++ |
2001 |
++ if (offset >= sizeof(struct sctp_event_subscribe)) |
2002 |
++ return 0; |
2003 |
++ return amask[offset]; |
2004 |
+ } |
2005 |
+ |
2006 |
+ /* Given an event subscription, is this event enabled? */ |
2007 |
+diff --git a/include/net/tcp.h b/include/net/tcp.h |
2008 |
+index 79cd118d5994..c4db9acefa9c 100644 |
2009 |
+--- a/include/net/tcp.h |
2010 |
++++ b/include/net/tcp.h |
2011 |
+@@ -1592,4 +1592,14 @@ struct tcp_request_sock_ops { |
2012 |
+ extern void tcp_v4_init(void); |
2013 |
+ extern void tcp_init(void); |
2014 |
+ |
2015 |
++/* At how many jiffies into the future should the RTO fire? */ |
2016 |
++static inline s32 tcp_rto_delta(const struct sock *sk) |
2017 |
++{ |
2018 |
++ const struct sk_buff *skb = tcp_write_queue_head(sk); |
2019 |
++ const u32 rto = inet_csk(sk)->icsk_rto; |
2020 |
++ const u32 rto_time_stamp = TCP_SKB_CB(skb)->when + rto; |
2021 |
++ |
2022 |
++ return (s32)(rto_time_stamp - tcp_time_stamp); |
2023 |
++} |
2024 |
++ |
2025 |
+ #endif /* _TCP_H */ |
2026 |
+diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h |
2027 |
+index 7d99c0b5b789..8e271438f77c 100644 |
2028 |
+--- a/include/target/target_core_base.h |
2029 |
++++ b/include/target/target_core_base.h |
2030 |
+@@ -729,6 +729,7 @@ struct se_port_stat_grps { |
2031 |
+ struct se_lun { |
2032 |
+ #define SE_LUN_LINK_MAGIC 0xffff7771 |
2033 |
+ u32 lun_link_magic; |
2034 |
++ bool lun_shutdown; |
2035 |
+ /* See transport_lun_status_table */ |
2036 |
+ enum transport_lun_status_table lun_status; |
2037 |
+ u32 lun_access; |
2038 |
+diff --git a/kernel/extable.c b/kernel/extable.c |
2039 |
+index 67460b93b1a1..5ec4b6f861d1 100644 |
2040 |
+--- a/kernel/extable.c |
2041 |
++++ b/kernel/extable.c |
2042 |
+@@ -66,7 +66,7 @@ static inline int init_kernel_text(unsigned long addr) |
2043 |
+ return 0; |
2044 |
+ } |
2045 |
+ |
2046 |
+-int core_kernel_text(unsigned long addr) |
2047 |
++int notrace core_kernel_text(unsigned long addr) |
2048 |
+ { |
2049 |
+ if (addr >= (unsigned long)_stext && |
2050 |
+ addr <= (unsigned long)_etext) |
2051 |
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c |
2052 |
+index edffb6781c0e..359fbd32dc9e 100644 |
2053 |
+--- a/kernel/trace/trace.c |
2054 |
++++ b/kernel/trace/trace.c |
2055 |
+@@ -3061,11 +3061,17 @@ static int tracing_open(struct inode *inode, struct file *file) |
2056 |
+ /* If this file was open for write, then erase contents */ |
2057 |
+ if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) { |
2058 |
+ int cpu = tracing_get_cpu(inode); |
2059 |
++ struct trace_buffer *trace_buf = &tr->trace_buffer; |
2060 |
++ |
2061 |
++#ifdef CONFIG_TRACER_MAX_TRACE |
2062 |
++ if (tr->current_trace->print_max) |
2063 |
++ trace_buf = &tr->max_buffer; |
2064 |
++#endif |
2065 |
+ |
2066 |
+ if (cpu == RING_BUFFER_ALL_CPUS) |
2067 |
+- tracing_reset_online_cpus(&tr->trace_buffer); |
2068 |
++ tracing_reset_online_cpus(trace_buf); |
2069 |
+ else |
2070 |
+- tracing_reset(&tr->trace_buffer, cpu); |
2071 |
++ tracing_reset(trace_buf, cpu); |
2072 |
+ } |
2073 |
+ |
2074 |
+ if (file->f_mode & FMODE_READ) { |
2075 |
+@@ -4654,7 +4660,7 @@ static ssize_t tracing_clock_write(struct file *filp, const char __user *ubuf, |
2076 |
+ tracing_reset_online_cpus(&tr->trace_buffer); |
2077 |
+ |
2078 |
+ #ifdef CONFIG_TRACER_MAX_TRACE |
2079 |
+- if (tr->flags & TRACE_ARRAY_FL_GLOBAL && tr->max_buffer.buffer) |
2080 |
++ if (tr->max_buffer.buffer) |
2081 |
+ ring_buffer_set_clock(tr->max_buffer.buffer, trace_clocks[i].func); |
2082 |
+ tracing_reset_online_cpus(&tr->max_buffer); |
2083 |
+ #endif |
2084 |
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c |
2085 |
+index 66972ac0c6c0..f55fbfa7feda 100644 |
2086 |
+--- a/kernel/workqueue.c |
2087 |
++++ b/kernel/workqueue.c |
2088 |
+@@ -3399,7 +3399,7 @@ int workqueue_sysfs_register(struct workqueue_struct *wq) |
2089 |
+ * attributes breaks ordering guarantee. Disallow exposing ordered |
2090 |
+ * workqueues. |
2091 |
+ */ |
2092 |
+- if (WARN_ON(wq->flags & __WQ_ORDERED)) |
2093 |
++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) |
2094 |
+ return -EINVAL; |
2095 |
+ |
2096 |
+ wq->wq_dev = wq_dev = kzalloc(sizeof(*wq_dev), GFP_KERNEL); |
2097 |
+@@ -3964,8 +3964,12 @@ int apply_workqueue_attrs(struct workqueue_struct *wq, |
2098 |
+ return -EINVAL; |
2099 |
+ |
2100 |
+ /* creating multiple pwqs breaks ordering guarantee */ |
2101 |
+- if (WARN_ON((wq->flags & __WQ_ORDERED) && !list_empty(&wq->pwqs))) |
2102 |
+- return -EINVAL; |
2103 |
++ if (!list_empty(&wq->pwqs)) { |
2104 |
++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) |
2105 |
++ return -EINVAL; |
2106 |
++ |
2107 |
++ wq->flags &= ~__WQ_ORDERED; |
2108 |
++ } |
2109 |
+ |
2110 |
+ pwq_tbl = kzalloc(wq_numa_tbl_len * sizeof(pwq_tbl[0]), GFP_KERNEL); |
2111 |
+ new_attrs = alloc_workqueue_attrs(GFP_KERNEL); |
2112 |
+@@ -4213,6 +4217,16 @@ struct workqueue_struct *__alloc_workqueue_key(const char *fmt, |
2113 |
+ struct workqueue_struct *wq; |
2114 |
+ struct pool_workqueue *pwq; |
2115 |
+ |
2116 |
++ /* |
2117 |
++ * Unbound && max_active == 1 used to imply ordered, which is no |
2118 |
++ * longer the case on NUMA machines due to per-node pools. While |
2119 |
++ * alloc_ordered_workqueue() is the right way to create an ordered |
2120 |
++ * workqueue, keep the previous behavior to avoid subtle breakages |
2121 |
++ * on NUMA. |
2122 |
++ */ |
2123 |
++ if ((flags & WQ_UNBOUND) && max_active == 1) |
2124 |
++ flags |= __WQ_ORDERED; |
2125 |
++ |
2126 |
+ /* allocate wq and format name */ |
2127 |
+ if (flags & WQ_UNBOUND) |
2128 |
+ tbl_size = wq_numa_tbl_len * sizeof(wq->numa_pwq_tbl[0]); |
2129 |
+@@ -4401,13 +4415,14 @@ void workqueue_set_max_active(struct workqueue_struct *wq, int max_active) |
2130 |
+ struct pool_workqueue *pwq; |
2131 |
+ |
2132 |
+ /* disallow meddling with max_active for ordered workqueues */ |
2133 |
+- if (WARN_ON(wq->flags & __WQ_ORDERED)) |
2134 |
++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) |
2135 |
+ return; |
2136 |
+ |
2137 |
+ max_active = wq_clamp_max_active(max_active, wq->flags, wq->name); |
2138 |
+ |
2139 |
+ mutex_lock(&wq->mutex); |
2140 |
+ |
2141 |
++ wq->flags &= ~__WQ_ORDERED; |
2142 |
+ wq->saved_max_active = max_active; |
2143 |
+ |
2144 |
+ for_each_pwq(pwq, wq) |
2145 |
+diff --git a/lib/cmdline.c b/lib/cmdline.c |
2146 |
+index eb6791188cf5..efc35fbce780 100644 |
2147 |
+--- a/lib/cmdline.c |
2148 |
++++ b/lib/cmdline.c |
2149 |
+@@ -22,14 +22,14 @@ |
2150 |
+ * the values[M, M+1, ..., N] into the ints array in get_options. |
2151 |
+ */ |
2152 |
+ |
2153 |
+-static int get_range(char **str, int *pint) |
2154 |
++static int get_range(char **str, int *pint, int n) |
2155 |
+ { |
2156 |
+ int x, inc_counter, upper_range; |
2157 |
+ |
2158 |
+ (*str)++; |
2159 |
+ upper_range = simple_strtol((*str), NULL, 0); |
2160 |
+ inc_counter = upper_range - *pint; |
2161 |
+- for (x = *pint; x < upper_range; x++) |
2162 |
++ for (x = *pint; n && x < upper_range; x++, n--) |
2163 |
+ *pint++ = x; |
2164 |
+ return inc_counter; |
2165 |
+ } |
2166 |
+@@ -95,7 +95,7 @@ char *get_options(const char *str, int nints, int *ints) |
2167 |
+ break; |
2168 |
+ if (res == 3) { |
2169 |
+ int range_nums; |
2170 |
+- range_nums = get_range((char **)&str, ints + i); |
2171 |
++ range_nums = get_range((char **)&str, ints + i, nints - i); |
2172 |
+ if (range_nums < 0) |
2173 |
+ break; |
2174 |
+ /* |
2175 |
+diff --git a/lib/digsig.c b/lib/digsig.c |
2176 |
+index 2f31e6a45f0a..ae703dfc9731 100644 |
2177 |
+--- a/lib/digsig.c |
2178 |
++++ b/lib/digsig.c |
2179 |
+@@ -86,6 +86,12 @@ static int digsig_verify_rsa(struct key *key, |
2180 |
+ down_read(&key->sem); |
2181 |
+ ukp = key->payload.data; |
2182 |
+ |
2183 |
