Push to branch refs/heads/wrapfs:
25e7033cb3dd129050fda4503bb2129799592096 -->
8f8d3e4f8fdc29bbad88c380e0eb4bebb43daf33
Documentation/kernel-parameters.txt | 4 +
Makefile | 2 +-
arch/arc/kernel/unaligned.c | 3 +-
arch/arm/kernel/ptrace.c | 2 +-
arch/arm/kvm/mmu.c | 12 +
arch/c6x/kernel/ptrace.c | 41 --
arch/metag/include/asm/uaccess.h | 15 +-
arch/metag/kernel/ptrace.c | 19 +-
arch/metag/lib/usercopy.c | 312 ++++------
arch/mips/cavium-octeon/octeon-memcpy.S | 20 +-
arch/mips/configs/ip27_defconfig | 1 -
arch/mips/dec/int-handler.S | 40 +-
arch/mips/include/asm/checksum.h | 2 +
arch/mips/kernel/crash.c | 16 +-
arch/mips/kernel/kgdb.c | 48 +-
arch/mips/kernel/process.c | 153 +++--
arch/mips/mm/sc-ip22.c | 54 +-
arch/mips/ralink/prom.c | 9 +-
arch/mips/sgi-ip22/Platform | 2 +-
arch/parisc/include/asm/bitops.h | 8 +-
arch/parisc/include/uapi/asm/bitsperlong.h | 2 -
arch/parisc/include/uapi/asm/swab.h | 5 +-
arch/powerpc/Makefile | 8 +
arch/powerpc/kernel/align.c | 28 +-
arch/powerpc/kernel/hw_breakpoint.c | 4 +-
arch/powerpc/kernel/setup_64.c | 9 +
arch/powerpc/kvm/emulate.c | 1 -
arch/s390/boot/compressed/misc.c | 35 +-
arch/s390/include/asm/processor.h | 3 +-
arch/s390/net/bpf_jit_comp.c | 2 +-
arch/s390/pci/pci_dma.c | 16 +-
arch/sparc/kernel/ptrace_64.c | 2 +-
arch/tile/kernel/ptrace.c | 2 +-
arch/x86/Kconfig | 2 +-
arch/x86/crypto/ghash-clmulni-intel_glue.c | 26 +
arch/x86/include/asm/elf.h | 2 +-
arch/x86/kernel/cpu/mcheck/mce_amd.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_lbr.c | 2 +
arch/x86/kernel/ftrace.c | 12 +
arch/x86/kvm/vmx.c | 2 +-
arch/x86/mm/init.c | 41 +-
arch/x86/net/bpf_jit_comp.c | 2 +-
arch/x86/pci/xen.c | 23 +-
arch/x86/platform/goldfish/goldfish.c | 14 +-
arch/x86/xen/time.c | 6 +-
arch/xtensa/kernel/setup.c | 4 +-
block/genhd.c | 1 -
block/scsi_ioctl.c | 3 +
crypto/Makefile | 2 +
crypto/algapi.c | 1 +
crypto/algif_hash.c | 2 +-
crypto/cryptd.c | 1 +
drivers/acpi/Makefile | 1 -
drivers/acpi/osl.c | 6 +-
drivers/acpi/power.c | 1 +
drivers/acpi/video.c | 3 +
drivers/ata/sata_mv.c | 3 +
drivers/bcma/main.c | 4 +
drivers/bluetooth/ath3k.c | 2 +
drivers/bluetooth/btusb.c | 1 +
drivers/char/Kconfig | 6 +-
drivers/char/mem.c | 82 ++-
drivers/char/virtio_console.c | 12 +-
drivers/cpufreq/cpufreq.c | 112 ++--
drivers/crypto/caam/caamhash.c | 1 +
drivers/gpu/drm/ast/ast_post.c | 8 +-
drivers/gpu/drm/i915/intel_crt.c | 9 +-
drivers/gpu/drm/i915/intel_display.c | 4 +-
drivers/gpu/drm/nouveau/dispnv04/hw.c | 3 +-
drivers/gpu/drm/nouveau/nv50_display.c | 2 +-
drivers/gpu/drm/ttm/ttm_bo.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 +-
drivers/hid/hid-ids.h | 3 +
drivers/hid/hid-lg.c | 2 +-
drivers/hid/i2c-hid/i2c-hid.c | 9 +
drivers/hid/usbhid/hid-quirks.c | 1 +
drivers/hv/channel.c | 17 +-
drivers/hv/hv.c | 11 +-
drivers/hv/hv_balloon.c | 4 +-
drivers/hv/hyperv_vmbus.h | 2 +-
drivers/hv/vmbus_drv.c | 4 +-
drivers/i2c/busses/i2c-at91.c | 36 +-
drivers/infiniband/core/cma.c | 3 +
drivers/infiniband/hw/mlx5/main.c | 2 +-
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 12 +-
drivers/infiniband/ulp/ipoib/ipoib_main.c | 6 +-
drivers/input/joydev.c | 18 +-
drivers/input/joystick/iforce/iforce-usb.c | 3 +
drivers/input/joystick/xpad.c | 2 +
drivers/input/keyboard/mpr121_touchkey.c | 24 +-
drivers/input/keyboard/tca8418_keypad.c | 6 +-
drivers/input/misc/cm109.c | 4 +
drivers/input/misc/ims-pcu.c | 4 +
drivers/input/misc/yealink.c | 4 +
drivers/input/mouse/elantech.c | 8 +
drivers/input/serio/i8042-x86ia64io.h | 14 +
drivers/input/tablet/hanwang.c | 3 +
drivers/input/tablet/kbtab.c | 3 +
drivers/isdn/gigaset/bas-gigaset.c | 3 +
drivers/isdn/hardware/eicon/message.c | 3 +-
drivers/md/dm.c | 55 ++
drivers/md/linear.c | 29 +-
drivers/md/linear.h | 1 +
drivers/md/raid1.c | 2 +-
drivers/media/i2c/Kconfig | 1 +
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +-
drivers/media/usb/siano/smsusb.c | 18 +-
drivers/media/usb/uvc/uvc_driver.c | 118 +++-
drivers/media/usb/uvc/uvc_queue.c | 2 +-
drivers/mfd/pm8921-core.c | 9 +-
drivers/mmc/host/sdhci.c | 4 +-
drivers/mmc/host/ushc.c | 3 +
drivers/mtd/bcm47xxpart.c | 10 +-
drivers/mtd/maps/pmcmsp-flash.c | 4 +-
drivers/mtd/ubi/upd.c | 8 +-
drivers/net/can/c_can/c_can_pci.c | 1 +
drivers/net/can/ti_hecc.c | 16 +-
drivers/net/can/usb/usb_8dev.c | 9 +-
drivers/net/ethernet/freescale/gianfar_ethtool.c | 3 +
drivers/net/ethernet/intel/igb/e1000_phy.c | 4 +
drivers/net/ethernet/mellanox/mlx4/cq.c | 38 +-
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +-
drivers/net/ethernet/ti/cpmac.c | 2 +-
drivers/net/macvtap.c | 4 +-
drivers/net/phy/phy.c | 2 +-
drivers/net/tun.c | 20 +-
drivers/net/usb/catc.c | 56 +-
drivers/net/usb/cdc_ether.c | 8 +
drivers/net/usb/pegasus.c | 29 +-
drivers/net/usb/qmi_wwan.c | 9 +
drivers/net/usb/rtl8150.c | 34 +-
drivers/net/vxlan.c | 2 +-
drivers/net/wireless/ath/ath5k/mac80211-ops.c | 3 +-
drivers/net/wireless/ath/ath9k/ar9003_eeprom.h | 4 +-
drivers/net/wireless/hostap/hostap_hw.c | 15 +-
drivers/net/wireless/rtlwifi/usb.c | 18 +
drivers/pci/host/pci-mvebu.c | 88 ++-
drivers/platform/goldfish/pdev_bus.c | 13 +-
drivers/platform/x86/acer-wmi.c | 25 +-
drivers/platform/x86/intel_mid_powerbtn.c | 4 +-
drivers/rtc/interface.c | 16 +-
drivers/rtc/rtc-s35390a.c | 167 ++++--
drivers/s390/cio/qdio_thinint.c | 8 +-
drivers/s390/scsi/zfcp_fsf.c | 8 +-
drivers/scsi/aacraid/src.c | 21 +-
drivers/scsi/libsas/sas_ata.c | 2 +-
drivers/scsi/lpfc/lpfc_hw4.h | 2 +
drivers/scsi/lpfc/lpfc_init.c | 1 +
drivers/scsi/lpfc/lpfc_sli.c | 9 +-
drivers/scsi/mpt3sas/mpt3sas_base.h | 12 +
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +-
drivers/scsi/mvsas/mv_sas.c | 4 +-
drivers/scsi/scsi_lib.c | 17 +-
drivers/scsi/sd.c | 29 +-
drivers/scsi/sr.c | 6 +-
drivers/scsi/storvsc_drv.c | 32 +-
drivers/staging/rtl8188eu/core/rtw_recv.c | 3 +
drivers/staging/rtl8712/rtl871x_recv.c | 7 +-
drivers/staging/vt6655/hostap.c | 3 +-
drivers/staging/vt6656/hostap.c | 3 +-
drivers/staging/zram/zram_drv.c | 6 +-
drivers/target/iscsi/iscsi_target_parameters.c | 16 -
drivers/target/iscsi/iscsi_target_util.c | 12 +-
drivers/target/target_core_pscsi.c | 47 +-
drivers/target/target_core_sbc.c | 8 +-
drivers/tty/n_hdlc.c | 143 +++--
drivers/tty/nozomi.c | 2 +-
drivers/tty/serial/8250/8250_pci.c | 13 +
drivers/tty/serial/atmel_serial.c | 5 +
drivers/tty/serial/msm_serial.c | 1 +
drivers/usb/class/cdc-acm.c | 17 +-
drivers/usb/class/usbtmc.c | 9 +-
drivers/usb/core/config.c | 10 +
drivers/usb/core/hcd.c | 7 +-
drivers/usb/core/hub.c | 13 +-
drivers/usb/core/quirks.c | 12 +
drivers/usb/dwc3/gadget.c | 21 +-
drivers/usb/dwc3/gadget.h | 14 +-
drivers/usb/gadget/f_acm.c | 4 +-
drivers/usb/host/ohci-q.c | 7 +-
drivers/usb/host/xhci-pci.c | 1 +
drivers/usb/host/xhci-plat.c | 2 +
drivers/usb/host/xhci.c | 6 +-
drivers/usb/host/xhci.h | 1 +
drivers/usb/misc/idmouse.c | 3 +
drivers/usb/misc/iowarrior.c | 21 +-
drivers/usb/misc/uss720.c | 5 +
drivers/usb/serial/ark3116.c | 13 +-
drivers/usb/serial/cp210x.c | 2 +
drivers/usb/serial/digi_acceleport.c | 14 +-
drivers/usb/serial/ftdi_sio.c | 31 +-
drivers/usb/serial/io_ti.c | 8 +-
drivers/usb/serial/mos7840.c | 4 +-
drivers/usb/serial/omninet.c | 6 -
drivers/usb/serial/opticon.c | 2 +-
drivers/usb/serial/option.c | 157 ++++-
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 1 +
drivers/usb/serial/qcserial.c | 50 ++
drivers/usb/serial/safe_serial.c | 5 +
drivers/usb/serial/spcp8x5.c | 8 +-
drivers/usb/wusbcore/wa-hc.c | 3 +
drivers/uwb/hwa-rc.c | 3 +
drivers/uwb/i1480/dfu/usb.c | 3 +
drivers/video/console/fbcon.c | 67 ++-
drivers/video/fbcmap.c | 26 +-
drivers/video/xen-fbfront.c | 4 +-
drivers/virtio/virtio_balloon.c | 2 +
fs/cifs/cifsglob.h | 1 -
fs/cifs/readdir.c | 1 +
fs/cifs/smb1ops.c | 10 +
fs/cifs/smb2pdu.c | 9 +-
