commit: e7156b6245475d4c9bb6eeeb88d03653df4da664
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 29 15:29:36 2022 +0000
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Fri Jul 29 15:29:36 2022 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e7156b62

Linux patch 5.4.208

Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>

 0000_README              |    4 +
 1207_linux-5.4.208.patch | 4094 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 4098 insertions(+)

diff --git a/0000_README b/0000_README
index 50eda9b4..d4fe1a15 100644
--- a/0000_README
+++ b/0000_README
@@ -871,6 +871,10 @@ Patch: 1206_linux-5.4.207.patch
From: http://www.kernel.org
Desc: Linux 5.4.207

+Patch: 1207_linux-5.4.208.patch
+From: http://www.kernel.org
+Desc: Linux 5.4.208
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.

diff --git a/1207_linux-5.4.208.patch b/1207_linux-5.4.208.patch
new file mode 100644
index 00000000..7b70b2ac
--- /dev/null
+++ b/1207_linux-5.4.208.patch
@@ -0,0 +1,4094 @@
+diff --git a/Makefile b/Makefile
+index 89d19f04faabf..884a3f314baf8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 4
+-SUBLEVEL = 207
++SUBLEVEL = 208
+ EXTRAVERSION =
+ NAME = Kleptomaniac Octopus
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index a8df66e645442..2219a07dca1ef 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -915,27 +915,6 @@ config STRICT_MODULE_RWX
+ config ARCH_HAS_PHYS_TO_DMA
+ bool
+
+-config ARCH_HAS_REFCOUNT
+- bool
+- help
+- An architecture selects this when it has implemented refcount_t
+- using open coded assembly primitives that provide an optimized
+- refcount_t implementation, possibly at the expense of some full
+- refcount state checks of CONFIG_REFCOUNT_FULL=y.
+-
+- The refcount overflow check behavior, however, must be retained.
+- Catching overflows is the primary security concern for protecting
+- against bugs in reference counts.
+-
+-config REFCOUNT_FULL
+- bool "Perform full reference count validation at the expense of speed"
+- help
+- Enabling this switches the refcounting infrastructure from a fast
+- unchecked atomic_t implementation to a fully state checked
+- implementation, which can be (slightly) slower but provides protections
+- against various use-after-free conditions that can be used in
+- security flaw exploits.
+-
+ config HAVE_ARCH_COMPILER_H
+ bool
+ help
+diff --git a/arch/alpha/kernel/srmcons.c b/arch/alpha/kernel/srmcons.c
+index 438b10c44d732..2b7a314b84522 100644
+--- a/arch/alpha/kernel/srmcons.c
++++ b/arch/alpha/kernel/srmcons.c
+@@ -59,7 +59,7 @@ srmcons_do_receive_chars(struct tty_port *port)
+ } while((result.bits.status & 1) && (++loops < 10));
+
+ if (count)
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+
+ return count;
+ }
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index a1622b9290fd5..a4364cce85f8d 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -119,7 +119,6 @@ config ARM
+ select OLD_SIGSUSPEND3
+ select PCI_SYSCALL if PCI
+ select PERF_USE_VMALLOC
+- select REFCOUNT_FULL
+ select RTC_LIB
+ select SYS_SUPPORTS_APM_EMULATION
+ # Above selects are sorted alphabetically; please add new ones
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a1a828ca188cf..6b73143f0cf8c 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -181,7 +181,6 @@ config ARM64
+ select PCI_SYSCALL if PCI
+ select POWER_RESET
+ select POWER_SUPPLY
+- select REFCOUNT_FULL
+ select SPARSE_IRQ
+ select SWIOTLB
+ select SYSCTL_EXCEPTION_TRACE
+diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
+index 7b579a003e30a..d1a9615391010 100644
+--- a/arch/riscv/Makefile
++++ b/arch/riscv/Makefile
+@@ -74,6 +74,7 @@ ifeq ($(CONFIG_PERF_EVENTS),y)
+ endif
+
+ KBUILD_CFLAGS_MODULE += $(call cc-option,-mno-relax)
++KBUILD_AFLAGS_MODULE += $(call as-option,-Wa$(comma)-mno-relax)
+
+ # GCC versions that support the "-mstrict-align" option default to allowing
+ # unaligned accesses. While unaligned accesses are explicitly allowed in the
+diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
+index 38d64030aacf6..2e60c80395ab0 100644
+--- a/arch/s390/configs/debug_defconfig
++++ b/arch/s390/configs/debug_defconfig
+@@ -62,7 +62,6 @@ CONFIG_OPROFILE=m
+ CONFIG_KPROBES=y
+ CONFIG_JUMP_LABEL=y
+ CONFIG_STATIC_KEYS_SELFTEST=y
+-CONFIG_REFCOUNT_FULL=y
+ CONFIG_LOCK_EVENT_COUNTS=y
+ CONFIG_MODULES=y
+ CONFIG_MODULE_FORCE_LOAD=y
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index c6c71592f6e46..6002252692af4 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -73,7 +73,6 @@ config X86
+ select ARCH_HAS_PMEM_API if X86_64
+ select ARCH_HAS_PTE_DEVMAP if X86_64
+ select ARCH_HAS_PTE_SPECIAL
+- select ARCH_HAS_REFCOUNT
+ select ARCH_HAS_UACCESS_FLUSHCACHE if X86_64
+ select ARCH_HAS_UACCESS_MCSAFE if X86_64 && X86_MCE
+ select ARCH_HAS_SET_MEMORY
+diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
+index 1b563f9167eae..cd339b88d5d46 100644
+--- a/arch/x86/include/asm/asm.h
++++ b/arch/x86/include/asm/asm.h
+@@ -141,9 +141,6 @@
+ # define _ASM_EXTABLE_EX(from, to) \
+ _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext)
+
+-# define _ASM_EXTABLE_REFCOUNT(from, to) \
+- _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount)
+-
+ # define _ASM_NOKPROBE(entry) \
+ .pushsection "_kprobe_blacklist","aw" ; \
+ _ASM_ALIGN ; \
+@@ -172,9 +169,6 @@
+ # define _ASM_EXTABLE_EX(from, to) \
+ _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext)
+
+-# define _ASM_EXTABLE_REFCOUNT(from, to) \
+- _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount)
+-
+ /* For C file, we already have NOKPROBE_SYMBOL macro */
+ #endif
+
+diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h
+deleted file mode 100644
+index 232f856e0db06..0000000000000
+--- a/arch/x86/include/asm/refcount.h
++++ /dev/null
+@@ -1,126 +0,0 @@
+-#ifndef __ASM_X86_REFCOUNT_H
+-#define __ASM_X86_REFCOUNT_H
+-/*
+- * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from
+- * PaX/grsecurity.
+- */
+-#include <linux/refcount.h>
+-#include <asm/bug.h>
+-
+-/*
+- * This is the first portion of the refcount error handling, which lives in
+- * .text.unlikely, and is jumped to from the CPU flag check (in the
+- * following macros). This saves the refcount value location into CX for
+- * the exception handler to use (in mm/extable.c), and then triggers the
+- * central refcount exception. The fixup address for the exception points
+- * back to the regular execution flow in .text.
+- */
+-#define _REFCOUNT_EXCEPTION \
+- ".pushsection .text..refcount\n" \
+- "111:\tlea %[var], %%" _ASM_CX "\n" \
+- "112:\t" ASM_UD2 "\n" \
+- ASM_UNREACHABLE \
+- ".popsection\n" \
+- "113:\n" \
+- _ASM_EXTABLE_REFCOUNT(112b, 113b)
+-
+-/* Trigger refcount exception if refcount result is negative. */
+-#define REFCOUNT_CHECK_LT_ZERO \
+- "js 111f\n\t" \
+- _REFCOUNT_EXCEPTION
+-
+-/* Trigger refcount exception if refcount result is zero or negative. */
+-#define REFCOUNT_CHECK_LE_ZERO \
+- "jz 111f\n\t" \
+- REFCOUNT_CHECK_LT_ZERO
+-
+-/* Trigger refcount exception unconditionally. */
+-#define REFCOUNT_ERROR \
+- "jmp 111f\n\t" \
+- _REFCOUNT_EXCEPTION
+-
+-static __always_inline void refcount_add(unsigned int i, refcount_t *r)
+-{
+- asm volatile(LOCK_PREFIX "addl %1,%0\n\t"
+- REFCOUNT_CHECK_LT_ZERO
+- : [var] "+m" (r->refs.counter)
+- : "ir" (i)
+- : "cc", "cx");
+-}
+-
+-static __always_inline void refcount_inc(refcount_t *r)
+-{
+- asm volatile(LOCK_PREFIX "incl %0\n\t"
+- REFCOUNT_CHECK_LT_ZERO
+- : [var] "+m" (r->refs.counter)
+- : : "cc", "cx");
+-}
+-
+-static __always_inline void refcount_dec(refcount_t *r)
+-{
+- asm volatile(LOCK_PREFIX "decl %0\n\t"
+- REFCOUNT_CHECK_LE_ZERO
+- : [var] "+m" (r->refs.counter)
+- : : "cc", "cx");
+-}
+-
+-static __always_inline __must_check
+-bool refcount_sub_and_test(unsigned int i, refcount_t *r)
+-{
+- bool ret = GEN_BINARY_SUFFIXED_RMWcc(LOCK_PREFIX "subl",
+- REFCOUNT_CHECK_LT_ZERO,
+- r->refs.counter, e, "er", i, "cx");
+-
+- if (ret) {
+- smp_acquire__after_ctrl_dep();
+- return true;
+- }
+-
+- return false;
+-}
+-
+-static __always_inline __must_check bool refcount_dec_and_test(refcount_t *r)
+-{
+- bool ret = GEN_UNARY_SUFFIXED_RMWcc(LOCK_PREFIX "decl",
+- REFCOUNT_CHECK_LT_ZERO,
+- r->refs.counter, e, "cx");
+-
+- if (ret) {
+- smp_acquire__after_ctrl_dep();
+- return true;
+- }
+-
+- return false;
+-}
+-
+-static __always_inline __must_check
+-bool refcount_add_not_zero(unsigned int i, refcount_t *r)
+-{
+- int c, result;
+-
+- c = atomic_read(&(r->refs));
+- do {
+- if (unlikely(c == 0))
+- return false;
+-
+- result = c + i;
+-
+- /* Did we try to increment from/to an undesirable state? */
+- if (unlikely(c < 0 || c == INT_MAX || result < c)) {
+- asm volatile(REFCOUNT_ERROR
+- : : [var] "m" (r->refs.counter)
+- : "cc", "cx");
+- break;
+- }
+-
+- } while (!atomic_try_cmpxchg(&(r->refs), &c, result));
+-
+- return c != 0;
+-}
+-
+-static __always_inline __must_check bool refcount_inc_not_zero(refcount_t *r)
+-{
+- return refcount_add_not_zero(1, r);
+-}
+-
+-#endif
+diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
+index 61d93f062a36e..d6a0e57ecc073 100644
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -378,18 +378,6 @@ do { \
+ : "=r" (err), ltype(x) \
+ : "m" (__m(addr)), "i" (errret), "0" (err))
+
+-#define __get_user_asm_nozero(x, addr, err, itype, rtype, ltype, errret) \
+- asm volatile("\n" \
+- "1: mov"itype" %2,%"rtype"1\n" \
+- "2:\n" \
+- ".section .fixup,\"ax\"\n" \
+- "3: mov %3,%0\n" \
+- " jmp 2b\n" \
+- ".previous\n" \
+- _ASM_EXTABLE_UA(1b, 3b) \
+- : "=r" (err), ltype(x) \
+- : "m" (__m(addr)), "i" (errret), "0" (err))
+-
+ /*
+ * This doesn't do __uaccess_begin/end - the exception handling
+ * around it must do that.
+@@ -453,6 +441,103 @@ __pu_label: \
+ __builtin_expect(__gu_err, 0); \
+ })
+
++#ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
++#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
++ bool success; \
++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
++ __typeof__(*(_ptr)) __old = *_old; \
++ __typeof__(*(_ptr)) __new = (_new); \
++ asm_volatile_goto("\n" \
++ "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\
++ _ASM_EXTABLE_UA(1b, %l[label]) \
++ : CC_OUT(z) (success), \
++ [ptr] "+m" (*_ptr), \
++ [old] "+a" (__old) \
++ : [new] ltype (__new) \
++ : "memory" \
++ : label); \
++ if (unlikely(!success)) \
++ *_old = __old; \
++ likely(success); })
++
++#ifdef CONFIG_X86_32
++#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \
++ bool success; \
++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
++ __typeof__(*(_ptr)) __old = *_old; \
++ __typeof__(*(_ptr)) __new = (_new); \
++ asm_volatile_goto("\n" \
++ "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \
++ _ASM_EXTABLE_UA(1b, %l[label]) \
++ : CC_OUT(z) (success), \
++ "+A" (__old), \
++ [ptr] "+m" (*_ptr) \
++ : "b" ((u32)__new), \
++ "c" ((u32)((u64)__new >> 32)) \
++ : "memory" \
++ : label); \
++ if (unlikely(!success)) \
++ *_old = __old; \
++ likely(success); })
++#endif // CONFIG_X86_32
++#else // !CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
++#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
++ int __err = 0; \
++ bool success; \
++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
++ __typeof__(*(_ptr)) __old = *_old; \
++ __typeof__(*(_ptr)) __new = (_new); \
++ asm volatile("\n" \
++ "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\
++ CC_SET(z) \
++ "2:\n" \
++ _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, \
++ %[errout]) \
++ : CC_OUT(z) (success), \
++ [errout] "+r" (__err), \
++ [ptr] "+m" (*_ptr), \
++ [old] "+a" (__old) \
++ : [new] ltype (__new) \
++ : "memory"); \
++ if (unlikely(__err)) \
++ goto label; \
++ if (unlikely(!success)) \
++ *_old = __old; \
++ likely(success); })
++
++#ifdef CONFIG_X86_32
++/*
++ * Unlike the normal CMPXCHG, hardcode ECX for both success/fail and error.
++ * There are only six GPRs available and four (EAX, EBX, ECX, and EDX) are
++ * hardcoded by CMPXCHG8B, leaving only ESI and EDI. If the compiler uses
++ * both ESI and EDI for the memory operand, compilation will fail if the error
++ * is an input+output as there will be no register available for input.
++ */
++#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \
++ int __result; \
++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
++ __typeof__(*(_ptr)) __old = *_old; \
++ __typeof__(*(_ptr)) __new = (_new); \
++ asm volatile("\n" \
++ "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \
++ "mov $0, %%ecx\n\t" \
++ "setz %%cl\n" \
++ "2:\n" \
++ _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %%ecx) \
++ : [result]"=c" (__result), \
++ "+A" (__old), \
++ [ptr] "+m" (*_ptr) \
++ : "b" ((u32)__new), \
++ "c" ((u32)((u64)__new >> 32)) \
++ : "memory", "cc"); \
++ if (unlikely(__result < 0)) \
++ goto label; \
++ if (unlikely(!__result)) \
++ *_old = __old; \
++ likely(__result); })
++#endif // CONFIG_X86_32
++#endif // CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
++
+ /* FIXME: this hack is definitely wrong -AK */
+ struct __large_struct { unsigned long buf[100]; };
+ #define __m(x) (*(struct __large_struct __user *)(x))
+@@ -734,6 +819,51 @@ do { \
+ if (unlikely(__gu_err)) goto err_label; \
+ } while (0)
+
++extern void __try_cmpxchg_user_wrong_size(void);
++
++#ifndef CONFIG_X86_32
++#define __try_cmpxchg64_user_asm(_ptr, _oldp, _nval, _label) \
++ __try_cmpxchg_user_asm("q", "r", (_ptr), (_oldp), (_nval), _label)
++#endif
++
++/*
++ * Force the pointer to u<size> to match the size expected by the asm helper.
++ * clang/LLVM compiles all cases and only discards the unused paths after
++ * processing errors, which breaks i386 if the pointer is an 8-byte value.
++ */
++#define unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \
++ bool __ret; \
++ __chk_user_ptr(_ptr); \
++ switch (sizeof(*(_ptr))) { \
++ case 1: __ret = __try_cmpxchg_user_asm("b", "q", \
++ (__force u8 *)(_ptr), (_oldp), \
++ (_nval), _label); \
++ break; \
++ case 2: __ret = __try_cmpxchg_user_asm("w", "r", \
++ (__force u16 *)(_ptr), (_oldp), \
++ (_nval), _label); \
++ break; \
++ case 4: __ret = __try_cmpxchg_user_asm("l", "r", \
++ (__force u32 *)(_ptr), (_oldp), \
++ (_nval), _label); \
++ break; \
++ case 8: __ret = __try_cmpxchg64_user_asm((__force u64 *)(_ptr), (_oldp),\
++ (_nval), _label); \
++ break; \
++ default: __try_cmpxchg_user_wrong_size(); \
++ } \
++ __ret; })
++
++/* "Returns" 0 on success, 1 on failure, -EFAULT if the access faults. */
++#define __try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \
++ int __ret = -EFAULT; \
++ __uaccess_begin_nospec(); \
++ __ret = !unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label); \
++_label: \
++ __uaccess_end(); \
++ __ret; \
++ })
++
+ /*
+ * We want the unsafe accessors to always be inlined and use
+ * the error labels - thus the macro games.
+diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
+index ba2dc19306303..388a40660c7b5 100644
+--- a/arch/x86/include/asm/uaccess_32.h
++++ b/arch/x86/include/asm/uaccess_32.h
+@@ -23,33 +23,6 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
+ static __always_inline unsigned long
+ raw_copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- if (__builtin_constant_p(n)) {
+- unsigned long ret;
+-
+- switch (n) {
+- case 1:
+- ret = 0;
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u8 *)to, from, ret,
+- "b", "b", "=q", 1);
+- __uaccess_end();
+- return ret;
+- case 2:
+- ret = 0;
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u16 *)to, from, ret,
+- "w", "w", "=r", 2);
+- __uaccess_end();
+- return ret;
+- case 4:
+- ret = 0;
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u32 *)to, from, ret,
+- "l", "k", "=r", 4);
+- __uaccess_end();
+- return ret;
+- }
+- }
+ return __copy_user_ll(to, (__force const void *)from, n);
+ }
+
+diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
+index 5cd1caa8bc653..bc10e3dc64fed 100644
+--- a/arch/x86/include/asm/uaccess_64.h
++++ b/arch/x86/include/asm/uaccess_64.h
+@@ -65,117 +65,13 @@ copy_to_user_mcsafe(void *to, const void *from, unsigned len)
+ static __always_inline __must_check unsigned long
+ raw_copy_from_user(void *dst, const void __user *src, unsigned long size)
+ {
+- int ret = 0;
+-
+- if (!__builtin_constant_p(size))
+- return copy_user_generic(dst, (__force void *)src, size);
+- switch (size) {
+- case 1:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u8 *)dst, (u8 __user *)src,
+- ret, "b", "b", "=q", 1);
+- __uaccess_end();
+- return ret;
+- case 2:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u16 *)dst, (u16 __user *)src,
+- ret, "w", "w", "=r", 2);
+- __uaccess_end();
+- return ret;
+- case 4:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u32 *)dst, (u32 __user *)src,
+- ret, "l", "k", "=r", 4);
+- __uaccess_end();
+- return ret;
+- case 8:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
+- ret, "q", "", "=r", 8);
+- __uaccess_end();
+- return ret;
+- case 10:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
+- ret, "q", "", "=r", 10);
+- if (likely(!ret))
+- __get_user_asm_nozero(*(u16 *)(8 + (char *)dst),
+- (u16 __user *)(8 + (char __user *)src),
+- ret, "w", "w", "=r", 2);
+- __uaccess_end();
+- return ret;
+- case 16:
+- __uaccess_begin_nospec();
+- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
+- ret, "q", "", "=r", 16);
+- if (likely(!ret))
+- __get_user_asm_nozero(*(u64 *)(8 + (char *)dst),
+- (u64 __user *)(8 + (char __user *)src),
+- ret, "q", "", "=r", 8);
+- __uaccess_end();
+- return ret;
+- default:
+- return copy_user_generic(dst, (__force void *)src, size);
+- }
++ return copy_user_generic(dst, (__force void *)src, size);
+ }
+
+ static __always_inline __must_check unsigned long
+ raw_copy_to_user(void __user *dst, const void *src, unsigned long size)
+ {
+- int ret = 0;
+-
+- if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst, src, size);
+- switch (size) {
+- case 1:
+- __uaccess_begin();
+- __put_user_asm(*(u8 *)src, (u8 __user *)dst,
+- ret, "b", "b", "iq", 1);
+- __uaccess_end();
+- return ret;
+- case 2:
+- __uaccess_begin();
+- __put_user_asm(*(u16 *)src, (u16 __user *)dst,
+- ret, "w", "w", "ir", 2);
+- __uaccess_end();
+- return ret;
+- case 4:
+- __uaccess_begin();
+- __put_user_asm(*(u32 *)src, (u32 __user *)dst,
+- ret, "l", "k", "ir", 4);
+- __uaccess_end();
+- return ret;
+- case 8:
+- __uaccess_begin();
+- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
+- ret, "q", "", "er", 8);
+- __uaccess_end();
+- return ret;
+- case 10:
+- __uaccess_begin();
+- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
+- ret, "q", "", "er", 10);
+- if (likely(!ret)) {
+- asm("":::"memory");
+- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
+- ret, "w", "w", "ir", 2);
+- }
+- __uaccess_end();
+- return ret;
+- case 16:
+- __uaccess_begin();
+- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
+- ret, "q", "", "er", 16);
+- if (likely(!ret)) {
+- asm("":::"memory");
+- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
+- ret, "q", "", "er", 8);
+- }
+- __uaccess_end();
+- return ret;
+- default:
+- return copy_user_generic((__force void *)dst, src, size);
+- }
++ return copy_user_generic((__force void *)dst, src, size);
+ }
+
+ static __always_inline __must_check
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 8a2b8e7913149..9b98a7d8ac604 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -397,13 +397,16 @@ static int msr_to_offset(u32 msr)
+ return -1;
+ }
+
+-__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
+- struct pt_regs *regs, int trapnr,
+- unsigned long error_code,
+- unsigned long fault_addr)
++static void ex_handler_msr_mce(struct pt_regs *regs, bool wrmsr)
+ {
+- pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
+- (unsigned int)regs->cx, regs->ip, (void *)regs->ip);
++ if (wrmsr) {
++ pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
++ (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax,
++ regs->ip, (void *)regs->ip);
++ } else {
++ pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
++ (unsigned int)regs->cx, regs->ip, (void *)regs->ip);
++ }
+
+ show_stack_regs(regs);
+
+@@ -411,7 +414,14 @@ __visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
+
+ while (true)
+ cpu_relax();
++}
+
++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
++ struct pt_regs *regs, int trapnr,
++ unsigned long error_code,
++ unsigned long fault_addr)
++{
++ ex_handler_msr_mce(regs, false);
+ return true;
+ }
+
+@@ -447,17 +457,7 @@ __visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup,
+ unsigned long error_code,
+ unsigned long fault_addr)
+ {
+- pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
+- (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax,
+- regs->ip, (void *)regs->ip);
+-
+- show_stack_regs(regs);
+-
+- panic("MCA architectural violation!\n");
+-
+- while (true)
+- cpu_relax();
+-
++ ex_handler_msr_mce(regs, true);
+ return true;
+ }
+
+diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
+index 4d75bc656f971..30bb0bd3b1b88 100644
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -44,55 +44,6 @@ __visible bool ex_handler_fault(const struct exception_table_entry *fixup,
+ }
+ EXPORT_SYMBOL_GPL(ex_handler_fault);
+
+-/*
+- * Handler for UD0 exception following a failed test against the
+- * result of a refcount inc/dec/add/sub.
+- */
+-__visible bool ex_handler_refcount(const struct exception_table_entry *fixup,
+- struct pt_regs *regs, int trapnr,
+- unsigned long error_code,
+- unsigned long fault_addr)
+-{
+- /* First unconditionally saturate the refcount. */
+- *(int *)regs->cx = INT_MIN / 2;
+-
+- /*
+- * Strictly speaking, this reports the fixup destination, not
+- * the fault location, and not the actually overflowing
+- * instruction, which is the instruction before the "js", but
+- * since that instruction could be a variety of lengths, just
+- * report the location after the overflow, which should be close
+- * enough for finding the overflow, as it's at least back in
+- * the function, having returned from .text.unlikely.
+- */
+- regs->ip = ex_fixup_addr(fixup);
+-
+- /*
+- * This function has been called because either a negative refcount
+- * value was seen by any of the refcount functions, or a zero
+- * refcount value was seen by refcount_dec().
+- *
+- * If we crossed from INT_MAX to INT_MIN, OF (Overflow Flag: result
+- * wrapped around) will be set. Additionally, seeing the refcount
+- * reach 0 will set ZF (Zero Flag: result was zero). In each of
+- * these cases we want a report, since it's a boundary condition.
+- * The SF case is not reported since it indicates post-boundary
+- * manipulations below zero or above INT_MAX. And if none of the
+- * flags are set, something has gone very wrong, so report it.
+- */
+- if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_ZF)) {
+- bool zero = regs->flags & X86_EFLAGS_ZF;
+-
+- refcount_error_report(regs, zero ? "hit zero" : "overflow");
+- } else if ((regs->flags & X86_EFLAGS_SF) == 0) {
+- /* Report if none of OF, ZF, nor SF are set. */
+- refcount_error_report(regs, "unexpected saturation");
+- }
+-
+- return true;
+-}
+-EXPORT_SYMBOL(ex_handler_refcount);
+-
+ /*
+ * Handler for when we fail to restore a task's FPU state. We should never get
+ * here because the FPU state of a task using the FPU (task->thread.fpu.state)
+diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chelsio/chtls/chtls_cm.c
+index 82b76df43ae57..3b79bcd03e7bc 100644
+--- a/drivers/crypto/chelsio/chtls/chtls_cm.c
++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c
+@@ -1103,8 +1103,8 @@ static struct sock *chtls_recv_sock(struct sock *lsk,
+ csk->sndbuf = newsk->sk_sndbuf;
+ csk->smac_idx = ((struct port_info *)netdev_priv(ndev))->smt_idx;
+ RCV_WSCALE(tp) = select_rcv_wscale(tcp_full_space(newsk),
+- sock_net(newsk)->
+- ipv4.sysctl_tcp_window_scaling,
++ READ_ONCE(sock_net(newsk)->
++ ipv4.sysctl_tcp_window_scaling),
+ tp->window_clamp);
+ neigh_release(n);
+ inet_inherit_port(&tcp_hashinfo, lsk, newsk);
+@@ -1235,7 +1235,7 @@ static void chtls_pass_accept_request(struct sock *sk,
+ chtls_set_req_addr(oreq, iph->daddr, iph->saddr);
+ ip_dsfield = ipv4_get_dsfield(iph);
+ if (req->tcpopt.wsf <= 14 &&
+- sock_net(sk)->ipv4.sysctl_tcp_window_scaling) {
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) {
+ inet_rsk(oreq)->wscale_ok = 1;
+ inet_rsk(oreq)->snd_wscale = req->tcpopt.wsf;
+ }
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 54da66d02b0e5..317f54f19477e 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -379,6 +379,9 @@ static const struct regmap_config pca953x_i2c_regmap = {
+ .reg_bits = 8,
+ .val_bits = 8,
+
++ .use_single_read = true,
++ .use_single_write = true,
++
+ .readable_reg = pca953x_readable_register,
+ .writeable_reg = pca953x_writeable_register,
+ .volatile_reg = pca953x_volatile_register,
+diff --git a/drivers/gpu/drm/i915/Kconfig.debug b/drivers/gpu/drm/i915/Kconfig.debug
+index 41c8e39a73ba8..e4f03fcb125e4 100644
+--- a/drivers/gpu/drm/i915/Kconfig.debug
++++ b/drivers/gpu/drm/i915/Kconfig.debug
+@@ -21,7 +21,6 @@ config DRM_I915_DEBUG
+ depends on DRM_I915
+ select DEBUG_FS
+ select PREEMPT_COUNT
+- select REFCOUNT_FULL
+ select I2C_CHARDEV
+ select STACKDEPOT
+ select DRM_DP_AUX_CHARDEV
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 3a1bdc75275f4..8750e444f4492 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -198,9 +198,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *id, bool hold_wrkaround)
+ */
+ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ {
+- unsigned int isr_status, avail_bytes, updatetx;
++ unsigned int isr_status, avail_bytes;
+ unsigned int bytes_to_send;
+- bool hold_quirk;
++ bool updatetx;
+ struct cdns_i2c *id = ptr;
+ /* Signal completion only after everything is updated */
+ int done_flag = 0;
+@@ -219,11 +219,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ * Check if transfer size register needs to be updated again for a
+ * large data receive operation.
+ */
+- updatetx = 0;
+- if (id->recv_count > id->curr_recv_count)
+- updatetx = 1;
+-
+- hold_quirk = (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx;
++ updatetx = id->recv_count > id->curr_recv_count;
+
+ /* When receiving, handle data interrupt and completion interrupt */
+ if (id->p_recv_buf &&
+@@ -246,7 +242,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ id->recv_count--;
+ id->curr_recv_count--;
+
+- if (cdns_is_holdquirk(id, hold_quirk))
++ if (cdns_is_holdquirk(id, updatetx))
+ break;
+ }
+
+@@ -257,7 +253,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ * maintain transfer size non-zero while performing a large
+ * receive operation.
+ */
+- if (cdns_is_holdquirk(id, hold_quirk)) {
++ if (cdns_is_holdquirk(id, updatetx)) {
+ /* wait while fifo is full */
+ while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) !=
+ (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH))
+@@ -279,22 +275,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ CDNS_I2C_XFER_SIZE_OFFSET);
+ id->curr_recv_count = id->recv_count;
+ }
+- } else if (id->recv_count && !hold_quirk &&
+- !id->curr_recv_count) {
+-
+- /* Set the slave address in address register*/
+- cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK,
+- CDNS_I2C_ADDR_OFFSET);
+-
+- if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) {
+- cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE,
+- CDNS_I2C_XFER_SIZE_OFFSET);
+- id->curr_recv_count = CDNS_I2C_TRANSFER_SIZE;
+- } else {
+- cdns_i2c_writereg(id->recv_count,
+- CDNS_I2C_XFER_SIZE_OFFSET);
+- id->curr_recv_count = id->recv_count;
+- }
+ }
+
+ /* Clear hold (if not repeated start) and signal completion */
+diff --git a/drivers/misc/lkdtm/refcount.c b/drivers/misc/lkdtm/refcount.c
+index 0a146b32da132..abf3b7c1f686c 100644
+--- a/drivers/misc/lkdtm/refcount.c
++++ b/drivers/misc/lkdtm/refcount.c
+@@ -6,14 +6,6 @@
+ #include "lkdtm.h"
+ #include <linux/refcount.h>
+
+-#ifdef CONFIG_REFCOUNT_FULL
+-#define REFCOUNT_MAX (UINT_MAX - 1)
+-#define REFCOUNT_SATURATED UINT_MAX
+-#else
+-#define REFCOUNT_MAX INT_MAX
+-#define REFCOUNT_SATURATED (INT_MIN / 2)
+-#endif
+-
+ static void overflow_check(refcount_t *ref)
+ {
+ switch (refcount_read(ref)) {
+diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
+index 649c5c429bd7c..1288b5e3d2201 100644
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -2287,7 +2287,7 @@ err:
+
+ /* Uses sync mcc */
+ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+- u8 page_num, u8 *data)
++ u8 page_num, u32 off, u32 len, u8 *data)
+ {
+ struct be_dma_mem cmd;
+ struct be_mcc_wrb *wrb;
+@@ -2321,10 +2321,10 @@ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+ req->port = cpu_to_le32(adapter->hba_port_num);
+ req->page_num = cpu_to_le32(page_num);
+ status = be_mcc_notify_wait(adapter);
+- if (!status) {
++ if (!status && len > 0) {
+ struct be_cmd_resp_port_type *resp = cmd.va;
+
+- memcpy(data, resp->page_data, PAGE_DATA_LEN);
++ memcpy(data, resp->page_data + off, len);
+ }
+ err:
+ mutex_unlock(&adapter->mcc_lock);
+@@ -2415,7 +2415,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapter)
+ int status;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ switch (adapter->phy.interface_type) {
+ case PHY_TYPE_QSFP:
+@@ -2440,7 +2440,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter)
+ int status;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ strlcpy(adapter->phy.vendor_name, page_data +
+ SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1);
+diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethernet/emulex/benet/be_cmds.h
+index c30d6d6f0f3a0..9e17d6a7ab8cd 100644
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.h
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.h
+@@ -2427,7 +2427,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapter, u8 port_num, u8 beacon,
+ int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num,
+ u32 *state);
+ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+- u8 page_num, u8 *data);
++ u8 page_num, u32 off, u32 len, u8 *data);
+ int be_cmd_query_cable_type(struct be_adapter *adapter);
+ int be_cmd_query_sfp_info(struct be_adapter *adapter);
+ int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *cmd,
+diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+index 5bb5abf995887..7cc1f41971c57 100644
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -1339,7 +1339,7 @@ static int be_get_module_info(struct net_device *netdev,
+ return -EOPNOTSUPP;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ if (!page_data[SFP_PLUS_SFF_8472_COMP]) {
+ modinfo->type = ETH_MODULE_SFF_8079;
+@@ -1357,25 +1357,32 @@ static int be_get_module_eeprom(struct net_device *netdev,
+ {
+ struct be_adapter *adapter = netdev_priv(netdev);
+ int status;
++ u32 begin, end;
+
+ if (!check_privilege(adapter, MAX_PRIVILEGES))
+ return -EOPNOTSUPP;
+
+- status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- data);
+- if (status)
+- goto err;
++ begin = eeprom->offset;
++ end = eeprom->offset + eeprom->len;
++
++ if (begin < PAGE_DATA_LEN) {
++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin,
++ min_t(u32, end, PAGE_DATA_LEN) - begin,
++ data);
++ if (status)
++ goto err;
++
++ data += PAGE_DATA_LEN - begin;
++ begin = PAGE_DATA_LEN;
++ }
+
+- if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) {
+- status = be_cmd_read_port_transceiver_data(adapter,
+- TR_PAGE_A2,
+- data +
+- PAGE_DATA_LEN);
++ if (end > PAGE_DATA_LEN) {
++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2,
++ begin - PAGE_DATA_LEN,
++ end - begin, data);
+ if (status)
+ goto err;
+ }
+- if (eeprom->offset)
+- memcpy(data, data + eeprom->offset, eeprom->len);
+ err:
+ return be_cmd_status(status);
+ }
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 05442bbc218cd..0610d344fdbf0 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -10068,7 +10068,7 @@ static int i40e_reset(struct i40e_pf *pf)
+ **/
+ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ {
+- int old_recovery_mode_bit = test_bit(__I40E_RECOVERY_MODE, pf->state);
++ const bool is_recovery_mode_reported = i40e_check_recovery_mode(pf);
+ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+ struct i40e_hw *hw = &pf->hw;
+ i40e_status ret;
+@@ -10076,13 +10076,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ int v;
+
+ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) &&
+- i40e_check_recovery_mode(pf)) {
++ is_recovery_mode_reported)
+ i40e_set_ethtool_ops(pf->vsi[pf->lan_vsi]->netdev);
+- }
+
+ if (test_bit(__I40E_DOWN, pf->state) &&
+- !test_bit(__I40E_RECOVERY_MODE, pf->state) &&
+- !old_recovery_mode_bit)
++ !test_bit(__I40E_RECOVERY_MODE, pf->state))
+ goto clear_recovery;
+ dev_dbg(&pf->pdev->dev, "Rebuilding internal switch\n");
+
+@@ -10109,13 +10107,12 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ * accordingly with regard to resources initialization
+ * and deinitialization
+ */
+- if (test_bit(__I40E_RECOVERY_MODE, pf->state) ||
+- old_recovery_mode_bit) {
++ if (test_bit(__I40E_RECOVERY_MODE, pf->state)) {
+ if (i40e_get_capabilities(pf,
+ i40e_aqc_opc_list_func_capabilities))
+ goto end_unlock;
+
+- if (test_bit(__I40E_RECOVERY_MODE, pf->state)) {
++ if (is_recovery_mode_reported) {
+ /* we're staying in recovery mode so we'll reinitialize
+ * misc vector here
+ */
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index 7a30d5d5ef53a..c6905d1b6182c 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1263,11 +1263,10 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(struct iavf_ring *rx_ring,
+ {
+ struct iavf_rx_buffer *rx_buffer;
+
+- if (!size)
+- return NULL;
+-
+ rx_buffer = &rx_ring->rx_bi[rx_ring->next_to_clean];
+ prefetchw(rx_buffer->page);
++ if (!size)
++ return rx_buffer;
+
+ /* we are reusing so sync this buffer for CPU use */
+ dma_sync_single_range_for_cpu(rx_ring->dev,
+diff --git a/drivers/net/ethernet/intel/igc/igc_regs.h b/drivers/net/ethernet/intel/igc/igc_regs.h
+index 50d7c04dccf59..7bc7d7618fe1e 100644
+--- a/drivers/net/ethernet/intel/igc/igc_regs.h
++++ b/drivers/net/ethernet/intel/igc/igc_regs.h
+@@ -236,4 +236,6 @@ do { \
+
+ #define array_rd32(reg, offset) (igc_rd32(hw, (reg) + ((offset) << 2)))
+
++#define IGC_REMOVED(h) unlikely(!(h))
++
+ #endif
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+index 39e73ad60352f..fa49ef2afde5f 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+@@ -773,6 +773,7 @@ struct ixgbe_adapter {
+ #ifdef CONFIG_IXGBE_IPSEC
+ struct ixgbe_ipsec *ipsec;
+ #endif /* CONFIG_IXGBE_IPSEC */
++ spinlock_t vfs_lock;
+ };
+
+ static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter)
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8a894e5d923f0..f8aa1a0b89c5d 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6396,6 +6396,9 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter,
+ /* n-tuple support exists, always init our spinlock */
+ spin_lock_init(&adapter->fdir_perfect_lock);
+
++ /* init spinlock to avoid concurrency of VF resources */
++ spin_lock_init(&adapter->vfs_lock);
++
+ #ifdef CONFIG_IXGBE_DCB
+ ixgbe_init_dcb(adapter);
+ #endif
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index cf5c2b9465eba..0e73e3b1af19a 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -204,10 +204,13 @@ void ixgbe_enable_sriov(struct ixgbe_adapter *adapter, unsigned int max_vfs)
+ int ixgbe_disable_sriov(struct ixgbe_adapter *adapter)
+ {
+ unsigned int num_vfs = adapter->num_vfs, vf;
++ unsigned long flags;
+ int rss;
+
++ spin_lock_irqsave(&adapter->vfs_lock, flags);
+ /* set num VFs to 0 to prevent access to vfinfo */
+ adapter->num_vfs = 0;
++ spin_unlock_irqrestore(&adapter->vfs_lock, flags);
+
+ /* put the reference to all of the vf devices */
+ for (vf = 0; vf < num_vfs; ++vf) {
+@@ -1305,8 +1308,10 @@ static void ixgbe_rcv_ack_from_vf(struct ixgbe_adapter *adapter, u32 vf)
+ void ixgbe_msg_task(struct ixgbe_adapter *adapter)
+ {
+ struct ixgbe_hw *hw = &adapter->hw;
++ unsigned long flags;
+ u32 vf;
+
++ spin_lock_irqsave(&adapter->vfs_lock, flags);
+ for (vf = 0; vf < adapter->num_vfs; vf++) {
+ /* process any reset requests */
+ if (!ixgbe_check_for_rst(hw, vf))
+@@ -1320,6 +1325,7 @@ void ixgbe_msg_task(struct ixgbe_adapter *adapter)
+ if (!ixgbe_check_for_ack(hw, vf))
+ ixgbe_rcv_ack_from_vf(adapter, vf);
+ }
++ spin_unlock_irqrestore(&adapter->vfs_lock, flags);
+ }
+
+ void ixgbe_disable_tx_rx(struct ixgbe_adapter *adapter)
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+index 2f013fc716985..91214cce874b1 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -3871,7 +3871,7 @@ static bool mlxsw_sp_fi_is_gateway(const struct mlxsw_sp *mlxsw_sp,
+ {
+ const struct fib_nh *nh = fib_info_nh(fi, 0);
+
+- return nh->fib_nh_scope == RT_SCOPE_LINK ||
++ return nh->fib_nh_gw_family ||
+ mlxsw_sp_nexthop4_ipip_type(mlxsw_sp, nh, NULL);
+ }
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 66e60c7e98504..c440b192ec715 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -215,6 +215,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
+ if (queue == 0 || queue == 4) {
+ value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
+ value |= MTL_RXQ_DMA_Q04MDMACH(chan);
++ } else if (queue > 4) {
++ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
++ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
+ } else {
+ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
+ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index ea9c8361bf464..5ee3e457a79c7 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1690,7 +1690,7 @@ static const struct driver_info ax88179_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1703,7 +1703,7 @@ static const struct driver_info ax88178a_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1716,7 +1716,7 @@ static const struct driver_info cypress_GX3_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1729,7 +1729,7 @@ static const struct driver_info dlink_dub1312_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1742,7 +1742,7 @@ static const struct driver_info sitecom_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1755,7 +1755,7 @@ static const struct driver_info samsung_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1768,7 +1768,7 @@ static const struct driver_info lenovo_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+@@ -1781,7 +1781,7 @@ static const struct driver_info belkin_info = {
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+ };
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 8c45d6c32c30e..3d48fa685aaae 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1110,6 +1110,10 @@ static void hv_int_desc_free(struct hv_pci_dev *hpdev,
+ u8 buffer[sizeof(struct pci_delete_interrupt)];
+ } ctxt;
+
++ if (!int_desc->vector_count) {
++ kfree(int_desc);
++ return;
++ }
+ memset(&ctxt, 0, sizeof(ctxt));
+ int_pkt = (struct pci_delete_interrupt *)&ctxt.pkt.message;
+ int_pkt->message_type.type =
+@@ -1172,6 +1176,28 @@ static void hv_irq_mask(struct irq_data *data)
+ pci_msi_mask_irq(data);
+ }
+
++static unsigned int hv_msi_get_int_vector(struct irq_data *data)
++{
++ struct irq_cfg *cfg = irqd_cfg(data);
++
++ return cfg->vector;
++}
++
++static int hv_msi_prepare(struct irq_domain *domain, struct device *dev,
++ int nvec, msi_alloc_info_t *info)
++{
++ int ret = pci_msi_prepare(domain, dev, nvec, info);
++
++ /*
++ * By using the interrupt remapper in the hypervisor IOMMU, contiguous
++ * CPU vectors is not needed for multi-MSI
++ */
++ if (info->type == X86_IRQ_ALLOC_TYPE_MSI)
++ info->flags &= ~X86_IRQ_ALLOC_CONTIGUOUS_VECTORS;
++
++ return ret;
++}
++
+ /**
+ * hv_irq_unmask() - "Unmask" the IRQ by setting its current
+ * affinity.
+@@ -1187,6 +1213,7 @@ static void hv_irq_unmask(struct irq_data *data)
+ struct msi_desc *msi_desc = irq_data_get_msi_desc(data);
+ struct irq_cfg *cfg = irqd_cfg(data);
+ struct retarget_msi_interrupt *params;
++ struct tran_int_desc *int_desc;
+ struct hv_pcibus_device *hbus;
+ struct cpumask *dest;
+ cpumask_var_t tmp;
+@@ -1201,6 +1228,7 @@ static void hv_irq_unmask(struct irq_data *data)
+ pdev = msi_desc_to_pci_dev(msi_desc);
+ pbus = pdev->bus;
+ hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata);
++ int_desc = data->chip_data;
+
+ spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags);
+
+@@ -1208,8 +1236,8 @@ static void hv_irq_unmask(struct irq_data *data)
+ memset(params, 0, sizeof(*params));
+ params->partition_id = HV_PARTITION_ID_SELF;
+ params->int_entry.source = 1; /* MSI(-X) */
+- params->int_entry.address = msi_desc->msg.address_lo;
+- params->int_entry.data = msi_desc->msg.data;
++ params->int_entry.address = int_desc->address & 0xffffffff;
++ params->int_entry.data = int_desc->data;
+ params->device_id = (hbus->hdev->dev_instance.b[5] << 24) |
+ (hbus->hdev->dev_instance.b[4] << 16) |
+ (hbus->hdev->dev_instance.b[7] << 8) |
+@@ -1296,12 +1324,12 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp,
+
+ static u32 hv_compose_msi_req_v1(
+ struct pci_create_interrupt *int_pkt, struct cpumask *affinity,
+- u32 slot, u8 vector)
++ u32 slot, u8 vector, u8 vector_count)
+ {
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+- int_pkt->int_desc.vector_count = 1;
++ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = dest_Fixed;
+
+ /*
+@@ -1315,14 +1343,14 @@ static u32 hv_compose_msi_req_v1(
+
+ static u32 hv_compose_msi_req_v2(
+ struct pci_create_interrupt2 *int_pkt, struct cpumask *affinity,
+- u32 slot, u8 vector)
++ u32 slot, u8 vector, u8 vector_count)
+ {
+ int cpu;
+
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE2;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+- int_pkt->int_desc.vector_count = 1;
++ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = dest_Fixed;
+
+ /*
+@@ -1350,7 +1378,6 @@ static u32 hv_compose_msi_req_v2(
+ */
+ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ {
+- struct irq_cfg *cfg = irqd_cfg(data);
+ struct hv_pcibus_device *hbus;
+ struct hv_pci_dev *hpdev;
+ struct pci_bus *pbus;
+@@ -1359,6 +1386,8 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ unsigned long flags;
+ struct compose_comp_ctxt comp;
+ struct tran_int_desc *int_desc;
++ struct msi_desc *msi_desc;
++ u8 vector, vector_count;
+ struct {
+ struct pci_packet pci_pkt;
+ union {
+@@ -1370,7 +1399,17 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ u32 size;
+ int ret;
+
+- pdev = msi_desc_to_pci_dev(irq_data_get_msi_desc(data));
++ /* Reuse the previous allocation */
++ if (data->chip_data) {
++ int_desc = data->chip_data;
++ msg->address_hi = int_desc->address >> 32;
++ msg->address_lo = int_desc->address & 0xffffffff;
++ msg->data = int_desc->data;
++ return;
++ }
++
++ msi_desc = irq_data_get_msi_desc(data);
++ pdev = msi_desc_to_pci_dev(msi_desc);
+ dest = irq_data_get_effective_affinity_mask(data);
+ pbus = pdev->bus;
+ hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata);
+@@ -1378,17 +1417,40 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ if (!hpdev)
+ goto return_null_message;
+
+- /* Free any previous message that might have already been composed. */
+- if (data->chip_data) {
+- int_desc = data->chip_data;
+- data->chip_data = NULL;
+- hv_int_desc_free(hpdev, int_desc);
+- }
+-
+ int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
+ if (!int_desc)
+ goto drop_reference;
+
++ if (!msi_desc->msi_attrib.is_msix && msi_desc->nvec_used > 1) {
++ /*
++ * If this is not the first MSI of Multi MSI, we already have
++ * a mapping. Can exit early.
++ */
++ if (msi_desc->irq != data->irq) {
++ data->chip_data = int_desc;
++ int_desc->address = msi_desc->msg.address_lo |
++ (u64)msi_desc->msg.address_hi << 32;
++ int_desc->data = msi_desc->msg.data +
++ (data->irq - msi_desc->irq);
++ msg->address_hi = msi_desc->msg.address_hi;
++ msg->address_lo = msi_desc->msg.address_lo;
++ msg->data = int_desc->data;
++ put_pcichild(hpdev);
++ return;
++ }
++ /*
++ * The vector we select here is a dummy value. The correct
++ * value gets sent to the hypervisor in unmask(). This needs
++ * to be aligned with the count, and also not zero. Multi-msi
++ * is powers of 2 up to 32, so 32 will always work here.
++ */ |
1444 |
++ vector = 32; |
1445 |
++ vector_count = msi_desc->nvec_used; |
1446 |
++ } else { |
1447 |
++ vector = hv_msi_get_int_vector(data); |
1448 |
++ vector_count = 1; |
1449 |
++ } |
1450 |
++ |
1451 |
+ memset(&ctxt, 0, sizeof(ctxt)); |
1452 |
+ init_completion(&comp.comp_pkt.host_event); |
1453 |
+ ctxt.pci_pkt.completion_func = hv_pci_compose_compl; |
1454 |
+@@ -1399,14 +1461,16 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) |
1455 |
+ size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1, |
1456 |
+ dest, |
1457 |
+ hpdev->desc.win_slot.slot, |
1458 |
+- cfg->vector); |
1459 |
++ vector, |
1460 |
++ vector_count); |
1461 |
+ break; |
1462 |
+ |
1463 |
+ case PCI_PROTOCOL_VERSION_1_2: |
1464 |
+ size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2, |
1465 |
+ dest, |
1466 |
+ hpdev->desc.win_slot.slot, |
1467 |
+- cfg->vector); |
1468 |
++ vector, |
1469 |
++ vector_count); |
1470 |
+ break; |
1471 |
+ |
1472 |
+ default: |
1473 |
+@@ -1518,7 +1582,7 @@ static irq_hw_number_t hv_msi_domain_ops_get_hwirq(struct msi_domain_info *info, |
1474 |
+ |
1475 |
+ static struct msi_domain_ops hv_msi_ops = { |
1476 |
+ .get_hwirq = hv_msi_domain_ops_get_hwirq, |
1477 |
+- .msi_prepare = pci_msi_prepare, |
1478 |
++ .msi_prepare = hv_msi_prepare, |
1479 |
+ .set_desc = pci_msi_set_desc, |
1480 |
+ .msi_free = hv_msi_free, |
1481 |
+ }; |
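
The hv_compose_msi_msg() hunk above caches the composed address/data pair in a per-IRQ tran_int_desc and simply replays it on later compose calls. A rough sketch of the 64-bit split the reuse path relies on (struct and function names here are illustrative, not kernel types):

    #include <stdint.h>

    /* Sketch: how a stored 64-bit MSI address folds back into the
     * 32-bit address_hi/address_lo pair that the reuse path replays. */
    struct msi_msg_sketch {
            uint32_t address_hi;
            uint32_t address_lo;
            uint32_t data;
    };

    static void replay(uint64_t stored_addr, uint32_t stored_data,
                       struct msi_msg_sketch *msg)
    {
            msg->address_hi = stored_addr >> 32;        /* upper half */
            msg->address_lo = stored_addr & 0xffffffff; /* lower half */
            msg->data = stored_data;
    }
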
+diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
+index f9abd4364fbaa..e8149ff1d401c 100644
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -1215,15 +1215,17 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
+ bank->bank_ioport_nr = bank_ioport_nr;
+ spin_lock_init(&bank->lock);
+
+- /* create irq hierarchical domain */
+- bank->fwnode = of_node_to_fwnode(np);
++ if (pctl->domain) {
++ /* create irq hierarchical domain */
++ bank->fwnode = of_node_to_fwnode(np);
+
+- bank->domain = irq_domain_create_hierarchy(pctl->domain, 0,
+- STM32_GPIO_IRQ_LINE, bank->fwnode,
+- &stm32_gpio_domain_ops, bank);
++ bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, STM32_GPIO_IRQ_LINE,
++ bank->fwnode, &stm32_gpio_domain_ops,
++ bank);
+
+- if (!bank->domain)
+- return -ENODEV;
++ if (!bank->domain)
++ return -ENODEV;
++ }
+
+ err = gpiochip_add_data(&bank->gpio_chip, bank);
+ if (err) {
+@@ -1393,6 +1395,8 @@ int stm32_pctl_probe(struct platform_device *pdev)
+ pctl->domain = stm32_pctrl_get_irq_domain(np);
+ if (IS_ERR(pctl->domain))
+ return PTR_ERR(pctl->domain);
++ if (!pctl->domain)
++ dev_warn(dev, "pinctrl without interrupt support\n");
+
+ /* hwspinlock is optional */
+ hwlock_id = of_hwspin_lock_get_id(pdev->dev.of_node, 0);
+diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/reset/arm-versatile-reboot.c
+index 08d0a07b58ef2..c7624d7611a7e 100644
+--- a/drivers/power/reset/arm-versatile-reboot.c
++++ b/drivers/power/reset/arm-versatile-reboot.c
+@@ -146,6 +146,7 @@ static int __init versatile_reboot_probe(void)
+ versatile_reboot_type = (enum versatile_reboot)reboot_id->data;
+
+ syscon_regmap = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(syscon_regmap))
+ return PTR_ERR(syscon_regmap);
+
+diff --git a/drivers/s390/char/keyboard.h b/drivers/s390/char/keyboard.h
+index c467589c7f452..c06d399b9b1f1 100644
+--- a/drivers/s390/char/keyboard.h
++++ b/drivers/s390/char/keyboard.h
+@@ -56,7 +56,7 @@ static inline void
+ kbd_put_queue(struct tty_port *port, int ch)
+ {
+ tty_insert_flip_char(port, ch, 0);
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
+
+ static inline void
+@@ -64,5 +64,5 @@ kbd_puts_queue(struct tty_port *port, char *cp)
+ {
+ while (*cp)
+ tty_insert_flip_char(port, *cp++, 0);
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index c86c3ac6097dd..b1003876cb350 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -1159,10 +1159,14 @@ static void bcm2835_spi_handle_err(struct spi_controller *ctlr,
+ struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
+
+ /* if an error occurred and we have an active dma, then terminate */
+- dmaengine_terminate_sync(ctlr->dma_tx);
+- bs->tx_dma_active = false;
+- dmaengine_terminate_sync(ctlr->dma_rx);
+- bs->rx_dma_active = false;
++ if (ctlr->dma_tx) {
++ dmaengine_terminate_sync(ctlr->dma_tx);
++ bs->tx_dma_active = false;
++ }
++ if (ctlr->dma_rx) {
++ dmaengine_terminate_sync(ctlr->dma_rx);
++ bs->rx_dma_active = false;
++ }
+ bcm2835_spi_undo_prologue(bs);
+
+ /* and reset */
+diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
+index 0ba4e4e070a9f..7cfbdfb10e23e 100644
+--- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
++++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
+@@ -267,6 +267,8 @@ static int rt2880_pinmux_pins(struct rt2880_priv *p)
+ p->func[i]->pin_count,
+ sizeof(int),
+ GFP_KERNEL);
++ if (!p->func[i]->pins)
++ return -ENOMEM;
+ for (j = 0; j < p->func[i]->pin_count; j++)
+ p->func[i]->pins[j] = p->func[i]->pin_first + j;
+
+diff --git a/drivers/staging/speakup/spk_ttyio.c b/drivers/staging/speakup/spk_ttyio.c
+index 472804c3f44dc..aec8222361743 100644
+--- a/drivers/staging/speakup/spk_ttyio.c
++++ b/drivers/staging/speakup/spk_ttyio.c
+@@ -88,7 +88,7 @@ static int spk_ttyio_receive_buf2(struct tty_struct *tty,
+ }
+
+ if (!ldisc_data->buf_free)
+- /* ttyio_in will tty_schedule_flip */
++ /* ttyio_in will tty_flip_buffer_push */
+ return 0;
+
+ /* Make sure the consumer has read buf before we have seen
+@@ -325,7 +325,7 @@ static unsigned char ttyio_in(int timeout)
+ mb();
+ ldisc_data->buf_free = true;
+ /* Let TTY push more characters */
+- tty_schedule_flip(speakup_tty->port);
++ tty_flip_buffer_push(speakup_tty->port);
+
+ return rv;
+ }
+diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
+index 4562c8060d09e..26581d2456c8f 100644
+--- a/drivers/tty/cyclades.c
++++ b/drivers/tty/cyclades.c
+@@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_card *cinfo, int chip,
+ }
+ info->idle_stats.recv_idle = jiffies;
+ }
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+
+ /* end of service */
+ cyy_writeb(info, CyRIR, save_xir & 0x3f);
+@@ -996,7 +996,7 @@ static void cyz_handle_rx(struct cyclades_port *info)
+ mod_timer(&info->rx_full_timer, jiffies + 1);
+ #endif
+ info->idle_stats.recv_idle = jiffies;
+- tty_schedule_flip(&info->port);
++ tty_flip_buffer_push(&info->port);
+
+ /* Update rx_get */
+ cy_writel(&buf_ctrl->rx_get, new_rx_get);
+@@ -1172,7 +1172,7 @@ static void cyz_handle_cmd(struct cyclades_card *cinfo)
+ if (delta_count)
+ wake_up_interruptible(&info->port.delta_msr_wait);
+ if (special_count)
+- tty_schedule_flip(&info->port);
++ tty_flip_buffer_push(&info->port);
+ }
+ }
+
+diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c
+index 9180ca5e4dcd4..d6e82eb61fc2d 100644
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -151,7 +151,7 @@ static irqreturn_t goldfish_tty_interrupt(int irq, void *dev_id)
+ address = (unsigned long)(void *)buf;
+ goldfish_tty_rw(qtty, address, count, 0);
+
+- tty_schedule_flip(&qtty->port);
++ tty_flip_buffer_push(&qtty->port);
+ return IRQ_HANDLED;
+ }
+
+diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
+index 1254b39074edb..e67a1aef1fd0d 100644
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -1385,7 +1385,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle,
+ if (inited && !tty_throttled(tty) &&
+ MoxaPortRxQueue(p) > 0) { /* RX */
+ MoxaPortReadData(p);
+- tty_schedule_flip(&p->port);
++ tty_flip_buffer_push(&p->port);
+ }
+ } else {
+ clear_bit(EMPTYWAIT, &p->statusflags);
+@@ -1410,7 +1410,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle,
+
+ if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */
+ tty_insert_flip_char(&p->port, 0, TTY_BREAK);
+- tty_schedule_flip(&p->port);
++ tty_flip_buffer_push(&p->port);
+ }
+
+ if (intr & IntrLine)
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index c6a1d8c4e6894..73226e482e919 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -111,21 +111,11 @@ static void pty_unthrottle(struct tty_struct *tty)
+ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
+ {
+ struct tty_struct *to = tty->link;
+- unsigned long flags;
+
+- if (tty->stopped)
++ if (tty->stopped || !c)
+ return 0;
+
+- if (c > 0) {
+- spin_lock_irqsave(&to->port->lock, flags);
+- /* Stuff the data into the input queue of the other end */
+- c = tty_insert_flip_string(to->port, buf, c);
+- spin_unlock_irqrestore(&to->port->lock, flags);
+- /* And shovel */
+- if (c)
+- tty_flip_buffer_push(to->port);
+- }
+- return c;
++ return tty_insert_flip_string_and_push_buffer(to->port, buf, c);
+ }
+
+ /**
+diff --git a/drivers/tty/serial/lpc32xx_hs.c b/drivers/tty/serial/lpc32xx_hs.c
+index 9a836dcac157c..a03618f89c0dd 100644
+--- a/drivers/tty/serial/lpc32xx_hs.c
++++ b/drivers/tty/serial/lpc32xx_hs.c
+@@ -345,7 +345,7 @@ static irqreturn_t serial_lpc32xx_interrupt(int irq, void *dev_id)
+ LPC32XX_HSUART_IIR(port->membase));
+ port->icount.overrun++;
+ tty_insert_flip_char(tport, 0, TTY_OVERRUN);
+- tty_schedule_flip(tport);
++ tty_flip_buffer_push(tport);
+ }
+
+ /* Data received? */
+diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
+index 13db15118cb94..2ce0d05be3681 100644
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -443,13 +443,13 @@ static void mvebu_uart_shutdown(struct uart_port *port)
+ }
+ }
+
+-static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
++static unsigned int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
+ {
+ unsigned int d_divisor, m_divisor;
+ u32 brdv, osamp;
+
+ if (!port->uartclk)
+- return -EOPNOTSUPP;
++ return 0;
+
+ /*
+ * The baudrate is derived from the UART clock thanks to two divisors:
+@@ -473,7 +473,7 @@ static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
+ osamp &= ~OSAMP_DIVISORS_MASK;
+ writel(osamp, port->membase + UART_OSAMP);
+
+- return 0;
++ return DIV_ROUND_CLOSEST(port->uartclk, d_divisor * m_divisor);
+ }
+
+ static void mvebu_uart_set_termios(struct uart_port *port,
+@@ -510,15 +510,11 @@ static void mvebu_uart_set_termios(struct uart_port *port,
+ max_baud = 230400;
+
+ baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud);
+- if (mvebu_uart_baud_rate_set(port, baud)) {
+- /* No clock available, baudrate cannot be changed */
+- if (old)
+- baud = uart_get_baud_rate(port, old, NULL,
+- min_baud, max_baud);
+- } else {
+- tty_termios_encode_baud_rate(termios, baud, baud);
+- uart_update_timeout(port, termios->c_cflag, baud);
+- }
++ baud = mvebu_uart_baud_rate_set(port, baud);
++
++ /* In case baudrate cannot be changed, report previous old value */
++ if (baud == 0 && old)
++ baud = tty_termios_baud_rate(old);
+
+ /* Only the following flag changes are supported */
+ if (old) {
+@@ -529,6 +525,11 @@ static void mvebu_uart_set_termios(struct uart_port *port,
+ termios->c_cflag |= CS8;
+ }
+
++ if (baud != 0) {
++ tty_termios_encode_baud_rate(termios, baud, baud);
++ uart_update_timeout(port, termios->c_cflag, baud);
++ }
++
+ spin_unlock_irqrestore(&port->lock, flags);
+ }
+
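
For a sense of the arithmetic behind the new return value: mvebu_uart_baud_rate_set() now reports the rate it actually programmed. A small self-contained check, with a hypothetical 25 MHz uartclk and divisors d = 16, m = 13 (values assumed, not from the patch):

    #include <stdio.h>

    /* Simplified unsigned-only form of the kernel's DIV_ROUND_CLOSEST(). */
    #define DIV_ROUND_CLOSEST(x, d) (((x) + ((d) / 2)) / (d))

    int main(void)
    {
            unsigned int uartclk = 25000000; /* hypothetical 25 MHz clock */
            unsigned int d = 16, m = 13;     /* hypothetical divisors */

            /* The driver now reports the baud it achieved, not 0/-errno. */
            printf("%u\n", DIV_ROUND_CLOSEST(uartclk, d * m)); /* 120192 */
            return 0;
    }
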
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 47f2370ad85cb..49f39c041c351 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -394,27 +394,6 @@ int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
+ }
+ EXPORT_SYMBOL(__tty_insert_flip_char);
+
+-/**
+- * tty_schedule_flip - push characters to ldisc
+- * @port: tty port to push from
+- *
+- * Takes any pending buffers and transfers their ownership to the
+- * ldisc side of the queue. It then schedules those characters for
+- * processing by the line discipline.
+- */
+-
+-void tty_schedule_flip(struct tty_port *port)
+-{
+- struct tty_bufhead *buf = &port->buf;
+-
+- /* paired w/ acquire in flush_to_ldisc(); ensures
+- * flush_to_ldisc() sees buffer data.
+- */
+- smp_store_release(&buf->tail->commit, buf->tail->used);
+- queue_work(system_unbound_wq, &buf->work);
+-}
+-EXPORT_SYMBOL(tty_schedule_flip);
+-
+ /**
+ * tty_prepare_flip_string - make room for characters
+ * @port: tty port
+@@ -544,6 +523,15 @@ static void flush_to_ldisc(struct work_struct *work)
+
+ }
+
++static inline void tty_flip_buffer_commit(struct tty_buffer *tail)
++{
++ /*
++ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
++ * buffer data.
++ */
++ smp_store_release(&tail->commit, tail->used);
++}
++
+ /**
+ * tty_flip_buffer_push - terminal
+ * @port: tty port to push
+@@ -557,10 +545,44 @@ static void flush_to_ldisc(struct work_struct *work)
+
+ void tty_flip_buffer_push(struct tty_port *port)
+ {
+- tty_schedule_flip(port);
++ struct tty_bufhead *buf = &port->buf;
++
++ tty_flip_buffer_commit(buf->tail);
++ queue_work(system_unbound_wq, &buf->work);
+ }
+ EXPORT_SYMBOL(tty_flip_buffer_push);
+
++/**
++ * tty_insert_flip_string_and_push_buffer - add characters to the tty buffer and
++ * push
++ * @port: tty port
++ * @chars: characters
++ * @size: size
++ *
++ * The function combines tty_insert_flip_string() and tty_flip_buffer_push()
++ * with the exception of properly holding the @port->lock.
++ *
++ * To be used only internally (by pty currently).
++ *
++ * Returns: the number added.
++ */
++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
++ const unsigned char *chars, size_t size)
++{
++ struct tty_bufhead *buf = &port->buf;
++ unsigned long flags;
++
++ spin_lock_irqsave(&port->lock, flags);
++ size = tty_insert_flip_string(port, chars, size);
++ if (size)
++ tty_flip_buffer_commit(buf->tail);
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ queue_work(system_unbound_wq, &buf->work);
++
++ return size;
++}
++
+ /**
+ * tty_buffer_init - prepare a tty buffer structure
+ * @tty: tty to initialise
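
The refactor above extracts the commit step so pty can insert and commit under port->lock in one critical section, then kick the worker outside it. A minimal userspace sketch of the release/acquire pairing the comment describes, using C11 atomics on a simplified buffer (names hypothetical):

    #include <stdatomic.h>
    #include <stddef.h>

    /* Producer publishes `used` into `commit` with release semantics;
     * the consumer (flush side) reads `commit` with acquire semantics,
     * so it never observes a commit index ahead of the buffered data. */
    struct buf_sketch {
            _Atomic size_t commit;
            size_t used;
            unsigned char data[4096];
    };

    static void commit_side(struct buf_sketch *b)
    {
            /* mirrors smp_store_release(&tail->commit, tail->used) */
            atomic_store_explicit(&b->commit, b->used, memory_order_release);
    }

    static size_t flush_side(struct buf_sketch *b)
    {
            /* mirrors the paired acquire load in flush_to_ldisc() */
            return atomic_load_explicit(&b->commit, memory_order_acquire);
    }
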
+diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
+index b6e78fdbfdff9..68643f61f6f90 100644
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -310,7 +310,7 @@ int kbd_rate(struct kbd_repeat *rpt)
+ static void put_queue(struct vc_data *vc, int ch)
+ {
+ tty_insert_flip_char(&vc->port, ch, 0);
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void puts_queue(struct vc_data *vc, char *cp)
+@@ -319,7 +319,7 @@ static void puts_queue(struct vc_data *vc, char *cp)
+ tty_insert_flip_char(&vc->port, *cp, 0);
+ cp++;
+ }
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void applkey(struct vc_data *vc, int key, char mode)
+@@ -564,7 +564,7 @@ static void fn_inc_console(struct vc_data *vc)
+ static void fn_send_intr(struct vc_data *vc)
+ {
+ tty_insert_flip_char(&vc->port, 0, TTY_BREAK);
+- tty_schedule_flip(&vc->port);
++ tty_flip_buffer_push(&vc->port);
+ }
+
+ static void fn_scroll_forw(struct vc_data *vc)
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
+index c3df1660cb5c5..9d9e056f94ac8 100644
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1837,7 +1837,7 @@ static void respond_string(const char *p, struct tty_port *port)
+ tty_insert_flip_char(port, *p, 0);
+ p++;
+ }
+- tty_schedule_flip(port);
++ tty_flip_buffer_push(port);
+ }
+
+ static void cursor_report(struct vc_data *vc, struct tty_struct *tty)
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index f464793477650..bba849e5d8a7b 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -413,7 +413,8 @@ static void __unmap_grant_pages_done(int result,
+ unsigned int offset = data->unmap_ops - map->unmap_ops;
+
+ for (i = 0; i < data->count; i++) {
+- WARN_ON(map->unmap_ops[offset+i].status);
++ WARN_ON(map->unmap_ops[offset+i].status &&
++ map->unmap_ops[offset+i].handle != -1);
+ pr_debug("unmap handle=%d st=%d\n",
+ map->unmap_ops[offset+i].handle,
+ map->unmap_ops[offset+i].status);
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 4ae8becdb51db..9165bf56c6e8e 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4067,13 +4067,14 @@ static void send_repeat_remove(struct dlm_ls *ls, char *ms_name, int len)
+ rv = _create_message(ls, sizeof(struct dlm_message) + len,
+ dir_nodeid, DLM_MSG_REMOVE, &ms, &mh);
+ if (rv)
+- return;
++ goto out;
+
+ memcpy(ms->m_extra, name, len);
+ ms->m_hash = hash;
+
+ send_message(mh, ms);
+
++out:
+ spin_lock(&ls->ls_remove_spin);
+ ls->ls_remove_len = 0;
+ memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN);
+diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
+index 4c0224ff0a14b..4f1c0f8e1bb0b 100644
+--- a/include/linux/bitfield.h
++++ b/include/linux/bitfield.h
+@@ -41,6 +41,22 @@
+
+ #define __bf_shf(x) (__builtin_ffsll(x) - 1)
+
++#define __scalar_type_to_unsigned_cases(type) \
++ unsigned type: (unsigned type)0, \
++ signed type: (unsigned type)0
++
++#define __unsigned_scalar_typeof(x) typeof( \
++ _Generic((x), \
++ char: (unsigned char)0, \
++ __scalar_type_to_unsigned_cases(char), \
++ __scalar_type_to_unsigned_cases(short), \
++ __scalar_type_to_unsigned_cases(int), \
++ __scalar_type_to_unsigned_cases(long), \
++ __scalar_type_to_unsigned_cases(long long), \
++ default: (x)))
++
++#define __bf_cast_unsigned(type, x) ((__unsigned_scalar_typeof(type))(x))
++
+ #define __BF_FIELD_CHECK(_mask, _reg, _val, _pfx) \
+ ({ \
+ BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask), \
+@@ -49,7 +65,8 @@
+ BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ? \
+ ~((_mask) >> __bf_shf(_mask)) & (_val) : 0, \
+ _pfx "value too large for the field"); \
+- BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull, \
++ BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) > \
++ __bf_cast_unsigned(_reg, ~0ull), \
+ _pfx "type of reg too small for mask"); \
+ __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) + \
+ (1ULL << __bf_shf(_mask))); \
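
The widened check above guards against sign extension: with a signed register type, (typeof(_reg))~0ull evaluates to -1, which re-promotes to ULLONG_MAX in the comparison and lets an oversized mask slip through. A userspace sketch of the difference (deliberately simplified; the conversion of ~0ull to a signed char is implementation-defined but yields -1 on all relevant targets):

    #include <stdio.h>

    int main(void)
    {
            typedef signed char reg_t;       /* an 8-bit signed register type */
            unsigned long long mask = 0x100; /* needs 9 bits: too big for reg_t */

            /* Old-style check: (reg_t)~0ull is -1, re-promoted to
             * ULLONG_MAX, so the oversized mask is not flagged. */
            printf("old fires: %d\n", mask > (reg_t)~0ull);         /* 0 */

            /* New-style check: compare against ~0 in the unsigned
             * counterpart type, as __bf_cast_unsigned() arranges. */
            printf("new fires: %d\n", mask > (unsigned char)~0ull); /* 1 */
            return 0;
    }
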
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index c125fea49752f..d35c29d322d83 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -15,6 +15,7 @@
+ #include <linux/atomic.h>
+ #include <linux/debug_locks.h>
+ #include <linux/mm_types.h>
++#include <linux/mmap_lock.h>
+ #include <linux/range.h>
+ #include <linux/pfn.h>
+ #include <linux/percpu-refcount.h>
+diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h
+new file mode 100644
+index 0000000000000..97ac53b66052e
+--- /dev/null
++++ b/include/linux/mmap_lock.h
+@@ -0,0 +1,54 @@
++#ifndef _LINUX_MMAP_LOCK_H
++#define _LINUX_MMAP_LOCK_H
++
++static inline void mmap_init_lock(struct mm_struct *mm)
++{
++ init_rwsem(&mm->mmap_sem);
++}
++
++static inline void mmap_write_lock(struct mm_struct *mm)
++{
++ down_write(&mm->mmap_sem);
++}
++
++static inline int mmap_write_lock_killable(struct mm_struct *mm)
++{
++ return down_write_killable(&mm->mmap_sem);
++}
++
++static inline bool mmap_write_trylock(struct mm_struct *mm)
++{
++ return down_write_trylock(&mm->mmap_sem) != 0;
++}
++
++static inline void mmap_write_unlock(struct mm_struct *mm)
++{
++ up_write(&mm->mmap_sem);
++}
++
++static inline void mmap_write_downgrade(struct mm_struct *mm)
++{
++ downgrade_write(&mm->mmap_sem);
++}
++
++static inline void mmap_read_lock(struct mm_struct *mm)
++{
++ down_read(&mm->mmap_sem);
++}
++
++static inline int mmap_read_lock_killable(struct mm_struct *mm)
++{
++ return down_read_killable(&mm->mmap_sem);
++}
++
++static inline bool mmap_read_trylock(struct mm_struct *mm)
++{
++ return down_read_trylock(&mm->mmap_sem) != 0;
++}
++
++static inline void mmap_read_unlock(struct mm_struct *mm)
++{
++ up_read(&mm->mmap_sem);
++}
++
++#endif /* _LINUX_MMAP_LOCK_H */
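
The new header is a pure wrapper layer over the existing mmap_sem rwsem, backported so later fixes can use the named helpers. The intended call pattern, as a sketch (do_walk() is a hypothetical callee, and this is kernel-context usage rather than a standalone program):

    static int walk_vmas_sketch(struct mm_struct *mm)
    {
            int ret;

            mmap_read_lock(mm);   /* was: down_read(&mm->mmap_sem) */
            ret = do_walk(mm);    /* hypothetical read-side work   */
            mmap_read_unlock(mm); /* was: up_read(&mm->mmap_sem)   */

            return ret;
    }
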
2060 |
+diff --git a/include/linux/refcount.h b/include/linux/refcount.h |
2061 |
+index e28cce21bad6c..0ac50cf62d062 100644 |
2062 |
+--- a/include/linux/refcount.h |
2063 |
++++ b/include/linux/refcount.h |
2064 |
+@@ -1,9 +1,88 @@ |
2065 |
+ /* SPDX-License-Identifier: GPL-2.0 */ |
2066 |
++/* |
2067 |
++ * Variant of atomic_t specialized for reference counts. |
2068 |
++ * |
2069 |
++ * The interface matches the atomic_t interface (to aid in porting) but only |
2070 |
++ * provides the few functions one should use for reference counting. |
2071 |
++ * |
2072 |
++ * Saturation semantics |
2073 |
++ * ==================== |
2074 |
++ * |
2075 |
++ * refcount_t differs from atomic_t in that the counter saturates at |
2076 |
++ * REFCOUNT_SATURATED and will not move once there. This avoids wrapping the |
2077 |
++ * counter and causing 'spurious' use-after-free issues. In order to avoid the |
2078 |
++ * cost associated with introducing cmpxchg() loops into all of the saturating |
2079 |
++ * operations, we temporarily allow the counter to take on an unchecked value |
2080 |
++ * and then explicitly set it to REFCOUNT_SATURATED on detecting that underflow |
2081 |
++ * or overflow has occurred. Although this is racy when multiple threads |
2082 |
++ * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly |
2083 |
++ * equidistant from 0 and INT_MAX we minimise the scope for error: |
2084 |
++ * |
2085 |
++ * INT_MAX REFCOUNT_SATURATED UINT_MAX |
2086 |
++ * 0 (0x7fff_ffff) (0xc000_0000) (0xffff_ffff) |
2087 |
++ * +--------------------------------+----------------+----------------+ |
2088 |
++ * <---------- bad value! ----------> |
2089 |
++ * |
2090 |
++ * (in a signed view of the world, the "bad value" range corresponds to |
2091 |
++ * a negative counter value). |
2092 |
++ * |
2093 |
++ * As an example, consider a refcount_inc() operation that causes the counter |
2094 |
++ * to overflow: |
2095 |
++ * |
2096 |
++ * int old = atomic_fetch_add_relaxed(r); |
2097 |
++ * // old is INT_MAX, refcount now INT_MIN (0x8000_0000) |
2098 |
++ * if (old < 0) |
2099 |
++ * atomic_set(r, REFCOUNT_SATURATED); |
2100 |
++ * |
2101 |
++ * If another thread also performs a refcount_inc() operation between the two |
2102 |
++ * atomic operations, then the count will continue to edge closer to 0. If it |
2103 |
++ * reaches a value of 1 before /any/ of the threads reset it to the saturated |
2104 |
++ * value, then a concurrent refcount_dec_and_test() may erroneously free the |
2105 |
++ * underlying object. Given the precise timing details involved with the |
2106 |
++ * round-robin scheduling of each thread manipulating the refcount and the need |
2107 |
++ * to hit the race multiple times in succession, there doesn't appear to be a |
2108 |
++ * practical avenue of attack even if using refcount_add() operations with |
2109 |
++ * larger increments. |
2110 |
++ * |
2111 |
++ * Memory ordering |
2112 |
++ * =============== |
2113 |
++ * |
2114 |
++ * Memory ordering rules are slightly relaxed wrt regular atomic_t functions |
2115 |
++ * and provide only what is strictly required for refcounts. |
2116 |
++ * |
2117 |
++ * The increments are fully relaxed; these will not provide ordering. The |
2118 |
++ * rationale is that whatever is used to obtain the object we're increasing the |
2119 |
++ * reference count on will provide the ordering. For locked data structures, |
2120 |
++ * its the lock acquire, for RCU/lockless data structures its the dependent |
2121 |
++ * load. |
2122 |
++ * |
2123 |
++ * Do note that inc_not_zero() provides a control dependency which will order |
2124 |
++ * future stores against the inc, this ensures we'll never modify the object |
2125 |
++ * if we did not in fact acquire a reference. |
2126 |
++ * |
2127 |
++ * The decrements will provide release order, such that all the prior loads and |
2128 |
++ * stores will be issued before, it also provides a control dependency, which |
2129 |
++ * will order us against the subsequent free(). |
2130 |
++ * |
2131 |
++ * The control dependency is against the load of the cmpxchg (ll/sc) that |
2132 |
++ * succeeded. This means the stores aren't fully ordered, but this is fine |
2133 |
++ * because the 1->0 transition indicates no concurrency. |
2134 |
++ * |
2135 |
++ * Note that the allocator is responsible for ordering things between free() |
2136 |
++ * and alloc(). |
2137 |
++ * |
2138 |
++ * The decrements dec_and_test() and sub_and_test() also provide acquire |
2139 |
++ * ordering on success. |
2140 |
++ * |
2141 |
++ */ |
2142 |
++ |
2143 |
+ #ifndef _LINUX_REFCOUNT_H |
2144 |
+ #define _LINUX_REFCOUNT_H |
2145 |
+ |
2146 |
+ #include <linux/atomic.h> |
2147 |
++#include <linux/bug.h> |
2148 |
+ #include <linux/compiler.h> |
2149 |
++#include <linux/limits.h> |
2150 |
+ #include <linux/spinlock_types.h> |
2151 |
+ |
2152 |
+ struct mutex; |
2153 |
+@@ -12,7 +91,7 @@ struct mutex; |
2154 |
+ * struct refcount_t - variant of atomic_t specialized for reference counts |
2155 |
+ * @refs: atomic_t counter field |
2156 |
+ * |
2157 |
+- * The counter saturates at UINT_MAX and will not move once |
2158 |
++ * The counter saturates at REFCOUNT_SATURATED and will not move once |
2159 |
+ * there. This avoids wrapping the counter and causing 'spurious' |
2160 |
+ * use-after-free bugs. |
2161 |
+ */ |
2162 |
+@@ -21,13 +100,25 @@ typedef struct refcount_struct { |
2163 |
+ } refcount_t; |
2164 |
+ |
2165 |
+ #define REFCOUNT_INIT(n) { .refs = ATOMIC_INIT(n), } |
2166 |
++#define REFCOUNT_MAX INT_MAX |
2167 |
++#define REFCOUNT_SATURATED (INT_MIN / 2) |
2168 |
++ |
2169 |
++enum refcount_saturation_type { |
2170 |
++ REFCOUNT_ADD_NOT_ZERO_OVF, |
2171 |
++ REFCOUNT_ADD_OVF, |
2172 |
++ REFCOUNT_ADD_UAF, |
2173 |
++ REFCOUNT_SUB_UAF, |
2174 |
++ REFCOUNT_DEC_LEAK, |
2175 |
++}; |
2176 |
++ |
2177 |
++void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t); |
2178 |
+ |
2179 |
+ /** |
2180 |
+ * refcount_set - set a refcount's value |
2181 |
+ * @r: the refcount |
2182 |
+ * @n: value to which the refcount will be set |
2183 |
+ */ |
2184 |
+-static inline void refcount_set(refcount_t *r, unsigned int n) |
2185 |
++static inline void refcount_set(refcount_t *r, int n) |
2186 |
+ { |
2187 |
+ atomic_set(&r->refs, n); |
2188 |
+ } |
2189 |
+@@ -43,70 +134,168 @@ static inline unsigned int refcount_read(const refcount_t *r) |
2190 |
+ return atomic_read(&r->refs); |
2191 |
+ } |
2192 |
+ |
2193 |
+-extern __must_check bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r); |
2194 |
+-extern void refcount_add_checked(unsigned int i, refcount_t *r); |
2195 |
+- |
2196 |
+-extern __must_check bool refcount_inc_not_zero_checked(refcount_t *r); |
2197 |
+-extern void refcount_inc_checked(refcount_t *r); |
2198 |
+- |
2199 |
+-extern __must_check bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r); |
2200 |
+- |
2201 |
+-extern __must_check bool refcount_dec_and_test_checked(refcount_t *r); |
2202 |
+-extern void refcount_dec_checked(refcount_t *r); |
2203 |
+- |
2204 |
+-#ifdef CONFIG_REFCOUNT_FULL |
2205 |
+- |
2206 |
+-#define refcount_add_not_zero refcount_add_not_zero_checked |
2207 |
+-#define refcount_add refcount_add_checked |
2208 |
+- |
2209 |
+-#define refcount_inc_not_zero refcount_inc_not_zero_checked |
2210 |
+-#define refcount_inc refcount_inc_checked |
2211 |
++/** |
2212 |
++ * refcount_add_not_zero - add a value to a refcount unless it is 0 |
2213 |
++ * @i: the value to add to the refcount |
2214 |
++ * @r: the refcount |
2215 |
++ * |
2216 |
++ * Will saturate at REFCOUNT_SATURATED and WARN. |
2217 |
++ * |
2218 |
++ * Provides no memory ordering, it is assumed the caller has guaranteed the |
2219 |
++ * object memory to be stable (RCU, etc.). It does provide a control dependency |
2220 |
++ * and thereby orders future stores. See the comment on top. |
2221 |
++ * |
2222 |
++ * Use of this function is not recommended for the normal reference counting |
2223 |
++ * use case in which references are taken and released one at a time. In these |
2224 |
++ * cases, refcount_inc(), or one of its variants, should instead be used to |
2225 |
++ * increment a reference count. |
2226 |
++ * |
2227 |
++ * Return: false if the passed refcount is 0, true otherwise |
2228 |
++ */ |
2229 |
++static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) |
2230 |
++{ |
2231 |
++ int old = refcount_read(r); |
2232 |
+ |
2233 |
+-#define refcount_sub_and_test refcount_sub_and_test_checked |
2234 |
++ do { |
2235 |
++ if (!old) |
2236 |
++ break; |
2237 |
++ } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i)); |
2238 |
+ |
2239 |
+-#define refcount_dec_and_test refcount_dec_and_test_checked |
2240 |
+-#define refcount_dec refcount_dec_checked |
2241 |
++ if (unlikely(old < 0 || old + i < 0)) |
2242 |
++ refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF); |
2243 |
+ |
2244 |
+-#else |
2245 |
+-# ifdef CONFIG_ARCH_HAS_REFCOUNT |
2246 |
+-# include <asm/refcount.h> |
2247 |
+-# else |
2248 |
+-static inline __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r) |
2249 |
+-{ |
2250 |
+- return atomic_add_unless(&r->refs, i, 0); |
2251 |
++ return old; |
2252 |
+ } |
2253 |
+ |
2254 |
+-static inline void refcount_add(unsigned int i, refcount_t *r) |
2255 |
++/** |
2256 |
++ * refcount_add - add a value to a refcount |
2257 |
++ * @i: the value to add to the refcount |
2258 |
++ * @r: the refcount |
2259 |
++ * |
2260 |
++ * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WARN. |
2261 |
++ * |
2262 |
++ * Provides no memory ordering, it is assumed the caller has guaranteed the |
2263 |
++ * object memory to be stable (RCU, etc.). It does provide a control dependency |
2264 |
++ * and thereby orders future stores. See the comment on top. |
2265 |
++ * |
2266 |
++ * Use of this function is not recommended for the normal reference counting |
2267 |
++ * use case in which references are taken and released one at a time. In these |
2268 |
++ * cases, refcount_inc(), or one of its variants, should instead be used to |
2269 |
++ * increment a reference count. |
2270 |
++ */ |
2271 |
++static inline void refcount_add(int i, refcount_t *r) |
2272 |
+ { |
2273 |
+- atomic_add(i, &r->refs); |
2274 |
++ int old = atomic_fetch_add_relaxed(i, &r->refs); |
2275 |
++ |
2276 |
++ if (unlikely(!old)) |
2277 |
++ refcount_warn_saturate(r, REFCOUNT_ADD_UAF); |
2278 |
++ else if (unlikely(old < 0 || old + i < 0)) |
2279 |
++ refcount_warn_saturate(r, REFCOUNT_ADD_OVF); |
2280 |
+ } |
2281 |
+ |
2282 |
++/** |
2283 |
++ * refcount_inc_not_zero - increment a refcount unless it is 0 |
2284 |
++ * @r: the refcount to increment |
2285 |
++ * |
2286 |
++ * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURATED |
2287 |
++ * and WARN. |
2288 |
++ * |
2289 |
++ * Provides no memory ordering, it is assumed the caller has guaranteed the |
2290 |
++ * object memory to be stable (RCU, etc.). It does provide a control dependency |
2291 |
++ * and thereby orders future stores. See the comment on top. |
2292 |
++ * |
2293 |
++ * Return: true if the increment was successful, false otherwise |
2294 |
++ */ |
2295 |
+ static inline __must_check bool refcount_inc_not_zero(refcount_t *r) |
2296 |
+ { |
2297 |
+- return atomic_add_unless(&r->refs, 1, 0); |
2298 |
++ return refcount_add_not_zero(1, r); |
2299 |
+ } |
2300 |
+ |
2301 |
++/** |
2302 |
++ * refcount_inc - increment a refcount |
2303 |
++ * @r: the refcount to increment |
2304 |
++ * |
2305 |
++ * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WARN. |
2306 |
++ * |
2307 |
++ * Provides no memory ordering, it is assumed the caller already has a |
2308 |
++ * reference on the object. |
2309 |
++ * |
2310 |
++ * Will WARN if the refcount is 0, as this represents a possible use-after-free |
2311 |
++ * condition. |
2312 |
++ */ |
2313 |
+ static inline void refcount_inc(refcount_t *r) |
2314 |
+ { |
2315 |
+- atomic_inc(&r->refs); |
2316 |
++ refcount_add(1, r); |
2317 |
+ } |
2318 |
+ |
2319 |
+-static inline __must_check bool refcount_sub_and_test(unsigned int i, refcount_t *r) |
2320 |
++/** |
2321 |
++ * refcount_sub_and_test - subtract from a refcount and test if it is 0 |
2322 |
++ * @i: amount to subtract from the refcount |
2323 |
++ * @r: the refcount |
2324 |
++ * |
2325 |
++ * Similar to atomic_dec_and_test(), but it will WARN, return false and |
2326 |
++ * ultimately leak on underflow and will fail to decrement when saturated |
2327 |
++ * at REFCOUNT_SATURATED. |
2328 |
++ * |
2329 |
++ * Provides release memory ordering, such that prior loads and stores are done |
2330 |
++ * before, and provides an acquire ordering on success such that free() |
2331 |
++ * must come after. |
2332 |
++ * |
2333 |
++ * Use of this function is not recommended for the normal reference counting |
2334 |
++ * use case in which references are taken and released one at a time. In these |
2335 |
++ * cases, refcount_dec(), or one of its variants, should instead be used to |
2336 |
++ * decrement a reference count. |
2337 |
++ * |
2338 |
++ * Return: true if the resulting refcount is 0, false otherwise |
2339 |
++ */ |
2340 |
++static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) |
2341 |
+ { |
2342 |
+- return atomic_sub_and_test(i, &r->refs); |
2343 |
++ int old = atomic_fetch_sub_release(i, &r->refs); |
2344 |
++ |
2345 |
++ if (old == i) { |
2346 |
++ smp_acquire__after_ctrl_dep(); |
2347 |
++ return true; |
2348 |
++ } |
2349 |
++ |
2350 |
++ if (unlikely(old < 0 || old - i < 0)) |
2351 |
++ refcount_warn_saturate(r, REFCOUNT_SUB_UAF); |
2352 |
++ |
2353 |
++ return false; |
2354 |
+ } |
2355 |
+ |
2356 |
++/** |
2357 |
++ * refcount_dec_and_test - decrement a refcount and test if it is 0 |
2358 |
++ * @r: the refcount |
2359 |
++ * |
2360 |
++ * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to |
2361 |
++ * decrement when saturated at REFCOUNT_SATURATED. |
2362 |
++ * |
2363 |
++ * Provides release memory ordering, such that prior loads and stores are done |
2364 |
++ * before, and provides an acquire ordering on success such that free() |
2365 |
++ * must come after. |
2366 |
++ * |
2367 |
++ * Return: true if the resulting refcount is 0, false otherwise |
2368 |
++ */ |
2369 |
+ static inline __must_check bool refcount_dec_and_test(refcount_t *r) |
2370 |
+ { |
2371 |
+- return atomic_dec_and_test(&r->refs); |
2372 |
++ return refcount_sub_and_test(1, r); |
2373 |
+ } |
2374 |
+ |
2375 |
++/** |
2376 |
++ * refcount_dec - decrement a refcount |
2377 |
++ * @r: the refcount |
2378 |
++ * |
2379 |
++ * Similar to atomic_dec(), it will WARN on underflow and fail to decrement |
2380 |
++ * when saturated at REFCOUNT_SATURATED. |
2381 |
++ * |
2382 |
++ * Provides release memory ordering, such that prior loads and stores are done |
2383 |
++ * before. |
2384 |
++ */ |
2385 |
+ static inline void refcount_dec(refcount_t *r) |
2386 |
+ { |
2387 |
+- atomic_dec(&r->refs); |
2388 |
++ if (unlikely(atomic_fetch_sub_release(1, &r->refs) <= 1)) |
2389 |
++ refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); |
2390 |
+ } |
2391 |
+-# endif /* !CONFIG_ARCH_HAS_REFCOUNT */ |
2392 |
+-#endif /* CONFIG_REFCOUNT_FULL */ |
2393 |
+ |
2394 |
+ extern __must_check bool refcount_dec_if_one(refcount_t *r); |
2395 |
+ extern __must_check bool refcount_dec_not_one(refcount_t *r); |
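
The overflow tests in the new inlines key off the pre-add value: once the counter is in the negative half of the range, old < 0 catches it, and old + i < 0 catches the transition past INT_MAX. A userspace sketch of the predicate (the kernel builds with -fno-strict-overflow; here the wrap is routed through unsigned arithmetic so the demo stays well-defined):

    #include <limits.h>
    #include <stdio.h>

    /* Sketch of refcount_add()'s saturation test: returns 1 when the
     * add overflowed or was applied to an already-zero refcount. */
    static int add_saturates(int old, int i)
    {
            /* old + i with defined wraparound */
            int sum = (int)((unsigned)old + (unsigned)i);

            return old == 0 || old < 0 || sum < 0;
    }

    int main(void)
    {
            printf("%d\n", add_saturates(1, 1));           /* 0: fine      */
            printf("%d\n", add_saturates(INT_MAX, 1));     /* 1: overflow  */
            printf("%d\n", add_saturates(0, 1));           /* 1: UAF case  */
            printf("%d\n", add_saturates(INT_MIN / 2, 1)); /* 1: saturated */
            return 0;
    }
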
+diff --git a/include/linux/tty_flip.h b/include/linux/tty_flip.h
+index 767f62086bd9b..c326bfdb5ec2c 100644
+--- a/include/linux/tty_flip.h
++++ b/include/linux/tty_flip.h
+@@ -12,7 +12,6 @@ extern int tty_insert_flip_string_fixed_flag(struct tty_port *port,
+ extern int tty_prepare_flip_string(struct tty_port *port,
+ unsigned char **chars, size_t size);
+ extern void tty_flip_buffer_push(struct tty_port *port);
+-void tty_schedule_flip(struct tty_port *port);
+ int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag);
+
+ static inline int tty_insert_flip_char(struct tty_port *port,
+@@ -40,4 +39,7 @@ static inline int tty_insert_flip_string(struct tty_port *port,
+ extern void tty_buffer_lock_exclusive(struct tty_port *port);
+ extern void tty_buffer_unlock_exclusive(struct tty_port *port);
+
++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
++ const unsigned char *chars, size_t cnt);
++
+ #endif /* _LINUX_TTY_FLIP_H */
+diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
+index fabee6db0abb7..421d41ef4e9ca 100644
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -370,6 +370,71 @@ out:
+ return NULL;
+ }
+
++/* Shall not be called with lock_sock held */
++static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
++ struct msghdr *msg,
++ size_t len, size_t mtu,
++ size_t headroom, size_t tailroom)
++{
++ struct sk_buff *skb;
++ size_t size = min_t(size_t, len, mtu);
++ int err;
++
++ skb = bt_skb_send_alloc(sk, size + headroom + tailroom,
++ msg->msg_flags & MSG_DONTWAIT, &err);
++ if (!skb)
++ return ERR_PTR(err);
++
++ skb_reserve(skb, headroom);
++ skb_tailroom_reserve(skb, mtu, tailroom);
++
++ if (!copy_from_iter_full(skb_put(skb, size), size, &msg->msg_iter)) {
++ kfree_skb(skb);
++ return ERR_PTR(-EFAULT);
++ }
++
++ skb->priority = sk->sk_priority;
++
++ return skb;
++}
++
++/* Similar to bt_skb_sendmsg but can split the msg into multiple fragments
++ * according to the MTU.
++ */
++static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk,
++ struct msghdr *msg,
++ size_t len, size_t mtu,
++ size_t headroom, size_t tailroom)
++{
++ struct sk_buff *skb, **frag;
++
++ skb = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom);
++ if (IS_ERR_OR_NULL(skb))
++ return skb;
++
++ len -= skb->len;
++ if (!len)
++ return skb;
++
++ /* Add remaining data over MTU as continuation fragments */
++ frag = &skb_shinfo(skb)->frag_list;
++ while (len) {
++ struct sk_buff *tmp;
++
++ tmp = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom);
++ if (IS_ERR(tmp)) {
++ return skb;
++ }
++
++ len -= tmp->len;
++
++ *frag = tmp;
++ frag = &(*frag)->next;
++ }
++
++ return skb;
++}
++
+ int bt_to_errno(u16 code);
+
+ void hci_sock_set_flag(struct sock *sk, int nr);
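
The loop in bt_skb_sendmmsg() above carves the message into MTU-sized pieces chained on frag_list. The sizes it produces, sketched with hypothetical numbers (a 700-byte message over a 256-byte MTU yields 256 + 256 + 188):

    #include <stddef.h>
    #include <stdio.h>

    int main(void)
    {
            size_t len = 700, mtu = 256; /* hypothetical message and MTU */

            while (len) {
                    /* min_t(size_t, len, mtu) in the kernel helper */
                    size_t size = len < mtu ? len : mtu;

                    printf("fragment of %zu bytes\n", size);
                    len -= size;
            }
            return 0;
    }
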
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index 34c4436fd18ff..58db7c69c146d 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -107,7 +107,8 @@ static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk)
+
+ static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff *skb)
+ {
+- if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
++ if (!sk->sk_mark &&
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept))
+ return skb->mark;
+
+ return sk->sk_mark;
+@@ -375,7 +376,7 @@ static inline bool inet_get_convert_csum(struct sock *sk)
+ static inline bool inet_can_nonlocal_bind(struct net *net,
+ struct inet_sock *inet)
+ {
+- return net->ipv4.sysctl_ip_nonlocal_bind ||
++ return READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind) ||
+ inet->freebind || inet->transparent;
+ }
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 3f3ea86b2173c..db841ab388c0e 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -381,7 +381,7 @@ void ipfrag_init(void);
+ void ip_static_sysctl_init(void);
+
+ #define IP4_REPLY_MARK(net, mark) \
+- ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0)
++ (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0)
+
+ static inline bool ip_is_fragment(const struct iphdr *iph)
+ {
+@@ -442,7 +442,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
+ struct net *net = dev_net(dst->dev);
+ unsigned int mtu;
+
+- if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
++ if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
+ ip_mtu_locked(dst) ||
+ !forwarding)
+ return dst_mtu(dst);
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 65be8bd1f0f4a..aaf1d5d5a13b0 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1373,8 +1373,8 @@ static inline void tcp_slow_start_after_idle_check(struct sock *sk)
+ struct tcp_sock *tp = tcp_sk(sk);
+ s32 delta;
+
+- if (!sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle || tp->packets_out ||
+- ca_ops->cong_control)
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) ||
++ tp->packets_out || ca_ops->cong_control)
+ return;
+ delta = tcp_jiffies32 - tp->lsndtime;
+ if (delta > inet_csk(sk)->icsk_rto)
+@@ -1465,7 +1465,8 @@ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
+
+ static inline int tcp_fin_time(const struct sock *sk)
+ {
+- int fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout;
++ int fin_timeout = tcp_sk(sk)->linger2 ? :
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout);
+ const int rto = inet_csk(sk)->icsk_rto;
+
+ if (fin_timeout < (rto << 2) - (rto >> 1))
+@@ -1946,7 +1947,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
+ static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
+- return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat;
++ return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
+ }
+
+ /* @wake is one when sk_stream_write_space() calls us.
+diff --git a/include/net/udp.h b/include/net/udp.h
+index 9787a42f7ed3e..e66854e767dcc 100644
+--- a/include/net/udp.h
++++ b/include/net/udp.h
+@@ -252,7 +252,7 @@ static inline bool udp_sk_bound_dev_eq(struct net *net, int bound_dev_if,
+ int dif, int sdif)
+ {
+ #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
+- return inet_bound_dev_eq(!!net->ipv4.sysctl_udp_l3mdev_accept,
++ return inet_bound_dev_eq(!!READ_ONCE(net->ipv4.sysctl_udp_l3mdev_accept),
+ bound_dev_if, dif, sdif);
+ #else
+ return inet_bound_dev_eq(true, bound_dev_if, dif, sdif);
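
All of the sysctl hunks in this patch share one idea: these knobs are written from /proc with no lock that readers take, so lockless readers need READ_ONCE() to get a single untorn load the compiler cannot re-read or cache. A userspace analog using C11 relaxed atomics, which give the same single-load guarantee (names hypothetical):

    #include <stdatomic.h>

    /* One thread (the sysctl handler) writes the knob; others read it
     * locklessly. A relaxed atomic access guarantees an untorn,
     * non-cached load/store, much like READ_ONCE()/WRITE_ONCE(). */
    static _Atomic int sysctl_knob = 1;

    int knob_enabled(void)
    {
            return atomic_load_explicit(&sysctl_knob, memory_order_relaxed);
    }

    void knob_write(int v)
    {
            atomic_store_explicit(&sysctl_knob, v, memory_order_relaxed);
    }
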
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 1238ef9c569df..6b33a8a148b85 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -64,11 +64,13 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns
+ {
+ u8 *ptr = NULL;
+
+- if (k >= SKF_NET_OFF)
++ if (k >= SKF_NET_OFF) {
+ ptr = skb_network_header(skb) + k - SKF_NET_OFF;
+- else if (k >= SKF_LL_OFF)
++ } else if (k >= SKF_LL_OFF) {
++ if (unlikely(!skb_mac_header_was_set(skb)))
++ return NULL;
+ ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
+-
++ }
+ if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
+ return ptr;
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 8336dcb2bd432..0a54780e0942d 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5819,10 +5819,10 @@ again:
+
+ if (!atomic_inc_not_zero(&event->rb->mmap_count)) {
+ /*
+- * Raced against perf_mmap_close() through
+- * perf_event_set_output(). Try again, hope for better
+- * luck.
++ * Raced against perf_mmap_close(); remove the
++ * event and try again.
+ */
++ ring_buffer_attach(event, NULL);
+ mutex_unlock(&event->mmap_mutex);
+ goto again;
+ }
+@@ -10763,14 +10763,25 @@ err_size:
+ goto out;
+ }
+
++static void mutex_lock_double(struct mutex *a, struct mutex *b)
++{
++ if (b < a)
++ swap(a, b);
++
++ mutex_lock(a);
++ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
++}
++
+ static int
+ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ {
+ struct ring_buffer *rb = NULL;
+ int ret = -EINVAL;
+
+- if (!output_event)
++ if (!output_event) {
++ mutex_lock(&event->mmap_mutex);
+ goto set;
++ }
+
+ /* don't allow circular references */
+ if (event == output_event)
+@@ -10808,8 +10819,15 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ event->pmu != output_event->pmu)
+ goto out;
+
++ /*
++ * Hold both mmap_mutex to serialize against perf_mmap_close(). Since
++ * output_event is already on rb->event_list, and the list iteration
++ * restarts after every removal, it is guaranteed this new event is
++ * observed *OR* if output_event is already removed, it's guaranteed we
++ * observe !rb->mmap_count.
++ */
++ mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex);
+ set:
+- mutex_lock(&event->mmap_mutex);
+ /* Can't redirect output if we've got an active mmap() */
+ if (atomic_read(&event->mmap_count))
+ goto unlock;
+@@ -10819,6 +10837,12 @@ set:
+ rb = ring_buffer_get(output_event);
+ if (!rb)
+ goto unlock;
++
++ /* did we race against perf_mmap_close() */
++ if (!atomic_read(&rb->mmap_count)) {
++ ring_buffer_put(rb);
++ goto unlock;
++ }
+ }
+
+ ring_buffer_attach(event, rb);
+@@ -10826,20 +10850,13 @@ set:
+ ret = 0;
+ unlock:
+ mutex_unlock(&event->mmap_mutex);
++ if (output_event)
++ mutex_unlock(&output_event->mmap_mutex);
+
+ out:
+ return ret;
+ }
+
+-static void mutex_lock_double(struct mutex *a, struct mutex *b)
+-{
+- if (b < a)
+- swap(a, b);
+-
+- mutex_lock(a);
+- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+-}
+-
+ static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id)
+ {
+ bool nmi_safe = false;
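
mutex_lock_double(), moved above its new caller, avoids ABBA deadlock by always taking the lower-addressed mutex first: two tasks locking the same pair in opposite argument order still agree on the order. A pthread sketch of the same trick (the raw pointer comparison mirrors the kernel's approach):

    #include <pthread.h>

    /* Address-ordered double lock: whichever order callers pass the
     * two mutexes in, the lower address is locked first, so the pair
     * can never be taken in conflicting orders by two threads. */
    static void lock_double(pthread_mutex_t *a, pthread_mutex_t *b)
    {
            if ((void *)b < (void *)a) {
                    pthread_mutex_t *t = a;

                    a = b;
                    b = t;
            }
            pthread_mutex_lock(a);
            pthread_mutex_lock(b);
    }
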
+diff --git a/lib/refcount.c b/lib/refcount.c
+index 6e904af0fb3e1..ebac8b7d15a7c 100644
+--- a/lib/refcount.c
++++ b/lib/refcount.c
+@@ -1,41 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /*
+- * Variant of atomic_t specialized for reference counts.
+- *
+- * The interface matches the atomic_t interface (to aid in porting) but only
+- * provides the few functions one should use for reference counting.
+- *
+- * It differs in that the counter saturates at UINT_MAX and will not move once
+- * there. This avoids wrapping the counter and causing 'spurious'
+- * use-after-free issues.
+- *
+- * Memory ordering rules are slightly relaxed wrt regular atomic_t functions
+- * and provide only what is strictly required for refcounts.
+- *
+- * The increments are fully relaxed; these will not provide ordering. The
+- * rationale is that whatever is used to obtain the object we're increasing the
+- * reference count on will provide the ordering. For locked data structures,
+- * its the lock acquire, for RCU/lockless data structures its the dependent
+- * load.
+- *
+- * Do note that inc_not_zero() provides a control dependency which will order
+- * future stores against the inc, this ensures we'll never modify the object
+- * if we did not in fact acquire a reference.
+- *
+- * The decrements will provide release order, such that all the prior loads and
+- * stores will be issued before, it also provides a control dependency, which
+- * will order us against the subsequent free().
+- *
+- * The control dependency is against the load of the cmpxchg (ll/sc) that
+- * succeeded. This means the stores aren't fully ordered, but this is fine
+- * because the 1->0 transition indicates no concurrency.
+- *
+- * Note that the allocator is responsible for ordering things between free()
+- * and alloc().
+- *
+- * The decrements dec_and_test() and sub_and_test() also provide acquire
+- * ordering on success.
+- *
++ * Out-of-line refcount functions.
+ */
+
+ #include <linux/mutex.h>
+@@ -43,199 +8,33 @@
+ #include <linux/spinlock.h>
+ #include <linux/bug.h>
+
+-/**
+- * refcount_add_not_zero_checked - add a value to a refcount unless it is 0
+- * @i: the value to add to the refcount
+- * @r: the refcount
+- *
+- * Will saturate at UINT_MAX and WARN.
+- *
+- * Provides no memory ordering, it is assumed the caller has guaranteed the
+- * object memory to be stable (RCU, etc.). It does provide a control dependency
+- * and thereby orders future stores. See the comment on top.
+- *
+- * Use of this function is not recommended for the normal reference counting
+- * use case in which references are taken and released one at a time. In these
+- * cases, refcount_inc(), or one of its variants, should instead be used to
+- * increment a reference count.
+- *
+- * Return: false if the passed refcount is 0, true otherwise
+- */
+-bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r)
+-{
+- unsigned int new, val = atomic_read(&r->refs);
+-
+- do {
+- if (!val)
+- return false;
+-
+- if (unlikely(val == UINT_MAX))
+- return true;
+-
+- new = val + i;
+- if (new < val)
+- new = UINT_MAX;
+-
+- } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
+-
+- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
+-
2791 |
+- return true; |
2792 |
+-} |
2793 |
+-EXPORT_SYMBOL(refcount_add_not_zero_checked); |
2794 |
+- |
2795 |
+-/** |
2796 |
+- * refcount_add_checked - add a value to a refcount |
2797 |
+- * @i: the value to add to the refcount |
2798 |
+- * @r: the refcount |
2799 |
+- * |
2800 |
+- * Similar to atomic_add(), but will saturate at UINT_MAX and WARN. |
2801 |
+- * |
2802 |
+- * Provides no memory ordering, it is assumed the caller has guaranteed the |
2803 |
+- * object memory to be stable (RCU, etc.). It does provide a control dependency |
2804 |
+- * and thereby orders future stores. See the comment on top. |
2805 |
+- * |
2806 |
+- * Use of this function is not recommended for the normal reference counting |
2807 |
+- * use case in which references are taken and released one at a time. In these |
2808 |
+- * cases, refcount_inc(), or one of its variants, should instead be used to |
2809 |
+- * increment a reference count. |
2810 |
+- */ |
2811 |
+-void refcount_add_checked(unsigned int i, refcount_t *r) |
2812 |
+-{ |
2813 |
+- WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on 0; use-after-free.\n"); |
2814 |
+-} |
2815 |
+-EXPORT_SYMBOL(refcount_add_checked); |
2816 |
+- |
2817 |
+-/** |
2818 |
+- * refcount_inc_not_zero_checked - increment a refcount unless it is 0 |
2819 |
+- * @r: the refcount to increment |
2820 |
+- * |
2821 |
+- * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WARN. |
2822 |
+- * |
2823 |
+- * Provides no memory ordering, it is assumed the caller has guaranteed the |
2824 |
+- * object memory to be stable (RCU, etc.). It does provide a control dependency |
2825 |
+- * and thereby orders future stores. See the comment on top. |
2826 |
+- * |
2827 |
+- * Return: true if the increment was successful, false otherwise |
2828 |
+- */ |
2829 |
+-bool refcount_inc_not_zero_checked(refcount_t *r) |
2830 |
+-{ |
2831 |
+- unsigned int new, val = atomic_read(&r->refs); |
2832 |
+- |
2833 |
+- do { |
2834 |
+- new = val + 1; |
2835 |
+- |
2836 |
+- if (!val) |
2837 |
+- return false; |
2838 |
+- |
2839 |
+- if (unlikely(!new)) |
2840 |
+- return true; |
2841 |
+- |
2842 |
+- } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); |
2843 |
++#define REFCOUNT_WARN(str) WARN_ONCE(1, "refcount_t: " str ".\n") |
2844 |
+ |
2845 |
+- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); |
2846 |
+- |
2847 |
+- return true; |
2848 |
+-} |
2849 |
+-EXPORT_SYMBOL(refcount_inc_not_zero_checked); |
2850 |
+- |
2851 |
+-/** |
2852 |
+- * refcount_inc_checked - increment a refcount |
2853 |
+- * @r: the refcount to increment |
2854 |
+- * |
2855 |
+- * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN. |
2856 |
+- * |
2857 |
+- * Provides no memory ordering, it is assumed the caller already has a |
2858 |
+- * reference on the object. |
2859 |
+- * |
2860 |
+- * Will WARN if the refcount is 0, as this represents a possible use-after-free |
2861 |
+- * condition. |
2862 |
+- */ |
2863 |
+-void refcount_inc_checked(refcount_t *r) |
2864 |
++void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t) |
2865 |
+ { |
2866 |
+- WARN_ONCE(!refcount_inc_not_zero_checked(r), "refcount_t: increment on 0; use-after-free.\n"); |
2867 |
+-} |
2868 |
+-EXPORT_SYMBOL(refcount_inc_checked); |
2869 |
+- |
2870 |
+-/** |
2871 |
+- * refcount_sub_and_test_checked - subtract from a refcount and test if it is 0 |
2872 |
+- * @i: amount to subtract from the refcount |
2873 |
+- * @r: the refcount |
2874 |
+- * |
2875 |
+- * Similar to atomic_dec_and_test(), but it will WARN, return false and |
2876 |
+- * ultimately leak on underflow and will fail to decrement when saturated |
2877 |
+- * at UINT_MAX. |
2878 |
+- * |
2879 |
+- * Provides release memory ordering, such that prior loads and stores are done |
2880 |
+- * before, and provides an acquire ordering on success such that free() |
2881 |
+- * must come after. |
2882 |
+- * |
2883 |
+- * Use of this function is not recommended for the normal reference counting |
2884 |
+- * use case in which references are taken and released one at a time. In these |
2885 |
+- * cases, refcount_dec(), or one of its variants, should instead be used to |
2886 |
+- * decrement a reference count. |
2887 |
+- * |
2888 |
+- * Return: true if the resulting refcount is 0, false otherwise |
2889 |
+- */ |
2890 |
+-bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r) |
2891 |
+-{ |
2892 |
+- unsigned int new, val = atomic_read(&r->refs); |
2893 |
+- |
2894 |
+- do { |
2895 |
+- if (unlikely(val == UINT_MAX)) |
2896 |
+- return false; |
2897 |
+- |
2898 |
+- new = val - i; |
2899 |
+- if (new > val) { |
2900 |
+- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); |
2901 |
+- return false; |
2902 |
+- } |
2903 |
+- |
2904 |
+- } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); |
2905 |
+- |
2906 |
+- if (!new) { |
2907 |
+- smp_acquire__after_ctrl_dep(); |
2908 |
+- return true; |
2909 |
++ refcount_set(r, REFCOUNT_SATURATED); |
2910 |
++ |
2911 |
++ switch (t) { |
2912 |
++ case REFCOUNT_ADD_NOT_ZERO_OVF: |
2913 |
++ REFCOUNT_WARN("saturated; leaking memory"); |
2914 |
++ break; |
2915 |
++ case REFCOUNT_ADD_OVF: |
2916 |
++ REFCOUNT_WARN("saturated; leaking memory"); |
2917 |
++ break; |
2918 |
++ case REFCOUNT_ADD_UAF: |
2919 |
++ REFCOUNT_WARN("addition on 0; use-after-free"); |
2920 |
++ break; |
2921 |
++ case REFCOUNT_SUB_UAF: |
2922 |
++ REFCOUNT_WARN("underflow; use-after-free"); |
2923 |
++ break; |
2924 |
++ case REFCOUNT_DEC_LEAK: |
2925 |
++ REFCOUNT_WARN("decrement hit 0; leaking memory"); |
2926 |
++ break; |
2927 |
++ default: |
2928 |
++ REFCOUNT_WARN("unknown saturation event!?"); |
2929 |
+ } |
2930 |
+- return false; |
2931 |
+- |
2932 |
+-} |
2933 |
+-EXPORT_SYMBOL(refcount_sub_and_test_checked); |
2934 |
+- |
2935 |
+-/** |
2936 |
+- * refcount_dec_and_test_checked - decrement a refcount and test if it is 0 |
2937 |
+- * @r: the refcount |
2938 |
+- * |
2939 |
+- * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to |
2940 |
+- * decrement when saturated at UINT_MAX. |
2941 |
+- * |
2942 |
+- * Provides release memory ordering, such that prior loads and stores are done |
2943 |
+- * before, and provides an acquire ordering on success such that free() |
2944 |
+- * must come after. |
2945 |
+- * |
2946 |
+- * Return: true if the resulting refcount is 0, false otherwise |
2947 |
+- */ |
2948 |
+-bool refcount_dec_and_test_checked(refcount_t *r) |
2949 |
+-{ |
2950 |
+- return refcount_sub_and_test_checked(1, r); |
2951 |
+-} |
2952 |
+-EXPORT_SYMBOL(refcount_dec_and_test_checked); |
2953 |
+- |
2954 |
+-/** |
2955 |
+- * refcount_dec_checked - decrement a refcount |
2956 |
+- * @r: the refcount |
2957 |
+- * |
2958 |
+- * Similar to atomic_dec(), it will WARN on underflow and fail to decrement |
2959 |
+- * when saturated at UINT_MAX. |
2960 |
+- * |
2961 |
+- * Provides release memory ordering, such that prior loads and stores are done |
2962 |
+- * before. |
2963 |
+- */ |
2964 |
+-void refcount_dec_checked(refcount_t *r) |
2965 |
+-{ |
2966 |
+- WARN_ONCE(refcount_dec_and_test_checked(r), "refcount_t: decrement hit 0; leaking memory.\n"); |
2967 |
+ } |
2968 |
+-EXPORT_SYMBOL(refcount_dec_checked); |
2969 |
++EXPORT_SYMBOL(refcount_warn_saturate); |
2970 |
+ |
2971 |
+ /** |
2972 |
+ * refcount_dec_if_one - decrement a refcount if it is 1 |
2973 |
+@@ -277,7 +76,7 @@ bool refcount_dec_not_one(refcount_t *r) |
2974 |
+ unsigned int new, val = atomic_read(&r->refs); |
2975 |
+ |
2976 |
+ do { |
2977 |
+- if (unlikely(val == UINT_MAX)) |
2978 |
++ if (unlikely(val == REFCOUNT_SATURATED)) |
2979 |
+ return true; |
2980 |
+ |
2981 |
+ if (val == 1) |
2982 |
+@@ -302,7 +101,7 @@ EXPORT_SYMBOL(refcount_dec_not_one); |
2983 |
+ * @lock: the mutex to be locked |
2984 |
+ * |
2985 |
+ * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and fail |
2986 |
+- * to decrement when saturated at UINT_MAX. |
2987 |
++ * to decrement when saturated at REFCOUNT_SATURATED. |
2988 |
+ * |
2989 |
+ * Provides release memory ordering, such that prior loads and stores are done |
2990 |
+ * before, and provides a control dependency such that free() must come after. |
2991 |
+@@ -333,7 +132,7 @@ EXPORT_SYMBOL(refcount_dec_and_mutex_lock); |
2992 |
+ * @lock: the spinlock to be locked |
2993 |
+ * |
2994 |
+ * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to |
2995 |
+- * decrement when saturated at UINT_MAX. |
2996 |
++ * decrement when saturated at REFCOUNT_SATURATED. |
2997 |
+ * |
2998 |
+ * Provides release memory ordering, such that prior loads and stores are done |
2999 |
+ * before, and provides a control dependency such that free() must come after. |
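The refcount.c hunk above removes the old out-of-line "checked" helpers and funnels all failure reporting through refcount_warn_saturate(): on overflow, underflow, or a zero-count increment, the counter is pinned at REFCOUNT_SATURATED, the event is classified, and the object is deliberately leaked rather than freed while references may still exist. A rough userspace sketch of the saturation idea, much simplified (the real implementation uses cmpxchg loops and per-operation post-checks, and SATURATED here is only a stand-in value):

#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>

#define SATURATED (UINT_MAX / 2)	/* stand-in for REFCOUNT_SATURATED */

static _Atomic unsigned int refs = 1;

/* Take a reference; on overflow, pin the counter at the poison value
 * the way refcount_warn_saturate() does, trading a leak for safety. */
static void ref_get(void)
{
	unsigned int old = atomic_fetch_add_explicit(&refs, 1,
						     memory_order_relaxed);

	if (old >= SATURATED) {
		atomic_store_explicit(&refs, SATURATED,
				      memory_order_relaxed);
		fprintf(stderr, "refcount saturated; leaking object\n");
	}
}

/* Drop a reference; returns 1 when the caller should free the object.
 * A saturated counter never reaches zero, so the object leaks instead
 * of being freed out from under a live user. */
static int ref_put(void)
{
	if (atomic_load_explicit(&refs, memory_order_relaxed) == SATURATED)
		return 0;
	return atomic_fetch_sub_explicit(&refs, 1,
					 memory_order_acq_rel) == 1;
}

int main(void)
{
	ref_get();		/* 1 -> 2 */
	ref_put();		/* 2 -> 1 */
	if (ref_put())		/* 1 -> 0: last reference */
		puts("free object here");
	return 0;
}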
3000 |
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c |
3001 |
+index d79ab5116a7be..f7b231f67156b 100644 |
3002 |
+--- a/mm/mempolicy.c |
3003 |
++++ b/mm/mempolicy.c |
3004 |
+@@ -348,7 +348,7 @@ static void mpol_rebind_preferred(struct mempolicy *pol, |
3005 |
+ */ |
3006 |
+ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) |
3007 |
+ { |
3008 |
+- if (!pol) |
3009 |
++ if (!pol || pol->mode == MPOL_LOCAL) |
3010 |
+ return; |
3011 |
+ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && |
3012 |
+ nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) |
3013 |
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c |
3014 |
+index 3a9e9d9670be4..83a8c48dfaa8b 100644 |
3015 |
+--- a/net/bluetooth/rfcomm/core.c |
3016 |
++++ b/net/bluetooth/rfcomm/core.c |
3017 |
+@@ -553,22 +553,58 @@ struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) |
3018 |
+ return dlc; |
3019 |
+ } |
3020 |
+ |
3021 |
++static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag) |
3022 |
++{ |
3023 |
++ int len = frag->len; |
3024 |
++ |
3025 |
++ BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); |
3026 |
++ |
3027 |
++ if (len > d->mtu) |
3028 |
++ return -EINVAL; |
3029 |
++ |
3030 |
++ rfcomm_make_uih(frag, d->addr); |
3031 |
++ __skb_queue_tail(&d->tx_queue, frag); |
3032 |
++ |
3033 |
++ return len; |
3034 |
++} |
3035 |
++ |
3036 |
+ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) |
3037 |
+ { |
3038 |
+- int len = skb->len; |
3039 |
++ unsigned long flags; |
3040 |
++ struct sk_buff *frag, *next; |
3041 |
++ int len; |
3042 |
+ |
3043 |
+ if (d->state != BT_CONNECTED) |
3044 |
+ return -ENOTCONN; |
3045 |
+ |
3046 |
+- BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); |
3047 |
++ frag = skb_shinfo(skb)->frag_list; |
3048 |
++ skb_shinfo(skb)->frag_list = NULL; |
3049 |
+ |
3050 |
+- if (len > d->mtu) |
3051 |
+- return -EINVAL; |
3052 |
++ /* Queue all fragments atomically. */ |
3053 |
++ spin_lock_irqsave(&d->tx_queue.lock, flags); |
3054 |
+ |
3055 |
+- rfcomm_make_uih(skb, d->addr); |
3056 |
+- skb_queue_tail(&d->tx_queue, skb); |
3057 |
++ len = rfcomm_dlc_send_frag(d, skb); |
3058 |
++ if (len < 0 || !frag) |
3059 |
++ goto unlock; |
3060 |
++ |
3061 |
++ for (; frag; frag = next) { |
3062 |
++ int ret; |
3063 |
++ |
3064 |
++ next = frag->next; |
3065 |
++ |
3066 |
++ ret = rfcomm_dlc_send_frag(d, frag); |
3067 |
++ if (ret < 0) { |
3068 |
++ kfree_skb(frag); |
3069 |
++ goto unlock; |
3070 |
++ } |
3071 |
++ |
3072 |
++ len += ret; |
3073 |
++ } |
3074 |
++ |
3075 |
++unlock: |
3076 |
++ spin_unlock_irqrestore(&d->tx_queue.lock, flags); |
3077 |
+ |
3078 |
+- if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) |
3079 |
++ if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) |
3080 |
+ rfcomm_schedule(); |
3081 |
+ return len; |
3082 |
+ } |
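rfcomm_dlc_send() above is restructured so a message split across skb frag_list fragments is queued in one critical section: the fragment chain is detached first, then the head and every fragment are appended to tx_queue while d->tx_queue.lock is held, so the scheduler never observes half a message. A userspace sketch of the same pattern, with a plain linked list and a pthread mutex standing in for sk_buff queues and spin_lock_irqsave():

#include <pthread.h>
#include <stddef.h>

struct buf {
	struct buf *next;	/* stand-in for the skb frag_list / queue link */
	size_t len;
};

struct queue {
	pthread_mutex_t lock;
	struct buf *head, *tail;
};

static void enqueue_locked(struct queue *q, struct buf *b)
{
	b->next = NULL;
	if (q->tail)
		q->tail->next = b;
	else
		q->head = b;
	q->tail = b;
}

/* Queue the head buffer and its whole fragment chain under one lock,
 * as rfcomm_dlc_send() now does for the frag_list it detached. */
static void queue_message(struct queue *q, struct buf *head)
{
	struct buf *frag = head->next, *next;

	head->next = NULL;	/* detach the chain, like frag_list = NULL */
	pthread_mutex_lock(&q->lock);
	enqueue_locked(q, head);
	for (; frag; frag = next) {
		next = frag->next;
		enqueue_locked(q, frag);
	}
	pthread_mutex_unlock(&q->lock);
}

int main(void)
{
	struct queue q = { .lock = PTHREAD_MUTEX_INITIALIZER };
	struct buf f2 = { .next = NULL, .len = 3 };
	struct buf f1 = { .next = &f2, .len = 5 };

	queue_message(&q, &f1);
	return (q.head == &f1 && q.tail == &f2) ? 0 : 1;
}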
3083 |
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c |
3084 |
+index 90bb53aa4beed..e67310a749d27 100644 |
3085 |
+--- a/net/bluetooth/rfcomm/sock.c |
3086 |
++++ b/net/bluetooth/rfcomm/sock.c |
3087 |
+@@ -578,46 +578,20 @@ static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3088 |
+ lock_sock(sk); |
3089 |
+ |
3090 |
+ sent = bt_sock_wait_ready(sk, msg->msg_flags); |
3091 |
+- if (sent) |
3092 |
+- goto done; |
3093 |
+- |
3094 |
+- while (len) { |
3095 |
+- size_t size = min_t(size_t, len, d->mtu); |
3096 |
+- int err; |
3097 |
+- |
3098 |
+- skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, |
3099 |
+- msg->msg_flags & MSG_DONTWAIT, &err); |
3100 |
+- if (!skb) { |
3101 |
+- if (sent == 0) |
3102 |
+- sent = err; |
3103 |
+- break; |
3104 |
+- } |
3105 |
+- skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE); |
3106 |
+- |
3107 |
+- err = memcpy_from_msg(skb_put(skb, size), msg, size); |
3108 |
+- if (err) { |
3109 |
+- kfree_skb(skb); |
3110 |
+- if (sent == 0) |
3111 |
+- sent = err; |
3112 |
+- break; |
3113 |
+- } |
3114 |
+ |
3115 |
+- skb->priority = sk->sk_priority; |
3116 |
++ release_sock(sk); |
3117 |
+ |
3118 |
+- err = rfcomm_dlc_send(d, skb); |
3119 |
+- if (err < 0) { |
3120 |
+- kfree_skb(skb); |
3121 |
+- if (sent == 0) |
3122 |
+- sent = err; |
3123 |
+- break; |
3124 |
+- } |
3125 |
++ if (sent) |
3126 |
++ return sent; |
3127 |
+ |
3128 |
+- sent += size; |
3129 |
+- len -= size; |
3130 |
+- } |
3131 |
++ skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, |
3132 |
++ RFCOMM_SKB_TAIL_RESERVE); |
3133 |
++ if (IS_ERR(skb)) |
3134 |
++ return PTR_ERR(skb); |
3135 |
+ |
3136 |
+-done: |
3137 |
+- release_sock(sk); |
3138 |
++ sent = rfcomm_dlc_send(d, skb); |
3139 |
++ if (sent < 0) |
3140 |
++ kfree_skb(skb); |
3141 |
+ |
3142 |
+ return sent; |
3143 |
+ } |
3144 |
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c |
3145 |
+index fbfb12e430101..78a549e506b12 100644 |
3146 |
+--- a/net/bluetooth/sco.c |
3147 |
++++ b/net/bluetooth/sco.c |
3148 |
+@@ -279,12 +279,10 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk) |
3149 |
+ return err; |
3150 |
+ } |
3151 |
+ |
3152 |
+-static int sco_send_frame(struct sock *sk, void *buf, int len, |
3153 |
+- unsigned int msg_flags) |
3154 |
++static int sco_send_frame(struct sock *sk, struct sk_buff *skb) |
3155 |
+ { |
3156 |
+ struct sco_conn *conn = sco_pi(sk)->conn; |
3157 |
+- struct sk_buff *skb; |
3158 |
+- int err; |
3159 |
++ int len = skb->len; |
3160 |
+ |
3161 |
+ /* Check outgoing MTU */ |
3162 |
+ if (len > conn->mtu) |
3163 |
+@@ -292,11 +290,6 @@ static int sco_send_frame(struct sock *sk, void *buf, int len, |
3164 |
+ |
3165 |
+ BT_DBG("sk %p len %d", sk, len); |
3166 |
+ |
3167 |
+- skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); |
3168 |
+- if (!skb) |
3169 |
+- return err; |
3170 |
+- |
3171 |
+- memcpy(skb_put(skb, len), buf, len); |
3172 |
+ hci_send_sco(conn->hcon, skb); |
3173 |
+ |
3174 |
+ return len; |
3175 |
+@@ -715,7 +708,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3176 |
+ size_t len) |
3177 |
+ { |
3178 |
+ struct sock *sk = sock->sk; |
3179 |
+- void *buf; |
3180 |
++ struct sk_buff *skb; |
3181 |
+ int err; |
3182 |
+ |
3183 |
+ BT_DBG("sock %p, sk %p", sock, sk); |
3184 |
+@@ -727,24 +720,21 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
3185 |
+ if (msg->msg_flags & MSG_OOB) |
3186 |
+ return -EOPNOTSUPP; |
3187 |
+ |
3188 |
+- buf = kmalloc(len, GFP_KERNEL); |
3189 |
+- if (!buf) |
3190 |
+- return -ENOMEM; |
3191 |
+- |
3192 |
+- if (memcpy_from_msg(buf, msg, len)) { |
3193 |
+- kfree(buf); |
3194 |
+- return -EFAULT; |
3195 |
+- } |
3196 |
++ skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0); |
3197 |
++ if (IS_ERR(skb)) |
3198 |
++ return PTR_ERR(skb); |
3199 |
+ |
3200 |
+ lock_sock(sk); |
3201 |
+ |
3202 |
+ if (sk->sk_state == BT_CONNECTED) |
3203 |
+- err = sco_send_frame(sk, buf, len, msg->msg_flags); |
3204 |
++ err = sco_send_frame(sk, skb); |
3205 |
+ else |
3206 |
+ err = -ENOTCONN; |
3207 |
+ |
3208 |
+ release_sock(sk); |
3209 |
+- kfree(buf); |
3210 |
++ |
3211 |
++ if (err < 0) |
3212 |
++ kfree_skb(skb); |
3213 |
+ return err; |
3214 |
+ } |
3215 |
+ |
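Both Bluetooth sendmsg paths above now build the sk_buff via bt_skb_sendmsg()/bt_skb_sendmmsg() before the socket lock is taken, and those helpers report failure through an error pointer rather than NULL. The error-pointer idiom encodes a small negative errno in an invalid pointer value so one return slot carries either a buffer or an error. A self-contained userspace rendering (MAX_ERRNO and the three helpers mirror the kernel's include/linux/err.h; the allocation policy is invented for the example):

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
	/* errnos land in the top page of the address space, which no
	 * valid allocation can occupy */
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical allocator in the style of bt_skb_sendmsg(): returns
 * either a usable buffer or ERR_PTR(-errno), never NULL. */
static void *alloc_msg(size_t len, size_t mtu)
{
	void *buf;

	if (len > mtu)
		return ERR_PTR(-EMSGSIZE);
	buf = malloc(len);
	return buf ? buf : ERR_PTR(-ENOMEM);
}

int main(void)
{
	void *msg = alloc_msg(2048, 1024);

	if (IS_ERR(msg)) {
		printf("send failed: %ld\n", PTR_ERR(msg));
		return 0;
	}
	free(msg);
	return 0;
}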
3216 |
+diff --git a/net/core/filter.c b/net/core/filter.c |
3217 |
+index 75f53b5e63893..72bf78032f458 100644 |
3218 |
+--- a/net/core/filter.c |
3219 |
++++ b/net/core/filter.c |
3220 |
+@@ -5839,7 +5839,7 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len |
3221 |
+ if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) |
3222 |
+ return -EINVAL; |
3223 |
+ |
3224 |
+- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) |
3225 |
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) |
3226 |
+ return -EINVAL; |
3227 |
+ |
3228 |
+ if (!th->ack || th->rst || th->syn) |
3229 |
+@@ -5914,7 +5914,7 @@ BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len, |
3230 |
+ if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) |
3231 |
+ return -EINVAL; |
3232 |
+ |
3233 |
+- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) |
3234 |
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) |
3235 |
+ return -ENOENT; |
3236 |
+ |
3237 |
+ if (!th->syn || th->ack || th->fin || th->rst) |
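The filter.c hunk above begins the pattern that dominates the rest of this patch: ipv4 sysctl knobs can be rewritten at any moment through /proc while readers hold no lock, so every lockless read is converted to READ_ONCE() to guarantee a single, untorn load that the compiler cannot cache, duplicate, or re-read. A userspace approximation built on the same volatile-cast trick the kernel macro uses (the sysctl variable is a stand-in):

#include <stdio.h>

#define READ_ONCE(x)		(*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v)	(*(volatile __typeof__(x) *)&(x) = (v))

static int tcp_syncookies;	/* stand-in for a sysctl flipped at runtime */

static int use_syncookies(void)
{
	/* exactly one load; later uses of val see the same snapshot
	 * even if a writer races with us */
	int val = READ_ONCE(tcp_syncookies);

	return val != 0;
}

int main(void)
{
	WRITE_ONCE(tcp_syncookies, 1);
	printf("syncookies: %d\n", use_syncookies());
	return 0;
}

The same conversion recurs through the secure_seq.c, af_inet.c, fib_semantics.c, icmp.c, igmp.c, route.c, syncookies.c, tcp*.c, ipv6, sctp, and xfrm hunks that follow.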
3238 |
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c |
3239 |
+index a1867c65ac632..6d86506e315f3 100644 |
3240 |
+--- a/net/core/secure_seq.c |
3241 |
++++ b/net/core/secure_seq.c |
3242 |
+@@ -65,7 +65,7 @@ u32 secure_tcpv6_ts_off(const struct net *net, |
3243 |
+ .daddr = *(struct in6_addr *)daddr, |
3244 |
+ }; |
3245 |
+ |
3246 |
+- if (net->ipv4.sysctl_tcp_timestamps != 1) |
3247 |
++ if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1) |
3248 |
+ return 0; |
3249 |
+ |
3250 |
+ ts_secret_init(); |
3251 |
+@@ -121,7 +121,7 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral); |
3252 |
+ #ifdef CONFIG_INET |
3253 |
+ u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr) |
3254 |
+ { |
3255 |
+- if (net->ipv4.sysctl_tcp_timestamps != 1) |
3256 |
++ if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1) |
3257 |
+ return 0; |
3258 |
+ |
3259 |
+ ts_secret_init(); |
3260 |
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c |
3261 |
+index 9ab73fcc7411c..d61ca7be6eda6 100644 |
3262 |
+--- a/net/ipv4/af_inet.c |
3263 |
++++ b/net/ipv4/af_inet.c |
3264 |
+@@ -219,7 +219,7 @@ int inet_listen(struct socket *sock, int backlog) |
3265 |
+ * because the socket was in TCP_LISTEN state previously but |
3266 |
+ * was shutdown() rather than close(). |
3267 |
+ */ |
3268 |
+- tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; |
3269 |
++ tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); |
3270 |
+ if ((tcp_fastopen & TFO_SERVER_WO_SOCKOPT1) && |
3271 |
+ (tcp_fastopen & TFO_SERVER_ENABLE) && |
3272 |
+ !inet_csk(sk)->icsk_accept_queue.fastopenq.max_qlen) { |
3273 |
+@@ -337,7 +337,7 @@ lookup_protocol: |
3274 |
+ inet->hdrincl = 1; |
3275 |
+ } |
3276 |
+ |
3277 |
+- if (net->ipv4.sysctl_ip_no_pmtu_disc) |
3278 |
++ if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) |
3279 |
+ inet->pmtudisc = IP_PMTUDISC_DONT; |
3280 |
+ else |
3281 |
+ inet->pmtudisc = IP_PMTUDISC_WANT; |
3282 |
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c |
3283 |
+index 16fe034615635..28da0443f3e9e 100644 |
3284 |
+--- a/net/ipv4/fib_semantics.c |
3285 |
++++ b/net/ipv4/fib_semantics.c |
3286 |
+@@ -2209,7 +2209,7 @@ void fib_select_multipath(struct fib_result *res, int hash) |
3287 |
+ } |
3288 |
+ |
3289 |
+ change_nexthops(fi) { |
3290 |
+- if (net->ipv4.sysctl_fib_multipath_use_neigh) { |
3291 |
++ if (READ_ONCE(net->ipv4.sysctl_fib_multipath_use_neigh)) { |
3292 |
+ if (!fib_good_nh(nexthop_nh)) |
3293 |
+ continue; |
3294 |
+ if (!first) { |
3295 |
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c |
3296 |
+index 9bc01411be4cc..b44f51e404aee 100644 |
3297 |
+--- a/net/ipv4/icmp.c |
3298 |
++++ b/net/ipv4/icmp.c |
3299 |
+@@ -886,7 +886,7 @@ static bool icmp_unreach(struct sk_buff *skb) |
3300 |
+ * values please see |
3301 |
+ * Documentation/networking/ip-sysctl.txt |
3302 |
+ */ |
3303 |
+- switch (net->ipv4.sysctl_ip_no_pmtu_disc) { |
3304 |
++ switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) { |
3305 |
+ default: |
3306 |
+ net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n", |
3307 |
+ &iph->daddr); |
3308 |
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c |
3309 |
+index cac2fdd08df05..660b41040c771 100644 |
3310 |
+--- a/net/ipv4/igmp.c |
3311 |
++++ b/net/ipv4/igmp.c |
3312 |
+@@ -469,7 +469,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, |
3313 |
+ |
3314 |
+ if (pmc->multiaddr == IGMP_ALL_HOSTS) |
3315 |
+ return skb; |
3316 |
+- if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3317 |
++ if (ipv4_is_local_multicast(pmc->multiaddr) && |
3318 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3319 |
+ return skb; |
3320 |
+ |
3321 |
+ mtu = READ_ONCE(dev->mtu); |
3322 |
+@@ -595,7 +596,7 @@ static int igmpv3_send_report(struct in_device *in_dev, struct ip_mc_list *pmc) |
3323 |
+ if (pmc->multiaddr == IGMP_ALL_HOSTS) |
3324 |
+ continue; |
3325 |
+ if (ipv4_is_local_multicast(pmc->multiaddr) && |
3326 |
+- !net->ipv4.sysctl_igmp_llm_reports) |
3327 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3328 |
+ continue; |
3329 |
+ spin_lock_bh(&pmc->lock); |
3330 |
+ if (pmc->sfcount[MCAST_EXCLUDE]) |
3331 |
+@@ -738,7 +739,8 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc, |
3332 |
+ if (type == IGMPV3_HOST_MEMBERSHIP_REPORT) |
3333 |
+ return igmpv3_send_report(in_dev, pmc); |
3334 |
+ |
3335 |
+- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) |
3336 |
++ if (ipv4_is_local_multicast(group) && |
3337 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3338 |
+ return 0; |
3339 |
+ |
3340 |
+ if (type == IGMP_HOST_LEAVE_MESSAGE) |
3341 |
+@@ -922,7 +924,8 @@ static bool igmp_heard_report(struct in_device *in_dev, __be32 group) |
3342 |
+ |
3343 |
+ if (group == IGMP_ALL_HOSTS) |
3344 |
+ return false; |
3345 |
+- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) |
3346 |
++ if (ipv4_is_local_multicast(group) && |
3347 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3348 |
+ return false; |
3349 |
+ |
3350 |
+ rcu_read_lock(); |
3351 |
+@@ -1047,7 +1050,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, |
3352 |
+ if (im->multiaddr == IGMP_ALL_HOSTS) |
3353 |
+ continue; |
3354 |
+ if (ipv4_is_local_multicast(im->multiaddr) && |
3355 |
+- !net->ipv4.sysctl_igmp_llm_reports) |
3356 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3357 |
+ continue; |
3358 |
+ spin_lock_bh(&im->lock); |
3359 |
+ if (im->tm_running) |
3360 |
+@@ -1298,7 +1301,8 @@ static void __igmp_group_dropped(struct ip_mc_list *im, gfp_t gfp) |
3361 |
+ #ifdef CONFIG_IP_MULTICAST |
3362 |
+ if (im->multiaddr == IGMP_ALL_HOSTS) |
3363 |
+ return; |
3364 |
+- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3365 |
++ if (ipv4_is_local_multicast(im->multiaddr) && |
3366 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3367 |
+ return; |
3368 |
+ |
3369 |
+ reporter = im->reporter; |
3370 |
+@@ -1340,7 +1344,8 @@ static void igmp_group_added(struct ip_mc_list *im) |
3371 |
+ #ifdef CONFIG_IP_MULTICAST |
3372 |
+ if (im->multiaddr == IGMP_ALL_HOSTS) |
3373 |
+ return; |
3374 |
+- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) |
3375 |
++ if (ipv4_is_local_multicast(im->multiaddr) && |
3376 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3377 |
+ return; |
3378 |
+ |
3379 |
+ if (in_dev->dead) |
3380 |
+@@ -1644,7 +1649,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_dev) |
3381 |
+ if (im->multiaddr == IGMP_ALL_HOSTS) |
3382 |
+ continue; |
3383 |
+ if (ipv4_is_local_multicast(im->multiaddr) && |
3384 |
+- !net->ipv4.sysctl_igmp_llm_reports) |
3385 |
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) |
3386 |
+ continue; |
3387 |
+ |
3388 |
+ /* a failover is happening and switches |
3389 |
+@@ -2194,7 +2199,7 @@ static int __ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr, |
3390 |
+ count++; |
3391 |
+ } |
3392 |
+ err = -ENOBUFS; |
3393 |
+- if (count >= net->ipv4.sysctl_igmp_max_memberships) |
3394 |
++ if (count >= READ_ONCE(net->ipv4.sysctl_igmp_max_memberships)) |
3395 |
+ goto done; |
3396 |
+ iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL); |
3397 |
+ if (!iml) |
3398 |
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c |
3399 |
+index 9280e50871596..7004e379c325f 100644 |
3400 |
+--- a/net/ipv4/route.c |
3401 |
++++ b/net/ipv4/route.c |
3402 |
+@@ -1423,7 +1423,7 @@ u32 ip_mtu_from_fib_result(struct fib_result *res, __be32 daddr) |
3403 |
+ struct fib_info *fi = res->fi; |
3404 |
+ u32 mtu = 0; |
3405 |
+ |
3406 |
+- if (dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu || |
3407 |
++ if (READ_ONCE(dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu) || |
3408 |
+ fi->fib_metrics->metrics[RTAX_LOCK - 1] & (1 << RTAX_MTU)) |
3409 |
+ mtu = fi->fib_mtu; |
3410 |
+ |
3411 |
+diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c |
3412 |
+index 6811174ad5189..3f6c9514c7a93 100644 |
3413 |
+--- a/net/ipv4/syncookies.c |
3414 |
++++ b/net/ipv4/syncookies.c |
3415 |
+@@ -243,12 +243,12 @@ bool cookie_timestamp_decode(const struct net *net, |
3416 |
+ return true; |
3417 |
+ } |
3418 |
+ |
3419 |
+- if (!net->ipv4.sysctl_tcp_timestamps) |
3420 |
++ if (!READ_ONCE(net->ipv4.sysctl_tcp_timestamps)) |
3421 |
+ return false; |
3422 |
+ |
3423 |
+ tcp_opt->sack_ok = (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0; |
3424 |
+ |
3425 |
+- if (tcp_opt->sack_ok && !net->ipv4.sysctl_tcp_sack) |
3426 |
++ if (tcp_opt->sack_ok && !READ_ONCE(net->ipv4.sysctl_tcp_sack)) |
3427 |
+ return false; |
3428 |
+ |
3429 |
+ if ((options & TS_OPT_WSCALE_MASK) == TS_OPT_WSCALE_MASK) |
3430 |
+@@ -257,7 +257,7 @@ bool cookie_timestamp_decode(const struct net *net, |
3431 |
+ tcp_opt->wscale_ok = 1; |
3432 |
+ tcp_opt->snd_wscale = options & TS_OPT_WSCALE_MASK; |
3433 |
+ |
3434 |
+- return net->ipv4.sysctl_tcp_window_scaling != 0; |
3435 |
++ return READ_ONCE(net->ipv4.sysctl_tcp_window_scaling) != 0; |
3436 |
+ } |
3437 |
+ EXPORT_SYMBOL(cookie_timestamp_decode); |
3438 |
+ |
3439 |
+@@ -297,7 +297,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) |
3440 |
+ struct flowi4 fl4; |
3441 |
+ u32 tsoff = 0; |
3442 |
+ |
3443 |
+- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) |
3444 |
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || |
3445 |
++ !th->ack || th->rst) |
3446 |
+ goto out; |
3447 |
+ |
3448 |
+ if (tcp_synq_no_recent_overflow(sk)) |
3449 |
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
3450 |
+index 4815cf72569e0..4b31f6e9ec61f 100644 |
3451 |
+--- a/net/ipv4/tcp.c |
3452 |
++++ b/net/ipv4/tcp.c |
3453 |
+@@ -437,7 +437,7 @@ void tcp_init_sock(struct sock *sk) |
3454 |
+ tp->snd_cwnd_clamp = ~0; |
3455 |
+ tp->mss_cache = TCP_MSS_DEFAULT; |
3456 |
+ |
3457 |
+- tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering; |
3458 |
++ tp->reordering = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering); |
3459 |
+ tcp_assign_congestion_control(sk); |
3460 |
+ |
3461 |
+ tp->tsoffset = 0; |
3462 |
+@@ -1148,7 +1148,8 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, |
3463 |
+ struct sockaddr *uaddr = msg->msg_name; |
3464 |
+ int err, flags; |
3465 |
+ |
3466 |
+- if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) || |
3467 |
++ if (!(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & |
3468 |
++ TFO_CLIENT_ENABLE) || |
3469 |
+ (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) && |
3470 |
+ uaddr->sa_family == AF_UNSPEC)) |
3471 |
+ return -EOPNOTSUPP; |
3472 |
+@@ -3127,7 +3128,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, |
3473 |
+ case TCP_FASTOPEN_CONNECT: |
3474 |
+ if (val > 1 || val < 0) { |
3475 |
+ err = -EINVAL; |
3476 |
+- } else if (net->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) { |
3477 |
++ } else if (READ_ONCE(net->ipv4.sysctl_tcp_fastopen) & |
3478 |
++ TFO_CLIENT_ENABLE) { |
3479 |
+ if (sk->sk_state == TCP_CLOSE) |
3480 |
+ tp->fastopen_connect = val; |
3481 |
+ else |
3482 |
+@@ -3466,7 +3468,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, |
3483 |
+ case TCP_LINGER2: |
3484 |
+ val = tp->linger2; |
3485 |
+ if (val >= 0) |
3486 |
+- val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ; |
3487 |
++ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; |
3488 |
+ break; |
3489 |
+ case TCP_DEFER_ACCEPT: |
3490 |
+ val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, |
3491 |
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c |
3492 |
+index a5ec77a5ad6f5..21705b2ddaffa 100644 |
3493 |
+--- a/net/ipv4/tcp_fastopen.c |
3494 |
++++ b/net/ipv4/tcp_fastopen.c |
3495 |
+@@ -349,7 +349,7 @@ static bool tcp_fastopen_no_cookie(const struct sock *sk, |
3496 |
+ const struct dst_entry *dst, |
3497 |
+ int flag) |
3498 |
+ { |
3499 |
+- return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) || |
3500 |
++ return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) || |
3501 |
+ tcp_sk(sk)->fastopen_no_cookie || |
3502 |
+ (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)); |
3503 |
+ } |
3504 |
+@@ -364,7 +364,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, |
3505 |
+ const struct dst_entry *dst) |
3506 |
+ { |
3507 |
+ bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1; |
3508 |
+- int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; |
3509 |
++ int tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); |
3510 |
+ struct tcp_fastopen_cookie valid_foc = { .len = -1 }; |
3511 |
+ struct sock *child; |
3512 |
+ int ret = 0; |
3513 |
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
3514 |
+index 0808110451a0f..c151c4dd4ae63 100644 |
3515 |
+--- a/net/ipv4/tcp_input.c |
3516 |
++++ b/net/ipv4/tcp_input.c |
3517 |
+@@ -905,7 +905,7 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq, |
3518 |
+ tp->undo_marker ? tp->undo_retrans : 0); |
3519 |
+ #endif |
3520 |
+ tp->reordering = min_t(u32, (metric + mss - 1) / mss, |
3521 |
+- sock_net(sk)->ipv4.sysctl_tcp_max_reordering); |
3522 |
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); |
3523 |
+ } |
3524 |
+ |
3525 |
+ /* This exciting event is worth to be remembered. 8) */ |
3526 |
+@@ -1886,7 +1886,7 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend) |
3527 |
+ return; |
3528 |
+ |
3529 |
+ tp->reordering = min_t(u32, tp->packets_out + addend, |
3530 |
+- sock_net(sk)->ipv4.sysctl_tcp_max_reordering); |
3531 |
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); |
3532 |
+ tp->reord_seen++; |
3533 |
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER); |
3534 |
+ } |
3535 |
+@@ -1950,7 +1950,8 @@ static inline void tcp_init_undo(struct tcp_sock *tp) |
3536 |
+ |
3537 |
+ static bool tcp_is_rack(const struct sock *sk) |
3538 |
+ { |
3539 |
+- return sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION; |
3540 |
++ return READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3541 |
++ TCP_RACK_LOSS_DETECTION; |
3542 |
+ } |
3543 |
+ |
3544 |
+ /* If we detect SACK reneging, forget all SACK information |
3545 |
+@@ -1994,6 +1995,7 @@ void tcp_enter_loss(struct sock *sk) |
3546 |
+ struct tcp_sock *tp = tcp_sk(sk); |
3547 |
+ struct net *net = sock_net(sk); |
3548 |
+ bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery; |
3549 |
++ u8 reordering; |
3550 |
+ |
3551 |
+ tcp_timeout_mark_lost(sk); |
3552 |
+ |
3553 |
+@@ -2014,10 +2016,12 @@ void tcp_enter_loss(struct sock *sk) |
3554 |
+ /* Timeout in disordered state after receiving substantial DUPACKs |
3555 |
+ * suggests that the degree of reordering is over-estimated. |
3556 |
+ */ |
3557 |
++ reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering); |
3558 |
+ if (icsk->icsk_ca_state <= TCP_CA_Disorder && |
3559 |
+- tp->sacked_out >= net->ipv4.sysctl_tcp_reordering) |
3560 |
++ tp->sacked_out >= reordering) |
3561 |
+ tp->reordering = min_t(unsigned int, tp->reordering, |
3562 |
+- net->ipv4.sysctl_tcp_reordering); |
3563 |
++ reordering); |
3564 |
++ |
3565 |
+ tcp_set_ca_state(sk, TCP_CA_Loss); |
3566 |
+ tp->high_seq = tp->snd_nxt; |
3567 |
+ tcp_ecn_queue_cwr(tp); |
3568 |
+@@ -3319,7 +3323,8 @@ static inline bool tcp_may_raise_cwnd(const struct sock *sk, const int flag) |
3569 |
+ * new SACK or ECE mark may first advance cwnd here and later reduce |
3570 |
+ * cwnd in tcp_fastretrans_alert() based on more states. |
3571 |
+ */ |
3572 |
+- if (tcp_sk(sk)->reordering > sock_net(sk)->ipv4.sysctl_tcp_reordering) |
3573 |
++ if (tcp_sk(sk)->reordering > |
3574 |
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering)) |
3575 |
+ return flag & FLAG_FORWARD_PROGRESS; |
3576 |
+ |
3577 |
+ return flag & FLAG_DATA_ACKED; |
3578 |
+@@ -3902,7 +3907,7 @@ void tcp_parse_options(const struct net *net, |
3579 |
+ break; |
3580 |
+ case TCPOPT_WINDOW: |
3581 |
+ if (opsize == TCPOLEN_WINDOW && th->syn && |
3582 |
+- !estab && net->ipv4.sysctl_tcp_window_scaling) { |
3583 |
++ !estab && READ_ONCE(net->ipv4.sysctl_tcp_window_scaling)) { |
3584 |
+ __u8 snd_wscale = *(__u8 *)ptr; |
3585 |
+ opt_rx->wscale_ok = 1; |
3586 |
+ if (snd_wscale > TCP_MAX_WSCALE) { |
3587 |
+@@ -3918,7 +3923,7 @@ void tcp_parse_options(const struct net *net, |
3588 |
+ case TCPOPT_TIMESTAMP: |
3589 |
+ if ((opsize == TCPOLEN_TIMESTAMP) && |
3590 |
+ ((estab && opt_rx->tstamp_ok) || |
3591 |
+- (!estab && net->ipv4.sysctl_tcp_timestamps))) { |
3592 |
++ (!estab && READ_ONCE(net->ipv4.sysctl_tcp_timestamps)))) { |
3593 |
+ opt_rx->saw_tstamp = 1; |
3594 |
+ opt_rx->rcv_tsval = get_unaligned_be32(ptr); |
3595 |
+ opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4); |
3596 |
+@@ -3926,7 +3931,7 @@ void tcp_parse_options(const struct net *net, |
3597 |
+ break; |
3598 |
+ case TCPOPT_SACK_PERM: |
3599 |
+ if (opsize == TCPOLEN_SACK_PERM && th->syn && |
3600 |
+- !estab && net->ipv4.sysctl_tcp_sack) { |
3601 |
++ !estab && READ_ONCE(net->ipv4.sysctl_tcp_sack)) { |
3602 |
+ opt_rx->sack_ok = TCP_SACK_SEEN; |
3603 |
+ tcp_sack_reset(opt_rx); |
3604 |
+ } |
3605 |
+@@ -5351,7 +5356,7 @@ static void tcp_check_urg(struct sock *sk, const struct tcphdr *th) |
3606 |
+ struct tcp_sock *tp = tcp_sk(sk); |
3607 |
+ u32 ptr = ntohs(th->urg_ptr); |
3608 |
+ |
3609 |
+- if (ptr && !sock_net(sk)->ipv4.sysctl_tcp_stdurg) |
3610 |
++ if (ptr && !READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_stdurg)) |
3611 |
+ ptr--; |
3612 |
+ ptr += ntohl(th->seq); |
3613 |
+ |
3614 |
+@@ -6530,11 +6535,14 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) |
3615 |
+ { |
3616 |
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; |
3617 |
+ const char *msg = "Dropping request"; |
3618 |
+- bool want_cookie = false; |
3619 |
+ struct net *net = sock_net(sk); |
3620 |
++ bool want_cookie = false; |
3621 |
++ u8 syncookies; |
3622 |
++ |
3623 |
++ syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies); |
3624 |
+ |
3625 |
+ #ifdef CONFIG_SYN_COOKIES |
3626 |
+- if (net->ipv4.sysctl_tcp_syncookies) { |
3627 |
++ if (syncookies) { |
3628 |
+ msg = "Sending cookies"; |
3629 |
+ want_cookie = true; |
3630 |
+ __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES); |
3631 |
+@@ -6542,8 +6550,7 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) |
3632 |
+ #endif |
3633 |
+ __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP); |
3634 |
+ |
3635 |
+- if (!queue->synflood_warned && |
3636 |
+- net->ipv4.sysctl_tcp_syncookies != 2 && |
3637 |
++ if (!queue->synflood_warned && syncookies != 2 && |
3638 |
+ xchg(&queue->synflood_warned, 1) == 0) |
3639 |
+ net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n", |
3640 |
+ proto, sk->sk_num, msg); |
3641 |
+@@ -6578,7 +6585,7 @@ u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops, |
3642 |
+ struct tcp_sock *tp = tcp_sk(sk); |
3643 |
+ u16 mss; |
3644 |
+ |
3645 |
+- if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 && |
3646 |
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) != 2 && |
3647 |
+ !inet_csk_reqsk_queue_is_full(sk)) |
3648 |
+ return 0; |
3649 |
+ |
3650 |
+@@ -6612,13 +6619,15 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, |
3651 |
+ bool want_cookie = false; |
3652 |
+ struct dst_entry *dst; |
3653 |
+ struct flowi fl; |
3654 |
++ u8 syncookies; |
3655 |
++ |
3656 |
++ syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies); |
3657 |
+ |
3658 |
+ /* TW buckets are converted to open requests without |
3659 |
+ * limitations, they conserve resources and peer is |
3660 |
+ * evidently real one. |
3661 |
+ */ |
3662 |
+- if ((net->ipv4.sysctl_tcp_syncookies == 2 || |
3663 |
+- inet_csk_reqsk_queue_is_full(sk)) && !isn) { |
3664 |
++ if ((syncookies == 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { |
3665 |
+ want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name); |
3666 |
+ if (!want_cookie) |
3667 |
+ goto drop; |
3668 |
+@@ -6668,10 +6677,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, |
3669 |
+ goto drop_and_free; |
3670 |
+ |
3671 |
+ if (!want_cookie && !isn) { |
3672 |
++ int max_syn_backlog = READ_ONCE(net->ipv4.sysctl_max_syn_backlog); |
3673 |
++ |
3674 |
+ /* Kill the following clause, if you dislike this way. */ |
3675 |
+- if (!net->ipv4.sysctl_tcp_syncookies && |
3676 |
+- (net->ipv4.sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) < |
3677 |
+- (net->ipv4.sysctl_max_syn_backlog >> 2)) && |
3678 |
++ if (!syncookies && |
3679 |
++ (max_syn_backlog - inet_csk_reqsk_queue_len(sk) < |
3680 |
++ (max_syn_backlog >> 2)) && |
3681 |
+ !tcp_peer_is_proven(req, dst)) { |
3682 |
+ /* Without syncookies last quarter of |
3683 |
+ * backlog is filled with destinations, |
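The tcp_input.c changes go one step further where a knob steers several related decisions: tcp_syn_flood_action() and tcp_conn_request() read sysctl_tcp_syncookies (and sysctl_max_syn_backlog) once into a local, so every branch in the function works from one consistent snapshot instead of possibly seeing two different values from repeated loads. A sketch of that refinement, reusing the READ_ONCE() approximation from earlier (the variable and helper are stand-ins, and the arithmetic mirrors the max_syn_backlog hunk above):

#include <stdio.h>

#define READ_ONCE(x) (*(volatile __typeof__(x) *)&(x))

static int max_backlog;		/* stand-in for sysctl_max_syn_backlog */

static int queue_pressure(int qlen)
{
	int snapshot = READ_ONCE(max_backlog);	/* read exactly once */

	/* both uses below see the same snapshot, so the comparison can
	 * never mix an old and a new sysctl value */
	return snapshot - qlen < (snapshot >> 2);
}

int main(void)
{
	max_backlog = 1024;
	printf("pressure: %d\n", queue_pressure(900));
	return 0;
}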
3684 |
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c |
3685 |
+index 72fe93ace7d73..b95e1a3487c8b 100644 |
3686 |
+--- a/net/ipv4/tcp_ipv4.c |
3687 |
++++ b/net/ipv4/tcp_ipv4.c |
3688 |
+@@ -105,10 +105,10 @@ static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb) |
3689 |
+ |
3690 |
+ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) |
3691 |
+ { |
3692 |
++ int reuse = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse); |
3693 |
+ const struct inet_timewait_sock *tw = inet_twsk(sktw); |
3694 |
+ const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw); |
3695 |
+ struct tcp_sock *tp = tcp_sk(sk); |
3696 |
+- int reuse = sock_net(sk)->ipv4.sysctl_tcp_tw_reuse; |
3697 |
+ |
3698 |
+ if (reuse == 2) { |
3699 |
+ /* Still does not detect *everything* that goes through |
3700 |
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c |
3701 |
+index c4848e7a0aad1..9a7d8a5998578 100644 |
3702 |
+--- a/net/ipv4/tcp_metrics.c |
3703 |
++++ b/net/ipv4/tcp_metrics.c |
3704 |
+@@ -425,7 +425,8 @@ void tcp_update_metrics(struct sock *sk) |
3705 |
+ if (!tcp_metric_locked(tm, TCP_METRIC_REORDERING)) { |
3706 |
+ val = tcp_metric_get(tm, TCP_METRIC_REORDERING); |
3707 |
+ if (val < tp->reordering && |
3708 |
+- tp->reordering != net->ipv4.sysctl_tcp_reordering) |
3709 |
++ tp->reordering != |
3710 |
++ READ_ONCE(net->ipv4.sysctl_tcp_reordering)) |
3711 |
+ tcp_metric_set(tm, TCP_METRIC_REORDERING, |
3712 |
+ tp->reordering); |
3713 |
+ } |
3714 |
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c |
3715 |
+index 9b038cb0a43d2..324f43fadb37a 100644 |
3716 |
+--- a/net/ipv4/tcp_minisocks.c |
3717 |
++++ b/net/ipv4/tcp_minisocks.c |
3718 |
+@@ -180,7 +180,7 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb, |
3719 |
+ * Oh well... nobody has a sufficient solution to this |
3720 |
+ * protocol bug yet. |
3721 |
+ */ |
3722 |
+- if (twsk_net(tw)->ipv4.sysctl_tcp_rfc1337 == 0) { |
3723 |
++ if (!READ_ONCE(twsk_net(tw)->ipv4.sysctl_tcp_rfc1337)) { |
3724 |
+ kill: |
3725 |
+ inet_twsk_deschedule_put(tw); |
3726 |
+ return TCP_TW_SUCCESS; |
3727 |
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c |
3728 |
+index 739fc69cdcc62..97f29ece38000 100644 |
3729 |
+--- a/net/ipv4/tcp_output.c |
3730 |
++++ b/net/ipv4/tcp_output.c |
3731 |
+@@ -620,18 +620,18 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb, |
3732 |
+ opts->mss = tcp_advertise_mss(sk); |
3733 |
+ remaining -= TCPOLEN_MSS_ALIGNED; |
3734 |
+ |
3735 |
+- if (likely(sock_net(sk)->ipv4.sysctl_tcp_timestamps && !*md5)) { |
3736 |
++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps) && !*md5)) { |
3737 |
+ opts->options |= OPTION_TS; |
3738 |
+ opts->tsval = tcp_skb_timestamp(skb) + tp->tsoffset; |
3739 |
+ opts->tsecr = tp->rx_opt.ts_recent; |
3740 |
+ remaining -= TCPOLEN_TSTAMP_ALIGNED; |
3741 |
+ } |
3742 |
+- if (likely(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) { |
3743 |
++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling))) { |
3744 |
+ opts->ws = tp->rx_opt.rcv_wscale; |
3745 |
+ opts->options |= OPTION_WSCALE; |
3746 |
+ remaining -= TCPOLEN_WSCALE_ALIGNED; |
3747 |
+ } |
3748 |
+- if (likely(sock_net(sk)->ipv4.sysctl_tcp_sack)) { |
3749 |
++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_sack))) { |
3750 |
+ opts->options |= OPTION_SACK_ADVERTISE; |
3751 |
+ if (unlikely(!(OPTION_TS & opts->options))) |
3752 |
+ remaining -= TCPOLEN_SACKPERM_ALIGNED; |
3753 |
+@@ -1494,7 +1494,8 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu) |
3754 |
+ mss_now -= icsk->icsk_ext_hdr_len; |
3755 |
+ |
3756 |
+ /* Then reserve room for full set of TCP options and 8 bytes of data */ |
3757 |
+- mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss); |
3758 |
++ mss_now = max(mss_now, |
3759 |
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss)); |
3760 |
+ return mss_now; |
3761 |
+ } |
3762 |
+ |
3763 |
+@@ -1537,10 +1538,10 @@ void tcp_mtup_init(struct sock *sk) |
3764 |
+ struct inet_connection_sock *icsk = inet_csk(sk); |
3765 |
+ struct net *net = sock_net(sk); |
3766 |
+ |
3767 |
+- icsk->icsk_mtup.enabled = net->ipv4.sysctl_tcp_mtu_probing > 1; |
3768 |
++ icsk->icsk_mtup.enabled = READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) > 1; |
3769 |
+ icsk->icsk_mtup.search_high = tp->rx_opt.mss_clamp + sizeof(struct tcphdr) + |
3770 |
+ icsk->icsk_af_ops->net_header_len; |
3771 |
+- icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss); |
3772 |
++ icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, READ_ONCE(net->ipv4.sysctl_tcp_base_mss)); |
3773 |
+ icsk->icsk_mtup.probe_size = 0; |
3774 |
+ if (icsk->icsk_mtup.enabled) |
3775 |
+ icsk->icsk_mtup.probe_timestamp = tcp_jiffies32; |
3776 |
+@@ -1672,7 +1673,7 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited) |
3777 |
+ if (tp->packets_out > tp->snd_cwnd_used) |
3778 |
+ tp->snd_cwnd_used = tp->packets_out; |
3779 |
+ |
3780 |
+- if (sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle && |
3781 |
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) && |
3782 |
+ (s32)(tcp_jiffies32 - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto && |
3783 |
+ !ca_ops->cong_control) |
3784 |
+ tcp_cwnd_application_limited(sk); |
3785 |
+@@ -2051,7 +2052,7 @@ static inline void tcp_mtu_check_reprobe(struct sock *sk) |
3786 |
+ u32 interval; |
3787 |
+ s32 delta; |
3788 |
+ |
3789 |
+- interval = net->ipv4.sysctl_tcp_probe_interval; |
3790 |
++ interval = READ_ONCE(net->ipv4.sysctl_tcp_probe_interval); |
3791 |
+ delta = tcp_jiffies32 - icsk->icsk_mtup.probe_timestamp; |
3792 |
+ if (unlikely(delta >= interval * HZ)) { |
3793 |
+ int mss = tcp_current_mss(sk); |
3794 |
+@@ -2133,7 +2134,7 @@ static int tcp_mtu_probe(struct sock *sk) |
3795 |
+ * probing process by not resetting search range to its orignal. |
3796 |
+ */ |
3797 |
+ if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) || |
3798 |
+- interval < net->ipv4.sysctl_tcp_probe_threshold) { |
3799 |
++ interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) { |
3800 |
+ /* Check whether enough time has elaplased for |
3801 |
+ * another round of probing. |
3802 |
+ */ |
3803 |
+@@ -2508,7 +2509,7 @@ bool tcp_schedule_loss_probe(struct sock *sk, bool advancing_rto) |
3804 |
+ if (rcu_access_pointer(tp->fastopen_rsk)) |
3805 |
+ return false; |
3806 |
+ |
3807 |
+- early_retrans = sock_net(sk)->ipv4.sysctl_tcp_early_retrans; |
3808 |
++ early_retrans = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_early_retrans); |
3809 |
+ /* Schedule a loss probe in 2*RTT for SACK capable connections |
3810 |
+ * not in loss recovery, that are either limited by cwnd or application. |
3811 |
+ */ |
3812 |
+@@ -2870,7 +2871,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to, |
3813 |
+ struct sk_buff *skb = to, *tmp; |
3814 |
+ bool first = true; |
3815 |
+ |
3816 |
+- if (!sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse) |
3817 |
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse)) |
3818 |
+ return; |
3819 |
+ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN) |
3820 |
+ return; |
3821 |
+@@ -3406,7 +3407,7 @@ static void tcp_connect_init(struct sock *sk) |
3822 |
+ * See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT. |
3823 |
+ */ |
3824 |
+ tp->tcp_header_len = sizeof(struct tcphdr); |
3825 |
+- if (sock_net(sk)->ipv4.sysctl_tcp_timestamps) |
3826 |
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps)) |
3827 |
+ tp->tcp_header_len += TCPOLEN_TSTAMP_ALIGNED; |
3828 |
+ |
3829 |
+ #ifdef CONFIG_TCP_MD5SIG |
3830 |
+@@ -3442,7 +3443,7 @@ static void tcp_connect_init(struct sock *sk) |
3831 |
+ tp->advmss - (tp->rx_opt.ts_recent_stamp ? tp->tcp_header_len - sizeof(struct tcphdr) : 0), |
3832 |
+ &tp->rcv_wnd, |
3833 |
+ &tp->window_clamp, |
3834 |
+- sock_net(sk)->ipv4.sysctl_tcp_window_scaling, |
3835 |
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling), |
3836 |
+ &rcv_wscale, |
3837 |
+ rcv_wnd); |
3838 |
+ |
3839 |
+@@ -3846,7 +3847,7 @@ void tcp_send_probe0(struct sock *sk) |
3840 |
+ |
3841 |
+ icsk->icsk_probes_out++; |
3842 |
+ if (err <= 0) { |
3843 |
+- if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2) |
3844 |
++ if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2)) |
3845 |
+ icsk->icsk_backoff++; |
3846 |
+ timeout = tcp_probe0_when(sk, TCP_RTO_MAX); |
3847 |
+ } else { |
3848 |
+diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c |
3849 |
+index 8757bb6cb1d93..22ec8dcc1428a 100644 |
3850 |
+--- a/net/ipv4/tcp_recovery.c |
3851 |
++++ b/net/ipv4/tcp_recovery.c |
3852 |
+@@ -33,7 +33,8 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk) |
3853 |
+ return 0; |
3854 |
+ |
3855 |
+ if (tp->sacked_out >= tp->reordering && |
3856 |
+- !(sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_NO_DUPTHRESH)) |
3857 |
++ !(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3858 |
++ TCP_RACK_NO_DUPTHRESH)) |
3859 |
+ return 0; |
3860 |
+ } |
3861 |
+ |
3862 |
+@@ -204,7 +205,8 @@ void tcp_rack_update_reo_wnd(struct sock *sk, struct rate_sample *rs) |
3863 |
+ { |
3864 |
+ struct tcp_sock *tp = tcp_sk(sk); |
3865 |
+ |
3866 |
+- if (sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_STATIC_REO_WND || |
3867 |
++ if ((READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & |
3868 |
++ TCP_RACK_STATIC_REO_WND) || |
3869 |
+ !rs->prior_delivered) |
3870 |
+ return; |
3871 |
+ |
3872 |
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c |
3873 |
+index fa2ae96ecdc40..a0107eb02ae4c 100644 |
3874 |
+--- a/net/ipv4/tcp_timer.c |
3875 |
++++ b/net/ipv4/tcp_timer.c |
3876 |
+@@ -143,7 +143,7 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset) |
3877 |
+ */ |
3878 |
+ static int tcp_orphan_retries(struct sock *sk, bool alive) |
3879 |
+ { |
3880 |
+- int retries = sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be zero. */ |
3881 |
++ int retries = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); /* May be zero. */ |
3882 |
+ |
3883 |
+ /* We know from an ICMP that something is wrong. */ |
3884 |
+ if (sk->sk_err_soft && !alive) |
3885 |
+@@ -163,7 +163,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk) |
3886 |
+ int mss; |
3887 |
+ |
3888 |
+ /* Black hole detection */ |
3889 |
+- if (!net->ipv4.sysctl_tcp_mtu_probing) |
3890 |
++ if (!READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing)) |
3891 |
+ return; |
3892 |
+ |
3893 |
+ if (!icsk->icsk_mtup.enabled) { |
3894 |
+@@ -171,9 +171,9 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk) |
3895 |
+ icsk->icsk_mtup.probe_timestamp = tcp_jiffies32; |
3896 |
+ } else { |
3897 |
+ mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; |
3898 |
+- mss = min(net->ipv4.sysctl_tcp_base_mss, mss); |
3899 |
+- mss = max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor); |
3900 |
+- mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss); |
3901 |
++ mss = min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss); |
3902 |
++ mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_mtu_probe_floor)); |
3903 |
++ mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_min_snd_mss)); |
3904 |
+ icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss); |
3905 |
+ } |
3906 |
+ tcp_sync_mss(sk, icsk->icsk_pmtu_cookie); |
3907 |
+@@ -245,7 +245,7 @@ static int tcp_write_timeout(struct sock *sk) |
3908 |
+ retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; |
3909 |
+ expired = icsk->icsk_retransmits >= retry_until; |
3910 |
+ } else { |
3911 |
+- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) { |
3912 |
++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) { |
3913 |
+ /* Black hole detection */ |
3914 |
+ tcp_mtu_probing(icsk, sk); |
3915 |
+ |
3916 |
+@@ -254,7 +254,7 @@ static int tcp_write_timeout(struct sock *sk) |
3917 |
+ sk_rethink_txhash(sk); |
3918 |
+ } |
3919 |
+ |
3920 |
+- retry_until = net->ipv4.sysctl_tcp_retries2; |
3921 |
++ retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2); |
3922 |
+ if (sock_flag(sk, SOCK_DEAD)) { |
3923 |
+ const bool alive = icsk->icsk_rto < TCP_RTO_MAX; |
3924 |
+ |
3925 |
+@@ -381,7 +381,7 @@ static void tcp_probe_timer(struct sock *sk) |
3926 |
+ msecs_to_jiffies(icsk->icsk_user_timeout)) |
3927 |
+ goto abort; |
3928 |
+ |
3929 |
+- max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2; |
3930 |
++ max_probes = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2); |
3931 |
+ if (sock_flag(sk, SOCK_DEAD)) { |
3932 |
+ const bool alive = inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_MAX; |
3933 |
+ |
3934 |
+@@ -569,7 +569,7 @@ out_reset_timer: |
3935 |
+ * linear-timeout retransmissions into a black hole |
3936 |
+ */ |
3937 |
+ if (sk->sk_state == TCP_ESTABLISHED && |
3938 |
+- (tp->thin_lto || net->ipv4.sysctl_tcp_thin_linear_timeouts) && |
3939 |
++ (tp->thin_lto || READ_ONCE(net->ipv4.sysctl_tcp_thin_linear_timeouts)) && |
3940 |
+ tcp_stream_is_thin(tp) && |
3941 |
+ icsk->icsk_retransmits <= TCP_THIN_LINEAR_RETRIES) { |
3942 |
+ icsk->icsk_backoff = 0; |
3943 |
+@@ -580,7 +580,7 @@ out_reset_timer: |
3944 |
+ } |
3945 |
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, |
3946 |
+ tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX); |
3947 |
+- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0)) |
3948 |
++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + 1, 0)) |
3949 |
+ __sk_dst_reset(sk); |
3950 |
+ |
3951 |
+ out:; |
3952 |
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c |
3953 |
+index 942da168f18fb..56f396ecc26b7 100644 |
3954 |
+--- a/net/ipv6/af_inet6.c |
3955 |
++++ b/net/ipv6/af_inet6.c |
3956 |
+@@ -222,7 +222,7 @@ lookup_protocol: |
3957 |
+ inet->mc_list = NULL; |
3958 |
+ inet->rcv_tos = 0; |
3959 |
+ |
3960 |
+- if (net->ipv4.sysctl_ip_no_pmtu_disc) |
3961 |
++ if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) |
3962 |
+ inet->pmtudisc = IP_PMTUDISC_DONT; |
3963 |
+ else |
3964 |
+ inet->pmtudisc = IP_PMTUDISC_WANT; |
3965 |
+diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c |
3966 |
+index 37ab254f7b92d..7e55505465949 100644 |
3967 |
+--- a/net/ipv6/syncookies.c |
3968 |
++++ b/net/ipv6/syncookies.c |
3969 |
+@@ -141,7 +141,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) |
3970 |
+ __u8 rcv_wscale; |
3971 |
+ u32 tsoff = 0; |
3972 |
+ |
3973 |
+- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) |
3974 |
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || |
3975 |
++ !th->ack || th->rst) |
3976 |
+ goto out; |
3977 |
+ |
3978 |
+ if (tcp_synq_no_recent_overflow(sk)) |
3979 |
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c |
3980 |
+index bb370a7948f42..363a64c124144 100644 |
3981 |
+--- a/net/sctp/protocol.c |
3982 |
++++ b/net/sctp/protocol.c |
3983 |
+@@ -358,7 +358,7 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp) |
3984 |
+ if (addr->v4.sin_addr.s_addr != htonl(INADDR_ANY) && |
3985 |
+ ret != RTN_LOCAL && |
3986 |
+ !sp->inet.freebind && |
3987 |
+- !net->ipv4.sysctl_ip_nonlocal_bind) |
3988 |
++ !READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind)) |
3989 |
+ return 0; |
3990 |
+ |
3991 |
+ if (ipv6_only_sock(sctp_opt2sk(sp))) |
3992 |
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c |
3993 |
+index abb93f7343c53..2c3cf47d730bb 100644 |
3994 |
+--- a/net/tls/tls_device.c |
3995 |
++++ b/net/tls/tls_device.c |
3996 |
+@@ -94,13 +94,16 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx) |
3997 |
+ unsigned long flags; |
3998 |
+ |
3999 |
+ spin_lock_irqsave(&tls_device_lock, flags); |
4000 |
++ if (unlikely(!refcount_dec_and_test(&ctx->refcount))) |
4001 |
++ goto unlock; |
4002 |
++ |
4003 |
+ list_move_tail(&ctx->list, &tls_device_gc_list); |
4004 |
+ |
4005 |
+ /* schedule_work inside the spinlock |
4006 |
+ * to make sure tls_device_down waits for that work. |
4007 |
+ */ |
4008 |
+ schedule_work(&tls_device_gc_work); |
4009 |
+- |
4010 |
++unlock: |
4011 |
+ spin_unlock_irqrestore(&tls_device_lock, flags); |
4012 |
+ } |
4013 |
+ |
4014 |
+@@ -191,8 +194,7 @@ static void tls_device_sk_destruct(struct sock *sk) |
4015 |
+ clean_acked_data_disable(inet_csk(sk)); |
4016 |
+ } |
4017 |
+ |
4018 |
+- if (refcount_dec_and_test(&tls_ctx->refcount)) |
4019 |
+- tls_device_queue_ctx_destruction(tls_ctx); |
4020 |
++ tls_device_queue_ctx_destruction(tls_ctx); |
4021 |
+ } |
4022 |
+ |
4023 |
+ void tls_device_free_resources_tx(struct sock *sk) |
4024 |
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c |
4025 |
+index 3ecb77c58c44e..28a8cdef8e51f 100644 |
4026 |
+--- a/net/xfrm/xfrm_policy.c |
4027 |
++++ b/net/xfrm/xfrm_policy.c |
4028 |
+@@ -2679,8 +2679,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, |
4029 |
+ *num_xfrms = 0; |
4030 |
+ return 0; |
4031 |
+ } |
4032 |
+- if (IS_ERR(pols[0])) |
4033 |
++ if (IS_ERR(pols[0])) { |
4034 |
++ *num_pols = 0; |
4035 |
+ return PTR_ERR(pols[0]); |
4036 |
++ } |
4037 |
+ |
4038 |
+ *num_xfrms = pols[0]->xfrm_nr; |
4039 |
+ |
4040 |
+@@ -2695,6 +2697,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, |
4041 |
+ if (pols[1]) { |
4042 |
+ if (IS_ERR(pols[1])) { |
4043 |
+ xfrm_pols_put(pols, *num_pols); |
4044 |
++ *num_pols = 0; |
4045 |
+ return PTR_ERR(pols[1]); |
4046 |
+ } |
4047 |
+ (*num_pols)++; |
4048 |
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c |
4049 |
+index 268bba29bb603..bee1a8143d75f 100644 |
4050 |
+--- a/net/xfrm/xfrm_state.c |
4051 |
++++ b/net/xfrm/xfrm_state.c |
4052 |
+@@ -2488,7 +2488,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) |
4053 |
+ int err; |
4054 |
+ |
4055 |
+ if (family == AF_INET && |
4056 |
+- xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc) |
4057 |
++ READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) |
4058 |
+ x->props.flags |= XFRM_STATE_NOPMTUDISC; |
4059 |
+ |
4060 |
+ err = -EPROTONOSUPPORT; |
4061 |
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig |
4062 |
+index 748f3ee27b23d..44b3315f32352 100644 |
4063 |
+--- a/security/integrity/ima/Kconfig |
4064 |
++++ b/security/integrity/ima/Kconfig |
4065 |
+@@ -69,10 +69,9 @@ choice |
4066 |
+ hash, defined as 20 bytes, and a null terminated pathname, |
4067 |
+ limited to 255 characters. The 'ima-ng' measurement list |
4068 |
+ template permits both larger hash digests and longer |
4069 |
+- pathnames. |
4070 |
++ pathnames. The configured default template can be replaced |
4071 |
++ by specifying "ima_template=" on the boot command line. |
4072 |
+ |
4073 |
+- config IMA_TEMPLATE |
4074 |
+- bool "ima" |
4075 |
+ config IMA_NG_TEMPLATE |
4076 |
+ bool "ima-ng (default)" |
4077 |
+ config IMA_SIG_TEMPLATE |
4078 |
+@@ -82,7 +81,6 @@ endchoice |
4079 |
+ config IMA_DEFAULT_TEMPLATE |
4080 |
+ string |
4081 |
+ depends on IMA |
4082 |
+- default "ima" if IMA_TEMPLATE |
4083 |
+ default "ima-ng" if IMA_NG_TEMPLATE |
4084 |
+ default "ima-sig" if IMA_SIG_TEMPLATE |
4085 |
+ |
4086 |
+@@ -102,15 +100,15 @@ choice |
4087 |
+ |
4088 |
+ config IMA_DEFAULT_HASH_SHA256 |
4089 |
+ bool "SHA256" |
4090 |
+- depends on CRYPTO_SHA256=y && !IMA_TEMPLATE |
4091 |
++ depends on CRYPTO_SHA256=y |
4092 |
+ |
4093 |
+ config IMA_DEFAULT_HASH_SHA512 |
4094 |
+ bool "SHA512" |
4095 |
+- depends on CRYPTO_SHA512=y && !IMA_TEMPLATE |
4096 |
++ depends on CRYPTO_SHA512=y |
4097 |
+ |
4098 |
+ config IMA_DEFAULT_HASH_WP512 |
4099 |
+ bool "WP512" |
4100 |
+- depends on CRYPTO_WP512=y && !IMA_TEMPLATE |
4101 |
++ depends on CRYPTO_WP512=y |
4102 |
+ endchoice |
4103 |
+ |
4104 |
+ config IMA_DEFAULT_HASH |
4105 |
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c |
4106 |
+index a073e49d5cd7d..14aef74d3588a 100644 |
4107 |
+--- a/security/integrity/ima/ima_policy.c |
4108 |
++++ b/security/integrity/ima/ima_policy.c |
4109 |
+@@ -1542,6 +1542,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) |
4110 |
+ if (id >= READING_MAX_ID) |
4111 |
+ return false; |
4112 |
+ |
4113 |
++ if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) |
4114 |
++ && security_locked_down(LOCKDOWN_KEXEC)) |
4115 |
++ return false; |
4116 |
++ |
4117 |
+ func = read_idmap[id] ?: FILE_CHECK; |
4118 |
+ |
4119 |
+ rcu_read_lock(); |
4120 |
+diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c |
4121 |
+index fe1ea03582cbb..9fc7c81ec6ae5 100644 |
4122 |
+--- a/sound/core/memalloc.c |
4123 |
++++ b/sound/core/memalloc.c |
4124 |
+@@ -124,6 +124,7 @@ int snd_dma_alloc_pages(int type, struct device *device, size_t size, |
4125 |
+ if (WARN_ON(!device)) |
4126 |
+ return -EINVAL; |
4127 |
+ |
4128 |
++ size = PAGE_ALIGN(size); |
4129 |
+ dmab->dev.type = type; |
4130 |
+ dmab->dev.dev = device; |
4131 |
+ dmab->bytes = 0; |