++ if (!ukp) { |
2184 |
++ /* key was revoked before we acquired its semaphore */ |
2185 |
++ err = -EKEYREVOKED; |
2186 |
++ goto err1; |
2187 |
++ } |
2188 |
++ |
2189 |
+ if (ukp->datalen < sizeof(*pkh)) |
2190 |
+ goto err1; |
2191 |
+ |
2192 |
+diff --git a/mm/mmap.c b/mm/mmap.c |
2193 |
+index 3c4e4d7ae54e..d042e254a163 100644 |
2194 |
+--- a/mm/mmap.c |
2195 |
++++ b/mm/mmap.c |
2196 |
+@@ -2132,7 +2132,7 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) |
2197 |
+ |
2198 |
+ /* Guard against exceeding limits of the address space. */ |
2199 |
+ address &= PAGE_MASK; |
2200 |
+- if (address >= TASK_SIZE) |
2201 |
++ if (address >= (TASK_SIZE & PAGE_MASK)) |
2202 |
+ return -ENOMEM; |
2203 |
+ address += PAGE_SIZE; |
2204 |
+ |
2205 |
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c |
2206 |
+index 4e8927539299..829ee76d5521 100644 |
2207 |
+--- a/mm/page_alloc.c |
2208 |
++++ b/mm/page_alloc.c |
2209 |
+@@ -5177,8 +5177,8 @@ unsigned long free_reserved_area(unsigned long start, unsigned long end, |
2210 |
+ } |
2211 |
+ |
2212 |
+ if (pages && s) |
2213 |
+- pr_info("Freeing %s memory: %ldK (%lx - %lx)\n", |
2214 |
+- s, pages << (PAGE_SHIFT - 10), start, end); |
2215 |
++ pr_info("Freeing %s memory: %ldK\n", |
2216 |
++ s, pages << (PAGE_SHIFT - 10)); |
2217 |
+ |
2218 |
+ return pages; |
2219 |
+ } |
2220 |
+diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c |
2221 |
+index 86abb2e59aea..82fdb35154fc 100644 |
2222 |
+--- a/net/8021q/vlan.c |
2223 |
++++ b/net/8021q/vlan.c |
2224 |
+@@ -274,7 +274,8 @@ static int register_vlan_device(struct net_device *real_dev, u16 vlan_id) |
2225 |
+ return 0; |
2226 |
+ |
2227 |
+ out_free_newdev: |
2228 |
+- free_netdev(new_dev); |
2229 |
++ if (new_dev->reg_state == NETREG_UNINITIALIZED) |
2230 |
++ free_netdev(new_dev); |
2231 |
+ return err; |
2232 |
+ } |
2233 |
+ |
2234 |
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c |
2235 |
+index e430b1abcd2f..e387e6719fa2 100644 |
2236 |
+--- a/net/bluetooth/bnep/core.c |
2237 |
++++ b/net/bluetooth/bnep/core.c |
2238 |
+@@ -32,6 +32,7 @@ |
2239 |
+ #include <asm/unaligned.h> |
2240 |
+ |
2241 |
+ #include <net/bluetooth/bluetooth.h> |
2242 |
++#include <net/bluetooth/l2cap.h> |
2243 |
+ #include <net/bluetooth/hci_core.h> |
2244 |
+ |
2245 |
+ #include "bnep.h" |
2246 |
+@@ -539,6 +540,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock) |
2247 |
+ |
2248 |
+ BT_DBG(""); |
2249 |
+ |
2250 |
++ if (!l2cap_is_socket(sock)) |
2251 |
++ return -EBADFD; |
2252 |
++ |
2253 |
+ baswap((void *) dst, &bt_sk(sock->sk)->dst); |
2254 |
+ baswap((void *) src, &bt_sk(sock->sk)->src); |
2255 |
+ |
2256 |
+diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c |
2257 |
+index e0a6ebf2baa6..84460f623fc8 100644 |
2258 |
+--- a/net/bluetooth/cmtp/core.c |
2259 |
++++ b/net/bluetooth/cmtp/core.c |
2260 |
+@@ -334,6 +334,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) |
2261 |
+ |
2262 |
+ BT_DBG(""); |
2263 |
+ |
2264 |
++ if (!l2cap_is_socket(sock)) |
2265 |
++ return -EBADFD; |
2266 |
++ |
2267 |
+ session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL); |
2268 |
+ if (!session) |
2269 |
+ return -ENOMEM; |
2270 |
+diff --git a/net/core/dev.c b/net/core/dev.c |
2271 |
+index 682bf5ad63a0..d69d8ec11383 100644 |
2272 |
+--- a/net/core/dev.c |
2273 |
++++ b/net/core/dev.c |
2274 |
+@@ -2342,9 +2342,10 @@ EXPORT_SYMBOL(skb_mac_gso_segment); |
2275 |
+ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path) |
2276 |
+ { |
2277 |
+ if (tx_path) |
2278 |
+- return skb->ip_summed != CHECKSUM_PARTIAL; |
2279 |
+- else |
2280 |
+- return skb->ip_summed == CHECKSUM_NONE; |
2281 |
++ return skb->ip_summed != CHECKSUM_PARTIAL && |
2282 |
++ skb->ip_summed != CHECKSUM_NONE; |
2283 |
++ |
2284 |
++ return skb->ip_summed == CHECKSUM_NONE; |
2285 |
+ } |
2286 |
+ |
2287 |
+ /** |
2288 |
+@@ -2361,11 +2362,12 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path) |
2289 |
+ struct sk_buff *__skb_gso_segment(struct sk_buff *skb, |
2290 |
+ netdev_features_t features, bool tx_path) |
2291 |
+ { |
2292 |
++ struct sk_buff *segs; |
2293 |
++ |
2294 |
+ if (unlikely(skb_needs_check(skb, tx_path))) { |
2295 |
+ int err; |
2296 |
+ |
2297 |
+- skb_warn_bad_offload(skb); |
2298 |
+- |
2299 |
++ /* We're going to init ->check field in TCP or UDP header */ |
2300 |
+ if (skb_header_cloned(skb) && |
2301 |
+ (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))) |
2302 |
+ return ERR_PTR(err); |
2303 |
+@@ -2375,7 +2377,12 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb, |
2304 |
+ skb_reset_mac_header(skb); |
2305 |
+ skb_reset_mac_len(skb); |
2306 |
+ |
2307 |
+- return skb_mac_gso_segment(skb, features); |
2308 |
++ segs = skb_mac_gso_segment(skb, features); |
2309 |
++ |
2310 |
++ if (unlikely(skb_needs_check(skb, tx_path))) |
2311 |
++ skb_warn_bad_offload(skb); |
2312 |
++ |
2313 |
++ return segs; |
2314 |
+ } |
2315 |
+ EXPORT_SYMBOL(__skb_gso_segment); |
2316 |
+ |
2317 |
+@@ -5636,7 +5643,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, |
2318 |
+ } else { |
2319 |
+ netdev_stats_to_stats64(storage, &dev->stats); |
2320 |
+ } |
2321 |
+- storage->rx_dropped += atomic_long_read(&dev->rx_dropped); |
2322 |
++ storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped); |
2323 |
+ return storage; |
2324 |
+ } |
2325 |
+ EXPORT_SYMBOL(dev_get_stats); |
2326 |
+diff --git a/net/core/sock.c b/net/core/sock.c |
2327 |
+index 96e125919324..104784ee4bbd 100644 |
2328 |
+--- a/net/core/sock.c |
2329 |
++++ b/net/core/sock.c |
2330 |
+@@ -1470,6 +1470,8 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) |
2331 |
+ |
2332 |
+ sock_copy(newsk, sk); |
2333 |
+ |
2334 |
++ newsk->sk_prot_creator = sk->sk_prot; |
2335 |
++ |
2336 |
+ /* SANITY */ |
2337 |
+ get_net(sock_net(newsk)); |
2338 |
+ sk_node_init(&newsk->sk_node); |
2339 |
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c |
2340 |
+index 975c369d4e6d..03610ebd8d0b 100644 |
2341 |
+--- a/net/ipv4/af_inet.c |
2342 |
++++ b/net/ipv4/af_inet.c |
2343 |
+@@ -1053,7 +1053,7 @@ static struct inet_protosw inetsw_array[] = |
2344 |
+ .type = SOCK_DGRAM, |
2345 |
+ .protocol = IPPROTO_ICMP, |
2346 |
+ .prot = &ping_prot, |
2347 |
+- .ops = &inet_dgram_ops, |
2348 |
++ .ops = &inet_sockraw_ops, |
2349 |
+ .no_check = UDP_CSUM_DEFAULT, |
2350 |
+ .flags = INET_PROTOSW_REUSE, |
2351 |
+ }, |
2352 |
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c |
2353 |
+index 017b4792cd44..bcd0a05d6002 100644 |
2354 |
+--- a/net/ipv4/fib_frontend.c |
2355 |
++++ b/net/ipv4/fib_frontend.c |
2356 |
+@@ -1170,13 +1170,14 @@ static struct pernet_operations fib_net_ops = { |
2357 |
+ |
2358 |
+ void __init ip_fib_init(void) |
2359 |
+ { |
2360 |
+- rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL); |
2361 |
+- rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL); |
2362 |
+- rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL); |
2363 |
++ fib_trie_init(); |
2364 |
+ |
2365 |
+ register_pernet_subsys(&fib_net_ops); |
2366 |
++ |
2367 |
+ register_netdevice_notifier(&fib_netdev_notifier); |
2368 |
+ register_inetaddr_notifier(&fib_inetaddr_notifier); |
2369 |
+ |
2370 |
+- fib_trie_init(); |
2371 |
++ rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL); |
2372 |
++ rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL); |
2373 |
++ rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL); |
2374 |
+ } |
2375 |
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c |
2376 |
+index 5f077efad29d..40faf48cb10c 100644 |
2377 |
+--- a/net/ipv4/ip_output.c |
2378 |
++++ b/net/ipv4/ip_output.c |
2379 |
+@@ -846,10 +846,12 @@ static int __ip_append_data(struct sock *sk, |
2380 |
+ csummode = CHECKSUM_PARTIAL; |
2381 |
+ |
2382 |
+ cork->length += length; |
2383 |
