author | 2013-03-23 09:36:59 -0400 | |
---|---|---|
committer | 2013-03-23 09:36:59 -0400 | |
commit | a1a1b04c98349f08d1022ec282abc552d199b2da (patch) | |
tree | 54096268c5ca5f43a5ff265474c2f2a47478318b | |
parent | Fix 3.8.2 -> 3.8.3 (diff) | |
download | hardened-patchset-20130322.tar.gz hardened-patchset-20130322.tar.bz2 hardened-patchset-20130322.zip |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.4}-20130322182320130322
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch) | 565 | ||||
-rw-r--r-- | 3.2.40/0000_README | 2 | ||||
-rw-r--r-- | 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch (renamed from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch) | 852 | ||||
-rw-r--r-- | 3.8.3/1001_linux-3.8.2.patch | 3093 | ||||
-rw-r--r-- | 3.8.3/1002_linux-3.8.3.patch | 4814 | ||||
-rw-r--r-- | 3.8.4/0000_README (renamed from 3.8.3/0000_README) | 10 | ||||
-rw-r--r-- | 3.8.4/1003_linux-3.8.4.patch | 2902 | ||||
-rw-r--r-- | 3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch (renamed from 3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch) | 11692 | ||||
-rw-r--r-- | 3.8.4/4425_grsec_remove_EI_PAX.patch (renamed from 3.8.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4430_grsec-remove-localversion-grsec.patch (renamed from 3.8.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4435_grsec-mute-warnings.patch (renamed from 3.8.3/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4440_grsec-remove-protected-paths.patch (renamed from 3.8.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4450_grsec-kconfig-default-gids.patch (renamed from 3.8.3/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.8.3/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.8.4/4470_disable-compat_vdso.patch (renamed from 3.8.3/4470_disable-compat_vdso.patch) | 0 |
15 files changed, 11173 insertions, 12757 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch index 966075e..27cb164 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch @@ -265,7 +265,7 @@ index 334258c..1e8f4ff 100644 M: Liam Girdwood <lrg@slimlogic.co.uk> M: Mark Brown <broonie@opensource.wolfsonmicro.com> diff --git a/Makefile b/Makefile -index b0e245e..1c8b6ed 100644 +index b0e245e..e2589d0 100644 --- a/Makefile +++ b/Makefile @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -358,7 +358,7 @@ index b0e245e..1c8b6ed 100644 +else + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least" +endif -+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure" ++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active." +endif +endif + @@ -2753,6 +2753,18 @@ index 285aae8..61dbab6 100644 .alloc_coherent = ia64_swiotlb_alloc_coherent, .free_coherent = swiotlb_free_coherent, .map_page = swiotlb_map_page, +diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c +index f178270..2dcff27 100644 +--- a/arch/ia64/kernel/perfmon.c ++++ b/arch/ia64/kernel/perfmon.c +@@ -2372,7 +2372,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t + */ + insert_vm_struct(mm, vma); + +- mm->total_vm += size >> PAGE_SHIFT; + vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, + vma_pages(vma)); + up_write(&task->mm->mmap_sem); diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c index 609d500..acd0429 100644 --- a/arch/ia64/kernel/sys_ia64.c @@ -24038,7 +24050,7 @@ index e6d925f..6bde4d6 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 271fddf..ea708b4 100644 +index 271fddf..fe56f44 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu); @@ -24050,7 +24062,19 @@ index 271fddf..ea708b4 100644 EXPORT_SYMBOL_GPL(kvm_x86_ops); int ignore_msrs = 0; -@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, +@@ -925,6 +925,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) + /* ...but clean it before doing the actual write */ + vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + ++ /* Check that the address is 32-byte aligned. */ ++ if (vcpu->arch.time_offset & ++ (sizeof(struct pvclock_vcpu_time_info) - 1)) ++ break; ++ + vcpu->arch.time_page = + gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); + +@@ -1430,15 +1435,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24074,7 +24098,7 @@ index 271fddf..ea708b4 100644 vcpu->arch.cpuid_nent = cpuid->nent; kvm_apic_set_version(vcpu); return 0; -@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, +@@ -1451,16 +1461,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24098,7 +24122,7 @@ index 271fddf..ea708b4 100644 return 0; out: -@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -1678,7 +1692,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { 
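Review bot: The alignment test added in kvm_set_msr_common, `vcpu->arch.time_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)`, is only a correct alignment check while the structure size is a power of two, and the comment hard-codes "32-byte" while the code uses sizeof. A `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) & (sizeof(struct pvclock_vcpu_time_info) - 1));` next to the check would pin that assumption at compile time. The comment should say why the check exists (presumably so that the structure written at this guest-chosen offset cannot cross the end of the mapped page) rather than restate the number. The rest of the case body is outside the hunk, so it is worth confirming that breaking out here leaves no state from the earlier part of the MSR write half-updated.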
@@ -24107,7 +24131,7 @@ index 271fddf..ea708b4 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -3300,10 +3309,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { +@@ -3300,10 +3314,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { .notifier_call = kvmclock_cpufreq_notifier }; @@ -48725,24 +48749,34 @@ index 032ebae..6a3532c 100644 q.int_ops = &sg_ops; diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c -index b6992b7..9fa7547 100644 +index b6992b7..ff830bd 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c -@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo - len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth); +@@ -6710,7 +6710,12 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize); + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", +#ifdef CONFIG_GRKERNSEC_HIDESYM -+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", + NULL, NULL); +#else - len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma); +#endif + /* * Rounding UP to nearest 4-kB boundary here... */ +@@ -6723,7 +6728,11 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo + ioc->facts.GlobalCredits); + + len += sprintf(buf+len, " Frames @ 0x%p (Dma @ 0x%p)\n", ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, NULL); ++#else + (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma); ++#endif + sz = (ioc->reply_sz * ioc->reply_depth) + 128; + len += sprintf(buf+len, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", + ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); 
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c index 83873e3..e360e9a 100644 --- a/drivers/message/fusion/mptsas.c @@ -75307,7 +75341,7 @@ index 0133b5a..3710d09 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index a64fde6..621e25d 100644 +index a64fde6..f7af3a5e 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -31,6 +31,7 @@ @@ -75929,7 +75963,7 @@ index a64fde6..621e25d 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -877,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -877,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
@@ -75945,19 +75979,20 @@ index a64fde6..621e25d 100644 +#ifdef CONFIG_PAX_RANDMMAP + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { -+ unsigned long start, size; ++ unsigned long start, size, flags, vm_flags; + + start = ELF_PAGEALIGN(elf_brk); + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4); ++ flags = MAP_FIXED | MAP_PRIVATE; ++ vm_flags = VM_DONTEXPAND | VM_RESERVED; ++ + down_write(¤t->mm->mmap_sem); ++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags); + retval = -ENOMEM; -+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { -+ unsigned long prot = PROT_NONE; -+ -+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { +// if (current->personality & ADDR_NO_RANDOMIZE) +// prot = PROT_READ; -+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0); ++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0); + retval = IS_ERR_VALUE(start) ? start : 0; + } + up_write(¤t->mm->mmap_sem); @@ -75979,7 +76014,7 @@ index a64fde6..621e25d 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1112,8 +1561,10 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1112,8 +1562,10 @@ static int dump_seek(struct file *file, loff_t off) unsigned long n = off; if (n > PAGE_SIZE) n = PAGE_SIZE; @@ -75991,7 +76026,7 @@ index a64fde6..621e25d 100644 off -= n; } free_page((unsigned long)buf); -@@ -1125,7 +1576,7 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1125,7 +1577,7 @@ static int dump_seek(struct file *file, loff_t off) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, 
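Review bot: The commented-out lines kept inside the RANDMMAP brk-gap block, `// if (current->personality & ADDR_NO_RANDOMIZE)` and `// prot = PROT_READ;`, now refer to a `prot` variable whose declaration this revision removes, so they cannot be re-enabled as written and should be deleted or replaced by a sentence stating the intent. The overlap test still uses the unaligned `start + size + PAGE_SIZE` while get_unmapped_area and mmap_region are given `PAGE_ALIGN(size)`; if the extra page is an intentional guard, a comment should say so, otherwise one precomputed aligned length used in all three calls would make the checked range and the mapped range visibly identical. The enclosing load_elf_binary body starts and ends outside this hunk.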
@@ -76000,7 +76035,7 @@ index a64fde6..621e25d 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1159,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1159,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -76009,7 +76044,7 @@ index a64fde6..621e25d 100644 goto whole; /* -@@ -1255,8 +1706,11 @@ static int writenote(struct memelfnote *men, struct file *file, +@@ -1255,8 +1707,11 @@ static int writenote(struct memelfnote *men, struct file *file, #undef DUMP_WRITE #define DUMP_WRITE(addr, nr) \ @@ -76022,7 +76057,7 @@ index a64fde6..621e25d 100644 static void fill_elf_header(struct elfhdr *elf, int segs, u16 machine, u32 flags, u8 osabi) -@@ -1385,9 +1839,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1385,9 +1840,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -76034,7 +76069,7 @@ index a64fde6..621e25d 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1973,7 +2427,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -1973,7 +2428,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -76043,7 +76078,7 @@ index a64fde6..621e25d 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2006,7 +2460,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2006,7 +2461,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un unsigned long addr; unsigned long end; 
@@ -76052,7 +76087,7 @@ index a64fde6..621e25d 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2015,6 +2469,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2015,6 +2470,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -76060,7 +76095,7 @@ index a64fde6..621e25d 100644 stop = ((size += PAGE_SIZE) > limit) || !dump_write(file, kaddr, PAGE_SIZE); kunmap(page); -@@ -2042,6 +2497,97 @@ out: +@@ -2042,6 +2498,97 @@ out: #endif /* USE_ELF_CORE_DUMP */ @@ -77139,7 +77174,7 @@ index a5bf577..6d19845 100644 return hit; } diff --git a/fs/compat.c b/fs/compat.c -index 46b93d1..84978fe 100644 +index 46b93d1..191dbaa 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _ @@ -77260,7 +77295,17 @@ index 46b93d1..84978fe 100644 goto out; if (!file->f_op) goto out; -@@ -1469,11 +1487,35 @@ int compat_do_execve(char * filename, +@@ -1460,6 +1478,9 @@ out: + return ret; + } + ++extern void gr_handle_exec_args_compat(struct linux_binprm *bprm, ++ compat_uptr_t __user *argv); ++ + /* + * compat_do_execve() is mostly a copy of do_execve(), with the exception + * that it processes 32 bit argv and envp pointers. +@@ -1469,11 +1490,35 @@ int compat_do_execve(char * filename, compat_uptr_t __user *envp, struct pt_regs * regs) { @@ -77296,7 +77341,7 @@ index 46b93d1..84978fe 100644 retval = unshare_files(&displaced); if (retval) -@@ -1499,12 +1541,26 @@ int compat_do_execve(char * filename, +@@ -1499,12 +1544,26 @@ int compat_do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; 
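Review bot: The prototype for gr_handle_exec_args_compat is now declared with `extern` directly in fs/compat.c, so the compiler no longer checks it against the definition unless the defining file repeats exactly the same declaration. The matching removal from include/linux/grsecurity.h, together with its `#include <linux/compat.h>`, appears later in this diff, which suggests the move is meant to drop that header dependency. A small dedicated header included by both the caller and the definition would keep that benefit and restore the type check. At minimum, a comment above the extern line should name the file that defines the function.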
@@ -77323,7 +77368,7 @@ index 46b93d1..84978fe 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1521,24 +1577,63 @@ int compat_do_execve(char * filename, +@@ -1521,24 +1580,63 @@ int compat_do_execve(char * filename, if (retval < 0) goto out; @@ -77391,7 +77436,7 @@ index 46b93d1..84978fe 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1547,6 +1642,14 @@ int compat_do_execve(char * filename, +@@ -1547,6 +1645,14 @@ int compat_do_execve(char * filename, put_files_struct(displaced); return retval; @@ -77406,7 +77451,7 @@ index 46b93d1..84978fe 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1717,6 +1820,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, +@@ -1717,6 +1823,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, struct fdtable *fdt; long stack_fds[SELECT_STACK_ALLOC/sizeof(long)]; @@ -77415,7 +77460,7 @@ index 46b93d1..84978fe 100644 if (n < 0) goto out_nofds; -@@ -2157,7 +2262,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, +@@ -2157,7 +2265,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, oldfs = get_fs(); set_fs(KERNEL_DS); /* The __user pointer casts are valid because of the set_fs() */ @@ -77702,7 +77747,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..0f75c42 100644 +index 86fafc6..a435ef7 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,34 @@ @@ -77909,7 +77954,7 @@ index 86fafc6..0f75c42 100644 #endif ret = expand_stack(vma, stack_base); + -+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR) ++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP) + if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) { + unsigned long size, flags, vm_flags; + 
@@ -77922,7 +77967,7 @@ index 86fafc6..0f75c42 100644 +#ifdef CONFIG_X86 + if (!ret) { + size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT)); -+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0); ++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0); + } +#endif + @@ -80998,7 +81043,7 @@ index fde92d1..6256b88 100644 lock_kernel(); diff --git a/fs/namei.c b/fs/namei.c -index b0afbd4..2b96439 100644 +index b0afbd4..a4dd3a0 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask, @@ -81098,7 +81143,7 @@ index b0afbd4..2b96439 100644 path_put(&nd->path); return_err: return err; -@@ -1091,13 +1112,20 @@ static int do_path_lookup(int dfd, const char *name, +@@ -1091,13 +1112,22 @@ static int do_path_lookup(int dfd, const char *name, int retval = path_init(dfd, name, flags, nd); if (!retval) retval = path_walk(name, nd); @@ -81108,10 +81153,12 @@ index b0afbd4..2b96439 100644 + + if (likely(!retval)) { + if (nd->path.dentry && nd->path.dentry->d_inode) { -+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) -+ retval = -ENOENT; + if (!audit_dummy_context()) + audit_inode(name, nd->path.dentry); ++ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) { ++ path_put(&nd->path); ++ retval = -ENOENT; ++ } + } + } if (nd->root.mnt) { @@ -81122,7 +81169,7 @@ index b0afbd4..2b96439 100644 return retval; } -@@ -1251,6 +1279,11 @@ static int __lookup_one_len(const char *name, struct qstr *this, +@@ -1251,6 +1281,11 @@ static int __lookup_one_len(const char *name, struct qstr *this, if (!len) return -EACCES; @@ -81134,7 +81181,7 @@ index b0afbd4..2b96439 100644 hash = init_name_hash(); while (len--) { c = *(const unsigned char *)name++; -@@ -1576,6 +1609,20 @@ int may_open(struct path *path, int acc_mode, int flag) +@@ -1576,6 +1611,20 @@ int may_open(struct path *path, int acc_mode, int flag) if (error) goto err_out; 
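Review bot: In the CONFIG_X86 branch, `ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);` turns any failure into the value 1 rather than a negative errno and depends on operator precedence to read correctly. The previous hunk assigns `ret = expand_stack(vma, stack_base);`, so ret appears to be an error code elsewhere in this function, whose body continues outside the hunk. Writing `ret = mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0) ? -ENOMEM : 0;` keeps the "non-zero result means failure" test and hands callers a conventional error value.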
@@ -81155,7 +81202,7 @@ index b0afbd4..2b96439 100644 if (flag & O_TRUNC) { error = get_write_access(inode); if (error) -@@ -1620,6 +1667,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1620,6 +1669,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, { int error; struct dentry *dir = nd->path.dentry; @@ -81173,7 +81220,7 @@ index b0afbd4..2b96439 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); -@@ -1627,6 +1685,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1627,6 +1687,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, if (error) goto out_unlock; error = vfs_create(dir->d_inode, path->dentry, mode, nd); @@ -81182,7 +81229,7 @@ index b0afbd4..2b96439 100644 out_unlock: mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); -@@ -1684,6 +1744,7 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1684,6 +1746,7 @@ struct file *do_filp_open(int dfd, const char *pathname, struct nameidata nd; int error; struct path path; @@ -81190,7 +81237,7 @@ index b0afbd4..2b96439 100644 struct dentry *dir; int count = 0; int will_write; -@@ -1709,6 +1770,22 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1709,6 +1772,22 @@ struct file *do_filp_open(int dfd, const char *pathname, &nd, flag); if (error) return ERR_PTR(error); @@ -81213,7 +81260,7 @@ index b0afbd4..2b96439 100644 goto ok; } -@@ -1795,6 +1872,19 @@ do_last: +@@ -1795,6 +1874,19 @@ do_last: /* * It already exists. */ @@ -81233,7 +81280,7 @@ index b0afbd4..2b96439 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path.dentry); -@@ -1887,6 +1977,14 @@ do_link: +@@ -1887,6 +1979,14 @@ do_link: error = security_inode_follow_link(path.dentry, &nd); if (error) goto exit_dput; 
@@ -81248,7 +81295,7 @@ index b0afbd4..2b96439 100644 error = __do_follow_link(&path, &nd); if (error) { /* Does someone understand code flow here? Or it is only -@@ -1915,9 +2013,24 @@ do_link: +@@ -1915,9 +2015,24 @@ do_link: } dir = nd.path.dentry; mutex_lock(&dir->d_inode->i_mutex); @@ -81273,7 +81320,7 @@ index b0afbd4..2b96439 100644 goto do_last; } -@@ -1984,6 +2097,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) +@@ -1984,6 +2099,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) } return dentry; eexist: @@ -81284,7 +81331,7 @@ index b0afbd4..2b96439 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2061,6 +2178,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2061,6 +2180,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = may_mknod(mode); if (error) goto out_dput; @@ -81302,7 +81349,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2081,6 +2209,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2081,6 +2211,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(nd.path.mnt); @@ -81312,7 +81359,7 @@ index b0afbd4..2b96439 100644 out_dput: dput(dentry); out_unlock: -@@ -2134,6 +2265,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2134,6 +2267,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) if (IS_ERR(dentry)) goto out_unlock; 
@@ -81324,7 +81371,7 @@ index b0afbd4..2b96439 100644 if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current_umask(); error = mnt_want_write(nd.path.mnt); -@@ -2145,6 +2281,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2145,6 +2283,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); out_drop_write: mnt_drop_write(nd.path.mnt); @@ -81335,7 +81382,7 @@ index b0afbd4..2b96439 100644 out_dput: dput(dentry); out_unlock: -@@ -2226,6 +2366,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2226,6 +2368,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -81344,7 +81391,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2250,6 +2392,17 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2250,6 +2394,17 @@ static long do_rmdir(int dfd, const char __user *pathname) error = PTR_ERR(dentry); if (IS_ERR(dentry)) goto exit2; @@ -81362,7 +81409,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2257,6 +2410,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2257,6 +2412,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); @@ -81371,7 +81418,7 @@ index b0afbd4..2b96439 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2318,6 +2473,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2318,6 +2475,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; 
@@ -81380,7 +81427,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2337,8 +2494,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2337,8 +2496,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (nd.last.name[nd.last.len]) goto slashes; inode = dentry->d_inode; @@ -81401,7 +81448,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2346,6 +2514,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2346,6 +2516,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -81410,7 +81457,7 @@ index b0afbd4..2b96439 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2424,6 +2594,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2424,6 +2596,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (IS_ERR(dentry)) goto out_unlock; @@ -81422,7 +81469,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2431,6 +2606,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2431,6 +2608,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_symlink(nd.path.dentry->d_inode, dentry, from); @@ -81431,7 +81478,7 @@ index b0afbd4..2b96439 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2524,6 +2701,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2524,6 +2703,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; 
@@ -81452,7 +81499,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2531,6 +2722,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2531,6 +2724,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry); @@ -81461,7 +81508,7 @@ index b0afbd4..2b96439 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2708,6 +2901,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2708,6 +2903,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, char *to; int error; @@ -81470,7 +81517,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(olddfd, oldname, &oldnd, &from); if (error) goto exit; -@@ -2764,6 +2959,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2764,6 +2961,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -81483,7 +81530,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -2773,6 +2974,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2773,6 +2976,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -81493,7 +81540,7 @@ index b0afbd4..2b96439 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -2798,6 +3002,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -2798,6 +3004,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { 
@@ -81502,7 +81549,7 @@ index b0afbd4..2b96439 100644 int len; len = PTR_ERR(link); -@@ -2807,7 +3013,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -2807,7 +3015,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -86042,10 +86089,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..5aba5a8 +index 0000000..1edd4b5 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4197 @@ +@@ -0,0 +1,4201 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -86071,6 +86118,7 @@ index 0000000..5aba5a8 +#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> ++#include <linux/posix-timers.h> + +#include <asm/uaccess.h> +#include <asm/errno.h> @@ -88348,6 +88396,9 @@ index 0000000..5aba5a8 + + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_CPU) ++ update_rlimit_cpu(task, proc->res[i].rlim_cur); + } + + return; @@ -96556,6 +96607,19 @@ index 78e9047..ff39f6b 100644 /* handle uniform packets for scsi type devices (scsi,atapi) */ int (*generic_packet) (struct cdrom_device_info *, struct packet_command *); +diff --git a/include/linux/compat.h b/include/linux/compat.h +index 510266f..9d64053 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -271,7 +271,7 @@ extern int compat_ptrace_request(struct task_struct *child, + extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + compat_ulong_t addr, compat_ulong_t data); + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data); ++ compat_ulong_t addr, compat_ulong_t data); + + /* + * epoll (fs/eventpoll.c) compat bits follow ... 
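Review bot: The added `update_rlimit_cpu(task, proc->res[i].rlim_cur);` in grsecurity/gracl.c runs for every RLIMIT_CPU value copied from the policy, including an unlimited one. Whether update_rlimit_cpu tolerates RLIM_INFINITY is not visible in this diff, and the mainline setrlimit path skips the call in that case. Guarding it as `if (i == RLIMIT_CPU && proc->res[i].rlim_cur != RLIM_INFINITY)` would avoid handing an unlimited value to the CPU-timer code. The hunk also does not show which lock covers the writes to `task->signal->rlim[i]`; that should be checked against the enclosing function, which starts outside the hunk.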
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h index 450fa59..16b904d 100644 --- a/include/linux/compiler-gcc4.h @@ -98104,17 +98168,16 @@ index 0000000..18863d1 +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..6e2f8bc +index 0000000..9ced8a0 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,226 @@ +@@ -0,0 +1,222 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> +#include <linux/fs_struct.h> +#include <linux/binfmts.h> +#include <linux/gracl.h> -+#include <linux/compat.h> + +/* notify of brain-dead configs */ +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP) @@ -98184,9 +98247,6 @@ index 0000000..6e2f8bc +void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv); -+#ifdef CONFIG_COMPAT -+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv); -+#endif +void gr_log_remount(const char *devname, const int retval); +void gr_log_unmount(const char *devname, const int retval); +void gr_log_mount(const char *from, const char *to, const int retval); @@ -98900,7 +98960,7 @@ index 3797270..7765ede 100644 struct mca_bus { u64 default_dma_mask; diff --git a/include/linux/mm.h b/include/linux/mm.h -index 11e5be6..8ff8c91 100644 +index 11e5be6..8a2af3a 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void *objp); 
@@ -99023,7 +99083,19 @@ index 11e5be6..8ff8c91 100644 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr); int remap_pfn_range(struct vm_area_struct *, unsigned long addr, unsigned long pfn, unsigned long size, pgprot_t); -@@ -1332,7 +1365,13 @@ extern void memory_failure(unsigned long pfn, int trapno); +@@ -1263,6 +1296,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long); + static inline void vm_stat_account(struct mm_struct *mm, + unsigned long flags, struct file *file, long pages) + { ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + } + #endif /* CONFIG_PROC_FS */ + +@@ -1332,7 +1370,13 @@ extern void memory_failure(unsigned long pfn, int trapno); extern int __memory_failure(unsigned long pfn, int trapno, int ref); extern int sysctl_memory_failure_early_kill; extern int sysctl_memory_failure_recovery; @@ -99039,7 +99111,7 @@ index 11e5be6..8ff8c91 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 9d12ed5..9d9dab3 100644 +index 9d12ed5..6d9707a 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -186,6 +186,8 @@ struct vm_area_struct { @@ -99051,15 +99123,6 @@ index 9d12ed5..9d9dab3 100644 }; struct core_thread { -@@ -235,7 +237,7 @@ struct mm_struct { - unsigned long total_vm, locked_vm, shared_vm, exec_vm; - unsigned long stack_vm, reserved_vm, def_flags, nr_ptes; - unsigned long start_code, end_code, start_data, end_data; -- unsigned long start_brk, brk, start_stack; -+ unsigned long brk_gap, start_brk, brk, start_stack; - unsigned long arg_start, arg_end, env_start, env_end; - - unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ @@ -287,6 +289,24 @@ struct mm_struct { #ifdef CONFIG_MMU_NOTIFIER struct mmu_notifier_mm *mmu_notifier_mm; 
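Review bot: In the !CONFIG_PROC_FS stub of vm_stat_account, the new `if (...)` sits inside `#ifdef CONFIG_PAX_RANDMMAP` while the statement it controls, `mm->total_vm += pages;`, comes after the `#endif` and a blank line with no braces. Any statement later inserted between them silently becomes the conditional body. An early return inside the ifdef avoids this: `if ((mm->pax_flags & MF_PAX_RANDMMAP) && !(flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) return;`, followed by the unconditional increment. A comment should say why mappings with none of the VM_MAY* bits are left out of total_vm, presumably to hide the PaX gap mappings. The perfmon.c and fork.c hunks in this diff drop their own total_vm updates, so the CONFIG_PROC_FS variant, which is not shown here, has to do the same accounting.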
@@ -99614,7 +99677,7 @@ index 34066ff..e95d744 100644 /********** include/linux/timer.h **********/ /* diff --git a/include/linux/posix-timers.h b/include/linux/posix-timers.h -index 4f71bf4..cd2f68e 100644 +index 4f71bf4..724d413 100644 --- a/include/linux/posix-timers.h +++ b/include/linux/posix-timers.h @@ -82,7 +82,8 @@ struct k_clock { @@ -99627,6 +99690,14 @@ index 4f71bf4..cd2f68e 100644 void register_posix_clock(const clockid_t clock_id, struct k_clock *new_clock); +@@ -117,6 +118,6 @@ void set_process_cpu_timer(struct task_struct *task, unsigned int clock_idx, + + long clock_nanosleep_restart(struct restart_block *restart_block); + +-void update_rlimit_cpu(unsigned long rlim_new); ++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new); + + #endif diff --git a/include/linux/prefetch.h b/include/linux/prefetch.h index af7c36a..a93005c 100644 --- a/include/linux/prefetch.h @@ -103473,7 +103544,7 @@ index a2a1659..df8479c 100644 get_task_struct(p); read_unlock(&tasklist_lock); diff --git a/kernel/fork.c b/kernel/fork.c -index c28f804..3a04506 100644 +index c28f804..4f038a3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -103522,7 +103593,16 @@ index c28f804..3a04506 100644 mm->map_count = 0; cpumask_clear(mm_cpumask(mm)); mm->mm_rb = RB_ROOT; -@@ -319,7 +324,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -311,15 +316,13 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + struct file *file; + + if (mpnt->vm_flags & VM_DONTCOPY) { +- long pages = vma_pages(mpnt); +- mm->total_vm -= pages; + vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file, +- -pages); ++ -vma_pages(mpnt)); + continue; } charge = 0; if (mpnt->vm_flags & VM_ACCOUNT) { 
@@ -103531,7 +103611,7 @@ index c28f804..3a04506 100644 if (security_vm_enough_memory(len)) goto fail_nomem; charge = len; -@@ -336,6 +341,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -336,6 +339,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) tmp->vm_flags &= ~VM_LOCKED; tmp->vm_mm = mm; tmp->vm_next = tmp->vm_prev = NULL; @@ -103539,7 +103619,7 @@ index c28f804..3a04506 100644 anon_vma_link(tmp); file = tmp->vm_file; if (file) { -@@ -385,6 +391,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -385,6 +389,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; } @@ -103571,7 +103651,7 @@ index c28f804..3a04506 100644 /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); retval = 0; -@@ -735,13 +766,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) +@@ -735,13 +764,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) write_unlock(&fs->lock); return -EAGAIN; } @@ -103593,7 +103673,7 @@ index c28f804..3a04506 100644 return 0; } -@@ -913,6 +951,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) +@@ -913,6 +949,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) sig->oom_adj = current->signal->oom_adj; @@ -103602,7 +103682,7 @@ index c28f804..3a04506 100644 return 0; } -@@ -1036,12 +1076,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1036,12 +1074,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -103621,7 +103701,7 @@ index c28f804..3a04506 100644 retval = copy_creds(p, clone_flags); if (retval < 0) -@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1263,6 +1305,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } 
@@ -103633,7 +103713,7 @@ index c28f804..3a04506 100644 if (clone_flags & CLONE_THREAD) { atomic_inc(¤t->signal->count); atomic_inc(¤t->signal->live); -@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count: +@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -103642,7 +103722,7 @@ index c28f804..3a04506 100644 return ERR_PTR(retval); } -@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags, +@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -103651,7 +103731,7 @@ index c28f804..3a04506 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -103660,7 +103740,7 @@ index c28f804..3a04506 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; write_lock(&fs->lock); current->fs = new_fs; @@ -105747,10 +105827,10 @@ index fce7198..4f23a7e 100644 { struct pid *pid; diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c -index 5c9dc22..7652dca 100644 +index 5c9dc22..6971ae8 100644 --- a/kernel/posix-cpu-timers.c +++ b/kernel/posix-cpu-timers.c -@@ -6,9 +6,11 @@ +@@ -6,23 +6,25 @@ #include <linux/posix-timers.h> #include <linux/errno.h> #include <linux/math64.h> 
@@ -105762,6 +105842,25 @@ index 5c9dc22..7652dca 100644 /* * Called after updating RLIMIT_CPU to set timer expiration if necessary. + */ +-void update_rlimit_cpu(unsigned long rlim_new) ++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new) + { + cputime_t cputime = secs_to_cputime(rlim_new); +- struct signal_struct *const sig = current->signal; ++ struct signal_struct *const sig = task->signal; + + if (cputime_eq(sig->it[CPUCLOCK_PROF].expires, cputime_zero) || + cputime_gt(sig->it[CPUCLOCK_PROF].expires, cputime)) { +- spin_lock_irq(¤t->sighand->siglock); +- set_process_cpu_timer(current, CPUCLOCK_PROF, &cputime, NULL); +- spin_unlock_irq(¤t->sighand->siglock); ++ spin_lock_irq(&task->sighand->siglock); ++ set_process_cpu_timer(task, CPUCLOCK_PROF, &cputime, NULL); ++ spin_unlock_irq(&task->sighand->siglock); + } + } + @@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head, */ void posix_cpu_timers_exit(struct task_struct *tsk) @@ -106232,7 +106331,7 @@ index dfadc5b..7f59404 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 05625f6..741869b 100644 +index 05625f6..123e351 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child) @@ -106529,6 +106628,15 @@ index 05625f6..741869b 100644 switch (request) { case PTRACE_PEEKTEXT: case PTRACE_PEEKDATA: +@@ -720,7 +799,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, + } + + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data) ++ compat_ulong_t addr, compat_ulong_t data) + { + struct task_struct *child; + long ret; @@ -740,20 +819,30 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } @@ -107282,7 +107390,7 @@ index 04a0252..4ee2bbb 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index e9512b1..f07185f 100644 +index e9512b1..dec4030 100644 
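Review bot: `update_rlimit_cpu()` in kernel/posix-cpu-timers.c now dereferences `task->signal` and locks `task->sighand->siglock` for a caller-supplied task, but the comment above it still says nothing about what the caller must guarantee for that task. Both callers visible in this patch, `setrlimit` in kernel/sys.c and `selinux_bprm_committing_creds()`, pass `current`, for which those pointers are stable. A caller passing another task would presumably have to hold a reference and keep `sighand` from being released while the lock is taken. I would add the contract to the existing comment, for example `* @task must be current, or the caller must keep task->sighand valid across the call.`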
--- a/kernel/sys.c +++ b/kernel/sys.c @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) @@ -107444,6 +107552,15 @@ index e9512b1..f07185f 100644 if (gid != old_fsgid) { new->fsgid = gid; goto change_okay; +@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) + if (new_rlim.rlim_cur == RLIM_INFINITY) + goto out; + +- update_rlimit_cpu(new_rlim.rlim_cur); ++ update_rlimit_cpu(current, new_rlim.rlim_cur); + out: + return 0; + } @@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; @@ -110486,7 +110603,7 @@ index 2d846cf..8d5cdd8 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 4b80cbf..89f7b42 100644 +index 4b80cbf..abfd61a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -29,6 +29,7 @@ @@ -110684,13 +110801,19 @@ index 4b80cbf..89f7b42 100644 return area; } -@@ -898,14 +979,11 @@ none: +@@ -898,15 +979,22 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { - const unsigned long stack_flags - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN); -- ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + if (file) { mm->shared_vm += pages; if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC) 
@@ -110698,9 +110821,13 @@ index 4b80cbf..89f7b42 100644 - } else if (flags & stack_flags) + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN)) mm->stack_vm += pages; ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; -@@ -932,7 +1010,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, + } +@@ -932,7 +1020,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -110709,7 +110836,7 @@ index 4b80cbf..89f7b42 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -958,7 +1036,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -958,7 +1046,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -110718,7 +110845,7 @@ index 4b80cbf..89f7b42 100644 if (addr & ~PAGE_MASK) return addr; -@@ -969,6 +1047,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -969,6 +1057,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -110755,7 +110882,7 @@ index 4b80cbf..89f7b42 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1088,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -980,6 +1098,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; 
@@ -110763,7 +110890,7 @@ index 4b80cbf..89f7b42 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1162,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1053,6 +1172,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; @@ -110773,7 +110900,7 @@ index 4b80cbf..89f7b42 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1177,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1187,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -110786,7 +110913,7 @@ index 4b80cbf..89f7b42 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1229,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1117,17 +1239,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -110813,7 +110940,15 @@ index 4b80cbf..89f7b42 100644 } /* Check against address space limit. */ -@@ -1173,6 +1295,16 @@ munmap_back: ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ + if (!may_expand_vm(mm, len >> PAGE_SHIFT)) + return -ENOMEM; + +@@ -1173,6 +1310,16 @@ munmap_back: goto unacct_error; } @@ -110830,7 +110965,7 @@ index 4b80cbf..89f7b42 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1180,8 +1312,9 @@ munmap_back: +@@ -1180,8 +1327,9 @@ munmap_back: vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; 
@@ -110841,7 +110976,7 @@ index 4b80cbf..89f7b42 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1195,6 +1328,19 @@ munmap_back: +@@ -1195,6 +1343,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -110861,7 +110996,7 @@ index 4b80cbf..89f7b42 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1207,6 +1353,8 @@ munmap_back: +@@ -1207,6 +1368,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { @@ -110870,7 +111005,7 @@ index 4b80cbf..89f7b42 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1218,6 +1366,11 @@ munmap_back: +@@ -1218,14 +1381,19 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -110882,15 +111017,16 @@ index 4b80cbf..89f7b42 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1379,7 @@ out: + out: + perf_event_mmap(vma); - mm->total_vm += len >> PAGE_SHIFT; +- mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); + track_exec_limit(mm, addr, addr + len, vm_flags); if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1402,12 @@ unmap_and_free_vma: +@@ -1248,6 +1416,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -110903,7 +111039,7 @@ index 4b80cbf..89f7b42 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1255,6 +1415,62 @@ unacct_error: +@@ -1255,6 +1429,62 @@ unacct_error: return error; } 
@@ -110966,7 +111102,7 @@ index 4b80cbf..89f7b42 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1274,6 +1490,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1274,6 +1504,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long start_addr; @@ -110974,7 +111110,7 @@ index 4b80cbf..89f7b42 100644 if (len > TASK_SIZE) return -ENOMEM; -@@ -1281,18 +1498,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1281,18 +1512,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -111005,7 +111141,7 @@ index 4b80cbf..89f7b42 100644 } full_search: -@@ -1303,34 +1525,40 @@ full_search: +@@ -1303,34 +1539,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -111057,7 +111193,7 @@ index 4b80cbf..89f7b42 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1348,7 +1576,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1348,7 +1590,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -111067,7 +111203,7 @@ index 4b80cbf..89f7b42 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,13 +1586,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1357,13 +1600,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; 
@@ -111090,7 +111226,7 @@ index 4b80cbf..89f7b42 100644 } /* check if free_area_cache is useful for us */ -@@ -1378,7 +1612,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1378,7 +1626,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -111099,7 +111235,7 @@ index 4b80cbf..89f7b42 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1395,7 +1629,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1395,7 +1643,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -111108,7 +111244,7 @@ index 4b80cbf..89f7b42 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1404,8 +1638,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1404,8 +1652,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -111119,7 +111255,7 @@ index 4b80cbf..89f7b42 100644 bottomup: /* -@@ -1414,13 +1648,21 @@ bottomup: +@@ -1414,13 +1662,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -111143,7 +111279,7 @@ index 4b80cbf..89f7b42 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1429,6 +1671,12 @@ bottomup: +@@ -1429,6 +1685,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { 
@@ -111156,7 +111292,7 @@ index 4b80cbf..89f7b42 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1684,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1436,8 +1698,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -111168,7 +111304,7 @@ index 4b80cbf..89f7b42 100644 } unsigned long -@@ -1510,40 +1760,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1510,40 +1774,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -111243,7 +111379,7 @@ index 4b80cbf..89f7b42 100644 /* * Verify that the stack growth is acceptable and -@@ -1561,6 +1820,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1561,6 +1834,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -111251,7 +111387,7 @@ index 4b80cbf..89f7b42 100644 if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; -@@ -1570,6 +1830,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1570,6 +1844,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns unsigned long limit; locked = mm->locked_vm + grow; limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; 
@@ -111259,7 +111395,15 @@ index 4b80cbf..89f7b42 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1600,37 +1861,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1588,7 +1863,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns + return -ENOMEM; + + /* Ok, everything looks good - let it rip */ +- mm->total_vm += grow; + if (vma->vm_flags & VM_LOCKED) + mm->locked_vm += grow; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow); +@@ -1600,37 +1874,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -111317,7 +111461,7 @@ index 4b80cbf..89f7b42 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1643,6 +1915,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1643,6 +1928,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) vma->vm_end = address; } } @@ -111326,7 +111470,7 @@ index 4b80cbf..89f7b42 100644 anon_vma_unlock(vma); return error; } -@@ -1655,6 +1929,8 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1655,6 +1942,8 @@ static int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -111335,7 +111479,7 @@ index 4b80cbf..89f7b42 100644 /* * We must make sure the anon_vma is allocated -@@ -1668,6 +1944,15 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1668,6 +1957,15 @@ static int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -111351,7 +111495,7 @@ index 4b80cbf..89f7b42 100644 anon_vma_lock(vma); /* -@@ -1677,9 +1962,17 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1677,9 +1975,17 @@ static int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ 
@@ -111370,7 +111514,7 @@ index 4b80cbf..89f7b42 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1689,21 +1995,60 @@ static int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -111431,7 +111575,7 @@ index 4b80cbf..89f7b42 100644 return expand_upwards(vma, address); } -@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) +@@ -1727,6 +2072,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) #else int expand_stack(struct vm_area_struct *vma, unsigned long address) { @@ -111446,10 +111590,11 @@ index 4b80cbf..89f7b42 100644 return expand_downwards(vma, address); } -@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1768,7 +2121,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); +- mm->total_vm -= nrpages; +#ifdef CONFIG_PAX_SEGMEXEC + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) { + vma = remove_vma(vma); @@ -111457,10 +111602,10 @@ index 4b80cbf..89f7b42 100644 + } +#endif + - mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + } while (vma); +@@ -1813,6 +2172,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { 
@@ -111477,7 +111622,7 @@ index 4b80cbf..89f7b42 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1840,10 +2209,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct mempolicy *pol; struct vm_area_struct *new; @@ -111503,7 +111648,7 @@ index 4b80cbf..89f7b42 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1851,6 +2235,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, if (!new) return -ENOMEM; @@ -111520,7 +111665,7 @@ index 4b80cbf..89f7b42 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1861,8 +2255,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -111550,7 +111695,7 @@ index 4b80cbf..89f7b42 100644 kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1883,6 +2298,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -111579,7 +111724,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1891,11 +2328,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ 
@@ -111610,7 +111755,7 @@ index 4b80cbf..89f7b42 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -1959,6 +2415,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -111619,7 +111764,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -1971,22 +2429,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); @@ -111648,7 +111793,7 @@ index 4b80cbf..89f7b42 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2000,6 +2454,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -111656,7 +111801,7 @@ index 4b80cbf..89f7b42 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2011,16 +2466,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -111688,7 +111833,7 @@ index 4b80cbf..89f7b42 100644 locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; -@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2037,22 +2506,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ 
@@ -111715,7 +111860,7 @@ index 4b80cbf..89f7b42 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2066,7 +2535,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -111724,7 +111869,7 @@ index 4b80cbf..89f7b42 100644 return -ENOMEM; } -@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2078,11 +2547,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: @@ -111739,7 +111884,7 @@ index 4b80cbf..89f7b42 100644 return addr; } -@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2129,8 +2599,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -111751,7 +111896,7 @@ index 4b80cbf..89f7b42 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2144,6 +2616,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -111762,7 +111907,7 @@ index 4b80cbf..89f7b42 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2166,7 +2642,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; 
@@ -111785,7 +111930,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2184,6 +2675,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -111794,7 +111939,7 @@ index 4b80cbf..89f7b42 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2227,6 +2720,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; } @@ -111830,20 +111975,15 @@ index 4b80cbf..89f7b42 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2238,6 +2760,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ cur -= mm->brk_gap; -+#endif -+ + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); if (cur + npages > lim) return 0; return 1; -@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2307,6 +2830,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -112093,7 +112233,7 @@ index 1737c7e..c7faeb4 100644 if (nstart < prev->vm_end) diff --git a/mm/mremap.c b/mm/mremap.c -index 3e98d79..1706cec 100644 +index 3e98d79..36c2b5d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, 
@@ -112109,7 +112249,15 @@ index 3e98d79..1706cec 100644 set_pte_at(mm, new_addr, new_pte, pte); } -@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, +@@ -232,7 +238,6 @@ static unsigned long move_vma(struct vm_area_struct *vma, + * If this were a serious issue, we'd add a flag to do_munmap(). + */ + hiwater_vm = mm->hiwater_vm; +- mm->total_vm += new_len >> PAGE_SHIFT; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT); + + if (do_munmap(mm, old_addr, old_len) < 0) { +@@ -271,6 +276,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, if (is_vm_hugetlb_page(vma)) goto Einval; @@ -112121,7 +112269,7 @@ index 3e98d79..1706cec 100644 /* We can't remap across vm area boundaries */ if (old_len > vma->vm_end - addr) goto Efault; -@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned long addr, +@@ -327,20 +337,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long ret = -EINVAL; unsigned long charged = 0; unsigned long map_flags; @@ -112152,7 +112300,7 @@ index 3e98d79..1706cec 100644 goto out; ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); -@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -412,6 +427,7 @@ unsigned long do_mremap(unsigned long addr, struct vm_area_struct *vma; unsigned long ret = -EINVAL; unsigned long charged = 0; @@ -112160,7 +112308,7 @@ index 3e98d79..1706cec 100644 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) goto out; -@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long addr, +@@ -430,6 +446,17 @@ unsigned long do_mremap(unsigned long addr, if (!new_len) goto out; 
@@ -112178,7 +112326,15 @@ index 3e98d79..1706cec 100644 if (flags & MREMAP_FIXED) { if (flags & MREMAP_MAYMOVE) ret = mremap_to(addr, old_len, new_addr, new_len); -@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -468,7 +495,6 @@ unsigned long do_mremap(unsigned long addr, + vma_adjust(vma, vma->vm_start, + addr + new_len, vma->vm_pgoff, NULL); + +- mm->total_vm += pages; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages); + if (vma->vm_flags & VM_LOCKED) { + mm->locked_vm += pages; +@@ -476,6 +502,7 @@ unsigned long do_mremap(unsigned long addr, addr + new_len); } ret = addr; @@ -112186,7 +112342,7 @@ index 3e98d79..1706cec 100644 goto out; } } -@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long addr, +@@ -502,7 +529,13 @@ unsigned long do_mremap(unsigned long addr, ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); if (ret) goto out; @@ -120289,7 +120445,7 @@ index c4c6732..bc63d84 100644 int security_settime(struct timespec *ts, struct timezone *tz) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index a106754..ca3a589 100644 +index a106754..bdb434e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -76,6 +76,7 @@ @@ -120352,6 +120508,15 @@ index a106754..ca3a589 100644 default: rc = task_has_system(current, SYSTEM__SYSLOG_MOD); break; +@@ -2366,7 +2368,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) + initrlim = init_task.signal->rlim + i; + rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); + } +- update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur); ++ update_rlimit_cpu(current, current->signal->rlim[RLIMIT_CPU].rlim_cur); + } + } + @@ -5457,7 +5459,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif 
@@ -120397,6 +120562,19 @@ index ff17820..d68084c 100644 if (!ss_initialized) { avtab_cache_init(); if (policydb_read(&policydb, fp)) { +diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c +index f3cb9ed..22c91e3 100644 +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -309,7 +309,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, + + if (old_ctx) { + new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!new_ctx) + return -ENOMEM; + diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c33b6bb..b51f19e 100644 --- a/security/smack/smack_lsm.c @@ -127916,6 +128094,25 @@ index 83b3dde..835bee7 100644 } else break; } +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index 9fe140b..69969ae 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -71,9 +71,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; + u64 redir_content; + +- ASSERT(redir_index < IOAPIC_NUM_PINS); ++ if (redir_index < IOAPIC_NUM_PINS) ++ redir_content = ++ ioapic->redirtbl[redir_index].bits; ++ else ++ redir_content = ~0ULL; + +- redir_content = ioapic->redirtbl[redir_index].bits; + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : + redir_content & 0xffffffff; diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 82b6fdc..57cc875 100644 --- a/virt/kvm/kvm_main.c diff --git a/3.2.40/0000_README b/3.2.40/0000_README index 6682017..da39e23 100644 --- a/3.2.40/0000_README +++ b/3.2.40/0000_README @@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch From: http://www.kernel.org Desc: Linux 3.2.40 -Patch: 4420_grsecurity-2.9.1-3.2.40-201303142234.patch +Patch: 4420_grsecurity-2.9.1-3.2.40-201303221825.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity 
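Review bot: The switch to `GFP_ATOMIC` in selinux_xfrm_policy_clone() has no comment saying why this allocation must not sleep, so a later cleanup could turn it back into `GFP_KERNEL`. If the reason is that a caller holds a lock or runs in atomic context (the call path is not shown in the hunk), record it above the kmalloc, for example `/* callers may hold a spinlock: allocation must not sleep */`. The function body continues outside the hunk.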
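Review bot: The new range check in ioapic_read_indirect() does not say where `redir_index` comes from or why an out-of-range value reads as all ones. The index is computed from `ioapic->ioregsel`, and if that register is written by the guest (not shown here) it is a guest-controlled array index, which an ASSERT that may be compiled out does not protect. A comment such as `/* ioregsel is set by the guest; out-of-range selectors read as all ones */` would record that. If the write path indexes `redirtbl` the same way it needs the same check; it is outside this hunk.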
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch index c85236f..cd03fe7 100644 --- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch +++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch @@ -194,7 +194,7 @@ index dfa6fc6..65f7dbe 100644 +zconf.lex.c zoffset.h diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index ddbf18e..2c5d501 100644 +index ddbf18e..53d74a7 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -853,6 +853,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted. @@ -207,7 +207,7 @@ index ddbf18e..2c5d501 100644 hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -1940,6 +1943,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -1940,6 +1943,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -218,6 +218,11 @@ index ddbf18e..2c5d501 100644 + + pax_softmode= 0/1 to disable/enable PaX softmode on boot already. + ++ pax_extra_latent_entropy ++ Enable a very simple form of latent entropy extraction ++ from the first 4GB of memory as the bootmem allocator ++ passes the memory pages to the buddy allocator. ++ pcbit= [HW,ISDN] pcd. [PARIDE] @@ -255,7 +260,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 47af1e9..e2ebb6d 100644 +index 47af1e9..4da6852 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -339,7 +344,7 @@ index 47af1e9..e2ebb6d 100644 +else + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least" +endif -+ $(Q)echo "PAX_MEMORY_STACKLEAK and other features will be less secure" ++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active." +endif +endif + @@ -2760,6 +2765,18 @@ index 77597e5..6f28f3f 100644 { .notifier_call = palinfo_cpu_callback, .priority = 0, +diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c +index 89accc6..e888968 100644 +--- a/arch/ia64/kernel/perfmon.c ++++ b/arch/ia64/kernel/perfmon.c +@@ -2370,7 +2370,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t + */ + insert_vm_struct(mm, vma); + +- mm->total_vm += size >> PAGE_SHIFT; + vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, + vma_pages(vma)); + up_write(&task->mm->mmap_sem); diff --git a/arch/ia64/kernel/salinfo.c b/arch/ia64/kernel/salinfo.c index 79802e5..1a89ec5 100644 --- a/arch/ia64/kernel/salinfo.c @@ -21810,7 +21827,7 @@ index 407789b..5570a86 100644 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index f4063fd..3c40814 100644 +index f4063fd..b395ad7 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1348,8 +1348,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) 
@@ -21824,7 +21841,19 @@ index f4063fd..3c40814 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2168,6 +2168,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -1603,6 +1603,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) + /* ...but clean it before doing the actual write */ + vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + ++ /* Check that the address is 32-byte aligned. */ ++ if (vcpu->arch.time_offset & ++ (sizeof(struct pvclock_vcpu_time_info) - 1)) ++ break; ++ + vcpu->arch.time_page = + gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); + +@@ -2168,6 +2173,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -21833,7 +21862,7 @@ index f4063fd..3c40814 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2343,15 +2345,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, +@@ -2343,15 +2350,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -21857,7 +21886,7 @@ index f4063fd..3c40814 100644 vcpu->arch.cpuid_nent = cpuid->nent; kvm_apic_set_version(vcpu); kvm_x86_ops->cpuid_update(vcpu); -@@ -2366,15 +2373,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, +@@ -2366,15 +2378,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -21880,7 +21909,7 @@ index f4063fd..3c40814 100644 return 0; out: -@@ -2749,7 +2760,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -2749,7 +2765,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { 
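Review bot: The alignment test added to kvm_set_msr_common() masks with `sizeof(struct pvclock_vcpu_time_info) - 1`, which tests alignment only when that size is a power of two. The comment says 32 bytes, but nothing enforces it. Adding `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) & (sizeof(struct pvclock_vcpu_time_info) - 1));` next to the check would fail the build if the structure ever changes size. The comment could also give the reason, presumably that an unaligned `time_offset` would let the structure run past the end of the single page obtained from `gfn_to_page()`. The enclosing switch case starts outside the hunk.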
@@ -21889,7 +21918,7 @@ index f4063fd..3c40814 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -5191,7 +5202,7 @@ static void kvm_set_mmio_spte_mask(void) +@@ -5191,7 +5207,7 @@ static void kvm_set_mmio_spte_mask(void) kvm_mmu_set_mmio_spte_mask(mask); } @@ -32857,7 +32886,7 @@ index 012a9d2..3b2267c 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index 878b989..ea158f5 100644 +index 878b989..17fe410 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj, @@ -32869,7 +32898,7 @@ index 878b989..ea158f5 100644 /* The actual obj->write_domain will be updated with * pending_write_domain after we emit the accumulated flush for all -@@ -904,9 +904,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) +@@ -904,18 +904,23 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, 
@@ -32877,10 +32906,28 @@ index 878b989..ea158f5 100644 + unsigned int count) { - int i; +- + unsigned int i; - ++ int relocs_total = 0; ++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); ++ for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; + int length; /* limited by fault_in_pages_readable() */ + +- /* First check for malicious input causing overflow */ +- if (exec[i].relocation_count > +- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) ++ /* First check for malicious input causing overflow in ++ * the worst case where we need to allocate the entire ++ * relocation tree as a single array. ++ */ ++ if (exec[i].relocation_count > relocs_max - relocs_total) + return -EINVAL; ++ relocs_total += exec[i].relocation_count; + + length = exec[i].relocation_count * + sizeof(struct drm_i915_gem_relocation_entry); diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c index 93e74fb..4a1182d 100644 --- a/drivers/gpu/drm/i915/i915_irq.c @@ -36585,7 +36632,7 @@ index 668f5c6..65df5f2 100644 dev->req->sg.length : dev->req->data_len; diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c -index e9c6a60..daf6a33 100644 +index e9c6a60..a1d04d6 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c @@ -6753,8 +6753,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) 
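Review bot: In validate_exec_list() the new check compares `exec[i].relocation_count` with `relocs_max - relocs_total`, both declared `int`, and then adds the count to the `int` total. If `relocation_count` is an unsigned 32-bit field (its declaration is outside the hunk), the comparison is done in unsigned arithmetic and is safe only because the right-hand side can never go negative. Declaring them as `unsigned int relocs_total = 0;` and `const unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);` states that directly and avoids the mixed-sign comparison. The loop body continues outside the hunk.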
@@ -36602,6 +36649,18 @@ index e9c6a60..daf6a33 100644 /* * Rounding UP to nearest 4-kB boundary here... */ +@@ -6767,7 +6772,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) + ioc->facts.GlobalCredits); + + seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n", ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, NULL); ++#else + (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma); ++#endif + sz = (ioc->reply_sz * ioc->reply_depth) + 128; + seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", + ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c index 9d95042..b808101 100644 --- a/drivers/message/fusion/mptsas.c @@ -45278,7 +45337,7 @@ index a6395bd..f1e376a 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 8dd615c..60fbfd2 100644 +index 8dd615c..0efdaed 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -45891,7 +45950,7 @@ index 8dd615c..60fbfd2 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -881,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -881,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
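Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` sits inside the argument list of the `seq_printf()` call in mpt_iocinfo_proc_show(), so one statement is split across two preprocessor branches and each branch has to carry its own `);`. Choosing the values first, e.g. `void *frames = NULL, *frames_dma = NULL;` with the real pointers assigned under `#ifndef CONFIG_GRKERNSEC_HIDESYM`, keeps a single call and makes it harder for a later edit to print the addresses in the hardened build. The function starts outside the hunk.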
@@ -45907,19 +45966,20 @@ index 8dd615c..60fbfd2 100644 +#ifdef CONFIG_PAX_RANDMMAP + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { -+ unsigned long start, size; ++ unsigned long start, size, flags, vm_flags; + + start = ELF_PAGEALIGN(elf_brk); + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4); ++ flags = MAP_FIXED | MAP_PRIVATE; ++ vm_flags = VM_DONTEXPAND | VM_RESERVED; ++ + down_write(¤t->mm->mmap_sem); ++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags); + retval = -ENOMEM; -+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { -+ unsigned long prot = PROT_NONE; -+ -+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { +// if (current->personality & ADDR_NO_RANDOMIZE) +// prot = PROT_READ; -+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0); ++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0); + retval = IS_ERR_VALUE(start) ? start : 0; + } + up_write(¤t->mm->mmap_sem); @@ -45941,7 +46001,7 @@ index 8dd615c..60fbfd2 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1098,7 +1543,7 @@ out: +@@ -1098,7 +1544,7 @@ out: * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -45950,7 +46010,7 @@ index 8dd615c..60fbfd2 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1132,7 +1577,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1132,7 +1578,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; 
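Review bot: The commented-out lines `// if (current->personality & ADDR_NO_RANDOMIZE)` and `// prot = PROT_READ;` are kept in the PAX_RANDMMAP block of load_elf_binary(), but this change removes the `prot` variable they refer to, so they can no longer be re-enabled as written. Delete them or replace them with a sentence stating the intent. Separately, the overlap test still uses `start + size + PAGE_SIZE` while the mapping is now created with `PAGE_ALIGN(size)`, so the range checked is up to a page larger than the range mapped. A short comment saying the extra page is deliberate, if it is, would help the next reader. load_elf_binary() starts and ends outside the hunk.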
@@ -45959,7 +46019,7 @@ index 8dd615c..60fbfd2 100644 goto whole; /* -@@ -1354,9 +1799,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1354,9 +1800,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -45971,7 +46031,7 @@ index 8dd615c..60fbfd2 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1851,14 +2296,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -1851,14 +2297,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -45988,7 +46048,7 @@ index 8dd615c..60fbfd2 100644 return size; } -@@ -1952,7 +2397,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1952,7 +2398,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -45997,7 +46057,7 @@ index 8dd615c..60fbfd2 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -1966,10 +2411,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1966,10 +2412,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -46010,7 +46070,7 @@ index 8dd615c..60fbfd2 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -1983,7 +2430,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1983,7 +2431,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; 
@@ -46019,7 +46079,7 @@ index 8dd615c..60fbfd2 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -1994,6 +2441,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1994,6 +2442,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -46027,7 +46087,7 @@ index 8dd615c..60fbfd2 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2018,7 +2466,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2018,7 +2467,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -46036,7 +46096,7 @@ index 8dd615c..60fbfd2 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2027,6 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2027,6 +2476,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -46044,7 +46104,7 @@ index 8dd615c..60fbfd2 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2044,6 +2493,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2044,6 +2494,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -46052,7 +46112,7 @@ index 8dd615c..60fbfd2 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2064,6 +2514,97 @@ out: +@@ -2064,6 +2515,97 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -47233,7 +47293,7 @@ index 451b9b8..12e5a03 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 312e297..4814b4e 100644 +index 312e297..6fe2fe2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,34 @@ 
@@ -47345,28 +47405,22 @@ index 312e297..4814b4e 100644 return 0; err: up_write(&mm->mmap_sem); -@@ -396,19 +432,7 @@ err: - return err; - } - --struct user_arg_ptr { --#ifdef CONFIG_COMPAT -- bool is_compat; --#endif -- union { -- const char __user *const __user *native; --#ifdef CONFIG_COMPAT +@@ -403,12 +439,12 @@ struct user_arg_ptr { + union { + const char __user *const __user *native; + #ifdef CONFIG_COMPAT - compat_uptr_t __user *compat; --#endif -- } ptr; --}; -- ++ const compat_uptr_t __user *compat; + #endif + } ptr; + }; + -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) +const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) { const char __user *native; -@@ -417,14 +441,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) +@@ -417,14 +453,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) compat_uptr_t compat; if (get_user(compat, argv.ptr.compat + nr)) @@ -47383,7 +47437,7 @@ index 312e297..4814b4e 100644 return native; } -@@ -443,11 +467,12 @@ static int count(struct user_arg_ptr argv, int max) +@@ -443,11 +479,12 @@ static int count(struct user_arg_ptr argv, int max) if (!p) break; @@ -47398,7 +47452,7 @@ index 312e297..4814b4e 100644 if (fatal_signal_pending(current)) return -ERESTARTNOHAND; -@@ -477,7 +502,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, +@@ -477,7 +514,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, ret = -EFAULT; str = get_user_arg_ptr(argv, argc); @@ -47407,7 +47461,7 @@ index 312e297..4814b4e 100644 goto out; len = strnlen_user(str, MAX_ARG_STRLEN); -@@ -559,7 +584,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, +@@ -559,7 +596,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, int r; mm_segment_t oldfs = get_fs(); struct user_arg_ptr argv = { 
@@ -47416,7 +47470,7 @@ index 312e297..4814b4e 100644 }; set_fs(KERNEL_DS); -@@ -594,7 +619,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -594,7 +631,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) unsigned long new_end = old_end - shift; struct mmu_gather tlb; @@ -47426,7 +47480,7 @@ index 312e297..4814b4e 100644 /* * ensure there are no vmas between where we want to go -@@ -603,6 +629,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -603,6 +641,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) if (vma != find_vma(mm, new_start)) return -EFAULT; @@ -47437,7 +47491,7 @@ index 312e297..4814b4e 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -683,10 +713,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -683,10 +725,6 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -47448,7 +47502,7 @@ index 312e297..4814b4e 100644 stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; -@@ -698,8 +724,28 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -698,8 +736,28 @@ int setup_arg_pages(struct linux_binprm *bprm, bprm->exec -= stack_shift; down_write(&mm->mmap_sem); @@ -47477,7 +47531,7 @@ index 312e297..4814b4e 100644 /* * Adjust stack execute permissions; explicitly enable for * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone -@@ -718,13 +764,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -718,13 +776,6 @@ int setup_arg_pages(struct linux_binprm *bprm, goto out_unlock; BUG_ON(prev != vma); 
@@ -47491,12 +47545,12 @@ index 312e297..4814b4e 100644 /* mprotect_fixup is overkill to remove the temporary stack flags */ vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; -@@ -748,6 +787,27 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -748,6 +799,27 @@ int setup_arg_pages(struct linux_binprm *bprm, #endif current->mm->start_stack = bprm->p; ret = expand_stack(vma, stack_base); + -+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR) ++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP) + if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) { + unsigned long size, flags, vm_flags; + @@ -47509,7 +47563,7 @@ index 312e297..4814b4e 100644 +#ifdef CONFIG_X86 + if (!ret) { + size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT)); -+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0); ++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0); + } +#endif + @@ -47519,7 +47573,7 @@ index 312e297..4814b4e 100644 if (ret) ret = -EFAULT; -@@ -782,6 +842,8 @@ struct file *open_exec(const char *name) +@@ -782,6 +854,8 @@ struct file *open_exec(const char *name) fsnotify_open(file); @@ -47528,7 +47582,7 @@ index 312e297..4814b4e 100644 err = deny_write_access(file); if (err) goto exit; -@@ -805,7 +867,7 @@ int kernel_read(struct file *file, loff_t offset, +@@ -805,7 +879,7 @@ int kernel_read(struct file *file, loff_t offset, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -47537,7 +47591,7 @@ index 312e297..4814b4e 100644 set_fs(old_fs); return result; } -@@ -1070,6 +1132,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) +@@ -1070,6 +1144,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) perf_event_comm(tsk); } 
@@ -47559,7 +47613,7 @@ index 312e297..4814b4e 100644 int flush_old_exec(struct linux_binprm * bprm) { int retval; -@@ -1084,6 +1161,7 @@ int flush_old_exec(struct linux_binprm * bprm) +@@ -1084,6 +1173,7 @@ int flush_old_exec(struct linux_binprm * bprm) set_mm_exe_file(bprm->mm, bprm->file); @@ -47567,7 +47621,7 @@ index 312e297..4814b4e 100644 /* * Release all of the old mmap stuff */ -@@ -1116,10 +1194,6 @@ EXPORT_SYMBOL(would_dump); +@@ -1116,10 +1206,6 @@ EXPORT_SYMBOL(would_dump); void setup_new_exec(struct linux_binprm * bprm) { @@ -47578,7 +47632,7 @@ index 312e297..4814b4e 100644 arch_pick_mmap_layout(current->mm); /* This is the point of no return */ -@@ -1130,18 +1204,7 @@ void setup_new_exec(struct linux_binprm * bprm) +@@ -1130,18 +1216,7 @@ void setup_new_exec(struct linux_binprm * bprm) else set_dumpable(current->mm, suid_dumpable); @@ -47598,7 +47652,7 @@ index 312e297..4814b4e 100644 /* Set the new mm task size. We have to do that late because it may * depend on TIF_32BIT which is only updated in flush_thread() on -@@ -1266,7 +1329,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1266,7 +1341,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -47607,7 +47661,7 @@ index 312e297..4814b4e 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1461,6 +1524,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +@@ -1461,6 +1536,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); 
@@ -47633,10 +47687,13 @@ index 312e297..4814b4e 100644 +static inline void increment_exec_counter(void) {} +#endif + ++extern void gr_handle_exec_args(struct linux_binprm *bprm, ++ struct user_arg_ptr argv); ++ /* * sys_execve() executes a new program. */ -@@ -1469,6 +1554,11 @@ static int do_execve_common(const char *filename, +@@ -1469,6 +1569,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -47648,7 +47705,7 @@ index 312e297..4814b4e 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1476,6 +1566,8 @@ static int do_execve_common(const char *filename, +@@ -1476,6 +1581,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -47657,7 +47714,7 @@ index 312e297..4814b4e 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1516,12 +1608,27 @@ static int do_execve_common(const char *filename, +@@ -1516,12 +1623,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -47685,7 +47742,7 @@ index 312e297..4814b4e 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1538,24 +1645,65 @@ static int do_execve_common(const char *filename, +@@ -1538,24 +1660,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -47755,7 +47812,7 @@ index 312e297..4814b4e 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1564,6 +1712,14 @@ static int do_execve_common(const char *filename, +@@ -1564,6 +1727,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; 
@@ -47770,7 +47827,7 @@ index 312e297..4814b4e 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1637,7 +1793,7 @@ static int expand_corename(struct core_name *cn) +@@ -1637,7 +1808,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -47779,7 +47836,7 @@ index 312e297..4814b4e 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1734,7 +1890,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1734,7 +1905,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -47788,7 +47845,7 @@ index 312e297..4814b4e 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1831,6 +1987,250 @@ out: +@@ -1831,6 +2002,250 @@ out: return ispipe; } @@ -48039,7 +48096,7 @@ index 312e297..4814b4e 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2004,17 +2404,17 @@ static void coredump_finish(struct mm_struct *mm) +@@ -2004,17 +2419,17 @@ static void coredump_finish(struct mm_struct *mm) void set_dumpable(struct mm_struct *mm, int value) { switch (value) { @@ -48060,7 +48117,7 @@ index 312e297..4814b4e 100644 set_bit(MMF_DUMP_SECURELY, &mm->flags); smp_wmb(); set_bit(MMF_DUMPABLE, &mm->flags); -@@ -2027,7 +2427,7 @@ static int __get_dumpable(unsigned long mm_flags) +@@ -2027,7 +2442,7 @@ static int __get_dumpable(unsigned long mm_flags) int ret; ret = mm_flags & MMF_DUMPABLE_MASK; @@ -48069,7 +48126,7 @@ index 312e297..4814b4e 100644 } int get_dumpable(struct mm_struct *mm) -@@ -2042,17 +2442,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2042,17 +2457,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); 
@@ -48092,7 +48149,7 @@ index 312e297..4814b4e 100644 pipe_unlock(pipe); } -@@ -2113,7 +2513,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2113,7 +2528,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; @@ -48102,7 +48159,7 @@ index 312e297..4814b4e 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2128,6 +2529,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2128,6 +2544,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -48112,7 +48169,7 @@ index 312e297..4814b4e 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2138,14 +2542,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2138,14 +2557,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) if (!cred) goto fail; /* @@ -48133,7 +48190,7 @@ index 312e297..4814b4e 100644 } retval = coredump_wait(exit_code, &core_state); -@@ -2195,7 +2601,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2195,7 +2616,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -48142,7 +48199,7 @@ index 312e297..4814b4e 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2222,9 +2628,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2222,9 +2643,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -48162,7 +48219,7 @@ index 312e297..4814b4e 100644 cprm.file = filp_open(cn.corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); -@@ -2265,7 +2681,7 @@ close_fail: +@@ -2265,7 +2696,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) 
@@ -48171,7 +48228,7 @@ index 312e297..4814b4e 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2284,7 +2700,7 @@ fail: +@@ -2284,7 +2715,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -48210,6 +48267,28 @@ index a203892..4e64db5 100644 return 0; } return 1; +diff --git a/fs/ext3/super.c b/fs/ext3/super.c +index 922d289..b7f314f 100644 +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -374,7 +374,7 @@ static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb) + return bdev; + + fail: +- ext3_msg(sb, "error: failed to open journal device %s: %ld", ++ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld", + __bdevname(dev, b), PTR_ERR(bdev)); + + return NULL; +@@ -902,7 +902,7 @@ static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb) + /*todo: use simple_strtoll with >32bit ext3 */ + sb_block = simple_strtoul(options, &options, 0); + if (*options && *options != ',') { +- ext3_msg(sb, "error: invalid sb specification: %s", ++ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s", + (char *) *data); + return 1; + } diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c index 484ffee..08d7602 100644 --- a/fs/ext4/balloc.c @@ -50251,7 +50330,7 @@ index fcc50ab..c3dacf26 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 9680cef..d943724 100644 +index 9680cef..36c9152 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask) 
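Review bot: Nothing in this hunk keeps the next ext3_msg() caller from omitting the prefix argument again. If the prototype (outside this hunk) is not already annotated, marking it `__printf(3, 4)` would let the compiler flag such calls. At both sites fixed here, ext3_blkdev_get() and get_sb_block(), the message text was being passed where the log-level prefix belongs, which moved the device name from `__bdevname()` and the mount option string into the format position. Since the mount option string is not a fixed kernel literal, the annotation is worth having as a guard.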
@@ -50344,17 +50423,11 @@ index 9680cef..d943724 100644 put_link(nd, &link, cookie); } } -@@ -1624,6 +1644,19 @@ static int path_lookupat(int dfd, const char *name, +@@ -1624,6 +1644,13 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); + if (!err && !(nd->flags & LOOKUP_PARENT)) { -+#ifdef CONFIG_GRKERNSEC -+ if (flags & LOOKUP_RCU) { -+ path_put(&nd->path); -+ err = -ECHILD; -+ } else -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + path_put(&nd->path); + err = -ENOENT; @@ -50364,23 +50437,20 @@ index 9680cef..d943724 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) { if (!nd->inode->i_op->lookup) { path_put(&nd->path); -@@ -1651,6 +1684,15 @@ static int do_path_lookup(int dfd, const char *name, - retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd); - - if (likely(!retval)) { +@@ -1655,6 +1682,12 @@ static int do_path_lookup(int dfd, const char *name, + if (nd->path.dentry && nd->inode) + audit_inode(name, nd->path.dentry); + } + if (*name != '/' && nd->path.dentry && nd->inode) { -+#ifdef CONFIG_GRKERNSEC -+ if (flags & LOOKUP_RCU) -+ return -ECHILD; -+#endif -+ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) ++ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) { ++ path_put(&nd->path); + return -ENOENT; ++ } + } -+ - if (unlikely(!audit_dummy_context())) { - if (nd->path.dentry && nd->inode) - audit_inode(name, nd->path.dentry); -@@ -1784,7 +1826,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) + } + return retval; + } +@@ -1784,7 +1817,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) if (!len) return ERR_PTR(-EACCES); 
@@ -50394,7 +50464,7 @@ index 9680cef..d943724 100644 while (len--) { c = *(const unsigned char *)name++; if (c == '/' || c == '\0') -@@ -2048,6 +2096,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2048,6 +2087,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -50408,7 +50478,7 @@ index 9680cef..d943724 100644 return 0; } -@@ -2083,7 +2138,7 @@ static inline int open_to_namei_flags(int flag) +@@ -2083,7 +2129,7 @@ static inline int open_to_namei_flags(int flag) /* * Handle the last step of open() */ @@ -50417,16 +50487,10 @@ index 9680cef..d943724 100644 const struct open_flags *op, const char *pathname) { struct dentry *dir = nd->path.dentry; -@@ -2109,16 +2164,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2109,16 +2155,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return ERR_PTR(error); -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto exit; -+ } -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + error = -ENOENT; + goto exit; @@ -50445,12 +50509,6 @@ index 9680cef..d943724 100644 error = complete_walk(nd); if (error) return ERR_PTR(error); -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto exit; -+ } -+#endif + if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) { + error = -ENOENT; + goto exit; @@ -50462,7 +50520,7 @@ index 9680cef..d943724 100644 audit_inode(pathname, dir); goto ok; } -@@ -2134,18 +2217,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2134,18 +2196,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path, !symlink_ok); if (error < 0) return ERR_PTR(error); 
@@ -50478,12 +50536,6 @@ index 9680cef..d943724 100644 error = complete_walk(nd); if (error) return ERR_PTR(error); -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto exit; -+ } -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + error = -ENOENT; + goto exit; @@ -50501,7 +50553,7 @@ index 9680cef..d943724 100644 audit_inode(pathname, nd->path.dentry); goto ok; } -@@ -2180,6 +2282,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2180,6 +2255,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode) { int mode = op->mode; @@ -50519,7 +50571,7 @@ index 9680cef..d943724 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2203,6 +2316,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2203,6 +2289,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = vfs_create(dir->d_inode, dentry, mode, nd); if (error) goto exit_mutex_unlock; @@ -50528,7 +50580,7 @@ index 9680cef..d943724 100644 mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); nd->path.dentry = dentry; -@@ -2212,6 +2327,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2212,6 +2300,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* * It already exists. */ @@ -50548,7 +50600,7 @@ index 9680cef..d943724 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path->dentry); -@@ -2230,11 +2358,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2230,11 +2331,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, if (!path->dentry->d_inode) goto exit_dput; 
@@ -50567,7 +50619,7 @@ index 9680cef..d943724 100644 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ error = complete_walk(nd); if (error) -@@ -2242,6 +2376,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2242,6 +2349,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = -EISDIR; if (S_ISDIR(nd->inode->i_mode)) goto exit; @@ -50580,7 +50632,7 @@ index 9680cef..d943724 100644 ok: if (!S_ISREG(nd->inode->i_mode)) will_truncate = 0; -@@ -2314,7 +2454,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2314,7 +2427,7 @@ static struct file *path_openat(int dfd, const char *pathname, if (unlikely(error)) goto out_filp; @@ -50589,7 +50641,7 @@ index 9680cef..d943724 100644 while (unlikely(!filp)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2329,8 +2469,9 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2329,8 +2442,9 @@ static struct file *path_openat(int dfd, const char *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) filp = ERR_PTR(error); @@ -50601,7 +50653,7 @@ index 9680cef..d943724 100644 put_link(nd, &link, cookie); } out: -@@ -2424,6 +2565,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -2424,6 +2538,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path *path = nd.path; return dentry; eexist: @@ -50613,7 +50665,7 @@ index 9680cef..d943724 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2446,6 +2592,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -2446,6 +2565,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); 
@@ -50634,7 +50686,7 @@ index 9680cef..d943724 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -2513,6 +2673,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2513,6 +2646,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -50652,7 +50704,7 @@ index 9680cef..d943724 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out_drop_write; -@@ -2530,6 +2701,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2530,6 +2674,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(path.mnt); @@ -50662,7 +50714,7 @@ index 9680cef..d943724 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2579,12 +2753,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2579,12 +2726,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -50684,7 +50736,7 @@ index 9680cef..d943724 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2664,6 +2847,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2664,6 +2820,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -50693,7 +50745,7 @@ index 9680cef..d943724 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2692,6 +2877,15 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2692,6 +2850,15 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } 
@@ -50709,7 +50761,7 @@ index 9680cef..d943724 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2699,6 +2893,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2699,6 +2866,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); @@ -50718,7 +50770,7 @@ index 9680cef..d943724 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2761,6 +2957,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2761,6 +2930,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -50727,7 +50779,7 @@ index 9680cef..d943724 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2783,6 +2981,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2783,6 +2954,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (!inode) goto slashes; ihold(inode); @@ -50744,7 +50796,7 @@ index 9680cef..d943724 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2790,6 +2998,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2790,6 +2971,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -50753,7 +50805,7 @@ index 9680cef..d943724 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2865,10 +3075,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2865,10 +3048,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, error = mnt_want_write(path.mnt); if (error) goto out_dput; 
@@ -50772,7 +50824,7 @@ index 9680cef..d943724 100644 out_drop_write: mnt_drop_write(path.mnt); out_dput: -@@ -2940,6 +3158,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2940,6 +3131,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -50780,7 +50832,7 @@ index 9680cef..d943724 100644 int how = 0; int error; -@@ -2963,7 +3182,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2963,7 +3155,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) return error; @@ -50789,7 +50841,7 @@ index 9680cef..d943724 100644 error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out; -@@ -2974,13 +3193,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2974,13 +3166,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = mnt_want_write(new_path.mnt); if (error) goto out_dput; @@ -50820,7 +50872,7 @@ index 9680cef..d943724 100644 dput(new_dentry); mutex_unlock(&new_path.dentry->d_inode->i_mutex); path_put(&new_path); -@@ -3208,6 +3444,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3208,6 +3417,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -50833,7 +50885,7 @@ index 9680cef..d943724 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -3217,6 +3459,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3217,6 +3432,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); 
@@ -50843,7 +50895,7 @@ index 9680cef..d943724 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -3242,6 +3487,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3242,6 +3460,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -50852,7 +50904,7 @@ index 9680cef..d943724 100644 int len; len = PTR_ERR(link); -@@ -3251,7 +3498,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3251,7 +3471,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -54756,10 +54808,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..740ce0b +index 0000000..e3890d0 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4212 @@ +@@ -0,0 +1,4216 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -54785,6 +54837,7 @@ index 0000000..740ce0b +#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> ++#include <linux/posix-timers.h> + +#include <asm/uaccess.h> +#include <asm/errno.h> @@ -57078,6 +57131,9 @@ index 0000000..740ce0b + + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_CPU) ++ update_rlimit_cpu(task, proc->res[i].rlim_cur); + } + + return; @@ -61476,10 +61532,10 @@ index 0000000..b79fe50 +#endif diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c new file mode 100644 -index 0000000..2b05ada +index 0000000..ee1f60f --- /dev/null +++ b/grsecurity/grsec_exec.c -@@ -0,0 +1,146 @@ +@@ -0,0 +1,159 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> 
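Review bot: In the grsecurity/gracl.c hunk the new `update_rlimit_cpu(task, proc->res[i].rlim_cur);` is called for every RLIMIT_CPU value, including an unlimited one. The mainline setrlimit path, as far as I recall, skips this call when the soft limit is RLIM_INFINITY, because the value is converted to a CPU-timer expiry; if a policy can carry an unlimited CPU limit, the guard should match: `if (i == RLIMIT_CPU && proc->res[i].rlim_cur != RLIM_INFINITY)`. The enclosing loop and function start outside the hunk, so whether such a value can reach this line needs checking against the policy parser.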
@@ -61491,6 +61547,7 @@ index 0000000..2b05ada +#include <linux/grinternal.h> +#include <linux/capability.h> +#include <linux/module.h> ++#include <linux/compat.h> + +#include <asm/uaccess.h> + @@ -61499,6 +61556,18 @@ index 0000000..2b05ada +static DEFINE_MUTEX(gr_exec_arg_mutex); +#endif + ++struct user_arg_ptr { ++#ifdef CONFIG_COMPAT ++ bool is_compat; ++#endif ++ union { ++ const char __user *const __user *native; ++#ifdef CONFIG_COMPAT ++ const compat_uptr_t __user *compat; ++#endif ++ } ptr; ++}; ++ +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr); + +void @@ -64583,6 +64652,19 @@ index 04ffb2e..6799180 100644 extern struct cleancache_ops cleancache_register_ops(struct cleancache_ops *ops); +diff --git a/include/linux/compat.h b/include/linux/compat.h +index d42bd48..af682d2 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -334,7 +334,7 @@ extern int compat_ptrace_request(struct task_struct *child, + extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + compat_ulong_t addr, compat_ulong_t data); + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data); ++ compat_ulong_t addr, compat_ulong_t data); + + /* + * epoll (fs/eventpoll.c) compat bits follow ... diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h index dfadc96..23c5182 100644 --- a/include/linux/compiler-gcc4.h @@ -65990,10 +66072,10 @@ index 0000000..2bd4c8d +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..88c3d04 +index 0000000..14100e6 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,236 @@ +@@ -0,0 +1,221 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> 
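Review bot: grsecurity/grsec_exec.c now carries its own copy of `struct user_arg_ptr`, and the struct is passed by value to the `extern` get_user_arg_ptr(), so the copy has to match the definition used where that function is implemented (presumably fs/exec.c, not shown here) field for field. Nothing enforces that, and a mismatch would compile cleanly and misread the argv pointer on the compat path. At minimum add `/* must stay identical to struct user_arg_ptr in the file defining get_user_arg_ptr() */` above the struct; a shared private header would remove the duplication altogether.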
@@ -66015,20 +66097,6 @@ index 0000000..88c3d04 +#error "CONFIG_PAX enabled, but no PaX options are enabled." +#endif + -+#include <linux/compat.h> -+ -+struct user_arg_ptr { -+#ifdef CONFIG_COMPAT -+ bool is_compat; -+#endif -+ union { -+ const char __user *const __user *native; -+#ifdef CONFIG_COMPAT -+ compat_uptr_t __user *compat; -+#endif -+ } ptr; -+}; -+ +void gr_handle_brute_attach(unsigned long mm_flags); +void gr_handle_brute_check(void); +void gr_handle_kernel_exploit(void); @@ -66082,7 +66150,6 @@ index 0000000..88c3d04 + const struct vfsmount *mnt); +void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); -+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv); +void gr_log_remount(const char *devname, const int retval); +void gr_log_unmount(const char *devname, const int retval); +void gr_log_mount(const char *from, const char *to, const int retval); @@ -66626,7 +66693,7 @@ index 3797270..7765ede 100644 struct mca_bus { u64 default_dma_mask; diff --git a/include/linux/mm.h b/include/linux/mm.h -index 4baadd1..8699dc0 100644 +index 4baadd1..8745271 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -115,7 +115,14 @@ extern unsigned int kobjsize(const void *objp); 
@@ -66794,7 +66861,19 @@ index 4baadd1..8699dc0 100644 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr); int remap_pfn_range(struct vm_area_struct *, unsigned long addr, unsigned long pfn, unsigned long size, pgprot_t); -@@ -1614,7 +1625,7 @@ extern int unpoison_memory(unsigned long pfn); +@@ -1534,6 +1545,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long); + static inline void vm_stat_account(struct mm_struct *mm, + unsigned long flags, struct file *file, long pages) + { ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + } + #endif /* CONFIG_PROC_FS */ + +@@ -1614,7 +1630,7 @@ extern int unpoison_memory(unsigned long pfn); extern int sysctl_memory_failure_early_kill; extern int sysctl_memory_failure_recovery; extern void shake_page(struct page *p, int access); @@ -66803,7 +66882,7 @@ index 4baadd1..8699dc0 100644 extern int soft_offline_page(struct page *page, int flags); extern void dump_page(struct page *page); -@@ -1628,5 +1639,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src, +@@ -1628,5 +1644,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src, unsigned int pages_per_huge_page); #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */ @@ -66816,7 +66895,7 @@ index 4baadd1..8699dc0 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 5b42f1b..9782147 100644 +index 5b42f1b..759e4b4 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -253,6 +253,8 @@ struct vm_area_struct { 
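Review bot: The added `#ifdef CONFIG_PAX_RANDMMAP` / `if (...)` in the inline vm_stat_account() governs `mm->total_vm += pages;` across a blank line and without braces, so the controlled statement is easy to misread, and a line inserted between them would silently become the guarded one. The same construct is added in the mm/mmap.c hunks, where it guards `if (flags & (VM_RESERVED|VM_IO))` in vm_stat_account() and the may_expand_vm() check in mmap_region(). A small predicate helper (suggested name `pax_vma_accounted(mm, flags)`, returning true when RANDMMAP is off or any VM_MAY* bit is set) would let each site read as an ordinary braced `if` with no preprocessor lines in the function body.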
@@ -66828,15 +66907,6 @@ index 5b42f1b..9782147 100644 }; struct core_thread { -@@ -327,7 +329,7 @@ struct mm_struct { - unsigned long def_flags; - unsigned long nr_ptes; /* Page table pages */ - unsigned long start_code, end_code, start_data, end_data; -- unsigned long start_brk, brk, start_stack; -+ unsigned long brk_gap, start_brk, brk, start_stack; - unsigned long arg_start, arg_end, env_start, env_end; - - unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ @@ -389,6 +391,24 @@ struct mm_struct { #ifdef CONFIG_CPUMASK_OFFSTACK struct cpumask cpumask_allocation; @@ -69741,7 +69811,7 @@ index 2531811..040d4d4 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index 5d0eb1d..7b1084c 100644 +index 5d0eb1d..b462edb 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -69843,15 +69913,7 @@ index 5d0eb1d..7b1084c 100644 } return ret; -@@ -707,12 +765,22 @@ int __init_or_module do_one_initcall(initcall_t fn) - - extern initcall_t __initcall_start[], __initcall_end[], __early_initcall_end[]; - -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+u64 latent_entropy; -+#endif -+ - static void __init do_initcalls(void) +@@ -711,8 +769,14 @@ static void __init do_initcalls(void) { initcall_t *fn; @@ -69859,15 +69921,15 @@ index 5d0eb1d..7b1084c 100644 + for (fn = __early_initcall_end; fn < __initcall_end; fn++) { do_one_initcall(*fn); + -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); ++#ifdef LATENT_ENTROPY_PLUGIN ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); +#endif + + } } /* -@@ -738,8 +806,14 @@ static void __init do_pre_smp_initcalls(void) +@@ -738,8 +802,14 @@ static void __init do_pre_smp_initcalls(void) { initcall_t *fn; 
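Review bot: In do_initcalls() the guard changes from the Kconfig symbol `CONFIG_PAX_LATENT_ENTROPY` to the bare macro `LATENT_ENTROPY_PLUGIN`, and nothing in the hunk shows where that macro is defined; if it is not defined when init/main.c is compiled, the add_device_randomness() call silently compiles out. The new `(const void *)` cast also suggests latent_entropy is now declared elsewhere with a qualifier the callee does not accept (possibly volatile), which the cast discards. A short comment naming the source of the macro and of the declaration would help; the same lines are added to do_pre_smp_initcalls() in the following hunk.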
@@ -69875,15 +69937,15 @@ index 5d0eb1d..7b1084c 100644 + for (fn = __initcall_start; fn < __early_initcall_end; fn++) { do_one_initcall(*fn); + -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); ++#ifdef LATENT_ENTROPY_PLUGIN ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); +#endif + + } } static void run_init_process(const char *init_filename) -@@ -821,7 +895,7 @@ static int __init kernel_init(void * unused) +@@ -821,7 +891,7 @@ static int __init kernel_init(void * unused) do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ @@ -69892,7 +69954,7 @@ index 5d0eb1d..7b1084c 100644 printk(KERN_WARNING "Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -834,11 +908,13 @@ static int __init kernel_init(void * unused) +@@ -834,11 +904,13 @@ static int __init kernel_init(void * unused) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; @@ -70831,7 +70893,7 @@ index 234e152..0ae0243 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index ce0c182..07a5f7a 100644 +index ce0c182..2d6bd03 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -270,19 +270,24 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) 
@@ -70955,17 +71017,18 @@ index ce0c182..07a5f7a 100644 mm->map_count = 0; cpumask_clear(mm_cpumask(mm)); mm->mm_rb = RB_ROOT; -@@ -341,8 +411,6 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -341,63 +411,16 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) prev = NULL; for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) { - struct file *file; - if (mpnt->vm_flags & VM_DONTCOPY) { - long pages = vma_pages(mpnt); - mm->total_vm -= pages; -@@ -350,54 +418,11 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) - -pages); +- long pages = vma_pages(mpnt); +- mm->total_vm -= pages; + vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file, +- -pages); ++ -vma_pages(mpnt)); continue; } - charge = 0; @@ -71023,7 +71086,7 @@ index ce0c182..07a5f7a 100644 /* * Link in the new vma and copy the page table entries. -@@ -420,6 +445,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -420,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; } @@ -71055,7 +71118,7 @@ index ce0c182..07a5f7a 100644 /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); retval = 0; -@@ -428,14 +478,6 @@ out: +@@ -428,14 +476,6 @@ out: flush_tlb_mm(oldmm); up_write(&oldmm->mmap_sem); return retval; @@ -71070,7 +71133,7 @@ index ce0c182..07a5f7a 100644 } static inline int mm_alloc_pgd(struct mm_struct *mm) -@@ -647,6 +689,26 @@ struct mm_struct *get_task_mm(struct task_struct *task) +@@ -647,6 +687,26 @@ struct mm_struct *get_task_mm(struct task_struct *task) } EXPORT_SYMBOL_GPL(get_task_mm); 
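Review bot: In dup_mmap() the new argument `-vma_pages(mpnt)` negates an unsigned value and relies on the conversion to vm_stat_account()'s `long pages` parameter to yield the negative count, where the removed code negated a `long` local. vma_pages() returns unsigned long in the kernels I know; if that holds for this tree, `-(long)vma_pages(mpnt)` states the intent without depending on wrap-around. dup_mmap() starts and ends outside the hunk.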
@@ -71097,7 +71160,7 @@ index ce0c182..07a5f7a 100644 /* Please note the differences between mmput and mm_release. * mmput is called whenever we stop holding onto a mm_struct, * error success whatever. -@@ -832,13 +894,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) +@@ -832,13 +892,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) spin_unlock(&fs->lock); return -EAGAIN; } @@ -71119,7 +71182,7 @@ index ce0c182..07a5f7a 100644 return 0; } -@@ -1104,6 +1173,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1104,6 +1171,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -71129,7 +71192,7 @@ index ce0c182..07a5f7a 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1341,6 +1413,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1341,6 +1411,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } @@ -71141,7 +71204,7 @@ index ce0c182..07a5f7a 100644 if (clone_flags & CLONE_THREAD) { current->signal->nr_threads++; atomic_inc(¤t->signal->live); -@@ -1421,6 +1498,8 @@ bad_fork_cleanup_count: +@@ -1421,6 +1496,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -71150,7 +71213,7 @@ index ce0c182..07a5f7a 100644 return ERR_PTR(retval); } -@@ -1521,6 +1600,8 @@ long do_fork(unsigned long clone_flags, +@@ -1521,6 +1598,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); 
@@ -71159,7 +71222,7 @@ index ce0c182..07a5f7a 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1630,7 +1711,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1630,7 +1709,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -71168,7 +71231,7 @@ index ce0c182..07a5f7a 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1719,7 +1800,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1719,7 +1798,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -73029,7 +73092,7 @@ index 76b8e77..a2930e8 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 67fedad..5333587 100644 +index 67fedad..32d32a04 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state) @@ -73154,6 +73217,15 @@ index 67fedad..5333587 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, +@@ -1050,7 +1075,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, + } + + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data) ++ compat_ulong_t addr, compat_ulong_t data) + { + struct task_struct *child; + long ret; @@ -1066,14 +1091,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } @@ -77223,7 +77295,7 @@ index 4f4f53b..de8e432 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index eae90af..0704837 100644 +index eae90af..b3c47a1 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -30,6 +30,7 @@ 
@@ -77423,13 +77495,19 @@ index eae90af..0704837 100644 if (err) return NULL; khugepaged_enter_vma_merge(area); -@@ -921,14 +1002,11 @@ none: +@@ -921,15 +1002,22 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { - const unsigned long stack_flags - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN); -- ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + if (file) { mm->shared_vm += pages; if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC) @@ -77437,9 +77515,13 @@ index eae90af..0704837 100644 - } else if (flags & stack_flags) + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN)) mm->stack_vm += pages; ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; -@@ -955,7 +1033,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, + } +@@ -955,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -77448,7 +77530,7 @@ index eae90af..0704837 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -981,7 +1059,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -981,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ 
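Review bot: With `mm->total_vm += pages;` now inside vm_stat_account(), any caller that still adjusts `mm->total_vm` itself next to a vm_stat_account() call would count those pages twice. This revision converts mmap_region() (its `mm->total_vm += len >> PAGE_SHIFT;` line is dropped) and dup_mmap(); the remaining callers are outside what is shown here and are worth checking across mm/. A comment at the top of the function, `/* also accounts total_vm; callers must not adjust it separately */`, would record the new contract.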
@@ -77457,7 +77539,7 @@ index eae90af..0704837 100644 if (addr & ~PAGE_MASK) return addr; -@@ -992,6 +1070,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -992,6 +1080,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -77494,7 +77576,7 @@ index eae90af..0704837 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1003,6 +1111,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1003,6 +1121,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -77502,7 +77584,7 @@ index eae90af..0704837 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1073,6 +1182,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1073,6 +1192,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; @@ -77512,7 +77594,7 @@ index eae90af..0704837 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1153,7 +1265,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1153,7 +1275,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) vm_flags_t vm_flags = vma->vm_flags; /* If it was private or non-writable, the write bit is already clear */ @@ -77521,7 +77603,7 @@ index eae90af..0704837 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1202,14 +1314,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1202,17 +1324,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; 
@@ -77548,7 +77630,15 @@ index eae90af..0704837 100644 } /* Check against address space limit. */ -@@ -1258,6 +1380,16 @@ munmap_back: ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ + if (!may_expand_vm(mm, len >> PAGE_SHIFT)) + return -ENOMEM; + +@@ -1258,6 +1395,16 @@ munmap_back: goto unacct_error; } @@ -77565,7 +77655,7 @@ index eae90af..0704837 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1266,8 +1398,9 @@ munmap_back: +@@ -1266,8 +1413,9 @@ munmap_back: vma->vm_pgoff = pgoff; INIT_LIST_HEAD(&vma->anon_vma_chain); @@ -77576,7 +77666,7 @@ index eae90af..0704837 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1281,6 +1414,19 @@ munmap_back: +@@ -1281,6 +1429,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -77596,7 +77686,7 @@ index eae90af..0704837 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1293,6 +1439,8 @@ munmap_back: +@@ -1293,6 +1454,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { @@ -77605,7 +77695,7 @@ index eae90af..0704837 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1316,6 +1464,11 @@ munmap_back: +@@ -1316,14 +1479,19 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; 
@@ -77617,15 +77707,16 @@ index eae90af..0704837 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1324,6 +1477,7 @@ out: + out: + perf_event_mmap(vma); - mm->total_vm += len >> PAGE_SHIFT; +- mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); + track_exec_limit(mm, addr, addr + len, vm_flags); if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1341,6 +1495,12 @@ unmap_and_free_vma: +@@ -1341,6 +1509,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -77638,7 +77729,7 @@ index eae90af..0704837 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1348,6 +1508,62 @@ unacct_error: +@@ -1348,6 +1522,62 @@ unacct_error: return error; } @@ -77701,7 +77792,7 @@ index eae90af..0704837 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1367,6 +1583,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1367,6 +1597,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long start_addr; @@ -77709,7 +77800,7 @@ index eae90af..0704837 100644 if (len > TASK_SIZE) return -ENOMEM; -@@ -1374,18 +1591,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1374,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -77740,7 +77831,7 @@ index eae90af..0704837 100644 } full_search: -@@ -1396,34 +1618,40 @@ full_search: +@@ -1396,34 +1632,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ 
@@ -77792,7 +77883,7 @@ index eae90af..0704837 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1441,7 +1669,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1441,7 +1683,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -77802,7 +77893,7 @@ index eae90af..0704837 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1450,13 +1679,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1450,13 +1693,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -77825,7 +77916,7 @@ index eae90af..0704837 100644 } /* check if free_area_cache is useful for us */ -@@ -1471,7 +1705,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1471,7 +1719,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -77834,7 +77925,7 @@ index eae90af..0704837 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1488,7 +1722,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1488,7 +1736,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -77843,7 +77934,7 @@ index eae90af..0704837 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1497,8 +1731,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1497,8 +1745,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ 
@@ -77854,7 +77945,7 @@ index eae90af..0704837 100644 bottomup: /* -@@ -1507,13 +1741,21 @@ bottomup: +@@ -1507,13 +1755,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -77878,7 +77969,7 @@ index eae90af..0704837 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1522,6 +1764,12 @@ bottomup: +@@ -1522,6 +1778,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -77891,7 +77982,7 @@ index eae90af..0704837 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1529,8 +1777,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1529,8 +1791,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -77903,7 +77994,7 @@ index eae90af..0704837 100644 } unsigned long -@@ -1603,40 +1853,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1603,40 +1867,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -77979,7 +78070,7 @@ index eae90af..0704837 100644 /* * Verify that the stack growth is acceptable and -@@ -1654,6 +1914,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1654,6 +1928,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -77987,7 +78078,7 @@ index eae90af..0704837 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -1664,6 +1925,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1664,6 +1939,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; 
@@ -77995,7 +78086,15 @@ index eae90af..0704837 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1694,37 +1956,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1682,7 +1958,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns + return -ENOMEM; + + /* Ok, everything looks good - let it rip */ +- mm->total_vm += grow; + if (vma->vm_flags & VM_LOCKED) + mm->locked_vm += grow; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow); +@@ -1694,37 +1969,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -78053,7 +78152,7 @@ index eae90af..0704837 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1739,6 +2012,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1739,6 +2025,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -78062,7 +78161,7 @@ index eae90af..0704837 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); return error; -@@ -1752,6 +2027,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1752,6 +2040,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -78071,7 +78170,7 @@ index eae90af..0704837 100644 /* * We must make sure the anon_vma is allocated -@@ -1765,6 +2042,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1765,6 +2055,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -78087,7 +78186,7 @@ index eae90af..0704837 100644 vma_lock_anon_vma(vma); /* -@@ -1774,9 +2060,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1774,9 +2073,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ 
@@ -78106,7 +78205,7 @@ index eae90af..0704837 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1786,18 +2080,48 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1786,18 +2093,48 @@ int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -78155,7 +78254,7 @@ index eae90af..0704837 100644 return expand_upwards(vma, address); } -@@ -1820,6 +2144,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) +@@ -1820,6 +2157,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) #else int expand_stack(struct vm_area_struct *vma, unsigned long address) { @@ -78170,10 +78269,11 @@ index eae90af..0704837 100644 return expand_downwards(vma, address); } -@@ -1860,6 +2192,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1860,7 +2205,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); +- mm->total_vm -= nrpages; +#ifdef CONFIG_PAX_SEGMEXEC + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) { + vma = remove_vma(vma); @@ -78181,10 +78281,10 @@ index eae90af..0704837 100644 + } +#endif + - mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1905,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + } while (vma); +@@ -1905,6 +2256,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { 
@@ -78201,7 +78301,7 @@ index eae90af..0704837 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1933,14 +2282,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1933,14 +2294,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -78235,7 +78335,7 @@ index eae90af..0704837 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1953,6 +2321,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1953,6 +2333,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -78258,7 +78358,7 @@ index eae90af..0704837 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -1978,6 +2362,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1978,6 +2374,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -78301,7 +78401,7 @@ index eae90af..0704837 100644 /* Success. */ if (!err) return 0; -@@ -1990,10 +2410,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1990,10 +2422,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, removed_exe_file_vma(mm); fput(new->vm_file); } @@ -78321,7 +78421,7 @@ index eae90af..0704837 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2006,6 +2434,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2006,6 +2446,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { 
@@ -78337,7 +78437,7 @@ index eae90af..0704837 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2017,11 +2454,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2017,11 +2466,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -78368,7 +78468,7 @@ index eae90af..0704837 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2096,6 +2552,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2096,6 +2564,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -78377,7 +78477,7 @@ index eae90af..0704837 100644 return 0; } -@@ -2108,22 +2566,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2108,22 +2578,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); @@ -78406,7 +78506,7 @@ index eae90af..0704837 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2137,6 +2591,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2137,6 +2603,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -78414,7 +78514,7 @@ index eae90af..0704837 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2148,16 +2603,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2148,16 +2615,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; 
@@ -78446,7 +78546,7 @@ index eae90af..0704837 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2174,22 +2643,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2174,22 +2655,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -78473,7 +78573,7 @@ index eae90af..0704837 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2203,7 +2672,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2203,7 +2684,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -78482,7 +78582,7 @@ index eae90af..0704837 100644 return -ENOMEM; } -@@ -2217,11 +2686,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2217,11 +2698,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -78497,7 +78597,7 @@ index eae90af..0704837 100644 return addr; } -@@ -2268,8 +2738,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2268,8 +2750,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -78509,7 +78609,7 @@ index eae90af..0704837 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2283,6 +2755,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2283,6 +2767,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; 
@@ -78523,7 +78623,7 @@ index eae90af..0704837 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2305,7 +2784,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2305,7 +2796,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -78546,7 +78646,7 @@ index eae90af..0704837 100644 return 0; } -@@ -2323,6 +2817,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2323,6 +2829,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -78555,7 +78655,7 @@ index eae90af..0704837 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2373,6 +2869,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2373,6 +2881,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -78595,20 +78695,15 @@ index eae90af..0704837 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2384,6 +2913,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2384,6 +2925,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ cur -= mm->brk_gap; -+#endif -+ + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); if (cur + npages > lim) return 0; return 1; -@@ -2454,6 +2989,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2454,6 +2996,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; 
@@ -78862,7 +78957,7 @@ index 5a688a2..27e031c 100644 if (nstart < prev->vm_end) diff --git a/mm/mremap.c b/mm/mremap.c -index d6959cb..18a402a 100644 +index d6959cb..c9e1e45 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, @@ -78878,7 +78973,15 @@ index d6959cb..18a402a 100644 set_pte_at(mm, new_addr, new_pte, pte); } -@@ -290,6 +296,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, +@@ -251,7 +257,6 @@ static unsigned long move_vma(struct vm_area_struct *vma, + * If this were a serious issue, we'd add a flag to do_munmap(). + */ + hiwater_vm = mm->hiwater_vm; +- mm->total_vm += new_len >> PAGE_SHIFT; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT); + + if (do_munmap(mm, old_addr, old_len) < 0) { +@@ -290,6 +295,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, if (is_vm_hugetlb_page(vma)) goto Einval; @@ -78890,7 +78993,7 @@ index d6959cb..18a402a 100644 /* We can't remap across vm area boundaries */ if (old_len > vma->vm_end - addr) goto Efault; -@@ -346,20 +357,25 @@ static unsigned long mremap_to(unsigned long addr, +@@ -346,20 +356,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long ret = -EINVAL; unsigned long charged = 0; unsigned long map_flags; @@ -78921,7 +79024,7 @@ index d6959cb..18a402a 100644 goto out; ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); -@@ -431,6 +447,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -431,6 +446,7 @@ unsigned long do_mremap(unsigned long addr, struct vm_area_struct *vma; unsigned long ret = -EINVAL; unsigned long charged = 0; @@ -78929,7 +79032,7 @@ index d6959cb..18a402a 100644 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) goto out; -@@ -449,6 +466,17 @@ unsigned long do_mremap(unsigned long addr, +@@ -449,6 +465,17 @@ unsigned long do_mremap(unsigned long addr, if (!new_len) goto out; 
@@ -78947,7 +79050,15 @@ index d6959cb..18a402a 100644 if (flags & MREMAP_FIXED) { if (flags & MREMAP_MAYMOVE) ret = mremap_to(addr, old_len, new_addr, new_len); -@@ -498,6 +526,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -490,7 +517,6 @@ unsigned long do_mremap(unsigned long addr, + goto out; + } + +- mm->total_vm += pages; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages); + if (vma->vm_flags & VM_LOCKED) { + mm->locked_vm += pages; +@@ -498,6 +524,7 @@ unsigned long do_mremap(unsigned long addr, addr + new_len); } ret = addr; @@ -78955,7 +79066,7 @@ index d6959cb..18a402a 100644 goto out; } } -@@ -524,7 +553,13 @@ unsigned long do_mremap(unsigned long addr, +@@ -524,7 +551,13 @@ unsigned long do_mremap(unsigned long addr, ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); if (ret) goto out; @@ -79056,10 +79167,18 @@ index 50f0824..97710b4 100644 .next = NULL, }; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 5c028e2..4f0e54f 100644 +index 5c028e2..501e1e9 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -341,7 +341,7 @@ out: +@@ -57,6 +57,7 @@ + #include <linux/ftrace_event.h> + #include <linux/memcontrol.h> + #include <linux/prefetch.h> ++#include <linux/random.h> + + #include <asm/tlbflush.h> + #include <asm/div64.h> +@@ -341,7 +342,7 @@ out: * This usage means that zero-order pages may not be compound. */ @@ -79068,7 +79187,7 @@ index 5c028e2..4f0e54f 100644 { __free_pages_ok(page, compound_order(page)); } -@@ -654,6 +654,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -654,6 +655,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) int i; int bad = 0; 
@@ -79079,7 +79198,7 @@ index 5c028e2..4f0e54f 100644 trace_mm_page_free_direct(page, order); kmemcheck_free_shadow(page, order); -@@ -669,6 +673,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -669,6 +674,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) debug_check_no_obj_freed(page_address(page), PAGE_SIZE << order); } @@ -79092,7 +79211,48 @@ index 5c028e2..4f0e54f 100644 arch_free_page(page, order); kernel_map_pages(page, 1 << order, 0); -@@ -784,8 +794,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) +@@ -692,6 +703,19 @@ static void __free_pages_ok(struct page *page, unsigned int order) + local_irq_restore(flags); + } + ++#ifdef CONFIG_PAX_LATENT_ENTROPY ++bool __meminitdata extra_latent_entropy; ++ ++static int __init setup_pax_extra_latent_entropy(char *str) ++{ ++ extra_latent_entropy = true; ++ return 0; ++} ++early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy); ++ ++volatile u64 latent_entropy; ++#endif ++ + /* + * permit the bootmem allocator to evade page validation on high-order frees + */ +@@ -715,6 +739,20 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order) + set_page_count(p, 0); + } + ++#ifdef CONFIG_PAX_LATENT_ENTROPY ++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) { ++ unsigned int nr_pages = 1 << order; ++ u64 hash = 0; ++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash; ++ const u64 *data = lowmem_page_address(page); ++ ++ for (index = 0; index < end; index++) ++ hash ^= hash + data[index]; ++ latent_entropy ^= hash; ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); ++ } ++#endif ++ + set_page_refcounted(page); + __free_pages(page, order); + } +@@ -784,8 +822,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) arch_alloc_page(page, order); kernel_map_pages(page, 1 << order, 1); 
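Review bot: In the block added to `__free_pages_bootmem`, `page_to_pfn(page) < 0x100000` is a bare frame number that equals 4GB only with 4KB pages, while the Kconfig help text added in the same patch promises entropy from "up to the first 4GB of RAM". Deriving the bound from the page size keeps the two in step: `page_to_pfn(page) < (1UL << (32 - PAGE_SHIFT))`. The `hash ^= hash + data[index]` fold is a weak mixer, which is tolerable only because the result is fed to `add_device_randomness()` as supplementary input. A one-line comment saying so would keep it from being reused as a general hash. The function body starts outside the hunk.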
@@ -79103,7 +79263,7 @@ index 5c028e2..4f0e54f 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -3395,7 +3407,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn) +@@ -3395,7 +3435,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn) unsigned long pfn; for (pfn = start_pfn; pfn < end_pfn; pfn++) { @@ -83195,6 +83355,23 @@ index 8c25419..47a51ae 100644 } int udp6_seq_show(struct seq_file *seq, void *v) +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index c24f25a..f4b49c5 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -2584,8 +2584,10 @@ bed: + NULL, NULL, NULL); + + /* Check if the we got some results */ +- if (!self->cachedaddr) +- return -EAGAIN; /* Didn't find any devices */ ++ if (!self->cachedaddr) { ++ err = -EAGAIN; /* Didn't find any devices */ ++ goto out; ++ } + daddr = self->cachedaddr; + /* Cleanup */ + self->cachedaddr = 0; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c index 253695d..9481ce8 100644 --- a/net/irda/ircomm/ircomm_tty.c @@ -85953,10 +86130,10 @@ index 38f6617..e70b72b 100755 exuberant() diff --git a/security/Kconfig b/security/Kconfig -index 51bd5a0..595fa16 100644 +index 51bd5a0..cedcdeb 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,902 @@ +@@ -4,6 +4,907 @@ menu "Security options" 
@@ -86839,6 +87016,11 @@ index 51bd5a0..595fa16 100644 + there is little 'natural' source of entropy normally. The cost + is some slowdown of the boot process. + ++ When pax_extra_latent_entropy is passed on the kernel command line, ++ entropy will be extracted from up to the first 4GB of RAM while the ++ runtime memory allocator is being initialized. This costs even more ++ slowdown of the boot process. ++ + Note that the implementation requires a gcc with plugin support, + i.e., gcc 4.5 or newer. You may need to install the supporting + headers explicitly in addition to the normal gcc package. @@ -86859,7 +87041,7 @@ index 51bd5a0..595fa16 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1065,7 @@ config INTEL_TXT +@@ -169,7 +1070,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -87275,6 +87457,19 @@ index b43813c..74be837 100644 } #else static inline int selinux_xfrm_enabled(void) +diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c +index 48665ec..8ab2951 100644 +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, + + if (old_ctx) { + new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!new_ctx) + return -ENOMEM; + diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7db62b4..ee4d949 100644 --- a/security/smack/smack_lsm.c @@ -89311,10 +89506,10 @@ index 0000000..0408e06 +} diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c new file mode 100644 -index 0000000..1276616 +index 0000000..b5395ba --- /dev/null +++ b/tools/gcc/latent_entropy_plugin.c -@@ -0,0 +1,321 @@ +@@ -0,0 +1,327 @@ +/* + * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 
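Review bot: The switch from `GFP_KERNEL` to `GFP_ATOMIC` in `selinux_xfrm_policy_clone` carries no comment, so the reason the allocation must not sleep is left to the reader. Presumably the function is reached with a lock held or from softirq context, which the hunk does not show. A line above the `kmalloc` would record it, for example `/* may be called in atomic context: must not sleep */`. The function continues outside the hunk.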
@@ -89355,6 +89550,7 @@ index 0000000..1276616 +#include "rtl.h" +#include "emit-rtl.h" +#include "tree-flow.h" ++#include "langhooks.h" + +#if BUILDING_GCC_VERSION >= 4008 +#define TODO_dump_func 0 @@ -89365,7 +89561,7 @@ index 0000000..1276616 +static tree latent_entropy_decl; + +static struct plugin_info latent_entropy_plugin_info = { -+ .version = "201302112000", ++ .version = "201303102320", + .help = NULL +}; + @@ -89589,6 +89785,8 @@ index 0000000..1276616 + +static void start_unit_callback(void *gcc_data, void *user_data) +{ ++ tree latent_entropy_type; ++ +#if BUILDING_GCC_VERSION >= 4007 + seed = get_random_seed(false); +#else @@ -89599,16 +89797,19 @@ index 0000000..1276616 + if (in_lto_p) + return; + -+ // extern u64 latent_entropy -+ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node); ++ // extern volatile u64 latent_entropy ++ gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64); ++ latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE); ++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type); + + TREE_STATIC(latent_entropy_decl) = 1; + TREE_PUBLIC(latent_entropy_decl) = 1; + TREE_USED(latent_entropy_decl) = 1; + TREE_THIS_VOLATILE(latent_entropy_decl) = 1; + DECL_EXTERNAL(latent_entropy_decl) = 1; -+ DECL_ARTIFICIAL(latent_entropy_decl) = 0; ++ DECL_ARTIFICIAL(latent_entropy_decl) = 1; + DECL_INITIAL(latent_entropy_decl) = NULL; ++ lang_hooks.decls.pushdecl(latent_entropy_decl); +// DECL_ASSEMBLER_NAME(latent_entropy_decl); +// varpool_finalize_decl(latent_entropy_decl); +// varpool_mark_needed_node(latent_entropy_decl); 
@@ -95320,6 +95521,25 @@ index 6789d78..4afd019e 100644 + .endm + #endif +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index 3eed61e..79647cd 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -73,9 +73,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; + u64 redir_content; + +- ASSERT(redir_index < IOAPIC_NUM_PINS); ++ if (redir_index < IOAPIC_NUM_PINS) ++ redir_content = ++ ioapic->redirtbl[redir_index].bits; ++ else ++ redir_content = ~0ULL; + +- redir_content = ioapic->redirtbl[redir_index].bits; + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : + redir_content & 0xffffffff; diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index ec747dc..38a8e47 100644 --- a/virt/kvm/kvm_main.c diff --git a/3.8.3/1001_linux-3.8.2.patch b/3.8.3/1001_linux-3.8.2.patch deleted file mode 100644 index 0952288..0000000 --- a/3.8.3/1001_linux-3.8.2.patch +++ /dev/null 
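Review bot: The bounds check that replaces `ASSERT(redir_index < IOAPIC_NUM_PINS)` in `ioapic_read_indirect` has no comment saying why an out-of-range index is an expected input rather than a bug. `redir_index` is derived from `ioapic->ioregsel`, which is presumably written by the guest. I would add `/* ioregsel is guest-controlled: out-of-range reads return all ones instead of indexing past redirtbl[] */` above the `if`. The assignment also fits on one line, `redir_content = ioapic->redirtbl[redir_index].bits;`. The matching write path is not in this hunk, so whether it validates the index the same way cannot be confirmed from here.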
@@ -1,3093 +0,0 @@ -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 6c72381..986614d 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -564,6 +564,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted. - UART at the specified I/O port or MMIO address, - switching to the matching ttyS device later. The - options are the same as for ttyS, above. -+ hvc<n> Use the hypervisor console device <n>. This is for -+ both Xen and PowerPC hypervisors. - - If the device connected to the port is not a TTY but a braille - device, prepend "brl," before the device type, for instance -@@ -754,6 +756,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. - - earlyprintk= [X86,SH,BLACKFIN] - earlyprintk=vga -+ earlyprintk=xen - earlyprintk=serial[,ttySn[,baudrate]] - earlyprintk=ttySn[,baudrate] - earlyprintk=dbgp[debugController#] -@@ -771,6 +774,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted. - The VGA output is eventually overwritten by the real - console. - -+ The xen output can only be used by Xen PV guests. 
-+ - ekgdboc= [X86,KGDB] Allow early kernel console debugging - ekgdboc=kbd - -diff --git a/Makefile b/Makefile -index 746c856..20d5318 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 8 --SUBLEVEL = 1 -+SUBLEVEL = 2 - EXTRAVERSION = - NAME = Unicycling Gorilla - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index f8fa411..c205035 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -19,23 +19,28 @@ - - static efi_system_table_t *sys_table; - -+static void efi_char16_printk(efi_char16_t *str) -+{ -+ struct efi_simple_text_output_protocol *out; -+ -+ out = (struct efi_simple_text_output_protocol *)sys_table->con_out; -+ efi_call_phys2(out->output_string, out, str); -+} -+ - static void efi_printk(char *str) - { - char *s8; - - for (s8 = str; *s8; s8++) { -- struct efi_simple_text_output_protocol *out; - efi_char16_t ch[2] = { 0 }; - - ch[0] = *s8; -- out = (struct efi_simple_text_output_protocol *)sys_table->con_out; -- - if (*s8 == '\n') { - efi_char16_t nl[2] = { '\r', 0 }; -- efi_call_phys2(out->output_string, out, nl); -+ efi_char16_printk(nl); - } - -- efi_call_phys2(out->output_string, out, ch); -+ efi_char16_printk(ch); - } - } - -@@ -709,7 +714,12 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image, - if ((u8 *)p >= (u8 *)filename_16 + sizeof(filename_16)) - break; - -- *p++ = *str++; -+ if (*str == '/') { -+ *p++ = '\\'; -+ *str++; -+ } else { -+ *p++ = *str++; -+ } - } - - *p = '\0'; -@@ -737,7 +747,9 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image, - status = efi_call_phys5(fh->open, fh, &h, filename_16, - EFI_FILE_MODE_READ, (u64)0); - if (status != EFI_SUCCESS) { -- efi_printk("Failed to open initrd file\n"); -+ efi_printk("Failed to open initrd file: "); -+ efi_char16_printk(filename_16); -+ efi_printk("\n"); - goto close_handles; - } - -diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c -index 
b994cc8..cbf5121 100644 ---- a/arch/x86/kernel/apic/apic.c -+++ b/arch/x86/kernel/apic/apic.c -@@ -131,7 +131,7 @@ static int __init parse_lapic(char *arg) - { - if (config_enabled(CONFIG_X86_32) && !arg) - force_enable_local_apic = 1; -- else if (!strncmp(arg, "notscdeadline", 13)) -+ else if (arg && !strncmp(arg, "notscdeadline", 13)) - setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); - return 0; - } -diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c -index 48d9d4e..992f442 100644 ---- a/arch/x86/kernel/head.c -+++ b/arch/x86/kernel/head.c -@@ -5,8 +5,6 @@ - #include <asm/setup.h> - #include <asm/bios_ebda.h> - --#define BIOS_LOWMEM_KILOBYTES 0x413 -- - /* - * The BIOS places the EBDA/XBDA at the top of conventional - * memory, and usually decreases the reported amount of -@@ -16,17 +14,30 @@ - * chipset: reserve a page before VGA to prevent PCI prefetch - * into it (errata #56). Usually the page is reserved anyways, - * unless you have no PS/2 mouse plugged in. -+ * -+ * This functions is deliberately very conservative. Losing -+ * memory in the bottom megabyte is rarely a problem, as long -+ * as we have enough memory to install the trampoline. Using -+ * memory that is in use by the BIOS or by some DMA device -+ * the BIOS didn't shut down *is* a big problem. - */ -+ -+#define BIOS_LOWMEM_KILOBYTES 0x413 -+#define LOWMEM_CAP 0x9f000U /* Absolute maximum */ -+#define INSANE_CUTOFF 0x20000U /* Less than this = insane */ -+ - void __init reserve_ebda_region(void) - { - unsigned int lowmem, ebda_addr; - -- /* To determine the position of the EBDA and the */ -- /* end of conventional memory, we need to look at */ -- /* the BIOS data area. In a paravirtual environment */ -- /* that area is absent. We'll just have to assume */ -- /* that the paravirt case can handle memory setup */ -- /* correctly, without our help. */ -+ /* -+ * To determine the position of the EBDA and the -+ * end of conventional memory, we need to look at -+ * the BIOS data area. 
In a paravirtual environment -+ * that area is absent. We'll just have to assume -+ * that the paravirt case can handle memory setup -+ * correctly, without our help. -+ */ - if (paravirt_enabled()) - return; - -@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void) - /* start of EBDA area */ - ebda_addr = get_bios_ebda(); - -- /* Fixup: bios puts an EBDA in the top 64K segment */ -- /* of conventional memory, but does not adjust lowmem. */ -- if ((lowmem - ebda_addr) <= 0x10000) -- lowmem = ebda_addr; -+ /* -+ * Note: some old Dells seem to need 4k EBDA without -+ * reporting so, so just consider the memory above 0x9f000 -+ * to be off limits (bugzilla 2990). -+ */ -+ -+ /* If the EBDA address is below 128K, assume it is bogus */ -+ if (ebda_addr < INSANE_CUTOFF) -+ ebda_addr = LOWMEM_CAP; - -- /* Fixup: bios does not report an EBDA at all. */ -- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */ -- if ((ebda_addr == 0) && (lowmem >= 0x9f000)) -- lowmem = 0x9f000; -+ /* If lowmem is less than 128K, assume it is bogus */ -+ if (lowmem < INSANE_CUTOFF) -+ lowmem = LOWMEM_CAP; - -- /* Paranoia: should never happen, but... 
*/
-- if ((lowmem == 0) || (lowmem >= 0x100000))
-- lowmem = 0x9f000;
-+ /* Use the lower of the lowmem and EBDA markers as the cutoff */
-+ lowmem = min(lowmem, ebda_addr);
-+ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
-
- /* reserve all memory between lowmem and the 1MB mark */
- memblock_reserve(lowmem, 0x100000 - lowmem);
-diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
-index 928bf83..e2cd38f 100644
---- a/arch/x86/platform/efi/efi.c
-+++ b/arch/x86/platform/efi/efi.c
-@@ -85,9 +85,10 @@ int efi_enabled(int facility)
- }
- EXPORT_SYMBOL(efi_enabled);
-
-+static bool disable_runtime = false;
- static int __init setup_noefi(char *arg)
- {
-- clear_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
-+ disable_runtime = true;
- return 0;
- }
- early_param("noefi", setup_noefi);
-@@ -734,7 +735,7 @@ void __init efi_init(void)
- if (!efi_is_native())
- pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n");
- else {
-- if (efi_runtime_init())
-+ if (disable_runtime || efi_runtime_init())
- return;
- set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
- }
-diff --git a/block/genhd.c b/block/genhd.c
-index 3993ebf..7dcfdd8 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -25,7 +25,7 @@ static DEFINE_MUTEX(block_class_lock);
- struct kobject *block_depr;
-
- /* for extended dynamic devt allocation, currently only one major is used */
--#define MAX_EXT_DEVT (1 << MINORBITS)
-+#define NR_EXT_DEVT (1 << MINORBITS)
-
- /* For extended devt allocation. ext_devt_mutex prevents look up
- * results from going away underneath its user.
-@@ -422,17 +422,18 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt)
- do {
- if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL))
- return -ENOMEM;
-+ mutex_lock(&ext_devt_mutex);
- rc = idr_get_new(&ext_devt_idr, part, &idx);
-+ if (!rc && idx >= NR_EXT_DEVT) {
-+ idr_remove(&ext_devt_idr, idx);
-+ rc = -EBUSY;
-+ }
-+ mutex_unlock(&ext_devt_mutex);
- } while (rc == -EAGAIN);
-
- if (rc)
- return rc;
-
-- if (idx > MAX_EXT_DEVT) {
-- idr_remove(&ext_devt_idr, idx);
-- return -EBUSY;
-- }
--
- *devt = MKDEV(BLOCK_EXT_MAJOR, blk_mangle_minor(idx));
- return 0;
- }
-@@ -646,7 +647,6 @@ void del_gendisk(struct gendisk *disk)
- disk_part_iter_exit(&piter);
-
- invalidate_partition(disk, 0);
-- blk_free_devt(disk_to_dev(disk)->devt);
- set_capacity(disk, 0);
- disk->flags &= ~GENHD_FL_UP;
-
-@@ -664,6 +664,7 @@ void del_gendisk(struct gendisk *disk)
- if (!sysfs_deprecated)
- sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk)));
- device_del(disk_to_dev(disk));
-+ blk_free_devt(disk_to_dev(disk)->devt);
- }
- EXPORT_SYMBOL(del_gendisk);
-
-diff --git a/block/partition-generic.c b/block/partition-generic.c
-index f1d1451..1cb4dec 100644
---- a/block/partition-generic.c
-+++ b/block/partition-generic.c
-@@ -249,11 +249,11 @@ void delete_partition(struct gendisk *disk, int partno)
- if (!part)
- return;
-
-- blk_free_devt(part_devt(part));
- rcu_assign_pointer(ptbl->part[partno], NULL);
- rcu_assign_pointer(ptbl->last_lookup, NULL);
- kobject_put(part->holder_dir);
- device_del(part_to_dev(part));
-+ blk_free_devt(part_devt(part));
-
- hd_struct_put(part);
- }
-diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
-index 38c5078..f5ae996 100644
---- a/drivers/acpi/Kconfig
-+++ b/drivers/acpi/Kconfig
-@@ -268,7 +268,8 @@ config ACPI_CUSTOM_DSDT
- default ACPI_CUSTOM_DSDT_FILE != ""
-
- config ACPI_INITRD_TABLE_OVERRIDE
-- bool "ACPI tables can be passed via uncompressed cpio in initrd"
-+ bool "ACPI tables override via initrd"
-+ depends on BLK_DEV_INITRD && X86
- default n
- help
- This option provides functionality to override arbitrary ACPI tables
-diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2fcc67d..df85051 100644
---- a/drivers/acpi/sleep.c
-+++ b/drivers/acpi/sleep.c
-@@ -177,6 +177,14 @@ static struct dmi_system_id __initdata acpisleep_dmi_table[] = {
- },
- {
- .callback = init_nvs_nosave,
-+ .ident = "Sony Vaio VGN-FW41E_H",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FW41E_H"),
-+ },
-+ },
-+ {
-+ .callback = init_nvs_nosave,
- .ident = "Sony Vaio VGN-FW21E",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 4979127..72e3e12 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -265,6 +265,30 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- { PCI_VDEVICE(INTEL, 0x9c07), board_ahci }, /* Lynx Point-LP RAID */
- { PCI_VDEVICE(INTEL, 0x9c0e), board_ahci }, /* Lynx Point-LP RAID */
- { PCI_VDEVICE(INTEL, 0x9c0f), board_ahci }, /* Lynx Point-LP RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f22), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f23), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f24), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f25), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f26), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f27), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f2e), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f2f), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f32), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f33), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f34), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f35), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f36), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f37), board_ahci }, /* Avoton RAID */
-+ {
PCI_VDEVICE(INTEL, 0x1f3e), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f3f), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d02), board_ahci }, /* Wellsburg AHCI */
-+ { PCI_VDEVICE(INTEL, 0x8d04), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d06), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d0e), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d62), board_ahci }, /* Wellsburg AHCI */
-+ { PCI_VDEVICE(INTEL, 0x8d64), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */
-
- /* JMicron 360/1/3/5/6, match class to avoid IDE function */
- { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
-diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
-index 174eca6..d2ba439 100644
---- a/drivers/ata/ata_piix.c
-+++ b/drivers/ata/ata_piix.c
-@@ -317,6 +317,23 @@ static const struct pci_device_id piix_pci_tbl[] = {
- { 0x8086, 0x9c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
- /* SATA Controller IDE (DH89xxCC) */
- { 0x8086, 0x2326, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f30, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f31, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d68, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+
- { } /* terminate list */
- };
-
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 043ddcc..eb591fb 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -595,12 +595,20 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- struct request sreq;
-
- dev_info(disk_to_dev(nbd->disk), "NBD_DISCONNECT\n");
-+ if (!nbd->sock)
-+ return -EINVAL;
-
-+ mutex_unlock(&nbd->tx_lock);
-+ fsync_bdev(bdev);
-+ mutex_lock(&nbd->tx_lock);
- blk_rq_init(NULL, &sreq);
- sreq.cmd_type = REQ_TYPE_SPECIAL;
- nbd_cmd(&sreq) = NBD_CMD_DISC;
-+
-+ /* Check again after getting mutex back. */
- if (!nbd->sock)
- return -EINVAL;
-+
- nbd_send_req(nbd, &sreq);
- return 0;
- }
-@@ -614,6 +622,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- nbd_clear_que(nbd);
- BUG_ON(!list_empty(&nbd->queue_head));
- BUG_ON(!list_empty(&nbd->waiting_queue));
-+ kill_bdev(bdev);
- if (file)
- fput(file);
- return 0;
-@@ -702,6 +711,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- nbd->file = NULL;
- nbd_clear_que(nbd);
- dev_warn(disk_to_dev(nbd->disk), "queue cleared\n");
-+ kill_bdev(bdev);
- queue_flag_clear_unlocked(QUEUE_FLAG_DISCARD, nbd->disk->queue);
- if (file)
- fput(file);
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index 5ac841f..de1f319 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -46,6 +46,7 @@
- #include <xen/xen.h>
- #include <asm/xen/hypervisor.h>
- #include <asm/xen/hypercall.h>
-+#include <xen/balloon.h>
- #include "common.h"
-
- /*
-@@ -239,6 +240,7 @@ static void free_persistent_gnts(struct rb_root *root, unsigned int num)
- ret = gnttab_unmap_refs(unmap, NULL, pages,
- segs_to_unmap);
- BUG_ON(ret);
-+ free_xenballooned_pages(segs_to_unmap, pages);
- segs_to_unmap = 0;
- }
-
-@@ -527,8 +529,8 @@ static int
xen_blkbk_map(struct blkif_request *req,
- GFP_KERNEL);
- if (!persistent_gnt)
- return -ENOMEM;
-- persistent_gnt->page = alloc_page(GFP_KERNEL);
-- if (!persistent_gnt->page) {
-+ if (alloc_xenballooned_pages(1, &persistent_gnt->page,
-+ false)) {
- kfree(persistent_gnt);
- return -ENOMEM;
- }
-@@ -879,7 +881,6 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
- goto fail_response;
- }
-
-- preq.dev = req->u.rw.handle;
- preq.sector_number = req->u.rw.sector_number;
- preq.nr_sects = 0;
-
-diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
-index 6398072..5e237f6 100644
---- a/drivers/block/xen-blkback/xenbus.c
-+++ b/drivers/block/xen-blkback/xenbus.c
-@@ -367,6 +367,7 @@ static int xen_blkbk_remove(struct xenbus_device *dev)
- be->blkif = NULL;
- }
-
-+ kfree(be->mode);
- kfree(be);
- dev_set_drvdata(&dev->dev, NULL);
- return 0;
-@@ -502,6 +503,7 @@ static void backend_changed(struct xenbus_watch *watch,
- = container_of(watch, struct backend_info, backend_watch);
- struct xenbus_device *dev = be->dev;
- int cdrom = 0;
-+ unsigned long handle;
- char *device_type;
-
- DPRINTK("");
-@@ -521,10 +523,10 @@ static void backend_changed(struct xenbus_watch *watch,
- return;
- }
-
-- if ((be->major || be->minor) &&
-- ((be->major != major) || (be->minor != minor))) {
-- pr_warn(DRV_PFX "changing physical device (from %x:%x to %x:%x) not supported.\n",
-- be->major, be->minor, major, minor);
-+ if (be->major | be->minor) {
-+ if (be->major != major || be->minor != minor)
-+ pr_warn(DRV_PFX "changing physical device (from %x:%x to %x:%x) not supported.\n",
-+ be->major, be->minor, major, minor);
- return;
- }
-
-@@ -542,36 +544,33 @@ static void backend_changed(struct xenbus_watch *watch,
- kfree(device_type);
- }
-
-- if (be->major == 0 && be->minor == 0) {
-- /* Front end dir is a number, which is used as the handle.
*/
-- - char *p = strrchr(dev->otherend, '/') + 1;
-- long handle;
-- err = strict_strtoul(p, 0, &handle);
-- if (err)
-- return;
-+ /* Front end dir is a number, which is used as the handle. */
-+ err = strict_strtoul(strrchr(dev->otherend, '/') + 1, 0, &handle);
-+ if (err)
-+ return;
-
-- be->major = major;
-- be->minor = minor;
-+ be->major = major;
-+ be->minor = minor;
-
-- err = xen_vbd_create(be->blkif, handle, major, minor,
-- (NULL == strchr(be->mode, 'w')), cdrom);
-- if (err) {
-- be->major = 0;
-- be->minor = 0;
-- xenbus_dev_fatal(dev, err, "creating vbd structure");
-- return;
-- }
-+ err = xen_vbd_create(be->blkif, handle, major, minor,
-+ !strchr(be->mode, 'w'), cdrom);
-
-+ if (err)
-+ xenbus_dev_fatal(dev, err, "creating vbd structure");
-+ else {
- err = xenvbd_sysfs_addif(dev);
- if (err) {
- xen_vbd_free(&be->blkif->vbd);
-- be->major = 0;
-- be->minor = 0;
- xenbus_dev_fatal(dev, err, "creating sysfs entries");
-- return;
- }
-+ }
-
-+ if (err) {
-+ kfree(be->mode);
-+ be->mode = NULL;
-+ be->major = 0;
-+ be->minor = 0;
-+ } else {
- /* We're potentially connected now */
- xen_update_blkif_status(be->blkif);
- }
-diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index 11043c1..c3dae2e 100644
---- a/drivers/block/xen-blkfront.c
-+++ b/drivers/block/xen-blkfront.c
-@@ -791,7 +791,7 @@ static void blkif_restart_queue(struct work_struct *work)
- static void blkif_free(struct blkfront_info *info, int suspend)
- {
- struct llist_node *all_gnts;
-- struct grant *persistent_gnt;
-+ struct grant *persistent_gnt, *tmp;
- struct llist_node *n;
-
- /* Prevent new requests being issued until we fix things up.
*/
-@@ -805,10 +805,17 @@ static void blkif_free(struct blkfront_info *info, int suspend)
- /* Remove all persistent grants */
- if (info->persistent_gnts_c) {
- all_gnts = llist_del_all(&info->persistent_gnts);
-- llist_for_each_entry_safe(persistent_gnt, n, all_gnts, node) {
-+ persistent_gnt = llist_entry(all_gnts, typeof(*(persistent_gnt)), node);
-+ while (persistent_gnt) {
- gnttab_end_foreign_access(persistent_gnt->gref, 0, 0UL);
- __free_page(pfn_to_page(persistent_gnt->pfn));
-- kfree(persistent_gnt);
-+ tmp = persistent_gnt;
-+ n = persistent_gnt->node.next;
-+ if (n)
-+ persistent_gnt = llist_entry(n, typeof(*(persistent_gnt)), node);
-+ else
-+ persistent_gnt = NULL;
-+ kfree(tmp);
- }
- info->persistent_gnts_c = 0;
- }
-diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
-index 3873d53..af3e8aa 100644
---- a/drivers/firewire/core-device.c
-+++ b/drivers/firewire/core-device.c
-@@ -1020,6 +1020,10 @@ static void fw_device_init(struct work_struct *work)
- ret = idr_pre_get(&fw_device_idr, GFP_KERNEL) ?
- idr_get_new(&fw_device_idr, device, &minor) :
- -ENOMEM;
-+ if (minor >= 1 << MINORBITS) {
-+ idr_remove(&fw_device_idr, minor);
-+ minor = -ENOSPC;
-+ }
- up_write(&fw_device_rwsem);
-
- if (ret < 0)
-diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index f5596db..bcb201c 100644
---- a/drivers/firmware/efivars.c
-+++ b/drivers/firmware/efivars.c
-@@ -79,6 +79,7 @@
- #include <linux/device.h>
- #include <linux/slab.h>
- #include <linux/pstore.h>
-+#include <linux/ctype.h>
-
- #include <linux/fs.h>
- #include <linux/ramfs.h>
-@@ -900,6 +901,48 @@ static struct inode *efivarfs_get_inode(struct super_block *sb,
- return inode;
- }
-
-+/*
-+ * Return true if 'str' is a valid efivarfs filename of the form,
-+ *
-+ * VariableName-12345678-1234-1234-1234-1234567891bc
-+ */
-+static bool efivarfs_valid_name(const char *str, int len)
-+{
-+ static const char dashes[GUID_LEN] = {
-+ [8] = 1, [13] = 1, [18] = 1, [23] = 1
-+ };
-+ const char *s = str + len - GUID_LEN;
-+ int i;
-+
-+ /*
-+ * We need a GUID, plus at least one letter for the variable name,
-+ * plus the '-' separator
-+ */
-+ if (len < GUID_LEN + 2)
-+ return false;
-+
-+ /* GUID should be right after the first '-' */
-+ if (s - 1 != strchr(str, '-'))
-+ return false;
-+
-+ /*
-+ * Validate that 's' is of the correct format, e.g.
-+ *
-+ * 12345678-1234-1234-1234-123456789abc
-+ */
-+ for (i = 0; i < GUID_LEN; i++) {
-+ if (dashes[i]) {
-+ if (*s++ != '-')
-+ return false;
-+ } else {
-+ if (!isxdigit(*s++))
-+ return false;
-+ }
-+ }
-+
-+ return true;
-+}
-+
- static void efivarfs_hex_to_guid(const char *str, efi_guid_t *guid)
- {
- guid->b[0] = hex_to_bin(str[6]) << 4 | hex_to_bin(str[7]);
-@@ -928,11 +971,7 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry,
- struct efivar_entry *var;
- int namelen, i = 0, err = 0;
-
-- /*
-- * We need a GUID, plus at least one letter for the variable name,
-- * plus the '-' separator
-- */
-- if (dentry->d_name.len < GUID_LEN + 2)
-+ if (!efivarfs_valid_name(dentry->d_name.name, dentry->d_name.len))
- return -EINVAL;
-
- inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0);
-@@ -1004,6 +1043,84 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
- return -EINVAL;
- };
-
-+/*
-+ * Compare two efivarfs file names.
-+ *
-+ * An efivarfs filename is composed of two parts,
-+ *
-+ * 1. A case-sensitive variable name
-+ * 2. A case-insensitive GUID
-+ *
-+ * So we need to perform a case-sensitive match on part 1 and a
-+ * case-insensitive match on part 2.
-+ */
-+static int efivarfs_d_compare(const struct dentry *parent, const struct inode *pinode,
-+ const struct dentry *dentry, const struct inode *inode,
-+ unsigned int len, const char *str,
-+ const struct qstr *name)
-+{
-+ int guid = len - GUID_LEN;
-+
-+ if (name->len != len)
-+ return 1;
-+
-+ /* Case-sensitive compare for the variable name */
-+ if (memcmp(str, name->name, guid))
-+ return 1;
-+
-+ /* Case-insensitive compare for the GUID */
-+ return strncasecmp(name->name + guid, str + guid, GUID_LEN);
-+}
-+
-+static int efivarfs_d_hash(const struct dentry *dentry,
-+ const struct inode *inode, struct qstr *qstr)
-+{
-+ unsigned long hash = init_name_hash();
-+ const unsigned char *s = qstr->name;
-+ unsigned int len = qstr->len;
-+
-+ if (!efivarfs_valid_name(s, len))
-+ return -EINVAL;
-+
-+ while (len-- > GUID_LEN)
-+ hash = partial_name_hash(*s++, hash);
-+
-+ /* GUID is case-insensitive. */
-+ while (len--)
-+ hash = partial_name_hash(tolower(*s++), hash);
-+
-+ qstr->hash = end_name_hash(hash);
-+ return 0;
-+}
-+
-+/*
-+ * Retaining negative dentries for an in-memory filesystem just wastes
-+ * memory and lookup time: arrange for them to be deleted immediately.
-+ */
-+static int efivarfs_delete_dentry(const struct dentry *dentry)
-+{
-+ return 1;
-+}
-+
-+static struct dentry_operations efivarfs_d_ops = {
-+ .d_compare = efivarfs_d_compare,
-+ .d_hash = efivarfs_d_hash,
-+ .d_delete = efivarfs_delete_dentry,
-+};
-+
-+static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name)
-+{
-+ struct qstr q;
-+
-+ q.name = name;
-+ q.len = strlen(name);
-+
-+ if (efivarfs_d_hash(NULL, NULL, &q))
-+ return NULL;
-+
-+ return d_alloc(parent, &q);
-+}
-+
- static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- {
- struct inode *inode = NULL;
-@@ -1019,6 +1136,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- sb->s_blocksize_bits = PAGE_CACHE_SHIFT;
- sb->s_magic = EFIVARFS_MAGIC;
- sb->s_op = &efivarfs_ops;
-+ sb->s_d_op = &efivarfs_d_ops;
- sb->s_time_gran = 1;
-
- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0);
-@@ -1059,7 +1177,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- if (!inode)
- goto fail_name;
-
-- dentry = d_alloc_name(root, name);
-+ dentry = efivarfs_alloc_dentry(root, name);
- if (!dentry)
- goto fail_inode;
-
-@@ -1109,8 +1227,20 @@ static struct file_system_type efivarfs_type = {
- .kill_sb = efivarfs_kill_sb,
- };
-
-+/*
-+ * Handle negative dentry.
-+ */
-+static struct dentry *efivarfs_lookup(struct inode *dir, struct dentry *dentry,
-+ unsigned int flags)
-+{
-+ if (dentry->d_name.len > NAME_MAX)
-+ return ERR_PTR(-ENAMETOOLONG);
-+ d_add(dentry, NULL);
-+ return NULL;
-+}
-+
- static const struct inode_operations efivarfs_dir_inode_operations = {
-- .lookup = simple_lookup,
-+ .lookup = efivarfs_lookup,
- .unlink = efivarfs_unlink,
- .create = efivarfs_create,
- };
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index eb2ee11..ceb3040 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1697,6 +1697,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER) },
- { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) },
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
- { HID_USB_DEVICE(USB_VENDOR_ID_SUNPLUS, USB_DEVICE_ID_SUNPLUS_WDESKTOP) },
- { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb300) },
- { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304) },
-@@ -2070,6 +2071,7 @@ static const struct hid_device_id hid_ignore_list[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_HYBRID) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_HEATCONTROL) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MADCATZ, USB_DEVICE_ID_MADCATZ_BEATPAD) },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_MASTERKIT, USB_DEVICE_ID_MASTERKIT_MA901RADIO) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MCC, USB_DEVICE_ID_MCC_PMD1024LS) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MCC, USB_DEVICE_ID_MCC_PMD1208LS) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MICROCHIP, USB_DEVICE_ID_PICKIT1) },
-diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
-index 34e2547..266e2ae 100644
---- a/drivers/hid/hid-ids.h
-+++ b/drivers/hid/hid-ids.h
-@@ -554,6 +554,9 @@
- #define USB_VENDOR_ID_MADCATZ 0x0738
- #define
USB_DEVICE_ID_MADCATZ_BEATPAD 0x4540
-
-+#define USB_VENDOR_ID_MASTERKIT 0x16c0
-+#define USB_DEVICE_ID_MASTERKIT_MA901RADIO 0x05df
-+
- #define USB_VENDOR_ID_MCC 0x09db
- #define USB_DEVICE_ID_MCC_PMD1024LS 0x0076
- #define USB_DEVICE_ID_MCC_PMD1208LS 0x007a
-@@ -709,6 +712,7 @@
-
- #define USB_VENDOR_ID_SONY 0x054c
- #define USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE 0x024b
-+#define USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE 0x0374
- #define USB_DEVICE_ID_SONY_PS3_BDREMOTE 0x0306
- #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268
- #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER 0x042f
-diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
-index 7f33ebf..126d6ae 100644
---- a/drivers/hid/hid-sony.c
-+++ b/drivers/hid/hid-sony.c
-@@ -43,9 +43,19 @@ static __u8 *sony_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- {
- struct sony_sc *sc = hid_get_drvdata(hdev);
-
-- if ((sc->quirks & VAIO_RDESC_CONSTANT) &&
-- *rsize >= 56 && rdesc[54] == 0x81 && rdesc[55] == 0x07) {
-- hid_info(hdev, "Fixing up Sony Vaio VGX report descriptor\n");
-+ /*
-+ * Some Sony RF receivers wrongly declare the mouse pointer as a
-+ * a constant non-data variable.
-+ */
-+ if ((sc->quirks & VAIO_RDESC_CONSTANT) && *rsize >= 56 &&
-+ /* usage page: generic desktop controls */
-+ /* rdesc[0] == 0x05 && rdesc[1] == 0x01 && */
-+ /* usage: mouse */
-+ rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
-+ /* input (usage page for x,y axes): constant, variable, relative */
-+ rdesc[54] == 0x81 && rdesc[55] == 0x07) {
-+ hid_info(hdev, "Fixing up Sony RF Receiver report descriptor\n");
-+ /* input: data, variable, relative */
- rdesc[55] = 0x06;
- }
-
-@@ -217,6 +227,8 @@ static const struct hid_device_id sony_devices[] = {
- .driver_data = SIXAXIS_CONTROLLER_BT },
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE),
- .driver_data = VAIO_RDESC_CONSTANT },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE),
-+ .driver_data = VAIO_RDESC_CONSTANT },
- { }
- };
- MODULE_DEVICE_TABLE(hid, sony_devices);
-diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
-index d5088ce..7ccf328 100644
---- a/drivers/infiniband/ulp/srp/ib_srp.c
-+++ b/drivers/infiniband/ulp/srp/ib_srp.c
-@@ -700,23 +700,24 @@ static int srp_reconnect_target(struct srp_target_port *target)
- struct Scsi_Host *shost = target->scsi_host;
- int i, ret;
-
-- if (target->state != SRP_TARGET_LIVE)
-- return -EAGAIN;
--
- scsi_target_block(&shost->shost_gendev);
-
- srp_disconnect_target(target);
- /*
-- * Now get a new local CM ID so that we avoid confusing the
-- * target in case things are really fouled up.
-+ * Now get a new local CM ID so that we avoid confusing the target in
-+ * case things are really fouled up. Doing so also ensures that all CM
-+ * callbacks will have finished before a new QP is allocated.
- */
- ret = srp_new_cm_id(target);
-- if (ret)
-- goto unblock;
--
-- ret = srp_create_target_ib(target);
-- if (ret)
-- goto unblock;
-+ /*
-+ * Whether or not creating a new CM ID succeeded, create a new
-+ * QP.
This guarantees that all completion callback function
-+ * invocations have finished before request resetting starts.
-+ */
-+ if (ret == 0)
-+ ret = srp_create_target_ib(target);
-+ else
-+ srp_create_target_ib(target);
-
- for (i = 0; i < SRP_CMD_SQ_SIZE; ++i) {
- struct srp_request *req = &target->req_ring[i];
-@@ -728,11 +729,12 @@ static int srp_reconnect_target(struct srp_target_port *target)
- for (i = 0; i < SRP_SQ_SIZE; ++i)
- list_add(&target->tx_ring[i]->list, &target->free_tx);
-
-- ret = srp_connect_target(target);
-+ if (ret == 0)
-+ ret = srp_connect_target(target);
-
--unblock:
- scsi_target_unblock(&shost->shost_gendev, ret == 0 ? SDEV_RUNNING :
- SDEV_TRANSPORT_OFFLINE);
-+ target->transport_offline = !!ret;
-
- if (ret)
- goto err;
-@@ -1352,6 +1354,12 @@ static int srp_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *scmnd)
- unsigned long flags;
- int len;
-
-+ if (unlikely(target->transport_offline)) {
-+ scmnd->result = DID_NO_CONNECT << 16;
-+ scmnd->scsi_done(scmnd);
-+ return 0;
-+ }
-+
- spin_lock_irqsave(&target->lock, flags);
- iu = __srp_get_tx_iu(target, SRP_IU_CMD);
- if (!iu)
-@@ -1695,6 +1703,9 @@ static int srp_send_tsk_mgmt(struct srp_target_port *target,
- struct srp_iu *iu;
- struct srp_tsk_mgmt *tsk_mgmt;
-
-+ if (!target->connected || target->qp_in_error)
-+ return -1;
-+
- init_completion(&target->tsk_mgmt_done);
-
- spin_lock_irq(&target->lock);
-@@ -1736,7 +1747,7 @@ static int srp_abort(struct scsi_cmnd *scmnd)
-
- shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n");
-
-- if (!req || target->qp_in_error || !srp_claim_req(target, req, scmnd))
-+ if (!req || !srp_claim_req(target, req, scmnd))
- return FAILED;
- srp_send_tsk_mgmt(target, req->index, scmnd->device->lun,
- SRP_TSK_ABORT_TASK);
-@@ -1754,8 +1765,6 @@ static int srp_reset_device(struct scsi_cmnd *scmnd)
-
- shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n");
-
-- if (target->qp_in_error)
-- return FAILED;
- if
(srp_send_tsk_mgmt(target, SRP_TAG_NO_REQ, scmnd->device->lun,
- SRP_TSK_LUN_RESET))
- return FAILED;
-@@ -1972,7 +1981,6 @@ static int srp_add_target(struct srp_host *host, struct srp_target_port *target)
- spin_unlock(&host->target_lock);
-
- target->state = SRP_TARGET_LIVE;
-- target->connected = false;
-
- scsi_scan_target(&target->scsi_host->shost_gendev,
- 0, target->scsi_id, SCAN_WILD_CARD, 0);
-diff --git a/drivers/infiniband/ulp/srp/ib_srp.h b/drivers/infiniband/ulp/srp/ib_srp.h
-index de2d0b3..66fbedd 100644
---- a/drivers/infiniband/ulp/srp/ib_srp.h
-+++ b/drivers/infiniband/ulp/srp/ib_srp.h
-@@ -140,6 +140,7 @@ struct srp_target_port {
- unsigned int cmd_sg_cnt;
- unsigned int indirect_size;
- bool allow_ext_sg;
-+ bool transport_offline;
-
- /* Everything above this point is used in the hot path of
- * command processing. Try to keep them packed into cachelines.
-diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
-index faf10ba..b6ecddb 100644
---- a/drivers/iommu/amd_iommu_init.c
-+++ b/drivers/iommu/amd_iommu_init.c
-@@ -1876,11 +1876,6 @@ static int amd_iommu_init_dma(void)
- struct amd_iommu *iommu;
- int ret;
-
-- init_device_table_dma();
--
-- for_each_iommu(iommu)
-- iommu_flush_all_caches(iommu);
--
- if (iommu_pass_through)
- ret = amd_iommu_init_passthrough();
- else
-@@ -1889,6 +1884,11 @@ static int amd_iommu_init_dma(void)
- if (ret)
- return ret;
-
-+ init_device_table_dma();
-+
-+ for_each_iommu(iommu)
-+ iommu_flush_all_caches(iommu);
-+
- amd_iommu_init_api();
-
- amd_iommu_init_notifier();
-diff --git a/drivers/media/pci/cx18/cx18-alsa-main.c b/drivers/media/pci/cx18/cx18-alsa-main.c
-index 8e971ff..b2c8c34 100644
---- a/drivers/media/pci/cx18/cx18-alsa-main.c
-+++ b/drivers/media/pci/cx18/cx18-alsa-main.c
-@@ -197,7 +197,7 @@ err_exit:
- return ret;
- }
-
--static int __init cx18_alsa_load(struct cx18 *cx)
-+static int cx18_alsa_load(struct cx18 *cx)
- {
- struct v4l2_device *v4l2_dev = &cx->v4l2_dev;
-
struct cx18_stream *s;
-diff --git a/drivers/media/pci/cx18/cx18-alsa-pcm.h b/drivers/media/pci/cx18/cx18-alsa-pcm.h
-index d26e51f..e2b2c5b 100644
---- a/drivers/media/pci/cx18/cx18-alsa-pcm.h
-+++ b/drivers/media/pci/cx18/cx18-alsa-pcm.h
-@@ -20,7 +20,7 @@
- * 02111-1307 USA
- */
-
--int __init snd_cx18_pcm_create(struct snd_cx18_card *cxsc);
-+int snd_cx18_pcm_create(struct snd_cx18_card *cxsc);
-
- /* Used by cx18-mailbox to announce the PCM data to the module */
- void cx18_alsa_announce_pcm_data(struct snd_cx18_card *card, u8 *pcm_data,
-diff --git a/drivers/media/pci/ivtv/ivtv-alsa-main.c b/drivers/media/pci/ivtv/ivtv-alsa-main.c
-index 4a221c6..e970cfa 100644
---- a/drivers/media/pci/ivtv/ivtv-alsa-main.c
-+++ b/drivers/media/pci/ivtv/ivtv-alsa-main.c
-@@ -205,7 +205,7 @@ err_exit:
- return ret;
- }
-
--static int __init ivtv_alsa_load(struct ivtv *itv)
-+static int ivtv_alsa_load(struct ivtv *itv)
- {
- struct v4l2_device *v4l2_dev = &itv->v4l2_dev;
- struct ivtv_stream *s;
-diff --git a/drivers/media/pci/ivtv/ivtv-alsa-pcm.h b/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-index 23dfe0d..186814e 100644
---- a/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-+++ b/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-@@ -20,4 +20,4 @@
- * 02111-1307 USA
- */
-
--int __init snd_ivtv_pcm_create(struct snd_ivtv_card *itvsc);
-+int snd_ivtv_pcm_create(struct snd_ivtv_card *itvsc);
-diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
-index 35cc526..8e9a668 100644
---- a/drivers/media/platform/omap/omap_vout.c
-+++ b/drivers/media/platform/omap/omap_vout.c
-@@ -205,19 +205,21 @@ static u32 omap_vout_uservirt_to_phys(u32 virtp)
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
-
-- vma = find_vma(mm, virtp);
- /* For kernel direct-mapped memory, take the easy way */
-- if (virtp >= PAGE_OFFSET) {
-- physp = virt_to_phys((void *) virtp);
-- } else if (vma && (vma->vm_flags & VM_IO) && vma->vm_pgoff) {
-+ if (virtp >= PAGE_OFFSET)
-+
return virt_to_phys((void *) virtp);
-+
-+ down_read(¤t->mm->mmap_sem);
-+ vma = find_vma(mm, virtp);
-+ if (vma && (vma->vm_flags & VM_IO) && vma->vm_pgoff) {
- /* this will catch, kernel-allocated, mmaped-to-usermode
- addresses */
- physp = (vma->vm_pgoff << PAGE_SHIFT) + (virtp - vma->vm_start);
-+ up_read(¤t->mm->mmap_sem);
- } else {
- /* otherwise, use get_user_pages() for general userland pages */
- int res, nr_pages = 1;
- struct page *pages;
-- down_read(¤t->mm->mmap_sem);
-
- res = get_user_pages(current, current->mm, virtp, nr_pages, 1,
- 0, &pages, NULL);
-diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
-index 601d1ac1..d593bc6 100644
---- a/drivers/media/rc/rc-main.c
-+++ b/drivers/media/rc/rc-main.c
-@@ -789,8 +789,10 @@ static ssize_t show_protocols(struct device *device,
- } else if (dev->raw) {
- enabled = dev->raw->enabled_protocols;
- allowed = ir_raw_get_allowed_protocols();
-- } else
-+ } else {
-+ mutex_unlock(&dev->lock);
- return -ENODEV;
-+ }
-
- IR_dprintk(1, "allowed - 0x%llx, enabled - 0x%llx\n",
- (long long)allowed,
-diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
-index 513969f..98a7f5e 100644
---- a/drivers/media/v4l2-core/v4l2-device.c
-+++ b/drivers/media/v4l2-core/v4l2-device.c
-@@ -159,31 +159,21 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev,
- sd->v4l2_dev = v4l2_dev;
- if (sd->internal_ops && sd->internal_ops->registered) {
- err = sd->internal_ops->registered(sd);
-- if (err) {
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err)
-+ goto error_module;
- }
-
- /* This just returns 0 if either of the two args is NULL */
- err = v4l2_ctrl_add_handler(v4l2_dev->ctrl_handler, sd->ctrl_handler, NULL);
-- if (err) {
-- if (sd->internal_ops && sd->internal_ops->unregistered)
-- sd->internal_ops->unregistered(sd);
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err)
-+ goto error_unregister;
-
- #if defined(CONFIG_MEDIA_CONTROLLER)
- /*
Register the entity. */
- if (v4l2_dev->mdev) {
- err = media_device_register_entity(v4l2_dev->mdev, entity);
-- if (err < 0) {
-- if (sd->internal_ops && sd->internal_ops->unregistered)
-- sd->internal_ops->unregistered(sd);
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err < 0)
-+ goto error_unregister;
- }
- #endif
-
-@@ -192,6 +182,14 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev,
- spin_unlock(&v4l2_dev->lock);
-
- return 0;
-+
-+error_unregister:
-+ if (sd->internal_ops && sd->internal_ops->unregistered)
-+ sd->internal_ops->unregistered(sd);
-+error_module:
-+ module_put(sd->owner);
-+ sd->v4l2_dev = NULL;
-+ return err;
- }
- EXPORT_SYMBOL_GPL(v4l2_device_register_subdev);
-
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 806e34c..0568273 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -4214,7 +4214,6 @@ redo:
- mutex_unlock(&wl->mutex);
- cancel_delayed_work_sync(&dev->periodic_work);
- cancel_work_sync(&wl->tx_work);
-- cancel_work_sync(&wl->firmware_load);
- mutex_lock(&wl->mutex);
- dev = wl->current_dev;
- if (!dev || b43_status(dev) < B43_STAT_STARTED) {
-@@ -5434,6 +5433,7 @@ static void b43_bcma_remove(struct bcma_device *core)
- /* We must cancel any work here before unregistering from ieee80211,
- * as the ieee80211 unreg will destroy the workqueue. */
- cancel_work_sync(&wldev->restart_work);
-+ cancel_work_sync(&wl->firmware_load);
-
- B43_WARN_ON(!wl);
- if (!wldev->fw.ucode.data)
-@@ -5510,6 +5510,7 @@ static void b43_ssb_remove(struct ssb_device *sdev)
- /* We must cancel any work here before unregistering from ieee80211,
- * as the ieee80211 unreg will destroy the workqueue.
*/
- cancel_work_sync(&wldev->restart_work);
-+ cancel_work_sync(&wl->firmware_load);
-
- B43_WARN_ON(!wl);
- if (!wldev->fw.ucode.data)
-diff --git a/drivers/power/ab8500_btemp.c b/drivers/power/ab8500_btemp.c
-index 20e2a7d..056222e 100644
---- a/drivers/power/ab8500_btemp.c
-+++ b/drivers/power/ab8500_btemp.c
-@@ -1123,7 +1123,7 @@ static void __exit ab8500_btemp_exit(void)
- platform_driver_unregister(&ab8500_btemp_driver);
- }
-
--subsys_initcall_sync(ab8500_btemp_init);
-+device_initcall(ab8500_btemp_init);
- module_exit(ab8500_btemp_exit);
-
- MODULE_LICENSE("GPL v2");
-diff --git a/drivers/power/abx500_chargalg.c b/drivers/power/abx500_chargalg.c
-index 2970891..eb7b4a6 100644
---- a/drivers/power/abx500_chargalg.c
-+++ b/drivers/power/abx500_chargalg.c
-@@ -1698,7 +1698,7 @@ static ssize_t abx500_chargalg_sysfs_charger(struct kobject *kobj,
- static struct attribute abx500_chargalg_en_charger = \
- {
- .name = "chargalg",
-- .mode = S_IWUGO,
-+ .mode = S_IWUSR,
- };
-
- static struct attribute *abx500_chargalg_chg[] = {
-diff --git a/drivers/power/bq27x00_battery.c b/drivers/power/bq27x00_battery.c
-index 36b34ef..7087d0d 100644
---- a/drivers/power/bq27x00_battery.c
-+++ b/drivers/power/bq27x00_battery.c
-@@ -448,7 +448,6 @@ static void bq27x00_update(struct bq27x00_device_info *di)
- cache.temperature = bq27x00_battery_read_temperature(di);
- if (!is_bq27425)
- cache.cycle_count = bq27x00_battery_read_cyct(di);
-- cache.cycle_count = bq27x00_battery_read_cyct(di);
- cache.power_avg =
- bq27x00_battery_read_pwr_avg(di, BQ27x00_POWER_AVG);
-
-@@ -696,7 +695,6 @@ static int bq27x00_powersupply_init(struct bq27x00_device_info *di)
- int ret;
-
- di->bat.type = POWER_SUPPLY_TYPE_BATTERY;
-- di->chip = BQ27425;
- if (di->chip == BQ27425) {
- di->bat.properties = bq27425_battery_props;
- di->bat.num_properties = ARRAY_SIZE(bq27425_battery_props);
-diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
-index 8f14c42..6894b3e
100644
---- a/drivers/staging/comedi/comedi_fops.c
-+++ b/drivers/staging/comedi/comedi_fops.c
-@@ -1779,7 +1779,7 @@ static unsigned int comedi_poll(struct file *file, poll_table *wait)
-
- mask = 0;
- read_subdev = comedi_get_read_subdevice(dev_file_info);
-- if (read_subdev) {
-+ if (read_subdev && read_subdev->async) {
- poll_wait(file, &read_subdev->async->wait_head, wait);
- if (!read_subdev->busy
- || comedi_buf_read_n_available(read_subdev->async) > 0
-@@ -1789,7 +1789,7 @@ static unsigned int comedi_poll(struct file *file, poll_table *wait)
- }
- }
- write_subdev = comedi_get_write_subdevice(dev_file_info);
-- if (write_subdev) {
-+ if (write_subdev && write_subdev->async) {
- poll_wait(file, &write_subdev->async->wait_head, wait);
- comedi_buf_write_alloc(write_subdev->async,
- write_subdev->async->prealloc_bufsz);
-@@ -1831,7 +1831,7 @@ static ssize_t comedi_write(struct file *file, const char __user *buf,
- }
-
- s = comedi_get_write_subdevice(dev_file_info);
-- if (s == NULL) {
-+ if (s == NULL || s->async == NULL) {
- retval = -EIO;
- goto done;
- }
-@@ -1942,7 +1942,7 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes,
- }
-
- s = comedi_get_read_subdevice(dev_file_info);
-- if (s == NULL) {
-+ if (s == NULL || s->async == NULL) {
- retval = -EIO;
- goto done;
- }
-diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
-index f2aa754..96f4981 100644
---- a/drivers/target/target_core_device.c
-+++ b/drivers/target/target_core_device.c
-@@ -1182,24 +1182,18 @@ static struct se_lun *core_dev_get_lun(struct se_portal_group *tpg, u32 unpacked
-
- struct se_lun_acl *core_dev_init_initiator_node_lun_acl(
- struct se_portal_group *tpg,
-+ struct se_node_acl *nacl,
- u32 mapped_lun,
-- char *initiatorname,
- int *ret)
- {
- struct se_lun_acl *lacl;
-- struct se_node_acl *nacl;
-
-- if (strlen(initiatorname) >= TRANSPORT_IQN_LEN) {
-+ if (strlen(nacl->initiatorname) >= TRANSPORT_IQN_LEN) {
-
pr_err("%s InitiatorName exceeds maximum size.\n",
- tpg->se_tpg_tfo->get_fabric_name());
- *ret = -EOVERFLOW;
- return NULL;
- }
-- nacl = core_tpg_get_initiator_node_acl(tpg, initiatorname);
-- if (!nacl) {
-- *ret = -EINVAL;
-- return NULL;
-- }
- lacl = kzalloc(sizeof(struct se_lun_acl), GFP_KERNEL);
- if (!lacl) {
- pr_err("Unable to allocate memory for struct se_lun_acl.\n");
-@@ -1210,7 +1204,8 @@ struct se_lun_acl *core_dev_init_initiator_node_lun_acl(
- INIT_LIST_HEAD(&lacl->lacl_list);
- lacl->mapped_lun = mapped_lun;
- lacl->se_lun_nacl = nacl;
-- snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s", initiatorname);
-+ snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s",
-+ nacl->initiatorname);
-
- return lacl;
- }
-diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
-index c57bbbc..04c775c 100644
---- a/drivers/target/target_core_fabric_configfs.c
-+++ b/drivers/target/target_core_fabric_configfs.c
-@@ -354,9 +354,17 @@ static struct config_group *target_fabric_make_mappedlun(
- ret = -EINVAL;
- goto out;
- }
-+ if (mapped_lun > (TRANSPORT_MAX_LUNS_PER_TPG-1)) {
-+ pr_err("Mapped LUN: %lu exceeds TRANSPORT_MAX_LUNS_PER_TPG"
-+ "-1: %u for Target Portal Group: %u\n", mapped_lun,
-+ TRANSPORT_MAX_LUNS_PER_TPG-1,
-+ se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg));
-+ ret = -EINVAL;
-+ goto out;
-+ }
-
-- lacl = core_dev_init_initiator_node_lun_acl(se_tpg, mapped_lun,
-- config_item_name(acl_ci), &ret);
-+ lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl,
-+ mapped_lun, &ret);
- if (!lacl) {
- ret = -EINVAL;
- goto out;
-diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
-index 93e9c1f..396e1eb 100644
---- a/drivers/target/target_core_internal.h
-+++ b/drivers/target/target_core_internal.h
-@@ -45,7 +45,7 @@ struct se_lun *core_dev_add_lun(struct se_portal_group *, struct se_device *, u3
- int core_dev_del_lun(struct se_portal_group *, u32);
- struct se_lun
*core_get_lun_from_tpg(struct se_portal_group *, u32);
- struct se_lun_acl *core_dev_init_initiator_node_lun_acl(struct se_portal_group *,
-- u32, char *, int *);
-+ struct se_node_acl *, u32, int *);
- int core_dev_add_initiator_node_lun_acl(struct se_portal_group *,
- struct se_lun_acl *, u32, u32);
- int core_dev_del_initiator_node_lun_acl(struct se_portal_group *,
-diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c
-index 5192ac0..9169d6a 100644
---- a/drivers/target/target_core_tpg.c
-+++ b/drivers/target/target_core_tpg.c
-@@ -111,16 +111,10 @@ struct se_node_acl *core_tpg_get_initiator_node_acl(
- struct se_node_acl *acl;
-
- spin_lock_irq(&tpg->acl_node_lock);
-- list_for_each_entry(acl, &tpg->acl_node_list, acl_list) {
-- if (!strcmp(acl->initiatorname, initiatorname) &&
-- !acl->dynamic_node_acl) {
-- spin_unlock_irq(&tpg->acl_node_lock);
-- return acl;
-- }
-- }
-+ acl = __core_tpg_get_initiator_node_acl(tpg, initiatorname);
- spin_unlock_irq(&tpg->acl_node_lock);
-
-- return NULL;
-+ return acl;
- }
-
- /* core_tpg_add_node_to_devs():
-diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
-index 4999563..1dae91d 100644
---- a/drivers/usb/dwc3/core.h
-+++ b/drivers/usb/dwc3/core.h
-@@ -405,7 +405,6 @@ struct dwc3_event_buffer {
- * @number: endpoint number (1 - 15)
- * @type: set to bmAttributes & USB_ENDPOINT_XFERTYPE_MASK
- * @resource_index: Resource transfer index
-- * @current_uf: Current uf received through last event parameter
- * @interval: the intervall on which the ISOC transfer is started
- * @name: a human readable name e.g.
ep1out-bulk
- * @direction: true for TX, false for RX
-@@ -439,7 +438,6 @@ struct dwc3_ep {
- u8 number;
- u8 type;
- u8 resource_index;
-- u16 current_uf;
- u32 interval;
-
- char name[20];
-diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index 2fdd767..09835b6 100644
---- a/drivers/usb/dwc3/gadget.c
-+++ b/drivers/usb/dwc3/gadget.c
-@@ -754,21 +754,18 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
- struct dwc3 *dwc = dep->dwc;
- struct dwc3_trb *trb;
-
-- unsigned int cur_slot;
--
- dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n",
- dep->name, req, (unsigned long long) dma,
- length, last ? " last" : "",
- chain ? " chain" : "");
-
-- trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
-- cur_slot = dep->free_slot;
-- dep->free_slot++;
--
- /* Skip the LINK-TRB on ISOC */
-- if (((cur_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
-+ if (((dep->free_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
- usb_endpoint_xfer_isoc(dep->endpoint.desc))
-- return;
-+ dep->free_slot++;
-+
-+ trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
-+ dep->free_slot++;
-
- if (!req->trb) {
- dwc3_gadget_move_request_queued(req);
-@@ -1091,7 +1088,10 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
- * notion of current microframe.
- */
- if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) {
-- dwc3_stop_active_transfer(dwc, dep->number);
-+ if (list_empty(&dep->req_queued)) {
-+ dwc3_stop_active_transfer(dwc, dep->number);
-+ dep->flags = DWC3_EP_ENABLED;
-+ }
- return 0;
- }
-
-@@ -1117,16 +1117,6 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
- dep->name);
- }
-
-- /*
-- * 3. Missed ISOC Handling. We need to start isoc transfer on the saved
-- * uframe number.
-- */
-- if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
-- (dep->flags & DWC3_EP_MISSED_ISOC)) {
-- __dwc3_gadget_start_isoc(dwc, dep, dep->current_uf);
-- dep->flags &= ~DWC3_EP_MISSED_ISOC;
-- }
--
- return 0;
- }
-
-@@ -1689,14 +1679,29 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
- if (trb_status == DWC3_TRBSTS_MISSED_ISOC) {
- dev_dbg(dwc->dev, "incomplete IN transfer %s\n",
- dep->name);
-- dep->current_uf = event->parameters &
-- ~(dep->interval - 1);
-+ /*
-+ * If missed isoc occurred and there is
-+ * no request queued then issue END
-+ * TRANSFER, so that core generates
-+ * next xfernotready and we will issue
-+ * a fresh START TRANSFER.
-+ * If there are still queued request
-+ * then wait, do not issue either END
-+ * or UPDATE TRANSFER, just attach next
-+ * request in request_list during
-+ * giveback.If any future queued request
-+ * is successfully transferred then we
-+ * will issue UPDATE TRANSFER for all
-+ * request in the request_list.
-+ */
- dep->flags |= DWC3_EP_MISSED_ISOC;
- } else {
- dev_err(dwc->dev, "incomplete IN transfer %s\n",
- dep->name);
- status = -ECONNRESET;
- }
-+ } else {
-+ dep->flags &= ~DWC3_EP_MISSED_ISOC;
- }
- } else {
- if (count && (event->status & DEPEVT_STATUS_SHORT))
-@@ -1723,6 +1728,23 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
- break;
- } while (1);
-
-+ if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
-+ list_empty(&dep->req_queued)) {
-+ if (list_empty(&dep->request_list)) {
-+ /*
-+ * If there is no entry in request list then do
-+ * not issue END TRANSFER now. Just set PENDING
-+ * flag, so that END TRANSFER is issued when an
-+ * entry is added into request list.
-+ */
-+ dep->flags = DWC3_EP_PENDING_REQUEST;
-+ } else {
-+ dwc3_stop_active_transfer(dwc, dep->number);
-+ dep->flags = DWC3_EP_ENABLED;
-+ }
-+ return 1;
-+ }
-+
- if ((event->status & DEPEVT_STATUS_IOC) &&
- (trb->ctrl & DWC3_TRB_CTRL_IOC))
- return 0;
-@@ -2157,6 +2179,26 @@ static void dwc3_gadget_conndone_interrupt(struct dwc3 *dwc)
- break;
- }
-
-+ /* Enable USB2 LPM Capability */
-+
-+ if ((dwc->revision > DWC3_REVISION_194A)
-+ && (speed != DWC3_DCFG_SUPERSPEED)) {
-+ reg = dwc3_readl(dwc->regs, DWC3_DCFG);
-+ reg |= DWC3_DCFG_LPM_CAP;
-+ dwc3_writel(dwc->regs, DWC3_DCFG, reg);
-+
-+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
-+ reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
-+
-+ /*
-+ * TODO: This should be configurable. For now using
-+ * maximum allowed HIRD threshold value of 0b1100
-+ */
-+ reg |= DWC3_DCTL_HIRD_THRES(12);
-+
-+ dwc3_writel(dwc->regs, DWC3_DCTL, reg);
-+ }
-+
- /* Recent versions support automatic phy suspend and don't need this */
- if (dwc->revision < DWC3_REVISION_194A) {
- /* Suspend unneeded PHY */
-@@ -2463,20 +2505,8 @@ int dwc3_gadget_init(struct dwc3 *dwc)
- DWC3_DEVTEN_DISCONNEVTEN);
- dwc3_writel(dwc->regs, DWC3_DEVTEN, reg);
-
-- /* Enable USB2 LPM and automatic phy suspend only on recent versions */
-+ /* automatic phy suspend only on recent versions */
- if (dwc->revision >= DWC3_REVISION_194A) {
-- reg = dwc3_readl(dwc->regs, DWC3_DCFG);
-- reg |= DWC3_DCFG_LPM_CAP;
-- dwc3_writel(dwc->regs, DWC3_DCFG, reg);
--
-- reg = dwc3_readl(dwc->regs, DWC3_DCTL);
-- reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
--
-- /* TODO: This should be configurable */
-- reg |= DWC3_DCTL_HIRD_THRES(28);
--
-- dwc3_writel(dwc->regs, DWC3_DCTL, reg);
--
- dwc3_gadget_usb2_phy_suspend(dwc, false);
- dwc3_gadget_usb3_phy_suspend(dwc, false);
- }
-diff --git a/fs/direct-io.c b/fs/direct-io.c
-index cf5b44b..f853263 100644
---- a/fs/direct-io.c
-+++ b/fs/direct-io.c
-@@ -261,9 +261,9 @@ static ssize_t
dio_complete(struct dio *dio, loff_t offset, ssize_t ret, bool is
- dio->end_io(dio->iocb, offset, transferred,
- dio->private, ret, is_async);
- } else {
-+ inode_dio_done(dio->inode);
- if (is_async)
- aio_complete(dio->iocb, ret, 0);
-- inode_dio_done(dio->inode);
- }
-
- return ret;
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index cf18217..2f2e0da 100644
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -358,7 +358,7 @@ void ext4_validate_block_bitmap(struct super_block *sb,
- }
-
- /**
-- * ext4_read_block_bitmap()
-+ * ext4_read_block_bitmap_nowait()
- * @sb: super block
- * @block_group: given block group
- *
-@@ -457,6 +457,8 @@ ext4_read_block_bitmap(struct super_block *sb, ext4_group_t block_group)
- struct buffer_head *bh;
-
- bh = ext4_read_block_bitmap_nowait(sb, block_group);
-+ if (!bh)
-+ return NULL;
- if (ext4_wait_block_bitmap(sb, block_group, bh)) {
- put_bh(bh);
- return NULL;
-@@ -482,11 +484,16 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
-
- free_clusters = percpu_counter_read_positive(fcc);
- dirty_clusters = percpu_counter_read_positive(dcc);
-- root_clusters = EXT4_B2C(sbi, ext4_r_blocks_count(sbi->s_es));
-+
-+ /*
-+ * r_blocks_count should always be multiple of the cluster ratio so
-+ * we are safe to do a plane bit shift only.
-+ */
-+ root_clusters = ext4_r_blocks_count(sbi->s_es) >> sbi->s_cluster_bits;
-
- if (free_clusters - (nclusters + root_clusters + dirty_clusters) <
- EXT4_FREECLUSTERS_WATERMARK) {
-- free_clusters = EXT4_C2B(sbi, percpu_counter_sum_positive(fcc));
-+ free_clusters = percpu_counter_sum_positive(fcc);
- dirty_clusters = percpu_counter_sum_positive(dcc);
- }
- /* Check whether we have space after accounting for current
-diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
-index 5ae1674..d42a8c4 100644
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -725,6 +725,7 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- struct ext4_extent_header *eh;
- struct buffer_head *bh;
- short int depth, i, ppos = 0, alloc = 0;
-+ int ret;
-
- eh = ext_inode_hdr(inode);
- depth = ext_depth(inode);
-@@ -752,12 +753,15 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- path[ppos].p_ext = NULL;
-
- bh = sb_getblk(inode->i_sb, path[ppos].p_block);
-- if (unlikely(!bh))
-+ if (unlikely(!bh)) {
-+ ret = -ENOMEM;
- goto err;
-+ }
- if (!bh_uptodate_or_lock(bh)) {
- trace_ext4_ext_load_extent(inode, block,
- path[ppos].p_block);
-- if (bh_submit_read(bh) < 0) {
-+ ret = bh_submit_read(bh);
-+ if (ret < 0) {
- put_bh(bh);
- goto err;
- }
-@@ -768,13 +772,15 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- put_bh(bh);
- EXT4_ERROR_INODE(inode,
- "ppos %d > depth %d", ppos, depth);
-+ ret = -EIO;
- goto err;
- }
- path[ppos].p_bh = bh;
- path[ppos].p_hdr = eh;
- i--;
-
-- if (ext4_ext_check_block(inode, eh, i, bh))
-+ ret = ext4_ext_check_block(inode, eh, i, bh);
-+ if (ret < 0)
- goto err;
- }
-
-@@ -796,7 +802,7 @@ err:
- ext4_ext_drop_refs(path);
- if (alloc)
- kfree(path);
-- return ERR_PTR(-EIO);
-+ return ERR_PTR(ret);
- }
-
- /*
-@@ -951,7 +957,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
- }
- bh = sb_getblk(inode->i_sb, newblock);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto cleanup;
- }
-
lock_buffer(bh);
-@@ -1024,7 +1030,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
- newblock = ablocks[--a];
- bh = sb_getblk(inode->i_sb, newblock);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto cleanup;
- }
- lock_buffer(bh);
-@@ -1136,11 +1142,8 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
- return err;
-
- bh = sb_getblk(inode->i_sb, newblock);
-- if (!bh) {
-- err = -EIO;
-- ext4_std_error(inode->i_sb, err);
-- return err;
-- }
-+ if (!bh)
-+ return -ENOMEM;
- lock_buffer(bh);
-
- err = ext4_journal_get_create_access(handle, bh);
-diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
-index 20862f9..8d83d1e 100644
---- a/fs/ext4/indirect.c
-+++ b/fs/ext4/indirect.c
-@@ -146,6 +146,7 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- struct super_block *sb = inode->i_sb;
- Indirect *p = chain;
- struct buffer_head *bh;
-+ int ret = -EIO;
-
- *err = 0;
- /* i_data is not going away, no lock needed */
-@@ -154,8 +155,10 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- goto no_block;
- while (--depth) {
- bh = sb_getblk(sb, le32_to_cpu(p->key));
-- if (unlikely(!bh))
-+ if (unlikely(!bh)) {
-+ ret = -ENOMEM;
- goto failure;
-+ }
-
- if (!bh_uptodate_or_lock(bh)) {
- if (bh_submit_read(bh) < 0) {
-@@ -177,7 +180,7 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- return NULL;
-
- failure:
-- *err = -EIO;
-+ *err = ret;
- no_block:
- return p;
- }
-@@ -471,7 +474,7 @@ static int ext4_alloc_branch(handle_t *handle, struct inode *inode,
- */
- bh = sb_getblk(inode->i_sb, new_blocks[n-1]);
- if (unlikely(!bh)) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto failed;
- }
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index 387c47c..93a3408 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -1188,7 +1188,7 @@ static int ext4_convert_inline_data_nolock(handle_t *handle,
-
- data_bh = sb_getblk(inode->i_sb, map.m_pblk);
- if (!data_bh) {
-- error =
-EIO;
-+ error = -ENOMEM;
- goto out_restore;
- }
-
-diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
-index cbfe13b..39f1fa7 100644
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -714,7 +714,7 @@ struct buffer_head *ext4_getblk(handle_t *handle, struct inode *inode,
-
- bh = sb_getblk(inode->i_sb, map.m_pblk);
- if (!bh) {
-- *errp = -EIO;
-+ *errp = -ENOMEM;
- return NULL;
- }
- if (map.m_flags & EXT4_MAP_NEW) {
-@@ -2977,9 +2977,9 @@ static void ext4_end_io_dio(struct kiocb *iocb, loff_t offset,
- if (!(io_end->flag & EXT4_IO_END_UNWRITTEN)) {
- ext4_free_io_end(io_end);
- out:
-+ inode_dio_done(inode);
- if (is_async)
- aio_complete(iocb, ret, 0);
-- inode_dio_done(inode);
- return;
- }
-
-@@ -3660,11 +3660,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
- iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb);
-
- bh = sb_getblk(sb, block);
-- if (!bh) {
-- EXT4_ERROR_INODE_BLOCK(inode, block,
-- "unable to read itable block");
-- return -EIO;
-- }
-+ if (!bh)
-+ return -ENOMEM;
- if (!buffer_uptodate(bh)) {
- lock_buffer(bh);
-
-diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 1bf6fe7..061727a 100644
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -4136,7 +4136,7 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac)
- /* The max size of hash table is PREALLOC_TB_SIZE */
- order = PREALLOC_TB_SIZE - 1;
- /* Add the prealloc space to lg */
-- rcu_read_lock();
-+ spin_lock(&lg->lg_prealloc_lock);
- list_for_each_entry_rcu(tmp_pa, &lg->lg_prealloc_list[order],
- pa_inode_list) {
- spin_lock(&tmp_pa->pa_lock);
-@@ -4160,12 +4160,12 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac)
- if (!added)
- list_add_tail_rcu(&pa->pa_inode_list,
- &lg->lg_prealloc_list[order]);
-- rcu_read_unlock();
-+ spin_unlock(&lg->lg_prealloc_lock);
-
- /* Now trim the list to be not more than 8 elements */
- if (lg_prealloc_count > 8) {
- ext4_mb_discard_lg_preallocations(sb, lg,
-- order, lg_prealloc_count);
-+ order, lg_prealloc_count);
- return;
- }
- return ;
-diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
-index fe7c63f..44734f1 100644
---- a/fs/ext4/mmp.c
-+++ b/fs/ext4/mmp.c
-@@ -80,6 +80,8 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
- * is not blocked in the elevator. */
- if (!*bh)
- *bh = sb_getblk(sb, mmp_block);
-+ if (!*bh)
-+ return -ENOMEM;
- if (*bh) {
- get_bh(*bh);
- lock_buffer(*bh);
-diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
-index 0016fbc..b42d04f 100644
---- a/fs/ext4/page-io.c
-+++ b/fs/ext4/page-io.c
-@@ -103,14 +103,13 @@ static int ext4_end_io(ext4_io_end_t *io)
- "(inode %lu, offset %llu, size %zd, error %d)",
- inode->i_ino, offset, size, ret);
- }
-- if (io->iocb)
-- aio_complete(io->iocb, io->result, 0);
--
-- if (io->flag & EXT4_IO_END_DIRECT)
-- inode_dio_done(inode);
- /* Wake up anyone waiting on unwritten extent conversion */
- if (atomic_dec_and_test(&EXT4_I(inode)->i_unwritten))
- wake_up_all(ext4_ioend_wq(inode));
-+ if (io->flag & EXT4_IO_END_DIRECT)
-+ inode_dio_done(inode);
-+ if (io->iocb)
-+ aio_complete(io->iocb, io->result, 0);
- return ret;
- }
-
-diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
-index d99387b..02824dc 100644
---- a/fs/ext4/resize.c
-+++ b/fs/ext4/resize.c
-@@ -334,7 +334,7 @@ static struct buffer_head *bclean(handle_t *handle, struct super_block *sb,
-
- bh = sb_getblk(sb, blk);
- if (!bh)
-- return ERR_PTR(-EIO);
-+ return ERR_PTR(-ENOMEM);
- if ((err = ext4_journal_get_write_access(handle, bh))) {
- brelse(bh);
- bh = ERR_PTR(err);
-@@ -411,7 +411,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
-
- bh = sb_getblk(sb, flex_gd->groups[group].block_bitmap);
- if (!bh)
-- return -EIO;
-+ return -ENOMEM;
-
- err = ext4_journal_get_write_access(handle, bh);
- if (err)
-@@ -501,7 +501,7 @@ static int setup_new_flex_group_blocks(struct super_block *sb,
-
- gdb = sb_getblk(sb, block);
- if (!gdb) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto out;
- }
-
-@@ -1065,7 +1065,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data,
-
- bh = sb_getblk(sb, backup_block);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- break;
- }
- ext4_debug("update metadata backup %llu(+%llu)\n",
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 3d4fb81..0465f36 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -4008,7 +4008,7 @@ no_journal:
- !(sb->s_flags & MS_RDONLY)) {
- err = ext4_enable_quotas(sb);
- if (err)
-- goto failed_mount7;
-+ goto failed_mount8;
- }
- #endif /* CONFIG_QUOTA */
-
-@@ -4035,6 +4035,10 @@ cantfind_ext4:
- ext4_msg(sb, KERN_ERR, "VFS: Can't find ext4 filesystem");
- goto failed_mount;
-
-+#ifdef CONFIG_QUOTA
-+failed_mount8:
-+ kobject_del(&sbi->s_kobj);
-+#endif
- failed_mount7:
- ext4_unregister_li_request(sb);
- failed_mount6:
-@@ -5005,9 +5009,9 @@ static int ext4_enable_quotas(struct super_block *sb)
- DQUOT_USAGE_ENABLED);
- if (err) {
- ext4_warning(sb,
-- "Failed to enable quota (type=%d) "
-- "tracking. Please run e2fsck to fix.",
-- type);
-+ "Failed to enable quota tracking "
-+ "(type=%d, err=%d). Please run "
-+ "e2fsck to fix.", type, err);
- return err;
- }
- }
-diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 3a91ebc..b93846b 100644
---- a/fs/ext4/xattr.c
-+++ b/fs/ext4/xattr.c
-@@ -549,7 +549,7 @@ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
- error = ext4_handle_dirty_xattr_block(handle, inode, bh);
- if (IS_SYNC(inode))
- ext4_handle_sync(handle);
-- dquot_free_block(inode, 1);
-+ dquot_free_block(inode, EXT4_C2B(EXT4_SB(inode->i_sb), 1));
- ea_bdebug(bh, "refcount now=%d; releasing",
- le32_to_cpu(BHDR(bh)->h_refcount));
- }
-@@ -832,7 +832,8 @@ inserted:
- else {
- /* The old block is released after updating
- the inode.
*/
-- error = dquot_alloc_block(inode, 1);
-+ error = dquot_alloc_block(inode,
-+ EXT4_C2B(EXT4_SB(sb), 1));
- if (error)
- goto cleanup;
- error = ext4_journal_get_write_access(handle,
-@@ -887,16 +888,17 @@ inserted:
-
- new_bh = sb_getblk(sb, block);
- if (!new_bh) {
-+ error = -ENOMEM;
- getblk_failed:
- ext4_free_blocks(handle, inode, NULL, block, 1,
- EXT4_FREE_BLOCKS_METADATA);
-- error = -EIO;
- goto cleanup;
- }
- lock_buffer(new_bh);
- error = ext4_journal_get_create_access(handle, new_bh);
- if (error) {
- unlock_buffer(new_bh);
-+ error = -EIO;
- goto getblk_failed;
- }
- memcpy(new_bh->b_data, s->base, new_bh->b_size);
-@@ -928,7 +930,7 @@ cleanup:
- return error;
-
- cleanup_dquot:
-- dquot_free_block(inode, 1);
-+ dquot_free_block(inode, EXT4_C2B(EXT4_SB(sb), 1));
- goto cleanup;
-
- bad_block:
-diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index b7c09f9..315e1f8 100644
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -682,7 +682,14 @@ static int fuse_unlink(struct inode *dir, struct dentry *entry)
-
- spin_lock(&fc->lock);
- fi->attr_version = ++fc->attr_version;
-- drop_nlink(inode);
-+ /*
-+ * If i_nlink == 0 then unlink doesn't make sense, yet this can
-+ * happen if userspace filesystem is careless.
It would be
-+ * difficult to enforce correct nlink usage so just ignore this
-+ * condition here
-+ */
-+ if (inode->i_nlink > 0)
-+ drop_nlink(inode);
- spin_unlock(&fc->lock);
- fuse_invalidate_attr(inode);
- fuse_invalidate_attr(dir);
-diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
-index ac8ed96c..a8309c6 100644
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -1060,6 +1060,8 @@ free_client(struct nfs4_client *clp)
- }
- free_svc_cred(&clp->cl_cred);
- kfree(clp->cl_name.data);
-+ idr_remove_all(&clp->cl_stateids);
-+ idr_destroy(&clp->cl_stateids);
- kfree(clp);
- }
-
-diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
-index 6577432..340bd02 100644
---- a/fs/ocfs2/aops.c
-+++ b/fs/ocfs2/aops.c
-@@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kiocb *iocb,
- level = ocfs2_iocb_rw_locked_level(iocb);
- ocfs2_rw_unlock(inode, level);
-
-+ inode_dio_done(inode);
- if (is_async)
- aio_complete(iocb, ret, 0);
-- inode_dio_done(inode);
- }
-
- /*
-diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
-index f169da4..b7e74b5 100644
---- a/fs/ocfs2/suballoc.c
-+++ b/fs/ocfs2/suballoc.c
-@@ -642,7 +642,7 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
- * cluster groups will be staying in cache for the duration of
- * this operation.
- */
-- ac->ac_allow_chain_relink = 0;
-+ ac->ac_disable_chain_relink = 1;
-
- /* Claim the first region */
- status = ocfs2_block_group_claim_bits(osb, handle, ac, min_bits,
-@@ -1823,7 +1823,7 @@ static int ocfs2_search_chain(struct ocfs2_alloc_context *ac,
- * Do this *after* figuring out how many bits we're taking out
- * of our target group.
- */
-- if (ac->ac_allow_chain_relink &&
-+ if (!ac->ac_disable_chain_relink &&
- (prev_group_bh) &&
- (ocfs2_block_group_reasonably_empty(bg, res->sr_bits))) {
- status = ocfs2_relink_block_group(handle, alloc_inode,
-@@ -1928,7 +1928,6 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
-
- victim = ocfs2_find_victim_chain(cl);
- ac->ac_chain = victim;
-- ac->ac_allow_chain_relink = 1;
-
- status = ocfs2_search_chain(ac, handle, bits_wanted, min_bits,
- res, &bits_left);
-@@ -1947,7 +1946,7 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
- * searching each chain in order. Don't allow chain relinking
- * because we only calculate enough journal credits for one
- * relink per alloc. */
-- ac->ac_allow_chain_relink = 0;
-+ ac->ac_disable_chain_relink = 1;
- for (i = 0; i < le16_to_cpu(cl->cl_next_free_rec); i ++) {
- if (i == victim)
- continue;
-diff --git a/fs/ocfs2/suballoc.h b/fs/ocfs2/suballoc.h
-index b8afabf..a36d0aa 100644
---- a/fs/ocfs2/suballoc.h
-+++ b/fs/ocfs2/suballoc.h
-@@ -49,7 +49,7 @@ struct ocfs2_alloc_context {
-
- /* these are used by the chain search */
- u16 ac_chain;
-- int ac_allow_chain_relink;
-+ int ac_disable_chain_relink;
- group_search_t *ac_group_search;
-
- u64 ac_last_group;
-diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
-index 0ba9ea1..2e3ea30 100644
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -7189,7 +7189,7 @@ int ocfs2_init_security_and_acl(struct inode *dir,
- struct buffer_head *dir_bh = NULL;
-
- ret = ocfs2_init_security_get(inode, dir, qstr, NULL);
-- if (!ret) {
-+ if (ret) {
- mlog_errno(ret);
- goto leave;
- }
-diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
-index 5ea2e77..86d1038 100644
---- a/fs/pstore/platform.c
-+++ b/fs/pstore/platform.c
-@@ -96,6 +96,27 @@ static const char *get_reason_str(enum kmsg_dump_reason reason)
- }
- }
-
-+bool pstore_cannot_block_path(enum kmsg_dump_reason reason)
-+{
-+ /*
-+ * In case of NMI path, pstore shouldn't be blocked
-+ * regardless of reason.
-+ */
-+ if (in_nmi())
-+ return true;
-+
-+ switch (reason) {
-+ /* In panic case, other cpus are stopped by smp_send_stop(). */
-+ case KMSG_DUMP_PANIC:
-+ /* Emergency restart shouldn't be blocked by spin lock. */
-+ case KMSG_DUMP_EMERG:
-+ return true;
-+ default:
-+ return false;
-+ }
-+}
-+EXPORT_SYMBOL_GPL(pstore_cannot_block_path);
-+
- /*
- * callback from kmsg_dump. (s2,l2) has the most recently
- * written bytes, older bytes are in (s1,l1). Save as much
-@@ -114,10 +135,12 @@ static void pstore_dump(struct kmsg_dumper *dumper,
-
- why = get_reason_str(reason);
-
-- if (in_nmi()) {
-- is_locked = spin_trylock(&psinfo->buf_lock);
-- if (!is_locked)
-- pr_err("pstore dump routine blocked in NMI, may corrupt error record\n");
-+ if (pstore_cannot_block_path(reason)) {
-+ is_locked = spin_trylock_irqsave(&psinfo->buf_lock, flags);
-+ if (!is_locked) {
-+ pr_err("pstore dump routine blocked in %s path, may corrupt error record\n"
-+ , in_nmi() ? "NMI" : why);
-+ }
- } else
- spin_lock_irqsave(&psinfo->buf_lock, flags);
- oopscount++;
-@@ -143,9 +166,9 @@ static void pstore_dump(struct kmsg_dumper *dumper,
- total += hsize + len;
- part++;
- }
-- if (in_nmi()) {
-+ if (pstore_cannot_block_path(reason)) {
- if (is_locked)
-- spin_unlock(&psinfo->buf_lock);
-+ spin_unlock_irqrestore(&psinfo->buf_lock, flags);
- } else
- spin_unlock_irqrestore(&psinfo->buf_lock, flags);
- }
-diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c
-index 769701c..ba32da3 100644
---- a/fs/ubifs/orphan.c
-+++ b/fs/ubifs/orphan.c
-@@ -126,13 +126,14 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
- else if (inum > o->inum)
- p = p->rb_right;
- else {
-- if (o->dnext) {
-+ if (o->del) {
- spin_unlock(&c->orphan_lock);
- dbg_gen("deleted twice ino %lu",
- (unsigned long)inum);
- return;
- }
-- if (o->cnext) {
-+ if (o->cmt) {
-+ o->del = 1;
- o->dnext = c->orph_dnext;
- c->orph_dnext = o;
- spin_unlock(&c->orphan_lock);
-@@ -172,7 +173,9 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
- last = &c->orph_cnext;
- list_for_each_entry(orphan, &c->orph_new, new_list) {
- ubifs_assert(orphan->new);
-+ ubifs_assert(!orphan->cmt);
- orphan->new = 0;
-+ orphan->cmt = 1;
- *last = orphan;
- last = &orphan->cnext;
- }
-@@ -299,7 +302,9 @@ static int write_orph_node(struct ubifs_info *c, int atomic)
- cnext = c->orph_cnext;
- for (i = 0; i < cnt; i++) {
- orphan = cnext;
-+ ubifs_assert(orphan->cmt);
- orph->inos[i] = cpu_to_le64(orphan->inum);
-+ orphan->cmt = 0;
- cnext = orphan->cnext;
- orphan->cnext = NULL;
- }
-@@ -378,6 +383,7 @@ static int consolidate(struct ubifs_info *c)
- list_for_each_entry(orphan, &c->orph_list, list) {
- if (orphan->new)
- continue;
-+ orphan->cmt = 1;
- *last = orphan;
- last = &orphan->cnext;
- cnt += 1;
-@@ -442,6 +448,7 @@ static void erase_deleted(struct ubifs_info *c)
- orphan = dnext;
- dnext = orphan->dnext;
- ubifs_assert(!orphan->new);
-+ ubifs_assert(orphan->del);
- rb_erase(&orphan->rb, &c->orph_tree);
- list_del(&orphan->list);
- c->tot_orphans -= 1;
-@@ -531,6 +538,7 @@ static int insert_dead_orphan(struct ubifs_info *c, ino_t inum)
- rb_link_node(&orphan->rb, parent, p);
- rb_insert_color(&orphan->rb, &c->orph_tree);
- list_add_tail(&orphan->list, &c->orph_list);
-+ orphan->del = 1;
- orphan->dnext = c->orph_dnext;
- c->orph_dnext = orphan;
- dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,
-diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
-index d133c27..b2babce 100644
---- a/fs/ubifs/ubifs.h
-+++ b/fs/ubifs/ubifs.h
-@@ -904,6 +904,8 @@ struct ubifs_budget_req {
- * @dnext: next orphan to delete
- * @inum: inode number
- * @new: %1 => added since the last commit, otherwise %0
-+ * @cmt: %1 => commit pending, otherwise %0
-+ * @del: %1 => delete pending, otherwise %0
- */
- struct ubifs_orphan {
- struct rb_node rb;
-@@ -912,7 +914,9 @@ struct ubifs_orphan {
- struct ubifs_orphan *cnext;
- struct ubifs_orphan *dnext;
- ino_t inum;
-- int new;
-+ unsigned new:1;
-+ unsigned cmt:1;
-+ unsigned del:1;
- };
-
- /**
-diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
-index cdb2d33..572a858 100644
---- a/fs/xfs/xfs_bmap.c
-+++ b/fs/xfs/xfs_bmap.c
-@@ -147,7 +147,10 @@ xfs_bmap_local_to_extents(
- xfs_fsblock_t *firstblock, /* first block allocated in xaction */
- xfs_extlen_t total, /* total blocks needed by transaction */
- int *logflagsp, /* inode logging flags */
-- int whichfork); /* data or attr fork */
-+ int whichfork, /* data or attr fork */
-+ void (*init_fn)(struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp));
-
- /*
- * Search the extents list for the inode, for the extent containing bno.
-@@ -357,7 +360,42 @@ xfs_bmap_add_attrfork_extents(
- }
-
- /*
-- * Called from xfs_bmap_add_attrfork to handle local format files.
-+ * Block initialisation functions for local to extent format conversion.
-+ * As these get more complex, they will be moved to the relevant files,
-+ * but for now they are too simple to worry about.
-+ */
-+STATIC void
-+xfs_bmap_local_to_extents_init_fn(
-+ struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp)
-+{
-+ bp->b_ops = &xfs_bmbt_buf_ops;
-+ memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+}
-+
-+STATIC void
-+xfs_symlink_local_to_remote(
-+ struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp)
-+{
-+ /* remote symlink blocks are not verifiable until CRCs come along */
-+ bp->b_ops = NULL;
-+ memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+}
-+
-+/*
-+ * Called from xfs_bmap_add_attrfork to handle local format files. Each
-+ * different data fork content type needs a different callout to do the
-+ * conversion. Some are basic and only require special block initialisation
-+ * callouts for the data formating, others (directories) are so specialised they
-+ * handle everything themselves.
-+ *
-+ * XXX (dgc): investigate whether directory conversion can use the generic
-+ * formatting callout. It should be possible - it's just a very complex
-+ * formatter. it would also require passing the transaction through to the init
-+ * function.
- */
- STATIC int /* error */
- xfs_bmap_add_attrfork_local(
-@@ -368,25 +406,29 @@ xfs_bmap_add_attrfork_local(
- int *flags) /* inode logging flags */
- {
- xfs_da_args_t dargs; /* args for dir/attr code */
-- int error; /* error return value */
-- xfs_mount_t *mp; /* mount structure pointer */
-
- if (ip->i_df.if_bytes <= XFS_IFORK_DSIZE(ip))
- return 0;
-+
- if (S_ISDIR(ip->i_d.di_mode)) {
-- mp = ip->i_mount;
- memset(&dargs, 0, sizeof(dargs));
- dargs.dp = ip;
- dargs.firstblock = firstblock;
- dargs.flist = flist;
-- dargs.total = mp->m_dirblkfsbs;
-+ dargs.total = ip->i_mount->m_dirblkfsbs;
- dargs.whichfork = XFS_DATA_FORK;
- dargs.trans = tp;
-- error = xfs_dir2_sf_to_block(&dargs);
-- } else
-- error = xfs_bmap_local_to_extents(tp, ip, firstblock, 1, flags,
-- XFS_DATA_FORK);
-- return error;
-+ return xfs_dir2_sf_to_block(&dargs);
-+ }
-+
-+ if (S_ISLNK(ip->i_d.di_mode))
-+ return xfs_bmap_local_to_extents(tp, ip, firstblock, 1,
-+ flags, XFS_DATA_FORK,
-+ xfs_symlink_local_to_remote);
-+
-+ return xfs_bmap_local_to_extents(tp, ip, firstblock, 1, flags,
-+ XFS_DATA_FORK,
-+ xfs_bmap_local_to_extents_init_fn);
- }
-
- /*
-@@ -3221,7 +3263,10 @@ xfs_bmap_local_to_extents(
- xfs_fsblock_t *firstblock, /* first block allocated in xaction */
- xfs_extlen_t total, /* total blocks needed by transaction */
- int *logflagsp, /* inode logging flags */
-- int whichfork) /* data or attr fork */
-+ int whichfork,
-+ void (*init_fn)(struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp))
- {
- int error; /* error return value */
- int flags; /* logging flags returned */
-@@ -3241,12 +3286,12 @@ xfs_bmap_local_to_extents(
- xfs_buf_t *bp; /* buffer for extent block */
- xfs_bmbt_rec_host_t *ep;/* extent record pointer */
-
-+ ASSERT((ifp->if_flags &
-+ (XFS_IFINLINE|XFS_IFEXTENTS|XFS_IFEXTIREC)) == XFS_IFINLINE);
- memset(&args, 0, sizeof(args));
- args.tp = tp;
- args.mp = ip->i_mount;
- args.firstblock = *firstblock;
-- ASSERT((ifp->if_flags &
-- (XFS_IFINLINE|XFS_IFEXTENTS|XFS_IFEXTIREC)) == XFS_IFINLINE);
- /*
- * Allocate a block. We know we need only one, since the
- * file currently fits in an inode.
-@@ -3262,17 +3307,20 @@ xfs_bmap_local_to_extents(
- args.mod = args.minleft = args.alignment = args.wasdel =
- args.isfl = args.minalignslop = 0;
- args.minlen = args.maxlen = args.prod = 1;
-- if ((error = xfs_alloc_vextent(&args)))
-+ error = xfs_alloc_vextent(&args);
-+ if (error)
- goto done;
-- /*
-- * Can't fail, the space was reserved.
-- */
-+
-+ /* Can't fail, the space was reserved. */
- ASSERT(args.fsbno != NULLFSBLOCK);
- ASSERT(args.len == 1);
- *firstblock = args.fsbno;
- bp = xfs_btree_get_bufl(args.mp, tp, args.fsbno, 0);
-- bp->b_ops = &xfs_bmbt_buf_ops;
-- memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+
-+ /* initialise the block and copy the data */
-+ init_fn(bp, ip, ifp);
-+
-+ /* account for the change in fork size and log everything */
- xfs_trans_log_buf(tp, bp, 0, ifp->if_bytes - 1);
- xfs_bmap_forkoff_reset(args.mp, ip, whichfork);
- xfs_idata_realloc(ip, -ifp->if_bytes, whichfork);
-@@ -4919,8 +4967,32 @@ xfs_bmapi_write(
- XFS_STATS_INC(xs_blk_mapw);
-
- if (XFS_IFORK_FORMAT(ip, whichfork) == XFS_DINODE_FMT_LOCAL) {
-+ /*
-+ * XXX (dgc): This assumes we are only called for inodes that
-+ * contain content neutral data in local format. Anything that
-+ * contains caller-specific data in local format that needs
-+ * transformation to move to a block format needs to do the
-+ * conversion to extent format itself.
-+ *
-+ * Directory data forks and attribute forks handle this
-+ * themselves, but with the addition of metadata verifiers every
-+ * data fork in local format now contains caller specific data
-+ * and as such conversion through this function is likely to be
-+ * broken.
-+ *
-+ * The only likely user of this branch is for remote symlinks,
-+ * but we cannot overwrite the data fork contents of the symlink
-+ * (EEXIST occurs higher up the stack) and so it will never go
-+ * from local format to extent format here. Hence I don't think
-+ * this branch is ever executed intentionally and we should
-+ * consider removing it and asserting that xfs_bmapi_write()
-+ * cannot be called directly on local format forks. i.e. callers
-+ * are completely responsible for local to extent format
-+ * conversion, not xfs_bmapi_write().
-+ */
- error = xfs_bmap_local_to_extents(tp, ip, firstblock, total,
-- &bma.logflags, whichfork);
-+ &bma.logflags, whichfork,
-+ xfs_bmap_local_to_extents_init_fn);
- if (error)
- goto error0;
- }
-diff --git a/include/linux/llist.h b/include/linux/llist.h
-index d0ab98f..a5199f6 100644
---- a/include/linux/llist.h
-+++ b/include/linux/llist.h
-@@ -125,31 +125,6 @@ static inline void init_llist_head(struct llist_head *list)
- (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
-
- /**
-- * llist_for_each_entry_safe - iterate safely against remove over some entries
-- * of lock-less list of given type.
-- * @pos: the type * to use as a loop cursor.
-- * @n: another type * to use as a temporary storage.
-- * @node: the fist entry of deleted list entries.
-- * @member: the name of the llist_node with the struct.
-- *
-- * In general, some entries of the lock-less list can be traversed
-- * safely only after being removed from list, so start with an entry
-- * instead of list head. This variant allows removal of entries
-- * as we iterate.
-- *
-- * If being used on entries deleted from lock-less list directly, the
-- * traverse order is from the newest to the oldest added entry. If
-- * you want to traverse from the oldest to the newest, you must
-- * reverse the order by yourself before traversing.
-- */
--#define llist_for_each_entry_safe(pos, n, node, member) \
-- for ((pos) = llist_entry((node), typeof(*(pos)), member), \
-- (n) = (pos)->member.next; \
-- &(pos)->member != NULL; \
-- (pos) = llist_entry(n, typeof(*(pos)), member), \
-- (n) = (&(pos)->member != NULL) ? (pos)->member.next : NULL)
--
--/**
- * llist_empty - tests whether a lock-less list is empty
- * @head: the list to test
- *
-diff --git a/include/linux/pstore.h b/include/linux/pstore.h
-index 1788909..75d0176 100644
---- a/include/linux/pstore.h
-+++ b/include/linux/pstore.h
-@@ -68,12 +68,18 @@ struct pstore_info {
-
- #ifdef CONFIG_PSTORE
- extern int pstore_register(struct pstore_info *);
-+extern bool pstore_cannot_block_path(enum kmsg_dump_reason reason);
- #else
- static inline int
- pstore_register(struct pstore_info *psi)
- {
- return -ENODEV;
- }
-+static inline bool
-+pstore_cannot_block_path(enum kmsg_dump_reason reason)
-+{
-+ return false;
-+}
- #endif
-
- #endif /*_LINUX_PSTORE_H*/
-diff --git a/include/linux/quota.h b/include/linux/quota.h
-index 58fdef12..d133711 100644
---- a/include/linux/quota.h
-+++ b/include/linux/quota.h
-@@ -405,6 +405,7 @@ struct quota_module_name {
- #define INIT_QUOTA_MODULE_NAMES {\
- {QFMT_VFS_OLD, "quota_v1"},\
- {QFMT_VFS_V0, "quota_v2"},\
-+ {QFMT_VFS_V1, "quota_v2"},\
- {0, NULL}}
-
- #endif /* _QUOTA_ */
-diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 4855892..1e23664 100644
---- a/kernel/cgroup.c
-+++ b/kernel/cgroup.c
-@@ -426,12 +426,20 @@ static void __put_css_set(struct css_set *cg, int taskexit)
- struct cgroup *cgrp = link->cgrp;
- list_del(&link->cg_link_list);
- list_del(&link->cgrp_link_list);
-+
-+ /*
-+ * We may not be holding cgroup_mutex, and if cgrp->count is
-+ * dropped to 0 the cgroup can be destroyed at any time, hence
-+ * rcu_read_lock is used to keep it alive.
-+ */
-+ rcu_read_lock();
- if (atomic_dec_and_test(&cgrp->count) &&
- notify_on_release(cgrp)) {
- if (taskexit)
- set_bit(CGRP_RELEASABLE, &cgrp->flags);
- check_for_release(cgrp);
- }
-+ rcu_read_unlock();
-
- kfree(link);
- }
-diff --git a/kernel/cpuset.c b/kernel/cpuset.c
-index 7bb63ee..5bb9bf1 100644
---- a/kernel/cpuset.c
-+++ b/kernel/cpuset.c
-@@ -2511,8 +2511,16 @@ void cpuset_print_task_mems_allowed(struct task_struct *tsk)
-
- dentry = task_cs(tsk)->css.cgroup->dentry;
- spin_lock(&cpuset_buffer_lock);
-- snprintf(cpuset_name, CPUSET_NAME_LEN,
-- dentry ? (const char *)dentry->d_name.name : "/");
-+
-+ if (!dentry) {
-+ strcpy(cpuset_name, "/");
-+ } else {
-+ spin_lock(&dentry->d_lock);
-+ strlcpy(cpuset_name, (const char *)dentry->d_name.name,
-+ CPUSET_NAME_LEN);
-+ spin_unlock(&dentry->d_lock);
-+ }
-+
- nodelist_scnprintf(cpuset_nodelist, CPUSET_NODELIST_LEN,
- tsk->mems_allowed);
- printk(KERN_INFO "%s cpuset=%s mems_allowed=%s\n",
-diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
-index 69185ae..e885be1 100644
---- a/kernel/posix-timers.c
-+++ b/kernel/posix-timers.c
-@@ -639,6 +639,13 @@ static struct k_itimer *__lock_timer(timer_t timer_id, unsigned long *flags)
- {
- struct k_itimer *timr;
-
-+ /*
-+ * timer_t could be any type >= int and we want to make sure any
-+ * @timer_id outside positive int range fails lookup.
-+ */
-+ if ((unsigned long long)timer_id > INT_MAX)
-+ return NULL;
-+
- rcu_read_lock();
- timr = idr_find(&posix_timers_id, (int)timer_id);
- if (timr) {
-diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
-index 5a63844..0ddf3a0 100644
---- a/kernel/sysctl_binary.c
-+++ b/kernel/sysctl_binary.c
-@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file,
-
- /* Convert the decnet address to binary */
- result = -EIO;
-- nodep = strchr(buf, '.') + 1;
-+ nodep = strchr(buf, '.');
- if (!nodep)
- goto out;
-+ ++nodep;
-
- area = simple_strtoul(buf, NULL, 10);
- node = simple_strtoul(nodep, NULL, 10);
-diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 41473b4..43defd1 100644
---- a/kernel/trace/ftrace.c
-+++ b/kernel/trace/ftrace.c
-@@ -3970,37 +3970,51 @@ static void ftrace_init_module(struct module *mod,
- ftrace_process_locs(mod, start, end);
- }
-
--static int ftrace_module_notify(struct notifier_block *self,
-- unsigned long val, void *data)
-+static int ftrace_module_notify_enter(struct notifier_block *self,
-+ unsigned long val, void *data)
- {
- struct module *mod = data;
-
-- switch (val) {
-- case MODULE_STATE_COMING:
-+ if (val == MODULE_STATE_COMING)
- ftrace_init_module(mod, mod->ftrace_callsites,
- mod->ftrace_callsites +
- mod->num_ftrace_callsites);
-- break;
-- case MODULE_STATE_GOING:
-+ return 0;
-+}
-+
-+static int ftrace_module_notify_exit(struct notifier_block *self,
-+ unsigned long val, void *data)
-+{
-+ struct module *mod = data;
-+
-+ if (val == MODULE_STATE_GOING)
- ftrace_release_mod(mod);
-- break;
-- }
-
- return 0;
- }
- #else
--static int ftrace_module_notify(struct notifier_block *self,
-- unsigned long val, void *data)
-+static int ftrace_module_notify_enter(struct notifier_block *self,
-+ unsigned long val, void *data)
-+{
-+ return 0;
-+}
-+static int ftrace_module_notify_exit(struct notifier_block *self,
-+ unsigned long val, void *data)
- {
- return 0;
- }
- #endif /* CONFIG_MODULES */
-
--struct notifier_block ftrace_module_nb = {
-- .notifier_call = ftrace_module_notify,
-+struct notifier_block ftrace_module_enter_nb = {
-+ .notifier_call = ftrace_module_notify_enter,
- .priority = INT_MAX, /* Run before anything that can use kprobes */
- };
-
-+struct notifier_block ftrace_module_exit_nb = {
-+ .notifier_call = ftrace_module_notify_exit,
-+ .priority = INT_MIN, /* Run after anything that can remove kprobes */
-+};
-+
- extern unsigned long __start_mcount_loc[];
- extern unsigned long __stop_mcount_loc[];
-
-@@ -4032,9 +4046,13 @@ void __init ftrace_init(void)
- __start_mcount_loc,
- __stop_mcount_loc);
-
-- ret = register_module_notifier(&ftrace_module_nb);
-+ ret = register_module_notifier(&ftrace_module_enter_nb);
-+ if (ret)
-+ pr_warning("Failed to register trace ftrace module enter notifier\n");
-+
-+ ret = register_module_notifier(&ftrace_module_exit_nb);
- if (ret)
-- pr_warning("Failed to register trace ftrace module notifier\n");
-+ pr_warning("Failed to register trace ftrace module exit notifier\n");
-
- set_ftrace_early_filters();
-
-diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 033ad5b..3a3a98f 100644
---- a/kernel/workqueue.c
-+++ b/kernel/workqueue.c
-@@ -138,6 +138,7 @@ struct worker {
- };
-
- struct work_struct *current_work; /* L: work being processed */
-+ work_func_t current_func; /* L: current_work's fn */
- struct cpu_workqueue_struct *current_cwq; /* L: current_work's cwq */
- struct list_head scheduled; /* L: scheduled works */
- struct task_struct *task; /* I: worker task */
-@@ -910,7 +911,8 @@ static struct worker *__find_worker_executing_work(struct global_cwq *gcwq,
- struct hlist_node *tmp;
-
- hlist_for_each_entry(worker, tmp, bwh, hentry)
-- if (worker->current_work == work)
-+ if (worker->current_work == work &&
-+ worker->current_func == work->func)
- return worker;
- return NULL;
- }
-@@ -920,9 +922,27 @@ static struct worker *__find_worker_executing_work(struct global_cwq *gcwq,
- * @gcwq: gcwq of interest
- * @work: work to find worker for
- *
-- * Find a worker which is executing @work on @gcwq. This function is
-- * identical to __find_worker_executing_work() except that this
-- * function calculates @bwh itself.
-+ * Find a worker which is executing @work on @gcwq by searching
-+ * @gcwq->busy_hash which is keyed by the address of @work. For a worker
-+ * to match, its current execution should match the address of @work and
-+ * its work function. This is to avoid unwanted dependency between
-+ * unrelated work executions through a work item being recycled while still
-+ * being executed.
-+ *
-+ * This is a bit tricky. A work item may be freed once its execution
-+ * starts and nothing prevents the freed area from being recycled for
-+ * another work item. If the same work item address ends up being reused
-+ * before the original execution finishes, workqueue will identify the
-+ * recycled work item as currently executing and make it wait until the
-+ * current execution finishes, introducing an unwanted dependency.
-+ *
-+ * This function checks the work item address, work function and workqueue
-+ * to avoid false positives. Note that this isn't complete as one may
-+ * construct a work function which can introduce dependency onto itself
-+ * through a recycled work item. Well, if somebody wants to shoot oneself
-+ * in the foot that badly, there's only so much we can do, and if such
-+ * deadlock actually occurs, it should be easy to locate the culprit work
-+ * function.
- *
- * CONTEXT:
- * spin_lock_irq(gcwq->lock).
-@@ -2168,7 +2188,6 @@ __acquires(&gcwq->lock)
- struct global_cwq *gcwq = pool->gcwq;
- struct hlist_head *bwh = busy_worker_head(gcwq, work);
- bool cpu_intensive = cwq->wq->flags & WQ_CPU_INTENSIVE;
-- work_func_t f = work->func;
- int work_color;
- struct worker *collision;
- #ifdef CONFIG_LOCKDEP
-@@ -2208,6 +2227,7 @@ __acquires(&gcwq->lock)
- debug_work_deactivate(work);
- hlist_add_head(&worker->hentry, bwh);
- worker->current_work = work;
-+ worker->current_func = work->func;
- worker->current_cwq = cwq;
- work_color = get_work_color(work);
-
-@@ -2240,7 +2260,7 @@ __acquires(&gcwq->lock)
- lock_map_acquire_read(&cwq->wq->lockdep_map);
- lock_map_acquire(&lockdep_map);
- trace_workqueue_execute_start(work);
-- f(work);
-+ worker->current_func(work);
- /*
- * While we must be careful to not use "work" after this, the trace
- * point will only record its address.
-@@ -2252,7 +2272,8 @@ __acquires(&gcwq->lock)
- if (unlikely(in_atomic() || lockdep_depth(current) > 0)) {
- pr_err("BUG: workqueue leaked lock or atomic: %s/0x%08x/%d\n"
- " last function: %pf\n",
-- current->comm, preempt_count(), task_pid_nr(current), f);
-+ current->comm, preempt_count(), task_pid_nr(current),
-+ worker->current_func);
- debug_show_held_locks(current);
- dump_stack();
- }
-@@ -2266,6 +2287,7 @@ __acquires(&gcwq->lock)
- /* we're done with it, release */
- hlist_del_init(&worker->hentry);
- worker->current_work = NULL;
-+ worker->current_func = NULL;
- worker->current_cwq = NULL;
- cwq_dec_nr_in_flight(cwq, work_color);
- }
-diff --git a/lib/idr.c b/lib/idr.c
-index 6482390..ca5aa00 100644
---- a/lib/idr.c
-+++ b/lib/idr.c
-@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp)
- return p;
- }
-
-- id += 1 << n;
-+ /*
-+ * Proceed to the next layer at the current level. Unlike
-+ * idr_for_each(), @id isn't guaranteed to be aligned to
-+ * layer boundary at this point and adding 1 << n may
-+ * incorrectly skip IDs. Make sure we jump to the
-+ * beginning of the next layer using round_up().
-+ */
-+ id = round_up(id + 1, 1 << n);
- while (n < fls(id)) {
- n += IDR_BITS;
- p = *--paa;
-diff --git a/mm/mmap.c b/mm/mmap.c
-index d1e4124..8832b87 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -2169,9 +2169,28 @@ int expand_downwards(struct vm_area_struct *vma,
- return error;
- }
-
-+/*
-+ * Note how expand_stack() refuses to expand the stack all the way to
-+ * abut the next virtual mapping, *unless* that mapping itself is also
-+ * a stack mapping. We want to leave room for a guard page, after all
-+ * (the guard page itself is not added here, that is done by the
-+ * actual page faulting logic)
-+ *
-+ * This matches the behavior of the guard page logic (see mm/memory.c:
-+ * check_stack_guard_page()), which only allows the guard page to be
-+ * removed under these circumstances.
-+ */
- #ifdef CONFIG_STACK_GROWSUP
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-+ struct vm_area_struct *next;
-+
-+ address &= PAGE_MASK;
-+ next = vma->vm_next;
-+ if (next && next->vm_start == address + PAGE_SIZE) {
-+ if (!(next->vm_flags & VM_GROWSUP))
-+ return -ENOMEM;
-+ }
- return expand_upwards(vma, address);
- }
-
-@@ -2194,6 +2213,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
- #else
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-+ struct vm_area_struct *prev;
-+
-+ address &= PAGE_MASK;
-+ prev = vma->vm_prev;
-+ if (prev && prev->vm_end == address) {
-+ if (!(prev->vm_flags & VM_GROWSDOWN))
-+ return -ENOMEM;
-+ }
- return expand_downwards(vma, address);
- }
-
-diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
-index dbf12ac..2d34b6b 100644
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -515,15 +515,6 @@ EXPORT_SYMBOL_GPL(svc_create_pooled);
-
- void svc_shutdown_net(struct svc_serv *serv, struct net *net)
- {
-- /*
-- * The set of xprts (contained in the sv_tempsocks and
-- * sv_permsocks lists) is now constant, since it is modified
-- * only by accepting new sockets (done by service threads in
-- * svc_recv) or aging old ones (done by sv_temptimer), or
-- * configuration changes (excluded by whatever locking the
-- * caller is using--nfsd_mutex in the case of nfsd). So it's
-- * safe to traverse those lists and shut everything down:
-- */
- svc_close_net(serv, net);
-
- if (serv->sv_shutdown)
-diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
-index b8e47fa..ca71056 100644
---- a/net/sunrpc/svc_xprt.c
-+++ b/net/sunrpc/svc_xprt.c
-@@ -856,7 +856,6 @@ static void svc_age_temp_xprts(unsigned long closure)
- struct svc_serv *serv = (struct svc_serv *)closure;
- struct svc_xprt *xprt;
- struct list_head *le, *next;
-- LIST_HEAD(to_be_aged);
-
- dprintk("svc_age_temp_xprts\n");
-
-@@ -877,25 +876,15 @@ static void svc_age_temp_xprts(unsigned long closure)
- if (atomic_read(&xprt->xpt_ref.refcount) > 1 ||
- test_bit(XPT_BUSY, &xprt->xpt_flags))
- continue;
-- svc_xprt_get(xprt);
-- list_move(le, &to_be_aged);
-+ list_del_init(le);
- set_bit(XPT_CLOSE, &xprt->xpt_flags);
- set_bit(XPT_DETACHED, &xprt->xpt_flags);
-- }
-- spin_unlock_bh(&serv->sv_lock);
--
-- while (!list_empty(&to_be_aged)) {
-- le = to_be_aged.next;
-- /* fiddling the xpt_list node is safe 'cos we're XPT_DETACHED */
-- list_del_init(le);
-- xprt = list_entry(le, struct svc_xprt, xpt_list);
--
- dprintk("queuing xprt %p for closing\n", xprt);
-
- /* a thread will dequeue and close it soon */
- svc_xprt_enqueue(xprt);
-- svc_xprt_put(xprt);
- }
-+ spin_unlock_bh(&serv->sv_lock);
-
- mod_timer(&serv->sv_temptimer, jiffies + svc_conn_age_period * HZ);
- }
-@@ -959,21 +948,24 @@ void svc_close_xprt(struct svc_xprt *xprt)
- }
- EXPORT_SYMBOL_GPL(svc_close_xprt);
-
--static void svc_close_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
-+static int svc_close_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
- {
- struct svc_xprt *xprt;
-+ int ret = 0;
-
- spin_lock(&serv->sv_lock);
- list_for_each_entry(xprt, xprt_list, xpt_list) {
- if (xprt->xpt_net != net)
- continue;
-+ ret++;
- set_bit(XPT_CLOSE, &xprt->xpt_flags);
-- set_bit(XPT_BUSY, &xprt->xpt_flags);
-+ svc_xprt_enqueue(xprt);
- }
- spin_unlock(&serv->sv_lock);
-+ return ret;
- }
-
--static void svc_clear_pools(struct svc_serv *serv, struct net *net)
-+static struct svc_xprt *svc_dequeue_net(struct svc_serv *serv, struct net *net)
- {
- struct svc_pool *pool;
- struct svc_xprt *xprt;
-@@ -988,42 +980,46 @@ static void svc_clear_pools(struct svc_serv *serv, struct net *net)
- if (xprt->xpt_net != net)
- continue;
- list_del_init(&xprt->xpt_ready);
-+ spin_unlock_bh(&pool->sp_lock);
-+ return xprt;
- }
- spin_unlock_bh(&pool->sp_lock);
- }
-+ return NULL;
- }
-
--static void svc_clear_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
-+static void svc_clean_up_xprts(struct svc_serv *serv, struct net *net)
- {
- struct svc_xprt *xprt;
-- struct svc_xprt *tmp;
-- LIST_HEAD(victims);
--
-- spin_lock(&serv->sv_lock);
-- list_for_each_entry_safe(xprt, tmp, xprt_list, xpt_list) {
-- if (xprt->xpt_net != net)
-- continue;
-- list_move(&xprt->xpt_list, &victims);
-- }
-- spin_unlock(&serv->sv_lock);
-
-- list_for_each_entry_safe(xprt, tmp, &victims, xpt_list)
-+ while ((xprt = svc_dequeue_net(serv, net))) {
-+ set_bit(XPT_CLOSE, &xprt->xpt_flags);
- svc_delete_xprt(xprt);
-+ }
- }
-
-+/*
-+ * Server threads may still be running (especially in the case where the
-+ * service is still running in other network namespaces).
-+ *
-+ * So we shut down sockets the same way we would on a running server, by
-+ * setting XPT_CLOSE, enqueuing, and letting a thread pick it up to do
-+ * the close. In the case there are no such other threads,
-+ * threads running, svc_clean_up_xprts() does a simple version of a
-+ * server's main event loop, and in the case where there are other
-+ * threads, we may need to wait a little while and then check again to
-+ * see if they're done.
-+ */
- void svc_close_net(struct svc_serv *serv, struct net *net)
- {
-- svc_close_list(serv, &serv->sv_tempsocks, net);
-- svc_close_list(serv, &serv->sv_permsocks, net);
-+ int delay = 0;
-
-- svc_clear_pools(serv, net);
-- /*
-- * At this point the sp_sockets lists will stay empty, since
-- * svc_xprt_enqueue will not add new entries without taking the
-- * sp_lock and checking XPT_BUSY.
-- */
-- svc_clear_list(serv, &serv->sv_tempsocks, net);
-- svc_clear_list(serv, &serv->sv_permsocks, net);
-+ while (svc_close_list(serv, &serv->sv_permsocks, net) +
-+ svc_close_list(serv, &serv->sv_tempsocks, net)) {
-+
-+ svc_clean_up_xprts(serv, net);
-+ msleep(delay++);
-+ }
- }
-
- /*
-diff --git a/sound/pci/bt87x.c b/sound/pci/bt87x.c
-index cdd100d..9febe55 100644
---- a/sound/pci/bt87x.c
-+++ b/sound/pci/bt87x.c
-@@ -836,6 +836,8 @@ static struct {
- {0x7063, 0x2000}, /* pcHDTV HD-2000 TV */
- };
-
-+static struct pci_driver driver;
-+
- /* return the id of the card, or a negative value if it's blacklisted */
- static int snd_bt87x_detect_card(struct pci_dev *pci)
- {
-@@ -962,11 +964,24 @@ static DEFINE_PCI_DEVICE_TABLE(snd_bt87x_default_ids) = {
- { }
- };
-
--static struct pci_driver bt87x_driver = {
-+static struct pci_driver driver = {
- .name = KBUILD_MODNAME,
- .id_table = snd_bt87x_ids,
- .probe = snd_bt87x_probe,
- .remove = snd_bt87x_remove,
- };
-
--module_pci_driver(bt87x_driver);
-+static int __init alsa_card_bt87x_init(void)
-+{
-+ if (load_all)
-+ driver.id_table = snd_bt87x_default_ids;
-+ return pci_register_driver(&driver);
-+}
-+
-+static void __exit alsa_card_bt87x_exit(void)
-+{
-+ pci_unregister_driver(&driver);
-+}
-+
-+module_init(alsa_card_bt87x_init)
-+module_exit(alsa_card_bt87x_exit)
-diff --git a/sound/pci/emu10k1/emu10k1_main.c b/sound/pci/emu10k1/emu10k1_main.c
-index a7c296a..e6b0166 100644
---- a/sound/pci/emu10k1/emu10k1_main.c
-+++ b/sound/pci/emu10k1/emu10k1_main.c
-@@ -862,6 +862,12 @@ static int snd_emu10k1_emu1010_init(struct snd_emu10k1 *emu)
- filename, emu->firmware->size);
- }
-
-+ err = snd_emu1010_load_firmware(emu);
-+ if (err != 0) {
-+ snd_printk(KERN_INFO "emu1010: Loading Firmware failed\n");
-+ return err;
-+ }
-+
- /* ID, should read & 0x7f = 0x55 when FPGA programmed. */
- snd_emu1010_fpga_read(emu, EMU_HANA_ID, ®);
- if ((reg & 0x3f) != 0x15) {
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index b14813d..c690b2a 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -1573,6 +1573,9 @@ static int generic_hdmi_build_jack(struct hda_codec *codec, int pin_idx)
-
- if (pcmdev > 0)
- sprintf(hdmi_str + strlen(hdmi_str), ",pcm=%d", pcmdev);
-+ if (!is_jack_detectable(codec, per_pin->pin_nid))
-+ strncat(hdmi_str, " Phantom",
-+ sizeof(hdmi_str) - strlen(hdmi_str) - 1);
-
- return snd_hda_jack_add_kctl(codec, per_pin->pin_nid, hdmi_str, 0);
- }
diff --git a/3.8.3/1002_linux-3.8.3.patch b/3.8.3/1002_linux-3.8.3.patch
deleted file mode 100644
index 6b6c562..0000000
--- a/3.8.3/1002_linux-3.8.3.patch
+++ /dev/null
@@ -1,4814 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 20d5318..8c49fc9b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 8
--SUBLEVEL = 2
-+SUBLEVEL = 3
- EXTRAVERSION =
- NAME = Unicycling Gorilla
-
-diff --git a/arch/arm/boot/dts/kirkwood-dns320.dts b/arch/arm/boot/dts/kirkwood-dns320.dts
-index 5bb0bf3..c9c44b2 100644
---- a/arch/arm/boot/dts/kirkwood-dns320.dts
-+++ b/arch/arm/boot/dts/kirkwood-dns320.dts
-@@ -42,12 +42,10 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
-
- serial@12100 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-dns325.dts b/arch/arm/boot/dts/kirkwood-dns325.dts
-index d430713..e4e4930 100644
---- a/arch/arm/boot/dts/kirkwood-dns325.dts
-+++ b/arch/arm/boot/dts/kirkwood-dns325.dts
-@@ -50,7 +50,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-dockstar.dts b/arch/arm/boot/dts/kirkwood-dockstar.dts
-index 2e3dd34..0196cf6 100644
---- a/arch/arm/boot/dts/kirkwood-dockstar.dts
-+++ b/arch/arm/boot/dts/kirkwood-dockstar.dts
-@@ -37,7 +37,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-dreamplug.dts b/arch/arm/boot/dts/kirkwood-dreamplug.dts
-index f2d386c..e21ae48 100644
---- a/arch/arm/boot/dts/kirkwood-dreamplug.dts
-+++ b/arch/arm/boot/dts/kirkwood-dreamplug.dts
-@@ -38,7 +38,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-goflexnet.dts b/arch/arm/boot/dts/kirkwood-goflexnet.dts
-index 1b133e0..bd83b8f 100644
---- a/arch/arm/boot/dts/kirkwood-goflexnet.dts
-+++ b/arch/arm/boot/dts/kirkwood-goflexnet.dts
-@@ -73,7 +73,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git
a/arch/arm/boot/dts/kirkwood-ib62x0.dts b/arch/arm/boot/dts/kirkwood-ib62x0.dts
-index 71902da..5335b1a 100644
---- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
-+++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
-@@ -51,7 +51,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-iconnect.dts b/arch/arm/boot/dts/kirkwood-iconnect.dts
-index 504f16b..12ccf74 100644
---- a/arch/arm/boot/dts/kirkwood-iconnect.dts
-+++ b/arch/arm/boot/dts/kirkwood-iconnect.dts
-@@ -78,7 +78,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts b/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-index 6cae459..93c3afb 100644
---- a/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-+++ b/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-@@ -115,7 +115,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-km_kirkwood.dts b/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-index 8db3123..5bbd054 100644
---- a/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-+++ b/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-@@ -34,7 +34,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-lschlv2.dts b/arch/arm/boot/dts/kirkwood-lschlv2.dts
-index 9510c9e..9f55d95 100644
---- a/arch/arm/boot/dts/kirkwood-lschlv2.dts
-+++ b/arch/arm/boot/dts/kirkwood-lschlv2.dts
-@@ -13,7 +13,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-lsxhl.dts b/arch/arm/boot/dts/kirkwood-lsxhl.dts
-index 739019c..5c84c11 100644
---- a/arch/arm/boot/dts/kirkwood-lsxhl.dts
-+++ b/arch/arm/boot/dts/kirkwood-lsxhl.dts
-@@ -13,7 +13,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
- };
-diff --git
a/arch/arm/boot/dts/kirkwood-mplcec4.dts b/arch/arm/boot/dts/kirkwood-mplcec4.dts
-index 262c654..07be213 100644
---- a/arch/arm/boot/dts/kirkwood-mplcec4.dts
-+++ b/arch/arm/boot/dts/kirkwood-mplcec4.dts
-@@ -91,7 +91,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-ns2-common.dtsi b/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-index 77d21ab..f0245c1 100644
---- a/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-+++ b/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-@@ -23,7 +23,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-nsa310.dts b/arch/arm/boot/dts/kirkwood-nsa310.dts
-index 5509f96..28d05e4 100644
---- a/arch/arm/boot/dts/kirkwood-nsa310.dts
-+++ b/arch/arm/boot/dts/kirkwood-nsa310.dts
-@@ -18,7 +18,6 @@
- ocp@f1000000 {
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-openblocks_a6.dts b/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-index 49d3d74..f3cc7c4 100644
---- a/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-+++ b/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-@@ -18,12 +18,10 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
- serial@12100 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-topkick.dts b/arch/arm/boot/dts/kirkwood-topkick.dts
-index cd15452..7dd19ff 100644
---- a/arch/arm/boot/dts/kirkwood-topkick.dts
-+++ b/arch/arm/boot/dts/kirkwood-topkick.dts
-@@ -17,7 +17,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood.dtsi b/arch/arm/boot/dts/kirkwood.dtsi
-index d6ab442..ad26d92 100644
---- a/arch/arm/boot/dts/kirkwood.dtsi
-+++ b/arch/arm/boot/dts/kirkwood.dtsi
-@@ -38,6 +38,7 @@
- interrupt-controller;
- #interrupt-cells = <2>;
- interrupts
= <35>, <36>, <37>, <38>;
-+ clocks = <&gate_clk 7>;
- };
-
- gpio1: gpio@10140 {
-@@ -49,6 +50,7 @@
- interrupt-controller;
- #interrupt-cells = <2>;
- interrupts = <39>, <40>, <41>;
-+ clocks = <&gate_clk 7>;
- };
-
- serial@12000 {
-@@ -57,7 +59,6 @@
- reg-shift = <2>;
- interrupts = <33>;
- clocks = <&gate_clk 7>;
-- /* set clock-frequency in board dts */
- status = "disabled";
- };
-
-@@ -67,7 +68,6 @@
- reg-shift = <2>;
- interrupts = <34>;
- clocks = <&gate_clk 7>;
-- /* set clock-frequency in board dts */
- status = "disabled";
- };
-
-@@ -75,6 +75,7 @@
- compatible = "marvell,kirkwood-rtc", "marvell,orion-rtc";
- reg = <0x10300 0x20>;
- interrupts = <53>;
-+ clocks = <&gate_clk 7>;
- };
-
- spi@10600 {
-diff --git a/arch/arm/configs/mxs_defconfig b/arch/arm/configs/mxs_defconfig
-index 7bf5351..a55b206 100644
---- a/arch/arm/configs/mxs_defconfig
-+++ b/arch/arm/configs/mxs_defconfig
-@@ -118,6 +118,7 @@ CONFIG_FRAMEBUFFER_CONSOLE=y
- CONFIG_FONTS=y
- CONFIG_LOGO=y
- CONFIG_USB=y
-+CONFIG_USB_EHCI_HCD=y
- CONFIG_USB_CHIPIDEA=y
- CONFIG_USB_CHIPIDEA_HOST=y
- CONFIG_USB_STORAGE=y
-diff --git a/arch/arm/include/asm/delay.h b/arch/arm/include/asm/delay.h
-index ab98fdd..720799f 100644
---- a/arch/arm/include/asm/delay.h
-+++ b/arch/arm/include/asm/delay.h
-@@ -24,6 +24,7 @@ extern struct arm_delay_ops {
- void (*delay)(unsigned long);
- void (*const_udelay)(unsigned long);
- void (*udelay)(unsigned long);
-+ bool const_clock;
- } arm_delay_ops;
-
- #define __delay(n) arm_delay_ops.delay(n)
-diff --git a/arch/arm/include/asm/mmu.h b/arch/arm/include/asm/mmu.h
-index 9f77e78..e3d5554 100644
---- a/arch/arm/include/asm/mmu.h
-+++ b/arch/arm/include/asm/mmu.h
-@@ -5,15 +5,15 @@
-
- typedef struct {
- #ifdef CONFIG_CPU_HAS_ASID
-- u64 id;
-+ atomic64_t id;
- #endif
-- unsigned int vmalloc_seq;
-+ unsigned int vmalloc_seq;
- } mm_context_t;
-
- #ifdef CONFIG_CPU_HAS_ASID
- #define ASID_BITS 8
- #define ASID_MASK ((~0ULL) << ASID_BITS)
--#define ASID(mm)
((mm)->context.id & ~ASID_MASK)
-+#define ASID(mm) ((mm)->context.id.counter & ~ASID_MASK)
- #else
- #define ASID(mm) (0)
- #endif
-@@ -26,7 +26,7 @@ typedef struct {
- * modified for 2.6 by Hyok S. Choi <hyok.choi@samsung.com>
- */
- typedef struct {
-- unsigned long end_brk;
-+ unsigned long end_brk;
- } mm_context_t;
-
- #endif
-diff --git a/arch/arm/include/asm/mmu_context.h b/arch/arm/include/asm/mmu_context.h
-index e1f644b..863a661 100644
---- a/arch/arm/include/asm/mmu_context.h
-+++ b/arch/arm/include/asm/mmu_context.h
-@@ -25,7 +25,7 @@ void __check_vmalloc_seq(struct mm_struct *mm);
- #ifdef CONFIG_CPU_HAS_ASID
-
- void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk);
--#define init_new_context(tsk,mm) ({ mm->context.id = 0; })
-+#define init_new_context(tsk,mm) ({ atomic64_set(&mm->context.id, 0); 0; })
-
- #else /* !CONFIG_CPU_HAS_ASID */
-
-diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 9c82f988..c094749 100644
---- a/arch/arm/include/asm/pgtable.h
-+++ b/arch/arm/include/asm/pgtable.h
-@@ -240,7 +240,8 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
-
- static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
- {
-- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE;
-+ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
-+ L_PTE_NONE | L_PTE_VALID;
- pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
- return pte;
- }
-diff --git a/arch/arm/kernel/asm-offsets.c b/arch/arm/kernel/asm-offsets.c
-index c985b48..cf10d18 100644
---- a/arch/arm/kernel/asm-offsets.c
-+++ b/arch/arm/kernel/asm-offsets.c
-@@ -107,7 +107,7 @@ int main(void)
- BLANK();
- #endif
- #ifdef CONFIG_CPU_HAS_ASID
-- DEFINE(MM_CONTEXT_ID, offsetof(struct mm_struct, context.id));
-+ DEFINE(MM_CONTEXT_ID, offsetof(struct mm_struct, context.id.counter));
- BLANK();
- #endif
- DEFINE(VMA_VM_MM, offsetof(struct vm_area_struct, vm_mm));
-diff --git
a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
-index 486a15a..e0eb9a1 100644
---- a/arch/arm/kernel/head.S
-+++ b/arch/arm/kernel/head.S
-@@ -184,13 +184,22 @@ __create_page_tables:
- orr r3, r3, #3 @ PGD block type
- mov r6, #4 @ PTRS_PER_PGD
- mov r7, #1 << (55 - 32) @ L_PGD_SWAPPER
--1: str r3, [r0], #4 @ set bottom PGD entry bits
-+1:
-+#ifdef CONFIG_CPU_ENDIAN_BE8
- str r7, [r0], #4 @ set top PGD entry bits
-+ str r3, [r0], #4 @ set bottom PGD entry bits
-+#else
-+ str r3, [r0], #4 @ set bottom PGD entry bits
-+ str r7, [r0], #4 @ set top PGD entry bits
-+#endif
- add r3, r3, #0x1000 @ next PMD table
- subs r6, r6, #1
- bne 1b
-
- add r4, r4, #0x1000 @ point to the PMD tables
-+#ifdef CONFIG_CPU_ENDIAN_BE8
-+ add r4, r4, #4 @ we only write the bottom word
-+#endif
- #endif
-
- ldr r7, [r10, #PROCINFO_MM_MMUFLAGS] @ mm_mmuflags
-@@ -258,6 +267,11 @@ __create_page_tables:
- addne r6, r6, #1 << SECTION_SHIFT
- strne r6, [r3]
-
-+#if defined(CONFIG_LPAE) && defined(CONFIG_CPU_ENDIAN_BE8)
-+ sub r4, r4, #4 @ Fixup page table pointer
-+ @ for 64-bit descriptors
-+#endif
-+
- #ifdef CONFIG_DEBUG_LL
- #if !defined(CONFIG_DEBUG_ICEDCC) && !defined(CONFIG_DEBUG_SEMIHOSTING)
- /*
-@@ -276,13 +290,17 @@ __create_page_tables:
- orr r3, r7, r3, lsl #SECTION_SHIFT
- #ifdef CONFIG_ARM_LPAE
- mov r7, #1 << (54 - 32) @ XN
-+#ifdef CONFIG_CPU_ENDIAN_BE8
-+ str r7, [r0], #4
-+ str r3, [r0], #4
- #else
-- orr r3, r3, #PMD_SECT_XN
--#endif
- str r3, [r0], #4
--#ifdef CONFIG_ARM_LPAE
- str r7, [r0], #4
- #endif
-+#else
-+ orr r3, r3, #PMD_SECT_XN
-+ str r3, [r0], #4
-+#endif
-
- #else /* CONFIG_DEBUG_ICEDCC || CONFIG_DEBUG_SEMIHOSTING */
- /* we don't need any serial debugging mappings */
-diff --git a/arch/arm/kernel/perf_event_v7.c b/arch/arm/kernel/perf_event_v7.c
-index 4fbc757..89ede24 100644
---- a/arch/arm/kernel/perf_event_v7.c
-+++ b/arch/arm/kernel/perf_event_v7.c
-@@ -774,7 +774,7 @@ static const unsigned armv7_a7_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
- /*
- *
PMXEVTYPER: Event selection reg
- */
--#define ARMV7_EVTYPE_MASK 0xc00000ff /* Mask for writable bits */
-+#define ARMV7_EVTYPE_MASK 0xc80000ff /* Mask for writable bits */
- #define ARMV7_EVTYPE_EVENT 0xff /* Mask for EVENT bits */
-
- /*
-diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index 84f4cbf..58af91c 100644
---- a/arch/arm/kernel/smp.c
-+++ b/arch/arm/kernel/smp.c
-@@ -693,6 +693,9 @@ static int cpufreq_callback(struct notifier_block *nb,
- if (freq->flags & CPUFREQ_CONST_LOOPS)
- return NOTIFY_OK;
-
-+ if (arm_delay_ops.const_clock)
-+ return NOTIFY_OK;
-+
- if (!per_cpu(l_p_j_ref, cpu)) {
- per_cpu(l_p_j_ref, cpu) =
- per_cpu(cpu_data, cpu).loops_per_jiffy;
-diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
-index 0dc5385..6b93f6a 100644
---- a/arch/arm/lib/delay.c
-+++ b/arch/arm/lib/delay.c
-@@ -77,6 +77,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
- arm_delay_ops.delay = __timer_delay;
- arm_delay_ops.const_udelay = __timer_const_udelay;
- arm_delay_ops.udelay = __timer_udelay;
-+ arm_delay_ops.const_clock = true;
- delay_calibrated = true;
- } else {
- pr_info("Ignoring duplicate/late registration of read_current_timer delay\n");
-diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
-index b820eda..db26e2e 100644
---- a/arch/arm/mm/alignment.c
-+++ b/arch/arm/mm/alignment.c
-@@ -749,7 +749,6 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- unsigned long instr = 0, instrptr;
- int (*handler)(unsigned long addr, unsigned long instr, struct pt_regs *regs);
- unsigned int type;
-- mm_segment_t fs;
- unsigned int fault;
- u16 tinstr = 0;
- int isize = 4;
-@@ -760,16 +759,15 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
-
- instrptr = instruction_pointer(regs);
-
-- fs = get_fs();
-- set_fs(KERNEL_DS);
- if (thumb_mode(regs)) {
-- fault = __get_user(tinstr, (u16 *)(instrptr & ~1));
-+ u16 *ptr = (u16 *)(instrptr & ~1);
-+ fault =
probe_kernel_address(ptr, tinstr);
- if (!fault) {
- if (cpu_architecture() >= CPU_ARCH_ARMv7 &&
- IS_T32(tinstr)) {
- /* Thumb-2 32-bit */
- u16 tinst2 = 0;
-- fault = __get_user(tinst2, (u16 *)(instrptr+2));
-+ fault = probe_kernel_address(ptr + 1, tinst2);
- instr = (tinstr << 16) | tinst2;
- thumb2_32b = 1;
- } else {
-@@ -778,8 +776,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- }
- }
- } else
-- fault = __get_user(instr, (u32 *)instrptr);
-- set_fs(fs);
-+ fault = probe_kernel_address(instrptr, instr);
-
- if (fault) {
- type = TYPE_FAULT;
-diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
-index bc4a5e9..d07df17 100644
---- a/arch/arm/mm/context.c
-+++ b/arch/arm/mm/context.c
-@@ -149,9 +149,9 @@ static int is_reserved_asid(u64 asid)
- return 0;
- }
-
--static void new_context(struct mm_struct *mm, unsigned int cpu)
-+static u64 new_context(struct mm_struct *mm, unsigned int cpu)
- {
-- u64 asid = mm->context.id;
-+ u64 asid = atomic64_read(&mm->context.id);
- u64 generation = atomic64_read(&asid_generation);
-
- if (asid != 0 && is_reserved_asid(asid)) {
-@@ -178,13 +178,14 @@ static void new_context(struct mm_struct *mm, unsigned int cpu)
- cpumask_clear(mm_cpumask(mm));
- }
-
-- mm->context.id = asid;
-+ return asid;
- }
-
- void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
- {
- unsigned long flags;
- unsigned int cpu = smp_processor_id();
-+ u64 asid;
-
- if (unlikely(mm->context.vmalloc_seq != init_mm.context.vmalloc_seq))
- __check_vmalloc_seq(mm);
-@@ -195,20 +196,24 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
- */
- cpu_set_reserved_ttbr0();
-
-- if (!((mm->context.id ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-- && atomic64_xchg(&per_cpu(active_asids, cpu), mm->context.id))
-+ asid = atomic64_read(&mm->context.id);
-+ if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-+ && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
- goto
switch_mm_fastpath;
-
- raw_spin_lock_irqsave(&cpu_asid_lock, flags);
- /* Check that our ASID belongs to the current generation. */
-- if ((mm->context.id ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-- new_context(mm, cpu);
--
-- atomic64_set(&per_cpu(active_asids, cpu), mm->context.id);
-- cpumask_set_cpu(cpu, mm_cpumask(mm));
-+ asid = atomic64_read(&mm->context.id);
-+ if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
-+ asid = new_context(mm, cpu);
-+ atomic64_set(&mm->context.id, asid);
-+ }
-
- if (cpumask_test_and_clear_cpu(cpu, &tlb_flush_pending))
- local_flush_tlb_all();
-+
-+ atomic64_set(&per_cpu(active_asids, cpu), asid);
-+ cpumask_set_cpu(cpu, mm_cpumask(mm));
- raw_spin_unlock_irqrestore(&cpu_asid_lock, flags);
-
- switch_mm_fastpath:
-diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c
-index 3b44e0d..5dfbb0b 100644
---- a/arch/arm/vfp/vfpmodule.c
-+++ b/arch/arm/vfp/vfpmodule.c
-@@ -413,7 +413,7 @@ void VFP_bounce(u32 trigger, u32 fpexc, struct pt_regs *regs)
- * If there isn't a second FP instruction, exit now. Note that
- * the FPEXC.FP2V bit is valid only if FPEXC.EX is 1.
- */
-- if (fpexc ^ (FPEXC_EX | FPEXC_FP2V))
-+ if ((fpexc & (FPEXC_EX | FPEXC_FP2V)) != (FPEXC_EX | FPEXC_FP2V))
- goto exit;
-
- /*
-diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
-index 6da881b..8d97eb4 100644
---- a/arch/powerpc/kernel/setup_64.c
-+++ b/arch/powerpc/kernel/setup_64.c
-@@ -156,6 +156,15 @@ early_param("smt-enabled", early_smt_enabled);
- #define check_smt_enabled()
- #endif /* CONFIG_SMP */
-
-+/** Fix up paca fields required for the boot cpu */
-+static void fixup_boot_paca(void)
-+{
-+ /* The boot cpu is started */
-+ get_paca()->cpu_start = 1;
-+ /* Allow percpu accesses to work until we setup percpu data */
-+ get_paca()->data_offset = 0;
-+}
-+
- /*
- * Early initialization entry point. This is called by head.S
- * with MMU translation disabled.
We rely on the "feature" of
-@@ -185,6 +194,7 @@ void __init early_setup(unsigned long dt_ptr)
- /* Assume we're on cpu 0 for now. Don't write to the paca yet! */
- initialise_paca(&boot_paca, 0);
- setup_paca(&boot_paca);
-+ fixup_boot_paca();
-
- /* Initialize lockdep early or else spinlocks will blow */
- lockdep_init();
-@@ -205,11 +215,7 @@ void __init early_setup(unsigned long dt_ptr)
-
- /* Now we know the logical id of our boot cpu, setup the paca. */
- setup_paca(&paca[boot_cpuid]);
--
-- /* Fix up paca fields required for the boot cpu */
-- get_paca()->cpu_start = 1;
-- /* Allow percpu accesses to "work" until we setup percpu data */
-- get_paca()->data_offset = 0;
-+ fixup_boot_paca();
-
- /* Probe the machine type */
- probe_machine();
-diff --git a/arch/tile/include/asm/compat.h b/arch/tile/include/asm/compat.h
-index 88f3c22..59e3574 100644
---- a/arch/tile/include/asm/compat.h
-+++ b/arch/tile/include/asm/compat.h
-@@ -296,6 +296,9 @@ long compat_sys_sync_file_range2(int fd, unsigned int flags,
- long compat_sys_fallocate(int fd, int mode,
- u32 offset_lo, u32 offset_hi,
- u32 len_lo, u32 len_hi);
-+long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
-+ unsigned int offset_low, loff_t __user * result,
-+ unsigned int origin);
-
- /* Assembly trampoline to avoid clobbering r0. */
- long _compat_sys_rt_sigreturn(void);
-diff --git a/arch/tile/kernel/compat.c b/arch/tile/kernel/compat.c
-index 7f72401..d8e3b7e 100644
---- a/arch/tile/kernel/compat.c
-+++ b/arch/tile/kernel/compat.c
-@@ -76,6 +76,18 @@ long compat_sys_fallocate(int fd, int mode,
- ((loff_t)len_hi << 32) | len_lo);
- }
-
-+/*
-+ * Avoid bug in generic sys_llseek() that specifies offset_high and
-+ * offset_low as "unsigned long", thus making it possible to pass
-+ * a sign-extended high 32 bits in offset_low.
-+ */
-+long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
-+ unsigned int offset_low, loff_t __user * result,
-+ unsigned int origin)
-+{
-+ return sys_llseek(fd, offset_high, offset_low, result, origin);
-+}
-+
- /* Provide the compat syscall number to call mapping. */
- #undef __SYSCALL
- #define __SYSCALL(nr, call) [nr] = (call),
-@@ -83,6 +95,7 @@ long compat_sys_fallocate(int fd, int mode,
- /* See comments in sys.c */
- #define compat_sys_fadvise64_64 sys32_fadvise64_64
- #define compat_sys_readahead sys32_readahead
-+#define sys_llseek compat_sys_llseek
-
- /* Call the assembly trampolines where necessary. */
- #define compat_sys_rt_sigreturn _compat_sys_rt_sigreturn
-diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
-index 220a360..5bedbdd 100644
---- a/arch/x86/kernel/kvmclock.c
-+++ b/arch/x86/kernel/kvmclock.c
-@@ -218,6 +218,9 @@ static void kvm_shutdown(void)
- void __init kvmclock_init(void)
- {
- unsigned long mem;
-+ int size;
-+
-+ size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-
- if (!kvm_para_available())
- return;
-@@ -231,16 +234,14 @@ void __init kvmclock_init(void)
- printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
- msr_kvm_system_time, msr_kvm_wall_clock);
-
-- mem = memblock_alloc(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS,
-- PAGE_SIZE);
-+ mem = memblock_alloc(size, PAGE_SIZE);
- if (!mem)
- return;
- hv_clock = __va(mem);
-
- if (kvm_register_clock("boot clock")) {
- hv_clock = NULL;
-- memblock_free(mem,
-- sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-+ memblock_free(mem, size);
- return;
- }
- pv_time_ops.sched_clock = kvm_clock_read;
-@@ -275,7 +276,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
- struct pvclock_vcpu_time_info *vcpu_time;
- unsigned int size;
-
-- size = sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS;
-+ size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-
- preempt_disable();
- cpu = smp_processor_id();
-diff --git
a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
-index 85c3959..2cb9470 100644
---- a/arch/x86/kernel/pvclock.c
-+++ b/arch/x86/kernel/pvclock.c
-@@ -185,7 +185,7 @@ int __init pvclock_init_vsyscall(struct pvclock_vsyscall_time_info *i,
-
- for (idx = 0; idx <= (PVCLOCK_FIXMAP_END-PVCLOCK_FIXMAP_BEGIN); idx++) {
- __set_fixmap(PVCLOCK_FIXMAP_BEGIN + idx,
-- __pa_symbol(i) + (idx*PAGE_SIZE),
-+ __pa(i) + (idx*PAGE_SIZE),
- PAGE_KERNEL_VVAR);
- }
-
-diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
-index 56ab749..94e7662 100644
---- a/arch/x86/pci/xen.c
-+++ b/arch/x86/pci/xen.c
-@@ -162,6 +162,9 @@ static int xen_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- struct msi_desc *msidesc;
- int *v;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- v = kzalloc(sizeof(int) * max(1, nvec), GFP_KERNEL);
- if (!v)
- return -ENOMEM;
-@@ -220,6 +223,9 @@ static int xen_hvm_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- struct msi_desc *msidesc;
- struct msi_msg msg;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- list_for_each_entry(msidesc, &dev->msi_list, list) {
- __read_msi_msg(msidesc, &msg);
- pirq = MSI_ADDR_EXT_DEST_ID(msg.address_hi) |
-@@ -263,6 +269,9 @@ static int xen_initdom_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- int ret = 0;
- struct msi_desc *msidesc;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- list_for_each_entry(msidesc, &dev->msi_list, list) {
- struct physdev_map_pirq map_irq;
- domid_t domid;
-diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index e014092..2262003 100644
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -67,6 +67,7 @@
- #include <asm/hypervisor.h>
- #include <asm/mwait.h>
- #include <asm/pci_x86.h>
-+#include <asm/pat.h>
-
- #ifdef CONFIG_ACPI
- #include <linux/acpi.h>
-@@ -1417,7 +1418,14 @@ asmlinkage void __init xen_start_kernel(void)
- */
- acpi_numa = -1;
- #endif
--
-+#ifdef CONFIG_X86_PAT
-+ /*
-+ *
For right now disable the PAT. We should remove this once
-+ * git commit 8eaffa67b43e99ae581622c5133e20b0f48bcef1
-+ * (xen/pat: Disable PAT support for now) is reverted.
-+ */
-+ pat_enabled = 0;
-+#endif
- /* Don't do the full vcpu_info placement stuff until we have a
- possible map and a non-dummy shared_info. */
- per_cpu(xen_vcpu, 0) = &HYPERVISOR_shared_info->vcpu_info[0];
-diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
-index 533de95..7d4a8d2 100644
---- a/crypto/ablkcipher.c
-+++ b/crypto/ablkcipher.c
-@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<built-in>");
-+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-diff --git a/crypto/aead.c b/crypto/aead.c
-index 0b8121e..27bc487 100644
---- a/crypto/aead.c
-+++ b/crypto/aead.c
-@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg
*aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- aead->geniv ?: "<built-in>");
-+ strncpy(raead.type, "aead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv);
-+ strncpy(raead.type, "nivaead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-diff --git a/crypto/ahash.c b/crypto/ahash.c
-index 3887856..793a27f 100644
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_hash rhash;
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash");
-+ strncpy(rhash.type, "ahash", sizeof(rhash.type));
-
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize;
-diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
-index a8d85a1..c44e014 100644
---- a/crypto/blkcipher.c
-+++ b/crypto/blkcipher.c
-@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_blkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
-
rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
-diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
-index 35d700a..f6d9baf 100644
---- a/crypto/crypto_user.c
-+++ b/crypto/crypto_user.c
-@@ -75,7 +75,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_cipher rcipher;
-
-- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher");
-+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
-
- rcipher.blocksize = alg->cra_blocksize;
- rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
-@@ -94,8 +94,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rcomp;
-
-- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression");
--
-+ strncpy(rcomp.type, "compression", sizeof(rcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rcomp))
- goto nla_put_failure;
-@@ -108,12 +107,14 @@ nla_put_failure:
- static int crypto_report_one(struct crypto_alg *alg,
- struct crypto_user_alg *ualg, struct sk_buff *skb)
- {
-- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name));
-- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name,
-- sizeof(ualg->cru_driver_name));
-- memcpy(&ualg->cru_module_name, module_name(alg->cra_module),
-- CRYPTO_MAX_ALG_NAME);
--
-+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
-+ strncpy(ualg->cru_driver_name, alg->cra_driver_name,
-+ sizeof(ualg->cru_driver_name));
-+ strncpy(ualg->cru_module_name, module_name(alg->cra_module),
-+ sizeof(ualg->cru_module_name));
-+
-+ ualg->cru_type = 0;
-+ ualg->cru_mask = 0;
- ualg->cru_flags = alg->cra_flags;
- ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
-
-@@ -122,8 +123,7 @@ static int crypto_report_one(struct crypto_alg *alg,
- if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
- struct crypto_report_larval rl;
-
-- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s",
"larval");
--
-+ strncpy(rl.type, "larval", sizeof(rl.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
- sizeof(struct crypto_report_larval), &rl))
- goto nla_put_failure;
-diff --git a/crypto/pcompress.c b/crypto/pcompress.c
-index 04e083f..7140fe7 100644
---- a/crypto/pcompress.c
-+++ b/crypto/pcompress.c
-@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rpcomp;
-
-- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp");
--
-+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rpcomp))
- goto nla_put_failure;
-diff --git a/crypto/rng.c b/crypto/rng.c
-index f3b7894..e0a25c2 100644
---- a/crypto/rng.c
-+++ b/crypto/rng.c
-@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_rng rrng;
-
-- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng");
-+ strncpy(rrng.type, "rng", sizeof(rrng.type));
-
- rrng.seedsize = alg->cra_rng.seedsize;
-
-diff --git a/crypto/shash.c b/crypto/shash.c
-index f426330f..929058a 100644
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_hash rhash;
- struct shash_alg *salg = __crypto_shash_alg(alg);
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash");
-+ strncpy(rhash.type, "shash", sizeof(rhash.type));
-+
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = salg->digestsize;
-
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index de1f319..e34a7b4 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -881,6 +881,7 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
- goto fail_response;
- }
-
-+ preq.dev = req->u.rw.handle;
- preq.sector_number = req->u.rw.sector_number;
- preq.nr_sects =
0;
-
-diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
-index 1bafb40..69ae597 100644
---- a/drivers/char/hw_random/core.c
-+++ b/drivers/char/hw_random/core.c
-@@ -40,6 +40,7 @@
- #include <linux/init.h>
- #include <linux/miscdevice.h>
- #include <linux/delay.h>
-+#include <linux/slab.h>
- #include <asm/uaccess.h>
-
-
-@@ -52,8 +53,12 @@ static struct hwrng *current_rng;
- static LIST_HEAD(rng_list);
- static DEFINE_MUTEX(rng_mutex);
- static int data_avail;
--static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES]
-- __cacheline_aligned;
-+static u8 *rng_buffer;
-+
-+static size_t rng_buffer_size(void)
-+{
-+ return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
-+}
-
- static inline int hwrng_init(struct hwrng *rng)
- {
-@@ -116,7 +121,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
-
- if (!data_avail) {
- bytes_read = rng_get_data(current_rng, rng_buffer,
-- sizeof(rng_buffer),
-+ rng_buffer_size(),
- !(filp->f_flags & O_NONBLOCK));
- if (bytes_read < 0) {
- err = bytes_read;
-@@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng)
-
- mutex_lock(&rng_mutex);
-
-+ /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */
-+ err = -ENOMEM;
-+ if (!rng_buffer) {
-+ rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL);
-+ if (!rng_buffer)
-+ goto out_unlock;
-+ }
-+
- /* Must not register two RNGs with the same name.
*/
- err = -EEXIST;
- list_for_each_entry(tmp, &rng_list, list) {
-diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 85e81ec..57d4b15 100644
---- a/drivers/char/random.c
-+++ b/drivers/char/random.c
-@@ -852,6 +852,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
- int reserved)
- {
- unsigned long flags;
-+ int wakeup_write = 0;
-
- /* Hold lock while accounting */
- spin_lock_irqsave(&r->lock, flags);
-@@ -873,10 +874,8 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
- else
- r->entropy_count = reserved;
-
-- if (r->entropy_count < random_write_wakeup_thresh) {
-- wake_up_interruptible(&random_write_wait);
-- kill_fasync(&fasync, SIGIO, POLL_OUT);
-- }
-+ if (r->entropy_count < random_write_wakeup_thresh)
-+ wakeup_write = 1;
- }
-
- DEBUG_ENT("debiting %zu entropy credits from %s%s\n",
-@@ -884,6 +883,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
-
- spin_unlock_irqrestore(&r->lock, flags);
-
-+ if (wakeup_write) {
-+ wake_up_interruptible(&random_write_wait);
-+ kill_fasync(&fasync, SIGIO, POLL_OUT);
-+ }
-+
- return nbytes;
- }
-
-diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
-index fce2000..1110478 100644
---- a/drivers/connector/cn_proc.c
-+++ b/drivers/connector/cn_proc.c
-@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- (task_active_pid_ns(current) != &init_pid_ns))
- return;
-
-+ /* Can only change if privileged. 
*/
-+ if (!capable(CAP_NET_ADMIN)) {
-+ err = EPERM;
-+ goto out;
-+ }
-+
- mc_op = (enum proc_cn_mcast_op *)msg->data;
- switch (*mc_op) {
- case PROC_CN_MCAST_LISTEN:
-@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- err = EINVAL;
- break;
- }
-+
-+out:
- cn_proc_ack(err, msg->seq, msg->ack);
- }
-
-diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 982f1f5..4cd392d 100644
---- a/drivers/firmware/dmi_scan.c
-+++ b/drivers/firmware/dmi_scan.c
-@@ -442,7 +442,6 @@ static int __init dmi_present(const char __iomem *p)
- static int __init smbios_present(const char __iomem *p)
- {
- u8 buf[32];
-- int offset = 0;
-
- memcpy_fromio(buf, p, 32);
- if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) {
-@@ -461,9 +460,9 @@ static int __init smbios_present(const char __iomem *p)
- dmi_ver = 0x0206;
- break;
- }
-- offset = 16;
-+ return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16);
- }
-- return dmi_present(buf + offset);
-+ return 1;
- }
-
- void __init dmi_scan_machine(void)
-diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index bcb201c..2a2e145 100644
---- a/drivers/firmware/efivars.c
-+++ b/drivers/firmware/efivars.c
-@@ -406,10 +406,11 @@ static efi_status_t
- get_var_data(struct efivars *efivars, struct efi_variable *var)
- {
- efi_status_t status;
-+ unsigned long flags;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irqsave(&efivars->lock, flags);
- status = get_var_data_locked(efivars, var);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: get_variable() failed 0x%lx!\n",
-@@ -418,6 +419,44 @@ get_var_data(struct efivars *efivars, struct efi_variable *var)
- return status;
- }
-
-+static efi_status_t
-+check_var_size_locked(struct efivars *efivars, u32 attributes,
-+ unsigned long size)
-+{
-+ u64 storage_size, remaining_size, max_size;
-+ efi_status_t status;
-+ const struct efivar_operations *fops 
= efivars->ops;
-+
-+ if (!efivars->ops->query_variable_info)
-+ return EFI_UNSUPPORTED;
-+
-+ status = fops->query_variable_info(attributes, &storage_size,
-+ &remaining_size, &max_size);
-+
-+ if (status != EFI_SUCCESS)
-+ return status;
-+
-+ if (!storage_size || size > remaining_size || size > max_size ||
-+ (remaining_size - size) < (storage_size / 2))
-+ return EFI_OUT_OF_RESOURCES;
-+
-+ return status;
-+}
-+
-+
-+static efi_status_t
-+check_var_size(struct efivars *efivars, u32 attributes, unsigned long size)
-+{
-+ efi_status_t status;
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&efivars->lock, flags);
-+ status = check_var_size_locked(efivars, attributes, size);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-+
-+ return status;
-+}
-+
- static ssize_t
- efivar_guid_read(struct efivar_entry *entry, char *buf)
- {
-@@ -538,14 +577,19 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
- return -EINVAL;
- }
-
-- spin_lock(&efivars->lock);
-- status = efivars->ops->set_variable(new_var->VariableName,
-- &new_var->VendorGuid,
-- new_var->Attributes,
-- new_var->DataSize,
-- new_var->Data);
-+ spin_lock_irq(&efivars->lock);
-+
-+ status = check_var_size_locked(efivars, new_var->Attributes,
-+ new_var->DataSize + utf16_strsize(new_var->VariableName, 1024));
-
-- spin_unlock(&efivars->lock);
-+ if (status == EFI_SUCCESS || status == EFI_UNSUPPORTED)
-+ status = efivars->ops->set_variable(new_var->VariableName,
-+ &new_var->VendorGuid,
-+ new_var->Attributes,
-+ new_var->DataSize,
-+ new_var->Data);
-+
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
-@@ -694,8 +738,7 @@ static ssize_t efivarfs_file_write(struct file *file,
- u32 attributes;
- struct inode *inode = file->f_mapping->host;
- unsigned long datasize = count - sizeof(attributes);
-- unsigned long newdatasize;
-- u64 storage_size, remaining_size, max_size;
-+ unsigned long 
newdatasize, varsize;
- ssize_t bytes = 0;
-
- if (count < sizeof(attributes))
-@@ -714,28 +757,18 @@ static ssize_t efivarfs_file_write(struct file *file,
- * amounts of memory. Pick a default size of 64K if
- * QueryVariableInfo() isn't supported by the firmware.
- */
-- spin_lock(&efivars->lock);
-
-- if (!efivars->ops->query_variable_info)
-- status = EFI_UNSUPPORTED;
-- else {
-- const struct efivar_operations *fops = efivars->ops;
-- status = fops->query_variable_info(attributes, &storage_size,
-- &remaining_size, &max_size);
-- }
--
-- spin_unlock(&efivars->lock);
-+ varsize = datasize + utf16_strsize(var->var.VariableName, 1024);
-+ status = check_var_size(efivars, attributes, varsize);
-
- if (status != EFI_SUCCESS) {
- if (status != EFI_UNSUPPORTED)
- return efi_status_to_err(status);
-
-- remaining_size = 65536;
-+ if (datasize > 65536)
-+ return -ENOSPC;
- }
-
-- if (datasize > remaining_size)
-- return -ENOSPC;
--
- data = kmalloc(datasize, GFP_KERNEL);
- if (!data)
- return -ENOMEM;
-@@ -755,7 +788,20 @@ static ssize_t efivarfs_file_write(struct file *file,
- * set_variable call, and removal of the variable from the efivars
- * list (in the case of an authenticated delete). 
- */
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-+
-+ /*
-+ * Ensure that the available space hasn't shrunk below the safe level
-+ */
-+
-+ status = check_var_size_locked(efivars, attributes, varsize);
-+
-+ if (status != EFI_SUCCESS && status != EFI_UNSUPPORTED) {
-+ spin_unlock_irq(&efivars->lock);
-+ kfree(data);
-+
-+ return efi_status_to_err(status);
-+ }
-
- status = efivars->ops->set_variable(var->var.VariableName,
- &var->var.VendorGuid,
-@@ -763,7 +809,7 @@ static ssize_t efivarfs_file_write(struct file *file,
- data);
-
- if (status != EFI_SUCCESS) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- kfree(data);
-
- return efi_status_to_err(status);
-@@ -784,21 +830,21 @@ static ssize_t efivarfs_file_write(struct file *file,
- NULL);
-
- if (status == EFI_BUFFER_TOO_SMALL) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- mutex_lock(&inode->i_mutex);
- i_size_write(inode, newdatasize + sizeof(attributes));
- mutex_unlock(&inode->i_mutex);
-
- } else if (status == EFI_NOT_FOUND) {
- list_del(&var->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(var);
- drop_nlink(inode);
- d_delete(file->f_dentry);
- dput(file->f_dentry);
-
- } else {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- pr_warn("efivarfs: inconsistent EFI variable implementation? 
"
- "status = %lx\n", status);
- }
-@@ -820,11 +866,11 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
- void *data;
- ssize_t size = 0;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- status = efivars->ops->get_variable(var->var.VariableName,
- &var->var.VendorGuid,
- &attributes, &datasize, NULL);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_BUFFER_TOO_SMALL)
- return efi_status_to_err(status);
-@@ -834,12 +880,12 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
- if (!data)
- return -ENOMEM;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- status = efivars->ops->get_variable(var->var.VariableName,
- &var->var.VendorGuid,
- &attributes, &datasize,
- (data + sizeof(attributes)));
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_SUCCESS) {
- size = efi_status_to_err(status);
-@@ -921,8 +967,8 @@ static bool efivarfs_valid_name(const char *str, int len)
- if (len < GUID_LEN + 2)
- return false;
-
-- /* GUID should be right after the first '-' */
-- if (s - 1 != strchr(str, '-'))
-+ /* GUID must be preceded by a '-' */
-+ if (*(s - 1) != '-')
- return false;
-
- /*
-@@ -1005,9 +1051,9 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry,
- goto out;
-
- kobject_uevent(&var->kobj, KOBJ_ADD);
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_add(&var->list, &efivars->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- d_instantiate(dentry, inode);
- dget(dentry);
- out:
-@@ -1024,7 +1070,7 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
- struct efivars *efivars = var->efivars;
- efi_status_t status;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- status = efivars->ops->set_variable(var->var.VariableName,
- &var->var.VendorGuid,
-@@ -1032,14 +1078,14 @@ static int 
efivarfs_unlink(struct inode *dir, struct dentry *dentry)
-
- if (status == EFI_SUCCESS || status == EFI_NOT_FOUND) {
- list_del(&var->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(var);
- drop_nlink(dentry->d_inode);
- dput(dentry);
- return 0;
- }
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- };
-
-@@ -1110,15 +1156,22 @@ static struct dentry_operations efivarfs_d_ops = {
-
- static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name)
- {
-+ struct dentry *d;
- struct qstr q;
-+ int err;
-
- q.name = name;
- q.len = strlen(name);
-
-- if (efivarfs_d_hash(NULL, NULL, &q))
-- return NULL;
-+ err = efivarfs_d_hash(NULL, NULL, &q);
-+ if (err)
-+ return ERR_PTR(err);
-
-- return d_alloc(parent, &q);
-+ d = d_alloc(parent, &q);
-+ if (d)
-+ return d;
-+
-+ return ERR_PTR(-ENOMEM);
- }
-
- static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
-@@ -1128,6 +1181,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- struct efivar_entry *entry, *n;
- struct efivars *efivars = &__efivars;
- char *name;
-+ int err = -ENOMEM;
-
- efivarfs_sb = sb;
-
-@@ -1178,19 +1232,21 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- goto fail_name;
-
- dentry = efivarfs_alloc_dentry(root, name);
-- if (!dentry)
-+ if (IS_ERR(dentry)) {
-+ err = PTR_ERR(dentry);
- goto fail_inode;
-+ }
-
- /* copied by the above to local storage in the dentry. 
*/
- kfree(name);
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- efivars->ops->get_variable(entry->var.VariableName,
- &entry->var.VendorGuid,
- &entry->var.Attributes,
- &size,
- NULL);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- mutex_lock(&inode->i_mutex);
- inode->i_private = entry;
-@@ -1206,7 +1262,7 @@ fail_inode:
- fail_name:
- kfree(name);
- fail:
-- return -ENOMEM;
-+ return err;
- }
-
- static struct dentry *efivarfs_mount(struct file_system_type *fs_type,
-@@ -1253,7 +1309,7 @@ static int efi_pstore_open(struct pstore_info *psi)
- {
- struct efivars *efivars = psi->data;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- efivars->walk_entry = list_first_entry(&efivars->list,
- struct efivar_entry, list);
- return 0;
-@@ -1263,7 +1319,7 @@ static int efi_pstore_close(struct pstore_info *psi)
- {
- struct efivars *efivars = psi->data;
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return 0;
- }
-
-@@ -1337,22 +1393,22 @@ static int efi_pstore_write(enum pstore_type_id type,
- efi_guid_t vendor = LINUX_EFI_CRASH_GUID;
- struct efivars *efivars = psi->data;
- int i, ret = 0;
-- u64 storage_space, remaining_space, max_variable_size;
- efi_status_t status = EFI_NOT_FOUND;
-+ unsigned long flags;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irqsave(&efivars->lock, flags);
-
- /*
- * Check if there is a space enough to log. 
- * size: a size of logging data
- * DUMP_NAME_LEN * 2: a maximum size of variable name
- */
-- status = efivars->ops->query_variable_info(PSTORE_EFI_ATTRIBUTES,
-- &storage_space,
-- &remaining_space,
-- &max_variable_size);
-- if (status || remaining_space < size + DUMP_NAME_LEN * 2) {
-- spin_unlock(&efivars->lock);
-+
-+ status = check_var_size_locked(efivars, PSTORE_EFI_ATTRIBUTES,
-+ size + DUMP_NAME_LEN * 2);
-+
-+ if (status) {
-+ spin_unlock_irqrestore(&efivars->lock, flags);
- *id = part;
- return -ENOSPC;
- }
-@@ -1366,7 +1422,7 @@ static int efi_pstore_write(enum pstore_type_id type,
- efivars->ops->set_variable(efi_name, &vendor, PSTORE_EFI_ATTRIBUTES,
- size, psi->buf);
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-
- if (size)
- ret = efivar_create_sysfs_entry(efivars,
-@@ -1393,7 +1449,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count,
- sprintf(name, "dump-type%u-%u-%d-%lu", type, (unsigned int)id, count,
- time.tv_sec);
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- for (i = 0; i < DUMP_NAME_LEN; i++)
- efi_name[i] = name[i];
-@@ -1437,7 +1493,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count,
- if (found)
- list_del(&found->list);
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (found)
- efivar_unregister(found);
-@@ -1507,7 +1563,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- return -EINVAL;
- }
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- /*
- * Does this variable already exist? 
-@@ -1525,10 +1581,18 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- }
- }
- if (found) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- }
-
-+ status = check_var_size_locked(efivars, new_var->Attributes,
-+ new_var->DataSize + utf16_strsize(new_var->VariableName, 1024));
-+
-+ if (status && status != EFI_UNSUPPORTED) {
-+ spin_unlock_irq(&efivars->lock);
-+ return efi_status_to_err(status);
-+ }
-+
- /* now *really* create the variable via EFI */
- status = efivars->ops->set_variable(new_var->VariableName,
- &new_var->VendorGuid,
-@@ -1539,10 +1603,10 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
- status);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EIO;
- }
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- /* Create the entry in sysfs. Locking is not required here */
- status = efivar_create_sysfs_entry(efivars,
-@@ -1570,7 +1634,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- /*
- * Does this variable already exist?
-@@ -1588,7 +1652,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- }
- }
- if (!found) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- }
- /* force the Attributes/DataSize to 0 to ensure deletion */
-@@ -1604,12 +1668,12 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
- status);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EIO;
- }
- list_del(&search_efivar->list);
- /* We need to release this lock before unregistering. 
*/
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(search_efivar);
-
- /* It's dead Jim.... */
-@@ -1724,9 +1788,9 @@ efivar_create_sysfs_entry(struct efivars *efivars,
- kfree(short_name);
- short_name = NULL;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_add(&new_efivar->list, &efivars->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- return 0;
- }
-@@ -1795,9 +1859,9 @@ void unregister_efivars(struct efivars *efivars)
- struct efivar_entry *entry, *n;
-
- list_for_each_entry_safe(entry, n, &efivars->list, list) {
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_del(&entry->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(entry);
- }
- if (efivars->new_var)
-diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
-index 6819d63..456663c 100644
---- a/drivers/gpio/gpio-mvebu.c
-+++ b/drivers/gpio/gpio-mvebu.c
-@@ -41,6 +41,7 @@
- #include <linux/io.h>
- #include <linux/of_irq.h>
- #include <linux/of_device.h>
-+#include <linux/clk.h>
- #include <linux/pinctrl/consumer.h>
-
- /*
-@@ -495,6 +496,7 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
- struct resource *res;
- struct irq_chip_generic *gc;
- struct irq_chip_type *ct;
-+ struct clk *clk;
- unsigned int ngpios;
- int soc_variant;
- int i, cpu, id;
-@@ -528,6 +530,11 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
- return id;
- }
-
-+ clk = devm_clk_get(&pdev->dev, NULL);
-+ /* Not all SoCs require a clock.*/
-+ if (!IS_ERR(clk))
-+ clk_prepare_enable(clk);
-+
- mvchip->soc_variant = soc_variant;
- mvchip->chip.label = dev_name(&pdev->dev);
- mvchip->chip.dev = &pdev->dev;
-diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index 99daa89..5206f24 100644
---- a/drivers/gpu/drm/i915/i915_dma.c
-+++ b/drivers/gpu/drm/i915/i915_dma.c
-@@ -1297,19 +1297,21 @@ static int 
i915_load_modeset_init(struct drm_device *dev)
- if (ret)
- goto cleanup_vga_switcheroo;
-
-+ ret = drm_irq_install(dev);
-+ if (ret)
-+ goto cleanup_gem_stolen;
-+
-+ /* Important: The output setup functions called by modeset_init need
-+ * working irqs for e.g. gmbus and dp aux transfers. */
- intel_modeset_init(dev);
-
- ret = i915_gem_init(dev);
- if (ret)
-- goto cleanup_gem_stolen;
--
-- intel_modeset_gem_init(dev);
-+ goto cleanup_irq;
-
- INIT_WORK(&dev_priv->console_resume_work, intel_console_resume);
-
-- ret = drm_irq_install(dev);
-- if (ret)
-- goto cleanup_gem;
-+ intel_modeset_gem_init(dev);
-
- /* Always safe in the mode setting case. */
- /* FIXME: do pre/post-mode set stuff in core KMS code */
-@@ -1317,7 +1319,10 @@ static int i915_load_modeset_init(struct drm_device *dev)
-
- ret = intel_fbdev_init(dev);
- if (ret)
-- goto cleanup_irq;
-+ goto cleanup_gem;
-+
-+ /* Only enable hotplug handling once the fbdev is fully set up. */
-+ dev_priv->enable_hotplug_processing = true;
-
- drm_kms_helper_poll_init(dev);
-
-@@ -1326,13 +1331,13 @@ static int i915_load_modeset_init(struct drm_device *dev)
-
- return 0;
-
--cleanup_irq:
-- drm_irq_uninstall(dev);
- cleanup_gem:
- mutex_lock(&dev->struct_mutex);
- i915_gem_cleanup_ringbuffer(dev);
- mutex_unlock(&dev->struct_mutex);
- i915_gem_cleanup_aliasing_ppgtt(dev);
-+cleanup_irq:
-+ drm_irq_uninstall(dev);
- cleanup_gem_stolen:
- i915_gem_cleanup_stolen(dev);
- cleanup_vga_switcheroo:
-diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
-index 1172658..fb6454c 100644
---- a/drivers/gpu/drm/i915/i915_drv.c
-+++ b/drivers/gpu/drm/i915/i915_drv.c
-@@ -377,15 +377,15 @@ static const struct pci_device_id pciidlist[] = { /* aka */
- INTEL_VGA_DEVICE(0x0A06, &intel_haswell_m_info), /* ULT GT1 mobile */
- INTEL_VGA_DEVICE(0x0A16, &intel_haswell_m_info), /* ULT GT2 mobile */
- INTEL_VGA_DEVICE(0x0A26, &intel_haswell_m_info), /* ULT GT2 mobile */
-- INTEL_VGA_DEVICE(0x0D12, 
&intel_haswell_d_info), /* CRW GT1 desktop */
-+ INTEL_VGA_DEVICE(0x0D02, &intel_haswell_d_info), /* CRW GT1 desktop */
-+ INTEL_VGA_DEVICE(0x0D12, &intel_haswell_d_info), /* CRW GT2 desktop */
- INTEL_VGA_DEVICE(0x0D22, &intel_haswell_d_info), /* CRW GT2 desktop */
-- INTEL_VGA_DEVICE(0x0D32, &intel_haswell_d_info), /* CRW GT2 desktop */
-- INTEL_VGA_DEVICE(0x0D1A, &intel_haswell_d_info), /* CRW GT1 server */
-+ INTEL_VGA_DEVICE(0x0D0A, &intel_haswell_d_info), /* CRW GT1 server */
-+ INTEL_VGA_DEVICE(0x0D1A, &intel_haswell_d_info), /* CRW GT2 server */
- INTEL_VGA_DEVICE(0x0D2A, &intel_haswell_d_info), /* CRW GT2 server */
-- INTEL_VGA_DEVICE(0x0D3A, &intel_haswell_d_info), /* CRW GT2 server */
-- INTEL_VGA_DEVICE(0x0D16, &intel_haswell_m_info), /* CRW GT1 mobile */
-+ INTEL_VGA_DEVICE(0x0D06, &intel_haswell_m_info), /* CRW GT1 mobile */
-+ INTEL_VGA_DEVICE(0x0D16, &intel_haswell_m_info), /* CRW GT2 mobile */
- INTEL_VGA_DEVICE(0x0D26, &intel_haswell_m_info), /* CRW GT2 mobile */
-- INTEL_VGA_DEVICE(0x0D36, &intel_haswell_m_info), /* CRW GT2 mobile */
- INTEL_VGA_DEVICE(0x0f30, &intel_valleyview_m_info),
- INTEL_VGA_DEVICE(0x0157, &intel_valleyview_m_info),
- INTEL_VGA_DEVICE(0x0155, &intel_valleyview_d_info),
-@@ -486,6 +486,7 @@ static int i915_drm_freeze(struct drm_device *dev)
- intel_modeset_disable(dev);
-
- drm_irq_uninstall(dev);
-+ dev_priv->enable_hotplug_processing = false;
- }
-
- i915_save_state(dev);
-@@ -562,9 +563,19 @@ static int __i915_drm_thaw(struct drm_device *dev)
- error = i915_gem_init_hw(dev);
- mutex_unlock(&dev->struct_mutex);
-
-+ /* We need working interrupts for modeset enabling ... */
-+ drm_irq_install(dev);
-+
- intel_modeset_init_hw(dev);
- intel_modeset_setup_hw_state(dev, false);
-- drm_irq_install(dev);
-+
-+ /*
-+ * ... but also need to make sure that hotplug processing
-+ * doesn't cause havoc. Like in the driver load code we don't
-+ * bother with the tiny race here where we might loose hotplug
-+ * notifications. 
-+ * */
-+ dev_priv->enable_hotplug_processing = true;
- }
-
- intel_opregion_init(dev);
-diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 7339a4b..66ad64f 100644
---- a/drivers/gpu/drm/i915/i915_drv.h
-+++ b/drivers/gpu/drm/i915/i915_drv.h
-@@ -672,6 +672,7 @@ typedef struct drm_i915_private {
-
- u32 hotplug_supported_mask;
- struct work_struct hotplug_work;
-+ bool enable_hotplug_processing;
-
- int num_pipe;
- int num_pch_pll;
-diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index fe84338..3c00403 100644
---- a/drivers/gpu/drm/i915/i915_irq.c
-+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -287,6 +287,10 @@ static void i915_hotplug_work_func(struct work_struct *work)
- struct drm_mode_config *mode_config = &dev->mode_config;
- struct intel_encoder *encoder;
-
-+ /* HPD irq before everything is fully set up. */
-+ if (!dev_priv->enable_hotplug_processing)
-+ return;
-+
- mutex_lock(&mode_config->mutex);
- DRM_DEBUG_KMS("running encoder hotplug functions\n");
-
-diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c
-index 06b1786..b52ed09 100644
---- a/drivers/gpu/drm/i915/intel_crt.c
-+++ b/drivers/gpu/drm/i915/intel_crt.c
-@@ -88,7 +88,7 @@ static void intel_disable_crt(struct intel_encoder *encoder)
- u32 temp;
-
- temp = I915_READ(crt->adpa_reg);
-- temp &= ~(ADPA_HSYNC_CNTL_DISABLE | ADPA_VSYNC_CNTL_DISABLE);
-+ temp |= ADPA_HSYNC_CNTL_DISABLE | ADPA_VSYNC_CNTL_DISABLE;
- temp &= ~ADPA_DAC_ENABLE;
- I915_WRITE(crt->adpa_reg, temp);
- }
-diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
-index 3280cff..dde0ded 100644
---- a/drivers/gpu/drm/i915/intel_pm.c
-+++ b/drivers/gpu/drm/i915/intel_pm.c
-@@ -2572,7 +2572,7 @@ static void gen6_enable_rps(struct drm_device *dev)
- I915_WRITE(GEN6_RC_SLEEP, 0);
- I915_WRITE(GEN6_RC1e_THRESHOLD, 1000);
- I915_WRITE(GEN6_RC6_THRESHOLD, 50000);
-- I915_WRITE(GEN6_RC6p_THRESHOLD, 100000);
-+ 
I915_WRITE(GEN6_RC6p_THRESHOLD, 150000);
- I915_WRITE(GEN6_RC6pp_THRESHOLD, 64000); /* unused */
-
- /* Check if we are enabling RC6 */
-diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
-index 3e403bd..78edadc 100644
---- a/drivers/gpu/drm/radeon/radeon_combios.c
-+++ b/drivers/gpu/drm/radeon/radeon_combios.c
-@@ -970,6 +970,15 @@ struct radeon_encoder_primary_dac *radeon_combios_get_primary_dac_info(struct
- found = 1;
- }
-
-+ /* quirks */
-+ /* Radeon 9100 (R200) */
-+ if ((dev->pdev->device == 0x514D) &&
-+ (dev->pdev->subsystem_vendor == 0x174B) &&
-+ (dev->pdev->subsystem_device == 0x7149)) {
-+ /* vbios value is bad, use the default */
-+ found = 0;
-+ }
-+
- if (!found) /* fallback to defaults */
- radeon_legacy_get_primary_dac_info_from_table(rdev, p_dac);
-
-diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-index 90374dd..48f80cd 100644
---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
-+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-@@ -400,6 +400,9 @@ void radeon_irq_kms_enable_afmt(struct radeon_device *rdev, int block)
- {
- unsigned long irqflags;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- rdev->irq.afmt[block] = true;
- radeon_irq_set(rdev);
-@@ -419,6 +422,9 @@ void radeon_irq_kms_disable_afmt(struct radeon_device *rdev, int block)
- {
- unsigned long irqflags;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- rdev->irq.afmt[block] = false;
- radeon_irq_set(rdev);
-@@ -438,6 +444,9 @@ void radeon_irq_kms_enable_hpd(struct radeon_device *rdev, unsigned hpd_mask)
- unsigned long irqflags;
- int i;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- for (i = 0; i < RADEON_MAX_HPD_PINS; ++i)
- rdev->irq.hpd[i] |= !!(hpd_mask & (1 << i));
-@@ -458,6 +467,9 @@ void radeon_irq_kms_disable_hpd(struct radeon_device *rdev, 
unsigned hpd_mask) - unsigned long irqflags; - int i; - -+ if (!rdev->ddev->irq_enabled) -+ return; -+ - spin_lock_irqsave(&rdev->irq.lock, irqflags); - for (i = 0; i < RADEON_MAX_HPD_PINS; ++i) - rdev->irq.hpd[i] &= !(hpd_mask & (1 << i)); -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index 9500f2f..8758f38c 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -459,19 +459,25 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct dj_report *dj_report) - { - struct hid_device *hdev = djrcv_dev->hdev; -- int sent_bytes; -+ struct hid_report *report; -+ struct hid_report_enum *output_report_enum; -+ u8 *data = (u8 *)(&dj_report->device_index); -+ int i; - -- if (!hdev->hid_output_raw_report) { -- dev_err(&hdev->dev, "%s:" -- "hid_output_raw_report is null\n", __func__); -+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; -+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -+ -+ if (!report) { -+ dev_err(&hdev->dev, "%s: unable to find dj report\n", __func__); - return -ENODEV; - } - -- sent_bytes = hdev->hid_output_raw_report(hdev, (u8 *) dj_report, -- sizeof(struct dj_report), -- HID_OUTPUT_REPORT); -+ for (i = 0; i < report->field[0]->report_count; i++) -+ report->field[0]->value[i] = data[i]; -+ -+ usbhid_submit_report(hdev, report, USB_DIR_OUT); - -- return (sent_bytes < 0) ? 
sent_bytes : 0; -+ return 0; - } - - static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) -diff --git a/drivers/hwmon/pmbus/ltc2978.c b/drivers/hwmon/pmbus/ltc2978.c -index 9652a2c..a58de38 100644 ---- a/drivers/hwmon/pmbus/ltc2978.c -+++ b/drivers/hwmon/pmbus/ltc2978.c -@@ -62,7 +62,7 @@ struct ltc2978_data { - int temp_min, temp_max; - int vout_min[8], vout_max[8]; - int iout_max[2]; -- int temp2_max[2]; -+ int temp2_max; - struct pmbus_driver_info info; - }; - -@@ -204,10 +204,9 @@ static int ltc3880_read_word_data(struct i2c_client *client, int page, int reg) - ret = pmbus_read_word_data(client, page, - LTC3880_MFR_TEMPERATURE2_PEAK); - if (ret >= 0) { -- if (lin11_to_val(ret) -- > lin11_to_val(data->temp2_max[page])) -- data->temp2_max[page] = ret; -- ret = data->temp2_max[page]; -+ if (lin11_to_val(ret) > lin11_to_val(data->temp2_max)) -+ data->temp2_max = ret; -+ ret = data->temp2_max; - } - break; - case PMBUS_VIRT_READ_VIN_MIN: -@@ -248,11 +247,11 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page, - - switch (reg) { - case PMBUS_VIRT_RESET_IOUT_HISTORY: -- data->iout_max[page] = 0x7fff; -+ data->iout_max[page] = 0x7c00; - ret = ltc2978_clear_peaks(client, page, data->id); - break; - case PMBUS_VIRT_RESET_TEMP2_HISTORY: -- data->temp2_max[page] = 0x7fff; -+ data->temp2_max = 0x7c00; - ret = ltc2978_clear_peaks(client, page, data->id); - break; - case PMBUS_VIRT_RESET_VOUT_HISTORY: -@@ -262,12 +261,12 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page, - break; - case PMBUS_VIRT_RESET_VIN_HISTORY: - data->vin_min = 0x7bff; -- data->vin_max = 0; -+ data->vin_max = 0x7c00; - ret = ltc2978_clear_peaks(client, page, data->id); - break; - case PMBUS_VIRT_RESET_TEMP_HISTORY: - data->temp_min = 0x7bff; -- data->temp_max = 0x7fff; -+ data->temp_max = 0x7c00; - ret = ltc2978_clear_peaks(client, page, data->id); - break; - default: -@@ -321,12 +320,13 @@ static int ltc2978_probe(struct 
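Review bot: The copy loop in logi_dj_recv_send_report is bounded by `report->field[0]->report_count`, which comes from the device's parsed report descriptor, while `data` points into the fixed-size `struct dj_report`; a descriptor that declares a larger count makes the loop read past the end of `*dj_report`. `report->field[0]` is also dereferenced without checking that the report has any field at all. I would reject such a report before the loop, e.g. `if (report->maxfield < 1 || report->field[0]->report_count > sizeof(*dj_report) - offsetof(struct dj_report, device_index)) return -ENODEV;`. The function now returns 0 unconditionally, so callers can no longer tell that a submission failed.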
i2c_client *client, - info = &data->info; - info->write_word_data = ltc2978_write_word_data; - -- data->vout_min[0] = 0xffff; - data->vin_min = 0x7bff; -+ data->vin_max = 0x7c00; - data->temp_min = 0x7bff; -- data->temp_max = 0x7fff; -+ data->temp_max = 0x7c00; -+ data->temp2_max = 0x7c00; - -- switch (id->driver_data) { -+ switch (data->id) { - case ltc2978: - info->read_word_data = ltc2978_read_word_data; - info->pages = 8; -@@ -336,7 +336,6 @@ static int ltc2978_probe(struct i2c_client *client, - for (i = 1; i < 8; i++) { - info->func[i] = PMBUS_HAVE_VOUT - | PMBUS_HAVE_STATUS_VOUT; -- data->vout_min[i] = 0xffff; - } - break; - case ltc3880: -@@ -352,11 +351,14 @@ static int ltc2978_probe(struct i2c_client *client, - | PMBUS_HAVE_IOUT | PMBUS_HAVE_STATUS_IOUT - | PMBUS_HAVE_POUT - | PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP; -- data->vout_min[1] = 0xffff; -+ data->iout_max[0] = 0x7c00; -+ data->iout_max[1] = 0x7c00; - break; - default: - return -ENODEV; - } -+ for (i = 0; i < info->pages; i++) -+ data->vout_min[i] = 0xffff; - - return pmbus_do_probe(client, id, info); - } -diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c -index 1c85d39..8047fed 100644 ---- a/drivers/hwmon/sht15.c -+++ b/drivers/hwmon/sht15.c -@@ -926,7 +926,13 @@ static int sht15_probe(struct platform_device *pdev) - if (voltage) - data->supply_uV = voltage; - -- regulator_enable(data->reg); -+ ret = regulator_enable(data->reg); -+ if (ret != 0) { -+ dev_err(&pdev->dev, -+ "failed to enable regulator: %d\n", ret); -+ return ret; -+ } -+ - /* - * Setup a notifier block to update this if another device - * causes the voltage to change -diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c -index f7369f9..2ae151e 100644 ---- a/drivers/md/dm-crypt.c -+++ b/drivers/md/dm-crypt.c -@@ -1234,20 +1234,6 @@ static int crypt_decode_key(u8 *key, char *hex, unsigned int size) - return 0; - } - --/* -- * Encode key into its hex representation -- */ --static void crypt_encode_key(char *hex, u8 
*key, unsigned int size) --{ -- unsigned int i; -- -- for (i = 0; i < size; i++) { -- sprintf(hex, "%02x", *key); -- hex += 2; -- key++; -- } --} -- - static void crypt_free_tfms(struct crypt_config *cc) - { - unsigned i; -@@ -1717,11 +1703,11 @@ static int crypt_map(struct dm_target *ti, struct bio *bio) - return DM_MAPIO_SUBMITTED; - } - --static int crypt_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void crypt_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct crypt_config *cc = ti->private; -- unsigned int sz = 0; -+ unsigned i, sz = 0; - - switch (type) { - case STATUSTYPE_INFO: -@@ -1731,17 +1717,11 @@ static int crypt_status(struct dm_target *ti, status_type_t type, - case STATUSTYPE_TABLE: - DMEMIT("%s ", cc->cipher_string); - -- if (cc->key_size > 0) { -- if ((maxlen - sz) < ((cc->key_size << 1) + 1)) -- return -ENOMEM; -- -- crypt_encode_key(result + sz, cc->key, cc->key_size); -- sz += cc->key_size << 1; -- } else { -- if (sz >= maxlen) -- return -ENOMEM; -- result[sz++] = '-'; -- } -+ if (cc->key_size > 0) -+ for (i = 0; i < cc->key_size; i++) -+ DMEMIT("%02x", cc->key[i]); -+ else -+ DMEMIT("-"); - - DMEMIT(" %llu %s %llu", (unsigned long long)cc->iv_offset, - cc->dev->name, (unsigned long long)cc->start); -@@ -1751,7 +1731,6 @@ static int crypt_status(struct dm_target *ti, status_type_t type, - - break; - } -- return 0; - } - - static void crypt_postsuspend(struct dm_target *ti) -@@ -1845,7 +1824,7 @@ static int crypt_iterate_devices(struct dm_target *ti, - - static struct target_type crypt_target = { - .name = "crypt", -- .version = {1, 12, 0}, -+ .version = {1, 12, 1}, - .module = THIS_MODULE, - .ctr = crypt_ctr, - .dtr = crypt_dtr, -diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c -index cc1bd04..c0d03b0 100644 ---- a/drivers/md/dm-delay.c -+++ b/drivers/md/dm-delay.c -@@ -293,8 +293,8 @@ static int 
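Review bot: In the STATUSTYPE_TABLE branch of crypt_status the key is now written with one `DMEMIT("%02x", cc->key[i])` per byte and the old `-ENOMEM` size check is gone, so when `maxlen` is too small the hex key is cut short without crypt_status signalling it. Only the `l == remaining` test added to retrieve_status in dm-ioctl.c reports the overflow. A comment above the loop would make that dependency explicit, e.g. `/* DMEMIT stops at maxlen; dm-ioctl sets DM_BUFFER_FULL_FLAG on truncation */`. The unbraced `if` / `for` / `else` nesting is also easy to misread, and braces around both branches would remove the dangling-else risk. crypt_status starts and ends outside this hunk.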
delay_map(struct dm_target *ti, struct bio *bio) - return delay_bio(dc, dc->read_delay, bio); - } - --static int delay_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void delay_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct delay_c *dc = ti->private; - int sz = 0; -@@ -314,8 +314,6 @@ static int delay_status(struct dm_target *ti, status_type_t type, - dc->write_delay); - break; - } -- -- return 0; - } - - static int delay_iterate_devices(struct dm_target *ti, -@@ -337,7 +335,7 @@ out: - - static struct target_type delay_target = { - .name = "delay", -- .version = {1, 2, 0}, -+ .version = {1, 2, 1}, - .module = THIS_MODULE, - .ctr = delay_ctr, - .dtr = delay_dtr, -diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c -index 9721f2f..5d6c04c 100644 ---- a/drivers/md/dm-flakey.c -+++ b/drivers/md/dm-flakey.c -@@ -337,8 +337,8 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error) - return error; - } - --static int flakey_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void flakey_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - unsigned sz = 0; - struct flakey_c *fc = ti->private; -@@ -368,7 +368,6 @@ static int flakey_status(struct dm_target *ti, status_type_t type, - - break; - } -- return 0; - } - - static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg) -@@ -411,7 +410,7 @@ static int flakey_iterate_devices(struct dm_target *ti, iterate_devices_callout_ - - static struct target_type flakey_target = { - .name = "flakey", -- .version = {1, 3, 0}, -+ .version = {1, 3, 1}, - .module = THIS_MODULE, - .ctr = flakey_ctr, - .dtr = flakey_dtr, -diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c -index 0666b5d..eee353d 100644 ---- 
a/drivers/md/dm-ioctl.c -+++ b/drivers/md/dm-ioctl.c -@@ -1067,6 +1067,7 @@ static void retrieve_status(struct dm_table *table, - num_targets = dm_table_get_num_targets(table); - for (i = 0; i < num_targets; i++) { - struct dm_target *ti = dm_table_get_target(table, i); -+ size_t l; - - remaining = len - (outptr - outbuf); - if (remaining <= sizeof(struct dm_target_spec)) { -@@ -1093,14 +1094,17 @@ static void retrieve_status(struct dm_table *table, - if (ti->type->status) { - if (param->flags & DM_NOFLUSH_FLAG) - status_flags |= DM_STATUS_NOFLUSH_FLAG; -- if (ti->type->status(ti, type, status_flags, outptr, remaining)) { -- param->flags |= DM_BUFFER_FULL_FLAG; -- break; -- } -+ ti->type->status(ti, type, status_flags, outptr, remaining); - } else - outptr[0] = '\0'; - -- outptr += strlen(outptr) + 1; -+ l = strlen(outptr) + 1; -+ if (l == remaining) { -+ param->flags |= DM_BUFFER_FULL_FLAG; -+ break; -+ } -+ -+ outptr += l; - used = param->data_start + (outptr - outbuf); - - outptr = align_ptr(outptr); -diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c -index 328cad5..5be301c 100644 ---- a/drivers/md/dm-linear.c -+++ b/drivers/md/dm-linear.c -@@ -95,8 +95,8 @@ static int linear_map(struct dm_target *ti, struct bio *bio) - return DM_MAPIO_REMAPPED; - } - --static int linear_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void linear_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct linear_c *lc = (struct linear_c *) ti->private; - -@@ -110,7 +110,6 @@ static int linear_status(struct dm_target *ti, status_type_t type, - (unsigned long long)lc->start); - break; - } -- return 0; - } - - static int linear_ioctl(struct dm_target *ti, unsigned int cmd, -@@ -155,7 +154,7 @@ static int linear_iterate_devices(struct dm_target *ti, - - static struct target_type linear_target = { - .name = "linear", -- .version = {1, 2, 0}, -+ 
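Review bot: retrieve_status now infers a full buffer only from `strlen(outptr) + 1 == remaining`, so it depends on every `->status()` leaving a NUL-terminated string at `outptr`. With the int return removed, a callback that takes no switch branch and writes nothing leaves strlen() reading whatever the buffer held before, possibly beyond `remaining`. I would set `outptr[0] = '\0';` before the `ti->type->status(...)` call and bound the scan with `l = strnlen(outptr, remaining) + 1;` followed by `if (l >= remaining) {`. retrieve_status begins and ends outside the hunk, so an earlier initialisation of the slot may exist there and should be confirmed.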
.version = {1, 2, 1}, - .module = THIS_MODULE, - .ctr = linear_ctr, - .dtr = linear_dtr, -diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c -index 573bd04..d267bb5 100644 ---- a/drivers/md/dm-mpath.c -+++ b/drivers/md/dm-mpath.c -@@ -1378,8 +1378,8 @@ static void multipath_resume(struct dm_target *ti) - * [priority selector-name num_ps_args [ps_args]* - * num_paths num_selector_args [path_dev [selector_args]* ]+ ]+ - */ --static int multipath_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void multipath_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - int sz = 0; - unsigned long flags; -@@ -1485,8 +1485,6 @@ static int multipath_status(struct dm_target *ti, status_type_t type, - } - - spin_unlock_irqrestore(&m->lock, flags); -- -- return 0; - } - - static int multipath_message(struct dm_target *ti, unsigned argc, char **argv) -@@ -1695,7 +1693,7 @@ out: - *---------------------------------------------------------------*/ - static struct target_type multipath_target = { - .name = "multipath", -- .version = {1, 5, 0}, -+ .version = {1, 5, 1}, - .module = THIS_MODULE, - .ctr = multipath_ctr, - .dtr = multipath_dtr, -diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c -index 9e58dbd..5a578d8 100644 ---- a/drivers/md/dm-raid.c -+++ b/drivers/md/dm-raid.c -@@ -1201,8 +1201,8 @@ static int raid_map(struct dm_target *ti, struct bio *bio) - return DM_MAPIO_SUBMITTED; - } - --static int raid_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void raid_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct raid_set *rs = ti->private; - unsigned raid_param_cnt = 1; /* at least 1 for chunksize */ -@@ -1344,8 +1344,6 @@ static int raid_status(struct dm_target *ti, status_type_t type, - DMEMIT(" -"); - } - } -- 
-- return 0; - } - - static int raid_iterate_devices(struct dm_target *ti, iterate_devices_callout_fn fn, void *data) -@@ -1405,7 +1403,7 @@ static void raid_resume(struct dm_target *ti) - - static struct target_type raid_target = { - .name = "raid", -- .version = {1, 4, 1}, -+ .version = {1, 4, 2}, - .module = THIS_MODULE, - .ctr = raid_ctr, - .dtr = raid_dtr, -diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index fa51918..7f24190 100644 ---- a/drivers/md/dm-raid1.c -+++ b/drivers/md/dm-raid1.c -@@ -1347,8 +1347,8 @@ static char device_status_char(struct mirror *m) - } - - --static int mirror_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void mirror_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - unsigned int m, sz = 0; - struct mirror_set *ms = (struct mirror_set *) ti->private; -@@ -1383,8 +1383,6 @@ static int mirror_status(struct dm_target *ti, status_type_t type, - if (ms->features & DM_RAID1_HANDLE_ERRORS) - DMEMIT(" 1 handle_errors"); - } -- -- return 0; - } - - static int mirror_iterate_devices(struct dm_target *ti, -@@ -1403,7 +1401,7 @@ static int mirror_iterate_devices(struct dm_target *ti, - - static struct target_type mirror_target = { - .name = "mirror", -- .version = {1, 13, 1}, -+ .version = {1, 13, 2}, - .module = THIS_MODULE, - .ctr = mirror_ctr, - .dtr = mirror_dtr, -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c -index 59fc18a..df74f9f 100644 ---- a/drivers/md/dm-snap.c -+++ b/drivers/md/dm-snap.c -@@ -1837,8 +1837,8 @@ static void snapshot_merge_resume(struct dm_target *ti) - start_merge(s); - } - --static int snapshot_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void snapshot_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - unsigned sz = 0; - struct 
dm_snapshot *snap = ti->private; -@@ -1884,8 +1884,6 @@ static int snapshot_status(struct dm_target *ti, status_type_t type, - maxlen - sz); - break; - } -- -- return 0; - } - - static int snapshot_iterate_devices(struct dm_target *ti, -@@ -2139,8 +2137,8 @@ static void origin_resume(struct dm_target *ti) - ti->max_io_len = get_origin_minimum_chunksize(dev->bdev); - } - --static int origin_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void origin_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct dm_dev *dev = ti->private; - -@@ -2153,8 +2151,6 @@ static int origin_status(struct dm_target *ti, status_type_t type, - snprintf(result, maxlen, "%s", dev->name); - break; - } -- -- return 0; - } - - static int origin_merge(struct dm_target *ti, struct bvec_merge_data *bvm, -@@ -2181,7 +2177,7 @@ static int origin_iterate_devices(struct dm_target *ti, - - static struct target_type origin_target = { - .name = "snapshot-origin", -- .version = {1, 8, 0}, -+ .version = {1, 8, 1}, - .module = THIS_MODULE, - .ctr = origin_ctr, - .dtr = origin_dtr, -@@ -2194,7 +2190,7 @@ static struct target_type origin_target = { - - static struct target_type snapshot_target = { - .name = "snapshot", -- .version = {1, 11, 0}, -+ .version = {1, 11, 1}, - .module = THIS_MODULE, - .ctr = snapshot_ctr, - .dtr = snapshot_dtr, -@@ -2307,3 +2303,5 @@ module_exit(dm_snapshot_exit); - MODULE_DESCRIPTION(DM_NAME " snapshot target"); - MODULE_AUTHOR("Joe Thornber"); - MODULE_LICENSE("GPL"); -+MODULE_ALIAS("dm-snapshot-origin"); -+MODULE_ALIAS("dm-snapshot-merge"); -diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c -index c89cde8..aaecefa 100644 ---- a/drivers/md/dm-stripe.c -+++ b/drivers/md/dm-stripe.c -@@ -312,8 +312,8 @@ static int stripe_map(struct dm_target *ti, struct bio *bio) - * - */ - --static int stripe_status(struct dm_target *ti, status_type_t 
type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void stripe_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct stripe_c *sc = (struct stripe_c *) ti->private; - char buffer[sc->stripes + 1]; -@@ -340,7 +340,6 @@ static int stripe_status(struct dm_target *ti, status_type_t type, - (unsigned long long)sc->stripe[i].physical_start); - break; - } -- return 0; - } - - static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error) -@@ -428,7 +427,7 @@ static int stripe_merge(struct dm_target *ti, struct bvec_merge_data *bvm, - - static struct target_type stripe_target = { - .name = "striped", -- .version = {1, 5, 0}, -+ .version = {1, 5, 1}, - .module = THIS_MODULE, - .ctr = stripe_ctr, - .dtr = stripe_dtr, -diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c -index 5409607..7a66d73 100644 ---- a/drivers/md/dm-thin.c -+++ b/drivers/md/dm-thin.c -@@ -2299,8 +2299,8 @@ static void emit_flags(struct pool_features *pf, char *result, - * <transaction id> <used metadata sectors>/<total metadata sectors> - * <used data sectors>/<total data sectors> <held metadata root> - */ --static int pool_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void pool_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - int r; - unsigned sz = 0; -@@ -2326,32 +2326,41 @@ static int pool_status(struct dm_target *ti, status_type_t type, - if (!(status_flags & DM_STATUS_NOFLUSH_FLAG) && !dm_suspended(ti)) - (void) commit_or_fallback(pool); - -- r = dm_pool_get_metadata_transaction_id(pool->pmd, -- &transaction_id); -- if (r) -- return r; -+ r = dm_pool_get_metadata_transaction_id(pool->pmd, &transaction_id); -+ if (r) { -+ DMERR("dm_pool_get_metadata_transaction_id returned %d", r); -+ goto err; -+ } - -- r = dm_pool_get_free_metadata_block_count(pool->pmd, -- 
&nr_free_blocks_metadata); -- if (r) -- return r; -+ r = dm_pool_get_free_metadata_block_count(pool->pmd, &nr_free_blocks_metadata); -+ if (r) { -+ DMERR("dm_pool_get_free_metadata_block_count returned %d", r); -+ goto err; -+ } - - r = dm_pool_get_metadata_dev_size(pool->pmd, &nr_blocks_metadata); -- if (r) -- return r; -+ if (r) { -+ DMERR("dm_pool_get_metadata_dev_size returned %d", r); -+ goto err; -+ } - -- r = dm_pool_get_free_block_count(pool->pmd, -- &nr_free_blocks_data); -- if (r) -- return r; -+ r = dm_pool_get_free_block_count(pool->pmd, &nr_free_blocks_data); -+ if (r) { -+ DMERR("dm_pool_get_free_block_count returned %d", r); -+ goto err; -+ } - - r = dm_pool_get_data_dev_size(pool->pmd, &nr_blocks_data); -- if (r) -- return r; -+ if (r) { -+ DMERR("dm_pool_get_data_dev_size returned %d", r); -+ goto err; -+ } - - r = dm_pool_get_metadata_snap(pool->pmd, &held_root); -- if (r) -- return r; -+ if (r) { -+ DMERR("dm_pool_get_metadata_snap returned %d", r); -+ goto err; -+ } - - DMEMIT("%llu %llu/%llu %llu/%llu ", - (unsigned long long)transaction_id, -@@ -2388,8 +2397,10 @@ static int pool_status(struct dm_target *ti, status_type_t type, - emit_flags(&pt->requested_pf, result, sz, maxlen); - break; - } -+ return; - -- return 0; -+err: -+ DMEMIT("Error"); - } - - static int pool_iterate_devices(struct dm_target *ti, -@@ -2468,7 +2479,7 @@ static struct target_type pool_target = { - .name = "thin-pool", - .features = DM_TARGET_SINGLETON | DM_TARGET_ALWAYS_WRITEABLE | - DM_TARGET_IMMUTABLE, -- .version = {1, 6, 0}, -+ .version = {1, 6, 1}, - .module = THIS_MODULE, - .ctr = pool_ctr, - .dtr = pool_dtr, -@@ -2676,8 +2687,8 @@ static void thin_postsuspend(struct dm_target *ti) - /* - * <nr mapped sectors> <highest mapped sector> - */ --static int thin_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void thin_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char 
*result, unsigned maxlen) - { - int r; - ssize_t sz = 0; -@@ -2687,7 +2698,7 @@ static int thin_status(struct dm_target *ti, status_type_t type, - - if (get_pool_mode(tc->pool) == PM_FAIL) { - DMEMIT("Fail"); -- return 0; -+ return; - } - - if (!tc->td) -@@ -2696,12 +2707,16 @@ static int thin_status(struct dm_target *ti, status_type_t type, - switch (type) { - case STATUSTYPE_INFO: - r = dm_thin_get_mapped_count(tc->td, &mapped); -- if (r) -- return r; -+ if (r) { -+ DMERR("dm_thin_get_mapped_count returned %d", r); -+ goto err; -+ } - - r = dm_thin_get_highest_mapped_block(tc->td, &highest); -- if (r < 0) -- return r; -+ if (r < 0) { -+ DMERR("dm_thin_get_highest_mapped_block returned %d", r); -+ goto err; -+ } - - DMEMIT("%llu ", mapped * tc->pool->sectors_per_block); - if (r) -@@ -2721,7 +2736,10 @@ static int thin_status(struct dm_target *ti, status_type_t type, - } - } - -- return 0; -+ return; -+ -+err: -+ DMEMIT("Error"); - } - - static int thin_iterate_devices(struct dm_target *ti, -@@ -2748,7 +2766,7 @@ static int thin_iterate_devices(struct dm_target *ti, - - static struct target_type thin_target = { - .name = "thin", -- .version = {1, 7, 0}, -+ .version = {1, 7, 1}, - .module = THIS_MODULE, - .ctr = thin_ctr, - .dtr = thin_dtr, -diff --git a/drivers/md/dm-verity.c b/drivers/md/dm-verity.c -index 52cde98..6ad5383 100644 ---- a/drivers/md/dm-verity.c -+++ b/drivers/md/dm-verity.c -@@ -508,8 +508,8 @@ static int verity_map(struct dm_target *ti, struct bio *bio) - /* - * Status: V (valid) or C (corruption found) - */ --static int verity_status(struct dm_target *ti, status_type_t type, -- unsigned status_flags, char *result, unsigned maxlen) -+static void verity_status(struct dm_target *ti, status_type_t type, -+ unsigned status_flags, char *result, unsigned maxlen) - { - struct dm_verity *v = ti->private; - unsigned sz = 0; -@@ -540,8 +540,6 @@ static int verity_status(struct dm_target *ti, status_type_t type, - DMEMIT("%02x", v->salt[x]); - break; - } -- 
-- return 0; - } - - static int verity_ioctl(struct dm_target *ti, unsigned cmd, -@@ -860,7 +858,7 @@ bad: - - static struct target_type verity_target = { - .name = "verity", -- .version = {1, 1, 0}, -+ .version = {1, 1, 1}, - .module = THIS_MODULE, - .ctr = verity_ctr, - .dtr = verity_dtr, -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 314a0e2..0d8f086 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -1973,15 +1973,27 @@ static void __bind_mempools(struct mapped_device *md, struct dm_table *t) - { - struct dm_md_mempools *p = dm_table_get_md_mempools(t); - -- if (md->io_pool && (md->tio_pool || dm_table_get_type(t) == DM_TYPE_BIO_BASED) && md->bs) { -- /* -- * The md already has necessary mempools. Reload just the -- * bioset because front_pad may have changed because -- * a different table was loaded. -- */ -- bioset_free(md->bs); -- md->bs = p->bs; -- p->bs = NULL; -+ if (md->io_pool && md->bs) { -+ /* The md already has necessary mempools. */ -+ if (dm_table_get_type(t) == DM_TYPE_BIO_BASED) { -+ /* -+ * Reload bioset because front_pad may have changed -+ * because a different table was loaded. -+ */ -+ bioset_free(md->bs); -+ md->bs = p->bs; -+ p->bs = NULL; -+ } else if (dm_table_get_type(t) == DM_TYPE_REQUEST_BASED) { -+ BUG_ON(!md->tio_pool); -+ /* -+ * There's no need to reload with request-based dm -+ * because the size of front_pad doesn't change. -+ * Note for future: If you are to reload bioset, -+ * prep-ed requests in the queue may refer -+ * to bio from the old bioset, so you must walk -+ * through the queue to unprep. 
-+ */ -+ } - goto out; - } - -@@ -2421,7 +2433,7 @@ static void dm_queue_flush(struct mapped_device *md) - */ - struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table) - { -- struct dm_table *live_map, *map = ERR_PTR(-EINVAL); -+ struct dm_table *live_map = NULL, *map = ERR_PTR(-EINVAL); - struct queue_limits limits; - int r; - -@@ -2444,10 +2456,12 @@ struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table) - dm_table_put(live_map); - } - -- r = dm_calculate_queue_limits(table, &limits); -- if (r) { -- map = ERR_PTR(r); -- goto out; -+ if (!live_map) { -+ r = dm_calculate_queue_limits(table, &limits); -+ if (r) { -+ map = ERR_PTR(r); -+ goto out; -+ } - } - - map = __bind(md, table, &limits); -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 3db3d1b..f363135 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -307,6 +307,10 @@ static void md_make_request(struct request_queue *q, struct bio *bio) - bio_io_error(bio); - return; - } -+ if (mddev->ro == 1 && unlikely(rw == WRITE)) { -+ bio_endio(bio, bio_sectors(bio) == 0 ? 
0 : -EROFS); -+ return; -+ } - smp_rmb(); /* Ensure implications of 'active' are visible */ - rcu_read_lock(); - if (mddev->suspended) { -@@ -2994,6 +2998,9 @@ rdev_size_store(struct md_rdev *rdev, const char *buf, size_t len) - } else if (!sectors) - sectors = (i_size_read(rdev->bdev->bd_inode) >> 9) - - rdev->data_offset; -+ if (!my_mddev->pers->resize) -+ /* Cannot change size for RAID0 or Linear etc */ -+ return -EINVAL; - } - if (sectors < my_mddev->dev_sectors) - return -EINVAL; /* component must fit device */ -diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c -index 24b3597..d9babda 100644 ---- a/drivers/md/raid0.c -+++ b/drivers/md/raid0.c -@@ -289,7 +289,7 @@ abort: - kfree(conf->strip_zone); - kfree(conf->devlist); - kfree(conf); -- *private_conf = NULL; -+ *private_conf = ERR_PTR(err); - return err; - } - -@@ -411,7 +411,8 @@ static sector_t raid0_size(struct mddev *mddev, sector_t sectors, int raid_disks - "%s does not support generic reshape\n", __func__); - - rdev_for_each(rdev, mddev) -- array_sectors += rdev->sectors; -+ array_sectors += (rdev->sectors & -+ ~(sector_t)(mddev->chunk_sectors-1)); - - return array_sectors; - } -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index d5bddfc..75b1f89 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -967,6 +967,7 @@ static void raid1_unplug(struct blk_plug_cb *cb, bool from_schedule) - bio_list_merge(&conf->pending_bio_list, &plug->pending); - conf->pending_count += plug->pending_cnt; - spin_unlock_irq(&conf->device_lock); -+ wake_up(&conf->wait_barrier); - md_wakeup_thread(mddev->thread); - kfree(plug); - return; -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 64d4824..8d925dc 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1073,6 +1073,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) - bio_list_merge(&conf->pending_bio_list, &plug->pending); - conf->pending_count += plug->pending_cnt; - spin_unlock_irq(&conf->device_lock); 
-+ wake_up(&conf->wait_barrier); - md_wakeup_thread(mddev->thread); - kfree(plug); - return; -diff --git a/drivers/memstick/host/rtsx_pci_ms.c b/drivers/memstick/host/rtsx_pci_ms.c -index f5ddb82..64a779c 100644 ---- a/drivers/memstick/host/rtsx_pci_ms.c -+++ b/drivers/memstick/host/rtsx_pci_ms.c -@@ -426,6 +426,9 @@ static void rtsx_pci_ms_request(struct memstick_host *msh) - - dev_dbg(ms_dev(host), "--> %s\n", __func__); - -+ if (rtsx_pci_card_exclusive_check(host->pcr, RTSX_MS_CARD)) -+ return; -+ - schedule_work(&host->handle_req); - } - -@@ -441,6 +444,10 @@ static int rtsx_pci_ms_set_param(struct memstick_host *msh, - dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n", - __func__, param, value); - -+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_MS_CARD); -+ if (err) -+ return err; -+ - switch (param) { - case MEMSTICK_POWER: - if (value == MEMSTICK_POWER_ON) -diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c -index 9fc5700..1e2d120 100644 ---- a/drivers/mfd/rtsx_pcr.c -+++ b/drivers/mfd/rtsx_pcr.c -@@ -713,6 +713,25 @@ int rtsx_pci_card_power_off(struct rtsx_pcr *pcr, int card) - } - EXPORT_SYMBOL_GPL(rtsx_pci_card_power_off); - -+int rtsx_pci_card_exclusive_check(struct rtsx_pcr *pcr, int card) -+{ -+ unsigned int cd_mask[] = { -+ [RTSX_SD_CARD] = SD_EXIST, -+ [RTSX_MS_CARD] = MS_EXIST -+ }; -+ -+ if (!pcr->ms_pmos) { -+ /* When using single PMOS, accessing card is not permitted -+ * if the existing card is not the designated one. 
-+ */ -+ if (pcr->card_exist & (~cd_mask[card])) -+ return -EIO; -+ } -+ -+ return 0; -+} -+EXPORT_SYMBOL_GPL(rtsx_pci_card_exclusive_check); -+ - int rtsx_pci_switch_output_voltage(struct rtsx_pcr *pcr, u8 voltage) - { - if (pcr->ops->switch_output_voltage) -@@ -758,7 +777,7 @@ static void rtsx_pci_card_detect(struct work_struct *work) - struct delayed_work *dwork; - struct rtsx_pcr *pcr; - unsigned long flags; -- unsigned int card_detect = 0; -+ unsigned int card_detect = 0, card_inserted, card_removed; - u32 irq_status; - - dwork = to_delayed_work(work); -@@ -766,25 +785,35 @@ static void rtsx_pci_card_detect(struct work_struct *work) - - dev_dbg(&(pcr->pci->dev), "--> %s\n", __func__); - -+ mutex_lock(&pcr->pcr_mutex); - spin_lock_irqsave(&pcr->lock, flags); - - irq_status = rtsx_pci_readl(pcr, RTSX_BIPR); - dev_dbg(&(pcr->pci->dev), "irq_status: 0x%08x\n", irq_status); - -- if (pcr->card_inserted || pcr->card_removed) { -+ irq_status &= CARD_EXIST; -+ card_inserted = pcr->card_inserted & irq_status; -+ card_removed = pcr->card_removed; -+ pcr->card_inserted = 0; -+ pcr->card_removed = 0; -+ -+ spin_unlock_irqrestore(&pcr->lock, flags); -+ -+ if (card_inserted || card_removed) { - dev_dbg(&(pcr->pci->dev), - "card_inserted: 0x%x, card_removed: 0x%x\n", -- pcr->card_inserted, pcr->card_removed); -+ card_inserted, card_removed); - - if (pcr->ops->cd_deglitch) -- pcr->card_inserted = pcr->ops->cd_deglitch(pcr); -+ card_inserted = pcr->ops->cd_deglitch(pcr); -+ -+ card_detect = card_inserted | card_removed; - -- card_detect = pcr->card_inserted | pcr->card_removed; -- pcr->card_inserted = 0; -- pcr->card_removed = 0; -+ pcr->card_exist |= card_inserted; -+ pcr->card_exist &= ~card_removed; - } - -- spin_unlock_irqrestore(&pcr->lock, flags); -+ mutex_unlock(&pcr->pcr_mutex); - - if ((card_detect & SD_EXIST) && pcr->slots[RTSX_SD_CARD].card_event) - pcr->slots[RTSX_SD_CARD].card_event( -@@ -836,10 +865,6 @@ static irqreturn_t rtsx_pci_isr(int irq, void *dev_id) - } - 
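Review bot: rtsx_pci_card_exclusive_check indexes `cd_mask[card]` with the caller's `card` value and no range check, and the function is exported, so a value that is not one of the initialised slots reads outside the table or picks up a zero mask. A guard such as `if (card < 0 || card >= ARRAY_SIZE(cd_mask)) return -EINVAL;` would close that, and the table can be declared `static const unsigned int cd_mask[]` instead of being rebuilt on the stack on every call. `pcr->card_exist` is also read here without `pcr->pcr_mutex`, while the rtsx_pci_card_detect hunk in this file updates it under that mutex. The callers added in rtsx_pci_sdmmc.c run the check before taking the mutex, so the result can be stale by the time the transfer starts; moving the check inside the locked region would avoid that.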
} - -- if (pcr->card_inserted || pcr->card_removed) -- schedule_delayed_work(&pcr->carddet_work, -- msecs_to_jiffies(200)); -- - if (int_reg & (NEED_COMPLETE_INT | DELINK_INT)) { - if (int_reg & (TRANS_FAIL_INT | DELINK_INT)) { - pcr->trans_result = TRANS_RESULT_FAIL; -@@ -852,6 +877,10 @@ static irqreturn_t rtsx_pci_isr(int irq, void *dev_id) - } - } - -+ if (pcr->card_inserted || pcr->card_removed) -+ schedule_delayed_work(&pcr->carddet_work, -+ msecs_to_jiffies(200)); -+ - spin_unlock(&pcr->lock); - return IRQ_HANDLED; - } -@@ -974,6 +1003,14 @@ static int rtsx_pci_init_hw(struct rtsx_pcr *pcr) - return err; - } - -+ /* No CD interrupt if probing driver with card inserted. -+ * So we need to initialize pcr->card_exist here. -+ */ -+ if (pcr->ops->cd_deglitch) -+ pcr->card_exist = pcr->ops->cd_deglitch(pcr); -+ else -+ pcr->card_exist = rtsx_pci_readl(pcr, RTSX_BIPR) & CARD_EXIST; -+ - return 0; - } - -diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c -index f74b5ad..468c923 100644 ---- a/drivers/mmc/host/rtsx_pci_sdmmc.c -+++ b/drivers/mmc/host/rtsx_pci_sdmmc.c -@@ -678,12 +678,19 @@ static void sdmmc_request(struct mmc_host *mmc, struct mmc_request *mrq) - struct mmc_command *cmd = mrq->cmd; - struct mmc_data *data = mrq->data; - unsigned int data_size = 0; -+ int err; - - if (host->eject) { - cmd->error = -ENOMEDIUM; - goto finish; - } - -+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD); -+ if (err) { -+ cmd->error = err; -+ goto finish; -+ } -+ - mutex_lock(&pcr->pcr_mutex); - - rtsx_pci_start_run(pcr); -@@ -901,6 +908,9 @@ static void sdmmc_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) - if (host->eject) - return; - -+ if (rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD)) -+ return; -+ - mutex_lock(&pcr->pcr_mutex); - - rtsx_pci_start_run(pcr); -@@ -1073,6 +1083,10 @@ static int sdmmc_switch_voltage(struct mmc_host *mmc, struct mmc_ios *ios) - if (host->eject) - return -ENOMEDIUM; - -+ err = 
rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD); -+ if (err) -+ return err; -+ - mutex_lock(&pcr->pcr_mutex); - - rtsx_pci_start_run(pcr); -@@ -1122,6 +1136,10 @@ static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode) - if (host->eject) - return -ENOMEDIUM; - -+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD); -+ if (err) -+ return err; -+ - mutex_lock(&pcr->pcr_mutex); - - rtsx_pci_start_run(pcr); -diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c -index bdb0869..f0b38fa 100644 ---- a/drivers/net/ethernet/broadcom/tg3.c -+++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -1843,6 +1843,8 @@ static void tg3_link_report(struct tg3 *tp) - - tg3_ump_link_report(tp); - } -+ -+ tp->link_up = netif_carrier_ok(tp->dev); - } - - static u16 tg3_advert_flowctrl_1000X(u8 flow_ctrl) -@@ -2496,12 +2498,6 @@ static int tg3_phy_reset_5703_4_5(struct tg3 *tp) - return err; - } - --static void tg3_carrier_on(struct tg3 *tp) --{ -- netif_carrier_on(tp->dev); -- tp->link_up = true; --} -- - static void tg3_carrier_off(struct tg3 *tp) - { - netif_carrier_off(tp->dev); -@@ -2527,7 +2523,7 @@ static int tg3_phy_reset(struct tg3 *tp) - return -EBUSY; - - if (netif_running(tp->dev) && tp->link_up) { -- tg3_carrier_off(tp); -+ netif_carrier_off(tp->dev); - tg3_link_report(tp); - } - -@@ -4225,9 +4221,9 @@ static bool tg3_test_and_report_link_chg(struct tg3 *tp, int curr_link_up) - { - if (curr_link_up != tp->link_up) { - if (curr_link_up) { -- tg3_carrier_on(tp); -+ netif_carrier_on(tp->dev); - } else { -- tg3_carrier_off(tp); -+ netif_carrier_off(tp->dev); - if (tp->phy_flags & TG3_PHYFLG_MII_SERDES) - tp->phy_flags &= ~TG3_PHYFLG_PARALLEL_DETECT; - } -diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c -index 643c883..1f93880 100644 ---- a/drivers/net/ethernet/intel/e1000e/netdev.c -+++ b/drivers/net/ethernet/intel/e1000e/netdev.c -@@ -5549,7 +5549,7 @@ static int 
__e1000_shutdown(struct pci_dev *pdev, bool *enable_wake, - */ - e1000e_release_hw_control(adapter); - -- pci_disable_device(pdev); -+ pci_clear_master(pdev); - - return 0; - } -diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c -index 9b73670..6214181 100644 ---- a/drivers/net/usb/smsc95xx.c -+++ b/drivers/net/usb/smsc95xx.c -@@ -1340,6 +1340,8 @@ static int smsc95xx_enter_suspend0(struct usbnet *dev) - ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val); - if (ret < 0) - netdev_warn(dev->net, "Error reading PM_CTRL\n"); -+ else -+ ret = 0; - - return ret; - } -@@ -1392,6 +1394,8 @@ static int smsc95xx_enter_suspend1(struct usbnet *dev) - ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val); - if (ret < 0) - netdev_warn(dev->net, "Error writing PM_CTRL\n"); -+ else -+ ret = 0; - - return ret; - } -@@ -1413,6 +1417,8 @@ static int smsc95xx_enter_suspend2(struct usbnet *dev) - ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val); - if (ret < 0) - netdev_warn(dev->net, "Error writing PM_CTRL\n"); -+ else -+ ret = 0; - - return ret; - } -diff --git a/drivers/net/wireless/ath/ath9k/common.h b/drivers/net/wireless/ath/ath9k/common.h -index 5f845be..050ca4a 100644 ---- a/drivers/net/wireless/ath/ath9k/common.h -+++ b/drivers/net/wireless/ath/ath9k/common.h -@@ -27,7 +27,7 @@ - #define WME_MAX_BA WME_BA_BMP_SIZE - #define ATH_TID_MAX_BUFS (2 * WME_MAX_BA) - --#define ATH_RSSI_DUMMY_MARKER 0x127 -+#define ATH_RSSI_DUMMY_MARKER 127 - #define ATH_RSSI_LPF_LEN 10 - #define RSSI_LPF_THRESHOLD -20 - #define ATH_RSSI_EP_MULTIPLIER (1<<7) -diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h -index 96bfb18..d3b099d 100644 ---- a/drivers/net/wireless/ath/ath9k/htc.h -+++ b/drivers/net/wireless/ath/ath9k/htc.h -@@ -22,6 +22,7 @@ - #include <linux/firmware.h> - #include <linux/skbuff.h> - #include <linux/netdevice.h> -+#include <linux/etherdevice.h> - #include <linux/leds.h> - #include <linux/slab.h> - #include <net/mac80211.h> -diff --git 
a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c -index b6a5a08..8788621 100644 ---- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c -+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c -@@ -1067,15 +1067,19 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, - - last_rssi = priv->rx.last_rssi; - -- if (likely(last_rssi != ATH_RSSI_DUMMY_MARKER)) -- rxbuf->rxstatus.rs_rssi = ATH_EP_RND(last_rssi, -- ATH_RSSI_EP_MULTIPLIER); -+ if (ieee80211_is_beacon(hdr->frame_control) && -+ !is_zero_ether_addr(common->curbssid) && -+ ether_addr_equal(hdr->addr3, common->curbssid)) { -+ s8 rssi = rxbuf->rxstatus.rs_rssi; - -- if (rxbuf->rxstatus.rs_rssi < 0) -- rxbuf->rxstatus.rs_rssi = 0; -+ if (likely(last_rssi != ATH_RSSI_DUMMY_MARKER)) -+ rssi = ATH_EP_RND(last_rssi, ATH_RSSI_EP_MULTIPLIER); - -- if (ieee80211_is_beacon(fc)) -- priv->ah->stats.avgbrssi = rxbuf->rxstatus.rs_rssi; -+ if (rssi < 0) -+ rssi = 0; -+ -+ priv->ah->stats.avgbrssi = rssi; -+ } - - rx_status->mactime = be64_to_cpu(rxbuf->rxstatus.rs_tstamp); - rx_status->band = hw->conf.channel->band; -diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c -index 7cb7870..e26f92d 100644 ---- a/drivers/net/wireless/ath/ath9k/hw.c -+++ b/drivers/net/wireless/ath/ath9k/hw.c -@@ -1480,7 +1480,9 @@ static bool ath9k_hw_chip_reset(struct ath_hw *ah, - reset_type = ATH9K_RESET_POWER_ON; - else - reset_type = ATH9K_RESET_COLD; -- } -+ } else if (ah->chip_fullsleep || REG_READ(ah, AR_Q_TXE) || -+ (REG_READ(ah, AR_CR) & AR_CR_RXE)) -+ reset_type = ATH9K_RESET_COLD; - - if (!ath9k_hw_set_reset_reg(ah, reset_type)) - return false; -diff --git a/drivers/net/wireless/iwlwifi/iwl-devtrace.h b/drivers/net/wireless/iwlwifi/iwl-devtrace.h -index dc7e26b..c85eb37 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-devtrace.h -+++ b/drivers/net/wireless/iwlwifi/iwl-devtrace.h -@@ -349,25 +349,23 @@ TRACE_EVENT(iwlwifi_dev_rx_data, - 
TRACE_EVENT(iwlwifi_dev_hcmd, - TP_PROTO(const struct device *dev, - struct iwl_host_cmd *cmd, u16 total_size, -- const void *hdr, size_t hdr_len), -- TP_ARGS(dev, cmd, total_size, hdr, hdr_len), -+ struct iwl_cmd_header *hdr), -+ TP_ARGS(dev, cmd, total_size, hdr), - TP_STRUCT__entry( - DEV_ENTRY - __dynamic_array(u8, hcmd, total_size) - __field(u32, flags) - ), - TP_fast_assign( -- int i, offset = hdr_len; -+ int i, offset = sizeof(*hdr); - - DEV_ASSIGN; - __entry->flags = cmd->flags; -- memcpy(__get_dynamic_array(hcmd), hdr, hdr_len); -+ memcpy(__get_dynamic_array(hcmd), hdr, sizeof(*hdr)); - - for (i = 0; i < IWL_MAX_CMD_TFDS; i++) { - if (!cmd->len[i]) - continue; -- if (!(cmd->dataflags[i] & IWL_HCMD_DFL_NOCOPY)) -- continue; - memcpy((u8 *)__get_dynamic_array(hcmd) + offset, - cmd->data[i], cmd->len[i]); - offset += cmd->len[i]; -diff --git a/drivers/net/wireless/iwlwifi/pcie/internal.h b/drivers/net/wireless/iwlwifi/pcie/internal.h -index d91d2e8..bc5e9ec 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/internal.h -+++ b/drivers/net/wireless/iwlwifi/pcie/internal.h -@@ -182,6 +182,15 @@ struct iwl_queue { - #define TFD_TX_CMD_SLOTS 256 - #define TFD_CMD_SLOTS 32 - -+/* -+ * The FH will write back to the first TB only, so we need -+ * to copy some data into the buffer regardless of whether -+ * it should be mapped or not. This indicates how much to -+ * copy, even for HCMDs it must be big enough to fit the -+ * DRAM scratch from the TX cmd, at least 16 bytes. 
-+ */ -+#define IWL_HCMD_MIN_COPY_SIZE 16 -+ - struct iwl_pcie_txq_entry { - struct iwl_device_cmd *cmd; - struct iwl_device_cmd *copy_cmd; -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index 6c5b867..c6cd922 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -1131,10 +1131,12 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - void *dup_buf = NULL; - dma_addr_t phys_addr; - int idx; -- u16 copy_size, cmd_size; -+ u16 copy_size, cmd_size, dma_size; - bool had_nocopy = false; - int i; - u32 cmd_pos; -+ const u8 *cmddata[IWL_MAX_CMD_TFDS]; -+ u16 cmdlen[IWL_MAX_CMD_TFDS]; - - copy_size = sizeof(out_cmd->hdr); - cmd_size = sizeof(out_cmd->hdr); -@@ -1143,8 +1145,23 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - BUILD_BUG_ON(IWL_MAX_CMD_TFDS > IWL_NUM_OF_TBS - 1); - - for (i = 0; i < IWL_MAX_CMD_TFDS; i++) { -+ cmddata[i] = cmd->data[i]; -+ cmdlen[i] = cmd->len[i]; -+ - if (!cmd->len[i]) - continue; -+ -+ /* need at least IWL_HCMD_MIN_COPY_SIZE copied */ -+ if (copy_size < IWL_HCMD_MIN_COPY_SIZE) { -+ int copy = IWL_HCMD_MIN_COPY_SIZE - copy_size; -+ -+ if (copy > cmdlen[i]) -+ copy = cmdlen[i]; -+ cmdlen[i] -= copy; -+ cmddata[i] += copy; -+ copy_size += copy; -+ } -+ - if (cmd->dataflags[i] & IWL_HCMD_DFL_NOCOPY) { - had_nocopy = true; - if (WARN_ON(cmd->dataflags[i] & IWL_HCMD_DFL_DUP)) { -@@ -1164,7 +1181,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - goto free_dup_buf; - } - -- dup_buf = kmemdup(cmd->data[i], cmd->len[i], -+ dup_buf = kmemdup(cmddata[i], cmdlen[i], - GFP_ATOMIC); - if (!dup_buf) - return -ENOMEM; -@@ -1174,7 +1191,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - idx = -EINVAL; - goto free_dup_buf; - } -- copy_size += cmd->len[i]; -+ copy_size += cmdlen[i]; - } - cmd_size += cmd->len[i]; - } -@@ -1221,14 +1238,31 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - - /* and copy 
the data that needs to be copied */ - cmd_pos = offsetof(struct iwl_device_cmd, payload); -+ copy_size = sizeof(out_cmd->hdr); - for (i = 0; i < IWL_MAX_CMD_TFDS; i++) { -- if (!cmd->len[i]) -+ int copy = 0; -+ -+ if (!cmd->len) - continue; -- if (cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY | -- IWL_HCMD_DFL_DUP)) -- break; -- memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], cmd->len[i]); -- cmd_pos += cmd->len[i]; -+ -+ /* need at least IWL_HCMD_MIN_COPY_SIZE copied */ -+ if (copy_size < IWL_HCMD_MIN_COPY_SIZE) { -+ copy = IWL_HCMD_MIN_COPY_SIZE - copy_size; -+ -+ if (copy > cmd->len[i]) -+ copy = cmd->len[i]; -+ } -+ -+ /* copy everything if not nocopy/dup */ -+ if (!(cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY | -+ IWL_HCMD_DFL_DUP))) -+ copy = cmd->len[i]; -+ -+ if (copy) { -+ memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy); -+ cmd_pos += copy; -+ copy_size += copy; -+ } - } - - WARN_ON_ONCE(txq->entries[idx].copy_cmd); -@@ -1254,7 +1288,14 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - out_cmd->hdr.cmd, le16_to_cpu(out_cmd->hdr.sequence), - cmd_size, q->write_ptr, idx, trans_pcie->cmd_queue); - -- phys_addr = dma_map_single(trans->dev, &out_cmd->hdr, copy_size, -+ /* -+ * If the entire command is smaller than IWL_HCMD_MIN_COPY_SIZE, we must -+ * still map at least that many bytes for the hardware to write back to. -+ * We have enough space, so that's not a problem. 
-+ */ -+ dma_size = max_t(u16, copy_size, IWL_HCMD_MIN_COPY_SIZE); -+ -+ phys_addr = dma_map_single(trans->dev, &out_cmd->hdr, dma_size, - DMA_BIDIRECTIONAL); - if (unlikely(dma_mapping_error(trans->dev, phys_addr))) { - idx = -ENOMEM; -@@ -1262,14 +1303,15 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - } - - dma_unmap_addr_set(out_meta, mapping, phys_addr); -- dma_unmap_len_set(out_meta, len, copy_size); -+ dma_unmap_len_set(out_meta, len, dma_size); - - iwl_pcie_txq_build_tfd(trans, txq, phys_addr, copy_size, 1); - -+ /* map the remaining (adjusted) nocopy/dup fragments */ - for (i = 0; i < IWL_MAX_CMD_TFDS; i++) { -- const void *data = cmd->data[i]; -+ const void *data = cmddata[i]; - -- if (!cmd->len[i]) -+ if (!cmdlen[i]) - continue; - if (!(cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY | - IWL_HCMD_DFL_DUP))) -@@ -1277,7 +1319,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - if (cmd->dataflags[i] & IWL_HCMD_DFL_DUP) - data = dup_buf; - phys_addr = dma_map_single(trans->dev, (void *)data, -- cmd->len[i], DMA_BIDIRECTIONAL); -+ cmdlen[i], DMA_BIDIRECTIONAL); - if (dma_mapping_error(trans->dev, phys_addr)) { - iwl_pcie_tfd_unmap(trans, out_meta, - &txq->tfds[q->write_ptr], -@@ -1286,7 +1328,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - goto out; - } - -- iwl_pcie_txq_build_tfd(trans, txq, phys_addr, cmd->len[i], 0); -+ iwl_pcie_txq_build_tfd(trans, txq, phys_addr, cmdlen[i], 0); - } - - out_meta->flags = cmd->flags; -@@ -1296,8 +1338,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans, - - txq->need_update = 1; - -- trace_iwlwifi_dev_hcmd(trans->dev, cmd, cmd_size, -- &out_cmd->hdr, copy_size); -+ trace_iwlwifi_dev_hcmd(trans->dev, cmd, cmd_size, &out_cmd->hdr); - - /* start timer if queue currently empty */ - if (q->read_ptr == q->write_ptr && trans_pcie->wd_timeout) -diff --git a/drivers/net/wireless/libertas/if_sdio.c b/drivers/net/wireless/libertas/if_sdio.c -index 739309e..4557833 100644 ---- 
a/drivers/net/wireless/libertas/if_sdio.c -+++ b/drivers/net/wireless/libertas/if_sdio.c -@@ -825,6 +825,11 @@ static void if_sdio_finish_power_on(struct if_sdio_card *card) - - sdio_release_host(func); - -+ /* Set fw_ready before queuing any commands so that -+ * lbs_thread won't block from sending them to firmware. -+ */ -+ priv->fw_ready = 1; -+ - /* - * FUNC_INIT is required for SD8688 WLAN/BT multiple functions - */ -@@ -839,7 +844,6 @@ static void if_sdio_finish_power_on(struct if_sdio_card *card) - netdev_alert(priv->dev, "CMD_FUNC_INIT cmd failed\n"); - } - -- priv->fw_ready = 1; - wake_up(&card->pwron_waitq); - - if (!card->started) { -diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c -index b879e13..0bbea88 100644 ---- a/drivers/net/wireless/mwifiex/pcie.c -+++ b/drivers/net/wireless/mwifiex/pcie.c -@@ -291,7 +291,7 @@ static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter) - i++; - usleep_range(10, 20); - /* 50ms max wait */ -- if (i == 50000) -+ if (i == 5000) - break; - } - -diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c -index afed701..684ce75 100644 ---- a/drivers/platform/x86/acer-wmi.c -+++ b/drivers/platform/x86/acer-wmi.c -@@ -1204,6 +1204,9 @@ static acpi_status WMID_set_capabilities(void) - devices = *((u32 *) obj->buffer.pointer); - } else if (obj->type == ACPI_TYPE_INTEGER) { - devices = (u32) obj->integer.value; -+ } else { -+ kfree(out.pointer); -+ return AE_ERROR; - } - } else { - kfree(out.pointer); -diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c -index b8ad71f..0fe987f 100644 ---- a/drivers/platform/x86/sony-laptop.c -+++ b/drivers/platform/x86/sony-laptop.c -@@ -1534,7 +1534,7 @@ static int sony_nc_rfkill_set(void *data, bool blocked) - int argument = sony_rfkill_address[(long) data] + 0x100; - - if (!blocked) -- argument |= 0x030000; -+ argument |= 0x070000; - - return sony_call_snc_handle(sony_rfkill_handle, argument, 
&result); - } -diff --git a/drivers/rtc/rtc-mv.c b/drivers/rtc/rtc-mv.c -index 57233c8..8f87fec 100644 ---- a/drivers/rtc/rtc-mv.c -+++ b/drivers/rtc/rtc-mv.c -@@ -14,6 +14,7 @@ - #include <linux/platform_device.h> - #include <linux/of.h> - #include <linux/delay.h> -+#include <linux/clk.h> - #include <linux/gfp.h> - #include <linux/module.h> - -@@ -41,6 +42,7 @@ struct rtc_plat_data { - struct rtc_device *rtc; - void __iomem *ioaddr; - int irq; -+ struct clk *clk; - }; - - static int mv_rtc_set_time(struct device *dev, struct rtc_time *tm) -@@ -221,6 +223,7 @@ static int mv_rtc_probe(struct platform_device *pdev) - struct rtc_plat_data *pdata; - resource_size_t size; - u32 rtc_time; -+ int ret = 0; - - res = platform_get_resource(pdev, IORESOURCE_MEM, 0); - if (!res) -@@ -239,11 +242,17 @@ static int mv_rtc_probe(struct platform_device *pdev) - if (!pdata->ioaddr) - return -ENOMEM; - -+ pdata->clk = devm_clk_get(&pdev->dev, NULL); -+ /* Not all SoCs require a clock.*/ -+ if (!IS_ERR(pdata->clk)) -+ clk_prepare_enable(pdata->clk); -+ - /* make sure the 24 hours mode is enabled */ - rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS); - if (rtc_time & RTC_HOURS_12H_MODE) { - dev_err(&pdev->dev, "24 Hours mode not supported.\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto out; - } - - /* make sure it is actually functional */ -@@ -252,7 +261,8 @@ static int mv_rtc_probe(struct platform_device *pdev) - rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS); - if (rtc_time == 0x01000000) { - dev_err(&pdev->dev, "internal RTC not ticking\n"); -- return -ENODEV; -+ ret = -ENODEV; -+ goto out; - } - } - -@@ -268,8 +278,10 @@ static int mv_rtc_probe(struct platform_device *pdev) - } else - pdata->rtc = rtc_device_register(pdev->name, &pdev->dev, - &mv_rtc_ops, THIS_MODULE); -- if (IS_ERR(pdata->rtc)) -- return PTR_ERR(pdata->rtc); -+ if (IS_ERR(pdata->rtc)) { -+ ret = PTR_ERR(pdata->rtc); -+ goto out; -+ } - - if (pdata->irq >= 0) { - writel(0, pdata->ioaddr + 
RTC_ALARM_INTERRUPT_MASK_REG_OFFS); -@@ -282,6 +294,11 @@ static int mv_rtc_probe(struct platform_device *pdev) - } - - return 0; -+out: -+ if (!IS_ERR(pdata->clk)) -+ clk_disable_unprepare(pdata->clk); -+ -+ return ret; - } - - static int __exit mv_rtc_remove(struct platform_device *pdev) -@@ -292,6 +309,9 @@ static int __exit mv_rtc_remove(struct platform_device *pdev) - device_init_wakeup(&pdev->dev, 0); - - rtc_device_unregister(pdata->rtc); -+ if (!IS_ERR(pdata->clk)) -+ clk_disable_unprepare(pdata->clk); -+ - return 0; - } - -diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c -index 865c64f..fed486bf 100644 ---- a/drivers/scsi/dc395x.c -+++ b/drivers/scsi/dc395x.c -@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb, - dcb->max_command = 1; - dcb->target_id = target; - dcb->target_lun = lun; -+ dcb->dev_mode = eeprom->target[target].cfg0; - #ifndef DC395x_NO_DISCONNECT - dcb->identify_msg = - IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun); - #else - dcb->identify_msg = IDENTIFY(0, lun); - #endif -- dcb->dev_mode = eeprom->target[target].cfg0; - dcb->inquiry7 = 0; - dcb->sync_mode = 0; - dcb->min_nego_period = clock_period[period_index]; -diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c -index 0144078..9f4e560 100644 ---- a/drivers/scsi/storvsc_drv.c -+++ b/drivers/scsi/storvsc_drv.c -@@ -467,6 +467,7 @@ static struct scatterlist *create_bounce_buffer(struct scatterlist *sgl, - if (!bounce_sgl) - return NULL; - -+ sg_init_table(bounce_sgl, num_pages); - for (i = 0; i < num_pages; i++) { - page_buf = alloc_page(GFP_ATOMIC); - if (!page_buf) -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 339f97f..42a2bf7 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -3570,6 +3570,10 @@ check_rsp_state: - spin_lock_bh(&cmd->istate_lock); - cmd->i_state = ISTATE_SENT_STATUS; - spin_unlock_bh(&cmd->istate_lock); -+ 
-+ if (atomic_read(&conn->check_immediate_queue)) -+ return 1; -+ - continue; - } else if (ret == 2) { - /* Still must send status, -@@ -3659,7 +3663,7 @@ check_rsp_state: - } - - if (atomic_read(&conn->check_immediate_queue)) -- break; -+ return 1; - } - - return 0; -@@ -3703,12 +3707,15 @@ restart: - signal_pending(current)) - goto transport_err; - -+get_immediate: - ret = handle_immediate_queue(conn); - if (ret < 0) - goto transport_err; - - ret = handle_response_queue(conn); -- if (ret == -EAGAIN) -+ if (ret == 1) -+ goto get_immediate; -+ else if (ret == -EAGAIN) - goto restart; - else if (ret < 0) - goto transport_err; -diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c -index 2bcfd79..55b9530 100644 ---- a/drivers/target/target_core_pscsi.c -+++ b/drivers/target/target_core_pscsi.c -@@ -940,7 +940,6 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, - bio = NULL; - } - -- page++; - len -= bytes; - data_len -= bytes; - off = 0; -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index cbf7168..2a89588 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -2538,70 +2538,35 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, - if ((portstatus & USB_PORT_STAT_RESET)) - goto delay; - -- /* -- * Some buggy devices require a warm reset to be issued even -- * when the port appears not to be connected. -+ if (hub_port_warm_reset_required(hub, portstatus)) -+ return -ENOTCONN; -+ -+ /* Device went away? */ -+ if (!(portstatus & USB_PORT_STAT_CONNECTION)) -+ return -ENOTCONN; -+ -+ /* bomb out completely if the connection bounced. A USB 3.0 -+ * connection may bounce if multiple warm resets were issued, -+ * but the device may have successfully re-connected. Ignore it. - */ -- if (!warm) { -- /* -- * Some buggy devices can cause an NEC host controller -- * to transition to the "Error" state after a hot port -- * reset. 
This will show up as the port state in -- * "Inactive", and the port may also report a -- * disconnect. Forcing a warm port reset seems to make -- * the device work. -- * -- * See https://bugzilla.kernel.org/show_bug.cgi?id=41752 -- */ -- if (hub_port_warm_reset_required(hub, portstatus)) { -- int ret; -- -- if ((portchange & USB_PORT_STAT_C_CONNECTION)) -- clear_port_feature(hub->hdev, port1, -- USB_PORT_FEAT_C_CONNECTION); -- if (portchange & USB_PORT_STAT_C_LINK_STATE) -- clear_port_feature(hub->hdev, port1, -- USB_PORT_FEAT_C_PORT_LINK_STATE); -- if (portchange & USB_PORT_STAT_C_RESET) -- clear_port_feature(hub->hdev, port1, -- USB_PORT_FEAT_C_RESET); -- dev_dbg(hub->intfdev, "hot reset failed, warm reset port %d\n", -- port1); -- ret = hub_port_reset(hub, port1, -- udev, HUB_BH_RESET_TIME, -- true); -- if ((portchange & USB_PORT_STAT_C_CONNECTION)) -- clear_port_feature(hub->hdev, port1, -- USB_PORT_FEAT_C_CONNECTION); -- return ret; -- } -- /* Device went away? */ -- if (!(portstatus & USB_PORT_STAT_CONNECTION)) -- return -ENOTCONN; -- -- /* bomb out completely if the connection bounced */ -- if ((portchange & USB_PORT_STAT_C_CONNECTION)) -- return -ENOTCONN; -- -- if ((portstatus & USB_PORT_STAT_ENABLE)) { -- if (hub_is_wusb(hub)) -- udev->speed = USB_SPEED_WIRELESS; -- else if (hub_is_superspeed(hub->hdev)) -- udev->speed = USB_SPEED_SUPER; -- else if (portstatus & USB_PORT_STAT_HIGH_SPEED) -- udev->speed = USB_SPEED_HIGH; -- else if (portstatus & USB_PORT_STAT_LOW_SPEED) -- udev->speed = USB_SPEED_LOW; -- else -- udev->speed = USB_SPEED_FULL; -+ if (!hub_is_superspeed(hub->hdev) && -+ (portchange & USB_PORT_STAT_C_CONNECTION)) -+ return -ENOTCONN; -+ -+ if ((portstatus & USB_PORT_STAT_ENABLE)) { -+ if (!udev) - return 0; -- } -- } else { -- if (!(portstatus & USB_PORT_STAT_CONNECTION) || -- hub_port_warm_reset_required(hub, -- portstatus)) -- return -ENOTCONN; - -+ if (hub_is_wusb(hub)) -+ udev->speed = USB_SPEED_WIRELESS; -+ else if 
(hub_is_superspeed(hub->hdev)) -+ udev->speed = USB_SPEED_SUPER; -+ else if (portstatus & USB_PORT_STAT_HIGH_SPEED) -+ udev->speed = USB_SPEED_HIGH; -+ else if (portstatus & USB_PORT_STAT_LOW_SPEED) -+ udev->speed = USB_SPEED_LOW; -+ else -+ udev->speed = USB_SPEED_FULL; - return 0; - } - -@@ -2619,16 +2584,16 @@ delay: - } - - static void hub_port_finish_reset(struct usb_hub *hub, int port1, -- struct usb_device *udev, int *status, bool warm) -+ struct usb_device *udev, int *status) - { - switch (*status) { - case 0: -- if (!warm) { -- struct usb_hcd *hcd; -- /* TRSTRCY = 10 ms; plus some extra */ -- msleep(10 + 40); -+ /* TRSTRCY = 10 ms; plus some extra */ -+ msleep(10 + 40); -+ if (udev) { -+ struct usb_hcd *hcd = bus_to_hcd(udev->bus); -+ - update_devnum(udev, 0); -- hcd = bus_to_hcd(udev->bus); - /* The xHC may think the device is already reset, - * so ignore the status. - */ -@@ -2640,14 +2605,15 @@ static void hub_port_finish_reset(struct usb_hub *hub, int port1, - case -ENODEV: - clear_port_feature(hub->hdev, - port1, USB_PORT_FEAT_C_RESET); -- /* FIXME need disconnect() for NOTATTACHED device */ - if (hub_is_superspeed(hub->hdev)) { - clear_port_feature(hub->hdev, port1, - USB_PORT_FEAT_C_BH_PORT_RESET); - clear_port_feature(hub->hdev, port1, - USB_PORT_FEAT_C_PORT_LINK_STATE); -+ clear_port_feature(hub->hdev, port1, -+ USB_PORT_FEAT_C_CONNECTION); - } -- if (!warm) -+ if (udev) - usb_set_device_state(udev, *status - ? USB_STATE_NOTATTACHED - : USB_STATE_DEFAULT); -@@ -2660,18 +2626,30 @@ static int hub_port_reset(struct usb_hub *hub, int port1, - struct usb_device *udev, unsigned int delay, bool warm) - { - int i, status; -+ u16 portchange, portstatus; - -- if (!warm) { -- /* Block EHCI CF initialization during the port reset. -- * Some companion controllers don't like it when they mix. 
-- */ -- down_read(&ehci_cf_port_reset_rwsem); -- } else { -- if (!hub_is_superspeed(hub->hdev)) { -+ if (!hub_is_superspeed(hub->hdev)) { -+ if (warm) { - dev_err(hub->intfdev, "only USB3 hub support " - "warm reset\n"); - return -EINVAL; - } -+ /* Block EHCI CF initialization during the port reset. -+ * Some companion controllers don't like it when they mix. -+ */ -+ down_read(&ehci_cf_port_reset_rwsem); -+ } else if (!warm) { -+ /* -+ * If the caller hasn't explicitly requested a warm reset, -+ * double check and see if one is needed. -+ */ -+ status = hub_port_status(hub, port1, -+ &portstatus, &portchange); -+ if (status < 0) -+ goto done; -+ -+ if (hub_port_warm_reset_required(hub, portstatus)) -+ warm = true; - } - - /* Reset the port */ -@@ -2692,10 +2670,33 @@ static int hub_port_reset(struct usb_hub *hub, int port1, - status); - } - -- /* return on disconnect or reset */ -+ /* Check for disconnect or reset */ - if (status == 0 || status == -ENOTCONN || status == -ENODEV) { -- hub_port_finish_reset(hub, port1, udev, &status, warm); -- goto done; -+ hub_port_finish_reset(hub, port1, udev, &status); -+ -+ if (!hub_is_superspeed(hub->hdev)) -+ goto done; -+ -+ /* -+ * If a USB 3.0 device migrates from reset to an error -+ * state, re-issue the warm reset. -+ */ -+ if (hub_port_status(hub, port1, -+ &portstatus, &portchange) < 0) -+ goto done; -+ -+ if (!hub_port_warm_reset_required(hub, portstatus)) -+ goto done; -+ -+ /* -+ * If the port is in SS.Inactive or Compliance Mode, the -+ * hot or warm reset failed. Try another warm reset. 
-+ */ -+ if (!warm) { -+ dev_dbg(hub->intfdev, "hot reset failed, warm reset port %d\n", -+ port1); -+ warm = true; -+ } - } - - dev_dbg (hub->intfdev, -@@ -2709,7 +2710,7 @@ static int hub_port_reset(struct usb_hub *hub, int port1, - port1); - - done: -- if (!warm) -+ if (!hub_is_superspeed(hub->hdev)) - up_read(&ehci_cf_port_reset_rwsem); - - return status; -@@ -4740,12 +4741,21 @@ static void hub_events(void) - */ - if (hub_port_warm_reset_required(hub, portstatus)) { - int status; -+ struct usb_device *udev = -+ hub->ports[i - 1]->child; - - dev_dbg(hub_dev, "warm reset port %d\n", i); -- status = hub_port_reset(hub, i, NULL, -- HUB_BH_RESET_TIME, true); -- if (status < 0) -- hub_port_disable(hub, i, 1); -+ if (!udev) { -+ status = hub_port_reset(hub, i, -+ NULL, HUB_BH_RESET_TIME, -+ true); -+ if (status < 0) -+ hub_port_disable(hub, i, 1); -+ } else { -+ usb_lock_device(udev); -+ status = usb_reset_device(udev); -+ usb_unlock_device(udev); -+ } - connect_change = 0; - } - -diff --git a/drivers/usb/host/ehci-timer.c b/drivers/usb/host/ehci-timer.c -index f904071..20dbdcb 100644 ---- a/drivers/usb/host/ehci-timer.c -+++ b/drivers/usb/host/ehci-timer.c -@@ -113,15 +113,14 @@ static void ehci_poll_ASS(struct ehci_hcd *ehci) - - if (want != actual) { - -- /* Poll again later */ -- ehci_enable_event(ehci, EHCI_HRTIMER_POLL_ASS, true); -- ++ehci->ASS_poll_count; -- return; -+ /* Poll again later, but give up after about 20 ms */ -+ if (ehci->ASS_poll_count++ < 20) { -+ ehci_enable_event(ehci, EHCI_HRTIMER_POLL_ASS, true); -+ return; -+ } -+ ehci_dbg(ehci, "Waited too long for the async schedule status (%x/%x), giving up\n", -+ want, actual); - } -- -- if (ehci->ASS_poll_count > 20) -- ehci_dbg(ehci, "ASS poll count reached %d\n", -- ehci->ASS_poll_count); - ehci->ASS_poll_count = 0; - - /* The status is up-to-date; restart or stop the schedule as needed */ -@@ -160,14 +159,14 @@ static void ehci_poll_PSS(struct ehci_hcd *ehci) - - if (want != actual) { - -- /* Poll 
again later */ -- ehci_enable_event(ehci, EHCI_HRTIMER_POLL_PSS, true); -- return; -+ /* Poll again later, but give up after about 20 ms */ -+ if (ehci->PSS_poll_count++ < 20) { -+ ehci_enable_event(ehci, EHCI_HRTIMER_POLL_PSS, true); -+ return; -+ } -+ ehci_dbg(ehci, "Waited too long for the periodic schedule status (%x/%x), giving up\n", -+ want, actual); - } -- -- if (ehci->PSS_poll_count > 20) -- ehci_dbg(ehci, "PSS poll count reached %d\n", -- ehci->PSS_poll_count); - ehci->PSS_poll_count = 0; - - /* The status is up-to-date; restart or stop the schedule as needed */ -diff --git a/drivers/w1/masters/w1-gpio.c b/drivers/w1/masters/w1-gpio.c -index 85b363a..d39dfa4 100644 ---- a/drivers/w1/masters/w1-gpio.c -+++ b/drivers/w1/masters/w1-gpio.c -@@ -72,7 +72,7 @@ static int w1_gpio_probe_dt(struct platform_device *pdev) - return 0; - } - --static int __init w1_gpio_probe(struct platform_device *pdev) -+static int w1_gpio_probe(struct platform_device *pdev) - { - struct w1_bus_master *master; - struct w1_gpio_platform_data *pdata; -diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig -index 7f809fd..19fa73a 100644 ---- a/drivers/watchdog/Kconfig -+++ b/drivers/watchdog/Kconfig -@@ -79,6 +79,7 @@ config DA9052_WATCHDOG - config DA9055_WATCHDOG - tristate "Dialog Semiconductor DA9055 Watchdog" - depends on MFD_DA9055 -+ select WATCHDOG_CORE - help - If you say yes here you get support for watchdog on the Dialog - Semiconductor DA9055 PMIC. 
-diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c -index 2b0e000..e3b8f75 100644 ---- a/drivers/watchdog/sp5100_tco.c -+++ b/drivers/watchdog/sp5100_tco.c -@@ -361,7 +361,7 @@ static unsigned char sp5100_tco_setupdevice(void) - { - struct pci_dev *dev = NULL; - const char *dev_name = NULL; -- u32 val; -+ u32 val, tmp_val; - u32 index_reg, data_reg, base_addr; - - /* Match the PCI device */ -@@ -497,30 +497,19 @@ static unsigned char sp5100_tco_setupdevice(void) - pr_debug("Got 0x%04x from resource tree\n", val); - } - -- /* Restore to the low three bits, if chipset is SB8x0(or later) */ -- if (sp5100_tco_pci->revision >= 0x40) { -- u8 reserved_bit; -- reserved_bit = inb(base_addr) & 0x7; -- val |= (u32)reserved_bit; -- } -+ /* Restore to the low three bits */ -+ outb(base_addr+0, index_reg); -+ tmp_val = val | (inb(data_reg) & 0x7); - - /* Re-programming the watchdog timer base address */ - outb(base_addr+0, index_reg); -- /* Low three bits of BASE are reserved */ -- outb((val >> 0) & 0xf8, data_reg); -+ outb((tmp_val >> 0) & 0xff, data_reg); - outb(base_addr+1, index_reg); -- outb((val >> 8) & 0xff, data_reg); -+ outb((tmp_val >> 8) & 0xff, data_reg); - outb(base_addr+2, index_reg); -- outb((val >> 16) & 0xff, data_reg); -+ outb((tmp_val >> 16) & 0xff, data_reg); - outb(base_addr+3, index_reg); -- outb((val >> 24) & 0xff, data_reg); -- -- /* -- * Clear unnecessary the low three bits, -- * if chipset is SB8x0(or later) -- */ -- if (sp5100_tco_pci->revision >= 0x40) -- val &= ~0x7; -+ outb((tmp_val >> 24) & 0xff, data_reg); - - if (!request_mem_region_exclusive(val, SP5100_WDT_MEM_MAP_SIZE, - dev_name)) { -diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c -index bcf3ba4..61786be 100644 ---- a/drivers/xen/xenbus/xenbus_client.c -+++ b/drivers/xen/xenbus/xenbus_client.c -@@ -30,6 +30,7 @@ - * IN THE SOFTWARE. 
- */ - -+#include <linux/mm.h> - #include <linux/slab.h> - #include <linux/types.h> - #include <linux/spinlock.h> -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index cc93b23..659ea81 100644 ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -265,6 +265,7 @@ static noinline int cow_file_range_inline(struct btrfs_trans_handle *trans, - return 1; - } - -+ set_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &BTRFS_I(inode)->runtime_flags); - btrfs_delalloc_release_metadata(inode, end + 1 - start); - btrfs_drop_extent_cache(inode, start, aligned_end - 1, 0); - return 0; -@@ -2469,6 +2470,7 @@ int btrfs_orphan_cleanup(struct btrfs_root *root) - */ - set_bit(BTRFS_INODE_HAS_ORPHAN_ITEM, - &BTRFS_I(inode)->runtime_flags); -+ atomic_inc(&root->orphan_inodes); - - /* if we have links, this was a truncate, lets do that */ - if (inode->i_nlink) { -@@ -2491,6 +2493,8 @@ int btrfs_orphan_cleanup(struct btrfs_root *root) - goto out; - - ret = btrfs_truncate(inode); -+ if (ret) -+ btrfs_orphan_del(NULL, inode); - } else { - nr_unlink++; - } -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index 9027bb1..b6818ee 100644 ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -3281,6 +3281,7 @@ static int log_one_extent(struct btrfs_trans_handle *trans, - int ret; - bool skip_csum = BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM; - -+insert: - INIT_LIST_HEAD(&ordered_sums); - btrfs_init_map_token(&token); - key.objectid = btrfs_ino(inode); -@@ -3296,6 +3297,23 @@ static int log_one_extent(struct btrfs_trans_handle *trans, - leaf = path->nodes[0]; - fi = btrfs_item_ptr(leaf, path->slots[0], - struct btrfs_file_extent_item); -+ -+ /* -+ * If we are overwriting an inline extent with a real one then we need -+ * to just delete the inline extent as it may not be large enough to -+ * have the entire file_extent_item. 
-+ */
-+ if (ret && btrfs_token_file_extent_type(leaf, fi, &token) ==
-+ BTRFS_FILE_EXTENT_INLINE) {
-+ ret = btrfs_del_item(trans, log, path);
-+ btrfs_release_path(path);
-+ if (ret) {
-+ path->really_keep_locks = 0;
-+ return ret;
-+ }
-+ goto insert;
-+ }
-+
- btrfs_set_token_file_extent_generation(leaf, fi, em->generation,
- &token);
- if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags)) {
-diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
-index 5cbb7f4..ac8ff8d 100644
---- a/fs/btrfs/volumes.c
-+++ b/fs/btrfs/volumes.c
-@@ -647,6 +647,7 @@ static int __btrfs_close_devices(struct btrfs_fs_devices *fs_devices)
- new_device->writeable = 0;
- new_device->in_fs_metadata = 0;
- new_device->can_discard = 0;
-+ spin_lock_init(&new_device->io_lock);
- list_replace_rcu(&device->dev_list, &new_device->dev_list);
- 
- call_rcu(&device->rcu, free_device);
-diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index de7f916..e328339 100644
---- a/fs/cifs/cifsfs.c
-+++ b/fs/cifs/cifsfs.c
-@@ -558,6 +558,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
- dentry = ERR_PTR(-ENOENT);
- break;
- }
-+ if (!S_ISDIR(dir->i_mode)) {
-+ dput(dentry);
-+ dentry = ERR_PTR(-ENOTDIR);
-+ break;
-+ }
- 
- /* skip separators */
- while (*s == sep)
-diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
-index c9c7aa7..bceffe7 100644
---- a/fs/cifs/smb2ops.c
-+++ b/fs/cifs/smb2ops.c
-@@ -744,4 +744,5 @@ struct smb_version_values smb30_values = {
- .cap_unix = 0,
- .cap_nt_find = SMB2_NT_FIND,
- .cap_large_files = SMB2_LARGE_FILES,
-+ .oplock_read = SMB2_OPLOCK_LEVEL_II,
- };
-diff --git a/fs/compat.c b/fs/compat.c
-index 015e1e1..a06dcbc 100644
---- a/fs/compat.c
-+++ b/fs/compat.c
-@@ -558,6 +558,10 @@ ssize_t compat_rw_copy_check_uvector(int type,
- }
- *ret_pointer = iov;
- 
-+ ret = -EFAULT;
-+ if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
-+ goto out;
-+
- /*
- * Single unix specification:
- * We should -EINVAL if an element length is not >= 0 and fitting an
-@@ 
-1080,17 +1084,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
- if (!file->f_op)
- goto out;
- 
-- ret = -EFAULT;
-- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
-- goto out;
--
-- tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
-+ ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
- UIO_FASTIOV, iovstack, &iov);
-- if (tot_len == 0) {
-- ret = 0;
-+ if (ret <= 0)
- goto out;
-- }
- 
-+ tot_len = ret;
- ret = rw_verify_area(type, file, pos, tot_len);
- if (ret < 0)
- goto out;
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 2f2e0da..92e68b3 100644
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -635,7 +635,7 @@ ext4_fsblk_t ext4_count_free_clusters(struct super_block *sb)
- brelse(bitmap_bh);
- printk(KERN_DEBUG "ext4_count_free_clusters: stored = %llu"
- ", computed = %llu, %llu\n",
-- EXT4_B2C(EXT4_SB(sb), ext4_free_blocks_count(es)),
-+ EXT4_NUM_B2C(EXT4_SB(sb), ext4_free_blocks_count(es)),
- desc_count, bitmap_count);
- return bitmap_count;
- #else
-diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 061727a..28bbf9b 100644
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -3444,7 +3444,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
- win = offs;
- 
- ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical -
-- EXT4_B2C(sbi, win);
-+ EXT4_NUM_B2C(sbi, win);
- BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
- BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len);
- }
-@@ -4590,7 +4590,7 @@ do_more:
- EXT4_BLOCKS_PER_GROUP(sb);
- count -= overflow;
- }
-- count_clusters = EXT4_B2C(sbi, count);
-+ count_clusters = EXT4_NUM_B2C(sbi, count);
- bitmap_bh = ext4_read_block_bitmap(sb, block_group);
- if (!bitmap_bh) {
- err = -EIO;
-@@ -4832,11 +4832,11 @@ int ext4_group_add_blocks(handle_t *handle, struct super_block *sb,
- ext4_group_desc_csum_set(sb, block_group, desc);
- ext4_unlock_group(sb, block_group);
- percpu_counter_add(&sbi->s_freeclusters_counter,
-- 
EXT4_B2C(sbi, blocks_freed));
-+ EXT4_NUM_B2C(sbi, blocks_freed));
- 
- if (sbi->s_log_groups_per_flex) {
- ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
-- atomic_add(EXT4_B2C(sbi, blocks_freed),
-+ atomic_add(EXT4_NUM_B2C(sbi, blocks_freed),
- &sbi->s_flex_groups[flex_group].free_clusters);
- }
- 
-diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
-index 02824dc..1aab70d 100644
---- a/fs/ext4/resize.c
-+++ b/fs/ext4/resize.c
-@@ -1247,7 +1247,7 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
- 
- ext4_inode_table_set(sb, gdp, group_data->inode_table);
- ext4_free_group_clusters_set(sb, gdp,
-- EXT4_B2C(sbi, group_data->free_blocks_count));
-+ EXT4_NUM_B2C(sbi, group_data->free_blocks_count));
- ext4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));
- if (ext4_has_group_desc_csum(sb))
- ext4_itable_unused_set(sb, gdp,
-@@ -1349,7 +1349,7 @@ static void ext4_update_super(struct super_block *sb,
- 
- /* Update the free space counts */
- percpu_counter_add(&sbi->s_freeclusters_counter,
-- EXT4_B2C(sbi, free_blocks));
-+ EXT4_NUM_B2C(sbi, free_blocks));
- percpu_counter_add(&sbi->s_freeinodes_counter,
- EXT4_INODES_PER_GROUP(sb) * flex_gd->count);
- 
-@@ -1360,7 +1360,7 @@ static void ext4_update_super(struct super_block *sb,
- sbi->s_log_groups_per_flex) {
- ext4_group_t flex_group;
- flex_group = ext4_flex_group(sbi, group_data[0].group);
-- atomic_add(EXT4_B2C(sbi, free_blocks),
-+ atomic_add(EXT4_NUM_B2C(sbi, free_blocks),
- &sbi->s_flex_groups[flex_group].free_clusters);
- atomic_add(EXT4_INODES_PER_GROUP(sb) * flex_gd->count,
- &sbi->s_flex_groups[flex_group].free_inodes);
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 0465f36..5fa223d 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -3235,7 +3235,7 @@ int ext4_calculate_overhead(struct super_block *sb)
- }
- /* Add the journal blocks as well */
- if (sbi->s_journal)
-- overhead += EXT4_B2C(sbi, sbi->s_journal->j_maxlen);
-+ overhead += EXT4_NUM_B2C(sbi, 
sbi->s_journal->j_maxlen);
- 
- sbi->s_overhead = overhead;
- smp_wmb();
-diff --git a/fs/namei.c b/fs/namei.c
-index 43a97ee..ec97aef 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -693,8 +693,6 @@ void nd_jump_link(struct nameidata *nd, struct path *path)
- nd->path = *path;
- nd->inode = nd->path.dentry->d_inode;
- nd->flags |= LOOKUP_JUMPED;
--
-- BUG_ON(nd->inode->i_op->follow_link);
- }
- 
- static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
-diff --git a/fs/nfs/nfs4filelayout.c b/fs/nfs/nfs4filelayout.c
-index 194c484..49eeb04 100644
---- a/fs/nfs/nfs4filelayout.c
-+++ b/fs/nfs/nfs4filelayout.c
-@@ -99,7 +99,8 @@ static void filelayout_reset_write(struct nfs_write_data *data)
- 
- task->tk_status = pnfs_write_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- }
- 
-@@ -119,7 +120,8 @@ static void filelayout_reset_read(struct nfs_read_data *data)
- 
- task->tk_status = pnfs_read_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- }
- 
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index efda60d..3cb5e77 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -6087,11 +6087,13 @@ static struct page **nfs4_alloc_pages(size_t size, gfp_t gfp_flags)
- static void nfs4_layoutget_release(void *calldata)
- {
- struct nfs4_layoutget *lgp = calldata;
-- struct nfs_server *server = NFS_SERVER(lgp->args.inode);
-+ struct inode *inode = lgp->args.inode;
-+ struct nfs_server *server = NFS_SERVER(inode);
- size_t max_pages = max_response_pages(server);
- 
- dprintk("--> %s\n", __func__);
- nfs4_free_pages(lgp->args.layout.pages, max_pages);
-+ pnfs_put_layout_hdr(NFS_I(inode)->layout);
- put_nfs_open_context(lgp->args.ctx);
- kfree(calldata);
- dprintk("<-- %s\n", __func__);
-@@ -6106,7 +6108,8 @@ static const struct rpc_call_ops nfs4_layoutget_call_ops = {
- struct pnfs_layout_segment *
- 
nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
- {
-- struct nfs_server *server = NFS_SERVER(lgp->args.inode);
-+ struct inode *inode = lgp->args.inode;
-+ struct nfs_server *server = NFS_SERVER(inode);
- size_t max_pages = max_response_pages(server);
- struct rpc_task *task;
- struct rpc_message msg = {
-@@ -6136,6 +6139,10 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
- lgp->res.layoutp = &lgp->args.layout;
- lgp->res.seq_res.sr_slot = NULL;
- nfs41_init_sequence(&lgp->args.seq_args, &lgp->res.seq_res, 0);
-+
-+ /* nfs4_layoutget_release calls pnfs_put_layout_hdr */
-+ pnfs_get_layout_hdr(NFS_I(inode)->layout);
-+
- task = rpc_run_task(&task_setup_data);
- if (IS_ERR(task))
- return ERR_CAST(task);
-diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
-index 6be70f6..97767c8 100644
---- a/fs/nfs/pnfs.c
-+++ b/fs/nfs/pnfs.c
-@@ -1422,13 +1422,15 @@ EXPORT_SYMBOL_GPL(pnfs_generic_pg_test);
- 
- int pnfs_write_done_resend_to_mds(struct inode *inode,
- struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops)
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq)
- {
- struct nfs_pageio_descriptor pgio;
- LIST_HEAD(failed);
- 
- /* Resend all requests through the MDS */
- nfs_pageio_init_write(&pgio, inode, FLUSH_STABLE, compl_ops);
-+ pgio.pg_dreq = dreq;
- while (!list_empty(head)) {
- struct nfs_page *req = nfs_list_entry(head->next);
- 
-@@ -1463,7 +1465,8 @@ static void pnfs_ld_handle_write_error(struct nfs_write_data *data)
- if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags))
- data->task.tk_status = pnfs_write_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- 
- /*
-@@ -1578,13 +1581,15 @@ EXPORT_SYMBOL_GPL(pnfs_generic_pg_writepages);
- 
- int pnfs_read_done_resend_to_mds(struct inode *inode,
- struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops)
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ 
struct nfs_direct_req *dreq)
- {
- struct nfs_pageio_descriptor pgio;
- LIST_HEAD(failed);
- 
- /* Resend all requests through the MDS */
- nfs_pageio_init_read(&pgio, inode, compl_ops);
-+ pgio.pg_dreq = dreq;
- while (!list_empty(head)) {
- struct nfs_page *req = nfs_list_entry(head->next);
- 
-@@ -1615,7 +1620,8 @@ static void pnfs_ld_handle_read_error(struct nfs_read_data *data)
- if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags))
- data->task.tk_status = pnfs_read_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- 
- /*
-diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
-index 97cb358..94ba804 100644
---- a/fs/nfs/pnfs.h
-+++ b/fs/nfs/pnfs.h
-@@ -230,9 +230,11 @@ struct pnfs_layout_segment *pnfs_update_layout(struct inode *ino,
- 
- void nfs4_deviceid_mark_client_invalid(struct nfs_client *clp);
- int pnfs_read_done_resend_to_mds(struct inode *inode, struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops);
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq);
- int pnfs_write_done_resend_to_mds(struct inode *inode, struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops);
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq);
- struct nfs4_threshold *pnfs_mdsthreshold_alloc(void);
- 
- /* nfs4_deviceid_flags */
-diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c
-index 3f79c77..6edc807 100644
---- a/fs/nfs/unlink.c
-+++ b/fs/nfs/unlink.c
-@@ -336,20 +336,14 @@ static void nfs_async_rename_done(struct rpc_task *task, void *calldata)
- struct inode *old_dir = data->old_dir;
- struct inode *new_dir = data->new_dir;
- struct dentry *old_dentry = data->old_dentry;
-- struct dentry *new_dentry = data->new_dentry;
- 
- if (!NFS_PROTO(old_dir)->rename_done(task, old_dir, new_dir)) {
- rpc_restart_call_prepare(task);
- return;
- }
- 
-- if (task->tk_status != 0) {
-+ if (task->tk_status != 0)
- 
nfs_cancel_async_unlink(old_dentry);
-- return;
-- }
--
-- d_drop(old_dentry);
-- d_drop(new_dentry);
- }
- 
- /**
-@@ -550,6 +544,18 @@ nfs_sillyrename(struct inode *dir, struct dentry *dentry)
- error = rpc_wait_for_completion_task(task);
- if (error == 0)
- error = task->tk_status;
-+ switch (error) {
-+ case 0:
-+ /* The rename succeeded */
-+ nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
-+ d_move(dentry, sdentry);
-+ break;
-+ case -ERESTARTSYS:
-+ /* The result of the rename is unknown. Play it safe by
-+ * forcing a new lookup */
-+ d_drop(dentry);
-+ d_drop(sdentry);
-+ }
- rpc_put_task(task);
- out_dput:
- dput(sdentry);
-diff --git a/fs/pipe.c b/fs/pipe.c
-index bd3479d..8e2e73f 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -863,6 +863,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
- {
- int ret = -ENOENT;
- 
-+ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
-+ return -EINVAL;
-+
- mutex_lock(&inode->i_mutex);
- 
- if (inode->i_pipe) {
-diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
-index b7a4719..66b51c0 100644
---- a/fs/proc/namespaces.c
-+++ b/fs/proc/namespaces.c
-@@ -118,7 +118,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
- struct super_block *sb = inode->i_sb;
- struct proc_inode *ei = PROC_I(inode);
- struct task_struct *task;
-- struct dentry *ns_dentry;
-+ struct path ns_path;
- void *error = ERR_PTR(-EACCES);
- 
- task = get_proc_task(inode);
-@@ -128,14 +128,14 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
- if (!ptrace_may_access(task, PTRACE_MODE_READ))
- goto out_put_task;
- 
-- ns_dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
-- if (IS_ERR(ns_dentry)) {
-- error = ERR_CAST(ns_dentry);
-+ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
-+ if (IS_ERR(ns_path.dentry)) {
-+ error = ERR_CAST(ns_path.dentry);
- goto out_put_task;
- }
- 
-- dput(nd->path.dentry);
-- nd->path.dentry = ns_dentry;
-+ ns_path.mnt = 
mntget(nd->path.mnt);
-+ nd_jump_link(nd, &ns_path);
- error = NULL;
- 
- out_put_task:
-diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
-index bf6afa2..a5cda3e 100644
---- a/include/linux/device-mapper.h
-+++ b/include/linux/device-mapper.h
-@@ -68,8 +68,8 @@ typedef void (*dm_postsuspend_fn) (struct dm_target *ti);
- typedef int (*dm_preresume_fn) (struct dm_target *ti);
- typedef void (*dm_resume_fn) (struct dm_target *ti);
- 
--typedef int (*dm_status_fn) (struct dm_target *ti, status_type_t status_type,
-- unsigned status_flags, char *result, unsigned maxlen);
-+typedef void (*dm_status_fn) (struct dm_target *ti, status_type_t status_type,
-+ unsigned status_flags, char *result, unsigned maxlen);
- 
- typedef int (*dm_message_fn) (struct dm_target *ti, unsigned argc, char **argv);
- 
-diff --git a/include/linux/mfd/rtsx_pci.h b/include/linux/mfd/rtsx_pci.h
-index 4b117a3..acf4d31 100644
---- a/include/linux/mfd/rtsx_pci.h
-+++ b/include/linux/mfd/rtsx_pci.h
-@@ -735,6 +735,7 @@ struct rtsx_pcr {
- 
- unsigned int card_inserted;
- unsigned int card_removed;
-+ unsigned int card_exist;
- 
- struct delayed_work carddet_work;
- struct delayed_work idle_work;
-@@ -799,6 +800,7 @@ int rtsx_pci_switch_clock(struct rtsx_pcr *pcr, unsigned int card_clock,
- u8 ssc_depth, bool initial_mode, bool double_clk, bool vpclk);
- int rtsx_pci_card_power_on(struct rtsx_pcr *pcr, int card);
- int rtsx_pci_card_power_off(struct rtsx_pcr *pcr, int card);
-+int rtsx_pci_card_exclusive_check(struct rtsx_pcr *pcr, int card);
- int rtsx_pci_switch_output_voltage(struct rtsx_pcr *pcr, u8 voltage);
- unsigned int rtsx_pci_card_exist(struct rtsx_pcr *pcr);
- void rtsx_pci_complete_unfinished_transfer(struct rtsx_pcr *pcr);
-diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..31cd1bf 100644
---- a/ipc/msg.c
-+++ b/ipc/msg.c
-@@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
- struct msg_msg *copy = NULL;
- unsigned long 
copy_number = 0;
- 
-+ ns = current->nsproxy->ipc_ns;
-+
- if (msqid < 0 || (long) bufsz < 0)
- return -EINVAL;
- if (msgflg & MSG_COPY) {
-- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
-+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
-+ msgflg, &msgtyp, ©_number);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
- }
- mode = convert_mode(&msgtyp, msgflg);
-- ns = current->nsproxy->ipc_ns;
- 
- msq = msg_lock_check(ns, msqid);
- if (IS_ERR(msq)) {
-diff --git a/ipc/msgutil.c b/ipc/msgutil.c
-index ebfcbfa..5df8e4b 100644
---- a/ipc/msgutil.c
-+++ b/ipc/msgutil.c
-@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
- if (alen > DATALEN_MSG)
- alen = DATALEN_MSG;
- 
-- dst->next = NULL;
-- dst->security = NULL;
--
- memcpy(dst + 1, src + 1, alen);
- 
- len -= alen;
-diff --git a/kernel/fork.c b/kernel/fork.c
-index c535f33..5630e52 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1141,6 +1141,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
- if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
- return ERR_PTR(-EINVAL);
- 
-+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
-+ return ERR_PTR(-EINVAL);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -1801,7 +1804,7 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
- * If unsharing a user namespace must also unshare the thread.
- */
- if (unshare_flags & CLONE_NEWUSER)
-- unshare_flags |= CLONE_THREAD;
-+ unshare_flags |= CLONE_THREAD | CLONE_FS;
- /*
- * If unsharing a pid namespace must also unshare the thread.
- */
-diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
-index d58e552..e78feff 100644
---- a/kernel/time/tick-sched.c
-+++ b/kernel/time/tick-sched.c
-@@ -564,14 +564,19 @@ void tick_nohz_idle_enter(void)
- */
- void tick_nohz_irq_exit(void)
- {
-+ unsigned long flags;
- struct tick_sched *ts = &__get_cpu_var(tick_cpu_sched);
- 
- if (!ts->inidle)
- return;
- 
-- /* Cancel the timer because CPU already waken up from the C-states*/
-+ local_irq_save(flags);
-+
-+ /* Cancel the timer because CPU already waken up from the C-states */
- menu_hrtimer_cancel();
- __tick_nohz_idle_enter(ts);
-+
-+ local_irq_restore(flags);
- }
- 
- /**
-diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
-index 5d89335..2747967 100644
---- a/kernel/trace/Kconfig
-+++ b/kernel/trace/Kconfig
-@@ -416,24 +416,28 @@ config PROBE_EVENTS
- def_bool n
- 
- config DYNAMIC_FTRACE
-- bool "enable/disable ftrace tracepoints dynamically"
-+ bool "enable/disable function tracing dynamically"
- depends on FUNCTION_TRACER
- depends on HAVE_DYNAMIC_FTRACE
- default y
- help
-- This option will modify all the calls to ftrace dynamically
-- (will patch them out of the binary image and replace them
-- with a No-Op instruction) as they are called. A table is
-- created to dynamically enable them again.
-+ This option will modify all the calls to function tracing
-+ dynamically (will patch them out of the binary image and
-+ replace them with a No-Op instruction) on boot up. During
-+ compile time, a table is made of all the locations that ftrace
-+ can function trace, and this table is linked into the kernel
-+ image. When this is enabled, functions can be individually
-+ enabled, and the functions not enabled will not affect
-+ performance of the system.
-+
-+ See the files in /sys/kernel/debug/tracing:
-+ available_filter_functions
-+ set_ftrace_filter
-+ set_ftrace_notrace
- 
- This way a CONFIG_FUNCTION_TRACER kernel is slightly larger, but
- otherwise has native performance as long as no tracing is active.
- 
-- The changes to the code are done by a kernel thread that
-- wakes up once a second and checks to see if any ftrace calls
-- were made. If so, it runs stop_machine (stops all CPUS)
-- and modifies the code to jump over the call to ftrace.
--
- config FUNCTION_PROFILER
- bool "Kernel function profiler"
- depends on FUNCTION_TRACER
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 2b042c4..dbfe36a7 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -21,6 +21,7 @@
- #include <linux/uaccess.h>
- #include <linux/ctype.h>
- #include <linux/projid.h>
-+#include <linux/fs_struct.h>
- 
- static struct kmem_cache *user_ns_cachep __read_mostly;
- 
-@@ -803,6 +804,9 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
- if (atomic_read(¤t->mm->mm_users) > 1)
- return -EINVAL;
- 
-+ if (current->fs->users != 1)
-+ return -EINVAL;
-+
- if (!ns_capable(user_ns, CAP_SYS_ADMIN))
- return -EPERM;
- 
-diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index e2df1c1..3df6d12 100644
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -2386,8 +2386,8 @@ restart:
- *mpol_new = *n->policy;
- atomic_set(&mpol_new->refcnt, 1);
- sp_node_init(n_new, n->end, end, mpol_new);
-- sp_insert(sp, n_new);
- n->end = start;
-+ sp_insert(sp, n_new);
- n_new = NULL;
- mpol_new = NULL;
- break;
-diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index 926b466..fd26d04 100644
---- a/mm/process_vm_access.c
-+++ b/mm/process_vm_access.c
-@@ -429,12 +429,6 @@ compat_process_vm_rw(compat_pid_t pid,
- if (flags != 0)
- return -EINVAL;
- 
-- if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec)))
-- goto out;
--
-- if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec)))
-- goto out;
--
- if 
(vm_write)
- rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt,
- UIO_FASTIOV, iovstack_l,
-@@ -459,8 +453,6 @@ free_iovecs:
- kfree(iov_r);
- if (iov_l != iovstack_l)
- kfree(iov_l);
--
--out:
- return rc;
- }
- 
-diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
-index f651da6..76c3d0a 100644
---- a/net/ieee802154/6lowpan.c
-+++ b/net/ieee802154/6lowpan.c
-@@ -1234,7 +1234,7 @@ static inline int __init lowpan_netlink_init(void)
- return rtnl_link_register(&lowpan_link_ops);
- }
- 
--static inline void __init lowpan_netlink_fini(void)
-+static inline void lowpan_netlink_fini(void)
- {
- rtnl_link_unregister(&lowpan_link_ops);
- }
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index f75ba1a..9979bf8 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -4072,6 +4072,17 @@ void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
- {
- struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
- 
-+ /*
-+ * Make sure some work items will not run after this,
-+ * they will not do anything but might not have been
-+ * cancelled when disconnecting.
-+ */
-+ cancel_work_sync(&ifmgd->monitor_work);
-+ cancel_work_sync(&ifmgd->beacon_connection_loss_work);
-+ cancel_work_sync(&ifmgd->request_smps_work);
-+ cancel_work_sync(&ifmgd->csa_connection_drop_work);
-+ cancel_work_sync(&ifmgd->chswitch_work);
-+
- mutex_lock(&ifmgd->mtx);
- if (ifmgd->assoc_data)
- ieee80211_destroy_assoc_data(sdata, false);
-diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
-index 33811db..ab02588 100644
---- a/net/sunrpc/xprt.c
-+++ b/net/sunrpc/xprt.c
-@@ -485,13 +485,17 @@ EXPORT_SYMBOL_GPL(xprt_wake_pending_tasks);
- * xprt_wait_for_buffer_space - wait for transport output buffer to clear
- * @task: task to be put to sleep
- * @action: function pointer to be executed after wait
-+ *
-+ * Note that we only set the timer for the case of RPC_IS_SOFT(), since
-+ * we don't in general want to force a socket disconnection due to
-+ * an incomplete RPC call transmission.
- */
- void xprt_wait_for_buffer_space(struct rpc_task *task, rpc_action action)
- {
- struct rpc_rqst *req = task->tk_rqstp;
- struct rpc_xprt *xprt = req->rq_xprt;
- 
-- task->tk_timeout = req->rq_timeout;
-+ task->tk_timeout = RPC_IS_SOFT(task) ? 
req->rq_timeout : 0;
- rpc_sleep_on(&xprt->pending, task, action);
- }
- EXPORT_SYMBOL_GPL(xprt_wait_for_buffer_space);
-diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 1c26176..d65fa7f 100644
---- a/security/keys/compat.c
-+++ b/security/keys/compat.c
-@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
- ARRAY_SIZE(iovstack),
- iovstack, &iov);
- if (ret < 0)
-- return ret;
-+ goto err;
- if (ret == 0)
- goto no_payload_free;
- 
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
--
-+err:
- if (iov != iovstack)
- kfree(iov);
- return ret;
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..42defae 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
- 
- kenter("%p{%u}", user, uid);
- 
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
-@@ -839,7 +839,7 @@ void key_change_session_keyring(struct callback_head *twork)
- new-> sgid = old-> sgid;
- new->fsgid = old->fsgid;
- new->user = get_uid(old->user);
-- new->user_ns = get_user_ns(new->user_ns);
-+ new->user_ns = get_user_ns(old->user_ns);
- new->group_info = get_group_info(old->group_info);
- 
- new->securebits = old->securebits;
-diff --git a/sound/core/vmaster.c b/sound/core/vmaster.c
-index 8575861..0097f36 100644
---- a/sound/core/vmaster.c
-+++ b/sound/core/vmaster.c
-@@ -213,7 +213,10 @@ static int slave_put(struct snd_kcontrol *kcontrol,
- }
- if (!changed)
- return 0;
-- return slave_put_val(slave, ucontrol);
-+ err = slave_put_val(slave, ucontrol);
-+ if (err < 0)
-+ return err;
-+ return 1;
- }
- 
- static int slave_tlv_cmd(struct snd_kcontrol *kcontrol,
-diff --git a/sound/pci/ice1712/ice1712.c b/sound/pci/ice1712/ice1712.c
-index 2ffdc35..806407a 100644
---- a/sound/pci/ice1712/ice1712.c
-+++ b/sound/pci/ice1712/ice1712.c
-@@ -2594,6 +2594,8 @@ static int 
snd_ice1712_create(struct snd_card *card, - snd_ice1712_proc_init(ice); - synchronize_irq(pci->irq); - -+ card->private_data = ice; -+ - err = pci_request_regions(pci, "ICE1712"); - if (err < 0) { - kfree(ice); diff --git a/3.8.3/0000_README b/3.8.4/0000_README index 072a299..db5e01b 100644 --- a/3.8.3/0000_README +++ b/3.8.4/0000_README @@ -2,15 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1001_linux-3.8.2.patch +Patch: 1003_linux-3.8.4.patch From: http://www.kernel.org -Desc: Linux 3.8.2 +Desc: Linux 3.8.4 -Patch: 1002_linux-3.8.3.patch -From: http://www.kernel.org -Desc: Linux 3.8.3 - -Patch: 4420_grsecurity-2.9.1-3.8.3-201303142235.patch +Patch: 4420_grsecurity-2.9.1-3.8.4-201303221826.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.8.4/1003_linux-3.8.4.patch b/3.8.4/1003_linux-3.8.4.patch new file mode 100644 index 0000000..132702f --- /dev/null +++ b/3.8.4/1003_linux-3.8.4.patch 
@@ -0,0 +1,2902 @@ +diff --git a/Documentation/devicetree/bindings/tty/serial/of-serial.txt b/Documentation/devicetree/bindings/tty/serial/of-serial.txt +index 1e1145c..8f01cb1 100644 +--- a/Documentation/devicetree/bindings/tty/serial/of-serial.txt ++++ b/Documentation/devicetree/bindings/tty/serial/of-serial.txt +@@ -11,6 +11,9 @@ Required properties: + - "nvidia,tegra20-uart" + - "nxp,lpc3220-uart" + - "ibm,qpace-nwp-serial" ++ - "altr,16550-FIFO32" ++ - "altr,16550-FIFO64" ++ - "altr,16550-FIFO128" + - "serial" if the port type is unknown. + - reg : offset and length of the register set for the device. + - interrupts : should contain uart interrupt. +diff --git a/Makefile b/Makefile +index 8c49fc9b..e20f162 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 8 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Unicycling Gorilla + +diff --git a/arch/arm/mach-at91/board-foxg20.c b/arch/arm/mach-at91/board-foxg20.c +index 191d37c..1478294 100644 +--- a/arch/arm/mach-at91/board-foxg20.c ++++ b/arch/arm/mach-at91/board-foxg20.c +@@ -176,6 +176,7 @@ static struct w1_gpio_platform_data w1_gpio_pdata = { + /* If you choose to use a pin other than PB16 it needs to be 3.3V */ + .pin = AT91_PIN_PB16, + .is_open_drain = 1, ++ .ext_pullup_enable_pin = -EINVAL, + }; + + static struct platform_device w1_device = { +diff --git a/arch/arm/mach-at91/board-stamp9g20.c b/arch/arm/mach-at91/board-stamp9g20.c +index 48a962b..58a6758 100644 +--- a/arch/arm/mach-at91/board-stamp9g20.c ++++ b/arch/arm/mach-at91/board-stamp9g20.c +@@ -188,6 +188,7 @@ static struct spi_board_info portuxg20_spi_devices[] = { + static struct w1_gpio_platform_data w1_gpio_pdata = { + .pin = AT91_PIN_PA29, + .is_open_drain = 1, ++ .ext_pullup_enable_pin = -EINVAL, + }; + + static struct platform_device w1_device = { +diff --git a/arch/arm/mach-davinci/dma.c b/arch/arm/mach-davinci/dma.c +index a685e97..45b7c71 100644 +--- a/arch/arm/mach-davinci/dma.c ++++ 
b/arch/arm/mach-davinci/dma.c +@@ -743,6 +743,9 @@ EXPORT_SYMBOL(edma_free_channel); + */ + int edma_alloc_slot(unsigned ctlr, int slot) + { ++ if (!edma_cc[ctlr]) ++ return -EINVAL; ++ + if (slot >= 0) + slot = EDMA_CHAN_SLOT(slot); + +diff --git a/arch/arm/mach-ixp4xx/vulcan-setup.c b/arch/arm/mach-ixp4xx/vulcan-setup.c +index 2798f43..1dddc1b 100644 +--- a/arch/arm/mach-ixp4xx/vulcan-setup.c ++++ b/arch/arm/mach-ixp4xx/vulcan-setup.c +@@ -163,6 +163,7 @@ static struct platform_device vulcan_max6369 = { + + static struct w1_gpio_platform_data vulcan_w1_gpio_pdata = { + .pin = 14, ++ .ext_pullup_enable_pin = -EINVAL, + }; + + static struct platform_device vulcan_w1_gpio = { +diff --git a/arch/arm/mach-kirkwood/board-dt.c b/arch/arm/mach-kirkwood/board-dt.c +index de4fd2b..e714ead 100644 +--- a/arch/arm/mach-kirkwood/board-dt.c ++++ b/arch/arm/mach-kirkwood/board-dt.c +@@ -41,16 +41,12 @@ static void __init kirkwood_legacy_clk_init(void) + + struct device_node *np = of_find_compatible_node( + NULL, NULL, "marvell,kirkwood-gating-clock"); +- + struct of_phandle_args clkspec; ++ struct clk *clk; + + clkspec.np = np; + clkspec.args_count = 1; + +- clkspec.args[0] = CGC_BIT_GE0; +- orion_clkdev_add(NULL, "mv643xx_eth_port.0", +- of_clk_get_from_provider(&clkspec)); +- + clkspec.args[0] = CGC_BIT_PEX0; + orion_clkdev_add("0", "pcie", + of_clk_get_from_provider(&clkspec)); +@@ -63,14 +59,24 @@ static void __init kirkwood_legacy_clk_init(void) + orion_clkdev_add("1", "pcie", + of_clk_get_from_provider(&clkspec)); + +- clkspec.args[0] = CGC_BIT_GE1; +- orion_clkdev_add(NULL, "mv643xx_eth_port.1", +- of_clk_get_from_provider(&clkspec)); +- + clkspec.args[0] = CGC_BIT_SDIO; + orion_clkdev_add(NULL, "mvsdio", + of_clk_get_from_provider(&clkspec)); + ++ /* ++ * The ethernet interfaces forget the MAC address assigned by ++ * u-boot if the clocks are turned off. Until proper DT support ++ * is available we always enable them for now. 
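Review bot: In arch/arm/mach-davinci/dma.c, the new NULL test in edma_alloc_slot() reads `edma_cc[ctlr]` without first checking that the caller-supplied `ctlr` is inside the array, so an out-of-range controller number is read past the table before it can be rejected. Folding the range check into the same guard keeps the early return meaningful: `if (ctlr >= ARRAY_SIZE(edma_cc) || !edma_cc[ctlr]) return -EINVAL;`. This assumes `edma_cc` is declared as a true array in this file. The rest of the function body lies outside the hunk, so later uses of `ctlr` could not be checked here.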
++ */ ++ clkspec.args[0] = CGC_BIT_GE0; ++ clk = of_clk_get_from_provider(&clkspec); ++ orion_clkdev_add(NULL, "mv643xx_eth_port.0", clk); ++ clk_prepare_enable(clk); ++ ++ clkspec.args[0] = CGC_BIT_GE1; ++ clk = of_clk_get_from_provider(&clkspec); ++ orion_clkdev_add(NULL, "mv643xx_eth_port.1", clk); ++ clk_prepare_enable(clk); + } + + static void __init kirkwood_of_clk_init(void) +diff --git a/arch/arm/mach-pxa/raumfeld.c b/arch/arm/mach-pxa/raumfeld.c +index 25b08bfa..6283fcb 100644 +--- a/arch/arm/mach-pxa/raumfeld.c ++++ b/arch/arm/mach-pxa/raumfeld.c +@@ -505,6 +505,7 @@ static struct w1_gpio_platform_data w1_gpio_platform_data = { + .pin = GPIO_ONE_WIRE, + .is_open_drain = 0, + .enable_external_pullup = w1_enable_external_pullup, ++ .ext_pullup_enable_pin = -EINVAL, + }; + + struct platform_device raumfeld_w1_gpio_device = { +diff --git a/arch/powerpc/include/asm/mmu-hash64.h b/arch/powerpc/include/asm/mmu-hash64.h +index 2fdb47a..b59e06f 100644 +--- a/arch/powerpc/include/asm/mmu-hash64.h ++++ b/arch/powerpc/include/asm/mmu-hash64.h +@@ -343,17 +343,16 @@ extern void slb_set_size(u16 size); + /* + * VSID allocation (256MB segment) + * +- * We first generate a 38-bit "proto-VSID". For kernel addresses this +- * is equal to the ESID | 1 << 37, for user addresses it is: +- * (context << USER_ESID_BITS) | (esid & ((1U << USER_ESID_BITS) - 1) ++ * We first generate a 37-bit "proto-VSID". Proto-VSIDs are generated ++ * from mmu context id and effective segment id of the address. + * +- * This splits the proto-VSID into the below range +- * 0 - (2^(CONTEXT_BITS + USER_ESID_BITS) - 1) : User proto-VSID range +- * 2^(CONTEXT_BITS + USER_ESID_BITS) - 2^(VSID_BITS) : Kernel proto-VSID range +- * +- * We also have CONTEXT_BITS + USER_ESID_BITS = VSID_BITS - 1 +- * That is, we assign half of the space to user processes and half +- * to the kernel. 
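Review bot: In kirkwood_legacy_clk_init() (arch/arm/mach-kirkwood/board-dt.c), the result of of_clk_get_from_provider() is handed straight to clk_prepare_enable() for both GE0 and GE1, and the int returned by clk_prepare_enable() is dropped. The provider lookup can return an error pointer, and a failed enable would silently bring back the lost-MAC-address problem the new comment describes. A minimal guard would be `if (IS_ERR(clk) || clk_prepare_enable(clk)) pr_warn("kirkwood: GE0 clock not enabled\n");`, and the same for GE1. The function is only partly shown by these two hunks.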
++ * For user processes max context id is limited to ((1ul << 19) - 5) ++ * for kernel space, we use the top 4 context ids to map address as below ++ * NOTE: each context only support 64TB now. ++ * 0x7fffc - [ 0xc000000000000000 - 0xc0003fffffffffff ] ++ * 0x7fffd - [ 0xd000000000000000 - 0xd0003fffffffffff ] ++ * 0x7fffe - [ 0xe000000000000000 - 0xe0003fffffffffff ] ++ * 0x7ffff - [ 0xf000000000000000 - 0xf0003fffffffffff ] + * + * The proto-VSIDs are then scrambled into real VSIDs with the + * multiplicative hash: +@@ -363,41 +362,49 @@ extern void slb_set_size(u16 size); + * VSID_MULTIPLIER is prime, so in particular it is + * co-prime to VSID_MODULUS, making this a 1:1 scrambling function. + * Because the modulus is 2^n-1 we can compute it efficiently without +- * a divide or extra multiply (see below). +- * +- * This scheme has several advantages over older methods: +- * +- * - We have VSIDs allocated for every kernel address +- * (i.e. everything above 0xC000000000000000), except the very top +- * segment, which simplifies several things. ++ * a divide or extra multiply (see below). The scramble function gives ++ * robust scattering in the hash table (at least based on some initial ++ * results). + * +- * - We allow for USER_ESID_BITS significant bits of ESID and +- * CONTEXT_BITS bits of context for user addresses. +- * i.e. 64T (46 bits) of address space for up to half a million contexts. ++ * We also consider VSID 0 special. We use VSID 0 for slb entries mapping ++ * bad address. This enables us to consolidate bad address handling in ++ * hash_page. + * +- * - The scramble function gives robust scattering in the hash +- * table (at least based on some initial results). The previous +- * method was more susceptible to pathological cases giving excessive +- * hash collisions. ++ * We also need to avoid the last segment of the last context, because that ++ * would give a protovsid of 0x1fffffffff. 
That will result in a VSID 0 ++ * because of the modulo operation in vsid scramble. But the vmemmap ++ * (which is what uses region 0xf) will never be close to 64TB in size ++ * (it's 56 bytes per page of system memory). + */ + ++#define CONTEXT_BITS 19 ++#define ESID_BITS 18 ++#define ESID_BITS_1T 6 ++ ++/* ++ * 256MB segment ++ * The proto-VSID space has 2^(CONTEX_BITS + ESID_BITS) - 1 segments ++ * available for user + kernel mapping. The top 4 contexts are used for ++ * kernel mapping. Each segment contains 2^28 bytes. Each ++ * context maps 2^46 bytes (64TB) so we can support 2^19-1 contexts ++ * (19 == 37 + 28 - 46). ++ */ ++#define MAX_USER_CONTEXT ((ASM_CONST(1) << CONTEXT_BITS) - 5) ++ + /* + * This should be computed such that protovosid * vsid_mulitplier + * doesn't overflow 64 bits. It should also be co-prime to vsid_modulus + */ + #define VSID_MULTIPLIER_256M ASM_CONST(12538073) /* 24-bit prime */ +-#define VSID_BITS_256M 38 ++#define VSID_BITS_256M (CONTEXT_BITS + ESID_BITS) + #define VSID_MODULUS_256M ((1UL<<VSID_BITS_256M)-1) + + #define VSID_MULTIPLIER_1T ASM_CONST(12538073) /* 24-bit prime */ +-#define VSID_BITS_1T 26 ++#define VSID_BITS_1T (CONTEXT_BITS + ESID_BITS_1T) + #define VSID_MODULUS_1T ((1UL<<VSID_BITS_1T)-1) + +-#define CONTEXT_BITS 19 +-#define USER_ESID_BITS 18 +-#define USER_ESID_BITS_1T 6 + +-#define USER_VSID_RANGE (1UL << (USER_ESID_BITS + SID_SHIFT)) ++#define USER_VSID_RANGE (1UL << (ESID_BITS + SID_SHIFT)) + + /* + * This macro generates asm code to compute the VSID scramble +@@ -421,7 +428,8 @@ extern void slb_set_size(u16 size); + srdi rx,rt,VSID_BITS_##size; \ + clrldi rt,rt,(64-VSID_BITS_##size); \ + add rt,rt,rx; /* add high and low bits */ \ +- /* Now, r3 == VSID (mod 2^36-1), and lies between 0 and \ ++ /* NOTE: explanation based on VSID_BITS_##size = 36 \ ++ * Now, r3 == VSID (mod 2^36-1), and lies between 0 and \ + * 2^36-1+2^28-1. That in particular means that if r3 >= \ + * 2^36-1, then r3+1 has the 2^36 bit set. 
So, if r3+1 has \ + * the bit clear, r3 already has the answer we want, if it \ +@@ -513,34 +521,6 @@ typedef struct { + }) + #endif /* 1 */ + +-/* +- * This is only valid for addresses >= PAGE_OFFSET +- * The proto-VSID space is divided into two class +- * User: 0 to 2^(CONTEXT_BITS + USER_ESID_BITS) -1 +- * kernel: 2^(CONTEXT_BITS + USER_ESID_BITS) to 2^(VSID_BITS) - 1 +- * +- * With KERNEL_START at 0xc000000000000000, the proto vsid for +- * the kernel ends up with 0xc00000000 (36 bits). With 64TB +- * support we need to have kernel proto-VSID in the +- * [2^37 to 2^38 - 1] range due to the increased USER_ESID_BITS. +- */ +-static inline unsigned long get_kernel_vsid(unsigned long ea, int ssize) +-{ +- unsigned long proto_vsid; +- /* +- * We need to make sure proto_vsid for the kernel is +- * >= 2^(CONTEXT_BITS + USER_ESID_BITS[_1T]) +- */ +- if (ssize == MMU_SEGSIZE_256M) { +- proto_vsid = ea >> SID_SHIFT; +- proto_vsid |= (1UL << (CONTEXT_BITS + USER_ESID_BITS)); +- return vsid_scramble(proto_vsid, 256M); +- } +- proto_vsid = ea >> SID_SHIFT_1T; +- proto_vsid |= (1UL << (CONTEXT_BITS + USER_ESID_BITS_1T)); +- return vsid_scramble(proto_vsid, 1T); +-} +- + /* Returns the segment size indicator for a user address */ + static inline int user_segment_size(unsigned long addr) + { +@@ -550,17 +530,41 @@ static inline int user_segment_size(unsigned long addr) + return MMU_SEGSIZE_256M; + } + +-/* This is only valid for user addresses (which are below 2^44) */ + static inline unsigned long get_vsid(unsigned long context, unsigned long ea, + int ssize) + { ++ /* ++ * Bad address. 
We return VSID 0 for that ++ */ ++ if ((ea & ~REGION_MASK) >= PGTABLE_RANGE) ++ return 0; ++ + if (ssize == MMU_SEGSIZE_256M) +- return vsid_scramble((context << USER_ESID_BITS) ++ return vsid_scramble((context << ESID_BITS) + | (ea >> SID_SHIFT), 256M); +- return vsid_scramble((context << USER_ESID_BITS_1T) ++ return vsid_scramble((context << ESID_BITS_1T) + | (ea >> SID_SHIFT_1T), 1T); + } + ++/* ++ * This is only valid for addresses >= PAGE_OFFSET ++ * ++ * For kernel space, we use the top 4 context ids to map address as below ++ * 0x7fffc - [ 0xc000000000000000 - 0xc0003fffffffffff ] ++ * 0x7fffd - [ 0xd000000000000000 - 0xd0003fffffffffff ] ++ * 0x7fffe - [ 0xe000000000000000 - 0xe0003fffffffffff ] ++ * 0x7ffff - [ 0xf000000000000000 - 0xf0003fffffffffff ] ++ */ ++static inline unsigned long get_kernel_vsid(unsigned long ea, int ssize) ++{ ++ unsigned long context; ++ ++ /* ++ * kernel take the top 4 context from the available range ++ */ ++ context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1; ++ return get_vsid(context, ea, ssize); ++} + #endif /* __ASSEMBLY__ */ + + #endif /* _ASM_POWERPC_MMU_HASH64_H_ */ +diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c +index 75a3d71..19599ef 100644 +--- a/arch/powerpc/kernel/cputable.c ++++ b/arch/powerpc/kernel/cputable.c +@@ -275,7 +275,7 @@ static struct cpu_spec __initdata cpu_specs[] = { + .cpu_features = CPU_FTRS_PPC970, + .cpu_user_features = COMMON_USER_POWER4 | + PPC_FEATURE_HAS_ALTIVEC_COMP, +- .mmu_features = MMU_FTR_HPTE_TABLE, ++ .mmu_features = MMU_FTRS_PPC970, + .icache_bsize = 128, + .dcache_bsize = 128, + .num_pmcs = 8, +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 4665e82..3684cbd 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -1268,20 +1268,36 @@ do_ste_alloc: + _GLOBAL(do_stab_bolted) + stw r9,PACA_EXSLB+EX_CCR(r13) /* save CR in exc. 
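Review bot: get_kernel_vsid() in arch/powerpc/include/asm/mmu-hash64.h enforces its ">= PAGE_OFFSET" precondition only in a comment. For a region id below 0xc the unsigned expression `(MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1` wraps to 0x7fff0..0x7fffb. Those values are at or below MAX_USER_CONTEXT, so __init_new_context() can hand them to user processes, and a misuse would silently resolve a lookup to a user context's VSID instead of failing. The bad-address test in get_vsid() appears to mask the region bits off, so it would not catch this. Since this patch makes VSID 0 the bad-address marker, an explicit guard fits the scheme: `if ((ea >> 60) < 0xc) return 0;` before computing `context`.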
frame */ + std r11,PACA_EXSLB+EX_SRR0(r13) /* save SRR0 in exc. frame */ ++ mfspr r11,SPRN_DAR /* ea */ + ++ /* ++ * check for bad kernel/user address ++ * (ea & ~REGION_MASK) >= PGTABLE_RANGE ++ */ ++ rldicr. r9,r11,4,(63 - 46 - 4) ++ li r9,0 /* VSID = 0 for bad address */ ++ bne- 0f ++ ++ /* ++ * Calculate VSID: ++ * This is the kernel vsid, we take the top for context from ++ * the range. context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1 ++ * Here we know that (ea >> 60) == 0xc ++ */ ++ lis r9,(MAX_USER_CONTEXT + 1)@ha ++ addi r9,r9,(MAX_USER_CONTEXT + 1)@l ++ ++ srdi r10,r11,SID_SHIFT ++ rldimi r10,r9,ESID_BITS,0 /* proto vsid */ ++ ASM_VSID_SCRAMBLE(r10, r9, 256M) ++ rldic r9,r10,12,16 /* r9 = vsid << 12 */ ++ ++0: + /* Hash to the primary group */ + ld r10,PACASTABVIRT(r13) +- mfspr r11,SPRN_DAR +- srdi r11,r11,28 ++ srdi r11,r11,SID_SHIFT + rldimi r10,r11,7,52 /* r10 = first ste of the group */ + +- /* Calculate VSID */ +- /* This is a kernel address, so protovsid = ESID | 1 << 37 */ +- li r9,0x1 +- rldimi r11,r9,(CONTEXT_BITS + USER_ESID_BITS),0 +- ASM_VSID_SCRAMBLE(r11, r9, 256M) +- rldic r9,r11,12,16 /* r9 = vsid << 12 */ +- + /* Search the primary group for a free entry */ + 1: ld r11,0(r10) /* Test valid bit of the current ste */ + andi. 
r11,r11,0x80 +diff --git a/arch/powerpc/kvm/book3s_64_mmu_host.c b/arch/powerpc/kvm/book3s_64_mmu_host.c +index ead58e3..5d7d29a 100644 +--- a/arch/powerpc/kvm/book3s_64_mmu_host.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c +@@ -326,8 +326,8 @@ int kvmppc_mmu_init(struct kvm_vcpu *vcpu) + vcpu3s->context_id[0] = err; + + vcpu3s->proto_vsid_max = ((vcpu3s->context_id[0] + 1) +- << USER_ESID_BITS) - 1; +- vcpu3s->proto_vsid_first = vcpu3s->context_id[0] << USER_ESID_BITS; ++ << ESID_BITS) - 1; ++ vcpu3s->proto_vsid_first = vcpu3s->context_id[0] << ESID_BITS; + vcpu3s->proto_vsid_next = vcpu3s->proto_vsid_first; + + kvmppc_mmu_hpte_init(vcpu); +diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c +index 3a292be..004630b 100644 +--- a/arch/powerpc/mm/hash_utils_64.c ++++ b/arch/powerpc/mm/hash_utils_64.c +@@ -194,6 +194,11 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend, + unsigned long vpn = hpt_vpn(vaddr, vsid, ssize); + unsigned long tprot = prot; + ++ /* ++ * If we hit a bad address return error. ++ */ ++ if (!vsid) ++ return -1; + /* Make kernel text executable */ + if (overlaps_kernel_text(vaddr, vaddr + step)) + tprot &= ~HPTE_R_N; +@@ -758,6 +763,8 @@ void __init early_init_mmu(void) + /* Initialize stab / SLB management */ + if (mmu_has_feature(MMU_FTR_SLB)) + slb_initialize(); ++ else ++ stab_initialize(get_paca()->stab_real); + } + + #ifdef CONFIG_SMP +@@ -921,11 +928,6 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap) + DBG_LOW("hash_page(ea=%016lx, access=%lx, trap=%lx\n", + ea, access, trap); + +- if ((ea & ~REGION_MASK) >= PGTABLE_RANGE) { +- DBG_LOW(" out of pgtable range !\n"); +- return 1; +- } +- + /* Get region & vsid */ + switch (REGION_ID(ea)) { + case USER_REGION_ID: +@@ -956,6 +958,11 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap) + } + DBG_LOW(" mm=%p, mm->pgdir=%p, vsid=%016lx\n", mm, mm->pgd, vsid); + ++ /* Bad address. 
*/ ++ if (!vsid) { ++ DBG_LOW("Bad address!\n"); ++ return 1; ++ } + /* Get pgdir */ + pgdir = mm->pgd; + if (pgdir == NULL) +@@ -1125,6 +1132,8 @@ void hash_preload(struct mm_struct *mm, unsigned long ea, + /* Get VSID */ + ssize = user_segment_size(ea); + vsid = get_vsid(mm->context.id, ea, ssize); ++ if (!vsid) ++ return; + + /* Hash doesn't like irqs */ + local_irq_save(flags); +@@ -1217,6 +1226,9 @@ static void kernel_map_linear_page(unsigned long vaddr, unsigned long lmi) + hash = hpt_hash(vpn, PAGE_SHIFT, mmu_kernel_ssize); + hpteg = ((hash & htab_hash_mask) * HPTES_PER_GROUP); + ++ /* Don't create HPTE entries for bad address */ ++ if (!vsid) ++ return; + ret = ppc_md.hpte_insert(hpteg, vpn, __pa(vaddr), + mode, HPTE_V_BOLTED, + mmu_linear_psize, mmu_kernel_ssize); +diff --git a/arch/powerpc/mm/mmu_context_hash64.c b/arch/powerpc/mm/mmu_context_hash64.c +index 40bc5b0..d1d1b92 100644 +--- a/arch/powerpc/mm/mmu_context_hash64.c ++++ b/arch/powerpc/mm/mmu_context_hash64.c +@@ -29,15 +29,6 @@ + static DEFINE_SPINLOCK(mmu_context_lock); + static DEFINE_IDA(mmu_context_ida); + +-/* +- * 256MB segment +- * The proto-VSID space has 2^(CONTEX_BITS + USER_ESID_BITS) - 1 segments +- * available for user mappings. Each segment contains 2^28 bytes. Each +- * context maps 2^46 bytes (64TB) so we can support 2^19-1 contexts +- * (19 == 37 + 28 - 46). 
+- */ +-#define MAX_CONTEXT ((1UL << CONTEXT_BITS) - 1) +- + int __init_new_context(void) + { + int index; +@@ -56,7 +47,7 @@ again: + else if (err) + return err; + +- if (index > MAX_CONTEXT) { ++ if (index > MAX_USER_CONTEXT) { + spin_lock(&mmu_context_lock); + ida_remove(&mmu_context_ida, index); + spin_unlock(&mmu_context_lock); +diff --git a/arch/powerpc/mm/pgtable_64.c b/arch/powerpc/mm/pgtable_64.c +index e212a27..654258f 100644 +--- a/arch/powerpc/mm/pgtable_64.c ++++ b/arch/powerpc/mm/pgtable_64.c +@@ -61,7 +61,7 @@ + #endif + + #ifdef CONFIG_PPC_STD_MMU_64 +-#if TASK_SIZE_USER64 > (1UL << (USER_ESID_BITS + SID_SHIFT)) ++#if TASK_SIZE_USER64 > (1UL << (ESID_BITS + SID_SHIFT)) + #error TASK_SIZE_USER64 exceeds user VSID range + #endif + #endif +diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S +index 1a16ca2..17aa6df 100644 +--- a/arch/powerpc/mm/slb_low.S ++++ b/arch/powerpc/mm/slb_low.S +@@ -31,10 +31,15 @@ + * No other registers are examined or changed. + */ + _GLOBAL(slb_allocate_realmode) +- /* r3 = faulting address */ ++ /* ++ * check for bad kernel/user address ++ * (ea & ~REGION_MASK) >= PGTABLE_RANGE ++ */ ++ rldicr. r9,r3,4,(63 - 46 - 4) ++ bne- 8f + + srdi r9,r3,60 /* get region */ +- srdi r10,r3,28 /* get esid */ ++ srdi r10,r3,SID_SHIFT /* get esid */ + cmpldi cr7,r9,0xc /* cmp PAGE_OFFSET for later use */ + + /* r3 = address, r10 = esid, cr7 = <> PAGE_OFFSET */ +@@ -56,12 +61,14 @@ _GLOBAL(slb_allocate_realmode) + */ + _GLOBAL(slb_miss_kernel_load_linear) + li r11,0 +- li r9,0x1 + /* +- * for 1T we shift 12 bits more. slb_finish_load_1T will do +- * the necessary adjustment ++ * context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1 ++ * r9 = region id. 
+ */ +- rldimi r10,r9,(CONTEXT_BITS + USER_ESID_BITS),0 ++ addis r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@ha ++ addi r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@l ++ ++ + BEGIN_FTR_SECTION + b slb_finish_load + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT) +@@ -91,24 +98,19 @@ _GLOBAL(slb_miss_kernel_load_vmemmap) + _GLOBAL(slb_miss_kernel_load_io) + li r11,0 + 6: +- li r9,0x1 + /* +- * for 1T we shift 12 bits more. slb_finish_load_1T will do +- * the necessary adjustment ++ * context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1 ++ * r9 = region id. + */ +- rldimi r10,r9,(CONTEXT_BITS + USER_ESID_BITS),0 ++ addis r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@ha ++ addi r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@l ++ + BEGIN_FTR_SECTION + b slb_finish_load + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT) + b slb_finish_load_1T + +-0: /* user address: proto-VSID = context << 15 | ESID. First check +- * if the address is within the boundaries of the user region +- */ +- srdi. r9,r10,USER_ESID_BITS +- bne- 8f /* invalid ea bits set */ +- +- ++0: + /* when using slices, we extract the psize off the slice bitmaps + * and then we need to get the sllp encoding off the mmu_psize_defs + * array. 
+@@ -164,15 +166,13 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT) + ld r9,PACACONTEXTID(r13) + BEGIN_FTR_SECTION + cmpldi r10,0x1000 +-END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT) +- rldimi r10,r9,USER_ESID_BITS,0 +-BEGIN_FTR_SECTION + bge slb_finish_load_1T + END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT) + b slb_finish_load + + 8: /* invalid EA */ + li r10,0 /* BAD_VSID */ ++ li r9,0 /* BAD_VSID */ + li r11,SLB_VSID_USER /* flags don't much matter */ + b slb_finish_load + +@@ -221,8 +221,6 @@ _GLOBAL(slb_allocate_user) + + /* get context to calculate proto-VSID */ + ld r9,PACACONTEXTID(r13) +- rldimi r10,r9,USER_ESID_BITS,0 +- + /* fall through slb_finish_load */ + + #endif /* __DISABLED__ */ +@@ -231,9 +229,10 @@ _GLOBAL(slb_allocate_user) + /* + * Finish loading of an SLB entry and return + * +- * r3 = EA, r10 = proto-VSID, r11 = flags, clobbers r9, cr7 = <> PAGE_OFFSET ++ * r3 = EA, r9 = context, r10 = ESID, r11 = flags, clobbers r9, cr7 = <> PAGE_OFFSET + */ + slb_finish_load: ++ rldimi r10,r9,ESID_BITS,0 + ASM_VSID_SCRAMBLE(r10,r9,256M) + /* + * bits above VSID_BITS_256M need to be ignored from r10 +@@ -298,10 +297,11 @@ _GLOBAL(slb_compare_rr_to_size) + /* + * Finish loading of a 1T SLB entry (for the kernel linear mapping) and return. 
+ * +- * r3 = EA, r10 = proto-VSID, r11 = flags, clobbers r9 ++ * r3 = EA, r9 = context, r10 = ESID(256MB), r11 = flags, clobbers r9 + */ + slb_finish_load_1T: +- srdi r10,r10,40-28 /* get 1T ESID */ ++ srdi r10,r10,(SID_SHIFT_1T - SID_SHIFT) /* get 1T ESID */ ++ rldimi r10,r9,ESID_BITS_1T,0 + ASM_VSID_SCRAMBLE(r10,r9,1T) + /* + * bits above VSID_BITS_1T need to be ignored from r10 +diff --git a/arch/powerpc/mm/tlb_hash64.c b/arch/powerpc/mm/tlb_hash64.c +index 0d82ef5..023ec8a 100644 +--- a/arch/powerpc/mm/tlb_hash64.c ++++ b/arch/powerpc/mm/tlb_hash64.c +@@ -82,11 +82,11 @@ void hpte_need_flush(struct mm_struct *mm, unsigned long addr, + if (!is_kernel_addr(addr)) { + ssize = user_segment_size(addr); + vsid = get_vsid(mm->context.id, addr, ssize); +- WARN_ON(vsid == 0); + } else { + vsid = get_kernel_vsid(addr, mmu_kernel_ssize); + ssize = mmu_kernel_ssize; + } ++ WARN_ON(vsid == 0); + vpn = hpt_vpn(addr, vsid, ssize); + rpte = __real_pte(__pte(pte), ptep); + +diff --git a/arch/s390/include/asm/tlbflush.h b/arch/s390/include/asm/tlbflush.h +index 1d8fe2b..6b32af3 100644 +--- a/arch/s390/include/asm/tlbflush.h ++++ b/arch/s390/include/asm/tlbflush.h +@@ -74,8 +74,6 @@ static inline void __tlb_flush_idte(unsigned long asce) + + static inline void __tlb_flush_mm(struct mm_struct * mm) + { +- if (unlikely(cpumask_empty(mm_cpumask(mm)))) +- return; + /* + * If the machine has IDTE we prefer to do a per mm flush + * on all cpus instead of doing a local flush if the mm +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 5502285..94feff7 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -636,7 +636,8 @@ ENTRY(mcck_int_handler) + UPDATE_VTIME %r14,%r15,__LC_MCCK_ENTER_TIMER + mcck_skip: + SWITCH_ASYNC __LC_GPREGS_SAVE_AREA+32,__LC_PANIC_STACK,PAGE_SHIFT +- mvc __PT_R0(64,%r11),__LC_GPREGS_SAVE_AREA ++ stm %r0,%r7,__PT_R0(%r11) ++ mvc __PT_R8(32,%r11),__LC_GPREGS_SAVE_AREA+32 + stm %r8,%r9,__PT_PSW(%r11) + xc 
__SF_BACKCHAIN(4,%r15),__SF_BACKCHAIN(%r15) + l %r1,BASED(.Ldo_machine_check) +diff --git a/arch/s390/kernel/entry64.S b/arch/s390/kernel/entry64.S +index 6d34e0c..082b845 100644 +--- a/arch/s390/kernel/entry64.S ++++ b/arch/s390/kernel/entry64.S +@@ -678,8 +678,9 @@ ENTRY(mcck_int_handler) + UPDATE_VTIME %r14,__LC_MCCK_ENTER_TIMER + LAST_BREAK %r14 + mcck_skip: +- lghi %r14,__LC_GPREGS_SAVE_AREA +- mvc __PT_R0(128,%r11),0(%r14) ++ lghi %r14,__LC_GPREGS_SAVE_AREA+64 ++ stmg %r0,%r7,__PT_R0(%r11) ++ mvc __PT_R8(64,%r11),0(%r14) + stmg %r8,%r9,__PT_PSW(%r11) + xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15) + lgr %r2,%r11 # pass pointer to pt_regs +diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c +index 826054a..b05a575 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c +@@ -729,3 +729,13 @@ void intel_ds_init(void) + } + } + } ++ ++void perf_restore_debug_store(void) ++{ ++ struct debug_store *ds = __this_cpu_read(cpu_hw_events.ds); ++ ++ if (!x86_pmu.bts && !x86_pmu.pebs) ++ return; ++ ++ wrmsrl(MSR_IA32_DS_AREA, (unsigned long)ds); ++} +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index 120cee1..3c68768 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -11,6 +11,7 @@ + #include <linux/suspend.h> + #include <linux/export.h> + #include <linux/smp.h> ++#include <linux/perf_event.h> + + #include <asm/pgtable.h> + #include <asm/proto.h> +@@ -228,6 +229,7 @@ static void __restore_processor_state(struct saved_context *ctxt) + do_fpu_end(); + x86_platform.restore_sched_clock_state(); + mtrr_bp_restore(); ++ perf_restore_debug_store(); + } + + /* Needed by apm.c */ +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index ae12512..8bc6d39 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1285,11 +1285,9 @@ static int loop_set_capacity(struct loop_device *lo, struct block_device *bdev) + /* the width of sector_t may be 
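Review bot: __restore_processor_state() in arch/x86/power/cpu.c now calls perf_restore_debug_store() unconditionally, while the only definition in this part of the patch sits in perf_event_intel_ds.c. The prototype added to linux/perf_event.h is not visible here, so it is worth confirming that it provides an empty inline for kernels built without the Intel perf code; otherwise the resume path will not link. The new function also has no header comment; something like `/* Reprogram MSR_IA32_DS_AREA from this CPU's debug_store pointer on resume. */` would help. The `__this_cpu_read()` could also move below the bts/pebs test so nothing is read on CPUs that return early.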
narrow for bit-shift */ + sz = sec; + sz <<= 9; +- mutex_lock(&bdev->bd_mutex); + bd_set_size(bdev, sz); + /* let user-space know about the new size */ + kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); +- mutex_unlock(&bdev->bd_mutex); + + out: + return err; +@@ -1858,11 +1856,15 @@ static int __init loop_init(void) + max_part = (1UL << part_shift) - 1; + } + +- if ((1UL << part_shift) > DISK_MAX_PARTS) +- return -EINVAL; ++ if ((1UL << part_shift) > DISK_MAX_PARTS) { ++ err = -EINVAL; ++ goto misc_out; ++ } + +- if (max_loop > 1UL << (MINORBITS - part_shift)) +- return -EINVAL; ++ if (max_loop > 1UL << (MINORBITS - part_shift)) { ++ err = -EINVAL; ++ goto misc_out; ++ } + + /* + * If max_loop is specified, create that many devices upfront. +@@ -1880,8 +1882,10 @@ static int __init loop_init(void) + range = 1UL << MINORBITS; + } + +- if (register_blkdev(LOOP_MAJOR, "loop")) +- return -EIO; ++ if (register_blkdev(LOOP_MAJOR, "loop")) { ++ err = -EIO; ++ goto misc_out; ++ } + + blk_register_region(MKDEV(LOOP_MAJOR, 0), range, + THIS_MODULE, loop_probe, NULL, NULL); +@@ -1894,6 +1898,10 @@ static int __init loop_init(void) + + printk(KERN_INFO "loop: module loaded\n"); + return 0; ++ ++misc_out: ++ misc_deregister(&loop_misc); ++ return err; + } + + static int loop_exit_cb(int id, void *ptr, void *data) +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index b65c103..1acc4e0 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -92,14 +92,22 @@ static int probe_common(struct virtio_device *vdev) + { + int err; + ++ if (vq) { ++ /* We only support one device for now */ ++ return -EBUSY; ++ } + /* We expect a single virtqueue. 
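Review bot: loop_set_capacity() in drivers/block/loop.c now calls bd_set_size() and sends the KOBJ_CHANGE uevent without holding `bdev->bd_mutex`, and nothing in the hunk records what now serializes the size update against other users of the block device. If the lock was dropped to avoid a lock-ordering problem (inferred; the upstream changelog is not on this page), the reason should be stated at the call. A comment such as `/* bd_mutex is not taken here on purpose: <lock-order reason from the changelog> */` would stop a later cleanup from putting it back. The function starts outside the hunk, so the locks held on entry could not be checked.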
*/ + vq = virtio_find_single_vq(vdev, random_recv_done, "input"); +- if (IS_ERR(vq)) +- return PTR_ERR(vq); ++ if (IS_ERR(vq)) { ++ err = PTR_ERR(vq); ++ vq = NULL; ++ return err; ++ } + + err = hwrng_register(&virtio_hwrng); + if (err) { + vdev->config->del_vqs(vdev); ++ vq = NULL; + return err; + } + +@@ -112,6 +120,7 @@ static void remove_common(struct virtio_device *vdev) + busy = false; + hwrng_unregister(&virtio_hwrng); + vdev->config->del_vqs(vdev); ++ vq = NULL; + } + + static int virtrng_probe(struct virtio_device *vdev) +diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c +index 5206f24..99daa89 100644 +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -1297,21 +1297,19 @@ static int i915_load_modeset_init(struct drm_device *dev) + if (ret) + goto cleanup_vga_switcheroo; + +- ret = drm_irq_install(dev); +- if (ret) +- goto cleanup_gem_stolen; +- +- /* Important: The output setup functions called by modeset_init need +- * working irqs for e.g. gmbus and dp aux transfers. */ + intel_modeset_init(dev); + + ret = i915_gem_init(dev); + if (ret) +- goto cleanup_irq; ++ goto cleanup_gem_stolen; ++ ++ intel_modeset_gem_init(dev); + + INIT_WORK(&dev_priv->console_resume_work, intel_console_resume); + +- intel_modeset_gem_init(dev); ++ ret = drm_irq_install(dev); ++ if (ret) ++ goto cleanup_gem; + + /* Always safe in the mode setting case. */ + /* FIXME: do pre/post-mode set stuff in core KMS code */ +@@ -1319,10 +1317,7 @@ static int i915_load_modeset_init(struct drm_device *dev) + + ret = intel_fbdev_init(dev); + if (ret) +- goto cleanup_gem; +- +- /* Only enable hotplug handling once the fbdev is fully set up. 
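Review bot: probe_common() in drivers/char/hw_random/virtio-rng.c tests and then assigns the file-scope `vq` with no lock in view, so the new single-device guard depends on probes never overlapping. If the bus can probe two virtio-rng devices at the same time, both could pass `if (vq)`, and the second assignment would replace the first queue while `virtio_hwrng` is registered. Either state the assumption next to the check, `/* relies on probe/remove being serialized; vq has no lock of its own */`, or take a driver-private mutex. The mutex would cover the test, the virtio_find_single_vq() call and the `vq = NULL` resets in the error paths and in remove_common().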
*/ +- dev_priv->enable_hotplug_processing = true; ++ goto cleanup_irq; + + drm_kms_helper_poll_init(dev); + +@@ -1331,13 +1326,13 @@ static int i915_load_modeset_init(struct drm_device *dev) + + return 0; + ++cleanup_irq: ++ drm_irq_uninstall(dev); + cleanup_gem: + mutex_lock(&dev->struct_mutex); + i915_gem_cleanup_ringbuffer(dev); + mutex_unlock(&dev->struct_mutex); + i915_gem_cleanup_aliasing_ppgtt(dev); +-cleanup_irq: +- drm_irq_uninstall(dev); + cleanup_gem_stolen: + i915_gem_cleanup_stolen(dev); + cleanup_vga_switcheroo: +diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c +index fb6454c..79f5fc5 100644 +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -486,7 +486,6 @@ static int i915_drm_freeze(struct drm_device *dev) + intel_modeset_disable(dev); + + drm_irq_uninstall(dev); +- dev_priv->enable_hotplug_processing = false; + } + + i915_save_state(dev); +@@ -563,19 +562,9 @@ static int __i915_drm_thaw(struct drm_device *dev) + error = i915_gem_init_hw(dev); + mutex_unlock(&dev->struct_mutex); + +- /* We need working interrupts for modeset enabling ... */ +- drm_irq_install(dev); +- + intel_modeset_init_hw(dev); + intel_modeset_setup_hw_state(dev, false); +- +- /* +- * ... but also need to make sure that hotplug processing +- * doesn't cause havoc. Like in the driver load code we don't +- * bother with the tiny race here where we might loose hotplug +- * notifications. 
+- * */ +- dev_priv->enable_hotplug_processing = true; ++ drm_irq_install(dev); + } + + intel_opregion_init(dev); +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 66ad64f..7339a4b 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -672,7 +672,6 @@ typedef struct drm_i915_private { + + u32 hotplug_supported_mask; + struct work_struct hotplug_work; +- bool enable_hotplug_processing; + + int num_pipe; + int num_pch_pll; +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index 3c00403..fe84338 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -287,10 +287,6 @@ static void i915_hotplug_work_func(struct work_struct *work) + struct drm_mode_config *mode_config = &dev->mode_config; + struct intel_encoder *encoder; + +- /* HPD irq before everything is fully set up. */ +- if (!dev_priv->enable_hotplug_processing) +- return; +- + mutex_lock(&mode_config->mutex); + DRM_DEBUG_KMS("running encoder hotplug functions\n"); + +diff --git a/drivers/hwmon/lineage-pem.c b/drivers/hwmon/lineage-pem.c +index 41df29f..ebbb9f4 100644 +--- a/drivers/hwmon/lineage-pem.c ++++ b/drivers/hwmon/lineage-pem.c +@@ -422,6 +422,7 @@ static struct attribute *pem_input_attributes[] = { + &sensor_dev_attr_in2_input.dev_attr.attr, + &sensor_dev_attr_curr1_input.dev_attr.attr, + &sensor_dev_attr_power1_input.dev_attr.attr, ++ NULL + }; + + static const struct attribute_group pem_input_group = { +@@ -432,6 +433,7 @@ static struct attribute *pem_fan_attributes[] = { + &sensor_dev_attr_fan1_input.dev_attr.attr, + &sensor_dev_attr_fan2_input.dev_attr.attr, + &sensor_dev_attr_fan3_input.dev_attr.attr, ++ NULL + }; + + static const struct attribute_group pem_fan_group = { +diff --git a/drivers/hwmon/pmbus/ltc2978.c b/drivers/hwmon/pmbus/ltc2978.c +index a58de38..6d61307 100644 +--- a/drivers/hwmon/pmbus/ltc2978.c ++++ b/drivers/hwmon/pmbus/ltc2978.c +@@ -59,7 +59,7 @@ 
enum chips { ltc2978, ltc3880 };
+ struct ltc2978_data {
+ enum chips id;
+ int vin_min, vin_max;
+- int temp_min, temp_max;
++ int temp_min, temp_max[2];
+ int vout_min[8], vout_max[8];
+ int iout_max[2];
+ int temp2_max;
+@@ -113,9 +113,10 @@ static int ltc2978_read_word_data_common(struct i2c_client *client, int page,
+ ret = pmbus_read_word_data(client, page,
+ LTC2978_MFR_TEMPERATURE_PEAK);
+ if (ret >= 0) {
+- if (lin11_to_val(ret) > lin11_to_val(data->temp_max))
+- data->temp_max = ret;
+- ret = data->temp_max;
++ if (lin11_to_val(ret)
++ > lin11_to_val(data->temp_max[page]))
++ data->temp_max[page] = ret;
++ ret = data->temp_max[page];
+ }
+ break;
+ case PMBUS_VIRT_RESET_VOUT_HISTORY:
+@@ -266,7 +267,7 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page,
+ break;
+ case PMBUS_VIRT_RESET_TEMP_HISTORY:
+ data->temp_min = 0x7bff;
+- data->temp_max = 0x7c00;
++ data->temp_max[page] = 0x7c00;
+ ret = ltc2978_clear_peaks(client, page, data->id);
+ break;
+ default:
+@@ -323,7 +324,8 @@ static int ltc2978_probe(struct i2c_client *client,
+ data->vin_min = 0x7bff;
+ data->vin_max = 0x7c00;
+ data->temp_min = 0x7bff;
+- data->temp_max = 0x7c00;
++ for (i = 0; i < ARRAY_SIZE(data->temp_max); i++)
++ data->temp_max[i] = 0x7c00;
+ data->temp2_max = 0x7c00;
+
+ switch (data->id) {
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index 3766682..db04f53 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -1527,6 +1527,14 @@ static int nand_do_read_ops(struct mtd_info *mtd, loff_t from,
+ oobreadlen -= toread;
+ }
+ }
++
++ if (chip->options & NAND_NEED_READRDY) {
++ /* Apply delay or wait for ready/busy pin */
++ if (!chip->dev_ready)
++ udelay(chip->chip_delay);
++ else
++ nand_wait_ready(mtd);
++ }
+ } else {
+ memcpy(buf, chip->buffers->databuf + col, bytes);
+ buf += bytes;
+@@ -1791,6 +1799,14 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
+ len = min(len, readlen);
+
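Review bot: `data->temp_max[page]` is indexed by the caller-supplied `page` with no bound, while the array is declared `temp_max[2]` in a struct whose neighbouring `vout_min[8]`/`vout_max[8]` show that some chips have up to eight pages. In the `PMBUS_VIRT_RESET_TEMP_HISTORY` hunk of ltc2978_write_word_data the same index is used for a store, so a page of 2 or more would write past the array into the adjacent fields unless the pmbus core only issues temperature accesses for pages 0 and 1, which these hunks do not show. Either guard both sites with `if (page >= ARRAY_SIZE(data->temp_max)) return -ENXIO;` or record the invariant at the field, e.g. `/* indexed by page; only pages 0-1 report temperature */`. Both functions start and end outside their hunks.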
buf = nand_transfer_oob(chip, buf, ops, len);
+
++ if (chip->options & NAND_NEED_READRDY) {
++ /* Apply delay or wait for ready/busy pin */
++ if (!chip->dev_ready)
++ udelay(chip->chip_delay);
++ else
++ nand_wait_ready(mtd);
++ }
++
+ readlen -= len;
+ if (!readlen)
+ break;
+diff --git a/drivers/mtd/nand/nand_ids.c b/drivers/mtd/nand/nand_ids.c
+index e3aa274..9c61238 100644
+--- a/drivers/mtd/nand/nand_ids.c
++++ b/drivers/mtd/nand/nand_ids.c
+@@ -22,49 +22,51 @@
+ * 512 512 Byte page size
+ */
+ struct nand_flash_dev nand_flash_ids[] = {
++#define SP_OPTIONS NAND_NEED_READRDY
++#define SP_OPTIONS16 (SP_OPTIONS | NAND_BUSWIDTH_16)
+
+ #ifdef CONFIG_MTD_NAND_MUSEUM_IDS
+- {"NAND 1MiB 5V 8-bit", 0x6e, 256, 1, 0x1000, 0},
+- {"NAND 2MiB 5V 8-bit", 0x64, 256, 2, 0x1000, 0},
+- {"NAND 4MiB 5V 8-bit", 0x6b, 512, 4, 0x2000, 0},
+- {"NAND 1MiB 3,3V 8-bit", 0xe8, 256, 1, 0x1000, 0},
+- {"NAND 1MiB 3,3V 8-bit", 0xec, 256, 1, 0x1000, 0},
+- {"NAND 2MiB 3,3V 8-bit", 0xea, 256, 2, 0x1000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xd5, 512, 4, 0x2000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xe3, 512, 4, 0x2000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xe5, 512, 4, 0x2000, 0},
+- {"NAND 8MiB 3,3V 8-bit", 0xd6, 512, 8, 0x2000, 0},
+-
+- {"NAND 8MiB 1,8V 8-bit", 0x39, 512, 8, 0x2000, 0},
+- {"NAND 8MiB 3,3V 8-bit", 0xe6, 512, 8, 0x2000, 0},
+- {"NAND 8MiB 1,8V 16-bit", 0x49, 512, 8, 0x2000, NAND_BUSWIDTH_16},
+- {"NAND 8MiB 3,3V 16-bit", 0x59, 512, 8, 0x2000, NAND_BUSWIDTH_16},
++ {"NAND 1MiB 5V 8-bit", 0x6e, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 2MiB 5V 8-bit", 0x64, 256, 2, 0x1000, SP_OPTIONS},
++ {"NAND 4MiB 5V 8-bit", 0x6b, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 1MiB 3,3V 8-bit", 0xe8, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 1MiB 3,3V 8-bit", 0xec, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 2MiB 3,3V 8-bit", 0xea, 256, 2, 0x1000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xd5, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xe3, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xe5,
512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 3,3V 8-bit", 0xd6, 512, 8, 0x2000, SP_OPTIONS},
++
++ {"NAND 8MiB 1,8V 8-bit", 0x39, 512, 8, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 3,3V 8-bit", 0xe6, 512, 8, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 1,8V 16-bit", 0x49, 512, 8, 0x2000, SP_OPTIONS16},
++ {"NAND 8MiB 3,3V 16-bit", 0x59, 512, 8, 0x2000, SP_OPTIONS16},
+ #endif
+
+- {"NAND 16MiB 1,8V 8-bit", 0x33, 512, 16, 0x4000, 0},
+- {"NAND 16MiB 3,3V 8-bit", 0x73, 512, 16, 0x4000, 0},
+- {"NAND 16MiB 1,8V 16-bit", 0x43, 512, 16, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 16MiB 3,3V 16-bit", 0x53, 512, 16, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 32MiB 1,8V 8-bit", 0x35, 512, 32, 0x4000, 0},
+- {"NAND 32MiB 3,3V 8-bit", 0x75, 512, 32, 0x4000, 0},
+- {"NAND 32MiB 1,8V 16-bit", 0x45, 512, 32, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 32MiB 3,3V 16-bit", 0x55, 512, 32, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 64MiB 1,8V 8-bit", 0x36, 512, 64, 0x4000, 0},
+- {"NAND 64MiB 3,3V 8-bit", 0x76, 512, 64, 0x4000, 0},
+- {"NAND 64MiB 1,8V 16-bit", 0x46, 512, 64, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 64MiB 3,3V 16-bit", 0x56, 512, 64, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 128MiB 1,8V 8-bit", 0x78, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 1,8V 8-bit", 0x39, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 3,3V 8-bit", 0x79, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 1,8V 16-bit", 0x72, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 1,8V 16-bit", 0x49, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 3,3V 16-bit", 0x74, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 3,3V 16-bit", 0x59, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 256MiB 3,3V 8-bit", 0x71, 512, 256, 0x4000, 0},
++ {"NAND 16MiB 1,8V 8-bit", 0x33, 512, 16, 0x4000, SP_OPTIONS},
++ {"NAND 16MiB 3,3V 8-bit", 0x73, 512, 16, 0x4000, SP_OPTIONS},
++ {"NAND 16MiB 1,8V 16-bit", 0x43, 512, 16, 0x4000, SP_OPTIONS16},
++ {"NAND 16MiB 3,3V 16-bit", 0x53, 512, 16, 0x4000, SP_OPTIONS16},
++
++ {"NAND 32MiB 1,8V 8-bit", 0x35, 512, 32, 0x4000,
SP_OPTIONS},
++ {"NAND 32MiB 3,3V 8-bit", 0x75, 512, 32, 0x4000, SP_OPTIONS},
++ {"NAND 32MiB 1,8V 16-bit", 0x45, 512, 32, 0x4000, SP_OPTIONS16},
++ {"NAND 32MiB 3,3V 16-bit", 0x55, 512, 32, 0x4000, SP_OPTIONS16},
++
++ {"NAND 64MiB 1,8V 8-bit", 0x36, 512, 64, 0x4000, SP_OPTIONS},
++ {"NAND 64MiB 3,3V 8-bit", 0x76, 512, 64, 0x4000, SP_OPTIONS},
++ {"NAND 64MiB 1,8V 16-bit", 0x46, 512, 64, 0x4000, SP_OPTIONS16},
++ {"NAND 64MiB 3,3V 16-bit", 0x56, 512, 64, 0x4000, SP_OPTIONS16},
++
++ {"NAND 128MiB 1,8V 8-bit", 0x78, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 1,8V 8-bit", 0x39, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 3,3V 8-bit", 0x79, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 1,8V 16-bit", 0x72, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 1,8V 16-bit", 0x49, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 3,3V 16-bit", 0x74, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 3,3V 16-bit", 0x59, 512, 128, 0x4000, SP_OPTIONS16},
++
++ {"NAND 256MiB 3,3V 8-bit", 0x71, 512, 256, 0x4000, SP_OPTIONS},
+
+ /*
+ * These are the new chips with large page size.
The pagesize and the
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b7d45f3..a079da17 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1943,7 +1943,6 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
+ }
+
+ block_netpoll_tx();
+- call_netdevice_notifiers(NETDEV_RELEASE, bond_dev);
+ write_lock_bh(&bond->lock);
+
+ slave = bond_get_slave_by_dev(bond, slave_dev);
+@@ -2047,8 +2046,10 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
+ write_unlock_bh(&bond->lock);
+ unblock_netpoll_tx();
+
+- if (bond->slave_cnt == 0)
++ if (bond->slave_cnt == 0) {
+ call_netdevice_notifiers(NETDEV_CHANGEADDR, bond->dev);
++ call_netdevice_notifiers(NETDEV_RELEASE, bond->dev);
++ }
+
+ bond_compute_features(bond);
+ if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) &&
+diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+index 0035c01..bfcb8bc 100644
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -2075,7 +2075,7 @@ static int atl1c_tx_map(struct atl1c_adapter *adapter,
+ if (unlikely(pci_dma_mapping_error(adapter->pdev,
+ buffer_info->dma)))
+ goto err_dma;
+-
++ ATL1C_SET_BUFFER_STATE(buffer_info, ATL1C_BUFFER_BUSY);
+ ATL1C_SET_PCIMAP_TYPE(buffer_info, ATL1C_PCIMAP_SINGLE,
+ ATL1C_PCIMAP_TODEVICE);
+ mapped_len += map_len;
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+index 88291bb..bf3f4bc 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -1434,12 +1434,11 @@ int mlx4_en_alloc_resources(struct mlx4_en_priv *priv)
+ }
+
+ #ifdef CONFIG_RFS_ACCEL
+- priv->dev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->mdev->dev->caps.comp_pool);
+- if (!priv->dev->rx_cpu_rmap)
+- goto err;
+-
+-
INIT_LIST_HEAD(&priv->filters);
+- spin_lock_init(&priv->filters_lock);
++ if (priv->mdev->dev->caps.comp_pool) {
++ priv->dev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->mdev->dev->caps.comp_pool);
++ if (!priv->dev->rx_cpu_rmap)
++ goto err;
++ }
+ #endif
+
+ return 0;
+@@ -1634,6 +1633,11 @@ int mlx4_en_init_netdev(struct mlx4_en_dev *mdev, int port,
+ if (err)
+ goto out;
+
++#ifdef CONFIG_RFS_ACCEL
++ INIT_LIST_HEAD(&priv->filters);
++ spin_lock_init(&priv->filters_lock);
++#endif
++
+ /* Allocate page for receive rings */
+ err = mlx4_alloc_hwq_res(mdev->dev, &priv->res,
+ MLX4_EN_PAGE_SIZE, MLX4_EN_PAGE_SIZE);
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index d3fb97d..e5cb723 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -628,6 +628,7 @@ void macvlan_common_setup(struct net_device *dev)
+ ether_setup(dev);
+
+ dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING);
++ dev->priv_flags |= IFF_UNICAST_FLT;
+ dev->netdev_ops = &macvlan_netdev_ops;
+ dev->destructor = free_netdev;
+ dev->header_ops = &macvlan_hard_header_ops,
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index ad86660..8efe47a 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1139,6 +1139,8 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
+ netdev_set_master(port_dev, NULL);
+ team_port_disable_netpoll(port);
+ vlan_vids_del_by_dev(port_dev, dev);
++ dev_uc_unsync(port_dev, dev);
++ dev_mc_unsync(port_dev, dev);
+ dev_close(port_dev);
+ team_port_leave(team, port);
+ team_port_set_orig_dev_addr(port);
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 2917a86..cb95fe5 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -748,6 +748,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
+ goto drop;
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);
+
+diff --git
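Review bot: The added `nf_reset(skb)` in tun_net_xmit carries no comment, and its purpose is not evident from the surrounding lines. The skb is queued on the socket receive queue right after, where it can wait until userspace reads it, so the call is presumably there to drop netfilter (conntrack) references before the packet is parked. I would say so in place, e.g. `/* drop netfilter state: skb may sit in the receive queue until userspace reads it */`. tun_net_xmit starts and ends outside the hunk.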
a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 656230e..6993bfa 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1491,6 +1491,15 @@ static __net_init int vxlan_init_net(struct net *net)
+ static __net_exit void vxlan_exit_net(struct net *net)
+ {
+ struct vxlan_net *vn = net_generic(net, vxlan_net_id);
++ struct vxlan_dev *vxlan;
++ struct hlist_node *pos;
++ unsigned h;
++
++ rtnl_lock();
++ for (h = 0; h < VNI_HASH_SIZE; ++h)
++ hlist_for_each_entry(vxlan, pos, &vn->vni_list[h], hlist)
++ dev_close(vxlan->dev);
++ rtnl_unlock();
+
+ if (vn->sock) {
+ sk_release_kernel(vn->sock->sk);
+diff --git a/drivers/staging/comedi/drivers/dt9812.c b/drivers/staging/comedi/drivers/dt9812.c
+index 1767998..3e7f961 100644
+--- a/drivers/staging/comedi/drivers/dt9812.c
++++ b/drivers/staging/comedi/drivers/dt9812.c
+@@ -948,12 +948,13 @@ static int dt9812_di_rinsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+ u8 bits = 0;
+
+ dt9812_digital_in(devpriv->slot, &bits);
+ for (n = 0; n < insn->n; n++)
+- data[n] = ((1 << insn->chanspec) & bits) != 0;
++ data[n] = ((1 << channel) & bits) != 0;
+ return n;
+ }
+
+@@ -962,12 +963,13 @@ static int dt9812_do_winsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+ u8 bits = 0;
+
+ dt9812_digital_out_shadow(devpriv->slot, &bits);
+ for (n = 0; n < insn->n; n++) {
+- u8 mask = 1 << insn->chanspec;
++ u8 mask = 1 << channel;
+
+ bits &= ~mask;
+ if (data[n])
+@@ -982,13 +984,13 @@ static int dt9812_ai_rinsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+
+ for (n = 0; n < insn->n; n++) {
+ u16 value = 0;
+
+- dt9812_analog_in(devpriv->slot, insn->chanspec, &value,
+-
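Review bot: `1 << channel` in dt9812_di_rinsn shifts by a value taken from `insn->chanspec` with no range check visible in the hunk, and the same expression feeds `u8 mask` in the dt9812_do_winsn hunk. As far as these hunks show, CR_CHAN() does not limit the channel to the eight bits held in `bits`. A channel of 8 or more therefore gives a zero mask after truncation, and a shift count of 32 or more is undefined. If the comedi core does not already reject channels beyond the subdevice's channel count, add `if (channel >= 8) return -EINVAL;` before the loop in both functions, and prefer `1U << channel` either way.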
++ dt9812_analog_in(devpriv->slot, channel, &value, DT9812_GAIN_1); + data[n] = value; + } + return n; +@@ -999,12 +1001,13 @@ static int dt9812_ao_rinsn(struct comedi_device *dev, + unsigned int *data) + { + struct comedi_dt9812 *devpriv = dev->private; ++ unsigned int channel = CR_CHAN(insn->chanspec); + int n; + u16 value; + + for (n = 0; n < insn->n; n++) { + value = 0; +- dt9812_analog_out_shadow(devpriv->slot, insn->chanspec, &value); ++ dt9812_analog_out_shadow(devpriv->slot, channel, &value); + data[n] = value; + } + return n; +@@ -1015,10 +1018,11 @@ static int dt9812_ao_winsn(struct comedi_device *dev, + unsigned int *data) + { + struct comedi_dt9812 *devpriv = dev->private; ++ unsigned int channel = CR_CHAN(insn->chanspec); + int n; + + for (n = 0; n < insn->n; n++) +- dt9812_analog_out(devpriv->slot, insn->chanspec, data[n]); ++ dt9812_analog_out(devpriv->slot, channel, data[n]); + return n; + } + +diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c +index f33086d..f726970 100644 +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -644,8 +644,6 @@ static int vt6656_suspend(struct usb_interface *intf, pm_message_t message) + if (device->flags & DEVICE_FLAGS_OPENED) + device_close(device->dev); + +- usb_put_dev(interface_to_usbdev(intf)); +- + return 0; + } + +@@ -656,8 +654,6 @@ static int vt6656_resume(struct usb_interface *intf) + if (!device || !device->dev) + return -ENODEV; + +- usb_get_dev(interface_to_usbdev(intf)); +- + if (!(device->flags & DEVICE_FLAGS_OPENED)) + device_open(device->dev); + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 79ff3a5..ac35c90 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -47,7 +47,6 @@ static void pty_close(struct tty_struct *tty, struct file *filp) + /* Review - krefs on tty_link ?? 
*/
+ if (!tty->link)
+ return;
+- tty->link->packet = 0;
+ set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
+ wake_up_interruptible(&tty->link->read_wait);
+ wake_up_interruptible(&tty->link->write_wait);
+diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
+index f932043..733f22c 100644
+--- a/drivers/tty/serial/8250/8250.c
++++ b/drivers/tty/serial/8250/8250.c
+@@ -308,7 +308,28 @@ static const struct serial8250_config uart_config[] = {
+ },
+ [PORT_8250_CIR] = {
+ .name = "CIR port"
+- }
++ },
++ [PORT_ALTR_16550_F32] = {
++ .name = "Altera 16550 FIFO32",
++ .fifo_size = 32,
++ .tx_loadsz = 32,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
++ [PORT_ALTR_16550_F64] = {
++ .name = "Altera 16550 FIFO64",
++ .fifo_size = 64,
++ .tx_loadsz = 64,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
++ [PORT_ALTR_16550_F128] = {
++ .name = "Altera 16550 FIFO128",
++ .fifo_size = 128,
++ .tx_loadsz = 128,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
+ };
+
+ /* Uart divisor latch read */
+@@ -3430,3 +3451,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
+ MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
+ #endif
+ MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
++
++#ifndef MODULE
++/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name
++ * working as well for the module options so we don't break people. We
++ * need to keep the names identical and the convenient macros will happily
++ * refuse to let us do that by failing the build with redefinition errors
++ * of global variables. So we stick them inside a dummy function to avoid
++ * those conflicts. The options still get parsed, and the redefined
++ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
++ *
++ * This is hacky. I'm sorry.
++ */
++static void __used s8250_options(void)
++{
++#undef MODULE_PARAM_PREFIX
++#define MODULE_PARAM_PREFIX "8250."
++
++ module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644);
++ module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644);
++ module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644);
++#ifdef CONFIG_SERIAL_8250_RSA
++ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
++ ¶m_array_ops, .arr = &__param_arr_probe_rsa,
++ 0444, -1);
++#endif
++}
++#else
++MODULE_ALIAS("8250");
++#endif
+diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
+index a27a98e..5cdb092 100644
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1321,6 +1321,7 @@ pci_wch_ch353_setup(struct serial_private *priv,
+
+ /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
++#define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
+
+ /*
+ * Master list of serial port init/setup/exit quirks.
+@@ -1592,15 +1593,6 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = {
+ },
+ {
+ .vendor = PCI_VENDOR_ID_PLX,
+- .device = PCI_DEVICE_ID_PLX_9050,
+- .subvendor = PCI_VENDOR_ID_PLX,
+- .subdevice = PCI_SUBDEVICE_ID_UNKNOWN_0x1584,
+- .init = pci_plx9050_init,
+- .setup = pci_default_setup,
+- .exit = pci_plx9050_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_PLX,
+ .device = PCI_DEVICE_ID_PLX_ROMULUS,
+ .subvendor = PCI_VENDOR_ID_PLX,
+ .subdevice = PCI_DEVICE_ID_PLX_ROMULUS,
+@@ -3456,7 +3448,12 @@ static struct pci_device_id serial_pci_tbl[] = {
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
+ PCI_VENDOR_ID_PLX,
+ PCI_SUBDEVICE_ID_UNKNOWN_0x1584, 0, 0,
+- pbn_b0_4_115200 },
++ pbn_b2_4_115200 },
++ /* Unknown card - subdevice 0x1588 */
++ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
++ PCI_VENDOR_ID_PLX,
++ PCI_SUBDEVICE_ID_UNKNOWN_0x1588, 0, 0,
++ pbn_b2_8_115200 },
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
+ PCI_SUBVENDOR_ID_KEYSPAN,
+ PCI_SUBDEVICE_ID_KEYSPAN_SX2, 0, 0,
+@@ -4449,6 +4446,10 @@ static struct pci_device_id serial_pci_tbl[] = {
+ PCI_VENDOR_ID_IBM, 0x0299,
+ 0, 0, pbn_b0_bt_2_115200 },
+
++ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
++ 0x1000, 0x0012,
++ 0, 0, pbn_b0_bt_2_115200 },
++
+ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
+diff --git a/drivers/tty/serial/8250/8250_pnp.c b/drivers/tty/serial/8250/8250_pnp.c
+index 35d9ab9..b3455a9 100644
+--- a/drivers/tty/serial/8250/8250_pnp.c
++++ b/drivers/tty/serial/8250/8250_pnp.c
+@@ -429,6 +429,7 @@ serial_pnp_probe(struct pnp_dev *dev, const struct pnp_device_id *dev_id)
+ {
+ struct uart_8250_port uart;
+ int ret, line, flags = dev_id->driver_data;
++ struct resource *res = NULL;
+
+ if (flags & UNKNOWN_DEV) {
+ ret = serial_pnp_guess_board(dev);
+@@ -439,11 +440,12 @@ serial_pnp_probe(struct pnp_dev *dev, const struct pnp_device_id *dev_id)
+ memset(&uart, 0, sizeof(uart));
+ if (pnp_irq_valid(dev, 0))
+
uart.port.irq = pnp_irq(dev, 0);
+- if ((flags & CIR_PORT) && pnp_port_valid(dev, 2)) {
+- uart.port.iobase = pnp_port_start(dev, 2);
+- uart.port.iotype = UPIO_PORT;
+- } else if (pnp_port_valid(dev, 0)) {
+- uart.port.iobase = pnp_port_start(dev, 0);
++ if ((flags & CIR_PORT) && pnp_port_valid(dev, 2))
++ res = pnp_get_resource(dev, IORESOURCE_IO, 2);
++ else if (pnp_port_valid(dev, 0))
++ res = pnp_get_resource(dev, IORESOURCE_IO, 0);
++ if (pnp_resource_enabled(res)) {
++ uart.port.iobase = res->start;
+ uart.port.iotype = UPIO_PORT;
+ } else if (pnp_mem_valid(dev, 0)) {
+ uart.port.mapbase = pnp_mem_start(dev, 0);
+diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
+index 59c23d0..02e706e 100644
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -209,14 +209,14 @@ config SERIAL_SAMSUNG
+ config SERIAL_SAMSUNG_UARTS_4
+ bool
+ depends on PLAT_SAMSUNG
+- default y if !(CPU_S3C2410 || SERIAL_S3C2412 || CPU_S3C2440 || CPU_S3C2442)
++ default y if !(CPU_S3C2410 || CPU_S3C2412 || CPU_S3C2440 || CPU_S3C2442)
+ help
+ Internal node for the common case of 4 Samsung compatible UARTs
+
+ config SERIAL_SAMSUNG_UARTS
+ int
+ depends on PLAT_SAMSUNG
+- default 6 if ARCH_S5P6450
++ default 6 if CPU_S5P6450
+ default 4 if SERIAL_SAMSUNG_UARTS_4 || CPU_S3C2416
+ default 3
+ help
+diff --git a/drivers/tty/serial/of_serial.c b/drivers/tty/serial/of_serial.c
+index e7cae1c..3490629 100644
+--- a/drivers/tty/serial/of_serial.c
++++ b/drivers/tty/serial/of_serial.c
+@@ -240,6 +240,12 @@ static struct of_device_id of_platform_serial_table[] = {
+ { .compatible = "ns16850", .data = (void *)PORT_16850, },
+ { .compatible = "nvidia,tegra20-uart", .data = (void *)PORT_TEGRA, },
+ { .compatible = "nxp,lpc3220-uart", .data = (void *)PORT_LPC3220, },
++ { .compatible = "altr,16550-FIFO32",
++ .data = (void *)PORT_ALTR_16550_F32, },
++ { .compatible = "altr,16550-FIFO64",
++ .data = (void *)PORT_ALTR_16550_F64, },
++ { .compatible =
"altr,16550-FIFO128",
++ .data = (void *)PORT_ALTR_16550_F128, },
+ #ifdef CONFIG_SERIAL_OF_PLATFORM_NWPSERIAL
+ { .compatible = "ibm,qpace-nwp-serial",
+ .data = (void *)PORT_NWPSERIAL, },
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 45d9161..cd1f861 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -473,7 +473,7 @@ static void flush_to_ldisc(struct work_struct *work)
+ struct tty_ldisc *disc;
+
+ tty = port->itty;
+- if (WARN_RATELIMIT(tty == NULL, "tty is NULL\n"))
++ if (tty == NULL)
+ return;
+
+ disc = tty_ldisc_ref(tty);
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 5f0cb41..122d056 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
+ #define WDM_RESETTING 9
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -435,6 +445,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++
goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -478,6 +493,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 3a4004a..f00c749 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -575,6 +575,7 @@ static int dwc3_remove(struct platform_device *pdev)
+ break;
+ }
+
++ dwc3_free_event_buffers(dwc);
+ dwc3_core_exit(dwc);
+
+ return 0;
+diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
+index fd252f0..eda2cf4 100644
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -135,7 +135,7 @@ qh_refresh (struct ehci_hcd *ehci, struct ehci_qh *qh)
+ * qtd is updated in qh_completions(). Update the QH
+ * overlay here.
+ */
+- if (cpu_to_hc32(ehci, qtd->qtd_dma) == qh->hw->hw_current) {
++ if (qh->hw->hw_token & ACTIVE_BIT(ehci)) {
+ qh->hw->hw_qtd_next = qtd->hw_next;
+ qtd = NULL;
+ }
+@@ -449,11 +449,19 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh)
+ else if (last_status == -EINPROGRESS && !urb->unlinked)
+ continue;
+
+- /* qh unlinked; token in overlay may be most current */
+- if (state == QH_STATE_IDLE
+- && cpu_to_hc32(ehci, qtd->qtd_dma)
+- == hw->hw_current) {
++ /*
++ * If this was the active qtd when the qh was unlinked
++ * and the overlay's token is active, then the overlay
++ * hasn't been written back to the qtd yet so use its
++ * token instead of the qtd's.
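Review bot: The overflow check added to the read path (the `@@ -435,6 +445,11 @@` hunk) tests and clears WDM_OVERFLOW in two steps, while wdm_in_callback sets the bit from completion context; `if (test_and_clear_bit(WDM_OVERFLOW, &desc->flags)) {` does the same in one atomic operation and reads more clearly. The -ENOBUFS return also leaves whatever was copied into `desc->ubuf` before the overflow in place, so the next read presumably returns a message with a gap and no further indication; if that is intended, a comment such as `/* data received while in overflow was dropped; earlier data stays readable */` should say so. In the wdm_in_callback hunk the overflow branch no longer updates `desc->reslength`, which the removed code assigned on every completion, and the read path still branches on `if (!desc->reslength)`. The read function starts and ends outside this hunk.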
After the qtd is
++ * processed and removed, the overlay won't be valid
++ * any more.
++ */
++ if (state == QH_STATE_IDLE &&
++ qh->qtd_list.next == &qtd->qtd_list &&
++ (hw->hw_token & ACTIVE_BIT(ehci))) {
+ token = hc32_to_cpu(ehci, hw->hw_token);
++ hw->hw_token &= ~ACTIVE_BIT(ehci);
+
+ /* An unlink may leave an incomplete
+ * async transaction in the TT buffer.
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index edc0f0d..4747d1c 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -85,6 +85,7 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x10C4, 0x813F) }, /* Tams Master Easy Control */
+ { USB_DEVICE(0x10C4, 0x814A) }, /* West Mountain Radio RIGblaster P&P */
+ { USB_DEVICE(0x10C4, 0x814B) }, /* West Mountain Radio RIGtalk */
++ { USB_DEVICE(0x2405, 0x0003) }, /* West Mountain Radio RIGblaster Advantage */
+ { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
+ { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
+ { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
+@@ -150,6 +151,25 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
+ { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
+ { USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
++ { USB_DEVICE(0x1FB9, 0x0100) }, /* Lake Shore Model 121 Current Source */
++ { USB_DEVICE(0x1FB9, 0x0200) }, /* Lake Shore Model 218A Temperature Monitor */
++ { USB_DEVICE(0x1FB9, 0x0201) }, /* Lake Shore Model 219 Temperature Monitor */
++ { USB_DEVICE(0x1FB9, 0x0202) }, /* Lake Shore Model 233 Temperature Transmitter */
++ { USB_DEVICE(0x1FB9, 0x0203) }, /* Lake Shore Model 235 Temperature Transmitter */
++ { USB_DEVICE(0x1FB9, 0x0300) }, /* Lake Shore Model 335 Temperature Controller */
++ { USB_DEVICE(0x1FB9, 0x0301) }, /* Lake Shore Model 336 Temperature Controller */
++ { USB_DEVICE(0x1FB9, 0x0302) }, /* Lake Shore Model 350 Temperature
Controller */
++ { USB_DEVICE(0x1FB9, 0x0303) }, /* Lake Shore Model 371 AC Bridge */
++ { USB_DEVICE(0x1FB9, 0x0400) }, /* Lake Shore Model 411 Handheld Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0401) }, /* Lake Shore Model 425 Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0402) }, /* Lake Shore Model 455A Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0403) }, /* Lake Shore Model 475A Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0404) }, /* Lake Shore Model 465 Three Axis Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0600) }, /* Lake Shore Model 625A Superconducting MPS */
++ { USB_DEVICE(0x1FB9, 0x0601) }, /* Lake Shore Model 642A Magnet Power Supply */
++ { USB_DEVICE(0x1FB9, 0x0602) }, /* Lake Shore Model 648 Magnet Power Supply */
++ { USB_DEVICE(0x1FB9, 0x0700) }, /* Lake Shore Model 737 VSM Controller */
++ { USB_DEVICE(0x1FB9, 0x0701) }, /* Lake Shore Model 776 Hall Matrix */
+ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
+ { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
+ { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index f7d339d..558adfc 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -341,6 +341,8 @@ static void option_instat_callback(struct urb *urb);
+ #define CINTERION_PRODUCT_EU3_E 0x0051
+ #define CINTERION_PRODUCT_EU3_P 0x0052
+ #define CINTERION_PRODUCT_PH8 0x0053
++#define CINTERION_PRODUCT_AH6 0x0055
++#define CINTERION_PRODUCT_PLS8 0x0060
+
+ /* Olivetti products */
+ #define OLIVETTI_VENDOR_ID 0x0b3c
+@@ -579,6 +581,7 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c1f, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23,
USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+@@ -1260,6 +1263,8 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_E) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8) },
++ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AH6) },
++ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLS8) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
+diff --git a/drivers/usb/serial/qcaux.c b/drivers/usb/serial/qcaux.c
+index 9b1b96f..31f81c3 100644
+--- a/drivers/usb/serial/qcaux.c
++++ b/drivers/usb/serial/qcaux.c
+@@ -69,6 +69,7 @@ static struct usb_device_id id_table[] = {
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xfd, 0xff) }, /* NMEA */
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xfe, 0xff) }, /* WMC */
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xff, 0xff) }, /* DIAG */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x1fac, 0x0151, 0xff, 0xff, 0xff) },
+ { },
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index 2466254..59b32b7 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -197,12 +197,15 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+
+ if (is_gobi1k) {
+ /* Gobi 1K USB layout:
+- * 0: serial port (doesn't respond)
++ * 0: DM/DIAG (use libqcdm from ModemManager for communication)
+ * 1: serial port (doesn't respond)
+ * 2: AT-capable modem port
+ * 3: QMI/net
+ */
+- if (ifnum == 2)
++ if (ifnum == 0) {
++ dev_dbg(dev, "Gobi 1K DM/DIAG interface found\n");
++ altsetting = 1;
++ } else if (ifnum == 2)
+ dev_dbg(dev, "Modem port found\n");
+ else
+ altsetting = -1;
+diff --git a/drivers/usb/storage/initializers.c b/drivers/usb/storage/initializers.c
+index 7ab9046..105d900 100644
+--- a/drivers/usb/storage/initializers.c
++++ b/drivers/usb/storage/initializers.c
+@@ -92,8 +92,8 @@ int usb_stor_ucr61s2b_init(struct us_data *us)
+ return 0;
+ }
+
+-/* This places the HUAWEI usb dongles in multi-port mode */
+-static int usb_stor_huawei_feature_init(struct us_data *us)
++/* This places the HUAWEI E220 devices in multi-port mode */
++int usb_stor_huawei_e220_init(struct us_data *us)
+ {
+ int result;
+
+@@ -104,75 +104,3 @@ static int usb_stor_huawei_feature_init(struct us_data *us)
+ US_DEBUGP("Huawei mode set result is %d\n", result);
+ return 0;
+ }
+-
+-/*
+- * It will send a scsi switch command called rewind' to huawei dongle.
+- * When the dongle receives this command at the first time,
+- * it will reboot immediately. After rebooted, it will ignore this command.
+- * So it is unnecessary to read its response.
+- */
+-static int usb_stor_huawei_scsi_init(struct us_data *us)
+-{
+- int result = 0;
+- int act_len = 0;
+- struct bulk_cb_wrap *bcbw = (struct bulk_cb_wrap *) us->iobuf;
+- char rewind_cmd[] = {0x11, 0x06, 0x20, 0x00, 0x00, 0x01, 0x01, 0x00,
+- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+-
+- bcbw->Signature = cpu_to_le32(US_BULK_CB_SIGN);
+- bcbw->Tag = 0;
+- bcbw->DataTransferLength = 0;
+- bcbw->Flags = bcbw->Lun = 0;
+- bcbw->Length = sizeof(rewind_cmd);
+- memset(bcbw->CDB, 0, sizeof(bcbw->CDB));
+- memcpy(bcbw->CDB, rewind_cmd, sizeof(rewind_cmd));
+-
+- result = usb_stor_bulk_transfer_buf(us, us->send_bulk_pipe, bcbw,
+- US_BULK_CB_WRAP_LEN, &act_len);
+- US_DEBUGP("transfer actual length=%d, result=%d\n", act_len, result);
+- return result;
+-}
+-
+-/*
+- * It tries to find the supported Huawei USB dongles.
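Review bot: `altsetting = 1` for interface 0 in the Gobi 1K branch of qcprobe is unexplained: interface 2 is accepted without touching `altsetting`, and nothing in the hunk says why the DM/DIAG interface needs a different alternate setting. Binding this interface also exposes the modem's diagnostic channel as a serial device, which matters to whoever sets the device-node permissions, so I would note it next to the assignment, e.g. `/* DM/DIAG: exposes the modem diagnostic channel as a tty */`, together with the reason for the alternate setting. The `if (ifnum == 0) { ... } else if (ifnum == 2)` chain now mixes braced and unbraced arms; bracing all three matches kernel style. qcprobe continues outside the hunk.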
+- * In Huawei, they assign the following product IDs +- * for all of their mobile broadband dongles, +- * including the new dongles in the future. +- * So if the product ID is not included in this list, +- * it means it is not Huawei's mobile broadband dongles. +- */ +-static int usb_stor_huawei_dongles_pid(struct us_data *us) +-{ +- struct usb_interface_descriptor *idesc; +- int idProduct; +- +- idesc = &us->pusb_intf->cur_altsetting->desc; +- idProduct = le16_to_cpu(us->pusb_dev->descriptor.idProduct); +- /* The first port is CDROM, +- * means the dongle in the single port mode, +- * and a switch command is required to be sent. */ +- if (idesc && idesc->bInterfaceNumber == 0) { +- if ((idProduct == 0x1001) +- || (idProduct == 0x1003) +- || (idProduct == 0x1004) +- || (idProduct >= 0x1401 && idProduct <= 0x1500) +- || (idProduct >= 0x1505 && idProduct <= 0x1600) +- || (idProduct >= 0x1c02 && idProduct <= 0x2202)) { +- return 1; +- } +- } +- return 0; +-} +- +-int usb_stor_huawei_init(struct us_data *us) +-{ +- int result = 0; +- +- if (usb_stor_huawei_dongles_pid(us)) { +- if (le16_to_cpu(us->pusb_dev->descriptor.idProduct) >= 0x1446) +- result = usb_stor_huawei_scsi_init(us); +- else +- result = usb_stor_huawei_feature_init(us); +- } +- return result; +-} +diff --git a/drivers/usb/storage/initializers.h b/drivers/usb/storage/initializers.h +index 5376d4f..529327f 100644 +--- a/drivers/usb/storage/initializers.h ++++ b/drivers/usb/storage/initializers.h +@@ -46,5 +46,5 @@ int usb_stor_euscsi_init(struct us_data *us); + * flash reader */ + int usb_stor_ucr61s2b_init(struct us_data *us); + +-/* This places the HUAWEI usb dongles in multi-port mode */ +-int usb_stor_huawei_init(struct us_data *us); ++/* This places the HUAWEI E220 devices in multi-port mode */ ++int usb_stor_huawei_e220_init(struct us_data *us); +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 72923b5..d305a5a 100644 +--- 
a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1527,10 +1527,335 @@ UNUSUAL_DEV( 0x1210, 0x0003, 0x0100, 0x0100, + /* Reported by fangxiaozhi <huananhu@huawei.com> + * This brings the HUAWEI data card devices into multi-port mode + */ +-UNUSUAL_VENDOR_INTF(0x12d1, 0x08, 0x06, 0x50, ++UNUSUAL_DEV( 0x12d1, 0x1001, 0x0000, 0x0000, + "HUAWEI MOBILE", + "Mass Storage", +- USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_init, ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1003, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1004, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1401, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1402, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1403, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1404, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1405, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1406, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1407, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1408, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ 
USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1409, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140A, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140B, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140C, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140D, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140E, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x140F, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1410, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1411, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1412, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1413, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1414, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1415, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ 
USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1416, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1417, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1418, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1419, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141A, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141B, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141C, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141D, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141E, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x141F, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1420, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1421, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1422, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ 
USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1423, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1424, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1425, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1426, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1427, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1428, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1429, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142A, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142B, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142C, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142D, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142E, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x142F, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ 
USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1430, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1431, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1432, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1433, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1434, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1435, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1436, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1437, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1438, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x1439, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143A, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143B, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143C, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ 
USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143D, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143E, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, ++ 0), ++UNUSUAL_DEV( 0x12d1, 0x143F, 0x0000, 0x0000, ++ "HUAWEI MOBILE", ++ "Mass Storage", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init, + 0), + + /* Reported by Vilius Bilinkevicius <vilisas AT xxx DOT lt) */ +diff --git a/drivers/video/atmel_lcdfb.c b/drivers/video/atmel_lcdfb.c +index 12cf5f3..025428e 100644 +--- a/drivers/video/atmel_lcdfb.c ++++ b/drivers/video/atmel_lcdfb.c +@@ -422,17 +422,22 @@ static int atmel_lcdfb_check_var(struct fb_var_screeninfo *var, + = var->bits_per_pixel; + break; + case 16: ++ /* Older SOCs use IBGR:555 rather than BGR:565. */ ++ if (sinfo->have_intensity_bit) ++ var->green.length = 5; ++ else ++ var->green.length = 6; ++ + if (sinfo->lcd_wiring_mode == ATMEL_LCDC_WIRING_RGB) { +- /* RGB:565 mode */ +- var->red.offset = 11; ++ /* RGB:5X5 mode */ ++ var->red.offset = var->green.length + 5; + var->blue.offset = 0; + } else { +- /* BGR:565 mode */ ++ /* BGR:5X5 mode */ + var->red.offset = 0; +- var->blue.offset = 11; ++ var->blue.offset = var->green.length + 5; + } + var->green.offset = 5; +- var->green.length = 6; + var->red.length = var->blue.length = 5; + break; + case 32: +@@ -679,8 +684,7 @@ static int atmel_lcdfb_setcolreg(unsigned int regno, unsigned int red, + + case FB_VISUAL_PSEUDOCOLOR: + if (regno < 256) { +- if (cpu_is_at91sam9261() || cpu_is_at91sam9263() +- || cpu_is_at91sam9rl()) { ++ if (sinfo->have_intensity_bit) { + /* old style I+BGR:555 */ + val = ((red >> 11) & 0x001f); + val |= ((green >> 6) & 0x03e0); +@@ -870,6 +874,10 @@ static int __init atmel_lcdfb_probe(struct platform_device *pdev) + } + sinfo->info = info; + sinfo->pdev = pdev; ++ 
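Review bot: Every added `UNUSUAL_DEV( 0x12d1, 0x14xx, 0x0000, 0x0000, ...)` entry gives 0x0000 for both fields after the product ID, which in this table are the lowest and highest bcdDevice revision matched. With the vendor-wide `UNUSUAL_VENDOR_INTF` match removed, a dongle with one of these product IDs but a non-zero device revision would presumably no longer reach `usb_stor_huawei_e220_init`. If that is intended, a one-line comment above the block should say so and state that the list covers 0x1001, 0x1003, 0x1004 and 0x1401-0x143F only; otherwise the upper bound should be `0xffff`. The 67 entries differ only in the product ID, so a small local macro taking that ID would make the covered range checkable at a glance.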
if (cpu_is_at91sam9261() || cpu_is_at91sam9263() || ++ cpu_is_at91sam9rl()) { ++ sinfo->have_intensity_bit = true; ++ } + + strcpy(info->fix.id, sinfo->pdev->name); + info->flags = ATMEL_LCDFB_FBINFO_DEFAULT; +diff --git a/drivers/w1/masters/w1-gpio.c b/drivers/w1/masters/w1-gpio.c +index d39dfa4..012817a 100644 +--- a/drivers/w1/masters/w1-gpio.c ++++ b/drivers/w1/masters/w1-gpio.c +@@ -158,7 +158,7 @@ static int w1_gpio_probe(struct platform_device *pdev) + return err; + } + +-static int __exit w1_gpio_remove(struct platform_device *pdev) ++static int w1_gpio_remove(struct platform_device *pdev) + { + struct w1_bus_master *master = platform_get_drvdata(pdev); + struct w1_gpio_platform_data *pdata = pdev->dev.platform_data; +@@ -210,7 +210,7 @@ static struct platform_driver w1_gpio_driver = { + .of_match_table = of_match_ptr(w1_gpio_dt_ids), + }, + .probe = w1_gpio_probe, +- .remove = __exit_p(w1_gpio_remove), ++ .remove = w1_gpio_remove, + .suspend = w1_gpio_suspend, + .resume = w1_gpio_resume, + }; +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 7994d933..7ce277d 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -924,7 +924,8 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb + tmp64 = (triplet_ret >> 2); + rn |= (tmp64 << i); + +- if (kthread_should_stop()) { ++ /* ensure we're called from kthread and not by netlink callback */ ++ if (!dev->priv && kthread_should_stop()) { + mutex_unlock(&dev->bus_mutex); + dev_dbg(&dev->dev, "Abort w1_search\n"); + return; +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c +index 37c1f82..b98cf0c 100644 +--- a/drivers/xen/xen-pciback/pciback_ops.c ++++ b/drivers/xen/xen-pciback/pciback_ops.c +@@ -113,7 +113,8 @@ void xen_pcibk_reset_device(struct pci_dev *dev) + if (dev->msi_enabled) + pci_disable_msi(dev); + #endif +- pci_disable_device(dev); ++ if (pci_is_enabled(dev)) ++ pci_disable_device(dev); + + pci_write_config_word(dev, 
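Review bot: The context line `strcpy(info->fix.id, sinfo->pdev->name);` right after the new `have_intensity_bit` block in atmel_lcdfb_probe() copies the platform device name into a fixed-size id field with no bound. The name is presumably short and kernel-controlled, but a bounded copy removes the dependence on that: `strlcpy(info->fix.id, sinfo->pdev->name, sizeof(info->fix.id));`. The function starts and ends outside the hunk.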
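Review bot: The new guard `if (!dev->priv && kthread_should_stop())` in w1_search() treats a non-NULL `dev->priv` as the sign that the caller is the netlink path, but nothing in the hunk says where that field is set or cleared. The added comment states the goal, not the invariant. Extending it, e.g. `/* dev->priv is set only while a netlink request is served; kthread_should_stop() is valid only in the kthread */`, would document the coupling, assuming that is how `priv` is used (to be confirmed against the netlink code, which is not in this hunk). w1_search() starts and ends outside the hunk.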
PCI_COMMAND, 0); + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 78333a3..78edf76 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1033,7 +1033,9 @@ void bd_set_size(struct block_device *bdev, loff_t size) + { + unsigned bsize = bdev_logical_block_size(bdev); + +- bdev->bd_inode->i_size = size; ++ mutex_lock(&bdev->bd_inode->i_mutex); ++ i_size_write(bdev->bd_inode, size); ++ mutex_unlock(&bdev->bd_inode->i_mutex); + while (bsize < PAGE_CACHE_SIZE) { + if (size & bsize) + break; +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index ac8ff8d..1fd234a 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -681,6 +681,12 @@ int btrfs_close_devices(struct btrfs_fs_devices *fs_devices) + __btrfs_close_devices(fs_devices); + free_fs_devices(fs_devices); + } ++ /* ++ * Wait for rcu kworkers under __btrfs_close_devices ++ * to finish all blkdev_puts so device is really ++ * free when umount is done. ++ */ ++ rcu_barrier(); + return ret; + } + +diff --git a/fs/ext3/super.c b/fs/ext3/super.c +index 6e50223..0a7f2d0b 100644 +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb) + return bdev; + + fail: +- ext3_msg(sb, "error: failed to open journal device %s: %ld", ++ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld", + __bdevname(dev, b), PTR_ERR(bdev)); + + return NULL; +@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb) + /*todo: use simple_strtoll with >32bit ext3 */ + sb_block = simple_strtoul(options, &options, 0); + if (*options && *options != ',') { +- ext3_msg(sb, "error: invalid sb specification: %s", ++ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s", + (char *) *data); + return 1; + } +diff --git a/include/linux/mtd/nand.h b/include/linux/mtd/nand.h +index 7ccb3c5..ef52d9c 100644 +--- a/include/linux/mtd/nand.h ++++ b/include/linux/mtd/nand.h +@@ -187,6 +187,13 @@ typedef enum 
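Review bot: The new `if (pci_is_enabled(dev))` test in xen_pcibk_reset_device() has no comment explaining why a reset can reach a device that is not enabled. Since this backend resets devices that were handed to a guest, a line such as `/* the device may never have been enabled, or was disabled already; do not disable it twice */` would record the reason and keep the check from being removed as redundant. The check and the call are separate steps, so it is worth confirming that no other path can change the enable state between them. The function starts outside the hunk.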
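Review bot: bd_set_size() now takes `bdev->bd_inode->i_mutex` around `i_size_write()`, which makes the function sleep and adds a lock-order dependency that callers cannot see from the signature. A comment on the function, e.g. `/* may sleep: takes bd_inode->i_mutex; do not call with a spinlock held */`, would make that visible. It should also be checked that no caller already holds a lock that is normally taken inside i_mutex; the callers are not visible here. The function's body continues past the hunk.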
{ + * This happens with the Renesas AG-AND chips, possibly others. + */ + #define BBT_AUTO_REFRESH 0x00000080 ++/* ++ * Chip requires ready check on read (for auto-incremented sequential read). ++ * True only for small page devices; large page devices do not support ++ * autoincrement. ++ */ ++#define NAND_NEED_READRDY 0x00000100 ++ + /* Chip does not allow subpage writes */ + #define NAND_NO_SUBPAGE_WRITE 0x00000200 + +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 6bfb2faa..a280650 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -794,6 +794,12 @@ static inline int __perf_event_disable(void *info) { return -1; } + static inline void perf_event_task_tick(void) { } + #endif + ++#if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_CPU_SUP_INTEL) ++extern void perf_restore_debug_store(void); ++#else ++static inline void perf_restore_debug_store(void) { } ++#endif ++ + #define perf_output_put(handle, x) perf_output_copy((handle), &(x), sizeof(x)) + + /* +diff --git a/include/uapi/linux/serial_core.h b/include/uapi/linux/serial_core.h +index 8f6e50a..c019b24 100644 +--- a/include/uapi/linux/serial_core.h ++++ b/include/uapi/linux/serial_core.h +@@ -51,7 +51,10 @@ + #define PORT_8250_CIR 23 /* CIR infrared port, has its own driver */ + #define PORT_XR17V35X 24 /* Exar XR17V35x UARTs */ + #define PORT_BRCM_TRUMANAGE 25 +-#define PORT_MAX_8250 25 /* max port ID */ ++#define PORT_ALTR_16550_F32 26 /* Altera 16550 UART with 32 FIFOs */ ++#define PORT_ALTR_16550_F64 27 /* Altera 16550 UART with 64 FIFOs */ ++#define PORT_ALTR_16550_F128 28 /* Altera 16550 UART with 128 FIFOs */ ++#define PORT_MAX_8250 28 /* max port ID */ + + /* + * ARM specific type numbers. 
These are not currently guaranteed +diff --git a/include/video/atmel_lcdc.h b/include/video/atmel_lcdc.h +index 28447f1..5f0e234 100644 +--- a/include/video/atmel_lcdc.h ++++ b/include/video/atmel_lcdc.h +@@ -62,6 +62,7 @@ struct atmel_lcdfb_info { + void (*atmel_lcdfb_power_control)(int on); + struct fb_monspecs *default_monspecs; + u32 pseudo_palette[16]; ++ bool have_intensity_bit; + }; + + #define ATMEL_LCDC_DMABADDR1 0x00 +diff --git a/kernel/signal.c b/kernel/signal.c +index 3d09cf6..7591ccc 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index acc9f4c..2897e40 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb, + port = p->port; + if (port) { + struct br_mdb_entry e; ++ memset(&e, 0, sizeof(e)); + e.ifindex = port->dev->ifindex; + e.state = p->state; + if (p->addr.proto == htons(ETH_P_IP)) +@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb) + break; + + bpm = nlmsg_data(nlh); ++ memset(bpm, 0, sizeof(*bpm)); + bpm->ifindex = dev->ifindex; + if (br_mdb_fill_info(skb, cb, dev) < 0) + goto out; +@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + + bpm = nlmsg_data(nlh); ++ memset(bpm, 0, sizeof(*bpm)); + bpm->family = AF_BRIDGE; + bpm->ifindex = dev->ifindex; + nest = nla_nest_start(skb, MDBA_MDB); +@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port, + { + struct br_mdb_entry entry; + ++ memset(&entry, 0, sizeof(entry)); + entry.ifindex = port->dev->ifindex; + entry.addr.proto = 
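Review bot: The `sa_restorer` reset added to flush_signal_handlers() is compiled only under `#ifdef SA_RESTORER`, so an architecture whose `struct sigaction` has the field but does not define that macro would still carry the old pointer over. Whether any such architecture exists in this tree cannot be told from the hunk. The three added lines also lack a comment on why the field is cleared; `/* drop the stale user-space restorer address along with the handler */` would record it. The loop and the function start outside the hunk.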
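Review bot: The `memset(&e, 0, sizeof(e))` added in br_mdb_fill_info() carries no comment, and neither do the memsets on `bpm` and `entry` in the other three br_mdb.c hunks or those in net/dcb/dcbnl.c further down. In the visible lines these objects are assigned field by field, so the memset is what keeps padding and unset members from carrying old stack or buffer contents into the netlink reply. A later cleanup to a designated initializer would not reliably clear padding. A short comment at each site, such as `/* zero padding and unset fields before the struct goes into the message */`, would protect the fix. The enclosing functions start and end outside the hunks.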
group->proto; + entry.addr.u.ip4 = group->u.ip4; +diff --git a/net/core/dev.c b/net/core/dev.c +index f64e439..1339f77 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3419,6 +3419,7 @@ ncls: + } + switch (rx_handler(&skb)) { + case RX_HANDLER_CONSUMED: ++ ret = NET_RX_SUCCESS; + goto unlock; + case RX_HANDLER_ANOTHER: + goto another_round; +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 1868625..798f920 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + * report anything. + */ + ivi.spoofchk = -1; ++ memset(ivi.mac, 0, sizeof(ivi.mac)); + if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi)) + break; + vf_mac.vf = +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index 1b588e2..21291f1 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh, + if (!netdev->dcbnl_ops->getpermhwaddr) + return -EOPNOTSUPP; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr); +@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets)) +@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getmaxrate) { + struct ieee_maxrate maxrate; ++ memset(&maxrate, 0, sizeof(maxrate)); + err = ops->ieee_getmaxrate(netdev, &maxrate); + if (!err) { + err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE, +@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, 
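Review bot: Only `ivi.mac` is zeroed before `ndo_get_vf_config()` fills `ivi` in rtnl_fill_ifinfo(); apart from `ivi.spoofchk = -1`, every other member still depends on each driver writing it. If the remaining members are reported to user space after this point (the code that does so is below the hunk), zeroing the whole struct first would be the safer form: `memset(&ivi, 0, sizeof(ivi));` followed by `ivi.spoofchk = -1;`. The function starts and ends outside the hunk.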
sizeof(pfc)); + err = ops->ieee_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc)) +@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + /* get peer info if available */ + if (ops->ieee_peer_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_peer_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets)) +@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_peer_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc)) +@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + /* peer info if available */ + if (ops->cee_peer_getpg) { + struct cee_pg pg; ++ memset(&pg, 0, sizeof(pg)); + err = ops->cee_peer_getpg(netdev, &pg); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg)) +@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->cee_peer_getpfc) { + struct cee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->cee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc)) +diff --git a/net/ieee802154/6lowpan.h b/net/ieee802154/6lowpan.h +index 8c2251f..bba5f83 100644 +--- a/net/ieee802154/6lowpan.h ++++ b/net/ieee802154/6lowpan.h +@@ -84,7 +84,7 @@ + (memcmp(addr1, addr2, length >> 3) == 0) + + /* local link, i.e. 
FE80::/10 */ +-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE) ++#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80)) + + /* + * check whether we can compress the IID to 16 bits, +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index ad70a96..66702d3 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5498,6 +5498,9 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb, + if (tcp_checksum_complete_user(sk, skb)) + goto csum_error; + ++ if ((int)skb->truesize > sk->sk_forward_alloc) ++ goto step5; ++ + /* Predicted packet is in window by definition. + * seq == rcv_nxt and rcv_wup <= rcv_nxt. + * Hence, check seq<=rcv_wup reduces to: +@@ -5509,9 +5512,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb, + + tcp_rcv_rtt_measure_ts(sk, skb); + +- if ((int)skb->truesize > sk->sk_forward_alloc) +- goto step5; +- + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS); + + /* Bulk data transfer: receiver */ +diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c +index a52d864..b196852 100644 +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -270,7 +270,8 @@ int ip6_mc_input(struct sk_buff *skb) + * IPv6 multicast router mode is now supported ;) + */ + if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding && +- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) && ++ !(ipv6_addr_type(&hdr->daddr) & ++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) && + likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) { + /* + * Okay, we try to forward - split and duplicate +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 6f9f7b6..5845613 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1990,7 +1990,8 @@ void rt6_purge_dflt_routers(struct net *net) + restart: + read_lock_bh(&table->tb6_lock); + for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) { +- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) { ++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) && ++ (!rt->rt6i_idev 
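Review bot: `is_addr_link_local()` still compares the whole first 16-bit word with `htons(0xFE80)`, while the comment above it describes the prefix as FE80::/10. With the byte order now fixed, the macro matches fe80::/16 only. To test the 10-bit prefix the comparison needs a mask, `#define is_addr_link_local(a) ((((a)->s6_addr16[0]) & htons(0xFFC0)) == htons(0xFE80))`; if the narrower match is intended, the comment should say /16.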
|| rt->rt6i_idev->cnf.accept_ra != 2)) { + dst_hold(&rt->dst); + read_unlock_bh(&table->tb6_lock); + ip6_del_rt(rt); +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 716605c..044e9e1 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -355,6 +355,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh + l2tp_xmit_skb(session, skb, session->hdr_len); + + sock_put(ps->tunnel_sock); ++ sock_put(sk); + + return error; + +diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c +index 847d495..8a6c6ea 100644 +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb, + struct netlbl_unlhsh_walk_arg cb_arg; + u32 skip_bkt = cb->args[0]; + u32 skip_chain = cb->args[1]; +- u32 skip_addr4 = cb->args[2]; +- u32 skip_addr6 = cb->args[3]; + u32 iter_bkt; + u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_unlhsh_iface *iface; +@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb, + continue; + netlbl_af4list_foreach_rcu(addr4, + &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[2]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb, + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, + &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[3]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb, + + unlabel_staticlist_return: + rcu_read_unlock(); +- cb->args[0] = skip_bkt; +- cb->args[1] = skip_chain; +- cb->args[2] = skip_addr4; +- cb->args[3] = skip_addr6; ++ cb->args[0] = iter_bkt; ++ cb->args[1] = iter_chain; ++ cb->args[2] = iter_addr4; ++ cb->args[3] = 
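Review bot: The condition added to rt6_purge_dflt_routers() compares `rt->rt6i_idev->cnf.accept_ra` with the bare constant 2, and nothing nearby says what that value means. A comment such as `/* accept_ra == 2: RAs are accepted even with forwarding on, so keep the RA-learned default routes */` would make the exemption reviewable, since it decides which router-advertised default routes survive a purge. The loop and the function continue outside the hunk.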
iter_addr6; + return skb->len; + } + +@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, + { + struct netlbl_unlhsh_walk_arg cb_arg; + struct netlbl_unlhsh_iface *iface; +- u32 skip_addr4 = cb->args[0]; +- u32 skip_addr6 = cb->args[1]; +- u32 iter_addr4 = 0; ++ u32 iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_af4list *addr4; + #if IS_ENABLED(CONFIG_IPV6) +- u32 iter_addr6 = 0; + struct netlbl_af6list *addr6; + #endif + +@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, + goto unlabel_staticlistdef_return; + + netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[0]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, + } + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[1]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, + + unlabel_staticlistdef_return: + rcu_read_unlock(); +- cb->args[0] = skip_addr4; +- cb->args[1] = skip_addr6; ++ cb->args[0] = iter_addr4; ++ cb->args[1] = iter_addr6; + return skb->len; + } + +diff --git a/net/rds/message.c b/net/rds/message.c +index f0a4658..aff589c 100644 +--- a/net/rds/message.c ++++ b/net/rds/message.c +@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp) + { + struct rds_message *rm; + ++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message)) ++ return NULL; ++ + rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp); + if (!rm) + goto out; +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index cedd9bf..9ef5c73 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -5653,6 +5653,9 @@ static 
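Review bot: The new bound on `extra_len` in rds_message_alloc() has no comment saying what it guards, namely the sum `sizeof(struct rds_message) + extra_len` passed to kzalloc() on the following lines. A comment such as `/* keep header + extra_len within what kzalloc() can serve, and from wrapping */` would record that. The early `return NULL` also bypasses the `out` label used by the allocation-failure path, so anything done there (not visible in the hunk) is skipped for this case. Confirm that callers treat both failures the same; the function ends outside the hunk.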
int sctp_getsockopt_assoc_stats(struct sock *sk, int len, + if (len < sizeof(sctp_assoc_t)) + return -EINVAL; + ++ /* Allow the struct to grow and fill in as much as possible */ ++ len = min_t(size_t, len, sizeof(sas)); ++ + if (copy_from_user(&sas, optval, len)) + return -EFAULT; + +@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, + /* Mark beginning of a new observation period */ + asoc->stats.max_obs_rto = asoc->rto_min; + +- /* Allow the struct to grow and fill in as much as possible */ +- len = min_t(size_t, len, sizeof(sas)); +- + if (put_user(len, optlen)) + return -EFAULT; + +diff --git a/scripts/Makefile.headersinst b/scripts/Makefile.headersinst +index 06ba4a7..e253917 100644 +--- a/scripts/Makefile.headersinst ++++ b/scripts/Makefile.headersinst +@@ -8,7 +8,7 @@ + # ========================================================================== + + # called may set destination dir (when installing to asm/) +-_dst := $(or $(destination-y),$(dst),$(obj)) ++_dst := $(if $(destination-y),$(destination-y),$(if $(dst),$(dst),$(obj))) + + # generated header directory + gen := $(if $(gen),$(gen),$(subst include/,include/generated/,$(obj))) +@@ -48,13 +48,14 @@ all-files := $(header-y) $(genhdr-y) $(wrapper-files) + output-files := $(addprefix $(installdir)/, $(all-files)) + + input-files := $(foreach hdr, $(header-y), \ +- $(or \ ++ $(if $(wildcard $(srcdir)/$(hdr)), \ + $(wildcard $(srcdir)/$(hdr)), \ +- $(wildcard $(oldsrcdir)/$(hdr)), \ +- $(error Missing UAPI file $(srcdir)/$(hdr)) \ ++ $(if $(wildcard $(oldsrcdir)/$(hdr)), \ ++ $(wildcard $(oldsrcdir)/$(hdr)), \ ++ $(error Missing UAPI file $(srcdir)/$(hdr))) \ + )) \ + $(foreach hdr, $(genhdr-y), \ +- $(or \ ++ $(if $(wildcard $(gendir)/$(hdr)), \ + $(wildcard $(gendir)/$(hdr)), \ + $(error Missing generated UAPI file $(gendir)/$(hdr)) \ + )) +diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c +index 48665ec..8ab2951 100644 +--- a/security/selinux/xfrm.c ++++ 
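Review bot: In sctp_getsockopt_assoc_stats() `len` is a signed `int`, and both the `len < sizeof(sctp_assoc_t)` test and the relocated `len = min_t(size_t, len, sizeof(sas));` convert it to an unsigned type. A negative `len` would therefore pass the length test and be clamped to sizeof(sas) rather than rejected. That keeps the copy into `sas` bounded, but an explicit `if (len < 0) return -EINVAL;` before the size test would state the contract, unless the caller already rejects it (not visible in the hunk). The moved comment "Allow the struct to grow" describes the output side; next to copy_from_user() it should also say that the clamp bounds the read into `sas`.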
b/security/selinux/xfrm.c +@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, + + if (old_ctx) { + new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!new_ctx) + return -ENOMEM; + +diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c +index 160b1bd..24d44b2 100644 +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_queue *q) + tid.device = SNDRV_TIMER_GLOBAL_SYSTEM; + err = snd_timer_open(&t, str, &tid, q->queue); + } +- if (err < 0) { +- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err); +- return err; +- } ++ } ++ if (err < 0) { ++ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err); ++ return err; + } + t->callback = snd_seq_timer_interrupt; + t->callback_data = q; +diff --git a/tools/usb/ffs-test.c b/tools/usb/ffs-test.c +index 8674b9e..fe1e66b 100644 +--- a/tools/usb/ffs-test.c ++++ b/tools/usb/ffs-test.c +@@ -38,7 +38,7 @@ + #include <unistd.h> + #include <tools/le_byteshift.h> + +-#include "../../include/linux/usb/functionfs.h" ++#include "../../include/uapi/linux/usb/functionfs.h" + + + /******************** Little Endian Handling ********************************/ diff --git a/3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch b/3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch index ef25e2b..dc85ee6 100644 --- a/3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch +++ b/3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch @@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 8c49fc9b..9a2af09 100644 +index e20f162..11365cc 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
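Review bot: The switch from GFP_KERNEL to GFP_ATOMIC in selinux_xfrm_policy_clone() carries no comment saying which call path runs in a context that cannot sleep. A one-line comment naming that path above the kmalloc() would stop a later cleanup from reverting the flag. GFP_ATOMIC allocations fail more readily, so callers need to handle the existing `-ENOMEM` return; they are outside the hunk.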
@@ -341,7 +341,7 @@ index 8c49fc9b..9a2af09 100644 +else + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least" +endif -+ $(Q)echo "PAX_MEMORY_STACKLEAK and other features will be less secure" ++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active." +endif +endif + @@ -2838,7 +2838,7 @@ index 5f66206..dce492f 100644 }; diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index c6dec5f..f853532 100644 +index c6dec5f..e0fddd1 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -28,7 +28,6 @@ @@ -2885,6 +2885,18 @@ index c6dec5f..f853532 100644 #ifdef CONFIG_MMU /* * The vectors page is always readable from user space for the +@@ -470,9 +464,8 @@ static int __init gate_vma_init(void) + { + gate_vma.vm_start = 0xffff0000; + gate_vma.vm_end = 0xffff0000 + PAGE_SIZE; +- gate_vma.vm_page_prot = PAGE_READONLY_EXEC; +- gate_vma.vm_flags = VM_READ | VM_EXEC | +- VM_MAYREAD | VM_MAYEXEC; ++ gate_vma.vm_flags = VM_NONE; ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); + return 0; + } + arch_initcall(gate_vma_init); diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 03deeff..741ce88 100644 --- a/arch/arm/kernel/ptrace.c 
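Review bot: gate_vma_init() now sets `gate_vma.vm_flags = VM_NONE`, but the context comment earlier in this hunk still begins "The vectors page is always readable from user space". If the rest of that comment (outside the hunk) is unchanged, it no longer matches the code. I would reword it to say that the gate VMA no longer grants user read or execute access and that `vm_page_prot` is now derived from the flags through `vm_get_page_prot()`. Code that walks the gate VMA, such as core dumps or /proc maps, should be checked against the new flags; none of it is visible here.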
@@ -2967,6 +2979,40 @@ index 3f6cbb2..6d856f5 100644 #endif #ifdef MULTI_TLB cpu_tlb = *list->tlb; +diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c +index 56f72d2..6924200 100644 +--- a/arch/arm/kernel/signal.c ++++ b/arch/arm/kernel/signal.c +@@ -433,22 +433,14 @@ setup_return(struct pt_regs *regs, struct k_sigaction *ka, + __put_user(sigreturn_codes[idx+1], rc+1)) + return 1; + +- if (cpsr & MODE32_BIT) { +- /* +- * 32-bit code can use the new high-page +- * signal return code support. +- */ +- retcode = KERN_SIGRETURN_CODE + (idx << 2) + thumb; +- } else { +- /* +- * Ensure that the instruction cache sees +- * the return code written onto the stack. +- */ +- flush_icache_range((unsigned long)rc, +- (unsigned long)(rc + 2)); ++ /* ++ * Ensure that the instruction cache sees ++ * the return code written onto the stack. ++ */ ++ flush_icache_range((unsigned long)rc, ++ (unsigned long)(rc + 2)); + +- retcode = ((unsigned long)rc) + thumb; +- } ++ retcode = ((unsigned long)rc) + thumb; + } + + regs->ARM_r0 = usig; diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c index 58af91c..343ce99 100644 --- a/arch/arm/kernel/smp.c @@ -2981,7 +3027,7 @@ index 58af91c..343ce99 100644 void __init smp_set_ops(struct smp_operations *ops) { diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index b0179b8..b7b16c7 100644 +index b0179b8..829510e 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); 
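Review bot: setup_return() loses the `cpsr & MODE32_BIT` branch and the comment that explained the high-page signal return code, and the surviving comment only explains the icache flush. A sentence such as `/* the vectors page no longer holds sigreturn code, so always return through the code written to the user stack */` would record the reason; that reading is inferred from the traps.c and mmu.c changes elsewhere in this patch update. The return code now always executes from the user stack, so its interaction with a non-executable stack policy is worth confirming. The function starts and ends outside the hunk.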
@@ -3022,9 +3068,17 @@ index b0179b8..b7b16c7 100644 } return 0; -@@ -849,5 +856,9 @@ void __init early_trap_init(void *vectors_base) - sigreturn_codes, sizeof(sigreturn_codes)); +@@ -841,13 +848,10 @@ void __init early_trap_init(void *vectors_base) + */ + kuser_get_tls_init(vectors); +- /* +- * Copy signal return handlers into the vector page, and +- * set sigreturn to be a pointer to these. +- */ +- memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE), +- sigreturn_codes, sizeof(sigreturn_codes)); +- flush_icache_range(vectors, vectors + PAGE_SIZE); - modify_domain(DOMAIN_USER, DOMAIN_CLIENT); + 
@@ -3488,8 +3542,73 @@ index 3fd629d..8b1aca9 100644 help This option enables or disables the use of domain switching via the set_fs() function. +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index db26e2e..ee44569 100644 +--- a/arch/arm/mm/alignment.c ++++ b/arch/arm/mm/alignment.c +@@ -211,10 +211,12 @@ union offset_union { + #define __get16_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v, a = addr; \ ++ pax_open_userland(); \ + __get8_unaligned_check(ins,v,a,err); \ + val = v << ((BE) ? 8 : 0); \ + __get8_unaligned_check(ins,v,a,err); \ + val |= v << ((BE) ? 0 : 8); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -228,6 +230,7 @@ union offset_union { + #define __get32_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v, a = addr; \ ++ pax_open_userland(); \ + __get8_unaligned_check(ins,v,a,err); \ + val = v << ((BE) ? 24 : 0); \ + __get8_unaligned_check(ins,v,a,err); \ +@@ -236,6 +239,7 @@ union offset_union { + val |= v << ((BE) ? 8 : 16); \ + __get8_unaligned_check(ins,v,a,err); \ + val |= v << ((BE) ? 
0 : 24); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -249,6 +253,7 @@ union offset_union { + #define __put16_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v = val, a = addr; \ ++ pax_open_userland(); \ + __asm__( FIRST_BYTE_16 \ + ARM( "1: "ins" %1, [%2], #1\n" ) \ + THUMB( "1: "ins" %1, [%2]\n" ) \ +@@ -268,6 +273,7 @@ union offset_union { + " .popsection\n" \ + : "=r" (err), "=&r" (v), "=&r" (a) \ + : "0" (err), "1" (v), "2" (a)); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -281,6 +287,7 @@ union offset_union { + #define __put32_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v = val, a = addr; \ ++ pax_open_userland(); \ + __asm__( FIRST_BYTE_32 \ + ARM( "1: "ins" %1, [%2], #1\n" ) \ + THUMB( "1: "ins" %1, [%2]\n" ) \ +@@ -310,6 +317,7 @@ union offset_union { + " .popsection\n" \ + : "=r" (err), "=&r" (v), "=&r" (a) \ + : "0" (err), "1" (v), "2" (a)); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c -index 5dbf13f..6393f55 100644 +index 5dbf13f..1a60561 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -25,6 +25,7 @@ @@ -3511,10 +3630,10 @@ index 5dbf13f..6393f55 100644 + { + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + else + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + } +#endif + 
@@ -3577,10 +3696,10 @@ index 5dbf13f..6393f55 100644 + if (addr < TASK_SIZE && is_domain_fault(fsr)) { + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), addr); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); + else + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), addr); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); + goto die; + } +#endif 
@@ -3592,19 +3711,30 @@ index 5dbf13f..6393f55 100644 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n", inf->name, fsr, addr); -@@ -575,9 +637,38 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) +@@ -575,9 +637,49 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr); struct siginfo info; ++ if (user_mode(regs)) { ++ if (addr == 0xffff0fe0UL) { ++ /* ++ * PaX: __kuser_get_tls emulation ++ */ ++ regs->ARM_r0 = current_thread_info()->tp_value; ++ regs->ARM_pc = regs->ARM_lr; ++ return; ++ } ++ } ++ +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) -+ if (!user_mode(regs) && (is_domain_fault(ifsr) || is_xn_fault(ifsr))) { ++ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) { + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), + addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr); + else + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), + addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr); + goto die; + } @@ -3847,7 +3977,7 @@ index 10062ce..aa96dd7 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c -index ce328c7..f82bebb 100644 +index ce328c7..35b88dc 100644 --- a/arch/arm/mm/mmu.c +++ b/arch/arm/mm/mmu.c @@ -35,6 +35,23 @@ 
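Review bot: The new user-mode branch in do_PrefetchAbort() compares `addr` against the bare literal `0xffff0fe0UL`; a named constant next to the "__kuser_get_tls emulation" comment would tie the address to the helper it stands for. The following `else if (is_domain_fault(ifsr) || is_xn_fault(ifsr))` sits inside the `#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)` block and binds to an `if` that is closed outside it. Keeping the explicit `!user_mode(regs) &&` test from the removed line would be less fragile. The emulation copies `ARM_lr` straight into `ARM_pc`; whether a Thumb caller's state bit is handled is not visible here and should be confirmed.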
@@ -3924,7 +4054,8 @@ index ce328c7..f82bebb 100644 }, [MT_HIGH_VECTORS] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | - L_PTE_USER | L_PTE_RDONLY, +- L_PTE_USER | L_PTE_RDONLY, ++ L_PTE_RDONLY, .prot_l1 = PMD_TYPE_TABLE, - .domain = DOMAIN_USER, + .domain = DOMAIN_VECTORS, @@ -6535,7 +6666,7 @@ index 4684e33..acc4d19e 100644 ld r4,_DAR(r1) bl .bad_page_fault diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S -index 4665e82..080ea99 100644 +index 3684cbd..bc89eab 100644 --- a/arch/powerpc/kernel/exceptions-64s.S +++ b/arch/powerpc/kernel/exceptions-64s.S @@ -1206,10 +1206,10 @@ handle_page_fault: @@ -12655,7 +12786,7 @@ index 0e1cbfc..5623683 100644 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h -index 6dfd019..0c6699f 100644 +index 6dfd019..28e188d 100644 --- a/arch/x86/include/asm/bitops.h +++ b/arch/x86/include/asm/bitops.h @@ -40,7 +40,7 @@ @@ -12667,6 +12798,15 @@ index 6dfd019..0c6699f 100644 #define CONST_MASK(nr) (1 << ((nr) & 7)) /** +@@ -486,7 +486,7 @@ static inline int fls(int x) + * at position 64. + */ + #ifdef CONFIG_X86_64 +-static __always_inline int fls64(__u64 x) ++static __always_inline long fls64(__u64 x) + { + int bitpos = -1; + /* diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h index 4fa687a..60f2d39 100644 --- a/arch/x86/include/asm/boot.h @@ -12843,7 +12983,7 @@ index 2d9075e..b75a844 100644 "4:\n" ".previous\n" diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h -index 8bf1c06..f723dfd 100644 +index 8bf1c06..b6ae785 100644 --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -4,6 +4,7 @@ 
@@ -12951,6 +13091,15 @@ index 8bf1c06..f723dfd 100644 } #define _LDT_empty(info) \ +@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) + preempt_enable(); + } + +-static inline unsigned long get_desc_base(const struct desc_struct *desc) ++static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc) + { + return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); + } @@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) } @@ -13053,6 +13202,19 @@ index 278441f..b95a174 100644 }; } __attribute__((packed)); +diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h +index ced283a..ffe04cc 100644 +--- a/arch/x86/include/asm/div64.h ++++ b/arch/x86/include/asm/div64.h +@@ -39,7 +39,7 @@ + __mod; \ + }) + +-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) ++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) + { + union { + u64 v64; diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 9c999c1..3860cb8 100644 --- a/arch/x86/include/asm/elf.h @@ -13256,9 +13418,26 @@ index a203659..9889f1c 100644 extern struct legacy_pic *legacy_pic; extern struct legacy_pic null_legacy_pic; diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h -index d8e8eef..15b1179 100644 +index d8e8eef..1765f78 100644 --- a/arch/x86/include/asm/io.h 
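Review bot: `__intentional_overflow(-1)` is added to get_desc_base() with no comment saying which operation is expected to wrap. The same bare annotation appears in later hunks on div_u64_rem(), readw/readl and __readw/__readl, pmd_val(), numa_register_memblks(), __phys_addr() and ahci_exec_polled_cmd(). The annotation presumably exempts the function from the size-overflow instrumentation, so each use removes a check and should carry a one-line justification. For get_desc_base that could be `/* base2 << 24 may set the sign bit before the (unsigned) cast */`, if that is indeed the wrap being allowed. Without it, a reviewer cannot tell a deliberate wrap from a silenced finding.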
+++ b/arch/x86/include/asm/io.h +@@ -51,12 +51,12 @@ static inline void name(type val, volatile void __iomem *addr) \ + "m" (*(volatile type __force *)addr) barrier); } + + build_mmio_read(readb, "b", unsigned char, "=q", :"memory") +-build_mmio_read(readw, "w", unsigned short, "=r", :"memory") +-build_mmio_read(readl, "l", unsigned int, "=r", :"memory") ++build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory") ++build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory") + + build_mmio_read(__readb, "b", unsigned char, "=q", ) +-build_mmio_read(__readw, "w", unsigned short, "=r", ) +-build_mmio_read(__readl, "l", unsigned int, "=r", ) ++build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", ) ++build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", ) + + build_mmio_write(writeb, "b", unsigned char, "q", :"memory") + build_mmio_write(writew, "w", unsigned short, "r", :"memory") @@ -184,7 +184,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size) return ioremap_nocache(offset, size); } @@ -13322,6 +13501,21 @@ index d3ddd17..c9fb0cc 100644 #define flush_insn_slot(p) do { } while (0) +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index dc87b65..85039f9 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -419,8 +419,8 @@ struct kvm_vcpu_arch { + gpa_t time; + struct pvclock_vcpu_time_info hv_clock; + unsigned int hw_tsc_khz; +- unsigned int time_offset; +- struct page *time_page; ++ struct gfn_to_hva_cache pv_time; ++ bool pv_time_enabled; + /* set guest stopped flag in pvclock flags field */ + bool pvclock_set_guest_stopped_request; + diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h index 2d89e39..baee879 100644 --- a/arch/x86/include/asm/local.h 
@@ -13795,9 +13989,18 @@ index 320f7bb..e89f8f8 100644 extern unsigned long __phys_addr(unsigned long); #define __phys_reloc_hide(x) (x) diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h -index 5edd174..9cf5821 100644 +index 5edd174..c395822 100644 --- a/arch/x86/include/asm/paravirt.h +++ b/arch/x86/include/asm/paravirt.h +@@ -564,7 +564,7 @@ static inline pmd_t __pmd(pmdval_t val) + return (pmd_t) { ret }; + } + +-static inline pmdval_t pmd_val(pmd_t pmd) ++static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd) + { + pmdval_t ret; + @@ -630,6 +630,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) val); } @@ -17379,7 +17582,7 @@ index 4914e94..60b06e3 100644 intel_ds_init(); diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -index b43200d..7fdcdbb 100644 +index b43200d..d235b3e 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c @@ -2428,7 +2428,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) 
@@ -17387,10 +17590,37 @@ index b43200d..7fdcdbb 100644 { struct intel_uncore_pmu *pmus; - struct attribute_group *events_group; -+ attribute_group_no_const *events_group; ++ attribute_group_no_const *attr_group; struct attribute **attrs; int i, j; +@@ -2455,19 +2455,19 @@ static int __init uncore_type_init(struct intel_uncore_type *type) + while (type->event_descs[i].attr.attr.name) + i++; + +- events_group = kzalloc(sizeof(struct attribute *) * (i + 1) + +- sizeof(*events_group), GFP_KERNEL); +- if (!events_group) ++ attr_group = kzalloc(sizeof(struct attribute *) * (i + 1) + ++ sizeof(*attr_group), GFP_KERNEL); ++ if (!attr_group) + goto fail; + +- attrs = (struct attribute **)(events_group + 1); +- events_group->name = "events"; +- events_group->attrs = attrs; ++ attrs = (struct attribute **)(attr_group + 1); ++ attr_group->name = "events"; ++ attr_group->attrs = attrs; + + for (j = 0; j < i; j++) + attrs[j] = &type->event_descs[j].attr.attr; + +- type->events_group = events_group; ++ type->events_group = attr_group; + } + + type->pmu_group = &uncore_pmu_attr_group; @@ -2826,7 +2826,7 @@ static int return NOTIFY_OK; } @@ -22215,7 +22445,7 @@ index 8b24289..d37b58b 100644 bss_resource.start = virt_to_phys(&__bss_start); bss_resource.end = virt_to_phys(&__bss_stop)-1; diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c -index 5cdff03..5810740 100644 +index 5cdff03..80fa283 100644 --- a/arch/x86/kernel/setup_percpu.c +++ b/arch/x86/kernel/setup_percpu.c @@ -21,19 +21,17 @@ @@ -22242,6 +22472,15 @@ index 5cdff03..5810740 100644 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET, }; EXPORT_SYMBOL(__per_cpu_offset); +@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void) + { + #ifdef CONFIG_NEED_MULTIPLE_NODES + pg_data_t *last = NULL; +- unsigned int cpu; ++ int cpu; + + for_each_possible_cpu(cpu) { + int node = early_cpu_to_node(cpu); @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu) { #ifdef CONFIG_X86_32 
@@ -23748,10 +23987,64 @@ index 9120ae1..238abc0 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index c243b81..9eb193f 100644 +index c243b81..b692af3 100644 --- a/arch/x86/kvm/x86.c 
+++ b/arch/x86/kvm/x86.c -@@ -1692,8 +1692,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1408,10 +1408,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) + unsigned long flags, this_tsc_khz; + struct kvm_vcpu_arch *vcpu = &v->arch; + struct kvm_arch *ka = &v->kvm->arch; +- void *shared_kaddr; + s64 kernel_ns, max_kernel_ns; + u64 tsc_timestamp, host_tsc; +- struct pvclock_vcpu_time_info *guest_hv_clock; ++ struct pvclock_vcpu_time_info guest_hv_clock; + u8 pvclock_flags; + bool use_master_clock; + +@@ -1465,7 +1464,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) + + local_irq_restore(flags); + +- if (!vcpu->time_page) ++ if (!vcpu->pv_time_enabled) + return 0; + + /* +@@ -1527,12 +1526,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) + */ + vcpu->hv_clock.version += 2; + +- shared_kaddr = kmap_atomic(vcpu->time_page); +- +- guest_hv_clock = shared_kaddr + vcpu->time_offset; ++ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time, ++ &guest_hv_clock, sizeof(guest_hv_clock)))) ++ return 0; + + /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ +- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); ++ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED); + + if (vcpu->pvclock_set_guest_stopped_request) { + pvclock_flags |= PVCLOCK_GUEST_STOPPED; +@@ -1545,12 +1544,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) + + vcpu->hv_clock.flags = pvclock_flags; + +- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock, +- sizeof(vcpu->hv_clock)); +- +- kunmap_atomic(shared_kaddr); +- +- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT); ++ kvm_write_guest_cached(v->kvm, &vcpu->pv_time, ++ &vcpu->hv_clock, ++ sizeof(vcpu->hv_clock)); + return 0; + } + +@@ -1692,8 +1688,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); 
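Review bot: kvm_guest_time_update() checks the result of kvm_read_guest_cached() but discards the result of kvm_write_guest_cached(), so a failed write of `vcpu->hv_clock` to the guest goes unnoticed. The early `return 0` on a failed read also comes after `vcpu->hv_clock.version += 2` in the context above, so the host copy's version advances without a matching guest update. Neither looks unsafe for the host, but a comment such as `/* best effort: the guest keeps its previous clock data if the access fails */` would make the choice explicit.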
@@ -23762,7 +24055,51 @@ index c243b81..9eb193f 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2571,6 +2571,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -1839,10 +1835,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data) + + static void kvmclock_reset(struct kvm_vcpu *vcpu) + { +- if (vcpu->arch.time_page) { +- kvm_release_page_dirty(vcpu->arch.time_page); +- vcpu->arch.time_page = NULL; +- } ++ vcpu->arch.pv_time_enabled = false; + } + + static void accumulate_steal_time(struct kvm_vcpu *vcpu) +@@ -1948,6 +1941,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + break; + case MSR_KVM_SYSTEM_TIME_NEW: + case MSR_KVM_SYSTEM_TIME: { ++ u64 gpa_offset; + kvmclock_reset(vcpu); + + vcpu->arch.time = data; +@@ -1957,14 +1951,17 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + if (!(data & 1)) + break; + +- /* ...but clean it before doing the actual write */ +- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); ++ gpa_offset = data & ~(PAGE_MASK | 1); + +- vcpu->arch.time_page = +- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); ++ /* Check that the address is 32-byte aligned. */ ++ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)) ++ break; + +- if (is_error_page(vcpu->arch.time_page)) +- vcpu->arch.time_page = NULL; ++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ++ &vcpu->arch.pv_time, data & ~1ULL)) ++ vcpu->arch.pv_time_enabled = false; ++ else ++ vcpu->arch.pv_time_enabled = true; + + break; + } +@@ -2571,6 +2568,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; 
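Review bot: The alignment test `gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)` in kvm_set_msr_common() is a valid mask only if that size is a power of two, and the comment hard-codes "32-byte" while the code uses sizeof. A `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) != 32);` beside it would keep the two in step. The comment could also say that the alignment keeps the structure from straddling a page boundary; that is my reading, since the cache-init helper is outside the hunk. On a misaligned address the code `break`s with `vcpu->arch.time = data` already stored and pv_time_enabled left false, which deserves a comment as well.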
@@ -23771,7 +24108,7 @@ index c243b81..9eb193f 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2700,7 +2702,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -2700,7 +2699,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { @@ -23780,7 +24117,16 @@ index c243b81..9eb193f 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -5213,7 +5215,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -2967,7 +2966,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu, + */ + static int kvm_set_guest_paused(struct kvm_vcpu *vcpu) + { +- if (!vcpu->arch.time_page) ++ if (!vcpu->arch.pv_time_enabled) + return -EINVAL; + vcpu->arch.pvclock_set_guest_stopped_request = true; + kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); +@@ -5213,7 +5212,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -23789,6 +24135,14 @@ index c243b81..9eb193f 100644 { int r; struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque; +@@ -6661,6 +6660,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) + goto fail_free_wbinvd_dirty_mask; + + vcpu->arch.ia32_tsc_adjust_msr = 0x0; ++ vcpu->arch.pv_time_enabled = false; + kvm_async_pf_hash_reset(vcpu); + kvm_pmu_init(vcpu); + diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c index df4176c..23ce092 100644 --- a/arch/x86/lguest/boot.c @@ -26731,7 +27085,7 @@ index 903ec1e..c4166b2 100644 } diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index fb674fd..272f369 100644 +index fb674fd..1be28b9 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -13,12 +13,19 @@ 
@@ -26917,7 +27271,7 @@ index fb674fd..272f369 100644 if (pte && pte_present(*pte) && !pte_exec(*pte)) - printk(nx_warning, from_kuid(&init_user_ns, current_uid())); -+ printk(nx_warning, from_kuid(&init_user_ns, current_uid()), current->comm, task_pid_nr(current)); ++ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current)); } +#ifdef CONFIG_PAX_KERNEXEC @@ -26925,10 +27279,10 @@ index fb674fd..272f369 100644 + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + else + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + } +#endif + @@ -28427,6 +28781,19 @@ index dc0b727..f612039 100644 { might_sleep(); if (is_enabled()) /* recheck and proper locking in *_core() */ +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index 8504f36..5fc68f2 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -478,7 +478,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi) + return true; + } + +-static int __init numa_register_memblks(struct numa_meminfo *mi) ++static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi) + { + unsigned long uninitialized_var(pfn_align); + int i, nid; diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c index b008656..773eac2 100644 --- a/arch/x86/mm/pageattr-test.c 
@@ -28907,6 +29274,28 @@ index a69bcb8..19068ab 100644 /* * It's enough to flush this one mapping. +diff --git a/arch/x86/mm/physaddr.c b/arch/x86/mm/physaddr.c +index d2e2735..5c6586f 100644 +--- a/arch/x86/mm/physaddr.c ++++ b/arch/x86/mm/physaddr.c +@@ -8,7 +8,7 @@ + + #ifdef CONFIG_X86_64 + +-unsigned long __phys_addr(unsigned long x) ++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x) + { + if (x >= __START_KERNEL_map) { + x -= __START_KERNEL_map; +@@ -45,7 +45,7 @@ EXPORT_SYMBOL(__virt_addr_valid); + #else + + #ifdef CONFIG_DEBUG_VIRTUAL +-unsigned long __phys_addr(unsigned long x) ++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x) + { + /* VMALLOC_* aren't constants */ + VIRTUAL_BUG_ON(x < PAGE_OFFSET); diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c index 410531d..0f16030 100644 --- a/arch/x86/mm/setup_nx.c @@ -30136,10 +30525,10 @@ index d6ee929..3637cb5 100644 .getproplen = olpc_dt_getproplen, .getproperty = olpc_dt_getproperty, diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c -index 120cee1..b2db75a 100644 +index 3c68768..07e82b8 100644 --- a/arch/x86/power/cpu.c +++ b/arch/x86/power/cpu.c -@@ -133,7 +133,7 @@ static void do_fpu_end(void) +@@ -134,7 +134,7 @@ static void do_fpu_end(void) static void fix_processor_context(void) { int cpu = smp_processor_id(); @@ -30148,7 +30537,7 @@ index 120cee1..b2db75a 100644 set_tss_desc(cpu, t); /* * This just modifies memory; should not be -@@ -143,8 +143,6 @@ static void fix_processor_context(void) +@@ -144,8 +144,6 @@ static void fix_processor_context(void) */ #ifdef CONFIG_X86_64 
@@ -31417,6 +31806,19 @@ index ea61ca9..3fdd70d 100644 static void delete_gpe_attr_array(void) { +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index 6cd7805..07facb3 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1230,7 +1230,7 @@ int ahci_kick_engine(struct ata_port *ap) + } + EXPORT_SYMBOL_GPL(ahci_kick_engine); + +-static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp, ++static int __intentional_overflow(-1) ahci_exec_polled_cmd(struct ata_port *ap, int pmp, + struct ata_taskfile *tf, int is_cmd, u16 flags, + unsigned long timeout_msec) + { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index 46cd3f4..0871ad0 100644 --- a/drivers/ata/libata-core.c @@ -33037,7 +33439,7 @@ index a9eccfc..f5efe87 100644 static struct asender_cmd asender_tbl[] = { [P_PING] = { 0, got_Ping }, diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index ae12512..37fa397 100644 +index 8bc6d39..f492563 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -226,7 +226,7 @@ static int __do_lo_send_write(struct file *file, @@ -34603,7 +35005,7 @@ index 8a7c48b..72effc2 100644 if (IS_GEN6(dev) || IS_GEN7(dev)) { seq_printf(m, diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index 5206f24..7af0a0a 100644 +index 99daa89..84ebd44 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1253,7 +1253,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) @@ -34616,7 +35018,7 @@ index 5206f24..7af0a0a 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 66ad64f..a865871 100644 +index 7339a4b..445aaba 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -656,7 +656,7 @@ typedef struct drm_i915_private { 
@@ -34628,7 +35030,7 @@ index 66ad64f..a865871 100644 /* protects the irq masks */ spinlock_t irq_lock; -@@ -1103,7 +1103,7 @@ struct drm_i915_gem_object { +@@ -1102,7 +1102,7 @@ struct drm_i915_gem_object { * will be page flipped away on the next vblank. When it * reaches 0, dev_priv->pending_flip_queue will be woken up. */ @@ -34637,7 +35039,7 @@ index 66ad64f..a865871 100644 }; #define to_gem_object(obj) (&((struct drm_i915_gem_object *)(obj))->base) -@@ -1634,7 +1634,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( +@@ -1633,7 +1633,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( struct drm_i915_private *dev_priv, unsigned port); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -34647,7 +35049,7 @@ index 66ad64f..a865871 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index 26d08bb..fccb984 100644 +index 26d08bb..e24fb51 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -672,7 +672,7 @@ i915_gem_execbuffer_move_to_gpu(struct intel_ring_buffer *ring, @@ -34659,7 +35061,7 @@ index 26d08bb..fccb984 100644 flush_domains |= obj->base.write_domain; } -@@ -703,9 +703,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) +@@ -703,18 +703,23 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, 
@@ -34668,9 +35070,35 @@ index 26d08bb..fccb984 100644 { - int i; + unsigned int i; ++ int relocs_total = 0; ++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; + int length; /* limited by fault_in_pages_readable() */ + +- /* First check for malicious input causing overflow */ +- if (exec[i].relocation_count > +- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) ++ /* First check for malicious input causing overflow in ++ * the worst case where we need to allocate the entire ++ * relocation tree as a single array. ++ */ ++ if (exec[i].relocation_count > relocs_max - relocs_total) + return -EINVAL; ++ relocs_total += exec[i].relocation_count; + + length = exec[i].relocation_count * + sizeof(struct drm_i915_gem_relocation_entry); +@@ -1197,7 +1202,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, + return -ENOMEM; + } + ret = copy_from_user(exec2_list, +- (struct drm_i915_relocation_entry __user *) ++ (struct drm_i915_gem_exec_object2 __user *) + (uintptr_t) args->buffers_ptr, + sizeof(*exec2_list) * args->buffer_count); + if (ret != 0) { diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c index 3c59584..500f2e9 100644 --- a/drivers/gpu/drm/i915/i915_ioc32.c @@ -34707,10 +35135,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index 3c00403..5a5c6c9 100644 +index fe84338..a863190 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -539,7 +539,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) +@@ -535,7 +535,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) u32 pipe_stats[I915_MAX_PIPES]; bool blc_event; 
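Review bot: In `validate_exec_list` the new running total is kept in signed `int` (`relocs_total`, `relocs_max`) but is compared against and incremented by `exec[i].relocation_count`, which looks like an unsigned field of the ioctl structure (its declaration is not in the hunk). The check `exec[i].relocation_count > relocs_max - relocs_total` is sound only because `relocs_total` can never exceed `relocs_max`, so the subtraction stays non-negative before the implicit conversion; that invariant is not stated anywhere. I would make the types match the field, `unsigned int relocs_total = 0;` and `const unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);`, so the comparison is unsigned throughout. The function body continues outside the hunk.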
@@ -34719,7 +35147,7 @@ index 3c00403..5a5c6c9 100644 while (true) { iir = I915_READ(VLV_IIR); -@@ -692,7 +692,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) +@@ -688,7 +688,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) irqreturn_t ret = IRQ_NONE; int i; @@ -34728,7 +35156,7 @@ index 3c00403..5a5c6c9 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -764,7 +764,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) +@@ -760,7 +760,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) int ret = IRQ_NONE; u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir; @@ -34737,7 +35165,7 @@ index 3c00403..5a5c6c9 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -1791,7 +1791,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -1787,7 +1787,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -34746,7 +35174,7 @@ index 3c00403..5a5c6c9 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -1817,7 +1817,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) +@@ -1813,7 +1813,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34755,7 +35183,7 @@ index 3c00403..5a5c6c9 100644 /* VLV magic */ I915_WRITE(VLV_IMR, 0); -@@ -2112,7 +2112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) +@@ -2108,7 +2108,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; 
@@ -34764,7 +35192,7 @@ index 3c00403..5a5c6c9 100644 for_each_pipe(pipe) I915_WRITE(PIPESTAT(pipe), 0); -@@ -2163,7 +2163,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) +@@ -2159,7 +2159,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -34773,7 +35201,7 @@ index 3c00403..5a5c6c9 100644 iir = I915_READ16(IIR); if (iir == 0) -@@ -2248,7 +2248,7 @@ static void i915_irq_preinstall(struct drm_device * dev) +@@ -2244,7 +2244,7 @@ static void i915_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34782,7 +35210,7 @@ index 3c00403..5a5c6c9 100644 if (I915_HAS_HOTPLUG(dev)) { I915_WRITE(PORT_HOTPLUG_EN, 0); -@@ -2343,7 +2343,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) +@@ -2339,7 +2339,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) }; int pipe, ret = IRQ_NONE; @@ -34791,7 +35219,7 @@ index 3c00403..5a5c6c9 100644 iir = I915_READ(IIR); do { -@@ -2469,7 +2469,7 @@ static void i965_irq_preinstall(struct drm_device * dev) +@@ -2465,7 +2465,7 @@ static void i965_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34800,7 +35228,7 @@ index 3c00403..5a5c6c9 100644 I915_WRITE(PORT_HOTPLUG_EN, 0); I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); -@@ -2576,7 +2576,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) +@@ -2572,7 +2572,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) int irq_received; int ret = IRQ_NONE, pipe; 
@@ -36214,6 +36642,32 @@ index 1f95bba..9530f87 100644 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr, sdata, wqe->wr.wr.atomic.swap); goto send_comp; +diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c +index 9d3e5c1..d9afe4a 100644 +--- a/drivers/infiniband/hw/mthca/mthca_cmd.c ++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c +@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base) + mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n"); + } + +-int mthca_QUERY_FW(struct mthca_dev *dev) ++int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev) + { + struct mthca_mailbox *mailbox; + u32 *outbox; +diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c +index ed9a989..e0c5871 100644 +--- a/drivers/infiniband/hw/mthca/mthca_mr.c ++++ b/drivers/infiniband/hw/mthca/mthca_mr.c +@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key) + return key; + } + +-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift, ++int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift, + u64 iova, u64 total_size, u32 access, struct mthca_mr *mr) + { + struct mthca_mailbox *mailbox; diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c index 5b152a3..c1f3e83 100644 --- a/drivers/infiniband/hw/nes/nes.c 
@@ -37003,6 +37457,19 @@ index a5ebc00..982886f 100644 end_switcher_text - start_switcher_text); printk(KERN_INFO "lguest: mapped switcher at %p\n", +diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c +index 3b62be16..e33134a 100644 +--- a/drivers/lguest/page_tables.c ++++ b/drivers/lguest/page_tables.c +@@ -532,7 +532,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr) + /*:*/ + + #ifdef CONFIG_X86_PAE +-static void release_pmd(pmd_t *spmd) ++static void __intentional_overflow(-1) release_pmd(pmd_t *spmd) + { + /* If the entry's not present, there's nothing to release. */ + if (pmd_flags(*spmd) & _PAGE_PRESENT) { diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c index 4af12e1..0e89afe 100644 --- a/drivers/lguest/x86/core.c @@ -37928,7 +38395,7 @@ index 29b2172..a7c5b31 100644 dev->req->sg.length : dev->req->data_len; diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c -index fb69baa..cf7ad22 100644 +index fb69baa..3aeea2e 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c @@ -6755,8 +6755,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) @@ -37945,6 +38412,18 @@ index fb69baa..cf7ad22 100644 /* * Rounding UP to nearest 4-kB boundary here... */ +@@ -6769,7 +6774,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) + ioc->facts.GlobalCredits); + + seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n", ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, NULL); ++#else + (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma); ++#endif + sz = (ioc->reply_sz * ioc->reply_depth) + 128; + seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", + ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c index fa43c39..daeb158 100644 --- a/drivers/message/fusion/mptsas.c 
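Review bot: In the second mptbase.c hunk (`mpt_iocinfo_proc_show`, inner line 6769) the `#ifdef CONFIG_GRKERNSEC_HIDESYM` sits inside the argument list of a single `seq_printf` call, and nothing says why the two pointer arguments are replaced by `NULL, NULL`. Presumably the intent is to keep the kernel and DMA addresses of the frame pool out of this proc output; the format string still prints both `0x%p` fields, so readers of the file will see null values without explanation. A comment directly above the `#ifdef`, such as `/* HIDESYM: do not expose kernel/DMA addresses in this proc file */`, would document that. The function starts and ends outside the hunk.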
@@ -38709,10 +39188,10 @@ index 8dd6ba5..419cc1d 100644 struct sm_sysfs_attribute *vendor_attribute; diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index b7d45f3..b5c89d9 100644 +index a079da17..f86ffd5 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c -@@ -4861,7 +4861,7 @@ static unsigned int bond_get_num_tx_queues(void) +@@ -4862,7 +4862,7 @@ static unsigned int bond_get_num_tx_queues(void) return tx_queues; } @@ -39022,10 +39501,10 @@ index 1e9cb0b..7839125 100644 priv = netdev_priv(dev); priv->phy = phy; diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c -index d3fb97d..19520c7 100644 +index e5cb723..1fc0461 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c -@@ -851,13 +851,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { +@@ -852,13 +852,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { int macvlan_link_register(struct rtnl_link_ops *ops) { /* common fields */ @@ -39048,7 +39527,7 @@ index d3fb97d..19520c7 100644 return rtnl_link_register(ops); }; -@@ -913,7 +915,7 @@ static int macvlan_device_event(struct notifier_block *unused, +@@ -914,7 +916,7 @@ static int macvlan_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -39105,10 +39584,10 @@ index 508570e..f706dc7 100644 err = 0; break; diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index ad86660..9fd0884 100644 +index 8efe47a..a8075c5 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2601,7 +2601,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2603,7 +2603,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -39118,10 +39597,10 @@ index ad86660..9fd0884 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 2917a86..edd463f 100644 +index cb95fe5..a5bdab5 100644 --- a/drivers/net/tun.c 
+++ b/drivers/net/tun.c -@@ -1836,7 +1836,7 @@ unlock: +@@ -1838,7 +1838,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -39130,7 +39609,7 @@ index 2917a86..edd463f 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1848,6 +1848,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1850,6 +1850,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -39232,7 +39711,7 @@ index cd8ccb2..cff5144 100644 hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index 656230e..15525a8 100644 +index 6993bfa..9053a34 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1428,7 +1428,7 @@ nla_put_failure: @@ -39244,6 +39723,19 @@ index 656230e..15525a8 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, +diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c +index 77fa428..996b355 100644 +--- a/drivers/net/wireless/at76c50x-usb.c ++++ b/drivers/net/wireless/at76c50x-usb.c +@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state) + } + + /* Convert timeout from the DFU status to jiffies */ +-static inline unsigned long at76_get_timeout(struct dfu_status *s) ++static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s) + { + return msecs_to_jiffies((s->poll_timeout[2] << 16) + | (s->poll_timeout[1] << 8) diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c index 8d78253..bebbb68 100644 --- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c 
@@ -39848,6 +40340,19 @@ index ed2c3ec..deda85a 100644 start_switch_worker(); } +diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c +index 84a208d..d61b0a1 100644 +--- a/drivers/oprofile/oprofile_files.c ++++ b/drivers/oprofile/oprofile_files.c +@@ -27,7 +27,7 @@ unsigned long oprofile_time_slice; + + #ifdef CONFIG_OPROFILE_EVENT_MULTIPLEX + +-static ssize_t timeout_read(struct file *file, char __user *buf, ++static ssize_t __intentional_overflow(-1) timeout_read(struct file *file, char __user *buf, + size_t count, loff_t *offset) + { + return oprofilefs_ulong_to_user(jiffies_to_msecs(oprofile_time_slice), diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c index 917d28e..d62d981 100644 --- a/drivers/oprofile/oprofile_stats.c @@ -40469,7 +40974,7 @@ index cc439fd..8fa30df 100644 #endif /* CONFIG_SYSFS */ diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c -index 8a7cfb3..493e0a2 100644 +index 8a7cfb3..72e6e9b 100644 --- a/drivers/power/power_supply_core.c +++ b/drivers/power/power_supply_core.c @@ -24,7 +24,10 @@ @@ -40484,11 +40989,12 @@ index 8a7cfb3..493e0a2 100644 static int __power_supply_changed_work(struct device *dev, void *data) { -@@ -393,7 +396,6 @@ static int __init power_supply_class_init(void) +@@ -393,7 +396,7 @@ static int __init power_supply_class_init(void) return PTR_ERR(power_supply_class); power_supply_class->dev_uevent = power_supply_uevent; - power_supply_init_attrs(&power_supply_dev_type); ++ power_supply_init_attrs(); return 0; } @@ -42429,10 +42935,10 @@ index 19083ef..6e34e97 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 79ff3a5..1fe9399 100644 +index ac35c90..c47deac 100644 --- a/drivers/tty/pty.c 
+++ b/drivers/tty/pty.c -@@ -791,8 +791,10 @@ static void __init unix98_pty_init(void) +@@ -790,8 +790,10 @@ static void __init unix98_pty_init(void) panic("Couldn't register Unix98 pts driver"); /* Now create the /dev/ptmx special device */ 
@@ -43436,75 +43942,6 @@ index 35f10bf..6a38a0b 100644 if (!left--) { if (instance->disconnected) -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c -index 5f0cb41..122d056 100644 ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); - #define WDM_RESPONDING 7 - #define WDM_SUSPENDING 8 - #define WDM_RESETTING 9 -+#define WDM_OVERFLOW 10 - - #define WDM_MAX 16 - -@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb) - { - struct wdm_device *desc = urb->context; - int status = urb->status; -+ int length = urb->actual_length; - - spin_lock(&desc->iuspin); - clear_bit(WDM_RESPONDING, &desc->flags); -@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb) - } - - desc->rerr = status; -- desc->reslength = urb->actual_length; -- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); -- desc->length += desc->reslength; -+ if (length + desc->length > desc->wMaxCommand) { -+ /* The buffer would overflow */ -+ set_bit(WDM_OVERFLOW, &desc->flags); -+ } else { -+ /* we may already be in overflow */ -+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { -+ memmove(desc->ubuf + desc->length, desc->inbuf, length); -+ desc->length += length; -+ desc->reslength = length; -+ } -+ } - skip_error: - wake_up(&desc->wait); - -@@ -435,6 +445,11 @@ retry: - rv = -ENODEV; - goto err; - } -+ if (test_bit(WDM_OVERFLOW, &desc->flags)) { -+ clear_bit(WDM_OVERFLOW, &desc->flags); -+ rv = -ENOBUFS; -+ goto err; -+ } - i++; - if (file->f_flags & O_NONBLOCK) { - if (!test_bit(WDM_READ, &desc->flags)) { -@@ -478,6 +493,7 @@ retry: - spin_unlock_irq(&desc->iuspin); - goto retry; - } -+ - if (!desc->reslength) { /* zero length read */ - dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); - clear_bit(WDM_READ, &desc->flags); -@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf) - struct wdm_device *desc = wdm_find_device(intf); - int rv; 
- -+ clear_bit(WDM_OVERFLOW, &desc->flags); - clear_bit(WDM_RESETTING, &desc->flags); - rv = recover_from_urb_loss(desc); - mutex_unlock(&desc->wlock); diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c index cbacea9..246cccd 100644 --- a/drivers/usb/core/devices.c @@ -43558,6 +43995,19 @@ index 8e64adf..9a33a3c 100644 if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); usb_put_urb(urb); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 131f736..99004c3 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -129,7 +129,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev, + * method can wait for it to complete. Since you don't have a handle on the + * URB used, you can't cancel the request. + */ +-int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, ++int __intentional_overflow(-1) usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, + __u8 requesttype, __u16 value, __u16 index, void *data, + __u16 size, int timeout) + { diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index 818e4a0..0fc9589 100644 --- a/drivers/usb/core/sysfs.c @@ -47264,6 +47714,28 @@ index 03bc1d3..6205356 100644 else { qstr.len = autofs4_getpath(sbi, dentry, &name); if (!qstr.len) { +diff --git a/fs/befs/endian.h b/fs/befs/endian.h +index 2722387..c8dd2a7 100644 +--- a/fs/befs/endian.h ++++ b/fs/befs/endian.h +@@ -11,7 +11,7 @@ + + #include <asm/byteorder.h> + +-static inline u64 ++static inline u64 __intentional_overflow(-1) + fs64_to_cpu(const struct super_block *sb, fs64 n) + { + if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE) +@@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n) + return (__force fs64)cpu_to_be64(n); + } + +-static inline u32 ++static inline u32 __intentional_overflow(-1) + fs32_to_cpu(const struct super_block *sb, fs32 n) + { + if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE) 
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c index 2b3bda8..6a2d4be 100644 --- a/fs/befs/linuxvfs.c @@ -47358,7 +47830,7 @@ index 6043567..16a9239 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 0c42cdb..9551bb8 100644 +index 0c42cdb..12478dd 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -33,6 +33,7 @@ @@ -47855,7 +48327,7 @@ index 0c42cdb..9551bb8 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -715,11 +1050,82 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -715,11 +1050,81 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; /* OK, This is the point of no return */ @@ -47876,7 +48348,6 @@ index 0c42cdb..9551bb8 100644 +#ifdef CONFIG_PAX_ASLR + current->mm->delta_mmap = 0UL; + current->mm->delta_stack = 0UL; -+ current->mm->aslr_gap = 0UL; +#endif + + current->mm->def_flags = 0; @@ -47939,7 +48410,7 @@ index 0c42cdb..9551bb8 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -810,6 +1216,20 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -810,6 +1215,20 @@ static int load_elf_binary(struct linux_binprm *bprm) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -47960,7 +48431,7 @@ index 0c42cdb..9551bb8 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -842,9 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -842,9 +1261,9 @@ static int load_elf_binary(struct linux_binprm *bprm) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ 
@@ -47973,7 +48444,7 @@ index 0c42cdb..9551bb8 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -883,17 +1303,44 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -883,17 +1302,45 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -47989,23 +48460,24 @@ index 0c42cdb..9551bb8 100644 +#ifdef CONFIG_PAX_RANDMMAP + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { -+ unsigned long start, size; ++ unsigned long start, size, flags, vm_flags; + + start = ELF_PAGEALIGN(elf_brk); + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4); -+ down_read(¤t->mm->mmap_sem); -+ retval = -ENOMEM; -+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { -+ unsigned long prot = PROT_NONE; ++ flags = MAP_FIXED | MAP_PRIVATE; ++ vm_flags = VM_DONTEXPAND | VM_DONTDUMP; + -+ up_read(¤t->mm->mmap_sem); -+ current->mm->aslr_gap += PAGE_ALIGN(size) >> PAGE_SHIFT; ++ down_write(¤t->mm->mmap_sem); ++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags); ++ retval = -ENOMEM; ++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { +// if (current->personality & ADDR_NO_RANDOMIZE) -+// prot = PROT_READ; -+ start = vm_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0); ++// vm_flags |= VM_READ | VM_MAYREAD; ++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0); ++ up_write(¤t->mm->mmap_sem); + retval = IS_ERR_VALUE(start) ? start : 0; + } else -+ up_read(¤t->mm->mmap_sem); ++ up_write(¤t->mm->mmap_sem); + if (retval == 0) + retval = set_brk(start + size, start + size + PAGE_SIZE); + if (retval < 0) { @@ -48301,7 +48773,7 @@ index b96fc6c..431d628 100644 __bio_for_each_segment(bvec, bio, i, 0) { char *addr = page_address(bvec->bv_page); 
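Review bot: In the PAX_RANDMMAP block of `load_elf_binary` (outer hunk at 47989) the gap is now mapped with length `PAGE_ALIGN(size)`, but the `find_vma_intersection` range and the following `set_brk(start + size, start + size + PAGE_SIZE)` still use the unaligned `size`, which is `PAGE_SIZE` plus a random value shifted left by 4 and so is usually not a page multiple. The three uses agree only if `set_brk` rounds its arguments itself, which is not visible in this hunk. Rounding once, `size = PAGE_ALIGN(PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4));`, and using `size` everywhere afterwards would remove that dependency. The two `//` commented-out `ADDR_NO_RANDOMIZE` lines should be deleted or turned into a comment explaining why read permission is not granted on the gap. The function continues outside the hunk.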
diff --git a/fs/block_dev.c b/fs/block_dev.c -index 78333a3..23dcb4d 100644 +index 78edf76..da14f3f 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -651,7 +651,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole, @@ -49492,7 +49964,7 @@ index b2a34a1..162fa69 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 20df02c..81c9e78 100644 +index 20df02c..09b65a1 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,6 +55,17 @@ @@ -49617,28 +50089,16 @@ index 20df02c..81c9e78 100644 return 0; err: up_write(&mm->mmap_sem); -@@ -384,19 +421,7 @@ err: - return err; - } +@@ -396,7 +433,7 @@ struct user_arg_ptr { + } ptr; + }; --struct user_arg_ptr { --#ifdef CONFIG_COMPAT -- bool is_compat; --#endif -- union { -- const char __user *const __user *native; --#ifdef CONFIG_COMPAT -- const compat_uptr_t __user *compat; --#endif -- } ptr; --}; -- -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) +const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) { const char __user *native; -@@ -405,14 +430,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) +@@ -405,14 +442,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) compat_uptr_t compat; if (get_user(compat, argv.ptr.compat + nr)) @@ -49655,7 +50115,7 @@ index 20df02c..81c9e78 100644 return native; } -@@ -431,7 +456,7 @@ static int count(struct user_arg_ptr argv, int max) +@@ -431,7 +468,7 @@ static int count(struct user_arg_ptr argv, int max) if (!p) break; @@ -49664,7 +50124,7 @@ index 20df02c..81c9e78 100644 return -EFAULT; if (i >= max) -@@ -466,7 +491,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, +@@ -466,7 +503,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, ret = -EFAULT; str = get_user_arg_ptr(argv, argc); 
@@ -49673,7 +50133,7 @@ index 20df02c..81c9e78 100644 goto out; len = strnlen_user(str, MAX_ARG_STRLEN); -@@ -548,7 +573,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, +@@ -548,7 +585,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, int r; mm_segment_t oldfs = get_fs(); struct user_arg_ptr argv = { @@ -49682,7 +50142,7 @@ index 20df02c..81c9e78 100644 }; set_fs(KERNEL_DS); -@@ -583,7 +608,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -583,7 +620,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) unsigned long new_end = old_end - shift; struct mmu_gather tlb; @@ -49692,7 +50152,7 @@ index 20df02c..81c9e78 100644 /* * ensure there are no vmas between where we want to go -@@ -592,6 +618,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -592,6 +630,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) if (vma != find_vma(mm, new_start)) return -EFAULT; @@ -49703,7 +50163,7 @@ index 20df02c..81c9e78 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -672,10 +702,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -672,10 +714,6 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -49714,7 +50174,7 @@ index 20df02c..81c9e78 100644 stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; -@@ -687,8 +713,28 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -687,8 +725,28 @@ int setup_arg_pages(struct linux_binprm *bprm, bprm->exec -= stack_shift; down_write(&mm->mmap_sem); 
@@ -49743,7 +50203,7 @@ index 20df02c..81c9e78 100644 /* * Adjust stack execute permissions; explicitly enable for * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone -@@ -707,13 +753,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -707,13 +765,6 @@ int setup_arg_pages(struct linux_binprm *bprm, goto out_unlock; BUG_ON(prev != vma); @@ -49757,12 +50217,12 @@ index 20df02c..81c9e78 100644 /* mprotect_fixup is overkill to remove the temporary stack flags */ vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; -@@ -737,6 +776,30 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -737,6 +788,27 @@ int setup_arg_pages(struct linux_binprm *bprm, #endif current->mm->start_stack = bprm->p; ret = expand_stack(vma, stack_base); + -+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR) ++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP) + if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) { + unsigned long size, flags, vm_flags; + @@ -49774,11 +50234,8 @@ index 20df02c..81c9e78 100644 + +#ifdef CONFIG_X86 + if (!ret) { -+ current->mm->aslr_gap += size >> PAGE_SHIFT; + size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT)); -+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0); -+ if (!ret) -+ current->mm->aslr_gap += size >> PAGE_SHIFT; ++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0); + } +#endif + @@ -49788,7 +50245,7 @@ index 20df02c..81c9e78 100644 if (ret) ret = -EFAULT; -@@ -772,6 +835,8 @@ struct file *open_exec(const char *name) +@@ -772,6 +844,8 @@ struct file *open_exec(const char *name) fsnotify_open(file); 
@@ -49797,7 +50254,7 @@ index 20df02c..81c9e78 100644 err = deny_write_access(file); if (err) goto exit; -@@ -795,7 +860,7 @@ int kernel_read(struct file *file, loff_t offset, +@@ -795,7 +869,7 @@ int kernel_read(struct file *file, loff_t offset, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49806,7 +50263,7 @@ index 20df02c..81c9e78 100644 set_fs(old_fs); return result; } -@@ -1247,7 +1312,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1247,7 +1321,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -49815,7 +50272,7 @@ index 20df02c..81c9e78 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1447,6 +1512,28 @@ int search_binary_handler(struct linux_binprm *bprm) +@@ -1447,6 +1521,31 @@ int search_binary_handler(struct linux_binprm *bprm) EXPORT_SYMBOL(search_binary_handler); @@ -49841,10 +50298,13 @@ index 20df02c..81c9e78 100644 +static inline void increment_exec_counter(void) {} +#endif + ++extern void gr_handle_exec_args(struct linux_binprm *bprm, ++ struct user_arg_ptr argv); ++ /* * sys_execve() executes a new program. */ -@@ -1454,6 +1541,11 @@ static int do_execve_common(const char *filename, +@@ -1454,6 +1553,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr argv, struct user_arg_ptr envp) { @@ -49856,7 +50316,7 @@ index 20df02c..81c9e78 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1461,6 +1553,8 @@ static int do_execve_common(const char *filename, +@@ -1461,6 +1565,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); 
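Review bot: The prototype `extern void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);` is declared directly in fs/exec.c, above the sys_execve comment, instead of in a header shared with the file that defines the function. `struct user_arg_ptr` is passed by value and, per the earlier fs/exec.c hunk, is still defined in exec.c itself, so the defining file presumably carries its own copy of the struct. Nothing then makes the compiler check that the two layouts and signatures stay in step. I would move the struct and both prototypes (`get_user_arg_ptr`, which this patch makes non-static, and `gr_handle_exec_args`) into one internal header included by both files. The definition of `gr_handle_exec_args` is not visible on this page.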
@@ -49865,7 +50325,7 @@ index 20df02c..81c9e78 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1501,12 +1595,27 @@ static int do_execve_common(const char *filename, +@@ -1501,12 +1607,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -49893,7 +50353,7 @@ index 20df02c..81c9e78 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1523,24 +1632,65 @@ static int do_execve_common(const char *filename, +@@ -1523,24 +1644,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -49963,7 +50423,7 @@ index 20df02c..81c9e78 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1549,6 +1699,14 @@ static int do_execve_common(const char *filename, +@@ -1549,6 +1711,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -49978,7 +50438,7 @@ index 20df02c..81c9e78 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1697,3 +1855,253 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1697,3 +1867,253 @@ asmlinkage long compat_sys_execve(const char __user * filename, return error; } #endif @@ -50099,7 +50559,7 @@ index 20df02c..81c9e78 100644 + else + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -+ from_kuid(&init_user_ns, task_uid(tsk)), from_kuid(&init_user_ns, task_euid(tsk)), pc, sp); ++ from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp); + free_page((unsigned long)buffer_exec); + free_page((unsigned long)buffer_fault); + pax_report_insns(regs, pc, sp); 
@@ -50118,10 +50578,10 @@ index 20df02c..81c9e78 100644 + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + else + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), -+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); + show_regs(regs); + force_sig_info(SIGKILL, SEND_SIG_FORCED, current); @@ -52337,7 +52797,7 @@ index a94e331..060bce3 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index ec97aef..eedf4fe 100644 +index ec97aef..e67718d 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask) @@ -52440,17 +52900,11 @@ index ec97aef..eedf4fe 100644 put_link(nd, &link, cookie); } } -@@ -1984,6 +2002,19 @@ static int path_lookupat(int dfd, const char *name, +@@ -1984,6 +2002,13 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); + if (!err && !(nd->flags & LOOKUP_PARENT)) { -+#ifdef CONFIG_GRKERNSEC -+ if (flags & LOOKUP_RCU) { -+ path_put(&nd->path); -+ err = -ECHILD; -+ } else -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + path_put(&nd->path); + err = -ENOENT; 
@@ -52460,26 +52914,24 @@ index ec97aef..eedf4fe 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) { if (!nd->inode->i_op->lookup) { path_put(&nd->path); -@@ -2011,8 +2042,17 @@ static int filename_lookup(int dfd, struct filename *name, +@@ -2011,8 +2036,15 @@ static int filename_lookup(int dfd, struct filename *name, retval = path_lookupat(dfd, name->name, flags | LOOKUP_REVAL, nd); - if (likely(!retval)) + if (likely(!retval)) { + audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT); + if (name->name[0] != '/' && nd->path.dentry && nd->inode) { -+#ifdef CONFIG_GRKERNSEC -+ if (flags & LOOKUP_RCU) -+ return -ECHILD; -+#endif -+ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) ++ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) { ++ path_put(&nd->path); + return -ENOENT; ++ } + } - audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT); + } return retval; } -@@ -2390,6 +2430,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2390,6 +2422,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -52493,7 +52945,7 @@ index ec97aef..eedf4fe 100644 return 0; } -@@ -2611,7 +2658,7 @@ looked_up: +@@ -2611,7 +2650,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -52502,7 +52954,7 @@ index ec97aef..eedf4fe 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2646,6 +2693,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2646,6 +2685,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; 
@@ -52520,7 +52972,7 @@ index ec97aef..eedf4fe 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2667,6 +2725,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2667,6 +2717,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -52529,7 +52981,7 @@ index ec97aef..eedf4fe 100644 } out_no_open: path->dentry = dentry; -@@ -2681,7 +2741,7 @@ out_dput: +@@ -2681,7 +2733,7 @@ out_dput: /* * Handle the last step of open() */ @@ -52538,16 +52990,10 @@ index ec97aef..eedf4fe 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2710,16 +2770,44 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2710,16 +2762,32 @@ static int do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return error; -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto out; -+ } -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + error = -ENOENT; + goto out; @@ -52566,12 +53012,6 @@ index ec97aef..eedf4fe 100644 error = complete_walk(nd); if (error) return error; -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto out; -+ } -+#endif + if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) { + error = -ENOENT; + goto out; @@ -52583,7 +53023,7 @@ index ec97aef..eedf4fe 100644 audit_inode(name, dir, 0); goto finish_open; } -@@ -2768,7 +2856,7 @@ retry_lookup: +@@ -2768,7 +2836,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -52592,7 +53032,7 @@ index ec97aef..eedf4fe 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2792,11 +2880,28 @@ retry_lookup: +@@ -2792,11 +2860,28 @@ retry_lookup: goto finish_open_created; } 
@@ -52622,7 +53062,7 @@ index ec97aef..eedf4fe 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2837,6 +2942,11 @@ finish_lookup: +@@ -2837,6 +2922,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -52634,7 +53074,7 @@ index ec97aef..eedf4fe 100644 return 1; } -@@ -2846,7 +2956,6 @@ finish_lookup: +@@ -2846,7 +2936,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -52642,17 +53082,11 @@ index ec97aef..eedf4fe 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -2855,6 +2964,22 @@ finish_lookup: +@@ -2855,6 +2944,16 @@ finish_lookup: path_put(&save_parent); return error; } + -+#ifdef CONFIG_GRKERNSEC -+ if (nd->flags & LOOKUP_RCU) { -+ error = -ECHILD; -+ goto out; -+ } -+#endif + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { + error = -ENOENT; + goto out; @@ -52665,7 +53099,7 @@ index ec97aef..eedf4fe 100644 error = -EISDIR; if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode)) goto out; -@@ -2953,7 +3078,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -2953,7 +3052,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -52674,7 +53108,7 @@ index ec97aef..eedf4fe 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2971,7 +3096,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -2971,7 +3070,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; 
@@ -52683,7 +53117,7 @@ index ec97aef..eedf4fe 100644 put_link(nd, &link, cookie); } out: -@@ -3071,8 +3196,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3071,8 +3170,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -52697,7 +53131,7 @@ index ec97aef..eedf4fe 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3124,6 +3253,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3124,6 +3227,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -52718,7 +53152,7 @@ index ec97aef..eedf4fe 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3186,6 +3329,17 @@ retry: +@@ -3186,6 +3303,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -52736,7 +53170,7 @@ index ec97aef..eedf4fe 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3202,6 +3356,8 @@ retry: +@@ -3202,6 +3330,8 @@ retry: break; } out: @@ -52745,7 +53179,7 @@ index ec97aef..eedf4fe 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3254,9 +3410,16 @@ retry: +@@ -3254,9 +3384,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -52762,7 +53196,7 @@ index ec97aef..eedf4fe 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3337,6 +3500,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3337,6 +3474,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; 
@@ -52771,7 +53205,7 @@ index ec97aef..eedf4fe 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3369,10 +3534,21 @@ retry: +@@ -3369,10 +3508,21 @@ retry: error = -ENOENT; goto exit3; } @@ -52793,7 +53227,7 @@ index ec97aef..eedf4fe 100644 exit3: dput(dentry); exit2: -@@ -3438,6 +3614,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3438,6 +3588,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -52802,7 +53236,7 @@ index ec97aef..eedf4fe 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3464,10 +3642,22 @@ retry: +@@ -3464,10 +3616,22 @@ retry: if (!inode) goto slashes; ihold(inode); @@ -52825,7 +53259,7 @@ index ec97aef..eedf4fe 100644 exit2: dput(dentry); } -@@ -3545,9 +3735,17 @@ retry: +@@ -3545,9 +3709,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -52843,7 +53277,7 @@ index ec97aef..eedf4fe 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3621,6 +3819,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3621,6 +3793,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -52851,7 +53285,7 @@ index ec97aef..eedf4fe 100644 int how = 0; int error; -@@ -3644,7 +3843,7 @@ retry: +@@ -3644,7 +3817,7 @@ retry: if (error) return error; @@ -52860,7 +53294,7 @@ index ec97aef..eedf4fe 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3656,11 +3855,28 @@ retry: +@@ -3656,11 +3829,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; 
@@ -52889,7 +53323,7 @@ index ec97aef..eedf4fe 100644 done_path_create(&new_path, new_dentry); if (retry_estale(error, how)) { how |= LOOKUP_REVAL; -@@ -3906,12 +4122,21 @@ retry: +@@ -3906,12 +4096,21 @@ retry: if (new_dentry == trap) goto exit5; @@ -52911,7 +53345,7 @@ index ec97aef..eedf4fe 100644 exit5: dput(new_dentry); exit4: -@@ -3943,6 +4168,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3943,6 +4142,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -52920,7 +53354,7 @@ index ec97aef..eedf4fe 100644 int len; len = PTR_ERR(link); -@@ -3952,7 +4179,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3952,7 +4153,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -54913,6 +55347,28 @@ index 1ccfa53..0848f95 100644 } else if (mm) { pid_t tid = vm_is_stack(priv->task, vma, is_pid); +diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h +index b00fcc9..e0c6381 100644 +--- a/fs/qnx6/qnx6.h ++++ b/fs/qnx6/qnx6.h +@@ -74,7 +74,7 @@ enum { + BYTESEX_BE, + }; + +-static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n) ++static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n) + { + if (sbi->s_bytesex == BYTESEX_LE) + return le64_to_cpu((__force __le64)n); +@@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n) + return (__force __fs64)cpu_to_be64(n); + } + +-static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n) ++static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n) + { + if (sbi->s_bytesex == BYTESEX_LE) + return le32_to_cpu((__force __le32)n); diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c index 16e8abb..2dcf914 100644 
--- a/fs/quota/netlink.c @@ -55436,6 +55892,32 @@ index 3c9eb56..9dea5be 100644 if (!IS_ERR(page)) free_page((unsigned long)page); } +diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h +index 69d4889..a810bd4 100644 +--- a/fs/sysv/sysv.h ++++ b/fs/sysv/sysv.h +@@ -188,7 +188,7 @@ static inline u32 PDP_swab(u32 x) + #endif + } + +-static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n) ++static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n) + { + if (sbi->s_bytesex == BYTESEX_PDP) + return PDP_swab((__force __u32)n); +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c +index e18b988..f1d4ad0f 100644 +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -155,7 +155,7 @@ int ubifs_leb_change(struct ubifs_info *c, int lnum, const void *buf, int len) + return err; + } + +-int ubifs_leb_unmap(struct ubifs_info *c, int lnum) ++int __intentional_overflow(-1) ubifs_leb_unmap(struct ubifs_info *c, int lnum) + { + int err; + diff --git a/fs/udf/misc.c b/fs/udf/misc.c index c175b4d..8f36a16 100644 --- a/fs/udf/misc.c @@ -55449,6 +55931,28 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h +index 8d974c4..b82f6ec 100644 +--- a/fs/ufs/swab.h ++++ b/fs/ufs/swab.h +@@ -22,7 +22,7 @@ enum { + BYTESEX_BE + }; + +-static inline u64 ++static inline u64 __intentional_overflow(-1) + fs64_to_cpu(struct super_block *sbp, __fs64 n) + { + if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE) +@@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n) + return (__force __fs64)cpu_to_be64(n); + } + +-static inline u32 ++static inline u32 __intentional_overflow(-1) + fs32_to_cpu(struct super_block *sbp, __fs32 n) + { + if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE) diff --git a/fs/utimes.c b/fs/utimes.c index f4fb7ec..3fe03c0 100644 --- a/fs/utimes.c @@ -56686,10 +57190,10 @@ index 0000000..1b9afa9 +endif 
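Review bot: The `__intentional_overflow(-1)` markers added to `fs64_to_cpu()` and `fs32_to_cpu()` in fs/qnx6/qnx6.h carry no comment saying why these functions are exempted, and the same holds for the later hunks in fs/sysv/sysv.h, fs/ubifs/io.c, fs/ufs/swab.h and include/linux/{completion,cpumask,err,math64}.h. Presumably each marker switches off overflow instrumentation for the annotated function, which makes it an exemption from a hardening check and worth a one-line rationale beside it; for the byte-swap helpers that could be `/* size_overflow: byte swap, value is not the result of arithmetic */`, if that is the reason. The `ubifs_leb_unmap()` case is the least obvious, since it returns an `int` error code. include/linux/compat.h uses `__intentional_overflow(0)` rather than `(-1)`, and the patch does not say what distinguishes the two arguments, so that belongs in a comment where the attribute is defined.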
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..0767b2e +index 0000000..ab45812 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4067 @@ +@@ -0,0 +1,4071 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -56717,6 +57221,7 @@ index 0000000..0767b2e +#include <linux/percpu.h> +#include <linux/lglock.h> +#include <linux/hugetlb.h> ++#include <linux/posix-timers.h> +#include "../fs/mount.h" + +#include <asm/uaccess.h> @@ -59026,6 +59531,9 @@ index 0000000..0767b2e + + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_CPU) ++ update_rlimit_cpu(task, proc->res[i].rlim_cur); + } + + return; @@ -63283,10 +63791,10 @@ index 0000000..207d409 +#endif diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c new file mode 100644 -index 0000000..abfa971 +index 0000000..387032b --- /dev/null +++ b/grsecurity/grsec_exec.c -@@ -0,0 +1,174 @@ +@@ -0,0 +1,187 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -63298,6 +63806,7 @@ index 0000000..abfa971 +#include <linux/grinternal.h> +#include <linux/capability.h> +#include <linux/module.h> ++#include <linux/compat.h> + +#include <asm/uaccess.h> + @@ -63306,6 +63815,18 @@ index 0000000..abfa971 +static DEFINE_MUTEX(gr_exec_arg_mutex); +#endif + ++struct user_arg_ptr { ++#ifdef CONFIG_COMPAT ++ bool is_compat; ++#endif ++ union { ++ const char __user *const __user *native; ++#ifdef CONFIG_COMPAT ++ const compat_uptr_t __user *compat; ++#endif ++ } ptr; ++}; ++ +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr); + +void 
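Review bot: The new `update_rlimit_cpu(task, proc->res[i].rlim_cur)` call in grsecurity/gracl.c runs for every RLIMIT_CPU value, including an unlimited one. Mainline's do_prlimit() makes the same call only when `rlim_cur != RLIM_INFINITY`, because the helper converts the limit to a CPU-time value and arms the process CPU timer with it; the guard here should match: `if (i == RLIMIT_CPU && proc->res[i].rlim_cur != RLIM_INFINITY)`. The helper also appears to take the task's sighand lock itself, so the locks held by the enclosing function are worth checking against that. The enclosing function starts and ends outside this hunk.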
@@ -66379,6 +66900,36 @@ index 42e55de..1cd0e66 100644 extern struct cleancache_ops cleancache_register_ops(struct cleancache_ops *ops); +diff --git a/include/linux/compat.h b/include/linux/compat.h +index dec7e2d..45db13f 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -311,14 +311,14 @@ long compat_sys_msgsnd(int first, int second, int third, void __user *uptr); + long compat_sys_msgrcv(int first, int second, int msgtyp, int third, + int version, void __user *uptr); + long compat_sys_shmat(int first, int second, compat_uptr_t third, int version, +- void __user *uptr); ++ void __user *uptr) __intentional_overflow(0); + #else + long compat_sys_semctl(int semid, int semnum, int cmd, int arg); + long compat_sys_msgsnd(int msqid, struct compat_msgbuf __user *msgp, + compat_ssize_t msgsz, int msgflg); + long compat_sys_msgrcv(int msqid, struct compat_msgbuf __user *msgp, + compat_ssize_t msgsz, long msgtyp, int msgflg); +-long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg); ++long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0); + #endif + long compat_sys_msgctl(int first, int second, void __user *uptr); + long compat_sys_shmctl(int first, int second, void __user *uptr); +@@ -414,7 +414,7 @@ extern int compat_ptrace_request(struct task_struct *child, + extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + compat_ulong_t addr, compat_ulong_t data); + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data); ++ compat_ulong_t addr, compat_ulong_t data); + + /* + * epoll (fs/eventpoll.c) compat bits follow ... diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h index 662fd1b..e801992 100644 --- a/include/linux/compiler-gcc4.h 
@@ -66554,6 +67105,27 @@ index dd852b7..72924c0 100644 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x)) #endif /* __LINUX_COMPILER_H */ +diff --git a/include/linux/completion.h b/include/linux/completion.h +index 51494e6..0fd1b61 100644 +--- a/include/linux/completion.h ++++ b/include/linux/completion.h +@@ -78,13 +78,13 @@ static inline void init_completion(struct completion *x) + + extern void wait_for_completion(struct completion *); + extern int wait_for_completion_interruptible(struct completion *x); +-extern int wait_for_completion_killable(struct completion *x); ++extern int wait_for_completion_killable(struct completion *x) __intentional_overflow(-1); + extern unsigned long wait_for_completion_timeout(struct completion *x, + unsigned long timeout); + extern long wait_for_completion_interruptible_timeout( +- struct completion *x, unsigned long timeout); ++ struct completion *x, unsigned long timeout) __intentional_overflow(-1); + extern long wait_for_completion_killable_timeout( +- struct completion *x, unsigned long timeout); ++ struct completion *x, unsigned long timeout) __intentional_overflow(-1); + extern bool try_wait_for_completion(struct completion *x); + extern bool completion_done(struct completion *x); + diff --git a/include/linux/configfs.h b/include/linux/configfs.h index 34025df..d94bbbc 100644 --- a/include/linux/configfs.h 
@@ -66624,6 +67196,58 @@ index 24cd1037..20a63aae 100644 #ifdef CONFIG_CPU_IDLE +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h +index 0325602..5e9feff 100644 +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -118,17 +118,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp) + } + + /* Valid inputs for n are -1 and 0. */ +-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp) ++static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp) + { + return n+1; + } + +-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp) ++static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp) + { + return n+1; + } + +-static inline unsigned int cpumask_next_and(int n, ++static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n, + const struct cpumask *srcp, + const struct cpumask *andp) + { +@@ -167,7 +167,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp) + * + * Returns >= nr_cpu_ids if no further cpus set. + */ +-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp) ++static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp) + { + /* -1 is a legal arg here. */ + if (n != -1) +@@ -182,7 +182,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp) + * + * Returns >= nr_cpu_ids if no further cpus unset. + */ +-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp) ++static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp) + { + /* -1 is a legal arg here. 
*/ + if (n != -1) +@@ -190,7 +190,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp) + return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1); + } + +-int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *); ++int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1); + int cpumask_any_but(const struct cpumask *mask, unsigned int cpu); + + /** diff --git a/include/linux/cred.h b/include/linux/cred.h index 04421e8..6bce4ef 100644 --- a/include/linux/cred.h @@ -66667,6 +67291,19 @@ index b92eadf..b4ecdc1 100644 #define crt_ablkcipher crt_u.ablkcipher #define crt_aead crt_u.aead +diff --git a/include/linux/ctype.h b/include/linux/ctype.h +index 8acfe31..6ffccd63 100644 +--- a/include/linux/ctype.h ++++ b/include/linux/ctype.h +@@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c) + * Fast implementation of tolower() for internal usage. Do not use in your + * code. + */ +-static inline char _tolower(const char c) ++static inline unsigned char _tolower(const unsigned char c) + { + return c | 0x20; + } diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h index 7925bf0..d5143d2 100644 --- a/include/linux/decompress/mm.h @@ -66790,6 +67427,25 @@ index 8c9048e..16a4665 100644 #endif +diff --git a/include/linux/err.h b/include/linux/err.h +index f2edce2..cc2082c 100644 +--- a/include/linux/err.h ++++ b/include/linux/err.h +@@ -19,12 +19,12 @@ + + #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO) + +-static inline void * __must_check ERR_PTR(long error) ++static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error) + { + return (void *) error; + } + +-static inline long __must_check PTR_ERR(const void *ptr) ++static inline long __must_check __intentional_overflow(-1) PTR_ERR(const void *ptr) + { + return (long) ptr; + } 
diff --git a/include/linux/extcon.h b/include/linux/extcon.h index fcb51c8..bdafcf6 100644 --- a/include/linux/extcon.h @@ -67870,10 +68526,10 @@ index 0000000..2bd4c8d +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..1ae241a +index 0000000..8da63a4 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,257 @@ +@@ -0,0 +1,242 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -67895,20 +68551,6 @@ index 0000000..1ae241a +#error "CONFIG_PAX enabled, but no PaX options are enabled." +#endif + -+#include <linux/compat.h> -+ -+struct user_arg_ptr { -+#ifdef CONFIG_COMPAT -+ bool is_compat; -+#endif -+ union { -+ const char __user *const __user *native; -+#ifdef CONFIG_COMPAT -+ const compat_uptr_t __user *compat; -+#endif -+ } ptr; -+}; -+ +void gr_handle_brute_attach(unsigned long mm_flags); +void gr_handle_brute_check(void); +void gr_handle_kernel_exploit(void); @@ -67962,7 +68604,6 @@ index 0000000..1ae241a + const struct vfsmount *mnt); +void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); -+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv); +void gr_log_remount(const char *devname, const int retval); +void gr_log_unmount(const char *devname, const int retval); +void gr_log_mount(const char *from, const char *to, const int retval); 
@@ -68585,8 +69226,39 @@ index cc6d2aa..c10ee83 100644 /** * list_move - delete from one list and add as another's head * @list: the entry to move +diff --git a/include/linux/math64.h b/include/linux/math64.h +index b8ba855..0148090 100644 +--- a/include/linux/math64.h ++++ b/include/linux/math64.h +@@ -14,7 +14,7 @@ + * This is commonly provided by 32bit archs to provide an optimized 64bit + * divide. + */ +-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) ++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) + { + *remainder = dividend % divisor; + return dividend / divisor; +@@ -50,7 +50,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor) + #define div64_long(x,y) div_s64((x),(y)) + + #ifndef div_u64_rem +-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) ++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) + { + *remainder = do_div(dividend, divisor); + return dividend; +@@ -79,7 +79,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor); + * divide. + */ + #ifndef div_u64 +-static inline u64 div_u64(u64 dividend, u32 divisor) ++static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor) + { + u32 remainder; + return div_u64_rem(dividend, divisor, &remainder); diff --git a/include/linux/mm.h b/include/linux/mm.h -index 66e2f7c..ea88001 100644 +index 66e2f7c..a398fb2 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -101,6 +101,11 @@ extern unsigned int kobjsize(const void *objp); 
@@ -68751,7 +69423,19 @@ index 66e2f7c..ea88001 100644 #ifdef CONFIG_ARCH_USES_NUMA_PROT_NONE unsigned long change_prot_numa(struct vm_area_struct *vma, unsigned long start, unsigned long end); -@@ -1721,7 +1730,7 @@ extern int unpoison_memory(unsigned long pfn); +@@ -1649,6 +1658,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long); + static inline void vm_stat_account(struct mm_struct *mm, + unsigned long flags, struct file *file, long pages) + { ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ + mm->total_vm += pages; + } + #endif /* CONFIG_PROC_FS */ +@@ -1721,7 +1735,7 @@ extern int unpoison_memory(unsigned long pfn); extern int sysctl_memory_failure_early_kill; extern int sysctl_memory_failure_recovery; extern void shake_page(struct page *p, int access); @@ -68760,7 +69444,7 @@ index 66e2f7c..ea88001 100644 extern int soft_offline_page(struct page *page, int flags); extern void dump_page(struct page *page); -@@ -1752,5 +1761,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; } +@@ -1752,5 +1766,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; } static inline bool page_is_guard(struct page *page) { return false; } #endif /* CONFIG_DEBUG_PAGEALLOC */ @@ -68773,7 +69457,7 @@ index 66e2f7c..ea88001 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index f8f5162..a039af9 100644 +index f8f5162..3aaf20f 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -288,6 +288,8 @@ struct vm_area_struct { 
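Review bot: In the inline `vm_stat_account()` in include/linux/mm.h the added `if (...)` sits inside `#ifdef CONFIG_PAX_RANDMMAP` with no braces, while its body, `mm->total_vm += pages;`, follows after the `#endif` and a blank line. Any statement later inserted between the `#endif` and the increment would become the conditional body on RANDMMAP kernels only, and the increment would then run unconditionally. The condition also has no comment saying which mappings it keeps out of `total_vm` (those with none of VM_MAYREAD, VM_MAYWRITE and VM_MAYEXEC set, on an mm that has MF_PAX_RANDMMAP). Computing the decision first avoids the dangling `if`: a local `bool account = true;` cleared under the `#ifdef`, followed by a braced `if (account) { mm->total_vm += pages; }`.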
@@ -68785,15 +69469,6 @@ index f8f5162..a039af9 100644 }; struct core_thread { -@@ -362,7 +364,7 @@ struct mm_struct { - unsigned long def_flags; - unsigned long nr_ptes; /* Page table pages */ - unsigned long start_code, end_code, start_data, end_data; -- unsigned long start_brk, brk, start_stack; -+ unsigned long aslr_gap, start_brk, brk, start_stack; - unsigned long arg_start, arg_end, env_start, env_end; - - unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ @@ -436,6 +438,24 @@ struct mm_struct { int first_nid; #endif @@ -69256,7 +69931,7 @@ index 45fc162..01a4068 100644 /** * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot |