commit: 0047162d944ddd8439be87b3e2f073680c16ea29 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
AuthorDate: Wed May 3 17:41:36 2017 +0000 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
CommitDate: Wed May 3 17:41:36 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=0047162d |
|
Linux patch 4.4.66 |
|
0000_README | 4 + |
1065_linux-4.4.66.patch | 1309 +++++++++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 1313 insertions(+) |
|
14 |
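--- a/0000_README
+++ b/0000_README
@@ -303,6 +303,10 @@ Patch: 1064_linux-4.4.65.patch
 From: http://www.kernel.org
 Desc: Linux 4.4.65
 
+Patch: 1065_linux-4.4.66.patch
+From: http://www.kernel.org
+Desc: Linux 4.4.66
+
 Patch: 1500_XATTR_USER_PREFIX.patch
 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc: Support for namespace user.pax.* on tmpfs.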
30 |
diff --git a/1065_linux-4.4.66.patch b/1065_linux-4.4.66.patch |
31 |
new file mode 100644 |
32 |
index 0000000..1fe8b7a |
33 |
--- /dev/null |
34 |
+++ b/1065_linux-4.4.66.patch |
35 |
@@ -0,0 +1,1309 @@ |
36 |
+diff --git a/Documentation/devicetree/bindings/clock/sunxi.txt b/Documentation/devicetree/bindings/clock/sunxi.txt |
37 |
+index 8a47b77abfca..e8c74a6e738b 100644 |
38 |
+--- a/Documentation/devicetree/bindings/clock/sunxi.txt |
39 |
++++ b/Documentation/devicetree/bindings/clock/sunxi.txt |
40 |
+@@ -18,6 +18,7 @@ Required properties: |
41 |
+ "allwinner,sun4i-a10-cpu-clk" - for the CPU multiplexer clock |
42 |
+ "allwinner,sun4i-a10-axi-clk" - for the AXI clock |
43 |
+ "allwinner,sun8i-a23-axi-clk" - for the AXI clock on A23 |
44 |
++ "allwinner,sun4i-a10-gates-clk" - for generic gates on all compatible SoCs |
45 |
+ "allwinner,sun4i-a10-axi-gates-clk" - for the AXI gates |
46 |
+ "allwinner,sun4i-a10-ahb-clk" - for the AHB clock |
47 |
+ "allwinner,sun5i-a13-ahb-clk" - for the AHB clock on A13 |
48 |
+@@ -43,6 +44,7 @@ Required properties: |
49 |
+ "allwinner,sun6i-a31-apb0-gates-clk" - for the APB0 gates on A31 |
50 |
+ "allwinner,sun7i-a20-apb0-gates-clk" - for the APB0 gates on A20 |
51 |
+ "allwinner,sun8i-a23-apb0-gates-clk" - for the APB0 gates on A23 |
52 |
++ "allwinner,sun8i-h3-apb0-gates-clk" - for the APB0 gates on H3 |
53 |
+ "allwinner,sun9i-a80-apb0-gates-clk" - for the APB0 gates on A80 |
54 |
+ "allwinner,sun4i-a10-apb1-clk" - for the APB1 clock |
55 |
+ "allwinner,sun9i-a80-apb1-clk" - for the APB1 bus clock on A80 |
56 |
+diff --git a/Makefile b/Makefile |
57 |
+index ddaef04f528a..1cd052823c03 100644 |
58 |
+--- a/Makefile |
59 |
++++ b/Makefile |
60 |
+@@ -1,6 +1,6 @@ |
61 |
+ VERSION = 4 |
62 |
+ PATCHLEVEL = 4 |
63 |
+-SUBLEVEL = 65 |
64 |
++SUBLEVEL = 66 |
65 |
+ EXTRAVERSION = |
66 |
+ NAME = Blurry Fish Butt |
67 |
+ |
68 |
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h |
69 |
+index b5ff87e6f4b7..aee1a77934cf 100644 |
70 |
+--- a/arch/arc/include/asm/entry-arcv2.h |
71 |
++++ b/arch/arc/include/asm/entry-arcv2.h |
72 |
+@@ -16,6 +16,7 @@ |
73 |
+ ; |
74 |
+ ; Now manually save: r12, sp, fp, gp, r25 |
75 |
+ |
76 |
++ PUSH r30 |
77 |
+ PUSH r12 |
78 |
+ |
79 |
+ ; Saving pt_regs->sp correctly requires some extra work due to the way |
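Review bot: The comment `; Now manually save: r12, sp, fp, gp, r25` directly above the added `PUSH r30` no longer matches what the macro saves. It should list the new register in push order, for example `; Now manually save: r30, r12, sp, fp, gp, r25`. The matching `POP r30` in the next hunk presumably has to stay the last pop so the frame keeps mirroring the `r12, r30` pair added to struct pt_regs; a one-line remark there would record that coupling. The macro body starts and ends outside this hunk.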
80 |
+@@ -72,6 +73,7 @@ |
81 |
+ POPAX AUX_USER_SP |
82 |
+ 1: |
83 |
+ POP r12 |
84 |
++ POP r30 |
85 |
+ |
86 |
+ .endm |
87 |
+ |
88 |
+diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h |
89 |
+index 69095da1fcfd..47111d565a95 100644 |
90 |
+--- a/arch/arc/include/asm/ptrace.h |
91 |
++++ b/arch/arc/include/asm/ptrace.h |
92 |
+@@ -84,7 +84,7 @@ struct pt_regs { |
93 |
+ unsigned long fp; |
94 |
+ unsigned long sp; /* user/kernel sp depending on where we came from */ |
95 |
+ |
96 |
+- unsigned long r12; |
97 |
++ unsigned long r12, r30; |
98 |
+ |
99 |
+ /*------- Below list auto saved by h/w -----------*/ |
100 |
+ unsigned long r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11; |
101 |
+diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c |
102 |
+index f86692dbcfd5..83fc403aec3c 100644 |
103 |
+--- a/arch/arm/mach-omap2/timer.c |
104 |
++++ b/arch/arm/mach-omap2/timer.c |
105 |
+@@ -496,8 +496,7 @@ void __init omap_init_time(void) |
106 |
+ __omap_sync32k_timer_init(1, "timer_32k_ck", "ti,timer-alwon", |
107 |
+ 2, "timer_sys_ck", NULL, false); |
108 |
+ |
109 |
+- if (of_have_populated_dt()) |
110 |
+- clocksource_probe(); |
111 |
++ clocksource_probe(); |
112 |
+ } |
113 |
+ |
114 |
+ #if defined(CONFIG_ARCH_OMAP3) || defined(CONFIG_SOC_AM43XX) |
115 |
+@@ -505,6 +504,8 @@ void __init omap3_secure_sync32k_timer_init(void) |
116 |
+ { |
117 |
+ __omap_sync32k_timer_init(12, "secure_32k_fck", "ti,timer-secure", |
118 |
+ 2, "timer_sys_ck", NULL, false); |
119 |
++ |
120 |
++ clocksource_probe(); |
121 |
+ } |
122 |
+ #endif /* CONFIG_ARCH_OMAP3 */ |
123 |
+ |
124 |
+@@ -513,6 +514,8 @@ void __init omap3_gptimer_timer_init(void) |
125 |
+ { |
126 |
+ __omap_sync32k_timer_init(2, "timer_sys_ck", NULL, |
127 |
+ 1, "timer_sys_ck", "ti,timer-alwon", true); |
128 |
++ |
129 |
++ clocksource_probe(); |
130 |
+ } |
131 |
+ #endif |
132 |
+ |
133 |
+diff --git a/arch/mips/kernel/crash.c b/arch/mips/kernel/crash.c |
134 |
+index d434d5d5ae6e..610f0f3bdb34 100644 |
135 |
+--- a/arch/mips/kernel/crash.c |
136 |
++++ b/arch/mips/kernel/crash.c |
137 |
+@@ -14,12 +14,22 @@ static int crashing_cpu = -1; |
138 |
+ static cpumask_t cpus_in_crash = CPU_MASK_NONE; |
139 |
+ |
140 |
+ #ifdef CONFIG_SMP |
141 |
+-static void crash_shutdown_secondary(void *ignore) |
142 |
++static void crash_shutdown_secondary(void *passed_regs) |
143 |
+ { |
144 |
+- struct pt_regs *regs; |
145 |
++ struct pt_regs *regs = passed_regs; |
146 |
+ int cpu = smp_processor_id(); |
147 |
+ |
148 |
+- regs = task_pt_regs(current); |
149 |
++ /* |
150 |
++ * If we are passed registers, use those. Otherwise get the |
151 |
++ * regs from the last interrupt, which should be correct, as |
152 |
++ * we are in an interrupt. But if the regs are not there, |
153 |
++ * pull them from the top of the stack. They are probably |
154 |
++ * wrong, but we need something to keep from crashing again. |
155 |
++ */ |
156 |
++ if (!regs) |
157 |
++ regs = get_irq_regs(); |
158 |
++ if (!regs) |
159 |
++ regs = task_pt_regs(current); |
160 |
+ |
161 |
+ if (!cpu_online(cpu)) |
162 |
+ return; |
163 |
+diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c |
164 |
+index 4a4d9e067c89..3afffc30ee12 100644 |
165 |
+--- a/arch/mips/kernel/elf.c |
166 |
++++ b/arch/mips/kernel/elf.c |
167 |
+@@ -206,7 +206,7 @@ int arch_check_elf(void *_ehdr, bool has_interpreter, |
168 |
+ else if ((prog_req.fr1 && prog_req.frdefault) || |
169 |
+ (prog_req.single && !prog_req.frdefault)) |
170 |
+ /* Make sure 64-bit MIPS III/IV/64R1 will not pick FR1 */ |
171 |
+- state->overall_fp_mode = ((current_cpu_data.fpu_id & MIPS_FPIR_F64) && |
172 |
++ state->overall_fp_mode = ((raw_current_cpu_data.fpu_id & MIPS_FPIR_F64) && |
173 |
+ cpu_has_mips_r2_r6) ? |
174 |
+ FP_FR1 : FP_FR0; |
175 |
+ else if (prog_req.fr1) |
176 |
+diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c |
177 |
+index de63d36af895..732d6171ac6a 100644 |
178 |
+--- a/arch/mips/kernel/kgdb.c |
179 |
++++ b/arch/mips/kernel/kgdb.c |
180 |
+@@ -244,9 +244,6 @@ static int compute_signal(int tt) |
181 |
+ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p) |
182 |
+ { |
183 |
+ int reg; |
184 |
+- struct thread_info *ti = task_thread_info(p); |
185 |
+- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32; |
186 |
+- struct pt_regs *regs = (struct pt_regs *)ksp - 1; |
187 |
+ #if (KGDB_GDB_REG_SIZE == 32) |
188 |
+ u32 *ptr = (u32 *)gdb_regs; |
189 |
+ #else |
190 |
+@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p) |
191 |
+ #endif |
192 |
+ |
193 |
+ for (reg = 0; reg < 16; reg++) |
194 |
+- *(ptr++) = regs->regs[reg]; |
195 |
++ *(ptr++) = 0; |
196 |
+ |
197 |
+ /* S0 - S7 */ |
198 |
+- for (reg = 16; reg < 24; reg++) |
199 |
+- *(ptr++) = regs->regs[reg]; |
200 |
++ *(ptr++) = p->thread.reg16; |
201 |
++ *(ptr++) = p->thread.reg17; |
202 |
++ *(ptr++) = p->thread.reg18; |
203 |
++ *(ptr++) = p->thread.reg19; |
204 |
++ *(ptr++) = p->thread.reg20; |
205 |
++ *(ptr++) = p->thread.reg21; |
206 |
++ *(ptr++) = p->thread.reg22; |
207 |
++ *(ptr++) = p->thread.reg23; |
208 |
+ |
209 |
+ for (reg = 24; reg < 28; reg++) |
210 |
+ *(ptr++) = 0; |
211 |
+ |
212 |
+ /* GP, SP, FP, RA */ |
213 |
+- for (reg = 28; reg < 32; reg++) |
214 |
+- *(ptr++) = regs->regs[reg]; |
215 |
+- |
216 |
+- *(ptr++) = regs->cp0_status; |
217 |
+- *(ptr++) = regs->lo; |
218 |
+- *(ptr++) = regs->hi; |
219 |
+- *(ptr++) = regs->cp0_badvaddr; |
220 |
+- *(ptr++) = regs->cp0_cause; |
221 |
+- *(ptr++) = regs->cp0_epc; |
222 |
++ *(ptr++) = (long)p; |
223 |
++ *(ptr++) = p->thread.reg29; |
224 |
++ *(ptr++) = p->thread.reg30; |
225 |
++ *(ptr++) = p->thread.reg31; |
226 |
++ |
227 |
++ *(ptr++) = p->thread.cp0_status; |
228 |
++ |
229 |
++ /* lo, hi */ |
230 |
++ *(ptr++) = 0; |
231 |
++ *(ptr++) = 0; |
232 |
++ |
233 |
++ /* |
234 |
++ * BadVAddr, Cause |
235 |
++ * Ideally these would come from the last exception frame up the stack |
236 |
++ * but that requires unwinding, otherwise we can't know much for sure. |
237 |
++ */ |
238 |
++ *(ptr++) = 0; |
239 |
++ *(ptr++) = 0; |
240 |
++ |
241 |
++ /* |
242 |
++ * PC |
243 |
++ * use return address (RA), i.e. the moment after return from resume() |
244 |
++ */ |
245 |
++ *(ptr++) = p->thread.reg31; |
246 |
+ } |
247 |
+ |
248 |
+ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc) |
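Review bot: Under the `/* GP, SP, FP, RA */` comment the GP slot is filled with `(long)p`, the task_struct pointer, and nothing explains the choice. If the intent is to report what the sleeping thread would hold in that register, that is presumably its thread_info pointer rather than the task pointer; either store that or say why not, e.g. `/* GP: not saved in p->thread, report the task pointer instead */`. The zeroed slots for registers 0-15 and 24-27 would likewise benefit from a short comment that no saved copy exists in `p->thread`, so the zeros read as deliberate rather than as missing data.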
249 |
+diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h |
250 |
+index 408b715c95a5..9d81579f3d54 100644 |
251 |
+--- a/arch/sparc/include/asm/pgtable_64.h |
252 |
++++ b/arch/sparc/include/asm/pgtable_64.h |
253 |
+@@ -668,26 +668,27 @@ static inline unsigned long pmd_pfn(pmd_t pmd) |
254 |
+ return pte_pfn(pte); |
255 |
+ } |
256 |
+ |
257 |
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE |
258 |
+-static inline unsigned long pmd_dirty(pmd_t pmd) |
259 |
++#define __HAVE_ARCH_PMD_WRITE |
260 |
++static inline unsigned long pmd_write(pmd_t pmd) |
261 |
+ { |
262 |
+ pte_t pte = __pte(pmd_val(pmd)); |
263 |
+ |
264 |
+- return pte_dirty(pte); |
265 |
++ return pte_write(pte); |
266 |
+ } |
267 |
+ |
268 |
+-static inline unsigned long pmd_young(pmd_t pmd) |
269 |
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE |
270 |
++static inline unsigned long pmd_dirty(pmd_t pmd) |
271 |
+ { |
272 |
+ pte_t pte = __pte(pmd_val(pmd)); |
273 |
+ |
274 |
+- return pte_young(pte); |
275 |
++ return pte_dirty(pte); |
276 |
+ } |
277 |
+ |
278 |
+-static inline unsigned long pmd_write(pmd_t pmd) |
279 |
++static inline unsigned long pmd_young(pmd_t pmd) |
280 |
+ { |
281 |
+ pte_t pte = __pte(pmd_val(pmd)); |
282 |
+ |
283 |
+- return pte_write(pte); |
284 |
++ return pte_young(pte); |
285 |
+ } |
286 |
+ |
287 |
+ static inline unsigned long pmd_trans_huge(pmd_t pmd) |
288 |
+diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c |
289 |
+index 3d3414c14792..965655afdbb6 100644 |
290 |
+--- a/arch/sparc/mm/init_64.c |
291 |
++++ b/arch/sparc/mm/init_64.c |
292 |
+@@ -1493,7 +1493,7 @@ bool kern_addr_valid(unsigned long addr) |
293 |
+ if ((long)addr < 0L) { |
294 |
+ unsigned long pa = __pa(addr); |
295 |
+ |
296 |
+- if ((addr >> max_phys_bits) != 0UL) |
297 |
++ if ((pa >> max_phys_bits) != 0UL) |
298 |
+ return false; |
299 |
+ |
300 |
+ return pfn_valid(pa >> PAGE_SHIFT); |
301 |
+diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c |
302 |
+index 311bcf338f07..bfc587579dc3 100644 |
303 |
+--- a/arch/x86/kernel/ftrace.c |
304 |
++++ b/arch/x86/kernel/ftrace.c |
305 |
+@@ -977,6 +977,18 @@ void prepare_ftrace_return(unsigned long self_addr, unsigned long *parent, |
306 |
+ unsigned long return_hooker = (unsigned long) |
307 |
+ &return_to_handler; |
308 |
+ |
309 |
++ /* |
310 |
++ * When resuming from suspend-to-ram, this function can be indirectly |
311 |
++ * called from early CPU startup code while the CPU is in real mode, |
312 |
++ * which would fail miserably. Make sure the stack pointer is a |
313 |
++ * virtual address. |
314 |
++ * |
315 |
++ * This check isn't as accurate as virt_addr_valid(), but it should be |
316 |
++ * good enough for this purpose, and it's fast. |
317 |
++ */ |
318 |
++ if (unlikely((long)__builtin_frame_address(0) >= 0)) |
319 |
++ return; |
320 |
++ |
321 |
+ if (unlikely(ftrace_graph_is_dead())) |
322 |
+ return; |
323 |
+ |
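Review bot: The sign test `(long)__builtin_frame_address(0) >= 0` assumes every kernel stack address has its top bit set. That holds on x86-64 and with the default 32-bit 3G/1G split, but as far as I can tell this file is also built for 32-bit kernels, and a configuration whose PAGE_OFFSET lies below 0x80000000 would make the function return early on every call, silently disabling the hook. The comment should state the assumption, e.g. `* Assumes kernel virtual addresses are negative when cast to long.`, or the test could compare against the kernel base directly: `if (unlikely((unsigned long)__builtin_frame_address(0) < PAGE_OFFSET))`. The function body continues outside the hunk.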
324 |
+diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c |
325 |
+index f1ba6a092854..8846257d8792 100644 |
326 |
+--- a/arch/x86/xen/time.c |
327 |
++++ b/arch/x86/xen/time.c |
328 |
+@@ -343,11 +343,11 @@ static int xen_vcpuop_set_next_event(unsigned long delta, |
329 |
+ WARN_ON(!clockevent_state_oneshot(evt)); |
330 |
+ |
331 |
+ single.timeout_abs_ns = get_abs_timeout(delta); |
332 |
+- single.flags = VCPU_SSHOTTMR_future; |
333 |
++ /* Get an event anyway, even if the timeout is already expired */ |
334 |
++ single.flags = 0; |
335 |
+ |
336 |
+ ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single); |
337 |
+- |
338 |
+- BUG_ON(ret != 0 && ret != -ETIME); |
339 |
++ BUG_ON(ret != 0); |
340 |
+ |
341 |
+ return ret; |
342 |
+ } |
343 |
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c |
344 |
+index d4944318ca1f..5f15f45fcc9f 100644 |
345 |
+--- a/crypto/testmgr.c |
346 |
++++ b/crypto/testmgr.c |
347 |
+@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aead *tfm, int enc, |
348 |
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
349 |
+ tcrypt_complete, &result); |
350 |
+ |
351 |
++ iv_len = crypto_aead_ivsize(tfm); |
352 |
++ |
353 |
+ for (i = 0, j = 0; i < tcount; i++) { |
354 |
+ if (template[i].np) |
355 |
+ continue; |
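Review bot: `iv_len` now bounds both `memcpy(iv, template[i].iv, iv_len)` calls, but nothing in the visible lines checks it against the size of `iv` itself. The `memset(iv, 0, MAX_IVLEN)` in the third hunk suggests the buffer is MAX_IVLEN bytes (its allocation is outside the hunks), so a transform reporting a larger IV size would make the copy write past the end of `iv`. A guard right after the assignment, `if (WARN_ON(iv_len > MAX_IVLEN))` followed by the function's existing error exit, would make the bound explicit. The third hunk also leaves its two branches inconsistent: the copy writes iv_len bytes while the `else` clears MAX_IVLEN, so bytes past iv_len keep whatever the previous test vector left there.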
356 |
+@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aead *tfm, int enc, |
357 |
+ |
358 |
+ memcpy(input, template[i].input, template[i].ilen); |
359 |
+ memcpy(assoc, template[i].assoc, template[i].alen); |
360 |
+- iv_len = crypto_aead_ivsize(tfm); |
361 |
+ if (template[i].iv) |
362 |
+ memcpy(iv, template[i].iv, iv_len); |
363 |
+ else |
364 |
+@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc, |
365 |
+ j++; |
366 |
+ |
367 |
+ if (template[i].iv) |
368 |
+- memcpy(iv, template[i].iv, MAX_IVLEN); |
369 |
++ memcpy(iv, template[i].iv, iv_len); |
370 |
+ else |
371 |
+ memset(iv, 0, MAX_IVLEN); |
372 |
+ |
373 |
+diff --git a/drivers/clk/sunxi/clk-simple-gates.c b/drivers/clk/sunxi/clk-simple-gates.c |
374 |
+index 0214c6548afd..97cb4221de25 100644 |
375 |
+--- a/drivers/clk/sunxi/clk-simple-gates.c |
376 |
++++ b/drivers/clk/sunxi/clk-simple-gates.c |
377 |
+@@ -98,6 +98,8 @@ static void __init sunxi_simple_gates_init(struct device_node *node) |
378 |
+ sunxi_simple_gates_setup(node, NULL, 0); |
379 |
+ } |
380 |
+ |
381 |
++CLK_OF_DECLARE(sun4i_a10_gates, "allwinner,sun4i-a10-gates-clk", |
382 |
++ sunxi_simple_gates_init); |
383 |
+ CLK_OF_DECLARE(sun4i_a10_apb0, "allwinner,sun4i-a10-apb0-gates-clk", |
384 |
+ sunxi_simple_gates_init); |
385 |
+ CLK_OF_DECLARE(sun4i_a10_apb1, "allwinner,sun4i-a10-apb1-gates-clk", |
386 |
+diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c |
387 |
+index 7e9154c7f1db..d1c9525d81eb 100644 |
388 |
+--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c |
389 |
++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c |
390 |
+@@ -2258,7 +2258,7 @@ static void kv_apply_state_adjust_rules(struct amdgpu_device *adev, |
391 |
+ if (pi->caps_stable_p_state) { |
392 |
+ stable_p_state_sclk = (max_limits->sclk * 75) / 100; |
393 |
+ |
394 |
+- for (i = table->count - 1; i >= 0; i++) { |
395 |
++ for (i = table->count - 1; i >= 0; i--) { |
396 |
+ if (stable_p_state_sclk >= table->entries[i].clk) { |
397 |
+ stable_p_state_sclk = table->entries[i].clk; |
398 |
+ break; |
399 |
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h |
400 |
+index 25eab453f2b2..e7b96f1ac2c5 100644 |
401 |
+--- a/drivers/input/serio/i8042-x86ia64io.h |
402 |
++++ b/drivers/input/serio/i8042-x86ia64io.h |
403 |
+@@ -685,6 +685,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { |
404 |
+ DMI_MATCH(DMI_PRODUCT_NAME, "20046"), |
405 |
+ }, |
406 |
+ }, |
407 |
++ { |
408 |
++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ |
409 |
++ .matches = { |
410 |
++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), |
411 |
++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), |
412 |
++ }, |
413 |
++ }, |
414 |
+ { } |
415 |
+ }; |
416 |
+ |
417 |
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c |
418 |
+index 9be39988bf06..d81be5e471d0 100644 |
419 |
+--- a/drivers/md/raid1.c |
420 |
++++ b/drivers/md/raid1.c |
421 |
+@@ -570,7 +570,7 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect |
422 |
+ if (best_dist_disk < 0) { |
423 |
+ if (is_badblock(rdev, this_sector, sectors, |
424 |
+ &first_bad, &bad_sectors)) { |
425 |
+- if (first_bad < this_sector) |
426 |
++ if (first_bad <= this_sector) |
427 |
+ /* Cannot use this */ |
428 |
+ continue; |
429 |
+ best_good_sectors = first_bad - this_sector; |
430 |
+diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c |
431 |
+index 082ff5608455..317ef63ee789 100644 |
432 |
+--- a/drivers/media/tuners/tuner-xc2028.c |
433 |
++++ b/drivers/media/tuners/tuner-xc2028.c |
434 |
+@@ -1407,8 +1407,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) |
435 |
+ memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); |
436 |
+ if (p->fname) { |
437 |
+ priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); |
438 |
+- if (priv->ctrl.fname == NULL) |
439 |
+- return -ENOMEM; |
440 |
++ if (priv->ctrl.fname == NULL) { |
441 |
++ rc = -ENOMEM; |
442 |
++ goto unlock; |
443 |
++ } |
444 |
+ } |
445 |
+ |
446 |
+ /* |
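Review bot: On the new `goto unlock` path `priv->ctrl` has already been overwritten by `memcpy(&priv->ctrl, p, sizeof(priv->ctrl))`, so a failed kstrdup leaves the new settings in place with `fname` set to NULL. Whether the rest of the driver tolerates that half-applied state cannot be seen from the hunk; if it does, a comment on the error branch would record it, e.g. `/* priv->ctrl already holds the new settings; fname is NULL here */`. Otherwise duplicating the name before the memcpy would keep the old configuration intact on failure. The function starts and ends outside the hunk.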
447 |
+@@ -1440,6 +1442,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) |
448 |
+ } else |
449 |
+ priv->state = XC2028_WAITING_FIRMWARE; |
450 |
+ } |
451 |
++unlock: |
452 |
+ mutex_unlock(&priv->lock); |
453 |
+ |
454 |
+ return rc; |
455 |
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c |
456 |
+index 7445da218bd9..cc1725616f9d 100644 |
457 |
+--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c |
458 |
++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c |
459 |
+@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev) |
460 |
+ if (!g) { |
461 |
+ netif_info(lio, tx_err, lio->netdev, |
462 |
+ "Transmit scatter gather: glist null!\n"); |
463 |
+- goto lio_xmit_failed; |
464 |
++ goto lio_xmit_dma_failed; |
465 |
+ } |
466 |
+ |
467 |
+ cmdsetup.s.gather = 1; |
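Review bot: The `if (!g)` branch now jumps to `lio_xmit_dma_failed`, which calls `dma_unmap_single()` on `ndata.cmd.dptr` and `ndata.datasize` (third hunk). This branch runs when no gather-list entry could be obtained, and the hunk shows no mapping being set up before that point; if `ndata.cmd.dptr` is only assigned further down the scatter-gather path, this unmaps an uninitialised handle, which is the case the label split appears meant to exclude. Unless a mapping is known to exist here, the branch should keep `goto lio_xmit_failed;`. The send-failure site in the second hunk comes after the packet has been handed to the queue and is the one that plausibly needs the unmapping label.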
468 |
+@@ -2894,7 +2894,7 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev) |
469 |
+ else |
470 |
+ status = octnet_send_nic_data_pkt(oct, &ndata, xmit_more); |
471 |
+ if (status == IQ_SEND_FAILED) |
472 |
+- goto lio_xmit_failed; |
473 |
++ goto lio_xmit_dma_failed; |
474 |
+ |
475 |
+ netif_info(lio, tx_queued, lio->netdev, "Transmit queued successfully\n"); |
476 |
+ |
477 |
+@@ -2908,12 +2908,13 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev) |
478 |
+ |
479 |
+ return NETDEV_TX_OK; |
480 |
+ |
481 |
++lio_xmit_dma_failed: |
482 |
++ dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, |
483 |
++ ndata.datasize, DMA_TO_DEVICE); |
484 |
+ lio_xmit_failed: |
485 |
+ stats->tx_dropped++; |
486 |
+ netif_info(lio, tx_err, lio->netdev, "IQ%d Transmit dropped:%llu\n", |
487 |
+ iq_no, stats->tx_dropped); |
488 |
+- dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, |
489 |
+- ndata.datasize, DMA_TO_DEVICE); |
490 |
+ recv_buffer_free(skb); |
491 |
+ return NETDEV_TX_OK; |
492 |
+ } |
493 |
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c |
494 |
+index 06c8bfeaccd6..40cd86614677 100644 |
495 |
+--- a/drivers/net/macvlan.c |
496 |
++++ b/drivers/net/macvlan.c |
497 |
+@@ -1110,6 +1110,7 @@ static int macvlan_port_create(struct net_device *dev) |
498 |
+ static void macvlan_port_destroy(struct net_device *dev) |
499 |
+ { |
500 |
+ struct macvlan_port *port = macvlan_port_get_rtnl(dev); |
501 |
++ struct sk_buff *skb; |
502 |
+ |
503 |
+ dev->priv_flags &= ~IFF_MACVLAN_PORT; |
504 |
+ netdev_rx_handler_unregister(dev); |
505 |
+@@ -1118,7 +1119,15 @@ static void macvlan_port_destroy(struct net_device *dev) |
506 |
+ * but we need to cancel it and purge left skbs if any. |
507 |
+ */ |
508 |
+ cancel_work_sync(&port->bc_work); |
509 |
+- __skb_queue_purge(&port->bc_queue); |
510 |
++ |
511 |
++ while ((skb = __skb_dequeue(&port->bc_queue))) { |
512 |
++ const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src; |
513 |
++ |
514 |
++ if (src) |
515 |
++ dev_put(src->dev); |
516 |
++ |
517 |
++ kfree_skb(skb); |
518 |
++ } |
519 |
+ |
520 |
+ kfree_rcu(port, rcu); |
521 |
+ } |
522 |
+diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c |
523 |
+index e6cefd0e3262..84b9cca152eb 100644 |
524 |
+--- a/drivers/net/phy/dp83640.c |
525 |
++++ b/drivers/net/phy/dp83640.c |
526 |
+@@ -1436,8 +1436,6 @@ static bool dp83640_rxtstamp(struct phy_device *phydev, |
527 |
+ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT; |
528 |
+ skb_queue_tail(&dp83640->rx_queue, skb); |
529 |
+ schedule_delayed_work(&dp83640->ts_work, SKB_TIMESTAMP_TIMEOUT); |
530 |
+- } else { |
531 |
+- netif_rx_ni(skb); |
532 |
+ } |
533 |
+ |
534 |
+ return true; |
535 |
+diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c |
536 |
+index bba0ca786aaa..851c0e121807 100644 |
537 |
+--- a/drivers/net/phy/phy.c |
538 |
++++ b/drivers/net/phy/phy.c |
539 |
+@@ -538,7 +538,7 @@ void phy_stop_machine(struct phy_device *phydev) |
540 |
+ cancel_delayed_work_sync(&phydev->state_queue); |
541 |
+ |
542 |
+ mutex_lock(&phydev->lock); |
543 |
+- if (phydev->state > PHY_UP) |
544 |
++ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED) |
545 |
+ phydev->state = PHY_UP; |
546 |
+ mutex_unlock(&phydev->lock); |
547 |
+ } |
548 |
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c |
549 |
+index 88dbbeb8569b..f9b8c44677eb 100644 |
550 |
+--- a/drivers/regulator/core.c |
551 |
++++ b/drivers/regulator/core.c |
552 |
+@@ -1519,6 +1519,7 @@ static int regulator_resolve_supply(struct regulator_dev *rdev) |
553 |
+ ret = regulator_enable(rdev->supply); |
554 |
+ if (ret < 0) { |
555 |
+ _regulator_put(rdev->supply); |
556 |
++ rdev->supply = NULL; |
557 |
+ return ret; |
558 |
+ } |
559 |
+ } |
560 |
+diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c |
561 |
+index 898a570319f1..af60cc3714c1 100644 |
562 |
+--- a/drivers/usb/gadget/function/f_midi.c |
563 |
++++ b/drivers/usb/gadget/function/f_midi.c |
564 |
+@@ -361,7 +361,9 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt) |
565 |
+ /* allocate a bunch of read buffers and queue them all at once. */ |
566 |
+ for (i = 0; i < midi->qlen && err == 0; i++) { |
567 |
+ struct usb_request *req = |
568 |
+- midi_alloc_ep_req(midi->out_ep, midi->buflen); |
569 |
++ midi_alloc_ep_req(midi->out_ep, |
570 |
++ max_t(unsigned, midi->buflen, |
571 |
++ bulk_out_desc.wMaxPacketSize)); |
572 |
+ if (req == NULL) |
573 |
+ return -ENOMEM; |
574 |
+ |
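Review bot: `bulk_out_desc.wMaxPacketSize` is a little-endian descriptor field, and passing it to `max_t(unsigned, ...)` unconverted reads it in host byte order. On a big-endian gadget the byte-swapped value can be smaller than the real packet size, so the request buffer could again be shorter than one OUT packet, which is what this change sets out to prevent. Convert it first, `le16_to_cpu(bulk_out_desc.wMaxPacketSize)`, or take the size from the endpoint the request is queued on, `midi->out_ep->maxpacket`, which also follows the speed actually in use. The declaration of bulk_out_desc is outside the hunk, so its type is assumed to be the standard endpoint descriptor.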
575 |
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c |
576 |
+index 263002f0389d..7c23363ecf19 100644 |
577 |
+--- a/fs/ext4/xattr.c |
578 |
++++ b/fs/ext4/xattr.c |
579 |
+@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh) |
580 |
+ return error; |
581 |
+ } |
582 |
+ |
583 |
++static int |
584 |
++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, |
585 |
++ void *end, const char *function, unsigned int line) |
586 |
++{ |
587 |
++ struct ext4_xattr_entry *entry = IFIRST(header); |
588 |
++ int error = -EFSCORRUPTED; |
589 |
++ |
590 |
++ if (((void *) header >= end) || |
591 |
++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC))) |
592 |
++ goto errout; |
593 |
++ error = ext4_xattr_check_names(entry, end, entry); |
594 |
++errout: |
595 |
++ if (error) |
596 |
++ __ext4_error_inode(inode, function, line, 0, |
597 |
++ "corrupted in-inode xattr"); |
598 |
++ return error; |
599 |
++} |
600 |
++ |
601 |
++#define xattr_check_inode(inode, header, end) \ |
602 |
++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) |
603 |
++ |
604 |
+ static inline int |
605 |
+ ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size) |
606 |
+ { |
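Review bot: In `__xattr_check_inode` the test `(void *) header >= end` only proves that the header starts before `end`, not that all of it does, yet `header->h_magic` is read immediately afterwards. Comparing the end of the header instead, `((void *)header + sizeof(*header) > end)`, closes that gap for an inode whose extra-size field places the header in the last bytes of the inode; whether that field is already constrained elsewhere is not visible here. The magic comparison uses `le32_to_cpu(EXT4_XATTR_MAGIC)` against what looks like an on-disk field; the result is the same, but `cpu_to_le32()` is the conversion that matches the direction and keeps the endianness annotations clean. A short comment above the helper saying that it validates the in-inode header and entry names before any caller walks them would help.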
607 |
+@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, |
608 |
+ header = IHDR(inode, raw_inode); |
609 |
+ entry = IFIRST(header); |
610 |
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; |
611 |
+- error = ext4_xattr_check_names(entry, end, entry); |
612 |
++ error = xattr_check_inode(inode, header, end); |
613 |
+ if (error) |
614 |
+ goto cleanup; |
615 |
+ error = ext4_xattr_find_entry(&entry, name_index, name, |
616 |
+@@ -475,7 +496,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) |
617 |
+ raw_inode = ext4_raw_inode(&iloc); |
618 |
+ header = IHDR(inode, raw_inode); |
619 |
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; |
620 |
+- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); |
621 |
++ error = xattr_check_inode(inode, header, end); |
622 |
+ if (error) |
623 |
+ goto cleanup; |
624 |
+ error = ext4_xattr_list_entries(dentry, IFIRST(header), |
625 |
+@@ -991,8 +1012,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, |
626 |
+ is->s.here = is->s.first; |
627 |
+ is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; |
628 |
+ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { |
629 |
+- error = ext4_xattr_check_names(IFIRST(header), is->s.end, |
630 |
+- IFIRST(header)); |
631 |
++ error = xattr_check_inode(inode, header, is->s.end); |
632 |
+ if (error) |
633 |
+ return error; |
634 |
+ /* Find the named attribute. */ |
635 |
+@@ -1293,6 +1313,10 @@ retry: |
636 |
+ last = entry; |
637 |
+ total_ino = sizeof(struct ext4_xattr_ibody_header); |
638 |
+ |
639 |
++ error = xattr_check_inode(inode, header, end); |
640 |
++ if (error) |
641 |
++ goto cleanup; |
642 |
++ |
643 |
+ free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); |
644 |
+ if (free >= isize_diff) { |
645 |
+ entry = IFIRST(header); |
646 |
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c |
647 |
+index 3a65e0132352..16462e702f96 100644 |
648 |
+--- a/fs/f2fs/super.c |
649 |
++++ b/fs/f2fs/super.c |
650 |
+@@ -918,6 +918,79 @@ static loff_t max_file_size(unsigned bits) |
651 |
+ return result; |
652 |
+ } |
653 |
+ |
654 |
++static inline bool sanity_check_area_boundary(struct super_block *sb, |
655 |
++ struct f2fs_super_block *raw_super) |
656 |
++{ |
657 |
++ u32 segment0_blkaddr = le32_to_cpu(raw_super->segment0_blkaddr); |
658 |
++ u32 cp_blkaddr = le32_to_cpu(raw_super->cp_blkaddr); |
659 |
++ u32 sit_blkaddr = le32_to_cpu(raw_super->sit_blkaddr); |
660 |
++ u32 nat_blkaddr = le32_to_cpu(raw_super->nat_blkaddr); |
661 |
++ u32 ssa_blkaddr = le32_to_cpu(raw_super->ssa_blkaddr); |
662 |
++ u32 main_blkaddr = le32_to_cpu(raw_super->main_blkaddr); |
663 |
++ u32 segment_count_ckpt = le32_to_cpu(raw_super->segment_count_ckpt); |
664 |
++ u32 segment_count_sit = le32_to_cpu(raw_super->segment_count_sit); |
665 |
++ u32 segment_count_nat = le32_to_cpu(raw_super->segment_count_nat); |
666 |
++ u32 segment_count_ssa = le32_to_cpu(raw_super->segment_count_ssa); |
667 |
++ u32 segment_count_main = le32_to_cpu(raw_super->segment_count_main); |
668 |
++ u32 segment_count = le32_to_cpu(raw_super->segment_count); |
669 |
++ u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); |
670 |
++ |
671 |
++ if (segment0_blkaddr != cp_blkaddr) { |
672 |
++ f2fs_msg(sb, KERN_INFO, |
673 |
++ "Mismatch start address, segment0(%u) cp_blkaddr(%u)", |
674 |
++ segment0_blkaddr, cp_blkaddr); |
675 |
++ return true; |
676 |
++ } |
677 |
++ |
678 |
++ if (cp_blkaddr + (segment_count_ckpt << log_blocks_per_seg) != |
679 |
++ sit_blkaddr) { |
680 |
++ f2fs_msg(sb, KERN_INFO, |
681 |
++ "Wrong CP boundary, start(%u) end(%u) blocks(%u)", |
682 |
++ cp_blkaddr, sit_blkaddr, |
683 |
++ segment_count_ckpt << log_blocks_per_seg); |
684 |
++ return true; |
685 |
++ } |
686 |
++ |
687 |
++ if (sit_blkaddr + (segment_count_sit << log_blocks_per_seg) != |
688 |
++ nat_blkaddr) { |
689 |
++ f2fs_msg(sb, KERN_INFO, |
690 |
++ "Wrong SIT boundary, start(%u) end(%u) blocks(%u)", |
691 |
++ sit_blkaddr, nat_blkaddr, |
692 |
++ segment_count_sit << log_blocks_per_seg); |
693 |
++ return true; |
694 |
++ } |
695 |
++ |
696 |
++ if (nat_blkaddr + (segment_count_nat << log_blocks_per_seg) != |
697 |
++ ssa_blkaddr) { |
698 |
++ f2fs_msg(sb, KERN_INFO, |
699 |
++ "Wrong NAT boundary, start(%u) end(%u) blocks(%u)", |
700 |
++ nat_blkaddr, ssa_blkaddr, |
701 |
++ segment_count_nat << log_blocks_per_seg); |
702 |
++ return true; |
703 |
++ } |
704 |
++ |
705 |
++ if (ssa_blkaddr + (segment_count_ssa << log_blocks_per_seg) != |
706 |
++ main_blkaddr) { |
707 |
++ f2fs_msg(sb, KERN_INFO, |
708 |
++ "Wrong SSA boundary, start(%u) end(%u) blocks(%u)", |
709 |
++ ssa_blkaddr, main_blkaddr, |
710 |
++ segment_count_ssa << log_blocks_per_seg); |
711 |
++ return true; |
712 |
++ } |
713 |
++ |
714 |
++ if (main_blkaddr + (segment_count_main << log_blocks_per_seg) != |
715 |
++ segment0_blkaddr + (segment_count << log_blocks_per_seg)) { |
716 |
++ f2fs_msg(sb, KERN_INFO, |
717 |
++ "Wrong MAIN_AREA boundary, start(%u) end(%u) blocks(%u)", |
718 |
++ main_blkaddr, |
719 |
++ segment0_blkaddr + (segment_count << log_blocks_per_seg), |
720 |
++ segment_count_main << log_blocks_per_seg); |
721 |
++ return true; |
722 |
++ } |
723 |
++ |
724 |
++ return false; |
725 |
++} |
726 |
++ |
727 |
+ static int sanity_check_raw_super(struct super_block *sb, |
728 |
+ struct f2fs_super_block *raw_super) |
729 |
+ { |
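Review bot: Every boundary test in `sanity_check_area_boundary` is evaluated in u32, so `segment_count_* << log_blocks_per_seg` and the additions can wrap, and a crafted superblock with large counts can satisfy the equalities with values that do not describe a contiguous layout. Widening the operands, e.g. `(u64)cp_blkaddr + ((u64)segment_count_ckpt << log_blocks_per_seg) != sit_blkaddr`, removes the wrap for each of the five comparisons. The shift count itself is only safe because the caller rejects any `log_blocks_per_seg` other than 9 before calling (second and third hunks); a comment on the helper should say it relies on that ordering. The helper also returns true on failure, which reads inverted next to its name, so a one-line comment on the return convention would help.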
730 |
+@@ -947,6 +1020,14 @@ static int sanity_check_raw_super(struct super_block *sb, |
731 |
+ return 1; |
732 |
+ } |
733 |
+ |
734 |
++ /* check log blocks per segment */ |
735 |
++ if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) { |
736 |
++ f2fs_msg(sb, KERN_INFO, |
737 |
++ "Invalid log blocks per segment (%u)\n", |
738 |
++ le32_to_cpu(raw_super->log_blocks_per_seg)); |
739 |
++ return 1; |
740 |
++ } |
741 |
++ |
742 |
+ /* Currently, support 512/1024/2048/4096 bytes sector size */ |
743 |
+ if (le32_to_cpu(raw_super->log_sectorsize) > |
744 |
+ F2FS_MAX_LOG_SECTOR_SIZE || |
745 |
+@@ -965,6 +1046,23 @@ static int sanity_check_raw_super(struct super_block *sb, |
746 |
+ le32_to_cpu(raw_super->log_sectorsize)); |
747 |
+ return 1; |
748 |
+ } |
749 |
++ |
750 |
++ /* check reserved ino info */ |
751 |
++ if (le32_to_cpu(raw_super->node_ino) != 1 || |
752 |
++ le32_to_cpu(raw_super->meta_ino) != 2 || |
753 |
++ le32_to_cpu(raw_super->root_ino) != 3) { |
754 |
++ f2fs_msg(sb, KERN_INFO, |
755 |
++ "Invalid Fs Meta Ino: node(%u) meta(%u) root(%u)", |
756 |
++ le32_to_cpu(raw_super->node_ino), |
757 |
++ le32_to_cpu(raw_super->meta_ino), |
758 |
++ le32_to_cpu(raw_super->root_ino)); |
759 |
++ return 1; |
760 |
++ } |
761 |
++ |
762 |
++ /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */ |
763 |
++ if (sanity_check_area_boundary(sb, raw_super)) |
764 |
++ return 1; |
765 |
++ |
766 |
+ return 0; |
767 |
+ } |
768 |
+ |
769 |
+diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c |
770 |
+index ad4e2377dd63..5be1fa6b676d 100644 |
771 |
+--- a/fs/nfsd/nfssvc.c |
772 |
++++ b/fs/nfsd/nfssvc.c |
773 |
+@@ -656,6 +656,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr) |
774 |
+ return nfserr; |
775 |
+ } |
776 |
+ |
777 |
++/* |
778 |
++ * A write procedure can have a large argument, and a read procedure can |
779 |
++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and |
780 |
++ * reply that can both be larger than a page. The xdr code has taken |
781 |
++ * advantage of this assumption to be a sloppy about bounds checking in |
782 |
++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that |
783 |
++ * problem, we enforce these assumptions here: |
784 |
++ */ |
785 |
++static bool nfs_request_too_big(struct svc_rqst *rqstp, |
786 |
++ struct svc_procedure *proc) |
787 |
++{ |
788 |
++ /* |
789 |
++ * The ACL code has more careful bounds-checking and is not |
790 |
++ * susceptible to this problem: |
791 |
++ */ |
792 |
++ if (rqstp->rq_prog != NFS_PROGRAM) |
793 |
++ return false; |
794 |
++ /* |
795 |
++ * Ditto NFSv4 (which can in theory have argument and reply both |
796 |
++ * more than a page): |
797 |
++ */ |
798 |
++ if (rqstp->rq_vers >= 4) |
799 |
++ return false; |
800 |
++ /* The reply will be small, we're OK: */ |
801 |
++ if (proc->pc_xdrressize > 0 && |
802 |
++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) |
803 |
++ return false; |
804 |
++ |
805 |
++ return rqstp->rq_arg.len > PAGE_SIZE; |
806 |
++} |
807 |
++ |
808 |
+ int |
809 |
+ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) |
810 |
+ { |
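Review bot: The `proc->pc_xdrressize > 0` half of the reply-size test in `nfs_request_too_big()` is not explained, yet it decides which procedures get the page-size limit on their arguments. As written, a procedure whose `pc_xdrressize` is zero is never treated as small-reply, so its argument is always bounded by `PAGE_SIZE`. If zero means "size not declared", say so with `/* pc_xdrressize == 0: reply size unknown, treat as possibly large */` above that test. That reading is inferred from the condition, not from a definition visible here.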
811 |
+@@ -668,6 +699,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) |
812 |
+ rqstp->rq_vers, rqstp->rq_proc); |
813 |
+ proc = rqstp->rq_procinfo; |
814 |
+ |
815 |
++ if (nfs_request_too_big(rqstp, proc)) { |
816 |
++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); |
817 |
++ *statp = rpc_garbage_args; |
818 |
++ return 1; |
819 |
++ } |
820 |
+ /* |
821 |
+ * Give the xdr decoder a chance to change this if it wants |
822 |
+ * (necessary in the NFSv4.0 compound case) |
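Review bot: The rejection added in `nfsd_dispatch()` is reported only through `dprintk()`, so on a server without nfsd debugging enabled an oversized NFSv2/v3 request is dropped with no trace for whoever watches the logs. Because the condition is triggered by the remote peer, any louder message has to be rate limited, for example `pr_warn_ratelimited("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);`. The `%d` is kept from the hunk; the type of `rq_vers` is not visible here, so check the specifier. The body of `nfsd_dispatch()` continues past this hunk.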
823 |
+diff --git a/include/uapi/linux/ipv6_route.h b/include/uapi/linux/ipv6_route.h |
824 |
+index f6598d1c886e..316e838b7470 100644 |
825 |
+--- a/include/uapi/linux/ipv6_route.h |
826 |
++++ b/include/uapi/linux/ipv6_route.h |
827 |
+@@ -34,7 +34,7 @@ |
828 |
+ #define RTF_PREF(pref) ((pref) << 27) |
829 |
+ #define RTF_PREF_MASK 0x18000000 |
830 |
+ |
831 |
+-#define RTF_PCPU 0x40000000 |
832 |
++#define RTF_PCPU 0x40000000 /* read-only: can not be set by user */ |
833 |
+ #define RTF_LOCAL 0x80000000 |
834 |
+ |
835 |
+ |
836 |
+diff --git a/net/9p/client.c b/net/9p/client.c |
837 |
+index ea79ee9a7348..f5feac4ff4ec 100644 |
838 |
+--- a/net/9p/client.c |
839 |
++++ b/net/9p/client.c |
840 |
+@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) |
841 |
+ trace_9p_protocol_dump(clnt, req->rc); |
842 |
+ goto free_and_error; |
843 |
+ } |
844 |
++ if (rsize < count) { |
845 |
++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize); |
846 |
++ count = rsize; |
847 |
++ } |
848 |
+ |
849 |
+ p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); |
850 |
+ |
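Review bot: The new `pr_err()` in `p9_client_readdir()` prints `count` with `%d` although the signature in the hunk header declares it `u32`, and the message is not rate limited even though the condition is controlled by the 9p server's reply. A server that keeps returning an oversized count can fill the log; `pr_err_ratelimited("bogus RREADDIR count (%u > %d)\n", count, rsize);` addresses both. The declaration of `rsize` is outside the hunk, so its specifier should be checked as well.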
851 |
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c |
852 |
+index 769cece9b00b..ae92131c4f89 100644 |
853 |
+--- a/net/core/neighbour.c |
854 |
++++ b/net/core/neighbour.c |
855 |
+@@ -859,7 +859,8 @@ static void neigh_probe(struct neighbour *neigh) |
856 |
+ if (skb) |
857 |
+ skb = skb_clone(skb, GFP_ATOMIC); |
858 |
+ write_unlock(&neigh->lock); |
859 |
+- neigh->ops->solicit(neigh, skb); |
860 |
++ if (neigh->ops->solicit) |
861 |
++ neigh->ops->solicit(neigh, skb); |
862 |
+ atomic_inc(&neigh->probes); |
863 |
+ kfree_skb(skb); |
864 |
+ } |
865 |
+diff --git a/net/core/netpoll.c b/net/core/netpoll.c |
866 |
+index 94acfc89ad97..440aa9f6e0a8 100644 |
867 |
+--- a/net/core/netpoll.c |
868 |
++++ b/net/core/netpoll.c |
869 |
+@@ -105,15 +105,21 @@ static void queue_process(struct work_struct *work) |
870 |
+ while ((skb = skb_dequeue(&npinfo->txq))) { |
871 |
+ struct net_device *dev = skb->dev; |
872 |
+ struct netdev_queue *txq; |
873 |
++ unsigned int q_index; |
874 |
+ |
875 |
+ if (!netif_device_present(dev) || !netif_running(dev)) { |
876 |
+ kfree_skb(skb); |
877 |
+ continue; |
878 |
+ } |
879 |
+ |
880 |
+- txq = skb_get_tx_queue(dev, skb); |
881 |
+- |
882 |
+ local_irq_save(flags); |
883 |
++ /* check if skb->queue_mapping is still valid */ |
884 |
++ q_index = skb_get_queue_mapping(skb); |
885 |
++ if (unlikely(q_index >= dev->real_num_tx_queues)) { |
886 |
++ q_index = q_index % dev->real_num_tx_queues; |
887 |
++ skb_set_queue_mapping(skb, q_index); |
888 |
++ } |
889 |
++ txq = netdev_get_tx_queue(dev, q_index); |
890 |
+ HARD_TX_LOCK(dev, txq, smp_processor_id()); |
891 |
+ if (netif_xmit_frozen_or_stopped(txq) || |
892 |
+ netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) { |
893 |
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c |
894 |
+index da4d68d78590..375248b900ba 100644 |
895 |
+--- a/net/ipv4/route.c |
896 |
++++ b/net/ipv4/route.c |
897 |
+@@ -2559,7 +2559,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh) |
898 |
+ skb_reset_network_header(skb); |
899 |
+ |
900 |
+ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ |
901 |
+- ip_hdr(skb)->protocol = IPPROTO_ICMP; |
902 |
++ ip_hdr(skb)->protocol = IPPROTO_UDP; |
903 |
+ skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); |
904 |
+ |
905 |
+ src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0; |
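Review bot: The switch from `IPPROTO_ICMP` to `IPPROTO_UDP` in `inet_rtm_getroute()` carries no explanation, and the existing "Bugfix" comment above it does not cover the choice of protocol. Judging by that comment the skb holds only a dummy IP header, so presumably ICMP was a problem because something on the input path looks past the header for ICMP packets; that is an inference, the hunk does not say. A comment giving the actual reason, along the lines of `/* UDP, not ICMP: there is no payload behind this dummy header to parse */`, would keep the next reader from changing it back.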
906 |
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
907 |
+index 600dcda840d1..e1d51370977b 100644 |
908 |
+--- a/net/ipv4/tcp.c |
909 |
++++ b/net/ipv4/tcp.c |
910 |
+@@ -2260,6 +2260,7 @@ int tcp_disconnect(struct sock *sk, int flags) |
911 |
+ tcp_init_send_head(sk); |
912 |
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); |
913 |
+ __sk_dst_reset(sk); |
914 |
++ tcp_saved_syn_free(tp); |
915 |
+ |
916 |
+ WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); |
917 |
+ |
918 |
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
919 |
+index 6c6161763c2f..97cb02dc5f02 100644 |
920 |
+--- a/net/ipv6/ip6_tunnel.c |
921 |
++++ b/net/ipv6/ip6_tunnel.c |
922 |
+@@ -1049,7 +1049,7 @@ static int ip6_tnl_xmit2(struct sk_buff *skb, |
923 |
+ struct ip6_tnl *t = netdev_priv(dev); |
924 |
+ struct net *net = t->net; |
925 |
+ struct net_device_stats *stats = &t->dev->stats; |
926 |
+- struct ipv6hdr *ipv6h = ipv6_hdr(skb); |
927 |
++ struct ipv6hdr *ipv6h; |
928 |
+ struct ipv6_tel_txoption opt; |
929 |
+ struct dst_entry *dst = NULL, *ndst = NULL; |
930 |
+ struct net_device *tdev; |
931 |
+@@ -1061,26 +1061,28 @@ static int ip6_tnl_xmit2(struct sk_buff *skb, |
932 |
+ |
933 |
+ /* NBMA tunnel */ |
934 |
+ if (ipv6_addr_any(&t->parms.raddr)) { |
935 |
+- struct in6_addr *addr6; |
936 |
+- struct neighbour *neigh; |
937 |
+- int addr_type; |
938 |
++ if (skb->protocol == htons(ETH_P_IPV6)) { |
939 |
++ struct in6_addr *addr6; |
940 |
++ struct neighbour *neigh; |
941 |
++ int addr_type; |
942 |
+ |
943 |
+- if (!skb_dst(skb)) |
944 |
+- goto tx_err_link_failure; |
945 |
++ if (!skb_dst(skb)) |
946 |
++ goto tx_err_link_failure; |
947 |
+ |
948 |
+- neigh = dst_neigh_lookup(skb_dst(skb), |
949 |
+- &ipv6_hdr(skb)->daddr); |
950 |
+- if (!neigh) |
951 |
+- goto tx_err_link_failure; |
952 |
++ neigh = dst_neigh_lookup(skb_dst(skb), |
953 |
++ &ipv6_hdr(skb)->daddr); |
954 |
++ if (!neigh) |
955 |
++ goto tx_err_link_failure; |
956 |
+ |
957 |
+- addr6 = (struct in6_addr *)&neigh->primary_key; |
958 |
+- addr_type = ipv6_addr_type(addr6); |
959 |
++ addr6 = (struct in6_addr *)&neigh->primary_key; |
960 |
++ addr_type = ipv6_addr_type(addr6); |
961 |
+ |
962 |
+- if (addr_type == IPV6_ADDR_ANY) |
963 |
+- addr6 = &ipv6_hdr(skb)->daddr; |
964 |
++ if (addr_type == IPV6_ADDR_ANY) |
965 |
++ addr6 = &ipv6_hdr(skb)->daddr; |
966 |
+ |
967 |
+- memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr)); |
968 |
+- neigh_release(neigh); |
969 |
++ memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr)); |
970 |
++ neigh_release(neigh); |
971 |
++ } |
972 |
+ } else if (!(t->parms.flags & |
973 |
+ (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) { |
974 |
+ /* enable the cache only only if the routing decision does |
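Review bot: After this change the NBMA branch of `ip6_tnl_xmit2()` does nothing when `skb->protocol` is not `ETH_P_IPV6`: there is no `else`, so `fl6->daddr` keeps its previous value and transmission carries on. If that is intended, a comment should say so, e.g. `/* non-IPv6 payload: no neighbour lookup, fl6->daddr is left as it was */`; if not, that case should `goto tx_err_link_failure`. The preceding hunk also drops the initializer of `ipv6h`, and its first assignment is not visible in either hunk, so it is worth confirming that no path reads it before that assignment.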
975 |
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c |
976 |
+index d9843e5a667f..8361d73ab653 100644 |
977 |
+--- a/net/ipv6/ip6mr.c |
978 |
++++ b/net/ipv6/ip6mr.c |
979 |
+@@ -774,7 +774,8 @@ failure: |
980 |
+ * Delete a VIF entry |
981 |
+ */ |
982 |
+ |
983 |
+-static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head) |
984 |
++static int mif6_delete(struct mr6_table *mrt, int vifi, int notify, |
985 |
++ struct list_head *head) |
986 |
+ { |
987 |
+ struct mif_device *v; |
988 |
+ struct net_device *dev; |
989 |
+@@ -820,7 +821,7 @@ static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head) |
990 |
+ dev->ifindex, &in6_dev->cnf); |
991 |
+ } |
992 |
+ |
993 |
+- if (v->flags & MIFF_REGISTER) |
994 |
++ if ((v->flags & MIFF_REGISTER) && !notify) |
995 |
+ unregister_netdevice_queue(dev, head); |
996 |
+ |
997 |
+ dev_put(dev); |
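Review bot: The new `!notify` condition in `mif6_delete()` has no comment, and the flag is an `int` passed as bare `0`/`1` at the call sites. From the callers in this patch, `1` comes only from `ip6mr_device_event()` on `NETDEV_UNREGISTER`, where `head` is `NULL`; a comment such as `/* notify: called from the NETDEV_UNREGISTER notifier, the device is already going away, so do not queue it again */` above the test would record that. Declaring the parameter `bool notify` and passing `true`/`false` would make the three call sites self-describing. Most of the function body lies outside this hunk.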
998 |
+@@ -1330,7 +1331,6 @@ static int ip6mr_device_event(struct notifier_block *this, |
999 |
+ struct mr6_table *mrt; |
1000 |
+ struct mif_device *v; |
1001 |
+ int ct; |
1002 |
+- LIST_HEAD(list); |
1003 |
+ |
1004 |
+ if (event != NETDEV_UNREGISTER) |
1005 |
+ return NOTIFY_DONE; |
1006 |
+@@ -1339,10 +1339,9 @@ static int ip6mr_device_event(struct notifier_block *this, |
1007 |
+ v = &mrt->vif6_table[0]; |
1008 |
+ for (ct = 0; ct < mrt->maxvif; ct++, v++) { |
1009 |
+ if (v->dev == dev) |
1010 |
+- mif6_delete(mrt, ct, &list); |
1011 |
++ mif6_delete(mrt, ct, 1, NULL); |
1012 |
+ } |
1013 |
+ } |
1014 |
+- unregister_netdevice_many(&list); |
1015 |
+ |
1016 |
+ return NOTIFY_DONE; |
1017 |
+ } |
1018 |
+@@ -1551,7 +1550,7 @@ static void mroute_clean_tables(struct mr6_table *mrt, bool all) |
1019 |
+ for (i = 0; i < mrt->maxvif; i++) { |
1020 |
+ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC)) |
1021 |
+ continue; |
1022 |
+- mif6_delete(mrt, i, &list); |
1023 |
++ mif6_delete(mrt, i, 0, &list); |
1024 |
+ } |
1025 |
+ unregister_netdevice_many(&list); |
1026 |
+ |
1027 |
+@@ -1704,7 +1703,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns |
1028 |
+ if (copy_from_user(&mifi, optval, sizeof(mifi_t))) |
1029 |
+ return -EFAULT; |
1030 |
+ rtnl_lock(); |
1031 |
+- ret = mif6_delete(mrt, mifi, NULL); |
1032 |
++ ret = mif6_delete(mrt, mifi, 0, NULL); |
1033 |
+ rtnl_unlock(); |
1034 |
+ return ret; |
1035 |
+ |
1036 |
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c |
1037 |
+index 8bca90d6d915..a625f69a28dd 100644 |
1038 |
+--- a/net/ipv6/raw.c |
1039 |
++++ b/net/ipv6/raw.c |
1040 |
+@@ -1144,8 +1144,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg) |
1041 |
+ spin_lock_bh(&sk->sk_receive_queue.lock); |
1042 |
+ skb = skb_peek(&sk->sk_receive_queue); |
1043 |
+ if (skb) |
1044 |
+- amount = skb_tail_pointer(skb) - |
1045 |
+- skb_transport_header(skb); |
1046 |
++ amount = skb->len; |
1047 |
+ spin_unlock_bh(&sk->sk_receive_queue.lock); |
1048 |
+ return put_user(amount, (int __user *)arg); |
1049 |
+ } |
1050 |
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c |
1051 |
+index 9f0aa255e288..6c91d5c4a92c 100644 |
1052 |
+--- a/net/ipv6/route.c |
1053 |
++++ b/net/ipv6/route.c |
1054 |
+@@ -1758,6 +1758,10 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg) |
1055 |
+ int addr_type; |
1056 |
+ int err = -EINVAL; |
1057 |
+ |
1058 |
++ /* RTF_PCPU is an internal flag; can not be set by userspace */ |
1059 |
++ if (cfg->fc_flags & RTF_PCPU) |
1060 |
++ goto out; |
1061 |
++ |
1062 |
+ if (cfg->fc_dst_len > 128 || cfg->fc_src_len > 128) |
1063 |
+ goto out; |
1064 |
+ #ifndef CONFIG_IPV6_SUBTREES |
1065 |
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c |
1066 |
+index ec17cbe8a02b..d3dec414fd44 100644 |
1067 |
+--- a/net/l2tp/l2tp_core.c |
1068 |
++++ b/net/l2tp/l2tp_core.c |
1069 |
+@@ -278,7 +278,8 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn |
1070 |
+ } |
1071 |
+ EXPORT_SYMBOL_GPL(l2tp_session_find); |
1072 |
+ |
1073 |
+-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth) |
1074 |
++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth, |
1075 |
++ bool do_ref) |
1076 |
+ { |
1077 |
+ int hash; |
1078 |
+ struct l2tp_session *session; |
1079 |
+@@ -288,6 +289,9 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth) |
1080 |
+ for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { |
1081 |
+ hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) { |
1082 |
+ if (++count > nth) { |
1083 |
++ l2tp_session_inc_refcount(session); |
1084 |
++ if (do_ref && session->ref) |
1085 |
++ session->ref(session); |
1086 |
+ read_unlock_bh(&tunnel->hlist_lock); |
1087 |
+ return session; |
1088 |
+ } |
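Review bot: `l2tp_session_get_nth()` now returns with a reference held (`l2tp_session_inc_refcount()` is unconditional, `session->ref()` depends on `do_ref`), but nothing at the definition tells callers what they owe. I would add a header comment above the function stating that the caller must call `l2tp_session_dec_refcount()` on the returned session, and additionally `session->deref()` when it passed `do_ref` as true and the callback is set. The callers in this patch do that pairing by hand, which is easy to get wrong in a new caller. The signature and the end of the function are in the neighbouring hunks.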
1089 |
+@@ -298,7 +302,7 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth) |
1090 |
+ |
1091 |
+ return NULL; |
1092 |
+ } |
1093 |
+-EXPORT_SYMBOL_GPL(l2tp_session_find_nth); |
1094 |
++EXPORT_SYMBOL_GPL(l2tp_session_get_nth); |
1095 |
+ |
1096 |
+ /* Lookup a session by interface name. |
1097 |
+ * This is very inefficient but is only used by management interfaces. |
1098 |
+diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h |
1099 |
+index 763e8e241ce3..555d962a62d2 100644 |
1100 |
+--- a/net/l2tp/l2tp_core.h |
1101 |
++++ b/net/l2tp/l2tp_core.h |
1102 |
+@@ -243,7 +243,8 @@ out: |
1103 |
+ struct l2tp_session *l2tp_session_find(struct net *net, |
1104 |
+ struct l2tp_tunnel *tunnel, |
1105 |
+ u32 session_id); |
1106 |
+-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth); |
1107 |
++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth, |
1108 |
++ bool do_ref); |
1109 |
+ struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname); |
1110 |
+ struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id); |
1111 |
+ struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth); |
1112 |
+diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c |
1113 |
+index 2d6760a2ae34..d100aed3d06f 100644 |
1114 |
+--- a/net/l2tp/l2tp_debugfs.c |
1115 |
++++ b/net/l2tp/l2tp_debugfs.c |
1116 |
+@@ -53,7 +53,7 @@ static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd) |
1117 |
+ |
1118 |
+ static void l2tp_dfs_next_session(struct l2tp_dfs_seq_data *pd) |
1119 |
+ { |
1120 |
+- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx); |
1121 |
++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true); |
1122 |
+ pd->session_idx++; |
1123 |
+ |
1124 |
+ if (pd->session == NULL) { |
1125 |
+@@ -238,10 +238,14 @@ static int l2tp_dfs_seq_show(struct seq_file *m, void *v) |
1126 |
+ } |
1127 |
+ |
1128 |
+ /* Show the tunnel or session context */ |
1129 |
+- if (pd->session == NULL) |
1130 |
++ if (!pd->session) { |
1131 |
+ l2tp_dfs_seq_tunnel_show(m, pd->tunnel); |
1132 |
+- else |
1133 |
++ } else { |
1134 |
+ l2tp_dfs_seq_session_show(m, pd->session); |
1135 |
++ if (pd->session->deref) |
1136 |
++ pd->session->deref(pd->session); |
1137 |
++ l2tp_session_dec_refcount(pd->session); |
1138 |
++ } |
1139 |
+ |
1140 |
+ out: |
1141 |
+ return 0; |
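Review bot: In `l2tp_dfs_seq_show()` the references taken in `l2tp_dfs_next_session()` are released after printing, but `pd->session` keeps pointing at the session afterwards. That is safe only if nothing reads `pd->session` again before the next `l2tp_session_get_nth()` call, and only if `show` runs exactly once for each session that `next_session` fetched; neither can be confirmed from this hunk. At minimum add `/* drops the references taken in l2tp_dfs_next_session(); pd->session is stale from here on */` above the `deref` call, and check the start/stop paths for a session that is fetched but never shown. `pppol2tp_seq_show()` in net/l2tp/l2tp_ppp.c gets the same change and the same question applies there.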
1142 |
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c |
1143 |
+index 2caaa84ce92d..665cc74df5c5 100644 |
1144 |
+--- a/net/l2tp/l2tp_netlink.c |
1145 |
++++ b/net/l2tp/l2tp_netlink.c |
1146 |
+@@ -827,7 +827,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback |
1147 |
+ goto out; |
1148 |
+ } |
1149 |
+ |
1150 |
+- session = l2tp_session_find_nth(tunnel, si); |
1151 |
++ session = l2tp_session_get_nth(tunnel, si, false); |
1152 |
+ if (session == NULL) { |
1153 |
+ ti++; |
1154 |
+ tunnel = NULL; |
1155 |
+@@ -837,8 +837,11 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback |
1156 |
+ |
1157 |
+ if (l2tp_nl_session_send(skb, NETLINK_CB(cb->skb).portid, |
1158 |
+ cb->nlh->nlmsg_seq, NLM_F_MULTI, |
1159 |
+- session, L2TP_CMD_SESSION_GET) < 0) |
1160 |
++ session, L2TP_CMD_SESSION_GET) < 0) { |
1161 |
++ l2tp_session_dec_refcount(session); |
1162 |
+ break; |
1163 |
++ } |
1164 |
++ l2tp_session_dec_refcount(session); |
1165 |
+ |
1166 |
+ si++; |
1167 |
+ } |
1168 |
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c |
1169 |
+index 1ad18c55064c..8ab9c5d74416 100644 |
1170 |
+--- a/net/l2tp/l2tp_ppp.c |
1171 |
++++ b/net/l2tp/l2tp_ppp.c |
1172 |
+@@ -467,6 +467,10 @@ static void pppol2tp_session_close(struct l2tp_session *session) |
1173 |
+ static void pppol2tp_session_destruct(struct sock *sk) |
1174 |
+ { |
1175 |
+ struct l2tp_session *session = sk->sk_user_data; |
1176 |
++ |
1177 |
++ skb_queue_purge(&sk->sk_receive_queue); |
1178 |
++ skb_queue_purge(&sk->sk_write_queue); |
1179 |
++ |
1180 |
+ if (session) { |
1181 |
+ sk->sk_user_data = NULL; |
1182 |
+ BUG_ON(session->magic != L2TP_SESSION_MAGIC); |
1183 |
+@@ -505,9 +509,6 @@ static int pppol2tp_release(struct socket *sock) |
1184 |
+ l2tp_session_queue_purge(session); |
1185 |
+ sock_put(sk); |
1186 |
+ } |
1187 |
+- skb_queue_purge(&sk->sk_receive_queue); |
1188 |
+- skb_queue_purge(&sk->sk_write_queue); |
1189 |
+- |
1190 |
+ release_sock(sk); |
1191 |
+ |
1192 |
+ /* This will delete the session context via |
1193 |
+@@ -1574,7 +1575,7 @@ static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd) |
1194 |
+ |
1195 |
+ static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd) |
1196 |
+ { |
1197 |
+- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx); |
1198 |
++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true); |
1199 |
+ pd->session_idx++; |
1200 |
+ |
1201 |
+ if (pd->session == NULL) { |
1202 |
+@@ -1701,10 +1702,14 @@ static int pppol2tp_seq_show(struct seq_file *m, void *v) |
1203 |
+ |
1204 |
+ /* Show the tunnel or session context. |
1205 |
+ */ |
1206 |
+- if (pd->session == NULL) |
1207 |
++ if (!pd->session) { |
1208 |
+ pppol2tp_seq_tunnel_show(m, pd->tunnel); |
1209 |
+- else |
1210 |
++ } else { |
1211 |
+ pppol2tp_seq_session_show(m, pd->session); |
1212 |
++ if (pd->session->deref) |
1213 |
++ pd->session->deref(pd->session); |
1214 |
++ l2tp_session_dec_refcount(pd->session); |
1215 |
++ } |
1216 |
+ |
1217 |
+ out: |
1218 |
+ return 0; |
1219 |
+@@ -1863,4 +1868,4 @@ MODULE_DESCRIPTION("PPP over L2TP over UDP"); |
1220 |
+ MODULE_LICENSE("GPL"); |
1221 |
+ MODULE_VERSION(PPPOL2TP_DRV_VERSION); |
1222 |
+ MODULE_ALIAS("pppox-proto-" __stringify(PX_PROTO_OL2TP)); |
1223 |
+-MODULE_ALIAS_L2TP_PWTYPE(11); |
1224 |
++MODULE_ALIAS_L2TP_PWTYPE(7); |
1225 |
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
1226 |
+index d76800108ddb..f8d6a0ca9c03 100644 |
1227 |
+--- a/net/packet/af_packet.c |
1228 |
++++ b/net/packet/af_packet.c |
1229 |
+@@ -3626,6 +3626,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv |
1230 |
+ return -EBUSY; |
1231 |
+ if (copy_from_user(&val, optval, sizeof(val))) |
1232 |
+ return -EFAULT; |
1233 |
++ if (val > INT_MAX) |
1234 |
++ return -EINVAL; |
1235 |
+ po->tp_reserve = val; |
1236 |
+ return 0; |
1237 |
+ } |
1238 |
+@@ -4150,6 +4152,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
1239 |
+ rb->frames_per_block = req->tp_block_size / req->tp_frame_size; |
1240 |
+ if (unlikely(rb->frames_per_block == 0)) |
1241 |
+ goto out; |
1242 |
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) |
1243 |
++ goto out; |
1244 |
+ if (unlikely((rb->frames_per_block * req->tp_block_nr) != |
1245 |
+ req->tp_frame_nr)) |
1246 |
+ goto out; |
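Review bot: The new overflow guard in `packet_set_ring()` divides by `req->tp_block_nr`, so it relies on that field being non-zero at this point; the check that guarantees it is not visible in this hunk. If the surrounding code is already inside an `if (req->tp_block_nr)` block, a short comment such as `/* tp_block_nr != 0 here; reject sizes whose product would exceed UINT_MAX */` makes the precondition explicit. Otherwise a zero `tp_block_nr` from user space has to be rejected before this line.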
1247 |
+diff --git a/net/rds/cong.c b/net/rds/cong.c |
1248 |
+index e6144b8246fd..6641bcf7c185 100644 |
1249 |
+--- a/net/rds/cong.c |
1250 |
++++ b/net/rds/cong.c |
1251 |
+@@ -299,7 +299,7 @@ void rds_cong_set_bit(struct rds_cong_map *map, __be16 port) |
1252 |
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; |
1253 |
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; |
1254 |
+ |
1255 |
+- __set_bit_le(off, (void *)map->m_page_addrs[i]); |
1256 |
++ set_bit_le(off, (void *)map->m_page_addrs[i]); |
1257 |
+ } |
1258 |
+ |
1259 |
+ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port) |
1260 |
+@@ -313,7 +313,7 @@ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port) |
1261 |
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; |
1262 |
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; |
1263 |
+ |
1264 |
+- __clear_bit_le(off, (void *)map->m_page_addrs[i]); |
1265 |
++ clear_bit_le(off, (void *)map->m_page_addrs[i]); |
1266 |
+ } |
1267 |
+ |
1268 |
+ static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port) |
1269 |
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c |
1270 |
+index e384d6aefa3a..1090a52c03cd 100644 |
1271 |
+--- a/net/sched/act_mirred.c |
1272 |
++++ b/net/sched/act_mirred.c |
1273 |
+@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock); |
1274 |
+ static void tcf_mirred_release(struct tc_action *a, int bind) |
1275 |
+ { |
1276 |
+ struct tcf_mirred *m = to_mirred(a); |
1277 |
+- struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); |
1278 |
++ struct net_device *dev; |
1279 |
+ |
1280 |
+ /* We could be called either in a RCU callback or with RTNL lock held. */ |
1281 |
+ spin_lock_bh(&mirred_list_lock); |
1282 |
+ list_del(&m->tcfm_list); |
1283 |
+- spin_unlock_bh(&mirred_list_lock); |
1284 |
++ dev = rcu_dereference_protected(m->tcfm_dev, 1); |
1285 |
+ if (dev) |
1286 |
+ dev_put(dev); |
1287 |
++ spin_unlock_bh(&mirred_list_lock); |
1288 |
+ } |
1289 |
+ |
1290 |
+ static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = { |
1291 |
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c |
1292 |
+index 5758818435f3..c96d666cef29 100644 |
1293 |
+--- a/net/sctp/socket.c |
1294 |
++++ b/net/sctp/socket.c |
1295 |
+@@ -6394,6 +6394,9 @@ int sctp_inet_listen(struct socket *sock, int backlog) |
1296 |
+ if (sock->state != SS_UNCONNECTED) |
1297 |
+ goto out; |
1298 |
+ |
1299 |
++ if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED)) |
1300 |
++ goto out; |
1301 |
++ |
1302 |
+ /* If backlog is zero, disable listening. */ |
1303 |
+ if (!backlog) { |
1304 |
+ if (sctp_sstate(sk, CLOSED)) |
1305 |
+diff --git a/sound/core/seq/seq_lock.c b/sound/core/seq/seq_lock.c |
1306 |
+index 3b693e924db7..12ba83367b1b 100644 |
1307 |
+--- a/sound/core/seq/seq_lock.c |
1308 |
++++ b/sound/core/seq/seq_lock.c |
1309 |
+@@ -28,19 +28,16 @@ |
1310 |
+ /* wait until all locks are released */ |
1311 |
+ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) |
1312 |
+ { |
1313 |
+- int max_count = 5 * HZ; |
1314 |
++ int warn_count = 5 * HZ; |
1315 |
+ |
1316 |
+ if (atomic_read(lockp) < 0) { |
1317 |
+ pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line); |
1318 |
+ return; |
1319 |
+ } |
1320 |
+ while (atomic_read(lockp) > 0) { |
1321 |
+- if (max_count == 0) { |
1322 |
+- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line); |
1323 |
+- break; |
1324 |
+- } |
1325 |
++ if (warn_count-- == 0) |
1326 |
++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line); |
1327 |
+ schedule_timeout_uninterruptible(1); |
1328 |
+- max_count--; |
1329 |
+ } |
1330 |
+ } |
1331 |
+ |
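Review bot: With the `break` removed, `snd_use_lock_sync_helper()` now waits without bound in `schedule_timeout_uninterruptible()`, and the header comment still only says "wait until all locks are released". A lock holder that never releases leaves the caller in uninterruptible sleep indefinitely, with a single warning, since `warn_count-- == 0` is true once and the counter then keeps decrementing below zero. If the unbounded wait is intended, say so in the comment, and stop the counter at zero, e.g. `if (warn_count > 0 && --warn_count == 0)`, so it cannot run down towards `INT_MIN`.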
1332 |
+diff --git a/sound/firewire/lib.h b/sound/firewire/lib.h |
1333 |
+index f3f6f84c48d6..bb5f8cdea3e2 100644 |
1334 |
+--- a/sound/firewire/lib.h |
1335 |
++++ b/sound/firewire/lib.h |
1336 |
+@@ -42,7 +42,7 @@ struct snd_fw_async_midi_port { |
1337 |
+ |
1338 |
+ struct snd_rawmidi_substream *substream; |
1339 |
+ snd_fw_async_midi_port_fill fill; |
1340 |
+- unsigned int consume_bytes; |
1341 |
++ int consume_bytes; |
1342 |
+ }; |
1343 |
+ |
1344 |
+ int snd_fw_async_midi_port_init(struct snd_fw_async_midi_port *port, |