+- if (((length > mtu) || (skb && skb_has_frags(skb))) && |
2384 |
++ if ((skb && skb_has_frags(skb)) || |
2385 |
++ ((length > mtu) && |
2386 |
++ (skb_queue_len(queue) <= 1) && |
2387 |
+ (sk->sk_protocol == IPPROTO_UDP) && |
2388 |
+ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && |
2389 |
+- (sk->sk_type == SOCK_DGRAM)) { |
2390 |
++ (sk->sk_type == SOCK_DGRAM))) { |
2391 |
+ err = ip_ufo_append_data(sk, queue, getfrag, from, length, |
2392 |
+ hh_len, fragheaderlen, transhdrlen, |
2393 |
+ maxfraglen, flags); |
2394 |
+@@ -1160,6 +1162,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, |
2395 |
+ |
2396 |
+ cork->length += size; |
2397 |
+ if ((size + skb->len > mtu) && |
2398 |
++ (skb_queue_len(&sk->sk_write_queue) == 1) && |
2399 |
+ (sk->sk_protocol == IPPROTO_UDP) && |
2400 |
+ (rt->dst.dev->features & NETIF_F_UFO)) { |
2401 |
+ skb_shinfo(skb)->gso_size = mtu - fragheaderlen; |
2402 |
+diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c |
2403 |
+index 5f011cc89cd9..1e82bdb0f07e 100644 |
2404 |
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c |
2405 |
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c |
2406 |
+@@ -1305,6 +1305,7 @@ static int __init nf_nat_snmp_basic_init(void) |
2407 |
+ static void __exit nf_nat_snmp_basic_fini(void) |
2408 |
+ { |
2409 |
+ RCU_INIT_POINTER(nf_nat_snmp_hook, NULL); |
2410 |
++ synchronize_rcu(); |
2411 |
+ nf_conntrack_helper_unregister(&snmp_trap_helper); |
2412 |
+ } |
2413 |
+ |
2414 |
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
2415 |
+index d1e04221c275..b80b399f2377 100644 |
2416 |
+--- a/net/ipv4/tcp.c |
2417 |
++++ b/net/ipv4/tcp.c |
2418 |
+@@ -2313,9 +2313,15 @@ int tcp_disconnect(struct sock *sk, int flags) |
2419 |
+ tcp_set_ca_state(sk, TCP_CA_Open); |
2420 |
+ tcp_clear_retrans(tp); |
2421 |
+ inet_csk_delack_init(sk); |
2422 |
++ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0 |
2423 |
++ * issue in __tcp_select_window() |
2424 |
++ */ |
2425 |
++ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS; |
2426 |
+ tcp_init_send_head(sk); |
2427 |
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); |
2428 |
+ __sk_dst_reset(sk); |
2429 |
++ dst_release(sk->sk_rx_dst); |
2430 |
++ sk->sk_rx_dst = NULL; |
2431 |
+ |
2432 |
+ WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); |
2433 |
+ |
2434 |
+diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c |
2435 |
+index 019c2389a341..2ca6c080a4bc 100644 |
2436 |
+--- a/net/ipv4/tcp_cong.c |
2437 |
++++ b/net/ipv4/tcp_cong.c |
2438 |
+@@ -95,6 +95,7 @@ void tcp_init_congestion_control(struct sock *sk) |
2439 |
+ rcu_read_unlock(); |
2440 |
+ } |
2441 |
+ |
2442 |
++ tcp_sk(sk)->prior_ssthresh = 0; |
2443 |
+ if (icsk->icsk_ca_ops->init) |
2444 |
+ icsk->icsk_ca_ops->init(sk); |
2445 |
+ } |
2446 |
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
2447 |
+index 0680058fe693..85dd09be1618 100644 |
2448 |
+--- a/net/ipv4/tcp_input.c |
2449 |
++++ b/net/ipv4/tcp_input.c |
2450 |
+@@ -111,6 +111,7 @@ int sysctl_tcp_early_retrans __read_mostly = 3; |
2451 |
+ #define FLAG_ORIG_SACK_ACKED 0x200 /* Never retransmitted data are (s)acked */ |
2452 |
+ #define FLAG_SND_UNA_ADVANCED 0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */ |
2453 |
+ #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */ |
2454 |
++#define FLAG_SET_XMIT_TIMER 0x1000 /* Set TLP or RTO timer */ |
2455 |
+ #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */ |
2456 |
+ #define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */ |
2457 |
+ |
2458 |
+@@ -2553,8 +2554,8 @@ static inline void tcp_end_cwnd_reduction(struct sock *sk) |
2459 |
+ struct tcp_sock *tp = tcp_sk(sk); |
2460 |
+ |
2461 |
+ /* Reset cwnd to ssthresh in CWR or Recovery (unless it's undone) */ |
2462 |
+- if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || |
2463 |
+- (tp->undo_marker && tp->snd_ssthresh < TCP_INFINITE_SSTHRESH)) { |
2464 |
++ if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH && |
2465 |
++ (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || tp->undo_marker)) { |
2466 |
+ tp->snd_cwnd = tp->snd_ssthresh; |
2467 |
+ tp->snd_cwnd_stamp = tcp_time_stamp; |
2468 |
+ } |
2469 |
+@@ -2972,14 +2973,11 @@ void tcp_rearm_rto(struct sock *sk) |
2470 |
+ /* Offset the time elapsed after installing regular RTO */ |
2471 |
+ if (icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS || |
2472 |
+ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) { |
2473 |
+- struct sk_buff *skb = tcp_write_queue_head(sk); |
2474 |
+- const u32 rto_time_stamp = TCP_SKB_CB(skb)->when + rto; |
2475 |
+- s32 delta = (s32)(rto_time_stamp - tcp_time_stamp); |
2476 |
++ s32 delta = tcp_rto_delta(sk); |
2477 |
+ /* delta may not be positive if the socket is locked |
2478 |
+ * when the retrans timer fires and is rescheduled. |
2479 |
+ */ |
2480 |
+- if (delta > 0) |
2481 |
+- rto = delta; |
2482 |
++ rto = max_t(int, delta, 1); |
2483 |
+ } |
2484 |
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, rto, |
2485 |
+ TCP_RTO_MAX); |
2486 |
+@@ -3004,6 +3002,13 @@ void tcp_resume_early_retransmit(struct sock *sk) |
2487 |
+ tcp_xmit_retransmit_queue(sk); |
2488 |
+ } |
2489 |
+ |
2490 |
++/* Try to schedule a loss probe; if that doesn't work, then schedule an RTO. */ |
2491 |
++static void tcp_set_xmit_timer(struct sock *sk) |
2492 |
++{ |
2493 |
++ if (!tcp_schedule_loss_probe(sk)) |
2494 |
++ tcp_rearm_rto(sk); |
2495 |
++} |
2496 |
++ |
2497 |
+ /* If we get here, the whole TSO packet has not been acked. */ |
2498 |
+ static u32 tcp_tso_acked(struct sock *sk, struct sk_buff *skb) |
2499 |
+ { |
2500 |
+@@ -3134,7 +3139,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets, |
2501 |
+ } |
2502 |
+ |
2503 |
+ tcp_ack_update_rtt(sk, flag, seq_rtt); |
2504 |
+- tcp_rearm_rto(sk); |
2505 |
++ flag |= FLAG_SET_XMIT_TIMER; /* set TLP or RTO timer */ |
2506 |
+ |
2507 |
+ if (tcp_is_reno(tp)) { |
2508 |
+ tcp_remove_reno_sacks(sk, pkts_acked); |
2509 |
+@@ -3394,10 +3399,6 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) |
2510 |
+ if (after(ack, tp->snd_nxt)) |
2511 |
+ goto invalid_ack; |
2512 |
+ |
2513 |
+- if (icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS || |
2514 |
+- icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) |
2515 |
+- tcp_rearm_rto(sk); |
2516 |
+- |
2517 |
+ if (after(ack, prior_snd_una)) |
2518 |
+ flag |= FLAG_SND_UNA_ADVANCED; |
2519 |
+ |
2520 |
+@@ -3454,6 +3455,12 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) |
2521 |
+ |
2522 |
+ pkts_acked = previous_packets_out - tp->packets_out; |
2523 |
+ |
2524 |
++ if (tp->tlp_high_seq) |
2525 |
++ tcp_process_tlp_ack(sk, ack, flag); |
2526 |
++ /* If needed, reset TLP/RTO timer; RACK may later override this. */ |
2527 |
++ if (flag & FLAG_SET_XMIT_TIMER) |
2528 |
++ tcp_set_xmit_timer(sk); |
2529 |
++ |
2530 |
+ if (tcp_ack_is_dubious(sk, flag)) { |
2531 |
+ /* Advance CWND, if state allows this. */ |
2532 |
+ if ((flag & FLAG_DATA_ACKED) && tcp_may_raise_cwnd(sk, flag)) |
2533 |
+@@ -3466,17 +3473,12 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) |
2534 |
+ tcp_cong_avoid(sk, ack, prior_in_flight); |
2535 |
+ } |
2536 |
+ |
2537 |
+- if (tp->tlp_high_seq) |
2538 |
+- tcp_process_tlp_ack(sk, ack, flag); |
2539 |
+- |
2540 |
+ if ((flag & FLAG_FORWARD_PROGRESS) || !(flag & FLAG_NOT_DUP)) { |
2541 |
+ struct dst_entry *dst = __sk_dst_get(sk); |
2542 |
+ if (dst) |
2543 |
+ dst_confirm(dst); |
2544 |
+ } |
2545 |
+ |
2546 |
+- if (icsk->icsk_pending == ICSK_TIME_RETRANS) |
2547 |
+- tcp_schedule_loss_probe(sk); |
2548 |
+ if (tp->srtt != prior_rtt || tp->snd_cwnd != prior_cwnd) |
2549 |
+ tcp_update_pacing_rate(sk); |
2550 |
+ return 1; |
2551 |
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c |
2552 |
+index 8729a934124f..f5d670ccd403 100644 |
