diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2012-07-13 18:59:58 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2012-07-13 18:59:58 -0400 |
| commit | ff053b334213df2a39bf3ffcbff1ba214a14dd28 (patch) | |
| tree | 7105ca8cfd1a92ac77f9b1a6bf00b3d74f18497b | |
| parent | Add linux patch for 3.2.21 -> 3.2.22 (diff) | |
| download | hardened-patchset-ff053b334213df2a39bf3ffcbff1ba214a14dd28.tar.gz hardened-patchset-ff053b334213df2a39bf3ffcbff1ba214a14dd28.tar.bz2 hardened-patchset-ff053b334213df2a39bf3ffcbff1ba214a14dd28.zip | |
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.23,3.4.4}-201207122200
| -rw-r--r-- | 2.6.32/0000_README | 2 | ||||
| -rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207122159.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207080923.patch) | 93 | ||||
| -rw-r--r-- | 3.2.23/0000_README (renamed from 3.2.22/0000_README) | 6 | ||||
| -rw-r--r-- | 3.2.23/1021_linux-3.2.22.patch (renamed from 3.2.22/1021_linux-3.2.22.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/1022_linux-3.2.23.patch | 1862 | ||||
| -rw-r--r-- | 3.2.23/4420_grsecurity-2.9.1-3.2.23-201207122159.patch (renamed from 3.2.22/4420_grsecurity-2.9.1-3.2.22-201207080924.patch) | 363 | ||||
| -rw-r--r-- | 3.2.23/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.22/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/4435_grsec-mute-warnings.patch (renamed from 3.2.22/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/4440_grsec-remove-protected-paths.patch (renamed from 3.2.22/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.22/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.22/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.2.23/4470_disable-compat_vdso.patch (renamed from 3.2.22/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.4.4/0000_README | 2 | ||||
| -rw-r--r-- | 3.4.4/4420_grsecurity-2.9.1-3.4.4-201207122200.patch (renamed from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201207080925.patch) | 87 |
14 files changed, 2058 insertions, 357 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index a0df600..3cd1e97 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207080923.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207122159.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207080923.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207122159.patch index 2ebb2bb..614255d 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207080923.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207122159.patch @@ -471,7 +471,7 @@ index 3a9a721..b81a4d5 100644 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) $(@:.ko=.o) diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h -index 610dff4..f396854 100644 +index 610dff44..f396854 100644 --- a/arch/alpha/include/asm/atomic.h +++ b/arch/alpha/include/asm/atomic.h @@ -251,6 +251,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) @@ -62906,7 +62906,7 @@ index cbad67e8..3cf900e 100644 .update_status = omapbl_update_status, }; diff --git a/drivers/video/backlight/progear_bl.c b/drivers/video/backlight/progear_bl.c -index 9edaf24..075786e 100644 +index 9edaf24f..075786e 100644 --- a/drivers/video/backlight/progear_bl.c +++ b/drivers/video/backlight/progear_bl.c @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struct backlight_device *bd) @@ -76690,7 +76690,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..8c9aeb7 +index 0000000..109cc56 --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4175 @@ @@ -76716,6 +76716,7 @@ index 0000000..8c9aeb7 +#include <linux/security.h> +#include <linux/grinternal.h> +#include <linux/pid_namespace.h> ++#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> + @@ -78957,18 +78958,17 @@ index 0000000..8c9aeb7 +void +gr_copy_label(struct task_struct *tsk) +{ -+ /* plain copying of fields is already done by dup_task_struct */ + tsk->signal->used_accept = 0; + tsk->acl_sp_role = 0; -+ //tsk->acl_role_id = current->acl_role_id; -+ //tsk->acl = current->acl; -+ //tsk->role = current->role; ++ tsk->acl_role_id = current->acl_role_id; ++ tsk->acl = current->acl; ++ tsk->role = current->role; + tsk->signal->curr_ip = current->signal->curr_ip; + tsk->signal->saved_ip = current->signal->saved_ip; + if (current->exec_file) + get_file(current->exec_file); -+ //tsk->exec_file = current->exec_file; -+ //tsk->is_writable = current->is_writable; ++ tsk->exec_file = current->exec_file; ++ tsk->is_writable = current->is_writable; + if (unlikely(current->signal->used_accept)) { + current->signal->curr_ip = 0; + current->signal->saved_ip = 0; @@ -79777,6 +79777,15 @@ index 0000000..8c9aeb7 + return 1; +} + ++static int gr_rbac_disable(void *unused) ++{ ++ pax_open_kernel(); ++ gr_status &= ~GR_READY; ++ pax_close_kernel(); ++ ++ return 0; ++} ++ +ssize_t +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos) +{ @@ -79861,15 +79870,12 @@ index 0000000..8c9aeb7 + case GR_SHUTDOWN: + if ((gr_status & GR_READY) + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); + memset(gr_usermode, 0, sizeof (struct gr_arg)); + memset(gr_system_salt, 0, GR_SALT_LEN); + memset(gr_system_sum, 0, GR_SHA_LEN); ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); + } else if (gr_status & GR_READY) { + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG); + error = -EPERM; @@ -79894,20 +79900,14 @@ index 0000000..8c9aeb7 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION); + error = -EAGAIN; + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ lock_kernel(); -+ -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); -+ if (!