fs/ext4/inline.c | 5 +-
fs/ext4/inode.c | 5 +-
fs/ext4/mballoc.c | 7 +
fs/ext4/super.c | 18 +-
fs/ext4/xattr.c | 32 +-
fs/fat/inode.c | 13 +-
fs/fuse/file.c | 1 +
fs/gfs2/dir.c | 4 +-
fs/jbd2/transaction.c | 4 +-
fs/nfs/nfs4proc.c | 10 +-
fs/nfs/nfs4xdr.c | 2 +-
fs/nfsd/nfssvc.c | 36 ++
fs/ocfs2/ioctl.c | 129 ++--
fs/splice.c | 1 +
fs/xfs/xfs_aops.c | 13 +-
fs/xfs/xfs_bmap_util.c | 9 +-
fs/xfs/xfs_buf.c | 1 +
fs/xfs/xfs_inode_buf.c | 8 +
fs/xfs/xfs_iomap.c | 8 +-
include/linux/can/core.h | 7 +-
include/linux/jump_label.h | 16 +
include/linux/kvm_host.h | 4 +-
include/linux/lockd/lockd.h | 3 +-
include/linux/log2.h | 13 +-
include/linux/nfs4.h | 3 +-
include/linux/sunrpc/clnt.h | 1 +
include/linux/usb/quirks.h | 6 +
include/net/cipso_ipv4.h | 4 +
include/net/if_inet6.h | 1 -
include/net/sock.h | 1 +
include/rdma/ib_sa.h | 6 +-
include/trace/events/syscalls.h | 1 +
include/uapi/linux/netlink.h | 4 +
include/uapi/linux/netlink_diag.h | 2 +
include/uapi/linux/packet_diag.h | 2 +-
ipc/shm.c | 13 +-
kernel/events/core.c | 5 +-
kernel/fork.c | 15 +-
kernel/futex.c | 24 +-
kernel/padata.c | 5 +-
kernel/printk/printk.c | 2 +-
kernel/ptrace.c | 14 +-
kernel/sched/core.c | 9 +-
kernel/sched/rt.c | 3 +-
kernel/sysctl.c | 1 +
kernel/trace/ring_buffer.c | 24 +-
kernel/trace/trace.c | 8 +-
mm/filemap.c | 5 +
mm/huge_memory.c | 19 +-
mm/hugetlb.c | 6 +-
mm/memory_hotplug.c | 12 +-
mm/mempolicy.c | 20 +-
mm/vmpressure.c | 10 +-
net/9p/client.c | 4 +
net/can/af_can.c | 12 +-
net/can/af_can.h | 3 +-
net/can/bcm.c | 27 +-
net/can/gw.c | 2 +-
net/can/raw.c | 4 +-
net/ceph/messenger.c | 6 +
net/ceph/osdmap.c | 1 -
net/core/dev.c | 54 +-
net/core/dst.c | 3 +-
net/core/neighbour.c | 3 +-
net/core/sock.c | 16 +-
net/dccp/ccids/ccid2.c | 1 +
net/dccp/input.c | 3 +-
net/dccp/ipv4.c | 3 +-
net/dccp/ipv6.c | 8 +-
net/dccp/minisocks.c | 1 +
net/ieee802154/6lowpan.c | 6 +-
net/ipv4/cipso_ipv4.c | 4 +
net/ipv4/fib_frontend.c | 3 +-
net/ipv4/igmp.c | 6 +-
net/ipv4/ip_sockglue.c | 9 +-
net/ipv4/ip_vti.c | 1 -
net/ipv4/netfilter/arp_tables.c | 4 +-
net/ipv4/ping.c | 7 +-
net/ipv4/route.c | 1 +
net/ipv4/tcp.c | 6 +
net/ipv4/tcp_input.c | 2 +-
net/ipv4/tcp_ipv4.c | 11 +-
net/ipv4/tcp_minisocks.c | 1 +
net/ipv4/tcp_output.c | 6 +-
net/ipv4/tcp_timer.c | 6 +-
net/ipv6/addrconf.c | 42 +-
net/ipv6/ip6_gre.c | 41 +-
net/ipv6/ip6_output.c | 7 +-
net/ipv6/ip6_tunnel.c | 55 +-
net/ipv6/ip6mr.c | 13 +-
net/ipv6/raw.c | 3 +-
net/ipv6/route.c | 2 +
net/ipv6/tcp_ipv6.c | 8 +-
net/irda/irqueue.c | 34 +-
net/l2tp/l2tp_core.c | 8 +-
net/l2tp/l2tp_core.h | 4 +-
net/l2tp/l2tp_debugfs.c | 10 +-
net/l2tp/l2tp_ip.c | 29 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/l2tp/l2tp_netlink.c | 7 +-
net/l2tp/l2tp_ppp.c | 10 +-
net/llc/llc_conn.c | 3 +
net/llc/llc_sap.c | 3 +
net/mac80211/mesh.c | 2 +-
net/mac80211/pm.c | 1 +
net/netlink/Kconfig | 9 -
net/netlink/af_netlink.c | 726 +----------------------
net/netlink/af_netlink.h | 15 -
net/netlink/diag.c | 39 --
net/packet/af_packet.c | 71 ++-
net/rds/cong.c | 4 +-
net/sched/act_api.c | 5 +-
net/sched/em_meta.c | 9 +-
net/sctp/associola.c | 129 ++--
net/sctp/socket.c | 10 +-
net/socket.c | 4 +-
net/sunrpc/auth_gss/gss_rpc_xdr.c | 2 +-
net/sunrpc/clnt.c | 5 +
net/sunrpc/sunrpc_syms.c | 1 +
net/unix/af_unix.c | 27 +-
net/unix/garbage.c | 18 +-
net/wireless/nl80211.c | 52 +-
net/xfrm/xfrm_user.c | 9 +-
samples/seccomp/bpf-helper.h | 125 ++--
security/keys/gc.c | 2 +-
security/keys/keyctl.c | 20 +-
security/keys/process_keys.c | 44 +-
security/selinux/hooks.c | 2 +-
sound/core/seq/seq_clientmgr.c | 1 +
sound/core/seq/seq_fifo.c | 10 +
sound/core/seq/seq_lock.c | 9 +-
sound/core/seq/seq_memory.c | 26 +-
sound/core/seq/seq_memory.h | 1 +
sound/core/seq/seq_queue.c | 33 +-
sound/core/timer.c | 18 +-
sound/pci/ctxfi/cthw20k1.c | 19 +-
sound/pci/ctxfi/cthw20k2.c | 18 +-
sound/pci/hda/hda_intel.c | 4 +-
tools/perf/builtin-trace.c | 4 +-
tools/testing/ktest/ktest.pl | 2 +-
virt/kvm/eventfd.c | 3 +-
virt/kvm/kvm_main.c | 40 +-
355 files changed, 3476 insertions(+), 2550 deletions(-)
commit 8f8d3e4f8fdc29bbad88c380e0eb4bebb43daf33
Merge: 25e7033 8c26eee
Author: Rohit Kumar <rokku...@cs.stonybrook.edu>
Date: Fri May 11 14:05:49 2018 -0400
Merge branch 'master' into wrapfs
commit 8c26eee9ed5d108328b4f533268cc1849968dd8e
Author: Jiri Slaby <jsl...@suse.cz>
Date: Thu May 4 11:03:43 2017 +0200
Linux 3.12.74
commit fda92b86ad13946a273ff571e17161e6ab4a7299
Author: Josh Poimboeuf <jpoim...@redhat.com>
Date: Thu Apr 13 17:53:55 2017 -0500
ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
commit 34a477e5297cbaa6ecc6e17c042a866e1cbe80d6 upstream.
On x86-32, with CONFIG_FIRMWARE and multiple CPUs, if you enable function
graph tracing and then suspend to RAM, it will triple fault and reboot when
it resumes.
The first fault happens when booting a secondary CPU:
startup_32_smp()
load_ucode_ap()
prepare_ftrace_return()
ftrace_graph_is_dead()
(accesses 'kill_ftrace_graph')
The early head_32.S code calls into load_ucode_ap(), which has an an
ftrace hook, so it calls prepare_ftrace_return(), which calls
ftrace_graph_is_dead(), which tries to access the global
'kill_ftrace_graph' variable with a virtual address, causing a fault
because the CPU is still in real mode.
The fix is to add a check in prepare_ftrace_return() to make sure it's
running in protected mode before continuing. The check makes sure the
stack pointer is a virtual kernel address. It's a bit of a hack, but
it's not very intrusive and it works well enough.
For reference, here are a few other (more difficult) ways this could
have potentially been fixed:
- Move startup_32_smp()'s call to load_ucode_ap() down to *after* paging
is enabled. (No idea what that would break.)
- Track down load_ucode_ap()'s entire callee tree and mark all the
functions 'notrace'. (Probably not realistic.)
- Pause graph tracing in ftrace_suspend_notifier_call() or bringup_cpu()
or __cpu_up(), and ensure that the pause facility can be queried from
real mode.
Reported-by: Paul Menzel <pmen...@molgen.mpg.de>
Signed-off-by: Josh Poimboeuf <jpoim...@redhat.com>
Tested-by: Paul Menzel <pmen...@molgen.mpg.de>
Reviewed-by: Steven Rostedt (VMware) <rost...@goodmis.org>
Cc: "Rafael J . Wysocki" <r...@rjwysocki.net>
Cc: linux-a...@vger.kernel.org
Cc: Borislav Petkov <b...@alien8.de>
Cc: Len Brown <l...@kernel.org>
Link:
http://lkml.kernel.org/r/5c1272269a580660703ed2eccf44308e790c7a98.1492123841.git.jpoim...@redhat.com
Signed-off-by: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 7a6875988a7fce567e4ee22481d6e7dd82a33eff
Author: J. Bruce Fields <bfie...@redhat.com>
Date: Fri Apr 21 16:10:18 2017 -0400
nfsd: check for oversized NFSv2/v3 arguments
commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.
A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.
Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply. This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE). But a client that sends an incorrectly long reply
can violate those assumptions. This was observed to cause crashes.
Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.
So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.
As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.
We may also consider rejecting calls that have any extra garbage
appended. That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.
Reported-by: Tuomas Haanpää <th...@synopsys.com>
Reported-by: Ari Kauppi <a...@synopsys.com>
Reviewed-by: NeilBrown <ne...@suse.com>
Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 2d8c6eef0612ceb5a827c532c62dca0d3a218a4e
Author: Dmitry Torokhov <dmitry.torok...@gmail.com>
Date: Thu Apr 13 15:36:31 2017 -0700
Input: i8042 - add Clevo P650RS to the i8042 reset list
commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream.