2553 |
+--- a/net/ipv4/tcp_output.c |
2554 |
++++ b/net/ipv4/tcp_output.c |
2555 |
+@@ -1945,28 +1945,16 @@ repair: |
2556 |
+ |
2557 |
+ bool tcp_schedule_loss_probe(struct sock *sk) |
2558 |
+ { |
2559 |
+- struct inet_connection_sock *icsk = inet_csk(sk); |
2560 |
+ struct tcp_sock *tp = tcp_sk(sk); |
2561 |
+- u32 timeout, tlp_time_stamp, rto_time_stamp; |
2562 |
+ u32 rtt = tp->srtt >> 3; |
2563 |
++ u32 timeout, rto_delta; |
2564 |
+ |
2565 |
+- if (WARN_ON(icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS)) |
2566 |
+- return false; |
2567 |
+- /* No consecutive loss probes. */ |
2568 |
+- if (WARN_ON(icsk->icsk_pending == ICSK_TIME_LOSS_PROBE)) { |
2569 |
+- tcp_rearm_rto(sk); |
2570 |
+- return false; |
2571 |
+- } |
2572 |
+ /* Don't do any loss probe on a Fast Open connection before 3WHS |
2573 |
+ * finishes. |
2574 |
+ */ |
2575 |
+ if (sk->sk_state == TCP_SYN_RECV) |
2576 |
+ return false; |
2577 |
+ |
2578 |
+- /* TLP is only scheduled when next timer event is RTO. */ |
2579 |
+- if (icsk->icsk_pending != ICSK_TIME_RETRANS) |
2580 |
+- return false; |
2581 |
+- |
2582 |
+ /* Schedule a loss probe in 2*RTT for SACK capable connections |
2583 |
+ * in Open state, that are either limited by cwnd or application. |
2584 |
+ */ |
2585 |
+@@ -1987,14 +1975,10 @@ bool tcp_schedule_loss_probe(struct sock *sk) |
2586 |
+ (rtt + (rtt >> 1) + TCP_DELACK_MAX)); |
2587 |
+ timeout = max_t(u32, timeout, msecs_to_jiffies(10)); |
2588 |
+ |
2589 |
+- /* If RTO is shorter, just schedule TLP in its place. */ |
2590 |
+- tlp_time_stamp = tcp_time_stamp + timeout; |
2591 |
+- rto_time_stamp = (u32)inet_csk(sk)->icsk_timeout; |
2592 |
+- if ((s32)(tlp_time_stamp - rto_time_stamp) > 0) { |
2593 |
+- s32 delta = rto_time_stamp - tcp_time_stamp; |
2594 |
+- if (delta > 0) |
2595 |
+- timeout = delta; |
2596 |
+- } |
2597 |
++ /* If the RTO formula yields an earlier time, then use that time. */ |
2598 |
++ rto_delta = tcp_rto_delta(sk); /* How far in future is RTO? */ |
2599 |
++ if (rto_delta > 0) |
2600 |
++ timeout = min_t(u32, timeout, rto_delta); |
2601 |
+ |
2602 |
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_LOSS_PROBE, timeout, |
2603 |
+ TCP_RTO_MAX); |
2604 |
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c |
2605 |
+index 68174e4d88c7..882b23e8e777 100644 |
2606 |
+--- a/net/ipv4/udp.c |
2607 |
++++ b/net/ipv4/udp.c |
2608 |
+@@ -763,7 +763,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4) |
2609 |
+ if (is_udplite) /* UDP-Lite */ |
2610 |
+ csum = udplite_csum(skb); |
2611 |
+ |
2612 |
+- else if (sk->sk_no_check == UDP_CSUM_NOXMIT) { /* UDP csum disabled */ |
2613 |
++ else if (sk->sk_no_check == UDP_CSUM_NOXMIT && !skb_has_frags(skb)) { /* UDP csum off */ |
2614 |
+ |
2615 |
+ skb->ip_summed = CHECKSUM_NONE; |
2616 |
+ goto send; |
2617 |
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c |
2618 |
+index 9c4aa2e22448..5ea5f77c0ec1 100644 |
2619 |
+--- a/net/ipv6/addrconf.c |
2620 |
++++ b/net/ipv6/addrconf.c |
2621 |
+@@ -2892,6 +2892,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event, |
2622 |
+ { |
2623 |
+ struct net_device *dev = (struct net_device *) data; |
2624 |
+ struct inet6_dev *idev = __in6_dev_get(dev); |
2625 |
++ struct net *net = dev_net(dev); |
2626 |
+ int run_pending = 0; |
2627 |
+ int err; |
2628 |
+ |
2629 |
+@@ -2988,7 +2989,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event, |
2630 |
+ * IPV6_MIN_MTU stop IPv6 on this interface. |
2631 |
+ */ |
2632 |
+ if (dev->mtu < IPV6_MIN_MTU) |
2633 |
+- addrconf_ifdown(dev, 1); |
2634 |
++ addrconf_ifdown(dev, dev != net->loopback_dev); |
2635 |
+ } |
2636 |
+ break; |
2637 |
+ |
2638 |
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c |
2639 |
+index 46458ee31939..6de0d44a9429 100644 |
2640 |
+--- a/net/ipv6/ip6_fib.c |
2641 |
++++ b/net/ipv6/ip6_fib.c |
2642 |
+@@ -167,6 +167,12 @@ static __inline__ void rt6_release(struct rt6_info *rt) |
2643 |
+ dst_free(&rt->dst); |
2644 |
+ } |
2645 |
+ |
2646 |
++static void fib6_free_table(struct fib6_table *table) |
2647 |
++{ |
2648 |
++ inetpeer_invalidate_tree(&table->tb6_peers); |
2649 |
++ kfree(table); |
2650 |
++} |
2651 |
++ |
2652 |
+ static void fib6_link_table(struct net *net, struct fib6_table *tb) |
2653 |
+ { |
2654 |
+ unsigned int h; |
2655 |
+@@ -1738,15 +1744,22 @@ out_timer: |
2656 |
+ |
2657 |
+ static void fib6_net_exit(struct net *net) |
2658 |
+ { |
2659 |
++ unsigned int i; |
2660 |
++ |
2661 |
+ rt6_ifdown(net, NULL); |
2662 |
+ del_timer_sync(&net->ipv6.ip6_fib_timer); |
2663 |
+ |
2664 |
+-#ifdef CONFIG_IPV6_MULTIPLE_TABLES |
2665 |
+- inetpeer_invalidate_tree(&net->ipv6.fib6_local_tbl->tb6_peers); |
2666 |
+- kfree(net->ipv6.fib6_local_tbl); |
2667 |
+-#endif |
2668 |
+- inetpeer_invalidate_tree(&net->ipv6.fib6_main_tbl->tb6_peers); |
2669 |
+- kfree(net->ipv6.fib6_main_tbl); |
2670 |
++ for (i = 0; i < FIB6_TABLE_HASHSZ; i++) { |
2671 |
++ struct hlist_head *head = &net->ipv6.fib_table_hash[i]; |
2672 |
++ struct hlist_node *tmp; |
2673 |
++ struct fib6_table *tb; |
2674 |
++ |
2675 |
++ hlist_for_each_entry_safe(tb, tmp, head, tb6_hlist) { |
2676 |
++ hlist_del(&tb->tb6_hlist); |
2677 |
++ fib6_free_table(tb); |
2678 |
++ } |
2679 |
++ } |
2680 |
++ |
2681 |
+ kfree(net->ipv6.fib_table_hash); |
2682 |
+ kfree(net->ipv6.rt6_stats); |
2683 |
+ } |
2684 |
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c |
2685 |
+index ae88e17f5c72..529348e6a98b 100644 |
2686 |
+--- a/net/ipv6/ip6_gre.c |
2687 |
++++ b/net/ipv6/ip6_gre.c |
2688 |
+@@ -419,7 +419,7 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, |
2689 |
+ if (code == ICMPV6_HDR_FIELD) |
2690 |
+ teli = ip6_tnl_parse_tlv_enc_lim(skb, skb->data); |
2691 |
+ |
2692 |
+- if (teli && teli == info - 2) { |
2693 |
++ if (teli && teli == be32_to_cpu(info) - 2) { |
2694 |
+ tel = (struct ipv6_tlv_tnl_enc_lim *) &skb->data[teli]; |
2695 |
+ if (tel->encap_limit == 0) { |
2696 |
+ net_warn_ratelimited("%s: Too small encapsulation limit or routing loop in tunnel!\n", |
2697 |
+@@ -431,7 +431,7 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, |
2698 |
+ } |
2699 |
+ break; |
2700 |
+ case ICMPV6_PKT_TOOBIG: |
2701 |
+- mtu = info - offset; |
2702 |
++ mtu = be32_to_cpu(info) - offset; |
2703 |
+ if (mtu < IPV6_MIN_MTU) |
2704 |
+ mtu = IPV6_MIN_MTU; |
2705 |
+ t->dev->mtu = mtu; |
2706 |
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
2707 |
+index 17a88ebcc845..3a65b9a9cb4d 100644 |
2708 |
+--- a/net/ipv6/ip6_output.c |
2709 |
++++ b/net/ipv6/ip6_output.c |
2710 |
+@@ -1288,11 +1288,12 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, |
2711 |
+ |
2712 |
+ skb = skb_peek_tail(&sk->sk_write_queue); |
2713 |
+ cork->length += length; |
2714 |
+- if (((length > mtu) || |
2715 |
+- (skb && skb_has_frags(skb))) && |
2716 |
++ if ((skb && skb_has_frags(skb)) || |
2717 |
++ (((length + fragheaderlen) > mtu) && |
2718 |
++ (skb_queue_len(&sk->sk_write_queue) <= 1) && |
2719 |
+ (sk->sk_protocol == IPPROTO_UDP) && |
2720 |
+ (rt->dst.dev->features & NETIF_F_UFO) && |
2721 |
+- (sk->sk_type == SOCK_DGRAM)) { |
2722 |
++ (sk->sk_type == SOCK_DGRAM))) { |
2723 |
+ err = ip6_ufo_append_data(sk, getfrag, from, length, |
2724 |
+ hh_len, fragheaderlen, |
2725 |
+ transhdrlen, mtu, flags, rt); |
2726 |
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c |
2727 |
+index c7ce2be09d90..a05e1f1a1a38 100644 |
2728 |
+--- a/net/ipv6/raw.c |
2729 |
++++ b/net/ipv6/raw.c |
2730 |
+@@ -1319,7 +1319,7 @@ void raw6_proc_exit(void) |
2731 |
+ #endif /* CONFIG_PROC_FS */ |
2732 |
+ |
2733 |
+ /* Same as inet6_dgram_ops, sans udp_poll. */ |
2734 |
+-static const struct proto_ops inet6_sockraw_ops = { |
2735 |
++const struct proto_ops inet6_sockraw_ops = { |
2736 |
+ .family = PF_INET6, |