(error2 = gracl_init(gr_usermode))) { -+ unlock_kernel(); ++ error2 = gracl_init(gr_usermode); ++ if (!error2) + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION); -+ } else { -+ unlock_kernel(); -+ error = error2; ++ else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); ++ error = error2; + } + } else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); @@ -91616,7 +91616,7 @@ index 0993a22..32ba2fe 100644 void *pmi_pal; u8 *vbe_state_orig; /* diff --git a/init/Kconfig b/init/Kconfig -index d72691b..3996e54 100644 +index d72691b..b21f901 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1004,7 +1004,7 @@ config SLUB_DEBUG @@ -91628,6 +91628,15 @@ index d72691b..3996e54 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). +@@ -1190,7 +1190,7 @@ config INIT_ALL_POSSIBLE + config STOP_MACHINE + bool + default y +- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU ++ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC + help + Need stop_machine() primitive. + diff --git a/init/do_mounts.c b/init/do_mounts.c index bb008d0..4fa3933 100644 --- a/init/do_mounts.c @@ -93056,7 +93065,7 @@ index 0f8fae3..66af9b1 100644 get_task_struct(p); read_unlock(&tasklist_lock); diff --git a/kernel/fork.c b/kernel/fork.c -index 4bde56f..8f14dad 100644 +index 4bde56f..21a5033 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -253,7 +253,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -93163,16 +93172,17 @@ index 4bde56f..8f14dad 100644 retval = copy_creds(p, clone_flags); if (retval < 0) -@@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, - goto bad_fork_free_pid; - } +@@ -1233,6 +1264,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, + /* Need tasklist lock for parent etc handling! */ + write_lock_irq(&tasklist_lock); ++ /* synchronizes with gr_set_acls() */ + gr_copy_label(p); + - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; - /* - * Clear TID on mm_release()? -@@ -1299,7 +1332,8 @@ bad_fork_free_pid: + /* CLONE_PARENT re-uses the old parent */ + if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) { + p->real_parent = current->real_parent; +@@ -1299,7 +1333,8 @@ bad_fork_free_pid: if (pid != &init_struct_pid) free_pid(pid); bad_fork_cleanup_io: @@ -93182,7 +93192,7 @@ index 4bde56f..8f14dad 100644 bad_fork_cleanup_namespaces: exit_task_namespaces(p); bad_fork_cleanup_mm: -@@ -1333,6 +1367,8 @@ bad_fork_cleanup_count: +@@ -1333,6 +1368,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -93191,7 +93201,7 @@ index 4bde56f..8f14dad 100644 return ERR_PTR(retval); } -@@ -1426,6 +1462,8 @@ long do_fork(unsigned long clone_flags, +@@ -1426,6 +1463,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -93200,7 +93210,7 @@ index 4bde56f..8f14dad 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1558,7 +1596,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1558,7 +1597,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -93209,7 +93219,7 @@ index 4bde56f..8f14dad 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1681,7 +1719,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1681,7 +1720,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; write_lock(&fs->lock); current->fs = new_fs; @@ -106188,10 +106198,10 @@ index d52f7a0..b66cdd9 100755 rm -f tags xtags ctags diff --git a/security/Kconfig b/security/Kconfig -index fb363cd..6ef754f 100644 +index fb363cd..b6ce7c6 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,854 @@ +@@ -4,6 +4,855 @@ menu "Security options" @@ -106220,6 +106230,7 @@ index fb363cd..6ef754f 100644 + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 ++ select STOP_MACHINE + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -107046,7 +107057,7 @@ index fb363cd..6ef754f 100644 config KEYS bool "Enable access key retention support" help -@@ -146,7 +994,7 @@ config INTEL_TXT +@@ -146,7 +995,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.2.22/0000_README b/3.2.23/0000_README index 7a8a57c..79f060b 100644 --- a/3.2.22/0000_README +++ b/3.2.23/0000_README @@ -6,7 +6,11 @@ Patch: 1021_linux-3.2.22.patch From: http://www.kernel.org Desc: Linux 3.2.22 -Patch: 4420_grsecurity-2.9.1-3.2.22-201207080924.patch +Patch: 1022_linux-3.2.23.patch +From: http://www.kernel.org +Desc: Linux 3.2.23 + +Patch: 4420_grsecurity-2.9.1-3.2.23-201207122159.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.22/1021_linux-3.2.22.patch b/3.2.23/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.22/1021_linux-3.2.22.patch +++ b/3.2.23/1021_linux-3.2.22.patch diff --git a/3.2.23/1022_linux-3.2.23.patch b/3.2.23/1022_linux-3.2.23.patch new file mode 100644 index 0000000..3d796d0 --- /dev/null +++ b/3.2.23/1022_linux-3.2.23.patch @@ -0,0 +1,1862 @@ +diff --git a/Makefile b/Makefile +index 9a7d921..40d1e3b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 22 ++SUBLEVEL = 23 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index e10e59a..1d1710e 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -471,9 +471,7 @@ static DEFINE_PER_CPU(struct clock_event_device, percpu_clockevent); + static void ipi_timer(void) + { + struct clock_event_device *evt = &__get_cpu_var(percpu_clockevent); +- irq_enter(); + evt->event_handler(evt); +- irq_exit(); + } + + #ifdef CONFIG_GENERIC_CLOCKEVENTS_BROADCAST +@@ -572,7 +570,9 @@ void handle_IPI(int ipinr, struct pt_regs *regs) + + switch (ipinr) { + case IPI_TIMER: ++ irq_enter(); + ipi_timer(); ++ irq_exit(); + break; + + case IPI_RESCHEDULE: +@@ -580,15 +580,21 @@ void handle_IPI(int ipinr, struct pt_regs *regs) + break; + + case IPI_CALL_FUNC: ++ irq_enter(); + generic_smp_call_function_interrupt(); ++ irq_exit(); + break; + + case IPI_CALL_FUNC_SINGLE: ++ irq_enter(); + generic_smp_call_function_single_interrupt(); ++ irq_exit(); + break; + + case IPI_CPU_STOP: ++ irq_enter(); + ipi_cpu_stop(cpu); ++ irq_exit(); + break; + + default: +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index 44d8829..5e8dc08 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -763,7 +763,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_201) + lwz r3,VCORE_NAPPING_THREADS(r5) + lwz r4,VCPU_PTID(r9) + li r0,1 +- sldi r0,r0,r4 ++ sld r0,r0,r4 + andc. r3,r3,r0 /* no sense IPI'ing ourselves */ + beq 43f + mulli r4,r4,PACA_SIZE /* get paca for thread 0 */ +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index 03a217a..b7e63d8 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -975,7 +975,7 @@ static int cpu_cmd(void) + /* print cpus waiting or in xmon */ + printf("cpus stopped:"); + count = 0; +- for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for_each_possible_cpu(cpu) { + if (cpumask_test_cpu(cpu, &cpus_in_xmon)) { + if (count == 0) + printf(" %x", cpu); +diff --git a/drivers/block/umem.c b/drivers/block/umem.c +index aa27120..9a72277 100644 +--- a/drivers/block/umem.c ++++ b/drivers/block/umem.c +@@ -513,6 +513,44 @@ static void