mirror of
https://github.com/Fishwaldo/build.git
synced 2025-03-31 19:21:43 +00:00
1208 lines
40 KiB
Diff
1208 lines
40 KiB
Diff
diff --git a/Makefile b/Makefile
|
|
index 7e4c46b375b3..ca5aaaf4aef7 100644
|
|
--- a/Makefile
|
|
+++ b/Makefile
|
|
@@ -1,6 +1,6 @@
|
|
VERSION = 4
|
|
PATCHLEVEL = 4
|
|
-SUBLEVEL = 89
|
|
+SUBLEVEL = 90
|
|
EXTRAVERSION =
|
|
NAME = Blurry Fish Butt
|
|
|
|
diff --git a/arch/arm/boot/dts/pxa27x.dtsi b/arch/arm/boot/dts/pxa27x.dtsi
|
|
index 7f68a1ee7073..210192c38df3 100644
|
|
--- a/arch/arm/boot/dts/pxa27x.dtsi
|
|
+++ b/arch/arm/boot/dts/pxa27x.dtsi
|
|
@@ -13,6 +13,7 @@
|
|
interrupts = <25>;
|
|
#dma-channels = <32>;
|
|
#dma-cells = <2>;
|
|
+ #dma-requests = <75>;
|
|
status = "okay";
|
|
};
|
|
|
|
diff --git a/arch/arm/boot/dts/pxa3xx.dtsi b/arch/arm/boot/dts/pxa3xx.dtsi
|
|
index 564341af7e97..fec47bcd8292 100644
|
|
--- a/arch/arm/boot/dts/pxa3xx.dtsi
|
|
+++ b/arch/arm/boot/dts/pxa3xx.dtsi
|
|
@@ -12,6 +12,7 @@
|
|
interrupts = <25>;
|
|
#dma-channels = <32>;
|
|
#dma-cells = <2>;
|
|
+ #dma-requests = <100>;
|
|
status = "okay";
|
|
};
|
|
|
|
diff --git a/arch/arm/mach-pxa/devices.c b/arch/arm/mach-pxa/devices.c
|
|
index 2a6e0ae2b920..614e9d8f0a54 100644
|
|
--- a/arch/arm/mach-pxa/devices.c
|
|
+++ b/arch/arm/mach-pxa/devices.c
|
|
@@ -1203,6 +1203,7 @@ void __init pxa2xx_set_spi_info(unsigned id, struct pxa2xx_spi_master *info)
|
|
|
|
static struct mmp_dma_platdata pxa_dma_pdata = {
|
|
.dma_channels = 0,
|
|
+ .nb_requestors = 0,
|
|
};
|
|
|
|
static struct resource pxa_dma_resource[] = {
|
|
@@ -1231,8 +1232,9 @@ static struct platform_device pxa2xx_pxa_dma = {
|
|
.resource = pxa_dma_resource,
|
|
};
|
|
|
|
-void __init pxa2xx_set_dmac_info(int nb_channels)
|
|
+void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors)
|
|
{
|
|
pxa_dma_pdata.dma_channels = nb_channels;
|
|
+ pxa_dma_pdata.nb_requestors = nb_requestors;
|
|
pxa_register_device(&pxa2xx_pxa_dma, &pxa_dma_pdata);
|
|
}
|
|
diff --git a/arch/arm/mach-pxa/pxa25x.c b/arch/arm/mach-pxa/pxa25x.c
|
|
index 1dc85ffc3e20..049b9cc22720 100644
|
|
--- a/arch/arm/mach-pxa/pxa25x.c
|
|
+++ b/arch/arm/mach-pxa/pxa25x.c
|
|
@@ -206,7 +206,7 @@ static int __init pxa25x_init(void)
|
|
register_syscore_ops(&pxa_irq_syscore_ops);
|
|
register_syscore_ops(&pxa2xx_mfp_syscore_ops);
|
|
|
|
- pxa2xx_set_dmac_info(16);
|
|
+ pxa2xx_set_dmac_info(16, 40);
|
|
pxa_register_device(&pxa25x_device_gpio, &pxa25x_gpio_info);
|
|
ret = platform_add_devices(pxa25x_devices,
|
|
ARRAY_SIZE(pxa25x_devices));
|
|
diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c
|
|
index ffc424028557..2fb6430b7a34 100644
|
|
--- a/arch/arm/mach-pxa/pxa27x.c
|
|
+++ b/arch/arm/mach-pxa/pxa27x.c
|
|
@@ -309,7 +309,7 @@ static int __init pxa27x_init(void)
|
|
if (!of_have_populated_dt()) {
|
|
pxa_register_device(&pxa27x_device_gpio,
|
|
&pxa27x_gpio_info);
|
|
- pxa2xx_set_dmac_info(32);
|
|
+ pxa2xx_set_dmac_info(32, 75);
|
|
ret = platform_add_devices(devices,
|
|
ARRAY_SIZE(devices));
|
|
}
|
|
diff --git a/arch/arm/mach-pxa/pxa3xx.c b/arch/arm/mach-pxa/pxa3xx.c
|
|
index 20ce2d386f17..ca06f082497c 100644
|
|
--- a/arch/arm/mach-pxa/pxa3xx.c
|
|
+++ b/arch/arm/mach-pxa/pxa3xx.c
|
|
@@ -450,7 +450,7 @@ static int __init pxa3xx_init(void)
|
|
if (of_have_populated_dt())
|
|
return 0;
|
|
|
|
- pxa2xx_set_dmac_info(32);
|
|
+ pxa2xx_set_dmac_info(32, 100);
|
|
ret = platform_add_devices(devices, ARRAY_SIZE(devices));
|
|
if (ret)
|
|
return ret;
|
|
diff --git a/arch/arm/plat-pxa/include/plat/dma.h b/arch/arm/plat-pxa/include/plat/dma.h
|
|
index 28848b344e2d..ceba3e4184fc 100644
|
|
--- a/arch/arm/plat-pxa/include/plat/dma.h
|
|
+++ b/arch/arm/plat-pxa/include/plat/dma.h
|
|
@@ -95,6 +95,6 @@ static inline int pxad_toggle_reserved_channel(int legacy_channel)
|
|
}
|
|
#endif
|
|
|
|
-extern void __init pxa2xx_set_dmac_info(int nb_channels);
|
|
+extern void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors);
|
|
|
|
#endif /* __PLAT_DMA_H */
|
|
diff --git a/arch/arm/xen/mm.c b/arch/arm/xen/mm.c
|
|
index c5f9a9e3d1f3..28d83f536e93 100644
|
|
--- a/arch/arm/xen/mm.c
|
|
+++ b/arch/arm/xen/mm.c
|
|
@@ -199,6 +199,7 @@ static struct dma_map_ops xen_swiotlb_dma_ops = {
|
|
.unmap_page = xen_swiotlb_unmap_page,
|
|
.dma_supported = xen_swiotlb_dma_supported,
|
|
.set_dma_mask = xen_swiotlb_set_dma_mask,
|
|
+ .mmap = xen_swiotlb_dma_mmap,
|
|
};
|
|
|
|
int __init xen_mm_init(void)
|
|
diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
|
|
index 20ceb5edf7b8..d019c3a58cc2 100644
|
|
--- a/arch/arm64/kernel/head.S
|
|
+++ b/arch/arm64/kernel/head.S
|
|
@@ -446,6 +446,7 @@ ENDPROC(__mmap_switched)
|
|
* booted in EL1 or EL2 respectively.