2737 |
+ .owner = THIS_MODULE, |
2738 |
+ .release = inet6_release, |
2739 |
+diff --git a/net/key/af_key.c b/net/key/af_key.c |
2740 |
+index 66f51c5a8a3a..3ff567fb90ee 100644 |
2741 |
+--- a/net/key/af_key.c |
2742 |
++++ b/net/key/af_key.c |
2743 |
+@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, |
2744 |
+ goto out; |
2745 |
+ } |
2746 |
+ |
2747 |
++ err = -ENOBUFS; |
2748 |
+ key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; |
2749 |
+ if (sa->sadb_sa_auth) { |
2750 |
+ int keysize = 0; |
2751 |
+@@ -1146,8 +1147,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, |
2752 |
+ if (key) |
2753 |
+ keysize = (key->sadb_key_bits + 7) / 8; |
2754 |
+ x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL); |
2755 |
+- if (!x->aalg) |
2756 |
++ if (!x->aalg) { |
2757 |
++ err = -ENOMEM; |
2758 |
+ goto out; |
2759 |
++ } |
2760 |
+ strcpy(x->aalg->alg_name, a->name); |
2761 |
+ x->aalg->alg_key_len = 0; |
2762 |
+ if (key) { |
2763 |
+@@ -1166,8 +1169,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, |
2764 |
+ goto out; |
2765 |
+ } |
2766 |
+ x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL); |
2767 |
+- if (!x->calg) |
2768 |
++ if (!x->calg) { |
2769 |
++ err = -ENOMEM; |
2770 |
+ goto out; |
2771 |
++ } |
2772 |
+ strcpy(x->calg->alg_name, a->name); |
2773 |
+ x->props.calgo = sa->sadb_sa_encrypt; |
2774 |
+ } else { |
2775 |
+@@ -1181,8 +1186,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, |
2776 |
+ if (key) |
2777 |
+ keysize = (key->sadb_key_bits + 7) / 8; |
2778 |
+ x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL); |
2779 |
+- if (!x->ealg) |
2780 |
++ if (!x->ealg) { |
2781 |
++ err = -ENOMEM; |
2782 |
+ goto out; |
2783 |
++ } |
2784 |
+ strcpy(x->ealg->alg_name, a->name); |
2785 |
+ x->ealg->alg_key_len = 0; |
2786 |
+ if (key) { |
2787 |
+@@ -1230,8 +1237,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, |
2788 |
+ struct xfrm_encap_tmpl *natt; |
2789 |
+ |
2790 |
+ x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL); |
2791 |
+- if (!x->encap) |
2792 |
++ if (!x->encap) { |
2793 |
++ err = -ENOMEM; |
2794 |
+ goto out; |
2795 |
++ } |
2796 |
+ |
2797 |
+ natt = x->encap; |
2798 |
+ n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]; |
2799 |
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c |
2800 |
+index 1c6a71c41e62..ca66520b8942 100644 |
2801 |
+--- a/net/netfilter/ipvs/ip_vs_core.c |
2802 |
++++ b/net/netfilter/ipvs/ip_vs_core.c |
2803 |
+@@ -795,10 +795,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, |
2804 |
+ { |
2805 |
+ unsigned int verdict = NF_DROP; |
2806 |
+ |
2807 |
+- if (IP_VS_FWD_METHOD(cp) != 0) { |
2808 |
+- pr_err("shouldn't reach here, because the box is on the " |
2809 |
+- "half connection in the tun/dr module.\n"); |
2810 |
+- } |
2811 |
++ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) |
2812 |
++ goto ignore_cp; |
2813 |
+ |
2814 |
+ /* Ensure the checksum is correct */ |
2815 |
+ if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { |
2816 |
+@@ -832,6 +830,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, |
2817 |
+ ip_vs_notrack(skb); |
2818 |
+ else |
2819 |
+ ip_vs_update_conntrack(skb, cp, 0); |
2820 |
++ |
2821 |
++ignore_cp: |
2822 |
+ verdict = NF_ACCEPT; |
2823 |
+ |
2824 |
+ out: |
2825 |
+@@ -1182,8 +1182,11 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) |
2826 |
+ */ |
2827 |
+ cp = pp->conn_out_get(af, skb, &iph, 0); |
2828 |
+ |
2829 |
+- if (likely(cp)) |
2830 |
++ if (likely(cp)) { |
2831 |
++ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) |
2832 |
++ goto ignore_cp; |
2833 |
+ return handle_response(af, skb, pd, cp, &iph, hooknum); |
2834 |
++ } |
2835 |
+ if (sysctl_nat_icmp_send(net) && |
2836 |
+ (pp->protocol == IPPROTO_TCP || |
2837 |
+ pp->protocol == IPPROTO_UDP || |
2838 |
+@@ -1225,9 +1228,15 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) |
2839 |
+ } |
2840 |
+ } |
2841 |
+ } |
2842 |
++ |
2843 |
++out: |
2844 |
+ IP_VS_DBG_PKT(12, af, pp, skb, 0, |
2845 |
+ "ip_vs_out: packet continues traversal as normal"); |
2846 |
+ return NF_ACCEPT; |
2847 |
++ |
2848 |
++ignore_cp: |
2849 |
++ __ip_vs_conn_put(cp); |
2850 |
++ goto out; |
2851 |
+ } |
2852 |
+ |
2853 |
+ /* |
2854 |
+diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c |
2855 |
+index 1df176146567..c9f131fc4bf3 100644 |
2856 |
+--- a/net/netfilter/nf_conntrack_ecache.c |
2857 |
++++ b/net/netfilter/nf_conntrack_ecache.c |
2858 |
+@@ -116,6 +116,7 @@ void nf_conntrack_unregister_notifier(struct net *net, |
2859 |
+ BUG_ON(notify != new); |
2860 |
+ RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL); |
2861 |
+ mutex_unlock(&nf_ct_ecache_mutex); |
2862 |
++ /* synchronize_rcu() is called from ctnetlink_exit. */ |
2863 |
+ } |
2864 |
+ EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier); |
2865 |
+ |
2866 |
+@@ -152,6 +153,7 @@ void nf_ct_expect_unregister_notifier(struct net *net, |
2867 |
+ BUG_ON(notify != new); |
2868 |
+ RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL); |
2869 |
+ mutex_unlock(&nf_ct_ecache_mutex); |
2870 |
++ /* synchronize_rcu() is called from ctnetlink_exit. */ |
2871 |
+ } |
2872 |
+ EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); |
2873 |
+ |
2874 |
+diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c |
2875 |
+index 1a9545965c0d..531ca55f1af6 100644 |
2876 |
+--- a/net/netfilter/nf_conntrack_extend.c |
2877 |
++++ b/net/netfilter/nf_conntrack_extend.c |
2878 |
+@@ -53,7 +53,11 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, |
2879 |
+ |
2880 |
+ rcu_read_lock(); |
2881 |
+ t = rcu_dereference(nf_ct_ext_types[id]); |
2882 |
+- BUG_ON(t == NULL); |
2883 |
++ if (!t) { |
2884 |
++ rcu_read_unlock(); |
2885 |
++ return NULL; |
2886 |
++ } |
2887 |
++ |
2888 |
+ off = ALIGN(sizeof(struct nf_ct_ext), t->align); |
2889 |
+ len = off + t->len + var_alloc_len; |
2890 |
+ alloc_size = t->alloc_size + var_alloc_len; |
2891 |
+@@ -88,7 +92,10 @@ void *__nf_ct_ext_add_length(struct nf_conn *ct, enum nf_ct_ext_id id, |
2892 |
+ |
2893 |
+ rcu_read_lock(); |
2894 |
+ t = rcu_dereference(nf_ct_ext_types[id]); |
2895 |
+- BUG_ON(t == NULL); |
2896 |
++ if (!t) { |
2897 |
++ rcu_read_unlock(); |
2898 |
++ return NULL; |
2899 |
++ } |
2900 |
+ |
2901 |
+ newoff = ALIGN(old->len, t->align); |
2902 |
+ newlen = newoff + t->len + var_alloc_len; |
2903 |
+@@ -186,6 +193,6 @@ void nf_ct_extend_unregister(struct nf_ct_ext_type *type) |
2904 |
+ RCU_INIT_POINTER(nf_ct_ext_types[type->id], NULL); |
2905 |
+ update_alloc_size(type); |
2906 |
+ mutex_unlock(&nf_ct_ext_type_mutex); |
2907 |
+- rcu_barrier(); /* Wait for completion of call_rcu()'s */ |
2908 |
++ synchronize_rcu(); |
2909 |
+ } |
2910 |
+ EXPORT_SYMBOL_GPL(nf_ct_extend_unregister); |
2911 |
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c |
2912 |
+index ecf065f94032..df65d52ba768 100644 |
2913 |
+--- a/net/netfilter/nf_conntrack_netlink.c |
2914 |
++++ b/net/netfilter/nf_conntrack_netlink.c |
2915 |
+@@ -3132,6 +3132,7 @@ static void __exit ctnetlink_exit(void) |
2916 |
+ #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT |
2917 |
+ RCU_INIT_POINTER(nfq_ct_hook, NULL); |
2918 |
+ #endif |
2919 |
++ synchronize_rcu(); |
2920 |
+ } |
2921 |
+ |
2922 |
+ module_init(ctnetlink_init); |
2923 |
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c |
2924 |
+index 2bb801e3ee8c..7658d0181050 100644 |
2925 |
+--- a/net/netfilter/nf_nat_core.c |
2926 |
++++ b/net/netfilter/nf_nat_core.c |
2927 |
+@@ -853,6 +853,8 @@ static void __exit nf_nat_cleanup(void) |
2928 |
+ #ifdef CONFIG_XFRM |
2929 |
+ RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL); |
2930 |
+ #endif |
2931 |
++ synchronize_rcu(); |
2932 |
++ |
2933 |
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) |