process_page(unsigned long data) + } + } + ++struct mm_plug_cb { ++ struct blk_plug_cb cb; ++ struct cardinfo *card; ++}; ++ ++static void mm_unplug(struct blk_plug_cb *cb) ++{ ++ struct mm_plug_cb *mmcb = container_of(cb, struct mm_plug_cb, cb); ++ ++ spin_lock_irq(&mmcb->card->lock); ++ activate(mmcb->card); ++ spin_unlock_irq(&mmcb->card->lock); ++ kfree(mmcb); ++} ++ ++static int mm_check_plugged(struct cardinfo *card) ++{ ++ struct blk_plug *plug = current->plug; ++ struct mm_plug_cb *mmcb; ++ ++ if (!plug) ++ return 0; ++ ++ list_for_each_entry(mmcb, &plug->cb_list, cb.list) { ++ if (mmcb->cb.callback == mm_unplug && mmcb->card == card) ++ return 1; ++ } ++ /* Not currently on the callback list */ ++ mmcb = kmalloc(sizeof(*mmcb), GFP_ATOMIC); ++ if (!mmcb) ++ return 0; ++ ++ mmcb->card = card; ++ mmcb->cb.callback = mm_unplug; ++ list_add(&mmcb->cb.list, &plug->cb_list); ++ return 1; ++} ++ + static void mm_make_request(struct request_queue *q, struct bio *bio) + { + struct cardinfo *card = q->queuedata; +@@ -523,6 +561,8 @@ static void mm_make_request(struct request_queue *q, struct bio *bio) + *card->biotail = bio; + bio->bi_next = NULL; + card->biotail = &bio->bi_next; ++ if (bio->bi_rw & REQ_SYNC || !mm_check_plugged(card)) ++ activate(card); + spin_unlock_irq(&card->lock); + + return; +diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c +index c4da951..ca67338 100644 +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -1890,6 +1890,27 @@ ips_ping_for_i915_load(void) + } + } + ++static void i915_kick_out_firmware_fb(struct drm_i915_private *dev_priv) ++{ ++ struct apertures_struct *ap; ++ struct pci_dev *pdev = dev_priv->dev->pdev; ++ bool primary; ++ ++ ap = alloc_apertures(1); ++ if (!ap) ++ return; ++ ++ ap->ranges[0].base = dev_priv->dev->agp->base; ++ ap->ranges[0].size = ++ dev_priv->mm.gtt->gtt_mappable_entries << PAGE_SHIFT; ++ primary = ++ pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW; ++ ++ remove_conflicting_framebuffers(ap, "inteldrmfb", primary); ++ ++ kfree(ap); ++} ++ + /** + * i915_driver_load - setup chip and create an initial config + * @dev: DRM device +@@ -1927,6 +1948,15 @@ int i915_driver_load(struct drm_device *dev, unsigned long flags) + goto free_priv; + } + ++ dev_priv->mm.gtt = intel_gtt_get(); ++ if (!dev_priv->mm.gtt) { ++ DRM_ERROR("Failed to initialize GTT\n"); ++ ret = -ENODEV; ++ goto put_bridge; ++ } ++ ++ i915_kick_out_firmware_fb(dev_priv); ++ + /* overlay on gen2 is broken and can't address above 1G */ + if (IS_GEN2(dev)) + dma_set_coherent_mask(&dev->pdev->dev, DMA_BIT_MASK(30)); +@@ -1950,13 +1980,6 @@ int i915_driver_load(struct drm_device *dev, unsigned long flags) + goto put_bridge; + } + +- dev_priv->mm.gtt = intel_gtt_get(); +- if (!dev_priv->mm.gtt) { +- DRM_ERROR("Failed to initialize GTT\n"); +- ret = -ENODEV; +- goto out_rmmap; +- } +- + agp_size = dev_priv->mm.gtt->gtt_mappable_entries << PAGE_SHIFT; + + dev_priv->mm.gtt_mapping = +diff --git a/drivers/md/persistent-data/dm-space-map-checker.c b/drivers/md/persistent-data/dm-space-map-checker.c +index 50ed53b..fc90c11 100644 +--- a/drivers/md/persistent-data/dm-space-map-checker.c ++++ b/drivers/md/persistent-data/dm-space-map-checker.c +@@ -8,6 +8,7 @@ + + #include <linux/device-mapper.h> + #include <linux/export.h> ++#include <linux/vmalloc.h> + + #ifdef CONFIG_DM_DEBUG_SPACE_MAPS + +@@ -89,13 +90,23 @@ static int ca_create(struct count_array *ca, struct dm_space_map *sm) + + ca->nr = nr_blocks; + ca->nr_free = nr_blocks; +- ca->counts = kzalloc(sizeof(*ca->counts) * nr_blocks, GFP_KERNEL); +- if (!ca->counts) +- return -ENOMEM; ++ ++ if (!nr_blocks) ++ ca->counts = NULL; ++ else { ++ ca->counts = vzalloc(sizeof(*ca->counts) * nr_blocks); ++ if (!ca->counts) ++ return -ENOMEM; ++ } + + return 0; + } + ++static void ca_destroy(struct count_array *ca) ++{ ++ vfree(ca->counts); ++} ++ + static int ca_load(struct count_array *ca, struct dm_space_map *sm) + { + int r; +@@ -126,12 +137,14 @@ static int ca_load(struct count_array *ca, struct dm_space_map *sm) + static int ca_extend(struct count_array *ca, dm_block_t extra_blocks) + { + dm_block_t nr_blocks = ca->nr + extra_blocks; +- uint32_t *counts = kzalloc(sizeof(*counts) * nr_blocks, GFP_KERNEL); ++ uint32_t *counts = vzalloc(sizeof(*counts) * nr_blocks); + if (!counts) + return -ENOMEM; + +- memcpy(counts, ca->counts, sizeof(*counts) * ca->nr); +- kfree(ca->counts); ++ if (ca->counts) { ++ memcpy(counts, ca->counts, sizeof(*counts) * ca->nr); ++ ca_destroy(ca); ++ } + ca->nr = nr_blocks; + ca->nr_free += extra_blocks; + ca->counts = counts; +@@ -151,11 +164,6 @@ static int ca_commit(struct count_array *old, struct count_array *new) + return 0; + } + +-static void ca_destroy(struct count_array *ca) +-{ +- kfree(ca->counts); +-} +- + /*----------------------------------------------------------------*/ + + struct sm_checker { +@@ -343,25 +351,25 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm) + int r; + struct sm_checker *smc; + +- if (!sm) +- return NULL; ++ if (IS_ERR_OR_NULL(sm)) ++ return ERR_PTR(-EINVAL); + + smc = kmalloc(sizeof(*smc), GFP_KERNEL); + if (!smc) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + memcpy(&smc->sm, &ops_, sizeof(smc->sm)); + r = ca_create(&smc->old_counts, sm); + if (r) { + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + r = ca_create(&smc->counts, sm); + if (r) { + ca_destroy(&smc->old_counts); + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + smc->real_sm = sm; +@@ -371,7 +379,7 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm) + ca_destroy(&smc->counts); + ca_destroy(&smc->old_counts); + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + r = ca_commit(&smc->old_counts, &smc->counts); +@@ -379,7 +387,7 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm) + ca_destroy(&smc->counts); + ca_destroy(&smc->old_counts); + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + return &smc->sm; +@@ -391,25 +399,25 @@ struct dm_space_map *dm_sm_checker_create_fresh(struct dm_space_map *sm) + int r; + struct sm_checker *smc; + +- if (!sm) +- return NULL; ++ if (IS_ERR_OR_NULL(sm)) ++ return ERR_PTR(-EINVAL); + + smc = kmalloc(sizeof(*smc), GFP_KERNEL); + if (!smc) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + memcpy(&smc->sm, &ops_, sizeof(smc->sm)); + r = ca_create(&smc->old_counts, sm); + if (r) { + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + r = ca_create(&smc->counts, sm); + if (r) { + ca_destroy(&smc->old_counts); + kfree(smc); +- return NULL; ++ return ERR_PTR(r); + } + + smc->real_sm = sm; +diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c +index fc469ba..3d0ed53 100644 +--- a/drivers/md/persistent-data/dm-space-map-disk.c ++++ b/drivers/md/persistent-data/dm-space-map-disk.c +@@ -290,7 +290,16 @@ struct dm_space_map *dm_sm_disk_create(struct dm_transaction_manager *tm, + dm_block_t nr_blocks) + { + struct dm_space_map *sm = dm_sm_disk_create_real(tm, nr_blocks); +- return dm_sm_checker_create_fresh(sm); ++ struct dm_space_map *smc; ++ ++ if (IS_ERR_OR_NULL(sm)) ++ return sm; ++ ++ smc = dm_sm_checker_create_fresh(sm); ++ if (IS_ERR(smc)) ++ dm_sm_destroy(sm); ++ ++ return smc; + } + EXPORT_SYMBOL_GPL(dm_sm_disk_create); + +diff --git a/drivers/md/persistent-data/dm-transaction-manager.c b/drivers/md/persistent-data/dm-transaction-manager.c +index 6f8d387..ba54aac 100644 +--- a/drivers/md/persistent-data/dm-transaction-manager.c ++++ b/drivers/md/persistent-data/dm-transaction-manager.c +@@ -138,6 +138,9 @@ EXPORT_SYMBOL_GPL(dm_tm_create_non_blocking_clone); + + void dm_tm_destroy(struct dm_transaction_manager *tm) + { ++ if (!tm->is_clone) ++ wipe_shadow_table(tm); ++ + kfree(tm); + } + EXPORT_SYMBOL_GPL(dm_tm_destroy); +@@ -342,8 +345,10 @@ static int dm_tm_create_internal(struct dm_block_manager *bm, + } + + *sm = dm_sm_checker_create(inner); +- if (!*sm) ++ if (IS_ERR(*sm)) { ++ r = PTR_ERR(*sm); + goto bad2; ++ } + + } else { + r = dm_bm_write_lock(dm_tm_get_bm(*tm), sb_location, +@@ -362,8 +367,10 @@ static int dm_tm_create_internal(struct dm_block_manager *bm, + } + + *sm = dm_sm_checker_create(inner); +- if (!*sm) ++ if (IS_ERR(*sm)) { ++ r = PTR_ERR(*sm); + goto bad2; ++ } + } + + return 0; +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index b219449..7a9eef6 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1919,7 +1919,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 + if (r10_sync_page_io(rdev, + r10_bio->devs[sl].addr + + sect, +- s<<9, conf->tmppage, WRITE) ++ s, conf->tmppage, WRITE) + == 0) { + /* Well, this device is dead */ + printk(KERN_NOTICE +@@ -1956,7 +1956,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 + switch (r10_sync_page_io(rdev, + r10_bio->devs[sl].addr + + sect, +- s<<9, conf->tmppage, ++ s, conf->tmppage, + READ)) { + case 0: + /* Well, this device is dead */ +@@ -2119,7 +2119,7 @@ read_more: + rdev = conf->mirrors[mirror].rdev; + printk_ratelimited( + KERN_ERR +- "md/raid10:%s: %s: redirecting" ++ "md/raid10:%s: %s: redirecting " + "sector %llu to another mirror\n", + mdname(mddev), + bdevname(rdev->bdev, b), +@@ -2436,6 +2436,12 @@ static sector_t sync_request(struct mddev *mddev, sector_t sector_nr, + /* want to reconstruct this device */ + rb2 = r10_bio; + sect = raid10_find_virt(conf, sector_nr, i); ++ if (sect >= mddev->resync_max_sectors) { ++ /* last stripe is not complete - don't ++ * try to recover this sector. ++ */ ++ continue; ++ } + /* Unless we are doing a full sync, we only need + * to recover the block if it is set in the bitmap + */ +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 858fdbb..6ba4954 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -542,6 +542,12 @@ static void ops_run_io(struct stripe_head *sh, struct stripe_head_state *s) + * a chance*/ + md_check_recovery(conf->mddev); + } ++ /* ++ * Because md_wait_for_blocked_rdev ++ * will dec nr_pending, we must ++ * increment it first. ++ */ ++ atomic_inc(&rdev->nr_pending); + md_wait_for_blocked_rdev(rdev, conf->mddev); + } else { + /* Acknowledged bad block - skip the write */ +@@ -3621,7 +3627,6 @@ static int chunk_aligned_read(struct mddev *mddev, struct bio * raid_bio) + raid_bio->bi_next = (void*)rdev; + align_bi->bi_bdev = rdev->bdev; + align_bi->bi_flags &= ~(1 << BIO_SEG_VALID); +- align_bi->bi_sector += rdev->data_offset; + + if (!bio_fits_rdev(align_bi) || + is_badblock(rdev, align_bi->bi_sector, align_bi->bi_size>>9, +@@ -3632,6 +3637,9 @@ static int chunk_aligned_read(struct mddev *mddev, struct bio * raid_bio) + return 0; + } + ++ /* No reshape active, so we can trust rdev->data_offset */ ++ align_bi->bi_sector += rdev->data_offset; ++ + spin_lock_irq(&conf->device_lock); + wait_event_lock_irq(conf->wait_for_stripe, + conf->quiesce == 0, +diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c +index 72d3f23..68ecf48 100644 +--- a/drivers/mtd/nand/cafe_nand.c ++++ b/drivers/mtd/nand/cafe_nand.c +@@ -102,7 +102,7 @@ static const char *part_probes[] = { "cmdlinepart", "RedBoot", NULL }; + static int cafe_device_ready(struct mtd_info *mtd) + { + struct cafe_priv *cafe = mtd->priv; +- int result = !!(cafe_readl(cafe, NAND_STATUS) | 0x40000000); ++ int result = !!(cafe_readl(cafe, NAND_STATUS) & 0x40000000); + uint32_t irqs = cafe_readl(cafe, NAND_IRQ); + + cafe_writel(cafe, irqs, NAND_IRQ); +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index f65e0b9..1a88e38 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -77,6 +77,7 @@ + #include <net/route.h> + #include <net/net_namespace.h> + #include <net/netns/generic.h> ++#include <net/pkt_sched.h> + #include "bonding.h" + #include "bond_3ad.h" + #include "bond_alb.h" +@@ -382,8 +383,6 @@ struct vlan_entry *bond_next_vlan(struct bonding *bond, struct vlan_entry *curr) + return next; + } + +-#define bond_queue_mapping(skb) (*(u16 *)((skb)->cb)) +- + /** + * bond_dev_queue_xmit - Prepare skb for xmit. + * +@@ -396,7 +395,9 @@ int bond_dev_queue_xmit(struct bonding *bond, struct sk_buff *skb, + { + skb->dev = slave_dev; + +- skb->queue_mapping = bond_queue_mapping(skb); ++ BUILD_BUG_ON(sizeof(skb->queue_mapping) != ++ sizeof(qdisc_skb_cb(skb)->bond_queue_mapping)); ++ skb->queue_mapping = qdisc_skb_cb(skb)->bond_queue_mapping; + + if (unlikely(netpoll_tx_running(slave_dev))) + bond_netpoll_send_skb(bond_get_slave_by_dev(bond, slave_dev), skb); +@@ -4151,7 +4152,7 @@ static u16 bond_select_queue(struct net_device *dev, struct