|
|
*/
|
|
ENTRY(el2_setup)
|
|
+ msr SPsel, #1 // We want to use SP_EL{1,2}
|
|
mrs x0, CurrentEL
|
|
cmp x0, #CurrentEL_EL2
|
|
b.ne 1f
|
|
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
|
|
index 7fabf49f2aeb..86485415c5f0 100644
|
|
--- a/arch/arm64/mm/fault.c
|
|
+++ b/arch/arm64/mm/fault.c
|
|
@@ -447,7 +447,7 @@ static struct fault_info {
|
|
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" },
|
|
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
|
|
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
|
|
- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
|
|
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
|
|
{ do_bad, SIGBUS, 0, "unknown 8" },
|
|
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
|
|
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
|
|
diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
|
|
index 54cf9bc94dad..3a095670b0c4 100644
|
|
--- a/arch/powerpc/kvm/book3s_64_vio.c
|
|
+++ b/arch/powerpc/kvm/book3s_64_vio.c
|
|
@@ -101,22 +101,17 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
|
|
struct kvm_create_spapr_tce *args)
|
|
{
|
|
struct kvmppc_spapr_tce_table *stt = NULL;
|
|
+ struct kvmppc_spapr_tce_table *siter;
|
|
long npages;
|
|
int ret = -ENOMEM;
|
|
int i;
|
|
|
|
- /* Check this LIOBN hasn't been previously allocated */
|
|
- list_for_each_entry(stt, &kvm->arch.spapr_tce_tables, list) {
|
|
- if (stt->liobn == args->liobn)
|
|
- return -EBUSY;
|
|
- }
|
|
-
|
|
npages = kvmppc_stt_npages(args->window_size);
|
|
|
|
stt = kzalloc(sizeof(*stt) + npages * sizeof(struct page *),
|
|
GFP_KERNEL);
|
|
if (!stt)
|
|
- goto fail;
|
|
+ return ret;
|
|
|
|
stt->liobn = args->liobn;
|
|
stt->window_size = args->window_size;
|
|
@@ -128,23 +123,36 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
|
|
goto fail;
|
|
}
|
|
|
|
- kvm_get_kvm(kvm);
|
|
-
|
|
mutex_lock(&kvm->lock);
|
|
- list_add(&stt->list, &kvm->arch.spapr_tce_tables);
|
|
+
|
|
+ /* Check this LIOBN hasn't been previously allocated */
|
|
+ ret = 0;
|
|
+ list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
|
|
+ if (siter->liobn == args->liobn) {
|
|
+ ret = -EBUSY;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!ret)
|
|
+ ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
|
|
+ stt, O_RDWR | O_CLOEXEC);
|
|
+
|
|
+ if (ret >= 0) {
|
|
+ list_add(&stt->list, &kvm->arch.spapr_tce_tables);
|
|
+ kvm_get_kvm(kvm);
|
|
+ }
|
|
|
|
mutex_unlock(&kvm->lock);
|
|
|
|
- return anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
|
|
- stt, O_RDWR | O_CLOEXEC);
|
|
+ if (ret >= 0)
|
|
+ return ret;
|
|
|
|
-fail:
|
|
- if (stt) {
|
|
- for (i = 0; i < npages; i++)
|
|
- if (stt->pages[i])
|
|
- __free_page(stt->pages[i]);
|
|
+ fail:
|
|
+ for (i = 0; i < npages; i++)
|
|
+ if (stt->pages[i])
|
|
+ __free_page(stt->pages[i]);
|
|
|
|
- kfree(stt);
|
|
- }
|
|
+ kfree(stt);
|
|
return ret;
|
|
}
|
|
diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
|
|
index ceb18d349459..8dd0c8edefd6 100644
|
|
--- a/arch/powerpc/platforms/pseries/mobility.c
|
|
+++ b/arch/powerpc/platforms/pseries/mobility.c
|
|
@@ -225,8 +225,10 @@ static int add_dt_node(__be32 parent_phandle, __be32 drc_index)
|
|
return -ENOENT;
|
|
|
|
dn = dlpar_configure_connector(drc_index, parent_dn);
|
|
- if (!dn)
|
|
+ if (!dn) {
|
|
+ of_node_put(parent_dn);
|
|
return -ENOENT;
|
|
+ }
|
|
|
|
rc = dlpar_attach_node(dn);
|
|
if (rc)
|
|
diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
|
|
index 0bc3490420c5..72a483c295f2 100644
|
|
--- a/arch/x86/kernel/fpu/regset.c
|
|
+++ b/arch/x86/kernel/fpu/regset.c
|
|
@@ -116,6 +116,11 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
|
|
xsave = &fpu->state.xsave;
|
|
|
|
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
|
|
+
|
|
+ /* xcomp_bv must be 0 when using uncompacted format */
|
|
+ if (!ret && xsave->header.xcomp_bv)
|
|
+ ret = -EINVAL;
|
|
+
|
|
/*
|
|
* mxcsr reserved bits must be masked to zero for security reasons.