2934 |
+ kfree(nf_nat_l4protos[i]); |
2935 |
+ synchronize_net(); |
2936 |
+diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c |
2937 |
+index 65074dfb9383..10d78dc0d2c6 100644 |
2938 |
+--- a/net/netfilter/nfnetlink_cttimeout.c |
2939 |
++++ b/net/netfilter/nfnetlink_cttimeout.c |
2940 |
+@@ -431,6 +431,7 @@ static void __exit cttimeout_exit(void) |
2941 |
+ #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
2942 |
+ RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL); |
2943 |
+ RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL); |
2944 |
++ synchronize_rcu(); |
2945 |
+ #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
2946 |
+ } |
2947 |
+ |
2948 |
+diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c |
2949 |
+index 7011c71646f0..c656269c4cf0 100644 |
2950 |
+--- a/net/netfilter/xt_TCPMSS.c |
2951 |
++++ b/net/netfilter/xt_TCPMSS.c |
2952 |
+@@ -68,7 +68,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, |
2953 |
+ tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); |
2954 |
+ |
2955 |
+ /* Header cannot be larger than the packet */ |
2956 |
+- if (tcplen < tcph->doff*4) |
2957 |
++ if (tcplen < tcph->doff*4 || tcph->doff*4 < sizeof(struct tcphdr)) |
2958 |
+ return -1; |
2959 |
+ |
2960 |
+ if (info->mss == XT_TCPMSS_CLAMP_PMTU) { |
2961 |
+@@ -117,6 +117,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, |
2962 |
+ if (tcplen > tcph->doff*4) |
2963 |
+ return 0; |
2964 |
+ |
2965 |
++ /* tcph->doff has 4 bits, do not wrap it to 0 */ |
2966 |
++ if (tcph->doff >= 15) |
2967 |
++ return 0; |
2968 |
++ |
2969 |
+ /* |
2970 |
+ * MSS Option not found ?! add it.. |
2971 |
+ */ |
2972 |
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
2973 |
+index 0bbb3470fa78..2f22b0759f2c 100644 |
2974 |
+--- a/net/packet/af_packet.c |
2975 |
++++ b/net/packet/af_packet.c |
2976 |
+@@ -3183,14 +3183,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv |
2977 |
+ |
2978 |
+ if (optlen != sizeof(val)) |
2979 |
+ return -EINVAL; |
2980 |
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) |
2981 |
+- return -EBUSY; |
2982 |
+ if (copy_from_user(&val, optval, sizeof(val))) |
2983 |
+ return -EFAULT; |
2984 |
+ if (val > INT_MAX) |
2985 |
+ return -EINVAL; |
2986 |
+- po->tp_reserve = val; |
2987 |
+- return 0; |
2988 |
++ lock_sock(sk); |
2989 |
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { |
2990 |
++ ret = -EBUSY; |
2991 |
++ } else { |
2992 |
++ po->tp_reserve = val; |
2993 |
++ ret = 0; |
2994 |
++ } |
2995 |
++ release_sock(sk); |
2996 |
++ return ret; |
2997 |
+ } |
2998 |
+ case PACKET_LOSS: |
2999 |
+ { |
3000 |
+@@ -3338,6 +3343,8 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, |
3001 |
+ case PACKET_HDRLEN: |
3002 |
+ if (len > sizeof(int)) |
3003 |
+ len = sizeof(int); |
3004 |
++ if (len < sizeof(int)) |
3005 |
++ return -EINVAL; |
3006 |
+ if (copy_from_user(&val, optval, len)) |
3007 |
+ return -EFAULT; |
3008 |
+ switch (val) { |
3009 |
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c |
3010 |
+index 7633a752c65e..10e6e5de36e1 100644 |
3011 |
+--- a/net/rxrpc/ar-key.c |
3012 |
++++ b/net/rxrpc/ar-key.c |
3013 |
+@@ -213,7 +213,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, |
3014 |
+ unsigned int *_toklen) |
3015 |
+ { |
3016 |
+ const __be32 *xdr = *_xdr; |
3017 |
+- unsigned int toklen = *_toklen, n_parts, loop, tmp; |
3018 |
++ unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen; |
3019 |
+ |
3020 |
+ /* there must be at least one name, and at least #names+1 length |
3021 |
+ * words */ |
3022 |
+@@ -243,16 +243,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, |
3023 |
+ toklen -= 4; |
3024 |
+ if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) |
3025 |
+ return -EINVAL; |
3026 |
+- if (tmp > toklen) |
3027 |
++ paddedlen = (tmp + 3) & ~3; |
3028 |
++ if (paddedlen > toklen) |
3029 |
+ return -EINVAL; |
3030 |
+ princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); |
3031 |
+ if (!princ->name_parts[loop]) |
3032 |
+ return -ENOMEM; |
3033 |
+ memcpy(princ->name_parts[loop], xdr, tmp); |
3034 |
+ princ->name_parts[loop][tmp] = 0; |
3035 |
+- tmp = (tmp + 3) & ~3; |
3036 |
+- toklen -= tmp; |
3037 |
+- xdr += tmp >> 2; |
3038 |
++ toklen -= paddedlen; |
3039 |
++ xdr += paddedlen >> 2; |
3040 |
+ } |
3041 |
+ |
3042 |
+ if (toklen < 4) |
3043 |
+@@ -261,16 +261,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, |
3044 |
+ toklen -= 4; |
3045 |
+ if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) |
3046 |
+ return -EINVAL; |
3047 |
+- if (tmp > toklen) |
3048 |
++ paddedlen = (tmp + 3) & ~3; |
3049 |
++ if (paddedlen > toklen) |
3050 |
+ return -EINVAL; |
3051 |
+ princ->realm = kmalloc(tmp + 1, GFP_KERNEL); |
3052 |
+ if (!princ->realm) |
3053 |
+ return -ENOMEM; |
3054 |
+ memcpy(princ->realm, xdr, tmp); |
3055 |
+ princ->realm[tmp] = 0; |
3056 |
+- tmp = (tmp + 3) & ~3; |
3057 |
+- toklen -= tmp; |
3058 |
+- xdr += tmp >> 2; |
3059 |
++ toklen -= paddedlen; |
3060 |
++ xdr += paddedlen >> 2; |
3061 |
+ |
3062 |
+ _debug("%s/...@%s", princ->name_parts[0], princ->realm); |
3063 |
+ |
3064 |
+@@ -289,7 +289,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, |
3065 |
+ unsigned int *_toklen) |
3066 |
+ { |
3067 |
+ const __be32 *xdr = *_xdr; |
3068 |
+- unsigned int toklen = *_toklen, len; |
3069 |
++ unsigned int toklen = *_toklen, len, paddedlen; |
3070 |
+ |
3071 |
+ /* there must be at least one tag and one length word */ |
3072 |
+ if (toklen <= 8) |
3073 |
+@@ -303,15 +303,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, |
3074 |
+ toklen -= 8; |
3075 |
+ if (len > max_data_size) |
3076 |
+ return -EINVAL; |
3077 |
++ paddedlen = (len + 3) & ~3; |
3078 |
++ if (paddedlen > toklen) |
3079 |
++ return -EINVAL; |
3080 |
+ td->data_len = len; |
3081 |
+ |
3082 |
+ if (len > 0) { |
3083 |
+ td->data = kmemdup(xdr, len, GFP_KERNEL); |
3084 |
+ if (!td->data) |
3085 |
+ return -ENOMEM; |
3086 |
+- len = (len + 3) & ~3; |
3087 |
+- toklen -= len; |
3088 |
+- xdr += len >> 2; |
3089 |
++ toklen -= paddedlen; |
3090 |
++ xdr += paddedlen >> 2; |
3091 |
+ } |
3092 |
+ |
3093 |
+ _debug("tag %x len %x", td->tag, td->data_len); |
3094 |
+@@ -383,7 +385,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, |
3095 |
+ const __be32 **_xdr, unsigned int *_toklen) |
3096 |
+ { |
3097 |
+ const __be32 *xdr = *_xdr; |
3098 |
+- unsigned int toklen = *_toklen, len; |
3099 |
++ unsigned int toklen = *_toklen, len, paddedlen; |
3100 |
+ |
3101 |
+ /* there must be at least one length word */ |
3102 |
+ if (toklen <= 4) |
3103 |
+@@ -395,6 +397,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, |
3104 |
+ toklen -= 4; |
3105 |
+ if (len > AFSTOKEN_K5_TIX_MAX) |
3106 |
+ return -EINVAL; |
3107 |
++ paddedlen = (len + 3) & ~3; |
3108 |
++ if (paddedlen > toklen) |
3109 |
++ return -EINVAL; |
3110 |
+ *_tktlen = len; |
3111 |
+ |
3112 |
+ _debug("ticket len %u", len); |
3113 |
+@@ -403,9 +408,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, |
3114 |
+ *_ticket = kmemdup(xdr, len, GFP_KERNEL); |
3115 |
+ if (!*_ticket) |
3116 |
+ return -ENOMEM; |
3117 |
+- len = (len + 3) & ~3; |
3118 |
+- toklen -= len; |
3119 |
+- xdr += len >> 2; |
3120 |
++ toklen -= paddedlen; |
3121 |
++ xdr += paddedlen >> 2; |
3122 |
+ } |
3123 |
+ |
3124 |
+ *_xdr = xdr; |
3125 |
+@@ -549,7 +553,7 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal |
3126 |
+ { |
3127 |
+ const __be32 *xdr = data, *token; |
3128 |
+ const char *cp; |
3129 |
+- unsigned int len, tmp, loop, ntoken, toklen, sec_ix; |
3130 |
++ unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix; |
3131 |
+ int ret; |
3132 |
+ |
3133 |
+ _enter(",{%x,%x,%x,%x},%zu", |
3134 |
+@@ -574,22 +578,21 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal |
3135 |