Clevo P650RS and other similar devices require i8042 to be reset in order
to detect Synaptics touchpad.
Reported-by: PaweÅ Bylica <chf...@gmail.com>
Tested-by: Ed Bordin <edbor...@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
Signed-off-by: Dmitry Torokhov <dmitry.torok...@gmail.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit a8ece68c56153be505ef9b3ef55e4bcd3cef9331
Author: Al Viro <v...@zeniv.linux.org.uk>
Date: Fri Apr 14 17:22:18 2017 -0400
p9_client_readdir() fix
commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream.
Don't assume that server is sane and won't return more data than
asked for.
Signed-off-by: Al Viro <v...@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit eff3cc735c263d86c83045eef67590770d248c37
Author: James Hogan <james.ho...@imgtec.com>
Date: Thu Mar 30 16:06:02 2017 +0100
MIPS: KGDB: Use kernel context for sleeping threads
commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream.
KGDB is a kernel debug stub and it can't be used to debug userland as it
can only safely access kernel memory.
On MIPS however KGDB has always got the register state of sleeping
processes from the userland register context at the beginning of the
kernel stack. This is meaningless for kernel threads (which never enter
userland), and for user threads it prevents the user seeing what it is
doing while in the kernel:
(gdb) info threads
Id Target Id Frame
...
3 Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
2 Thread 1 (init) 0x000000007705c4b4 in ?? ()
1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint ()
at arch/mips/kernel/kgdb.c:201
Get the register state instead from the (partial) kernel register
context stored in the task's thread_struct for resume() to restore. All
threads now correctly appear to be in context_switch():
(gdb) info threads
Id Target Id Frame
...
3 Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=...,
next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
2 Thread 1 (init) context_switch (rq=<optimized out>, cookie=...,
next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint ()
at arch/mips/kernel/kgdb.c:201
Call clobbered registers which aren't saved and exception registers
(BadVAddr & Cause) which can't be easily determined without stack
unwinding are reported as 0. The PC is taken from the return address,
such that the state presented matches that found immediately after
returning from resume().
Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb
core")
Signed-off-by: James Hogan <james.ho...@imgtec.com>
Cc: Jason Wessel <jason.wes...@windriver.com>
Cc: linux-m...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15829/
Signed-off-by: Ralf Baechle <r...@linux-mips.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 47da45deafcf8f83a93c81558e2b60486e14b0de
Author: Takashi Iwai <ti...@suse.de>
Date: Sun Apr 9 10:41:27 2017 +0200
ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream.
The snd_use_lock_sync() (thus its implementation
snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
the sync loop. It was introduced from the beginning, just to be
"safer", in terms of avoiding the stupid bugs.
However, as Ben Hutchings suggested, this timeout rather introduces a
potential leak or use-after-free that was apparently fixed by the
commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"):
for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
copy_from_user() could block for a long time, and snd_use_lock_sync()
goes timeout and still leaves the cell at releasing the pool.
For fixing such a problem, we remove the break by the timeout while
still keeping the warning.
Suggested-by: Ben Hutchings <ben.hutchi...@codethink.co.uk>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 97254930bc706c411f49084a7fc30123ab9fb099
Author: Stefano Stabellini <sstabell...@kernel.org>
Date: Fri Apr 15 18:23:00 2016 -0700
xen/x86: don't lose event interrupts
commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream.
On slow platforms with unreliable TSC, such as QEMU emulated machines,
it is possible for the kernel to request the next event in the past. In
that case, in the current implementation of xen_vcpuop_clockevent, we
simply return -ETIME. To be precise the Xen returns -ETIME and we pass
it on. However the result of this is a missed event, which simply causes
the kernel to hang.
Instead it is better to always ask the hypervisor for a timer event,
even if the timeout is in the past. That way there are no lost
interrupts and the kernel survives. To do that, remove the
VCPU_SSHOTTMR_future flag.
Signed-off-by: Stefano Stabellini <sstabell...@kernel.org>
Acked-by: Juergen Gross <jgr...@suse.com>
Cc: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit bf7a633d28b46b79d293f0262d8eb701251833d0
Author: santosh.shilim...@oracle.com <santosh.shilim...@oracle.com>
Date: Thu Apr 14 10:43:27 2016 -0700
RDS: Fix the atomicity for congestion map update
commit e47db94e10447fc467777a40302f2b393e9af2fa upstream.
Two different threads with different rds sockets may be in
rds_recv_rcvbuf_delta() via receive path. If their ports
both map to the same word in the congestion map, then
using non-atomic ops to update it could cause the map to
be incorrect. Lets use atomics to avoid such an issue.
Full credit to Wengang <wen.gang.w...@oracle.com> for
finding the issue, analysing it and also pointing out
to offending code with spin lock based fix.
Reviewed-by: Leon Romanovsky <l...@leon.nu>
Signed-off-by: Wengang Wang <wen.gang.w...@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilim...@oracle.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Cc: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit a2c54e187e64b883e156fcf5a93e4c8b304227db
Author: Corey Minyard <cminy...@mvista.com>
Date: Mon Apr 11 09:10:19 2016 -0500
MIPS: Fix crash registers on non-crashing CPUs
commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream.
As part of handling a crash on an SMP system, an IPI is send to
all other CPUs to save their current registers and stop. It was
using task_pt_regs(current) to get the registers, but that will
only be accurate if the CPU was interrupted running in userland.
Instead allow the architecture to pass in the registers (all
pass NULL now, but allow for the future) and then use get_irq_regs()
which should be accurate as we are in an interrupt. Fall back to
task_pt_regs(current) if nothing else is available.
Signed-off-by: Corey Minyard <cminy...@mvista.com>
Cc: David Daney <dda...@caviumnetworks.com>
Cc: linux-m...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13050/
Signed-off-by: Ralf Baechle <r...@linux-mips.org>
Cc: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 204c56d845fcec43176160f831b86444d745cf67
Author: Wei Fang <fangw...@huawei.com>
Date: Mon Mar 21 19:18:32 2016 +0800
md:raid1: fix a dead loop when read from a WriteMostly disk
commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream.
If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.
Since we can't get data from this disk in this case, so
continue for another disk.
Signed-off-by: Wei Fang <fangw...@huawei.com>
Signed-off-by: Shaohua Li <s...@fb.com>
Cc: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 2021b2605e8a25a1683f9c62012c835b83c9af5f
Author: Theodore Ts'o <ty...@mit.edu>
Date: Tue Mar 22 16:13:15 2016 -0400
ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.
We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.
This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().
[js] use EIO instead of undefined EFSCORRUPTED in 3.12
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Cc: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit dafd35deb3caa7f312b37d815302b959d427a9a2
Author: Jamie Bainbridge <jbain...@redhat.com>
Date: Wed Apr 26 10:43:27 2017 +1000
ipv6: check raw payload size correctly in ioctl
[ Upstream commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 ]
In situations where an skb is paged, the transport header pointer and
tail pointer can be the same because the skb contents are in frags.
This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
length of 0 when the length to receive is actually greater than zero.
skb->len is already correctly set in ip6_input_finish() with
pskb_pull(), so use skb->len as it always returns the correct result
for both linear and paged data.
Signed-off-by: Jamie Bainbridge <jbain...@redhat.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 791e4bc1efe094ba4eb7ecce8fe5afe65e7f2070
Author: Nikolay Aleksandrov <niko...@cumulusnetworks.com>
Date: Fri Apr 21 20:42:16 2017 +0300
ip6mr: fix notification device destruction
[ Upstream commit 723b929ca0f79c0796f160c2eeda4597ee98d2b8 ]
Andrey Konovalov reported a BUG caused by the ip6mr code which is caused
because we call unregister_netdevice_many for a device that is already
being destroyed. In IPv4's ipmr that has been resolved by two commits
long time ago by introducing the "notify" parameter to the delete
function and avoiding the unregister when called from a notifier, so
let's do the same for ip6mr.
The trace from Andrey:
------------[ cut here ]------------
kernel BUG at net/core/dev.c:6813!
invalid opcode: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 1165 Comm: kworker/u4:3 Not tainted 4.11.0-rc7+ #251
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
Workqueue: netns cleanup_net
task: ffff880069208000 task.stack: ffff8800692d8000
RIP: 0010:rollback_registered_many+0x348/0xeb0 net/core/dev.c:6813
RSP: 0018:ffff8800692de7f0 EFLAGS: 00010297
RAX: ffff880069208000 RBX: 0000000000000002 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006af90569
RBP: ffff8800692de9f0 R08: ffff8800692dec60 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff88006af90070
R13: ffff8800692debf0 R14: dffffc0000000000 R15: ffff88006af90000
FS: 0000000000000000(0000) GS:ffff88006cb00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe7e897d870 CR3: 00000000657e7000 CR4: 00000000000006e0
Call Trace:
unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
unregister_netdevice_many+0xc8/0x120 net/core/dev.c:7880
ip6mr_device_event+0x362/0x3f0 net/ipv6/ip6mr.c:1346
notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663
rollback_registered_many+0x919/0xeb0 net/core/dev.c:6841
unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
unregister_netdevice_many net/core/dev.c:7880
default_device_exit_batch+0x4fa/0x640 net/core/dev.c:8333
ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:144
cleanup_net+0x5a8/0xb40 net/core/net_namespace.c:463
process_one_work+0xc04/0x1c10 kernel/workqueue.c:2097
worker_thread+0x223/0x19c0 kernel/workqueue.c:2231
kthread+0x35e/0x430 kernel/kthread.c:231
ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Code: 3c 32 00 0f 85 70 0b 00 00 48 b8 00 02 00 00 00 00 ad de 49 89
47 78 e9 93 fe ff ff 49 8d 57 70 49 8d 5f 78 eb 9e e8 88 7a 14 fe <0f>
0b 48 8b 9d 28 fe ff ff e8 7a 7a 14 fe 48 b8 00 00 00 00 00
RIP: rollback_registered_many+0x348/0xeb0 RSP: ffff8800692de7f0
---[ end trace e0b29c57e9b3292c ]---
Reported-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: Nikolay Aleksandrov <niko...@cumulusnetworks.com>
Tested-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 82e52ffaaaa6175e7417cb2cb7ea99f20e430076
Author: Xin Long <lucien....@gmail.com>
Date: Thu Apr 6 13:10:52 2017 +0800
sctp: listen on the sock only when it's state is listening or closed
[ Upstream commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee ]
Now sctp doesn't check sock's state before listening on it. It could
even cause changing a sock with any state to become a listening sock
when doing sctp_listen.
This patch is to fix it by checking sock's state in sctp_listen, so
that it will listen on the sock with right state.
Reported-by: Andrey Konovalov <andreyk...@google.com>
Tested-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: Xin Long <lucien....@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 3101698fc8f411a14e4df3b7da1329fcf25094e4
Author: Guillaume Nault <g.na...@alphalink.fr>
Date: Mon Apr 3 12:03:13 2017 +0200
l2tp: take reference on sessions being dumped
[ Upstream commit e08293a4ccbcc993ded0fdc46f1e57926b833d63 ]
Take a reference on the sessions returned by l2tp_session_find_nth()
(and rename it l2tp_session_get_nth() to reflect this change), so that
caller is assured that the session isn't going to disappear while
processing it.