sk_buff *skb) + /* + * Save the original txq to restore before passing to the driver + */ +- bond_queue_mapping(skb) = skb->queue_mapping; ++ qdisc_skb_cb(skb)->bond_queue_mapping = skb->queue_mapping; + + if (unlikely(txq >= dev->real_num_tx_queues)) { + do { +diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c +index eeac9ca..68fe73c 100644 +--- a/drivers/net/dummy.c ++++ b/drivers/net/dummy.c +@@ -37,6 +37,7 @@ + #include <linux/rtnetlink.h> + #include <net/rtnetlink.h> + #include <linux/u64_stats_sync.h> ++#include <linux/sched.h> + + static int numdummies = 1; + +@@ -186,8 +187,10 @@ static int __init dummy_init_module(void) + rtnl_lock(); + err = __rtnl_link_register(&dummy_link_ops); + +- for (i = 0; i < numdummies && !err; i++) ++ for (i = 0; i < numdummies && !err; i++) { + err = dummy_init_one(); ++ cond_resched(); ++ } + if (err < 0) + __rtnl_link_unregister(&dummy_link_ops); + rtnl_unlock(); +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index bf266a0..36c7c4e 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -696,6 +696,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, + + copied = make_tx_wrbs(adapter, txq, skb, wrb_cnt, dummy_wrb); + if (copied) { ++ int gso_segs = skb_shinfo(skb)->gso_segs; ++ + /* record the sent skb in the sent_skb table */ + BUG_ON(txo->sent_skb_list[start]); + txo->sent_skb_list[start] = skb; +@@ -713,8 +715,7 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, + + be_txq_notify(adapter, txq->id, wrb_cnt); + +- be_tx_stats_update(txo, wrb_cnt, copied, +- skb_shinfo(skb)->gso_segs, stopped); ++ be_tx_stats_update(txo, wrb_cnt, copied, gso_segs, stopped); + } else { + txq->head = start; + dev_kfree_skb_any(skb); +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index 65c51ff..11ddd838 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4361,10 +4361,12 @@ static int sky2_set_features(struct net_device *dev, u32 features) + struct sky2_port *sky2 = netdev_priv(dev); + u32 changed = dev->features ^ features; + +- if (changed & NETIF_F_RXCSUM) { +- u32 on = features & NETIF_F_RXCSUM; +- sky2_write32(sky2->hw, Q_ADDR(rxqaddr[sky2->port], Q_CSR), +- on ? BMU_ENA_RX_CHKSUM : BMU_DIS_RX_CHKSUM); ++ if ((changed & NETIF_F_RXCSUM) && ++ !(sky2->hw->flags & SKY2_HW_NEW_LE)) { ++ sky2_write32(sky2->hw, ++ Q_ADDR(rxqaddr[sky2->port], Q_CSR), ++ (features & NETIF_F_RXCSUM) ++ ? BMU_ENA_RX_CHKSUM : BMU_DIS_RX_CHKSUM); + } + + if (changed & NETIF_F_RXHASH) +diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h +index 0f9ee46..4cc4a8b 100644 +--- a/drivers/net/wireless/ath/ath.h ++++ b/drivers/net/wireless/ath/ath.h +@@ -143,6 +143,7 @@ struct ath_common { + u32 keymax; + DECLARE_BITMAP(keymap, ATH_KEYMAX); + DECLARE_BITMAP(tkip_keymap, ATH_KEYMAX); ++ DECLARE_BITMAP(ccmp_keymap, ATH_KEYMAX); + enum ath_crypt_caps crypt_caps; + + unsigned int clockrate; +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 6973620..7f97164 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -557,7 +557,7 @@ static int __ath9k_hw_init(struct ath_hw *ah) + + if (ah->config.serialize_regmode == SER_REG_MODE_AUTO) { + if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCI || +- ((AR_SREV_9160(ah) || AR_SREV_9280(ah)) && ++ ((AR_SREV_9160(ah) || AR_SREV_9280(ah) || AR_SREV_9287(ah)) && + !ah->is_pciexpress)) { + ah->config.serialize_regmode = + SER_REG_MODE_ON; +diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c +index 2f3aeac..e6d791c 100644 +--- a/drivers/net/wireless/ath/ath9k/recv.c ++++ b/drivers/net/wireless/ath/ath9k/recv.c +@@ -829,7 +829,8 @@ static bool ath9k_rx_accept(struct ath_common *common, + * descriptor does contain a valid key index. This has been observed + * mostly with CCMP encryption. + */ +- if (rx_stats->rs_keyix == ATH9K_RXKEYIX_INVALID) ++ if (rx_stats->rs_keyix == ATH9K_RXKEYIX_INVALID || ++ !test_bit(rx_stats->rs_keyix, common->ccmp_keymap)) + rx_stats->rs_status &= ~ATH9K_RXERR_KEYMISS; + + if (!rx_stats->rs_datalen) +diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c +index 4cf7c5e..1ec3fa5 100644 +--- a/drivers/net/wireless/ath/key.c ++++ b/drivers/net/wireless/ath/key.c +@@ -556,6 +556,9 @@ int ath_key_config(struct ath_common *common, + return -EIO; + + set_bit(idx, common->keymap); ++ if (key->cipher == WLAN_CIPHER_SUITE_CCMP) ++ set_bit(idx, common->ccmp_keymap); ++ + if (key->cipher == WLAN_CIPHER_SUITE_TKIP) { + set_bit(idx + 64, common->keymap); + set_bit(idx, common->tkip_keymap); +@@ -582,6 +585,7 @@ void ath_key_delete(struct ath_common *common, struct ieee80211_key_conf *key) + return; + + clear_bit(key->hw_key_idx, common->keymap); ++ clear_bit(key->hw_key_idx, common->ccmp_keymap); + if (key->cipher != WLAN_CIPHER_SUITE_TKIP) + return; + +diff --git a/drivers/net/wireless/mwifiex/11n_rxreorder.c b/drivers/net/wireless/mwifiex/11n_rxreorder.c +index 7aa9aa0..39fd4d5 100644 +--- a/drivers/net/wireless/mwifiex/11n_rxreorder.c ++++ b/drivers/net/wireless/mwifiex/11n_rxreorder.c +@@ -267,7 +267,8 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta, + else + last_seq = priv->rx_seq[tid]; + +- if (last_seq >= new_node->start_win) ++ if (last_seq != MWIFIEX_DEF_11N_RX_SEQ_NUM && ++ last_seq >= new_node->start_win) + new_node->start_win = last_seq + 1; + + new_node->win_size = win_size; +@@ -611,5 +612,5 @@ void mwifiex_11n_cleanup_reorder_tbl(struct mwifiex_private *priv) + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr); +- memset(priv->rx_seq, 0, sizeof(priv->rx_seq)); ++ mwifiex_reset_11n_rx_seq_num(priv); + } +diff --git a/drivers/net/wireless/mwifiex/11n_rxreorder.h b/drivers/net/wireless/mwifiex/11n_rxreorder.h +index 033c8ad..7128baa 100644 +--- a/drivers/net/wireless/mwifiex/11n_rxreorder.h ++++ b/drivers/net/wireless/mwifiex/11n_rxreorder.h +@@ -37,6 +37,13 @@ + + #define ADDBA_RSP_STATUS_ACCEPT 0 + ++#define MWIFIEX_DEF_11N_RX_SEQ_NUM 0xffff ++ ++static inline void mwifiex_reset_11n_rx_seq_num(struct mwifiex_private *priv) ++{ ++ memset(priv->rx_seq, 0xff, sizeof(priv->rx_seq)); ++} ++ + int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *, + u16 seqNum, + u16 tid, u8 *ta, +diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c +index 462c710..01dcb1a 100644 +--- a/drivers/net/wireless/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/mwifiex/cfg80211.c +@@ -1177,11 +1177,11 @@ struct net_device *mwifiex_add_virtual_intf(struct wiphy *wiphy, + void *mdev_priv; + + if (!priv) +- return NULL; ++ return ERR_PTR(-EFAULT); + + adapter = priv->adapter; + if (!adapter) +- return NULL; ++ return ERR_PTR(-EFAULT); + + switch (type) { + case NL80211_IFTYPE_UNSPECIFIED: +@@ -1190,7 +1190,7 @@ struct net_device *mwifiex_add_virtual_intf(struct wiphy *wiphy, + if (priv->bss_mode) { + wiphy_err(wiphy, "cannot create multiple" + " station/adhoc interfaces\n"); +- return NULL; ++ return ERR_PTR(-EINVAL); + } + + if (type == NL80211_IFTYPE_UNSPECIFIED) +@@ -1208,14 +1208,15 @@ struct net_device *mwifiex_add_virtual_intf(struct wiphy *wiphy, + break; + default: + wiphy_err(wiphy, "type not supported\n"); +- return NULL; ++ return ERR_PTR(-EINVAL); + } + + dev = alloc_netdev_mq(sizeof(struct mwifiex_private *), name, + ether_setup, 1); + if (!dev) { + wiphy_err(wiphy, "no memory available for netdevice\n"); +- goto error; ++ priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED; ++ return ERR_PTR(-ENOMEM); + } + + dev_net_set(dev, wiphy_net(wiphy)); +@@ -1240,7 +1241,9 @@ struct net_device *mwifiex_add_virtual_intf(struct wiphy *wiphy, + /* Register network device */ + if (register_netdevice(dev)) { + wiphy_err(wiphy, "cannot register virtual network device\n"); +- goto error; ++ free_netdev(dev); ++ priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED; ++ return ERR_PTR(-EFAULT); + } + + sema_init(&priv->async_sem, 1); +@@ -1252,12 +1255,6 @@ struct net_device *mwifiex_add_virtual_intf(struct wiphy *wiphy, + mwifiex_dev_debugfs_init(priv); + #endif + return dev; +-error: +- if (dev && (dev->reg_state == NETREG_UNREGISTERED)) +- free_netdev(dev); +- priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED; +- +- return NULL; + } + EXPORT_SYMBOL_GPL(mwifiex_add_virtual_intf); + +diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c +index 6c239c3..06fcf1e 100644 +--- a/drivers/net/wireless/mwifiex/wmm.c ++++ b/drivers/net/wireless/mwifiex/wmm.c +@@ -406,6 +406,8 @@ mwifiex_wmm_init(struct mwifiex_adapter *adapter) + priv->add_ba_param.tx_win_size = MWIFIEX_AMPDU_DEF_TXWINSIZE; + priv->add_ba_param.rx_win_size = MWIFIEX_AMPDU_DEF_RXWINSIZE; + ++ mwifiex_reset_11n_rx_seq_num(priv); ++ + atomic_set(&priv->wmm.tx_pkts_queued, 0); + atomic_set(&priv->wmm.highest_queued_prio, HIGH_PRIO_TID); + } +@@ -1209,10 +1211,12 @@ mwifiex_dequeue_tx_packet(struct mwifiex_adapter *adapter) + return 0; + } + +- if (!ptr->is_11n_enabled || mwifiex_is_ba_stream_setup(priv, ptr, tid) +- || ((priv->sec_info.wpa_enabled +- || priv->sec_info.wpa2_enabled) && !priv->wpa_is_gtk_set) +- ) { ++ if (!ptr->is_11n_enabled || ++ mwifiex_is_ba_stream_setup(priv, ptr, tid) || ++ priv->wps.session_enable || ++ ((priv->sec_info.wpa_enabled || ++ priv->sec_info.wpa2_enabled) && ++ !priv->wpa_is_gtk_set)) { + mwifiex_send_single_packet(priv, ptr, ptr_index, flags); + /* ra_list_spinlock has been freed in + mwifiex_send_single_packet() */ +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +index 94a3e17..0302148 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -311,9 +311,11 @@ static struct usb_device_id rtl8192c_usb_ids[] = { + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/ + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/ + {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/ ++ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/ + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ + {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ + {RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/ ++ {RTL_USB_DEVICE(0x4856, 0x0091, rtl92cu_hal_cfg)}, /*NetweeN - Feixun*/ + /* HP - Lite-On ,8188CUS Slim Combo */ + {RTL_USB_DEVICE(0x103c, 0x1629, rtl92cu_hal_cfg)}, + {RTL_USB_DEVICE(0x13d3, 0x3357, rtl92cu_hal_cfg)}, /* AzureWave */ +@@ -355,6 +357,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { + {RTL_USB_DEVICE(0x07b8, 0x8178, rtl92cu_hal_cfg)}, /*Funai -Abocom*/ + {RTL_USB_DEVICE(0x0846, 0x9021, rtl92cu_hal_cfg)}, /*Netgear-Sercomm*/ + {RTL_USB_DEVICE(0x0b05, 0x17ab, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/ ++ {RTL_USB_DEVICE(0x0bda, 0x8186, rtl92cu_hal_cfg)}, /*Realtek 92CE-VAU*/ + {RTL_USB_DEVICE(0x0df6, 0x0061, rtl92cu_hal_cfg)}, /*Sitecom-Edimax*/ + {RTL_USB_DEVICE(0x0e66, 0x0019, rtl92cu_hal_cfg)}, /*Hawking-Edimax*/ + {RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/ +diff --git a/drivers/target/tcm_fc/tfc_sess.c b/drivers/target/tcm_fc/tfc_sess.c +index 3269213..64ddb63 100644 +--- a/drivers/target/tcm_fc/tfc_sess.c ++++ b/drivers/target/tcm_fc/tfc_sess.c +@@ -61,7 +61,8 @@ static struct ft_tport *ft_tport_create(struct fc_lport *lport) + struct ft_tport *tport; + int i; + +- tport = rcu_dereference(lport->prov[FC_TYPE_FCP]); ++ tport = rcu_dereference_protected(lport->prov[FC_TYPE_FCP], ++ lockdep_is_held(&ft_lport_lock)); + if (tport && tport->tpg) + return tport; + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 3568374..19b127c 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -692,6 +692,8 @@ static noinline int drop_one_dir_item(struct btrfs_trans_handle *trans, + kfree(name); + + iput(inode); ++ ++ btrfs_run_delayed_items(trans, root); + return ret; + } + +@@ -897,6 +899,7 @@ again: + ret = btrfs_unlink_inode(trans, root, dir, + inode, victim_name, + victim_name_len); ++ btrfs_run_delayed_items(trans, root); + } + kfree(victim_name); + ptr = (unsigned long)(victim_ref + 1) + victim_name_len; +@@ -1477,6 +1480,9 @@ again: + ret = btrfs_unlink_inode(trans, root, dir, inode, + name, name_len); + BUG_ON(ret); ++ ++ btrfs_run_delayed_items(trans, root); ++ + kfree(name); + iput(inode); + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 9e0675a..b21670c 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2975,18 +2975,15 @@ cifs_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *pvolume_info) + * MS-CIFS indicates that servers are only limited by the client's + * bufsize for reads, testing against win98se shows that it throws + * INVALID_PARAMETER errors if you try to request too large a read. ++ * OS/2 just sends back short reads. + * +- * If