+ if (len < 1 || len > AFSTOKEN_CELL_MAX) |
3136 |
+ goto not_xdr; |
3137 |
+ datalen -= 4; |
3138 |
+- tmp = (len + 3) & ~3; |
3139 |
+- if (tmp > datalen) |
3140 |
++ paddedlen = (len + 3) & ~3; |
3141 |
++ if (paddedlen > datalen) |
3142 |
+ goto not_xdr; |
3143 |
+ |
3144 |
+ cp = (const char *) xdr; |
3145 |
+ for (loop = 0; loop < len; loop++) |
3146 |
+ if (!isprint(cp[loop])) |
3147 |
+ goto not_xdr; |
3148 |
+- if (len < tmp) |
3149 |
+- for (; loop < tmp; loop++) |
3150 |
+- if (cp[loop]) |
3151 |
+- goto not_xdr; |
3152 |
++ for (; loop < paddedlen; loop++) |
3153 |
++ if (cp[loop]) |
3154 |
++ goto not_xdr; |
3155 |
+ _debug("cellname: [%u/%u] '%*.*s'", |
3156 |
+- len, tmp, len, len, (const char *) xdr); |
3157 |
+- datalen -= tmp; |
3158 |
+- xdr += tmp >> 2; |
3159 |
++ len, paddedlen, len, len, (const char *) xdr); |
3160 |
++ datalen -= paddedlen; |
3161 |
++ xdr += paddedlen >> 2; |
3162 |
+ |
3163 |
+ /* get the token count */ |
3164 |
+ if (datalen < 12) |
3165 |
+@@ -610,10 +613,11 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal |
3166 |
+ sec_ix = ntohl(*xdr); |
3167 |
+ datalen -= 4; |
3168 |
+ _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); |
3169 |
+- if (toklen < 20 || toklen > datalen) |
3170 |
++ paddedlen = (toklen + 3) & ~3; |
3171 |
++ if (toklen < 20 || toklen > datalen || paddedlen > datalen) |
3172 |
+ goto not_xdr; |
3173 |
+- datalen -= (toklen + 3) & ~3; |
3174 |
+- xdr += (toklen + 3) >> 2; |
3175 |
++ datalen -= paddedlen; |
3176 |
++ xdr += paddedlen >> 2; |
3177 |
+ |
3178 |
+ } while (--loop > 0); |
3179 |
+ |
3180 |
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c |
3181 |
+index 10d3e2874dd1..7c2fea69c832 100644 |
3182 |
+--- a/net/sctp/ipv6.c |
3183 |
++++ b/net/sctp/ipv6.c |
3184 |
+@@ -492,7 +492,9 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr, |
3185 |
+ { |
3186 |
+ addr->sa.sa_family = AF_INET6; |
3187 |
+ addr->v6.sin6_port = port; |
3188 |
++ addr->v6.sin6_flowinfo = 0; |
3189 |
+ addr->v6.sin6_addr = *saddr; |
3190 |
++ addr->v6.sin6_scope_id = 0; |
3191 |
+ } |
3192 |
+ |
3193 |
+ /* Compare addresses exactly. |
3194 |
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c |
3195 |
+index dd3dbed89c8f..da79f9b86dfd 100644 |
3196 |
+--- a/net/wireless/nl80211.c |
3197 |
++++ b/net/wireless/nl80211.c |
3198 |
+@@ -310,8 +310,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { |
3199 |
+ [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 }, |
3200 |
+ [NL80211_ATTR_PID] = { .type = NLA_U32 }, |
3201 |
+ [NL80211_ATTR_4ADDR] = { .type = NLA_U8 }, |
3202 |
+- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY, |
3203 |
+- .len = WLAN_PMKID_LEN }, |
3204 |
++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN }, |
3205 |
+ [NL80211_ATTR_DURATION] = { .type = NLA_U32 }, |
3206 |
+ [NL80211_ATTR_COOKIE] = { .type = NLA_U64 }, |
3207 |
+ [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED }, |
3208 |
+@@ -5044,6 +5043,10 @@ static int validate_scan_freqs(struct nlattr *freqs) |
3209 |
+ struct nlattr *attr1, *attr2; |
3210 |
+ int n_channels = 0, tmp1, tmp2; |
3211 |
+ |
3212 |
++ nla_for_each_nested(attr1, freqs, tmp1) |
3213 |
++ if (nla_len(attr1) != sizeof(u32)) |
3214 |
++ return 0; |
3215 |
++ |
3216 |
+ nla_for_each_nested(attr1, freqs, tmp1) { |
3217 |
+ n_channels++; |
3218 |
+ /* |
3219 |
+@@ -8010,6 +8013,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) |
3220 |
+ if (err) |
3221 |
+ return err; |
3222 |
+ |
3223 |
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || |
3224 |
++ !tb[NL80211_REKEY_DATA_KCK]) |
3225 |
++ return -EINVAL; |
3226 |
+ if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) |
3227 |
+ return -ERANGE; |
3228 |
+ if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) |
3229 |
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c |
3230 |
+index ea970b8002a2..10c556e373b0 100644 |
3231 |
+--- a/net/xfrm/xfrm_policy.c |
3232 |
++++ b/net/xfrm/xfrm_policy.c |
3233 |
+@@ -3201,9 +3201,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, |
3234 |
+ struct xfrm_state *x_new[XFRM_MAX_DEPTH]; |
3235 |
+ struct xfrm_migrate *mp; |
3236 |
+ |
3237 |
++ /* Stage 0 - sanity checks */ |
3238 |
+ if ((err = xfrm_migrate_check(m, num_migrate)) < 0) |
3239 |
+ goto out; |
3240 |
+ |
3241 |
++ if (dir >= XFRM_POLICY_MAX) { |
3242 |
++ err = -EINVAL; |
3243 |
++ goto out; |
3244 |
++ } |
3245 |
++ |
3246 |
+ /* Stage 1 - find policy */ |
3247 |
+ if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) { |
3248 |
+ err = -ENOENT; |
3249 |
+diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c |
3250 |
+index c4c8df4b214d..b7d7cffe7349 100644 |
3251 |
+--- a/security/keys/encrypted-keys/encrypted.c |
3252 |
++++ b/security/keys/encrypted-keys/encrypted.c |
3253 |
+@@ -315,6 +315,13 @@ static struct key *request_user_key(const char *master_desc, u8 **master_key, |
3254 |
+ |
3255 |
+ down_read(&ukey->sem); |
3256 |
+ upayload = ukey->payload.data; |
3257 |
++ if (!upayload) { |
3258 |
++ /* key was revoked before we acquired its semaphore */ |
3259 |
++ up_read(&ukey->sem); |
3260 |
++ key_put(ukey); |
3261 |
++ ukey = ERR_PTR(-EKEYREVOKED); |
3262 |
++ goto error; |
3263 |
++ } |
3264 |
+ *master_key = upayload->data; |
3265 |
+ *master_keylen = upayload->datalen; |
3266 |
+ error: |
3267 |
+@@ -428,7 +435,7 @@ static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key, |
3268 |
+ static struct key *request_master_key(struct encrypted_key_payload *epayload, |
3269 |
+ u8 **master_key, size_t *master_keylen) |
3270 |
+ { |
3271 |
+- struct key *mkey = NULL; |
3272 |
++ struct key *mkey = ERR_PTR(-EINVAL); |
3273 |
+ |
3274 |
+ if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, |
3275 |
+ KEY_TRUSTED_PREFIX_LEN)) { |
3276 |
+diff --git a/security/keys/internal.h b/security/keys/internal.h |
3277 |
+index d4f1468b9b50..ce6d4634a840 100644 |
3278 |
+--- a/security/keys/internal.h |
3279 |
++++ b/security/keys/internal.h |
3280 |
+@@ -126,7 +126,7 @@ extern key_ref_t search_process_keyrings(struct key_type *type, |
3281 |
+ key_match_func_t match, |
3282 |
+ const struct cred *cred); |
3283 |
+ |
3284 |
+-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); |
3285 |
++extern struct key *find_keyring_by_name(const char *name, bool uid_keyring); |
3286 |
+ |
3287 |
+ extern int install_user_keyrings(void); |
3288 |
+ extern int install_thread_keyring_to_cred(struct cred *); |
3289 |
+diff --git a/security/keys/key.c b/security/keys/key.c |
3290 |
+index 6595b2dd89fe..248c2e731375 100644 |
3291 |
+--- a/security/keys/key.c |
3292 |
++++ b/security/keys/key.c |
3293 |
+@@ -299,6 +299,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, |
3294 |
+ |
3295 |
+ if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) |
3296 |
+ key->flags |= 1 << KEY_FLAG_IN_QUOTA; |
3297 |
++ if (flags & KEY_ALLOC_UID_KEYRING) |
3298 |
++ key->flags |= 1 << KEY_FLAG_UID_KEYRING; |
3299 |
+ |
3300 |
+ memset(&key->type_data, 0, sizeof(key->type_data)); |
3301 |
+ |
3302 |
+@@ -897,6 +899,16 @@ error: |
3303 |
+ */ |
3304 |
+ __key_link_end(keyring, ktype, prealloc); |
3305 |
+ |
3306 |
++ key = key_ref_to_ptr(key_ref); |
3307 |
++ if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { |
3308 |
++ ret = wait_for_key_construction(key, true); |
3309 |
++ if (ret < 0) { |
3310 |
++ key_ref_put(key_ref); |
3311 |
++ key_ref = ERR_PTR(ret); |
3312 |
++ goto error_free_prep; |
3313 |
++ } |
3314 |
++ } |
3315 |
++ |
3316 |
+ key_ref = __key_update(key_ref, &prep); |
3317 |
+ goto error_free_prep; |
3318 |
+ } |
3319 |
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c |
3320 |
+index 066baa1926bb..7576f49eeb34 100644 |
3321 |
+--- a/security/keys/keyctl.c |
3322 |
++++ b/security/keys/keyctl.c |
3323 |