For procfs and debugfs handlers, the session is held in the .start()
callback and dropped in .show(). Given that pppol2tp_seq_session_show()
dereferences the associated PPPoL2TP socket and that
l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
call the session's .ref() callback to prevent the socket from going
away from under us.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp
parts")
Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info")
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.na...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 3253561151693de7bf23ff6269893da4835aeefb
Author: Nathan Sullivan <nathan.sulli...@ni.com>
Date: Wed Mar 22 15:27:01 2017 -0500
net: phy: handle state correctly in phy_stop_machine
[ Upstream commit 49d52e8108a21749dc2114b924c907db43358984 ]
If the PHY is halted on stop, then do not set the state to PHY_UP. This
ensures the phy will be restarted later in phy_start when the machine is
started again.
Fixes: 00db8189d984 ("This patch adds a PHY Abstraction Layer to the Linux
Kernel, enabling ethernet drivers to remain as ignorant as is reasonable of the
connected PHY's design and operation details.")
Signed-off-by: Nathan Sullivan <nathan.sulli...@ni.com>
Signed-off-by: Brad Mouring <brad.mour...@ni.com>
Acked-by: Xander Huff <xander.h...@ni.com>
Acked-by: Kyle Roeschley <kyle.roesch...@ni.com>
Reviewed-by: Florian Fainelli <f.faine...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 1337a4ffe5bcf18979e516c3d65e5b110e7edc2a
Author: Eric Dumazet <eduma...@google.com>
Date: Thu Mar 23 12:39:21 2017 -0700
net: neigh: guard against NULL solicit() method
[ Upstream commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f ]
Dmitry posted a nice reproducer of a bug triggering in neigh_probe()
when dereferencing a NULL neigh->ops->solicit method.
This can happen for arp_direct_ops/ndisc_direct_ops and similar,
which can be used for NUD_NOARP neighbours (created when dev->header_ops
is NULL). Admin can then force changing nud_state to some other state
that would fire neigh timer.
Signed-off-by: Eric Dumazet <eduma...@google.com>
Reported-by: Dmitry Vyukov <dvyu...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
commit 6e33ef16755a6936b6105868e12712ebdaebd7d0
Author: Arnd Bergmann <a...@arndb.de>
Date: Tue Jan 26 13:08:10 2016 -0500
gfs2: avoid uninitialized variable warning
commit 67893f12e5374bbcaaffbc6e570acbc2714ea884 upstream.
We get a bogus warning about a potential uninitialized variable
use in gfs2, because the compiler does not figure out that we
never use the leaf number if get_leaf_nr() returns an error:
fs/gfs2/dir.c: In function 'get_first_leaf':
fs/gfs2/dir.c:802:9: warning: 'leaf_no' may be used uninitialized in this
function [-Wmaybe-uninitialized]
fs/gfs2/dir.c: In function 'dir_split_leaf':
fs/gfs2/dir.c:1021:8: warning: 'leaf_no' may be used uninitialized in this
function [-Wmaybe-uninitialized]
Changing the 'if (!error)' to 'if (!IS_ERR_VALUE(error))' is
sufficient to let gcc understand that this is exactly the same
condition as in IS_ERR() so it can optimize the code path enough
to understand it.
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Bob Peterson <rpete...@redhat.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 81e06f6e802e89047ec35f893cc953fbdc63988e
Author: Arnd Bergmann <a...@arndb.de>
Date: Thu Jan 28 22:58:28 2016 +0100
hostap: avoid uninitialized variable use in hfa384x_get_rid
commit 48dc5fb3ba53b20418de8514700f63d88c5de3a3 upstream.
The driver reads a value from hfa384x_from_bap(), which may fail,
and then assigns the value to a local variable. gcc detects that
in in the failure case, the 'rlen' variable now contains
uninitialized data:
In file included from
../drivers/net/wireless/intersil/hostap/hostap_pci.c:220:0:
drivers/net/wireless/intersil/hostap/hostap_hw.c: In function
'hfa384x_get_rid':
drivers/net/wireless/intersil/hostap/hostap_hw.c:842:5: warning: 'rec' may
be used uninitialized in this function [-Wmaybe-uninitialized]
if (le16_to_cpu(rec.len) == 0) {
This restructures the function as suggested by Russell King, to
make it more readable and get more reliable error handling, by
handling each failure mode using a goto.
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 070d8f38c897946759a3e95f3e4e65f9ccd95b25
Author: Arnd Bergmann <a...@arndb.de>
Date: Mon Jan 25 22:54:56 2016 +0100
tty: nozomi: avoid a harmless gcc warning
commit a4f642a8a3c2838ad09fe8313d45db46600e1478 upstream.
The nozomi wireless data driver has its own helper function to
transfer data from a FIFO, doing an extra byte swap on big-endian
architectures, presumably to bring the data back into byte-serial
order after readw() or readl() perform their implicit byteswap.
This helper function is used in the receive_data() function to
first read the length into a 32-bit variable, which causes
a compile-time warning:
drivers/tty/nozomi.c: In function 'receive_data':
drivers/tty/nozomi.c:857:9: warning: 'size' may be used uninitialized in
this function [-Wmaybe-uninitialized]
The problem is that gcc is unsure whether the data was actually
read or not. We know that it is at this point, so we can replace
it with a single readl() to shut up that warning.
I am leaving the byteswap in there, to preserve the existing
behavior, even though this seems fishy: Reading the length of
the data into a cpu-endian variable should normally not use
a second byteswap on big-endian systems, unless the hardware
is aware of the CPU endianess.
There appears to be a lot more confusion about endianess in this
driver, so it probably has not worked on big-endian systems in
a long time, if ever, and I have no way to test it. It's well
possible that this driver has not been used by anyone in a while,
the last patch that looks like it was tested on the hardware is
from 2008.
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 36c65fa1834ed4bc54497a4ffae65058b6c6bb63
Author: Hongxu Jia <hongxu....@windriver.com>
Date: Tue Nov 29 21:56:26 2016 -0500
netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed
in 64bit kernel
commit 17a49cd549d9dc8707dc9262210166455c612dde upstream.
Since 09d9686047db ("netfilter: x_tables: do compat validation via
translate_table"), it used compatr structure to assign newinfo
structure. In translate_compat_table of ip_tables.c and ip6_tables.c,
it used compatr->hook_entry to replace info->hook_entry and
compatr->underflow to replace info->underflow, but not do the same
replacement in arp_tables.c.
It caused invoking 32-bit "arptbale -P INPUT ACCEPT" failed in 64bit
kernel.
--------------------------------------
root@qemux86-64:~# arptables -P INPUT ACCEPT
root@qemux86-64:~# arptables -P INPUT ACCEPT
ERROR: Policy for `INPUT' offset 448 != underflow 0
arptables: Incompatible with this kernel
--------------------------------------
Fixes: 09d9686047db ("netfilter: x_tables: do compat validation via
translate_table")
Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 915ff058627e270b93b3d398b4b0f2c42d27a362
Author: Andrey Konovalov <andreyk...@google.com>
Date: Wed Mar 29 16:11:22 2017 +0200
net/packet: fix overflow in check for tp_reserve
commit bcc5364bdcfe131e6379363f089e7b4108d35b70 upstream.
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
Fix by checking that tp_reserve <= INT_MAX on assign.
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 1bfb6e1bc972137a4aa7df3397d5e0fe90e13025
Author: Andrey Konovalov <andreyk...@google.com>
Date: Wed Mar 29 16:11:21 2017 +0200
net/packet: fix overflow in check for tp_frame_nr
commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream.
When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.
Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
Since frames_per_block <= tp_block_size, the expression would
never overflow.
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 10e710684943bfd0653d7f0bcf430cdaf25a0d2f
Author: Eric Dumazet <eduma...@google.com>
Date: Fri Mar 24 19:36:13 2017 -0700
ping: implement proper locking
commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.
We got a report of yet another bug in ping
http://www.openwall.com/lists/oss-security/2017/03/24/6
->disconnect() is not called with socket lock held.
Fix this by acquiring ping rwlock earlier.
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Eric Dumazet <eduma...@google.com>
Reported-by: Daniel Jiang <danieljiang0...@gmail.com>
Reported-by: Solar Designer <so...@openwall.com>
Reported-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 3bd7a64caab850def8988a5f4ff5550b97bb1e93
Author: Michael Ellerman <m...@ellerman.id.au>
Date: Thu Apr 23 17:27:12 2015 +1000
powerpc: Reject binutils 2.24 when building little endian
commit 60e065f70bdb0b0e916389024922ad40f3270c96 upstream.
There is a bug in binutils 2.24 which causes miscompilation if we're
building little endian and using weak symbols (which the kernel does).
It is fixed in binutils commit 57fa7b8c7e59 "Correct elf_merge_st_other
arguments for weak symbols", which is in binutils 2.25 and has been
backported to the binutils 2.24 branch and has been picked up by most
distros it seems.
However if we're running stock 2.24 (no extra version) then the bug is
present, so check for that and bail.
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 36d08048a7d5b5c56d3f2f9d1b90997f5c44a25e
Author: Dan Williams <dan.j.willi...@intel.com>
Date: Tue Dec 29 14:02:29 2015 -0800
block: fix del_gendisk() vs blkdev_ioctl crash
commit ac34f15e0c6d2fd58480052b6985f6991fb53bcc upstream.
When tearing down a block device early in its lifetime, userspace may
still be performing discovery actions like blkdev_ioctl() to re-read
partitions.
The nvdimm_revalidate_disk() implementation depends on
disk->driverfs_dev to be valid at entry. However, it is set to NULL in
del_gendisk() and fatally this is happening *before* the disk device is
deleted from userspace view.
There's no reason for del_gendisk() to clear ->driverfs_dev. That
device is the parent of the disk. It is guaranteed to not be freed
until the disk, as a child, drops its ->parent reference.
We could also fix this issue locally in nvdimm_revalidate_disk() by
using disk_to_dev(disk)->parent, but lets fix it globally since
->driverfs_dev follows the lifetime of the parent. Longer term we
should probably just add a @parent parameter to add_disk(), and stop
carrying this pointer in the gendisk.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa00340a8>] nvdimm_revalidate_disk+0x18/0x90 [libnvdimm]
CPU: 2 PID: 538 Comm: systemd-udevd Tainted: G O 4.4.0-rc5
#2257
[..]
Call Trace:
[<ffffffff8143e5c7>] rescan_partitions+0x87/0x2c0
[<ffffffff810f37f9>] ? __lock_is_held+0x49/0x70
[<ffffffff81438c62>] __blkdev_reread_part+0x72/0xb0
[<ffffffff81438cc5>] blkdev_reread_part+0x25/0x40
[<ffffffff8143982d>] blkdev_ioctl+0x4fd/0x9c0
[<ffffffff811246c9>] ? current_kernel_time64+0x69/0xd0
[<ffffffff812916dd>] block_ioctl+0x3d/0x50
[<ffffffff81264c38>] do_vfs_ioctl+0x308/0x560
[<ffffffff8115dbd1>] ? __audit_syscall_entry+0xb1/0x100
[<ffffffff810031d6>] ? do_audit_syscall_entry+0x66/0x70
[<ffffffff81264f09>] SyS_ioctl+0x79/0x90
[<ffffffff81902672>] entry_SYSCALL_64_fastpath+0x12/0x76
Cc: Jan Kara <j...@suse.cz>
Cc: Jens Axboe <ax...@fb.com>
Reported-by: Robert Hu <robert...@intel.com>
Signed-off-by: Dan Williams <dan.j.willi...@intel.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit c3c936aa02581ccd90eac393765c45258b385b11
Author: Suzuki K Poulose <suzuki.poul...@arm.com>
Date: Mon Apr 3 15:12:43 2017 +0100
kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd
commit 8b3405e345b5a098101b0c31b264c812bba045d9 upstream.