|
|
*/
|
|
@@ -126,6 +131,12 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
|
|
*/
|
|
memset(&xsave->header.reserved, 0, 48);
|
|
|
|
+ /*
|
|
+ * In case of failure, mark all states as init:
|
|
+ */
|
|
+ if (ret)
|
|
+ fpstate_init(&fpu->state);
|
|
+
|
|
return ret;
|
|
}
|
|
|
|
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
|
|
index 31c6a60505e6..3de077116218 100644
|
|
--- a/arch/x86/kernel/fpu/signal.c
|
|
+++ b/arch/x86/kernel/fpu/signal.c
|
|
@@ -309,7 +309,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
|
|
fpu__drop(fpu);
|
|
|
|
if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
|
|
- __copy_from_user(&env, buf, sizeof(env))) {
|
|
+ __copy_from_user(&env, buf, sizeof(env)) ||
|
|
+ (state_size > offsetof(struct xregs_state, header) &&
|
|
+ fpu->state.xsave.header.xcomp_bv)) {
|
|
fpstate_init(&fpu->state);
|
|
err = -1;
|
|
} else {
|
|
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
|
index b12391119ce8..a018dff00808 100644
|
|
--- a/arch/x86/kvm/vmx.c
|
|
+++ b/arch/x86/kvm/vmx.c
|
|
@@ -2029,8 +2029,8 @@ static void vmx_vcpu_pi_load(struct kvm_vcpu *vcpu, int cpu)
|
|
|
|
/* Allow posting non-urgent interrupts */
|
|
new.sn = 0;
|
|
- } while (cmpxchg(&pi_desc->control, old.control,
|
|
- new.control) != old.control);
|
|
+ } while (cmpxchg64(&pi_desc->control, old.control,
|
|
+ new.control) != old.control);
|
|
}
|
|
/*
|
|
* Switches to specified vcpu, until a matching vcpu_put(), but assumes
|
|
@@ -4541,21 +4541,30 @@ static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
|
|
{
|
|
#ifdef CONFIG_SMP
|
|
if (vcpu->mode == IN_GUEST_MODE) {
|
|
- struct vcpu_vmx *vmx = to_vmx(vcpu);
|
|
-
|
|
/*
|
|
- * Currently, we don't support urgent interrupt,
|
|
- * all interrupts are recognized as non-urgent
|
|
- * interrupt, so we cannot post interrupts when
|
|
- * 'SN' is set.
|
|
+ * The vector of interrupt to be delivered to vcpu had
|
|
+ * been set in PIR before this function.
|
|
+ *
|
|
+ * Following cases will be reached in this block, and
|
|
+ * we always send a notification event in all cases as
|
|
+ * explained below.
|
|
*
|
|
- * If the vcpu is in guest mode, it means it is
|
|
- * running instead of being scheduled out and
|
|
- * waiting in the run queue, and that's the only
|
|
- * case when 'SN' is set currently, warning if
|
|
- * 'SN' is set.
|
|
+ * Case 1: vcpu keeps in non-root mode. Sending a
|
|
+ * notification event posts the interrupt to vcpu.
|
|
+ *
|
|
+ * Case 2: vcpu exits to root mode and is still
|
|
+ * runnable. PIR will be synced to vIRR before the
|
|
+ * next vcpu entry. Sending a notification event in
|
|
+ * this case has no effect, as vcpu is not in root
|
|
+ * mode.
|
|
+ *
|
|
+ * Case 3: vcpu exits to root mode and is blocked.
|
|
+ * vcpu_block() has already synced PIR to vIRR and
|
|
+ * never blocks vcpu if vIRR is not cleared. Therefore,
|
|
+ * a blocked vcpu here does not wait for any requested
|
|
+ * interrupts in PIR, and sending a notification event
|
|
+ * which has no effect is safe here.
|
|
*/
|
|
- WARN_ON_ONCE(pi_test_sn(&vmx->pi_desc));
|
|
|
|
apic->send_IPI_mask(get_cpu_mask(vcpu->cpu),
|
|
POSTED_INTR_VECTOR);
|
|
@@ -9683,6 +9692,11 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
|
|
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
|
|
page_to_phys(vmx->nested.virtual_apic_page));
|
|
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
|
|
+ } else {
|
|
+#ifdef CONFIG_X86_64
|
|
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
|
|
+ CPU_BASED_CR8_STORE_EXITING;
|
|
+#endif
|
|
}
|
|
|
|
if (cpu_has_vmx_msr_bitmap() &&
|
|
@@ -10691,8 +10705,8 @@ static int vmx_pre_block(struct kvm_vcpu *vcpu)
|
|
|
|
/* set 'NV' to 'wakeup vector' */
|
|
new.nv = POSTED_INTR_WAKEUP_VECTOR;
|
|
- } while (cmpxchg(&pi_desc->control, old.control,
|
|
- new.control) != old.control);
|
|
+ } while (cmpxchg64(&pi_desc->control, old.control,
|
|
+ new.control) != old.control);
|
|
|
|
return 0;
|
|
}
|
|
@@ -10723,8 +10737,8 @@ static void vmx_post_block(struct kvm_vcpu *vcpu)
|
|
|
|
/* set 'NV' to 'notification vector' */
|
|
new.nv = POSTED_INTR_VECTOR;
|
|
- } while (cmpxchg(&pi_desc->control, old.control,
|
|
- new.control) != old.control);
|
|
+ } while (cmpxchg64(&pi_desc->control, old.control,
|
|
+ new.control) != old.control);
|
|
|
|
if(vcpu->pre_pcpu != -1) {
|
|
spin_lock_irqsave(
|
|
@@ -10755,7 +10769,7 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
|
|
struct kvm_lapic_irq irq;
|
|
struct kvm_vcpu *vcpu;
|
|
struct vcpu_data vcpu_info;
|
|
- int idx, ret = -EINVAL;
|
|
+ int idx, ret = 0;
|
|
|
|
if (!kvm_arch_has_assigned_device(kvm) ||
|
|
!irq_remapping_cap(IRQ_POSTING_CAP))
|
|
@@ -10763,7 +10777,12 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
|
|
|
|
idx = srcu_read_lock(&kvm->irq_srcu);
|
|
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
|
|
- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
|
|
+ if (guest_irq >= irq_rt->nr_rt_entries ||
|
|
+ hlist_empty(&irq_rt->map[guest_irq])) {
|
|
+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
|
|
+ guest_irq, irq_rt->nr_rt_entries);
|
|
+ goto out;
|
|
+ }
|
|
|
|
hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
|
|
if (e->type != KVM_IRQ_ROUTING_MSI)
|
|
@@ -10793,12 +10812,8 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
|
|
|
|
if (set)
|
|
ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
|
|
- else {
|
|
- /* suppress notification event before unposting */
|
|
- pi_set_sn(vcpu_to_pi_desc(vcpu));
|
|
+ else
|
|
ret = irq_set_vcpu_affinity(host_irq, NULL);
|
|
- pi_clear_sn(vcpu_to_pi_desc(vcpu));
|
|
- }
|
|
|
|
if (ret < 0) {
|
|
printk(KERN_INFO "%s: failed to update PI IRTE\n",
|
|
diff --git a/block/bsg-lib.c b/block/bsg-lib.c
|
|
index 650f427d915b..341b8d858e67 100644
|
|
--- a/block/bsg-lib.c
|
|
+++ b/block/bsg-lib.c
|
|
@@ -147,7 +147,6 @@ static int bsg_create_job(struct device *dev, struct request *req)
|
|
failjob_rls_rqst_payload:
|
|
kfree(job->request_payload.sg_list);
|
|
failjob_rls_job:
|
|
- kfree(job);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
|
|
index 6a60936b46e0..62ce93568e11 100644
|
|
--- a/drivers/crypto/talitos.c
|
|
+++ b/drivers/crypto/talitos.c
|
|
@@ -1749,9 +1749,9 @@ static int common_nonsnoop_hash(struct talitos_edesc *edesc,
|
|
req_ctx->swinit = 0;
|
|
} else {
|
|
desc->ptr[1] = zero_entry;
|
|
- /* Indicate next op is not the first. */
|
|
- req_ctx->first = 0;
|
|
}
|
|
+ /* Indicate next op is not the first. */
|
|
+ req_ctx->first = 0;
|
|
|
|
/* HMAC key */
|
|
if (ctx->keylen)
|
|
@@ -2770,7 +2770,8 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
|
|
t_alg->algt.alg.hash.final = ahash_final;
|
|
t_alg->algt.alg.hash.finup = ahash_finup;
|
|
t_alg->algt.alg.hash.digest = ahash_digest;
|
|
- t_alg->algt.alg.hash.setkey = ahash_setkey;
|
|
+ if (!strncmp(alg->cra_name, "hmac", 4))
|
|
+ t_alg->algt.alg.hash.setkey = ahash_setkey;
|
|
t_alg->algt.alg.hash.import = ahash_import;
|
|
t_alg->algt.alg.hash.export = ahash_export;
|
|
|
|
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
|
|
index 5eac08ffc697..d55bf85b76ce 100644
|
|
--- a/drivers/md/raid5.c
|
|
+++ b/drivers/md/raid5.c
|
|
@@ -818,6 +818,14 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
|
|
spin_unlock(&head->batch_head->batch_lock);
|
|
goto unlock_out;
|
|
}
|
|
+ /*
|
|
+ * We must assign batch_head of this stripe within the
|
|
+ * batch_lock, otherwise clear_batch_ready of batch head
|
|
+ * stripe could clear BATCH_READY bit of this stripe and
|
|
+ * this stripe->batch_head doesn't get assigned, which
|
|
+ * could confuse clear_batch_ready for this stripe
|
|
+ */
|
|
+ sh->batch_head = head->batch_head;
|
|
|
|
/*
|
|
* at this point, head's BATCH_READY could be cleared, but we
|
|
@@ -825,8 +833,6 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
|
|
*/
|
|
list_add(&sh->batch_list, &head->batch_list);
|
|
spin_unlock(&head->batch_head->batch_lock);
|
|
-
|
|
- sh->batch_head = head->batch_head;
|
|
} else {
|
|
head->batch_head = head;
|
|
sh->batch_head = head->batch_head;
|
|
@@ -4258,7 +4264,8 @@ static void break_stripe_batch_list(struct stripe_head *head_sh,
|
|
|
|
set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS |
|
|
(1 << STRIPE_PREREAD_ACTIVE) |
|
|
- (1 << STRIPE_DEGRADED)),
|
|
+ (1 << STRIPE_DEGRADED) |
|
|
+ (1 << STRIPE_ON_UNPLUG_LIST)),
|
|
head_sh->state & (1 << STRIPE_INSYNC));
|
|
|
|
sh->check_state = head_sh->check_state;
|
|
diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
|
|
index ea3eeb7011e1..690eb1a18caf 100644
|
|
--- a/drivers/misc/cxl/api.c
|
|
+++ b/drivers/misc/cxl/api.c
|
|
@@ -176,6 +176,10 @@ int cxl_start_context(struct cxl_context *ctx, u64 wed,
|
|
kernel = false;
|
|
}
|
|
|
|
+ /*
|
|
+ * Increment driver use count. Enables global TLBIs for hash
|
|
+ * and callbacks to handle the segment table
|
|
+ */
|
|
cxl_ctx_get();
|
|
|
|
if ((rc = cxl_attach_process(ctx, kernel, wed , 0))) {
|
|
diff --git a/drivers/misc/cxl/file.c b/drivers/misc/cxl/file.c
|
|
index 10a02934bfc0..013558f4da4f 100644
|
|
--- a/drivers/misc/cxl/file.c
|
|
+++ b/drivers/misc/cxl/file.c
|
|
@@ -94,7 +94,6 @@ static int __afu_open(struct inode *inode, struct file *file, bool master)
|
|
|
|
pr_devel("afu_open pe: %i\n", ctx->pe);
|
|
file->private_data = ctx;
|
|
- cxl_ctx_get();
|
|
|
|
/* indicate success */
|
|
rc = 0;
|
|
@@ -205,11 +204,18 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
|
|
ctx->pid = get_task_pid(current, PIDTYPE_PID);
|
|
ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
|
|
|
|
+ /*
|
|
+ * Increment driver use count. Enables global TLBIs for hash
|
|
+ * and callbacks to handle the segment table
|
|
+ */
|
|
+ cxl_ctx_get();
|
|
+
|
|
trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
|
|
|
|
if ((rc = cxl_attach_process(ctx, false, work.work_element_descriptor,
|
|
amr))) {
|
|
afu_release_irqs(ctx, ctx);
|
|
+ cxl_ctx_put();
|
|
goto out;
|
|
}
|
|
|
|
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
|
index f8b2b5987ea9..ec91cd17bf34 100644
|
|
--- a/drivers/pci/pci-sysfs.c
|
|
+++ b/drivers/pci/pci-sysfs.c
|
|
@@ -522,7 +522,7 @@ static ssize_t driver_override_store(struct device *dev,
|
|
const char *buf, size_t count)
|
|
{
|
|
struct pci_dev *pdev = to_pci_dev(dev);
|
|
- char *driver_override, *old = pdev->driver_override, *cp;
|
|
+ char *driver_override, *old, *cp;
|
|
|
|
/* We need to keep extra room for a newline */
|
|
if (count >= (PAGE_SIZE - 1))
|
|
@@ -536,12 +536,15 @@ static ssize_t driver_override_store(struct device *dev,
|
|
if (cp)
|
|
*cp = '\0';
|
|
|
|
+ device_lock(dev);
|
|
+ old = pdev->driver_override;
|
|
if (strlen(driver_override)) {
|
|
pdev->driver_override = driver_override;
|
|
} else {
|
|
kfree(driver_override);
|
|
pdev->driver_override = NULL;
|
|
}
|
|
+ device_unlock(dev);
|
|
|
|
kfree(old);
|
|
|
|
@@ -552,8 +555,12 @@ static ssize_t driver_override_show(struct device *dev,
|
|
struct device_attribute *attr, char *buf)
|
|
{
|
|
struct pci_dev *pdev = to_pci_dev(dev);
|
|
+ ssize_t len;
|
|
|
|
- return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
|
|
+ device_lock(dev);
|
|
+ len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
|
|
+ device_unlock(dev);
|
|
+ return len;
|
|
}
|
|
static DEVICE_ATTR_RW(driver_override);
|
|
|
|
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
|
|
index e4b3d8f4fd85..bb4ed7b1f5df 100644
|
|
--- a/drivers/scsi/scsi_transport_iscsi.c
|
|
+++ b/drivers/scsi/scsi_transport_iscsi.c
|
|
@@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
|
|
uint32_t group;
|
|
|
|
nlh = nlmsg_hdr(skb);
|
|
- if (nlh->nlmsg_len < sizeof(*nlh) ||
|
|
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
|
|
skb->len < nlh->nlmsg_len) {
|
|
break;
|
|
}
|
|
diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
|
|
index f34ed47fcaf8..7f658fa4d22a 100644
|
|
--- a/drivers/video/fbdev/aty/atyfb_base.c
|
|
+++ b/drivers/video/fbdev/aty/atyfb_base.c
|
|
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
|
|
#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
|
|
case ATYIO_CLKR:
|
|
if (M64_HAS(INTEGRATED)) {
|
|
- struct atyclk clk;
|
|
+ struct atyclk clk = { 0 };
|
|
union aty_pll *pll = &par->pll;
|
|
u32 dsp_config = pll->ct.dsp_config;
|
|
u32 dsp_on_off = pll->ct.dsp_on_off;
|
|
diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
|
|
index 8a58bbc14de2..f7b19c25c3a4 100644
|
|
--- a/drivers/xen/swiotlb-xen.c
|
|
+++ b/drivers/xen/swiotlb-xen.c
|
|
@@ -680,3 +680,22 @@ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask)
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
|
|
+
|
|
+/*
|
|
+ * Create userspace mapping for the DMA-coherent memory.