+@@ -93,7 +93,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, |
3324 |
+ payload = NULL; |
3325 |
+ |
3326 |
+ vm = false; |
3327 |
+- if (_payload) { |
3328 |
++ if (plen) { |
3329 |
+ ret = -ENOMEM; |
3330 |
+ payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); |
3331 |
+ if (!payload) { |
3332 |
+@@ -327,7 +327,7 @@ long keyctl_update_key(key_serial_t id, |
3333 |
+ |
3334 |
+ /* pull the payload in if one was supplied */ |
3335 |
+ payload = NULL; |
3336 |
+- if (_payload) { |
3337 |
++ if (plen) { |
3338 |
+ ret = -ENOMEM; |
3339 |
+ payload = kmalloc(plen, GFP_KERNEL); |
3340 |
+ if (!payload) |
3341 |
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c |
3342 |
+index 6ece7f2e5707..b0cabf68c678 100644 |
3343 |
+--- a/security/keys/keyring.c |
3344 |
++++ b/security/keys/keyring.c |
3345 |
+@@ -583,15 +583,15 @@ found: |
3346 |
+ /* |
3347 |
+ * Find a keyring with the specified name. |
3348 |
+ * |
3349 |
+- * All named keyrings in the current user namespace are searched, provided they |
3350 |
+- * grant Search permission directly to the caller (unless this check is |
3351 |
+- * skipped). Keyrings whose usage points have reached zero or who have been |
3352 |
+- * revoked are skipped. |
3353 |
++ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a |
3354 |
++ * user in the current user namespace are considered. If @uid_keyring is %true, |
3355 |
++ * the keyring additionally must have been allocated as a user or user session |
3356 |
++ * keyring; otherwise, it must grant Search permission directly to the caller. |
3357 |
+ * |
3358 |
+ * Returns a pointer to the keyring with the keyring's refcount having being |
3359 |
+ * incremented on success. -ENOKEY is returned if a key could not be found. |
3360 |
+ */ |
3361 |
+-struct key *find_keyring_by_name(const char *name, bool skip_perm_check) |
3362 |
++struct key *find_keyring_by_name(const char *name, bool uid_keyring) |
3363 |
+ { |
3364 |
+ struct key *keyring; |
3365 |
+ int bucket; |
3366 |
+@@ -619,10 +619,15 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check) |
3367 |
+ if (strcmp(keyring->description, name) != 0) |
3368 |
+ continue; |
3369 |
+ |
3370 |
+- if (!skip_perm_check && |
3371 |
+- key_permission(make_key_ref(keyring, 0), |
3372 |
+- KEY_SEARCH) < 0) |
3373 |
+- continue; |
3374 |
++ if (uid_keyring) { |
3375 |
++ if (!test_bit(KEY_FLAG_UID_KEYRING, |
3376 |
++ &keyring->flags)) |
3377 |
++ continue; |
3378 |
++ } else { |
3379 |
++ if (key_permission(make_key_ref(keyring, 0), |
3380 |
++ KEY_SEARCH) < 0) |
3381 |
++ continue; |
3382 |
++ } |
3383 |
+ |
3384 |
+ /* we've got a match but we might end up racing with |
3385 |
+ * key_cleanup() if the keyring is currently 'dead' |
3386 |
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c |
3387 |
+index 33384662fc82..f58a5aa05fa4 100644 |
3388 |
+--- a/security/keys/process_keys.c |
3389 |
++++ b/security/keys/process_keys.c |
3390 |
+@@ -76,7 +76,9 @@ int install_user_keyrings(void) |
3391 |
+ if (IS_ERR(uid_keyring)) { |
3392 |
+ uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, |
3393 |
+ cred, user_keyring_perm, |
3394 |
+- KEY_ALLOC_IN_QUOTA, NULL); |
3395 |
++ KEY_ALLOC_UID_KEYRING | |
3396 |
++ KEY_ALLOC_IN_QUOTA, |
3397 |
++ NULL); |
3398 |
+ if (IS_ERR(uid_keyring)) { |
3399 |
+ ret = PTR_ERR(uid_keyring); |
3400 |
+ goto error; |
3401 |
+@@ -92,7 +94,9 @@ int install_user_keyrings(void) |
3402 |
+ session_keyring = |
3403 |
+ keyring_alloc(buf, user->uid, INVALID_GID, |
3404 |
+ cred, user_keyring_perm, |
3405 |
+- KEY_ALLOC_IN_QUOTA, NULL); |
3406 |
++ KEY_ALLOC_UID_KEYRING | |
3407 |
++ KEY_ALLOC_IN_QUOTA, |
3408 |
++ NULL); |
3409 |
+ if (IS_ERR(session_keyring)) { |
3410 |
+ ret = PTR_ERR(session_keyring); |
3411 |
+ goto error_release; |
3412 |
+diff --git a/sound/core/control.c b/sound/core/control.c |
3413 |
+index 251bc575f5c3..c39282611368 100644 |
3414 |
+--- a/sound/core/control.c |
3415 |
++++ b/sound/core/control.c |
3416 |
+@@ -1088,7 +1088,7 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol, |
3417 |
+ mutex_lock(&ue->card->user_ctl_lock); |
3418 |
+ change = ue->tlv_data_size != size; |
3419 |
+ if (!change) |
3420 |
+- change = memcmp(ue->tlv_data, new_data, size); |
3421 |
++ change = memcmp(ue->tlv_data, new_data, size) != 0; |
3422 |
+ kfree(ue->tlv_data); |
3423 |
+ ue->tlv_data = new_data; |
3424 |
+ ue->tlv_data_size = size; |
3425 |
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c |
3426 |
+index d449dde1bf50..7b5a7902b7a2 100644 |
3427 |
+--- a/sound/core/seq/seq_clientmgr.c |
3428 |
++++ b/sound/core/seq/seq_clientmgr.c |
3429 |
+@@ -1248,6 +1248,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, |
3430 |
+ struct snd_seq_client_port *port; |
3431 |
+ struct snd_seq_port_info info; |
3432 |
+ struct snd_seq_port_callback *callback; |
3433 |
++ int port_idx; |
3434 |
+ |
3435 |
+ if (copy_from_user(&info, arg, sizeof(info))) |
3436 |
+ return -EFAULT; |
3437 |
+@@ -1261,7 +1262,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, |
3438 |
+ return -ENOMEM; |
3439 |
+ |
3440 |
+ if (client->type == USER_CLIENT && info.kernel) { |
3441 |
+- snd_seq_delete_port(client, port->addr.port); |
3442 |
++ port_idx = port->addr.port; |
3443 |
++ snd_seq_port_unlock(port); |
3444 |
++ snd_seq_delete_port(client, port_idx); |
3445 |
+ return -EINVAL; |
3446 |
+ } |
3447 |
+ if (client->type == KERNEL_CLIENT) { |
3448 |
+@@ -1283,6 +1286,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, |
3449 |
+ |
3450 |
+ snd_seq_set_port_info(port, &info); |
3451 |
+ snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port); |
3452 |
++ snd_seq_port_unlock(port); |
3453 |
+ |
3454 |
+ if (copy_to_user(arg, &info, sizeof(info))) |
3455 |
+ return -EFAULT; |
3456 |
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c |
3457 |
+index ee0522a8f730..a28d1acad574 100644 |
3458 |
+--- a/sound/core/seq/seq_ports.c |
3459 |
++++ b/sound/core/seq/seq_ports.c |
3460 |
+@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp) |
3461 |
+ } |
3462 |
+ |
3463 |
+ |
3464 |
+-/* create a port, port number is returned (-1 on failure) */ |
3465 |
++/* create a port, port number is returned (-1 on failure); |
3466 |
++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately |
3467 |
++ */ |
3468 |
+ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, |
3469 |
+ int port) |
3470 |
+ { |
3471 |
+@@ -153,6 +155,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, |
3472 |
+ snd_use_lock_init(&new_port->use_lock); |
3473 |
+ port_subs_info_init(&new_port->c_src); |
3474 |
+ port_subs_info_init(&new_port->c_dest); |
3475 |
++ snd_use_lock_use(&new_port->use_lock); |
3476 |
+ |
3477 |
+ num = port >= 0 ? port : 0; |
3478 |
+ mutex_lock(&client->ports_mutex); |
3479 |
+@@ -167,9 +170,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, |
3480 |
+ list_add_tail(&new_port->list, &p->list); |
3481 |
+ client->num_ports++; |
3482 |
+ new_port->addr.port = num; /* store the port number in the port */ |
3483 |
++ sprintf(new_port->name, "port-%d", num); |
3484 |
+ write_unlock_irqrestore(&client->ports_lock, flags); |
3485 |
+ mutex_unlock(&client->ports_mutex); |
3486 |
+- sprintf(new_port->name, "port-%d", num); |
3487 |
+ |
3488 |
+ return new_port; |
3489 |
+ } |
3490 |
+diff --git a/tools/perf/ui/browser.c b/tools/perf/ui/browser.c |
3491 |
+index bbc782e364b0..9118fb8cc100 100644 |
3492 |
+--- a/tools/perf/ui/browser.c |
3493 |
++++ b/tools/perf/ui/browser.c |
3494 |
+@@ -672,7 +672,7 @@ static void __ui_browser__line_arrow_down(struct ui_browser *browser, |
3495 |
+ ui_browser__gotorc(browser, row, column + 1); |
3496 |
+ SLsmg_draw_hline(2); |
3497 |
+ |
3498 |
+- if (row++ == 0) |
3499 |
++ if (++row == 0) |
3500 |
+ goto out; |
3501 |
+ } else |
3502 |
+ row = 0; |