In kvm_free_stage2_pgd() we don't hold the kvm->mmu_lock while calling
unmap_stage2_range() on the entire memory range for the guest. This could
cause problems with other callers (e.g, munmap on a memslot) trying to
unmap a range. And since we have to unmap the entire Guest memory range
holding a spinlock, make sure we yield the lock if necessary, after we
unmap each PUD range.
[skp] provided backport for 3.12
Fixes: commit d5d8184d35c9 ("KVM: ARM: Memory virtualization setup")
Cc: Paolo Bonzini <pbon...@redhat.com>
Cc: Marc Zyngier <marc.zyng...@arm.com>
Cc: Christoffer Dall <christoffer.d...@linaro.org>
Cc: Mark Rutland <mark.rutl...@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poul...@arm.com>
[ Avoid vCPU starvation and lockup detector warnings ]
Signed-off-by: Marc Zyngier <marc.zyng...@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poul...@arm.com>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 64b69f5bfad4f66b2d4e0461ca3ef8a0908fe080
Author: Yazen Ghannam <yazen.ghan...@amd.com>
Date: Thu Mar 30 13:17:14 2017 +0200
x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
commit 29f72ce3e4d18066ec75c79c857bee0618a3504b upstream.
MCA bank 3 is reserved on systems pre-Fam17h, so it didn't have a name.
However, MCA bank 3 is defined on Fam17h systems and can be accessed
using legacy MSRs. Without a name we get a stack trace on Fam17h systems
when trying to register sysfs files for bank 3 on kernels that don't
recognize Scalable MCA.
Call MCA bank 3 "decode_unit" since this is what it represents on
Fam17h. This will allow kernels without SMCA support to see this bank on
Fam17h+ and prevent the stack trace. This will not affect older systems
since this bank is reserved on them, i.e. it'll be ignored.
Tested on AMD Fam15h and Fam17h systems.
WARNING: CPU: 26 PID: 1 at lib/kobject.c:210 kobject_add_internal
kobject: (ffff88085bb256c0): attempted to be registered with empty name!
...
Call Trace:
kobject_add_internal
kobject_add
kobject_create_and_add
threshold_create_device
threshold_init_device
Signed-off-by: Yazen Ghannam <yazen.ghan...@amd.com>
Signed-off-by: Borislav Petkov <b...@suse.de>
Link:
http://lkml.kernel.org/r/1490102285-3659-1-git-send-email-yazen.ghan...@amd.com
Signed-off-by: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 5f398d3cdcf29ac2460b65a8d4a77a38a304e90f
Author: Sebastian Siewior <bige...@linutronix.de>
Date: Wed Feb 22 17:15:21 2017 +0100
ubi/upd: Always flush after prepared for an update
commit 9cd9a21ce070be8a918ffd3381468315a7a76ba6 upstream.
In commit 6afaf8a484cb ("UBI: flush wl before clearing update marker") I
managed to trigger and fix a similar bug. Now here is another version of
which I assumed it wouldn't matter back then but it turns out UBI has a
check for it and will error out like this:
|ubi0 warning: validate_vid_hdr: inconsistent used_ebs
|ubi0 error: validate_vid_hdr: inconsistent VID header at PEB 592
All you need to trigger this is? "ubiupdatevol /dev/ubi0_0 file" + a
powercut in the middle of the operation.
ubi_start_update() sets the update-marker and puts all EBs on the erase
list. After that userland can proceed to write new data while the old EB
aren't erased completely. A powercut at this point is usually not that
much of a tragedy. UBI won't give read access to the static volume
because it has the update marker. It will most likely set the corrupted
flag because it misses some EBs.
So we are all good. Unless the size of the image that has been written
differs from the old image in the magnitude of at least one EB. In that
case UBI will find two different values for `used_ebs' and refuse to
attach the image with the error message mentioned above.
So in order not to get in the situation, the patch will ensure that we
wait until everything is removed before it tries to write any data.
The alternative would be to detect such a case and remove all EBs at the
attached time after we processed the volume-table and see the
update-marker set. The patch looks bigger and I doubt it is worth it
since usually the write() will wait from time to time for a new EB since
usually there not that many spare EB that can be used.
Signed-off-by: Sebastian Andrzej Siewior <bige...@linutronix.de>
Signed-off-by: Richard Weinberger <rich...@nod.at>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 555caacaef2fe1627e1bf821b9ec721e3a12077a
Author: Arnd Bergmann <a...@arndb.de>
Date: Wed Apr 19 19:47:04 2017 +0200
ACPI / power: Avoid maybe-uninitialized warning
commit fe8c470ab87d90e4b5115902dd94eced7e3305c3 upstream.
gcc -O2 cannot always prove that the loop in acpi_power_get_inferred_state()
is enterered at least once, so it assumes that cur_state might not get
initialized:
drivers/acpi/power.c: In function 'acpi_power_get_inferred_state':
drivers/acpi/power.c:222:9: error: 'cur_state' may be used uninitialized in
this function [-Werror=maybe-uninitialized]
This sets the variable to zero at the start of the loop, to ensure that
there is well-defined behavior even for an empty list. This gets rid of
the warning.
The warning first showed up when the -Os flag got removed in a bug fix
patch in linux-4.11-rc5.
I would suggest merging this addon patch on top of that bug fix to avoid
introducing a new warning in the stable kernels.
Fixes: 61b79e16c68d (ACPI: Fix incompatibility with mcount-based function
graph tracing)
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wyso...@intel.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 4031b47843949da2aea56f8c8dcb4eb8e77dedbf
Author: Thorsten Leemhuis <li...@leemhuis.info>
Date: Tue Apr 18 11:14:28 2017 -0700
Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
commit 704de489e0e3640a2ee2d0daf173e9f7375582ba upstream.
Temporary got a Lifebook E547 into my hands and noticed the touchpad
only works after running:
echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled
Add it to the list of machines that need this workaround.
Signed-off-by: Thorsten Leemhuis <li...@leemhuis.info>
Reviewed-by: Ulrik De Bie <ulrik.debie...@e2big.org>
Signed-off-by: Dmitry Torokhov <dmitry.torok...@gmail.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 157c1df068bccf4d908236d3f55689143e113753
Author: Vitaly Kuznetsov <vkuzn...@redhat.com>
Date: Thu Jun 9 17:08:56 2016 -0700
Drivers: hv: get rid of timeout in vmbus_open()
commit 396e287fa2ff46e83ae016cdcb300c3faa3b02f6 upstream.
vmbus_teardown_gpadl() can result in infinite wait when it is called on 5
second timeout in vmbus_open(). The issue is caused by the fact that gpadl
teardown operation won't ever succeed for an opened channel and the timeout
isn't always enough. As a guest, we can always trust the host to respond to
our request (and there is nothing we can do if it doesn't).
Signed-off-by: Vitaly Kuznetsov <vkuzn...@redhat.com>
Signed-off-by: K. Y. Srinivasan <k...@microsoft.com>
Signed-off-by: Sumit Semwal <sumit.sem...@linaro.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit cf42508f7b9768728d95ac8bfb9d06aa421d8a3a
Author: Vitaly Kuznetsov <vkuzn...@redhat.com>
Date: Fri Jun 3 17:09:24 2016 -0700
Drivers: hv: don't leak memory in vmbus_establish_gpadl()
commit 7cc80c98070ccc7940fc28811c92cca0a681015d upstream.
In some cases create_gpadl_header() allocates submessages but we never
free them.
[sumits] Note for stable:
Upstream commit 4d63763296ab7865a98bc29cc7d77145815ef89f:
(Drivers: hv: get rid of redundant messagecount in create_gpadl_header())
changes the list usage to initialize list header in all cases; that patch
isn't added to stable, so the current patch is modified a little bit from
the upstream commit to check if the list is valid or not.
Signed-off-by: Vitaly Kuznetsov <vkuzn...@redhat.com>
Signed-off-by: K. Y. Srinivasan <k...@microsoft.com>
Signed-off-by: Sumit Semwal <sumit.sem...@linaro.org>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 52626ef387185ebbeafc8a947b60cf3866cc4a7b
Author: Germano Percossi <germano.perco...@citrix.com>
Date: Fri Apr 7 12:29:37 2017 +0100
CIFS: remove bad_network_name flag
commit a0918f1ce6a43ac980b42b300ec443c154970979 upstream.
STATUS_BAD_NETWORK_NAME can be received during node failover,
causing the flag to be set and making the reconnect thread
always unsuccessful, thereafter.
Once the only place where it is set is removed, the remaining
bits are rendered moot.
Removing it does not prevent "mount" from failing when a non
existent share is passed.
What happens when the share really ceases to exist while the
share is mounted is undefined now as much as it was before.
Signed-off-by: Germano Percossi <germano.perco...@citrix.com>
Reviewed-by: Pavel Shilovsky <pshi...@microsoft.com>
Signed-off-by: Steve French <smfre...@gmail.com>
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
commit 83cd1464bcd40ee4554fc87a624f59c64d2c425f
Author: Sachin Prabhu <spra...@redhat.com>
Date: Sun Apr 16 20:37:24 2017 +0100
cifs: Do not send echoes before Negotiate is complete
commit 62a6cfddcc0a5313e7da3e8311ba16226fe0ac10 upstream.
diff --git a/Documentation/kernel-parameters.txt
b/Documentation/kernel-parameters.txt
index 64c6734..1ebce86 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1013,6 +1013,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
When zero, profiling data is discarded and associated
debugfs files are removed at module unload time.
+ goldfish [X86] Enable the goldfish android emulator platform.
+ Don't use this when you are not running on the
+ android emulator
+
gpt [EFI] Forces disk with valid GPT signature but
invalid Protective MBR to be treated as GPT.
diff --git a/Makefile b/Makefile
index d0e6e38..28b1d91 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
VERSION = 3
PATCHLEVEL = 12
-SUBLEVEL = 70
+SUBLEVEL = 74
EXTRAVERSION =
NAME = One Giant Leap for Frogkind
diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c
index 7ff5b5c..2cc82b6 100644
--- a/arch/arc/kernel/unaligned.c
+++ b/arch/arc/kernel/unaligned.c
@@ -240,8 +240,9 @@ int misaligned_fixup(unsigned long address, struct pt_regs
*regs,
if (state.fault)
goto fault;
+ /* clear any remanants of delay slot */
if (delay_mode(regs)) {
- regs->ret = regs->bta;
+ regs->ret = regs->bta & ~1U;
regs->status32 &= ~STATUS_DE_MASK;
} else {
regs->ret += state.instr_len;
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index ec33df5..93e6b7e 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *target,
const void *kbuf, const void __user *ubuf)
{
int ret;
- struct pt_regs newregs;
+ struct pt_regs newregs = *task_pt_regs(target);
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&newregs,
diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
index 683cac9..84f18dc 100644
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -181,6 +181,14 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
do {
next = kvm_pgd_addr_end(addr, end);
unmap_puds(kvm, pgd, addr, next);
+ /*
+ * If we are dealing with a large range in
+ * stage2 table, release the kvm->mmu_lock
+ * to prevent starvation and lockup detector
+ * warnings.