|
|
+ * This function should be called with the pages from the current domain only,
|
|
+ * passing pages mapped from other domains would lead to memory corruption.
|
|
+ */
|
|
+int
|
|
+xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
|
|
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
|
|
+ struct dma_attrs *attrs)
|
|
+{
|
|
+#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
|
|
+ if (__generic_dma_ops(dev)->mmap)
|
|
+ return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
|
|
+ dma_addr, size, attrs);
|
|
+#endif
|
|
+ return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
|
|
+}
|
|
+EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
|
|
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
|
|
index 317b99acdf4b..9c3b9d07f341 100644
|
|
--- a/fs/btrfs/ioctl.c
|
|
+++ b/fs/btrfs/ioctl.c
|
|
@@ -2984,7 +2984,7 @@ static int btrfs_cmp_data_prepare(struct inode *src, u64 loff,
|
|
out:
|
|
if (ret)
|
|
btrfs_cmp_data_free(cmp);
|
|
- return 0;
|
|
+ return ret;
|
|
}
|
|
|
|
static int btrfs_cmp_data(struct inode *src, u64 loff, struct inode *dst,
|
|
@@ -4118,6 +4118,10 @@ static long btrfs_ioctl_default_subvol(struct file *file, void __user *argp)
|
|
ret = PTR_ERR(new_root);
|
|
goto out;
|
|
}
|
|
+ if (!is_fstree(new_root->objectid)) {
|
|
+ ret = -ENOENT;
|
|
+ goto out;
|
|
+ }
|
|
|
|
path = btrfs_alloc_path();
|
|
if (!path) {
|
|
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
|
|
index 8ca9aa92972d..9ebe027cc4b7 100644
|
|
--- a/fs/btrfs/relocation.c
|
|
+++ b/fs/btrfs/relocation.c
|
|
@@ -2350,11 +2350,11 @@ void free_reloc_roots(struct list_head *list)
|
|
while (!list_empty(list)) {
|
|
reloc_root = list_entry(list->next, struct btrfs_root,
|
|
root_list);
|
|
+ __del_reloc_root(reloc_root);
|
|
free_extent_buffer(reloc_root->node);
|
|
free_extent_buffer(reloc_root->commit_root);
|
|
reloc_root->node = NULL;
|
|
reloc_root->commit_root = NULL;
|
|
- __del_reloc_root(reloc_root);
|
|
}
|
|
}
|
|
|
|
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
|
|
index 53a827c6d8b1..b377aa8f266f 100644
|
|
--- a/fs/cifs/connect.c
|
|
+++ b/fs/cifs/connect.c
|
|
@@ -4060,6 +4060,14 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
|
|
cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
|
|
server->sec_mode, server->capabilities, server->timeAdj);
|
|
|
|
+ if (ses->auth_key.response) {
|
|
+ cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
|
|
+ ses->auth_key.response);
|
|
+ kfree(ses->auth_key.response);
|
|
+ ses->auth_key.response = NULL;
|
|
+ ses->auth_key.len = 0;
|
|
+ }
|
|
+
|
|
if (server->ops->sess_setup)
|
|
rc = server->ops->sess_setup(xid, ses, nls_info);
|
|
|
|
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
|
|
index a0c0a49b6620..ec2d07bb9beb 100644
|
|
--- a/fs/cifs/file.c
|
|
+++ b/fs/cifs/file.c
|
|
@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
|
|
if (backup_cred(cifs_sb))
|
|
create_options |= CREATE_OPEN_BACKUP_INTENT;
|
|
|
|
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
|
|
+ if (f_flags & O_SYNC)
|
|
+ create_options |= CREATE_WRITE_THROUGH;
|
|
+
|
|
+ if (f_flags & O_DIRECT)
|
|
+ create_options |= CREATE_NO_BUFFER;
|
|
+
|
|
oparms.tcon = tcon;
|
|
oparms.cifs_sb = cifs_sb;
|
|
oparms.desired_access = desired_access;
|
|
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
|
|
index 6c484ddf26a9..f2ff60e58ec8 100644
|
|
--- a/fs/cifs/smb2pdu.c
|
|
+++ b/fs/cifs/smb2pdu.c
|
|
@@ -361,7 +361,7 @@ assemble_neg_contexts(struct smb2_negotiate_req *req)
|
|
build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt);
|
|
req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
|
|
req->NegotiateContextCount = cpu_to_le16(2);
|
|
- inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2
|
|
+ inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context)
|
|
+ sizeof(struct smb2_encryption_neg_context)); /* calculate hash */
|
|
}
|
|
#else
|
|
@@ -526,15 +526,22 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
|
|
|
|
/*
|
|
* validation ioctl must be signed, so no point sending this if we
|
|
- * can not sign it. We could eventually change this to selectively
|
|
+ * can not sign it (ie are not known user). Even if signing is not
|
|
+ * required (enabled but not negotiated), in those cases we selectively
|
|
* sign just this, the first and only signed request on a connection.