+ */
+ if (kvm && (next != end))
+ cond_resched_lock(&kvm->mmu_lock);
} while (pgd++, addr = next, addr != end);
}
@@ -525,6 +533,7 @@ int kvm_alloc_stage2_pgd(struct kvm *kvm)
*/
static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size)
{
+ assert_spin_locked(&kvm->mmu_lock);
unmap_range(kvm, kvm->arch.pgd, start, size);
}
@@ -609,7 +618,10 @@ void kvm_free_stage2_pgd(struct kvm *kvm)
if (kvm->arch.pgd == NULL)
return;
+ spin_lock(&kvm->mmu_lock);
unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
+ spin_unlock(&kvm->mmu_lock);
+
free_pages((unsigned long)kvm->arch.pgd, S2_PGD_ORDER);
kvm->arch.pgd = NULL;
}
diff --git a/arch/c6x/kernel/ptrace.c b/arch/c6x/kernel/ptrace.c
index 3c494e8..a511ac1 100644
--- a/arch/c6x/kernel/ptrace.c
+++ b/arch/c6x/kernel/ptrace.c
@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *target,
0, sizeof(*regs));
}
-static int gpr_set(struct task_struct *target,
- const struct user_regset *regset,
- unsigned int pos, unsigned int count,
- const void *kbuf, const void __user *ubuf)
-{
- int ret;
- struct pt_regs *regs = task_pt_regs(target);
-
- /* Don't copyin TSR or CSR */
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- ®s,
- 0, PT_TSR * sizeof(long));
- if (ret)
- return ret;
-
- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
- PT_TSR * sizeof(long),
- (PT_TSR + 1) * sizeof(long));
- if (ret)
- return ret;
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- ®s,
- (PT_TSR + 1) * sizeof(long),
- PT_CSR * sizeof(long));
- if (ret)
- return ret;
-
- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
- PT_CSR * sizeof(long),
- (PT_CSR + 1) * sizeof(long));
- if (ret)
- return ret;
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- ®s,
- (PT_CSR + 1) * sizeof(long), -1);
- return ret;
-}
-
enum c6x_regset {
REGSET_GPR,
};
@@ -120,7 +80,6 @@ static const struct user_regset c6x_regsets[] = {
.size = sizeof(u32),
.align = sizeof(u32),
.get = gpr_get,
- .set = gpr_set
},
};
diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
index 7841f22..9d52337 100644
--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -192,20 +192,21 @@ extern long __must_check strnlen_user(const char __user
*src, long count);
#define strlen_user(str) strnlen_user(str, 32767)
-extern unsigned long __must_check __copy_user_zeroing(void *to,
- const void __user *from,
- unsigned long n);
+extern unsigned long raw_copy_from_user(void *to, const void __user *from,
+ unsigned long n);
static inline unsigned long
copy_from_user(void *to, const void __user *from, unsigned long n)
{
+ unsigned long res = n;
if (likely(access_ok(VERIFY_READ, from, n)))
- return __copy_user_zeroing(to, from, n);
- memset(to, 0, n);
- return n;
+ res = raw_copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
-#define __copy_from_user(to, from, n) __copy_user_zeroing(to, from, n)
+#define __copy_from_user(to, from, n) raw_copy_from_user(to, from, n)
#define __copy_from_user_inatomic __copy_from_user
extern unsigned long __must_check __copy_user(void __user *to,
diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
index 7563628..5e2dc7d 100644
--- a/arch/metag/kernel/ptrace.c
+++ b/arch/metag/kernel/ptrace.c
@@ -24,6 +24,16 @@
* user_regset definitions.
*/
+static unsigned long user_txstatus(const struct pt_regs *regs)
+{
+ unsigned long data = (unsigned long)regs->ctx.Flags;
+
+ if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
+ data |= USER_GP_REGS_STATUS_CATCH_BIT;
+
+ return data;
+}
+
int metag_gp_regs_copyout(const struct pt_regs *regs,
unsigned int pos, unsigned int count,
void *kbuf, void __user *ubuf)
@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct pt_regs *regs,
if (ret)
goto out;
/* TXSTATUS */
- data = (unsigned long)regs->ctx.Flags;
- if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
- data |= USER_GP_REGS_STATUS_CATCH_BIT;
+ data = user_txstatus(regs);
ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
&data, 4*25, 4*26);
if (ret)
@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs *regs,
if (ret)
goto out;
/* TXSTATUS */
+ data = user_txstatus(regs);
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&data, 4*25, 4*26);
if (ret)
@@ -244,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs *regs,
unsigned long long *ptr;
int ret, i;
+ if (count < 4*13)
+ return -EINVAL;
/* Read the entire pipeline before making any changes */
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&rp, 0, 4*13);
@@ -303,7 +314,7 @@ static int metag_tls_set(struct task_struct *target,
const void *kbuf, const void __user *ubuf)
{
int ret;
- void __user *tls;
+ void __user *tls = target->thread.tls_ptr;
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
if (ret)
diff --git a/arch/metag/lib/usercopy.c b/arch/metag/lib/usercopy.c
index b3ebfe9..2792fc6 100644
--- a/arch/metag/lib/usercopy.c
+++ b/arch/metag/lib/usercopy.c
@@ -29,7 +29,6 @@
COPY \
"1:\n" \
" .section .fixup,\"ax\"\n" \
- " MOV D1Ar1,#0\n" \
FIXUP \
" MOVT D1Ar1,#HI(1b)\n" \
" JUMP D1Ar1,#LO(1b)\n" \
@@ -260,27 +259,31 @@
"MGETL D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
"22:\n" \
"MSETL [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
- "SUB %3, %3, #32\n" \
"23:\n" \
- "MGETL D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
+ "SUB %3, %3, #32\n" \
"24:\n" \
+ "MGETL D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
+ "25:\n" \
"MSETL [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "26:\n" \
"SUB %3, %3, #32\n" \
"DCACHE [%1+#-64], D0Ar6\n" \
"BR $Lloop"id"\n" \
\
"MOV RAPF, %1\n" \
- "25:\n" \
+ "27:\n" \
"MGETL D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "26:\n" \
+ "28:\n" \
"MSETL [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "29:\n" \
"SUB %3, %3, #32\n" \
- "27:\n" \
+ "30:\n" \
"MGETL D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "28:\n" \
+ "31:\n" \
"MSETL [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "32:\n" \
"SUB %0, %0, #8\n" \
- "29:\n" \
+ "33:\n" \
"SETL [%0++], D0.7, D1.7\n" \
"SUB %3, %3, #32\n" \
"1:" \
@@ -312,11 +315,15 @@
" .long 26b,3b\n" \
" .long 27b,3b\n" \
" .long 28b,3b\n" \
- " .long 29b,4b\n" \
+ " .long 29b,3b\n" \
+ " .long 30b,3b\n" \
+ " .long 31b,3b\n" \
+ " .long 32b,3b\n" \
+ " .long 33b,4b\n" \
" .previous\n" \
: "=r" (to), "=r" (from), "=r" (ret), "=d" (n) \
: "0" (to), "1" (from), "2" (ret), "3" (n) \
- : "D1Ar1", "D0Ar2", "memory")
+ : "D1Ar1", "D0Ar2", "cc", "memory")
/* rewind 'to' and 'from' pointers when a fault occurs
*
@@ -342,7 +349,7 @@
#define __asm_copy_to_user_64bit_rapf_loop(to, from, ret, n, id)\
__asm_copy_user_64bit_rapf_loop(to, from, ret, n, id, \
"LSR D0Ar2, D0Ar2, #8\n" \
- "AND D0Ar2, D0Ar2, #0x7\n" \
+ "ANDS D0Ar2, D0Ar2, #0x7\n" \
"ADDZ D0Ar2, D0Ar2, #4\n" \
"SUB D0Ar2, D0Ar2, #1\n" \
"MOV D1Ar1, #4\n" \
@@ -403,47 +410,55 @@
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
"22:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
- "SUB %3, %3, #16\n" \
"23:\n" \
- "MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "24:\n" \
- "MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
"SUB %3, %3, #16\n" \
- "25:\n" \
+ "24:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "26:\n" \
+ "25:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "26:\n" \
"SUB %3, %3, #16\n" \
"27:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
"28:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "29:\n" \
+ "SUB %3, %3, #16\n" \
+ "30:\n" \
+ "MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
+ "31:\n" \
+ "MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "32:\n" \
"SUB %3, %3, #16\n" \
"DCACHE [%1+#-64], D0Ar6\n" \
"BR $Lloop"id"\n" \
\
"MOV RAPF, %1\n" \
- "29:\n" \
+ "33:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "30:\n" \
+ "34:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "35:\n" \
"SUB %3, %3, #16\n" \
- "31:\n" \
+ "36:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "32:\n" \
+ "37:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "38:\n" \
"SUB %3, %3, #16\n" \
- "33:\n" \
+ "39:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "34:\n" \
+ "40:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "41:\n" \
"SUB %3, %3, #16\n" \
- "35:\n" \
+ "42:\n" \
"MGETD D0FrT, D0.5, D0.6, D0.7, [%1++]\n" \
- "36:\n" \
+ "43:\n" \
"MSETD [%0++], D0FrT, D0.5, D0.6, D0.7\n" \
+ "44:\n" \
"SUB %0, %0, #4\n" \
- "37:\n" \
+ "45:\n" \
"SETD [%0++], D0.7\n" \
"SUB %3, %3, #16\n" \
"1:" \
@@ -483,11 +498,19 @@
" .long 34b,3b\n" \
" .long 35b,3b\n" \
" .long 36b,3b\n" \
- " .long 37b,4b\n" \
+ " .long 37b,3b\n" \
+ " .long 38b,3b\n" \
+ " .long 39b,3b\n" \
+ " .long 40b,3b\n" \
+ " .long 41b,3b\n" \
+ " .long 42b,3b\n" \
+ " .long 43b,3b\n" \
+ " .long 44b,3b\n" \
+ " .long 45b,4b\n" \
" .previous\n" \
: "=r" (to), "=r" (from), "=r" (ret), "=d" (n) \
: "0" (to), "1" (from), "2" (ret), "3" (n) \
- : "D1Ar1", "D0Ar2", "memory")
+ : "D1Ar1", "D0Ar2", "cc", "memory")
/* rewind 'to' and 'from' pointers when a fault occurs
*
@@ -513,7 +536,7 @@
#define __asm_copy_to_user_32bit_rapf_loop(to, from, ret, n, id)\
__asm_copy_user_32bit_rapf_loop(to, from, ret, n, id, \
"LSR D0Ar2, D0Ar2, #8\n" \
- "AND D0Ar2, D0Ar2, #0x7\n" \
+ "ANDS D0Ar2, D0Ar2, #0x7\n" \
"ADDZ D0Ar2, D0Ar2, #4\n" \
"SUB D0Ar2, D0Ar2, #1\n" \
"MOV D1Ar1, #4\n" \
@@ -538,23 +561,31 @@ unsigned long __copy_user(void __user *pdst, const void
*psrc,
if ((unsigned long) src & 1) {
__asm_copy_to_user_1(dst, src, retn);
n--;
+ if (retn)
+ return retn + n;
}
if ((unsigned long) dst & 1) {
/* Worst case - byte copy */
while (n > 0) {
__asm_copy_to_user_1(dst, src, retn);
n--;
+ if (retn)
+ return retn + n;
}
}
if (((unsigned long) src & 2) && n >= 2) {
__asm_copy_to_user_2(dst, src, retn);
n -= 2;
+ if (retn)
+ return retn + n;
}
if ((unsigned long) dst & 2) {
/* Second worst case - word copy */
while (n >= 2) {
__asm_copy_to_user_2(dst, src, retn);
n -= 2;
+ if (retn)
+ return retn + n;
}
}
@@ -569,6 +600,8 @@ unsigned long __copy_user(void __user *pdst, const void
*psrc,
while (n >= 8) {
__asm_copy_to_user_8x64(dst, src, retn);
n -= 8;
+ if (retn)
+ return retn + n;
}
}
if (n >= RAPF_MIN_BUF_SIZE) {
@@ -581,6 +614,8 @@ unsigned long __copy_user(void __user *pdst, const void
*psrc,
while (n >= 8) {
__asm_copy_to_user_8x64(dst, src, retn);
n -= 8;
+ if (retn)
+ return retn + n;
}
}
#endif
@@ -588,11 +623,15 @@ unsigned long __copy_user(void __user *pdst, const void
*psrc,
while (n >= 16) {
__asm_copy_to_user_16(dst, src, retn);
n -= 16;
+ if (retn)
+ return retn + n;
}
while (n >= 4) {
__asm_copy_to_user_4(dst, src, retn);
n -= 4;
+ if (retn)
+ return retn + n;
}
switch (n) {
@@ -609,6 +648,10 @@ unsigned long __copy_user(void __user *pdst, const void
*psrc,
break;
}
+ /*
+ * If we get here, retn correctly reflects the number of failing
+ * bytes.