|
|
- * This is good enough for now since a user who wants better security
|
|
- * would also enable signing on the mount. Having validation of
|
|
- * negotiate info for signed connections helps reduce attack vectors
|
|
+ * Having validation of negotiate info helps reduce attack vectors.
|
|
*/
|
|
- if (tcon->ses->server->sign == false)
|
|
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
|
|
return 0; /* validation requires signing */
|
|
|
|
+ if (tcon->ses->user_name == NULL) {
|
|
+ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
|
|
+ return 0; /* validation requires signing */
|
|
+ }
|
|
+
|
|
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
|
|
+ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
|
|
+
|
|
vneg_inbuf.Capabilities =
|
|
cpu_to_le32(tcon->ses->server->vals->req_capabilities);
|
|
memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
|
|
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
|
|
index 070901e76653..ff36f5475d7e 100644
|
|
--- a/fs/gfs2/glock.c
|
|
+++ b/fs/gfs2/glock.c
|
|
@@ -1814,13 +1814,10 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
|
|
{
|
|
struct gfs2_glock_iter *gi = seq->private;
|
|
loff_t n = *pos;
|
|
- int ret;
|
|
-
|
|
- if (gi->last_pos <= *pos)
|
|
- n = (*pos - gi->last_pos);
|
|
|
|
- ret = rhashtable_walk_start(&gi->hti);
|
|
- if (ret)
|
|
+ if (rhashtable_walk_init(&gl_hash_table, &gi->hti) != 0)
|
|
+ return NULL;
|
|
+ if (rhashtable_walk_start(&gi->hti) != 0)
|
|
return NULL;
|
|
|
|
do {
|
|
@@ -1828,6 +1825,7 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
|
|
} while (gi->gl && n--);
|
|
|
|
gi->last_pos = *pos;
|
|
+
|
|
return gi->gl;
|
|
}
|
|
|
|
@@ -1839,6 +1837,7 @@ static void *gfs2_glock_seq_next(struct seq_file *seq, void *iter_ptr,
|
|
(*pos)++;
|
|
gi->last_pos = *pos;
|
|
gfs2_glock_iter_next(gi);
|
|
+
|
|
return gi->gl;
|
|
}
|
|
|
|
@@ -1847,7 +1846,10 @@ static void gfs2_glock_seq_stop(struct seq_file *seq, void *iter_ptr)
|
|
struct gfs2_glock_iter *gi = seq->private;
|
|
|
|
gi->gl = NULL;
|
|
- rhashtable_walk_stop(&gi->hti);
|
|
+ if (gi->hti.walker) {
|
|
+ rhashtable_walk_stop(&gi->hti);
|
|
+ rhashtable_walk_exit(&gi->hti);
|
|
+ }
|
|
}
|
|
|
|
static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr)
|
|
@@ -1910,12 +1912,10 @@ static int gfs2_glocks_open(struct inode *inode, struct file *file)
|
|
struct gfs2_glock_iter *gi = seq->private;
|
|
|
|
gi->sdp = inode->i_private;
|
|
- gi->last_pos = 0;
|
|
seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
|
|
if (seq->buf)
|
|
seq->size = GFS2_SEQ_GOODSIZE;
|
|
gi->gl = NULL;
|
|
- ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
|
|
}
|
|
return ret;
|
|
}
|
|
@@ -1926,7 +1926,6 @@ static int gfs2_glocks_release(struct inode *inode, struct file *file)
|
|
struct gfs2_glock_iter *gi = seq->private;
|
|
|
|
gi->gl = NULL;
|
|
- rhashtable_walk_exit(&gi->hti);
|
|
return seq_release_private(inode, file);
|
|
}
|
|
|
|
@@ -1938,12 +1937,10 @@ static int gfs2_glstats_open(struct inode *inode, struct file *file)
|
|
struct seq_file *seq = file->private_data;
|
|
struct gfs2_glock_iter *gi = seq->private;
|
|
gi->sdp = inode->i_private;
|
|
- gi->last_pos = 0;
|
|
seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
|
|
if (seq->buf)
|
|
seq->size = GFS2_SEQ_GOODSIZE;
|
|
gi->gl = NULL;
|
|
- ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
|
|
}
|
|
return ret;
|
|
}
|
|
diff --git a/fs/read_write.c b/fs/read_write.c
|
|
index 819ef3faf1bb..bfd1a5dddf6e 100644
|
|
--- a/fs/read_write.c
|
|
+++ b/fs/read_write.c
|
|
@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
|
|
* In the generic case the entire file is data, so as long as
|
|
* offset isn't at the end of the file then the offset is data.
|
|
*/
|
|
- if (offset >= eof)
|
|
+ if ((unsigned long long)offset >= eof)
|
|
return -ENXIO;
|
|
break;
|
|
case SEEK_HOLE:
|
|
@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
|
|
* There is a virtual hole at the end of the file, so as long as
|
|
* offset isn't i_size or larger, return i_size.
|
|
*/
|
|
- if (offset >= eof)
|
|
+ if ((unsigned long long)offset >= eof)
|
|
return -ENXIO;
|
|
offset = eof;
|
|
break;
|
|
diff --git a/include/linux/key.h b/include/linux/key.h
|
|
index 66f705243985..dcc115e8dd03 100644
|
|
--- a/include/linux/key.h
|
|
+++ b/include/linux/key.h
|
|
@@ -177,6 +177,7 @@ struct key {
|
|
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
|
|
#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
|
|
#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
|
|
+#define KEY_FLAG_UID_KEYRING 12 /* set if key is a user or user session keyring */
|
|
|
|
/* the key type and key description string
|
|
* - the desc is used to match a key against search criteria
|
|
@@ -218,6 +219,7 @@ extern struct key *key_alloc(struct key_type *type,
|
|
#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
|
|
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
|
|
#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
|
|
+#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
|
|
|
|
extern void key_revoke(struct key *key);
|
|
extern void key_invalidate(struct key *key);
|
|
diff --git a/include/linux/platform_data/mmp_dma.h b/include/linux/platform_data/mmp_dma.h
|
|
index 2a330ec9e2af..d1397c8ed94e 100644
|
|
--- a/include/linux/platform_data/mmp_dma.h
|
|
+++ b/include/linux/platform_data/mmp_dma.h
|
|
@@ -14,6 +14,7 @@
|
|
|
|
struct mmp_dma_platdata {
|
|
int dma_channels;
|
|
+ int nb_requestors;
|
|
};
|
|
|
|
#endif /* MMP_DMA_H */
|
|
diff --git a/include/xen/swiotlb-xen.h b/include/xen/swiotlb-xen.h
|
|
index 8b2eb93ae8ba..4d7fdbf20eff 100644
|
|
--- a/include/xen/swiotlb-xen.h
|
|
+++ b/include/xen/swiotlb-xen.h
|
|
@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device *hwdev, u64 mask);
|
|
|
|
extern int
|
|
xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
|
|
+
|
|
+extern int
|
|
+xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
|
|
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
|
|
+ struct dma_attrs *attrs);
|
|
#endif /* __LINUX_SWIOTLB_XEN_H */
|
|
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
|
|
index 15a1795bbba1..efd384f3f852 100644
|
|
--- a/kernel/seccomp.c
|
|
+++ b/kernel/seccomp.c
|
|
@@ -457,14 +457,19 @@ static long seccomp_attach_filter(unsigned int flags,
|
|
return 0;
|
|
}
|
|
|
|
+void __get_seccomp_filter(struct seccomp_filter *filter)
|
|
+{
|
|
+ /* Reference count is bounded by the number of total processes. */
|
|
+ atomic_inc(&filter->usage);
|
|
+}
|
|
+
|
|
/* get_seccomp_filter - increments the reference count of the filter on @tsk */
|
|
void get_seccomp_filter(struct task_struct *tsk)
|
|
{
|
|
struct seccomp_filter *orig = tsk->seccomp.filter;
|
|
if (!orig)
|
|
return;
|
|
- /* Reference count is bounded by the number of total processes. */
|
|
- atomic_inc(&orig->usage);
|
|
+ __get_seccomp_filter(orig);
|
|
}
|
|
|
|
static inline void seccomp_filter_free(struct seccomp_filter *filter)
|
|
@@ -475,10 +480,8 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter)
|
|
}
|
|
}
|
|
|
|
-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
|
|
-void put_seccomp_filter(struct task_struct *tsk)
|
|
+static void __put_seccomp_filter(struct seccomp_filter *orig)
|
|
{
|
|
- struct seccomp_filter *orig = tsk->seccomp.filter;
|
|
/* Clean up single-reference branches iteratively. */
|
|
while (orig && atomic_dec_and_test(&orig->usage)) {
|
|
struct seccomp_filter *freeme = orig;
|
|
@@ -487,6 +490,12 @@ void put_seccomp_filter(struct task_struct *tsk)
|
|
}
|
|
}
|
|
|
|
+/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
|
|
+void put_seccomp_filter(struct task_struct *tsk)
|
|
+{
|
|
+ __put_seccomp_filter(tsk->seccomp.filter);
|
|
+}
|
|
+
|
|
/**
|
|
* seccomp_send_sigsys - signals the task to allow in-process syscall emulation
|
|
* @syscall: syscall number to send to userland
|
|
@@ -927,13 +936,13 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
|
|
if (!data)
|
|
goto out;
|
|
|
|
- get_seccomp_filter(task);
|
|
+ __get_seccomp_filter(filter);
|
|
spin_unlock_irq(&task->sighand->siglock);
|
|
|
|
if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
|
|
ret = -EFAULT;
|
|
|
|
- put_seccomp_filter(task);
|
|
+ __put_seccomp_filter(filter);
|
|
return ret;
|
|
|
|
out:
|
|
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
|
|
index 002ec084124b..17c59e78661b 100644
|
|
--- a/kernel/sysctl.c
|
|
+++ b/kernel/sysctl.c
|
|
@@ -1159,6 +1159,8 @@ static struct ctl_table kern_table[] = {
|
|
.maxlen = sizeof(unsigned int),
|
|
.mode = 0644,
|
|
.proc_handler = timer_migration_handler,
|
|
+ .extra1 = &zero,
|
|
+ .extra2 = &one,
|
|
},
|
|
#endif
|
|
#ifdef CONFIG_BPF_SYSCALL
|
|
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
|
|
index bbc5d1114583..125407144c01 100644
|
|
--- a/kernel/time/timer.c
|
|
+++ b/kernel/time/timer.c
|
|
@@ -127,7 +127,7 @@ int timer_migration_handler(struct ctl_table *table, int write,
|
|
int ret;
|
|
|
|
mutex_lock(&mutex);
|
|
- ret = proc_dointvec(table, write, buffer, lenp, ppos);
|
|
+ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
|
|
if (!ret && write)
|
|
timers_update_migration(false);
|
|
mutex_unlock(&mutex);
|
|
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
|
|
index 4743066010c4..b64f35afee4e 100644
|
|
--- a/kernel/trace/trace.c
|
|
+++ b/kernel/trace/trace.c
|
|
@@ -3226,11 +3226,17 @@ static int tracing_open(struct inode *inode, struct file *file)
|
|
/* If this file was open for write, then erase contents */
|
|
if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
|
|
int cpu = tracing_get_cpu(inode);
|
|
+ struct trace_buffer *trace_buf = &tr->trace_buffer;
|
|
+
|
|
+#ifdef CONFIG_TRACER_MAX_TRACE
|
|
+ if (tr->current_trace->print_max)
|
|
+ trace_buf = &tr->max_buffer;
|
|
+#endif
|
|
|
|
if (cpu == RING_BUFFER_ALL_CPUS)
|
|
- tracing_reset_online_cpus(&tr->trace_buffer);
|
|
+ tracing_reset_online_cpus(trace_buf);
|
|
else
|
|
- tracing_reset(&tr->trace_buffer, cpu);
|
|
+ tracing_reset(trace_buf, cpu);
|
|
}
|
|
|
|
if (file->f_mode & FMODE_READ) {
|
|
@@ -4701,7 +4707,7 @@ static int tracing_wait_pipe(struct file *filp)
|
|
*
|
|
* iter->pos will be 0 if we haven't read anything.