+ */
return retn;
}
EXPORT_SYMBOL(__copy_user);
@@ -617,16 +660,14 @@ EXPORT_SYMBOL(__copy_user);
__asm_copy_user_cont(to, from, ret, \
" GETB D1Ar1,[%1++]\n" \
"2: SETB [%0++],D1Ar1\n", \
- "3: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
+ "3: ADD %2,%2,#1\n", \
" .long 2b,3b\n")
#define __asm_copy_from_user_2x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
__asm_copy_user_cont(to, from, ret, \
" GETW D1Ar1,[%1++]\n" \
"2: SETW [%0++],D1Ar1\n" COPY, \
- "3: ADD %2,%2,#2\n" \
- " SETW [%0++],D1Ar1\n" FIXUP, \
+ "3: ADD %2,%2,#2\n" FIXUP, \
" .long 2b,3b\n" TENTRY)
#define __asm_copy_from_user_2(to, from, ret) \
@@ -636,145 +677,26 @@ EXPORT_SYMBOL(__copy_user);
__asm_copy_from_user_2x_cont(to, from, ret, \
" GETB D1Ar1,[%1++]\n" \
"4: SETB [%0++],D1Ar1\n", \
- "5: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
+ "5: ADD %2,%2,#1\n", \
" .long 4b,5b\n")
#define __asm_copy_from_user_4x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
__asm_copy_user_cont(to, from, ret, \
" GETD D1Ar1,[%1++]\n" \
"2: SETD [%0++],D1Ar1\n" COPY, \
- "3: ADD %2,%2,#4\n" \
- " SETD [%0++],D1Ar1\n" FIXUP, \
+ "3: ADD %2,%2,#4\n" FIXUP, \
" .long 2b,3b\n" TENTRY)
#define __asm_copy_from_user_4(to, from, ret) \
__asm_copy_from_user_4x_cont(to, from, ret, "", "", "")
-#define __asm_copy_from_user_5(to, from, ret) \
- __asm_copy_from_user_4x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "4: SETB [%0++],D1Ar1\n", \
- "5: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 4b,5b\n")
-
-#define __asm_copy_from_user_6x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_4x_cont(to, from, ret, \
- " GETW D1Ar1,[%1++]\n" \
- "4: SETW [%0++],D1Ar1\n" COPY, \
- "5: ADD %2,%2,#2\n" \
- " SETW [%0++],D1Ar1\n" FIXUP, \
- " .long 4b,5b\n" TENTRY)
-
-#define __asm_copy_from_user_6(to, from, ret) \
- __asm_copy_from_user_6x_cont(to, from, ret, "", "", "")
-
-#define __asm_copy_from_user_7(to, from, ret) \
- __asm_copy_from_user_6x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "6: SETB [%0++],D1Ar1\n", \
- "7: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 6b,7b\n")
-
-#define __asm_copy_from_user_8x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_4x_cont(to, from, ret, \
- " GETD D1Ar1,[%1++]\n" \
- "4: SETD [%0++],D1Ar1\n" COPY, \
- "5: ADD %2,%2,#4\n" \
- " SETD [%0++],D1Ar1\n" FIXUP, \
- " .long 4b,5b\n" TENTRY)
-
-#define __asm_copy_from_user_8(to, from, ret) \
- __asm_copy_from_user_8x_cont(to, from, ret, "", "", "")
-
-#define __asm_copy_from_user_9(to, from, ret) \
- __asm_copy_from_user_8x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "6: SETB [%0++],D1Ar1\n", \
- "7: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 6b,7b\n")
-
-#define __asm_copy_from_user_10x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_8x_cont(to, from, ret, \
- " GETW D1Ar1,[%1++]\n" \
- "6: SETW [%0++],D1Ar1\n" COPY, \
- "7: ADD %2,%2,#2\n" \
- " SETW [%0++],D1Ar1\n" FIXUP, \
- " .long 6b,7b\n" TENTRY)
-
-#define __asm_copy_from_user_10(to, from, ret) \
- __asm_copy_from_user_10x_cont(to, from, ret, "", "", "")
-
-#define __asm_copy_from_user_11(to, from, ret) \
- __asm_copy_from_user_10x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "8: SETB [%0++],D1Ar1\n", \
- "9: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 8b,9b\n")
-
-#define __asm_copy_from_user_12x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_8x_cont(to, from, ret, \
- " GETD D1Ar1,[%1++]\n" \
- "6: SETD [%0++],D1Ar1\n" COPY, \
- "7: ADD %2,%2,#4\n" \
- " SETD [%0++],D1Ar1\n" FIXUP, \
- " .long 6b,7b\n" TENTRY)
-
-#define __asm_copy_from_user_12(to, from, ret) \
- __asm_copy_from_user_12x_cont(to, from, ret, "", "", "")
-
-#define __asm_copy_from_user_13(to, from, ret) \
- __asm_copy_from_user_12x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "8: SETB [%0++],D1Ar1\n", \
- "9: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 8b,9b\n")
-
-#define __asm_copy_from_user_14x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_12x_cont(to, from, ret, \
- " GETW D1Ar1,[%1++]\n" \
- "8: SETW [%0++],D1Ar1\n" COPY, \
- "9: ADD %2,%2,#2\n" \
- " SETW [%0++],D1Ar1\n" FIXUP, \
- " .long 8b,9b\n" TENTRY)
-
-#define __asm_copy_from_user_14(to, from, ret) \
- __asm_copy_from_user_14x_cont(to, from, ret, "", "", "")
-
-#define __asm_copy_from_user_15(to, from, ret) \
- __asm_copy_from_user_14x_cont(to, from, ret, \
- " GETB D1Ar1,[%1++]\n" \
- "10: SETB [%0++],D1Ar1\n", \
- "11: ADD %2,%2,#1\n" \
- " SETB [%0++],D1Ar1\n", \
- " .long 10b,11b\n")
-
-#define __asm_copy_from_user_16x_cont(to, from, ret, COPY, FIXUP, TENTRY) \
- __asm_copy_from_user_12x_cont(to, from, ret, \
- " GETD D1Ar1,[%1++]\n" \
- "8: SETD [%0++],D1Ar1\n" COPY, \
- "9: ADD %2,%2,#4\n" \
- " SETD [%0++],D1Ar1\n" FIXUP, \
- " .long 8b,9b\n" TENTRY)
-
-#define __asm_copy_from_user_16(to, from, ret) \
- __asm_copy_from_user_16x_cont(to, from, ret, "", "", "")
-
#define __asm_copy_from_user_8x64(to, from, ret) \
asm volatile ( \
" GETL D0Ar2,D1Ar1,[%1++]\n" \
"2: SETL [%0++],D0Ar2,D1Ar1\n" \
"1:\n" \
" .section .fixup,\"ax\"\n" \
- " MOV D1Ar1,#0\n" \
- " MOV D0Ar2,#0\n" \
"3: ADD %2,%2,#8\n" \
- " SETL [%0++],D0Ar2,D1Ar1\n" \
" MOVT D0Ar2,#HI(1b)\n" \
" JUMP D0Ar2,#LO(1b)\n" \
" .previous\n" \
@@ -789,36 +711,57 @@ EXPORT_SYMBOL(__copy_user);
*
* Rationale:
* A fault occurs while reading from user buffer, which is the
- * source. Since the fault is at a single address, we only
- * need to rewind by 8 bytes.
+ * source.
* Since we don't write to kernel buffer until we read first,
* the kernel buffer is at the right state and needn't be
- * corrected.
+ * corrected, but the source must be rewound to the beginning of
+ * the block, which is LSM_STEP*8 bytes.
+ * LSM_STEP is bits 10:8 in TXSTATUS which is already read
+ * and stored in D0Ar2
+ *
+ * NOTE: If a fault occurs at the last operation in M{G,S}ETL
+ * LSM_STEP will be 0. ie: we do 4 writes in our case, if
+ * a fault happens at the 4th write, LSM_STEP will be 0
+ * instead of 4. The code copes with that.
*/
#define __asm_copy_from_user_64bit_rapf_loop(to, from, ret, n, id) \
__asm_copy_user_64bit_rapf_loop(to, from, ret, n, id, \
- "SUB %1, %1, #8\n")
+ "LSR D0Ar2, D0Ar2, #5\n" \
+ "ANDS D0Ar2, D0Ar2, #0x38\n" \
+ "ADDZ D0Ar2, D0Ar2, #32\n" \
+ "SUB %1, %1, D0Ar2\n")
/* rewind 'from' pointer when a fault occurs
*
* Rationale:
* A fault occurs while reading from user buffer, which is the
- * source. Since the fault is at a single address, we only
- * need to rewind by 4 bytes.
+ * source.
* Since we don't write to kernel buffer until we read first,
* the kernel buffer is at the right state and needn't be
- * corrected.
+ * corrected, but the source must be rewound to the beginning of
+ * the block, which is LSM_STEP*4 bytes.
+ * LSM_STEP is bits 10:8 in TXSTATUS which is already read
+ * and stored in D0Ar2
+ *
+ * NOTE: If a fault occurs at the last operation in M{G,S}ETL
+ * LSM_STEP will be 0. ie: we do 4 writes in our case, if
+ * a fault happens at the 4th write, LSM_STEP will be 0
+ * instead of 4. The code copes with that.
*/
#define __asm_copy_from_user_32bit_rapf_loop(to, from, ret, n, id) \
__asm_copy_user_32bit_rapf_loop(to, from, ret, n, id, \
- "SUB %1, %1, #4\n")
+ "LSR D0Ar2, D0Ar2, #6\n" \
+ "ANDS D0Ar2, D0Ar2, #0x1c\n" \
+ "ADDZ D0Ar2, D0Ar2, #16\n" \
+ "SUB %1, %1, D0Ar2\n")
-/* Copy from user to kernel, zeroing the bytes that were inaccessible in
- userland. The return-value is the number of bytes that were
- inaccessible. */
-unsigned long __copy_user_zeroing(void *pdst, const void __user *psrc,
- unsigned long n)
+/*
+ * Copy from user to kernel. The return-value is the number of bytes that were
+ * inaccessible.
+ */
+unsigned long raw_copy_from_user(void *pdst, const void __user *psrc,
+ unsigned long n)
{
register char *dst asm ("A0.2") = pdst;
register const char __user *src asm ("A1.2") = psrc;
@@ -830,6 +773,8 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
if ((unsigned long) src & 1) {
__asm_copy_from_user_1(dst, src, retn);
n--;
+ if (retn)
+ return retn + n;
}
if ((unsigned long) dst & 1) {
/* Worst case - byte copy */
@@ -837,12 +782,14 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
__asm_copy_from_user_1(dst, src, retn);
n--;
if (retn)
- goto copy_exception_bytes;
+ return retn + n;
}
}
if (((unsigned long) src & 2) && n >= 2) {
__asm_copy_from_user_2(dst, src, retn);
n -= 2;
+ if (retn)
+ return retn + n;
}
if ((unsigned long) dst & 2) {
/* Second worst case - word copy */
@@ -850,16 +797,10 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
__asm_copy_from_user_2(dst, src, retn);
n -= 2;
if (retn)
- goto copy_exception_bytes;
+ return retn + n;
}
}
- /* We only need one check after the unalignment-adjustments,
- because if both adjustments were done, either both or
- neither reference had an exception. */
- if (retn != 0)
- goto copy_exception_bytes;
-
#ifdef USE_RAPF
/* 64 bit copy loop */
if (!(((unsigned long) src | (unsigned long) dst) & 7)) {
@@ -872,7 +813,7 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
__asm_copy_from_user_8x64(dst, src, retn);
n -= 8;
if (retn)
- goto copy_exception_bytes;
+ return retn + n;
}
}
@@ -888,7 +829,7 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
__asm_copy_from_user_8x64(dst, src, retn);
n -= 8;
if (retn)
- goto copy_exception_bytes;
+ return retn + n;
}
}
#endif
@@ -898,7 +839,7 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
n -= 4;
if (retn)
- goto copy_exception_bytes;
+ return retn + n;
}
/* If we get here, there were no memory read faults. */
@@ -924,21 +865,8 @@ unsigned long __copy_user_zeroing(void *pdst, const void
__user *psrc,
/* If we get here, retn correctly reflects the number of failing
bytes. */
return retn;
-
- copy_exception_bytes:
- /* We already have "retn" bytes cleared, and need to clear the
- remaining "n" bytes. A non-optimized simple byte-for-byte in-line
- memset is preferred here, since this isn't speed-critical code and
- we'd rather have this a leaf-function than calling memset. */
- {
- char *endp;
- for (endp = dst + n; dst < endp; dst++)
- *dst = 0;
- }
-
- return retn + n;
}
-EXPORT_SYMBOL(__copy_user_zeroing);
+EXPORT_SYMBOL(raw_copy_from_user);
#define __asm_clear_8x64(to, ret) \
asm volatile ( \
diff --git a/arch/mips/cavium-octeon/octeon-memcpy.S
b/arch/mips/cavium-octeon/octeon-memcpy.S
index 64e08df..8b70041 100644
--- a/arch/mips/cavium-octeon/octeon-memcpy.S
+++ b/arch/mips/cavium-octeon/octeon-memcpy.S
@@ -208,18 +208,18 @@ EXC( STORE t2, UNIT(6)(dst), s_exc_p10u)
ADD src, src, 16*NBYTES
EXC( STORE t3, UNIT(7)(dst), s_exc_p9u)
ADD dst, dst, 16*NBYTES
-EXC( LOAD t0, UNIT(-8)(src), l_exc_copy)
-EXC( LOAD t1, UNIT(-7)(src), l_exc_copy)
-EXC( LOAD t2, UNIT(-6)(src), l_exc_copy)
-EXC( LOAD t3, UNIT(-5)(src), l_exc_copy)
+EXC( LOAD t0, UNIT(-8)(src), l_exc_copy_rewind16)
+EXC( LOAD t1, UNIT(-7)(src), l_exc_copy_rewind16)
+EXC( LOAD t2, UNIT(-6)(src), l_exc_copy_rewind16)
+EXC( LOAD t3, UNIT(-5)(src), l_exc_copy_rewind16)
EXC( STORE t0, UNIT(-8)(dst), s_exc_p8u)
EXC( STORE t1, UNIT(-7)(dst), s_exc_p7u)
EXC( STORE t2, UNIT(-6)(dst), s_exc_p6u)
EXC( STORE t3, UNIT(-5)(dst), s_exc_p5u)
-EXC( LOAD t0, UNIT(-4)(src), l_exc_copy)
-EXC( LOAD t1, UNIT(-3)(src), l_exc_copy)
-EXC( LOAD t2, UNIT(-2)(src), l_exc_copy)
-EXC( LOAD t3, UNIT(-1)(src), l_exc_copy)
+EXC( LOAD t0, UNIT(-4)(src), l_exc_copy_rewind16)
+EXC( LOAD t1, UNIT(-3)(src), l_exc_copy_rewind16)
+EXC( LOAD t2, UNIT(-2)(src), l_exc_copy_rewind16)
+EXC( LOAD t3, UNIT(-1)(src), l_exc_copy_rewind16)
EXC( STORE t0, UNIT(-4)(dst), s_exc_p4u)
EXC( STORE t1, UNIT(-3)(dst), s_exc_p3u)
EXC( STORE t2, UNIT(-2)(dst), s_exc_p2u)
@@ -383,6 +383,10 @@ done:
nop
END(memcpy)
+l_exc_copy_rewind16:
+ /* Rewind src and dst by 16*NBYTES for l_exc_copy */
+ SUB src, src, 16*NBYTES
+ SUB dst, dst, 16*NBYTES
l_exc_copy:
/*
* Copy bytes from src until faulting load address (or until a
diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig
index 0e36abc..7446284 100644
--- a/arch/mips/configs/ip27_defconfig
+++ b/arch/mips/configs/ip27_defconfig
@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m
# CONFIG_MLX4_DEBUG is not set
CONFIG_TEHUTI=m
CONFIG_BNX2X=m
-CONFIG_QLGE=m
CONFIG_SFC=m
CONFIG_BE2NET=m
CONFIG_LIBERTAS_THINFIRM=m
diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S
index 22afed1..a6087a0 100644
--- a/arch/mips/dec/int-handler.S
+++ b/arch/mips/dec/int-handler.S
@@ -146,7 +146,25 @@
/*
* Find irq with highest priority
*/
- PTR_LA t1,cpu_mask_nr_tbl
+ # open coded PTR_LA t1, cpu_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+ # open coded la t1, cpu_mask_nr_tbl
+ lui t1, %hi(cpu_mask_nr_tbl)
+ addiu t1, %lo(cpu_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+ # open coded dla t1, cpu_mask_nr_tbl
+ .set push
+ .set noat
+ lui t1, %highest(cpu_mask_nr_tbl)
+ lui AT, %hi(cpu_mask_nr_tbl)
+ daddiu t1, t1, %higher(cpu_mask_nr_tbl)
+ daddiu AT, AT, %lo(cpu_mask_nr_tbl)
+ dsll t1, 32
+ daddu t1, t1, AT
+ .set pop
+#endif
1: lw t2,(t1)
nop
and t2,t0
@@ -195,7 +213,25 @@
/*
* Find irq with highest priority
*/
- PTR_LA t1,asic_mask_nr_tbl
+ # open coded PTR_LA t1,asic_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+ # open coded la t1, asic_mask_nr_tbl
+ lui t1, %hi(asic_mask_nr_tbl)
+ addiu t1, %lo(asic_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+ # open coded dla t1, asic_mask_nr_tbl
+ .set push
+ .set noat
+ lui t1, %highest(asic_mask_nr_tbl)
+ lui AT, %hi(asic_mask_nr_tbl)
+ daddiu t1, t1, %higher(asic_mask_nr_tbl)
+ daddiu AT, AT, %lo(asic_mask_nr_tbl)
+ dsll t1, 32
+ daddu t1, t1, AT
+ .set pop
+#endif
2: lw t2,(t1)
nop
and t2,t0
diff --git a/arch/mips/include/asm/checksum.h b/arch/mips/include/asm/checksum.h
index ac3d2b8..d48cf44 100644
--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -155,7 +155,9 @@ static inline __wsum csum_tcpudp_nofold(__be32 saddr,
" daddu %0, %4 \n"
" dsll32 $1, %0, 0 \n"
" daddu %0, $1 \n"
+ " sltu $1, %0, $1 \n"
" dsra32 %0, %0, 0 \n"
+ " addu %0, $1 \n"
#endif
" .set pop"
: "=r" (sum)
diff --git a/arch/mips/kernel/crash.c b/arch/mips/kernel/crash.c
index 93aa302..c683129 100644
--- a/arch/mips/kernel/crash.c
+++ b/arch/mips/kernel/crash.c
@@ -15,12 +15,22 @@ static int crashing_cpu = -1;
static cpumask_t cpus_in_crash = CPU_MASK_NONE;
#ifdef CONFIG_SMP
-static void crash_shutdown_secondary(void *ignore)
+static void crash_shutdown_secondary(void *passed_regs)
{
- struct pt_regs *regs;
+ struct pt_regs *regs = passed_regs;
int cpu = smp_processor_id();
- regs = task_pt_regs(current);
+ /*
+ * If we are passed registers, use those. Otherwise get the
+ * regs from the last interrupt, which should be correct, as
+ * we are in an interrupt. But if the regs are not there,
+ * pull them from the top of the stack. They are probably
+ * wrong, but we need something to keep from crashing again.
+ */
+ if (!regs)
+ regs = get_irq_regs();
+ if (!regs)
+ regs = task_pt_regs(current);
if (!cpu_online(cpu))
return;
diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c
index fcaac2f..910db38 100644
--- a/arch/mips/kernel/kgdb.c
+++ b/arch/mips/kernel/kgdb.c
@@ -236,9 +236,6 @@ static int compute_signal(int tt)
void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct
*p)
{
int reg;
- struct thread_info *ti = task_thread_info(p);
- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32;
- struct pt_regs *regs = (struct pt_regs *)ksp - 1;
#if (KGDB_GDB_REG_SIZE == 32)
u32 *ptr = (u32 *)gdb_regs;
_______________________________________________
unionfs-cvs mailing list: http://unionfs.filesystems.org/
unionfs-cvs@fsl.cs.sunysb.edu
http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs-cvs