|
|
*/
|
|
- if (!tracing_is_on() && iter->pos)
|
|
+ if (!tracer_tracing_is_on(iter->tr) && iter->pos)
|
|
break;
|
|
|
|
mutex_unlock(&iter->mutex);
|
|
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
|
|
index 04401037140e..b6be51940ead 100644
|
|
--- a/net/mac80211/offchannel.c
|
|
+++ b/net/mac80211/offchannel.c
|
|
@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee80211_local *local,
|
|
struct ieee80211_roc_work *roc, *tmp;
|
|
LIST_HEAD(tmp_list);
|
|
|
|
+ flush_work(&local->hw_roc_start);
|
|
+
|
|
mutex_lock(&local->mtx);
|
|
list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
|
|
if (sdata && roc->sdata != sdata)
|
|
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
|
|
index de10e3c0e2a4..8ece212aa3d2 100644
|
|
--- a/net/wireless/nl80211.c
|
|
+++ b/net/wireless/nl80211.c
|
|
@@ -9786,6 +9786,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
|
|
if (err)
|
|
return err;
|
|
|
|
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
|
|
+ !tb[NL80211_REKEY_DATA_KCK])
|
|
+ return -EINVAL;
|
|
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
|
|
return -ERANGE;
|
|
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
|
|
diff --git a/security/keys/internal.h b/security/keys/internal.h
|
|
index 5105c2c2da75..51ffb9cde073 100644
|
|
--- a/security/keys/internal.h
|
|
+++ b/security/keys/internal.h
|
|
@@ -136,7 +136,7 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
|
|
extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
|
|
extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
|
|
|
|
-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
|
|
+extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
|
|
|
|
extern int install_user_keyrings(void);
|
|
extern int install_thread_keyring_to_cred(struct cred *);
|
|
diff --git a/security/keys/key.c b/security/keys/key.c
|
|
index 09c10b181881..51d23c623424 100644
|
|
--- a/security/keys/key.c
|
|
+++ b/security/keys/key.c
|
|
@@ -296,6 +296,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
|
|
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
|
|
if (flags & KEY_ALLOC_TRUSTED)
|
|
key->flags |= 1 << KEY_FLAG_TRUSTED;
|
|
+ if (flags & KEY_ALLOC_UID_KEYRING)
|
|
+ key->flags |= 1 << KEY_FLAG_UID_KEYRING;
|
|
|
|
#ifdef KEY_DEBUGGING
|
|
key->magic = KEY_DEBUG_MAGIC;
|
|
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
|
index 671709d8610d..a009dc66eb8f 100644
|
|
--- a/security/keys/keyctl.c
|
|
+++ b/security/keys/keyctl.c
|
|
@@ -738,6 +738,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
|
|
|
|
key = key_ref_to_ptr(key_ref);
|
|
|
|
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
|
|
+ ret = -ENOKEY;
|
|
+ goto error2;
|
|
+ }
|
|
+
|
|
/* see if we can read it directly */
|
|
ret = key_permission(key_ref, KEY_NEED_READ);
|
|
if (ret == 0)
|
|
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
|
|
index f931ccfeefb0..0c8dd4fbe130 100644
|
|
--- a/security/keys/keyring.c
|
|
+++ b/security/keys/keyring.c
|
|
@@ -416,7 +416,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
|
|
}
|
|
|
|
struct keyring_read_iterator_context {
|
|
- size_t qty;
|
|
+ size_t buflen;
|
|
size_t count;
|
|
key_serial_t __user *buffer;
|
|
};
|
|
@@ -428,9 +428,9 @@ static int keyring_read_iterator(const void *object, void *data)
|
|
int ret;
|
|
|
|
kenter("{%s,%d},,{%zu/%zu}",
|
|
- key->type->name, key->serial, ctx->count, ctx->qty);
|
|
+ key->type->name, key->serial, ctx->count, ctx->buflen);
|
|
|
|
- if (ctx->count >= ctx->qty)
|
|
+ if (ctx->count >= ctx->buflen)
|
|
return 1;
|
|
|
|
ret = put_user(key->serial, ctx->buffer);
|
|
@@ -465,16 +465,12 @@ static long keyring_read(const struct key *keyring,
|
|
return 0;
|
|
|
|
/* Calculate how much data we could return */
|
|
- ctx.qty = nr_keys * sizeof(key_serial_t);
|
|
-
|
|
if (!buffer || !buflen)
|
|
- return ctx.qty;
|
|
-
|
|
- if (buflen > ctx.qty)
|
|
- ctx.qty = buflen;
|
|
+ return nr_keys * sizeof(key_serial_t);
|
|
|
|
/* Copy the IDs of the subscribed keys into the buffer */
|
|
ctx.buffer = (key_serial_t __user *)buffer;
|
|
+ ctx.buflen = buflen;
|
|
ctx.count = 0;
|
|
ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
|
|
if (ret < 0) {
|
|
@@ -965,15 +961,15 @@ found:
|
|
/*
|
|
* Find a keyring with the specified name.
|
|
*
|
|
- * All named keyrings in the current user namespace are searched, provided they
|
|
- * grant Search permission directly to the caller (unless this check is
|
|
- * skipped). Keyrings whose usage points have reached zero or who have been
|
|
- * revoked are skipped.
|
|
+ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
|
|
+ * user in the current user namespace are considered. If @uid_keyring is %true,
|
|
+ * the keyring additionally must have been allocated as a user or user session
|
|
+ * keyring; otherwise, it must grant Search permission directly to the caller.
|
|
*
|
|
* Returns a pointer to the keyring with the keyring's refcount having being
|
|
* incremented on success. -ENOKEY is returned if a key could not be found.
|
|
*/
|
|
-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
|
|
+struct key *find_keyring_by_name(const char *name, bool uid_keyring)
|
|
{
|
|
struct key *keyring;
|
|
int bucket;
|
|
@@ -1001,10 +997,15 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
|
|
if (strcmp(keyring->description, name) != 0)
|
|
continue;
|
|
|
|
- if (!skip_perm_check &&
|
|
- key_permission(make_key_ref(keyring, 0),
|
|
- KEY_NEED_SEARCH) < 0)
|
|
- continue;
|
|
+ if (uid_keyring) {
|
|
+ if (!test_bit(KEY_FLAG_UID_KEYRING,
|
|
+ &keyring->flags))
|
|
+ continue;
|
|
+ } else {
|
|
+ if (key_permission(make_key_ref(keyring, 0),
|
|
+ KEY_NEED_SEARCH) < 0)
|
|
+ continue;
|
|
+ }
|
|
|
|
/* we've got a match but we might end up racing with
|
|
* key_cleanup() if the keyring is currently 'dead'
|
|
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
|
index 4ed909142956..7dd050f24261 100644
|
|
--- a/security/keys/process_keys.c
|
|
+++ b/security/keys/process_keys.c
|
|
@@ -76,7 +76,9 @@ int install_user_keyrings(void)
|
|
if (IS_ERR(uid_keyring)) {
|
|
uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
|
|
cred, user_keyring_perm,
|
|
- KEY_ALLOC_IN_QUOTA, NULL);
|
|
+ KEY_ALLOC_UID_KEYRING |
|
|
+ KEY_ALLOC_IN_QUOTA,
|
|
+ NULL);
|
|
if (IS_ERR(uid_keyring)) {
|
|
ret = PTR_ERR(uid_keyring);
|
|
goto error;
|
|
@@ -92,7 +94,9 @@ int install_user_keyrings(void)
|
|
session_keyring =
|
|
keyring_alloc(buf, user->uid, INVALID_GID,
|
|
cred, user_keyring_perm,
|
|
- KEY_ALLOC_IN_QUOTA, NULL);
|
|
+ KEY_ALLOC_UID_KEYRING |
|
|
+ KEY_ALLOC_IN_QUOTA,
|
|
+ NULL);
|
|
if (IS_ERR(session_keyring)) {
|
|
ret = PTR_ERR(session_keyring);
|
|
goto error_release;
|