the server advertises a MaxBufferSize of less than one page, +- * assume that it also can't satisfy reads larger than that either. +- * +- * FIXME: Is there a better heuristic for this? ++ * If the server doesn't advertise CAP_LARGE_READ_X, then assume that ++ * it can't handle a read request larger than its MaxBufferSize either. + */ + if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_READ_CAP)) + defsize = CIFS_DEFAULT_IOSIZE; + else if (server->capabilities & CAP_LARGE_READ_X) + defsize = CIFS_DEFAULT_NON_POSIX_RSIZE; +- else if (server->maxBuf >= PAGE_CACHE_SIZE) +- defsize = CIFSMaxBufSize; + else + defsize = server->maxBuf - sizeof(READ_RSP); + +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c +index 6e39668..07ee5b4 100644 +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2422,8 +2422,10 @@ out_dio: + unaligned_dio = 0; + } + +- if (unaligned_dio) ++ if (unaligned_dio) { ++ ocfs2_iocb_clear_unaligned_aio(iocb); + atomic_dec(&OCFS2_I(inode)->ip_unaligned_aio); ++ } + + out: + if (rw_level != -1) +diff --git a/fs/open.c b/fs/open.c +index 22c41b5..e2b5d51 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -396,10 +396,10 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd) + { + struct file *file; + struct inode *inode; +- int error; ++ int error, fput_needed; + + error = -EBADF; +- file = fget(fd); ++ file = fget_raw_light(fd, &fput_needed); + if (!file) + goto out; + +@@ -413,7 +413,7 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd) + if (!error) + set_fs_pwd(current->fs, &file->f_path); + out_putf: +- fput(file); ++ fput_light(file, fput_needed); + out: + return error; + } +diff --git a/fs/splice.c b/fs/splice.c +index 6d0dfb8..014fcb4 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -274,13 +274,16 @@ void spd_release_page(struct splice_pipe_desc *spd, unsigned int i) + * Check if we need to grow the arrays holding pages and partial page + * descriptions. + */ +-int splice_grow_spd(struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) ++int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) + { +- if (pipe->buffers <= PIPE_DEF_BUFFERS) ++ unsigned int buffers = ACCESS_ONCE(pipe->buffers); ++ ++ spd->nr_pages_max = buffers; ++ if (buffers <= PIPE_DEF_BUFFERS) + return 0; + +- spd->pages = kmalloc(pipe->buffers * sizeof(struct page *), GFP_KERNEL); +- spd->partial = kmalloc(pipe->buffers * sizeof(struct partial_page), GFP_KERNEL); ++ spd->pages = kmalloc(buffers * sizeof(struct page *), GFP_KERNEL); ++ spd->partial = kmalloc(buffers * sizeof(struct partial_page), GFP_KERNEL); + + if (spd->pages && spd->partial) + return 0; +@@ -290,10 +293,9 @@ int splice_grow_spd(struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) + return -ENOMEM; + } + +-void splice_shrink_spd(struct pipe_inode_info *pipe, +- struct splice_pipe_desc *spd) ++void splice_shrink_spd(struct splice_pipe_desc *spd) + { +- if (pipe->buffers <= PIPE_DEF_BUFFERS) ++ if (spd->nr_pages_max <= PIPE_DEF_BUFFERS) + return; + + kfree(spd->pages); +@@ -316,6 +318,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, + struct splice_pipe_desc spd = { + .pages = pages, + .partial = partial, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &page_cache_pipe_buf_ops, + .spd_release = spd_release_page, +@@ -327,7 +330,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, + index = *ppos >> PAGE_CACHE_SHIFT; + loff = *ppos & ~PAGE_CACHE_MASK; + req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; +- nr_pages = min(req_pages, pipe->buffers); ++ nr_pages = min(req_pages, spd.nr_pages_max); + + /* + * Lookup the (hopefully) full range of pages we need. +@@ -498,7 +501,7 @@ fill_it: + if (spd.nr_pages) + error = splice_to_pipe(pipe, &spd); + +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + return error; + } + +@@ -599,6 +602,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, + struct splice_pipe_desc spd = { + .pages = pages, + .partial = partial, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &default_pipe_buf_ops, + .spd_release = spd_release_page, +@@ -609,8 +613,8 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, + + res = -ENOMEM; + vec = __vec; +- if (pipe->buffers > PIPE_DEF_BUFFERS) { +- vec = kmalloc(pipe->buffers * sizeof(struct iovec), GFP_KERNEL); ++ if (spd.nr_pages_max > PIPE_DEF_BUFFERS) { ++ vec = kmalloc(spd.nr_pages_max * sizeof(struct iovec), GFP_KERNEL); + if (!vec) + goto shrink_ret; + } +@@ -618,7 +622,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, + offset = *ppos & ~PAGE_CACHE_MASK; + nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; + +- for (i = 0; i < nr_pages && i < pipe->buffers && len; i++) { ++ for (i = 0; i < nr_pages && i < spd.nr_pages_max && len; i++) { + struct page *page; + + page = alloc_page(GFP_USER); +@@ -666,7 +670,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, + shrink_ret: + if (vec != __vec) + kfree(vec); +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + return res; + + err: +@@ -1616,6 +1620,7 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, + struct splice_pipe_desc spd = { + .pages = pages, + .partial = partial, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &user_page_pipe_buf_ops, + .spd_release = spd_release_page, +@@ -1631,13 +1636,13 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, + + spd.nr_pages = get_iovec_page_array(iov, nr_segs, spd.pages, + spd.partial, flags & SPLICE_F_GIFT, +- pipe->buffers); ++ spd.nr_pages_max); + if (spd.nr_pages <= 0) + ret = spd.nr_pages; + else + ret = splice_to_pipe(pipe, &spd); + +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + return ret; + } + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 87cb24a..270e135 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -56,6 +56,7 @@ + #include <linux/seq_file.h> + #include <linux/bitmap.h> + #include <linux/crc-itu-t.h> ++#include <linux/log2.h> + #include <asm/byteorder.h> + + #include "udf_sb.h" +@@ -1217,16 +1218,65 @@ out_bh: + return ret; + } + ++static int udf_load_sparable_map(struct super_block *sb, ++ struct udf_part_map *map, ++ struct sparablePartitionMap *spm) ++{ ++ uint32_t loc; ++ uint16_t ident; ++ struct sparingTable *st; ++ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing; ++ int i; ++ struct buffer_head *bh; ++ ++ map->s_partition_type = UDF_SPARABLE_MAP15; ++ sdata->s_packet_len = le16_to_cpu(spm->packetLength); ++ if (!is_power_of_2(sdata->s_packet_len)) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Invalid packet length %u\n", ++ (unsigned)sdata->s_packet_len); ++ return -EIO; ++ } ++ if (spm->numSparingTables > 4) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too many sparing tables (%d)\n", ++ (int)spm->numSparingTables); ++ return -EIO; ++ } ++ ++ for (i = 0; i < spm->numSparingTables; i++) { ++ loc = le32_to_cpu(spm->locSparingTable[i]); ++ bh = udf_read_tagged(sb, loc, loc, &ident); ++ if (!bh) ++ continue; ++ ++ st = (struct sparingTable *)bh->b_data; ++ if (ident != 0 || ++ strncmp(st->sparingIdent.ident, UDF_ID_SPARING, ++ strlen(UDF_ID_SPARING)) || ++ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) > ++ sb->s_blocksize) { ++ brelse(bh); ++ continue; ++ } ++ ++ sdata->s_spar_map[i] = bh; ++ } ++ map->s_partition_func = udf_get_pblock_spar15; ++ return 0; ++} ++ + static int udf_load_logicalvol(struct super_block *sb, sector_t block, + struct kernel_lb_addr *fileset) + { + struct logicalVolDesc *lvd; +- int i, j, offset; ++ int i, offset; + uint8_t type; + struct udf_sb_info *sbi = UDF_SB(sb); + struct genericPartitionMap *gpm; + uint16_t ident; + struct buffer_head *bh; ++ unsigned int table_len; + int ret = 0; + + bh = udf_read_tagged(sb, block, block, &ident); +@@ -1234,15 +1284,20 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + return 1; + BUG_ON(ident != TAG_IDENT_LVD); + lvd = (struct logicalVolDesc *)bh->b_data; +- +- i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); +- if (i != 0) { +- ret = i; ++ table_len = le32_to_cpu(lvd->mapTableLength); ++ if (sizeof(*lvd) + table_len > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Partition table too long (%u > %lu)\n", table_len, ++ sb->s_blocksize - sizeof(*lvd)); + goto out_bh; + } + ++ ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); ++ if (ret) ++ goto out_bh; ++ + for (i = 0, offset = 0; +- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength); ++ i < sbi->s_partitions && offset < table_len; + i++, offset += gpm->partitionMapLength) { + struct udf_part_map *map = &sbi->s_partmaps[i]; + gpm = (struct genericPartitionMap *) +@@ -1277,38 +1332,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + } else if (!strncmp(upm2->partIdent.ident, + UDF_ID_SPARABLE, + strlen(UDF_ID_SPARABLE))) { +- uint32_t loc; +- struct sparingTable *st; +- struct sparablePartitionMap *spm = +- (struct sparablePartitionMap *)gpm; +- +- map->s_partition_type = UDF_SPARABLE_MAP15; +- map->s_type_specific.s_sparing.s_packet_len = +- le16_to_cpu(spm->packetLength); +- for (j = 0; j < spm->numSparingTables; j++) { +- struct buffer_head *bh2; +- +- loc = le32_to_cpu( +- spm->locSparingTable[j]); +- bh2 = udf_read_tagged(sb, loc, loc, +- &ident); +- map->s_type_specific.s_sparing. +- s_spar_map[j] = bh2; +- +- if (bh2 == NULL) +- continue; +- +- st = (struct sparingTable *)bh2->b_data; +- if (ident != 0 || strncmp( +- st->sparingIdent.ident, +- UDF_ID_SPARING, +- strlen(UDF_ID_SPARING))) { +- brelse(bh2); +- map->s_type_specific.s_sparing. +- s_spar_map[j] = NULL; +- } +- } +- map->s_partition_func = udf_get_pblock_spar15; ++ if (udf_load_sparable_map(sb, map, ++ (struct sparablePartitionMap *)gpm) < 0) ++ goto out_bh; + } else if (!strncmp(upm2->partIdent.ident, + UDF_ID_METADATA, + strlen(UDF_ID_METADATA))) { +diff --git a/include/linux/aio.h b/include/linux/aio.h +index 2314ad8..b1a520e 100644 +--- a/include/linux/aio.h ++++ b/include/linux/aio.h +@@ -140,6 +140,7 @@ struct kiocb { + (x)->ki_dtor = NULL; \ + (x)->ki_obj.tsk = tsk; \ + (x)->ki_user_data = 0; \ ++ (x)->private = NULL; \ + } while (0) + + #define AIO_RING_MAGIC 0xa10a10a1 +diff --git a/include/linux/splice.h b/include/linux/splice.h +index 26e5b61..09a545a 100644 +--- a/include/linux/splice.h ++++ b/include/linux/splice.h +@@ -51,7 +51,8 @@ struct partial_page { + struct splice_pipe_desc { + struct page **pages; /* page map */ + struct partial_page *partial; /* pages[] may not be contig */ +- int nr_pages; /* number of pages in map */ ++ int nr_pages; /* number of populated pages in map */ ++ unsigned int nr_pages_max; /* pages[] & partial[] arrays size */ + unsigned int flags; /* splice flags */ + const struct pipe_buf_operations *ops;/* ops associated with output pipe */ + void (*spd_release)(struct splice_pipe_desc *, unsigned int); +@@ -85,9 +86,8 @@ extern ssize_t splice_direct_to_actor(struct file *, struct splice_desc *, + /* + * for dynamic pipe sizing + */ +-extern int splice_grow_spd(struct pipe_inode_info *, struct splice_pipe_desc *); +-extern void splice_shrink_spd(struct pipe_inode_info *, +- struct splice_pipe_desc *); ++extern int splice_grow_spd(const struct pipe_inode_info *, struct splice_pipe_desc *); ++extern void splice_shrink_spd(struct splice_pipe_desc *); + extern void spd_release_page(struct splice_pipe_desc *, unsigned int); + + extern const struct pipe_buf_operations page_cache_pipe_buf_ops; +diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h +index 9808877..a7a683e 100644 +--- a/include/net/cipso_ipv4.h ++++ b/include/net/cipso_ipv4.h +@@ -42,6 +42,7 @@ + #include <net/netlabel.h> + #include <net/request_sock.h> + #include <linux/atomic.h> ++#include <asm/unaligned.h> + + /* known doi values */ + #define CIPSO_V4_DOI_UNKNOWN 0x00000000 +@@ -285,7 +286,33 @@ static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, + static inline int cipso_v4_validate(const struct sk_buff *skb, + unsigned char **option) + { +- return -ENOSYS; ++ unsigned char *opt = *option; ++ unsigned char err_offset = 0; ++ u8 opt_len = opt[1]; ++ u8 opt_iter; ++ ++ if (opt_len < 8) { ++ err_offset = 1; ++ goto out; ++ } ++ ++ if (get_unaligned_be32(&opt[2]) == 0) { ++ err_offset = 2; ++ goto out; ++ } ++ ++ for (opt_iter = 6; opt_iter < opt_len;) { ++ if (opt[opt_iter + 1] > (opt_len - opt_iter)) { ++ err_offset = opt_iter + 1; ++ goto out; ++ } ++ opt_iter += opt[opt_iter + 1]; ++ } ++ ++out: ++ *option = opt + err_offset; ++ return err_offset; ++ + } + #endif /* CONFIG_NETLABEL */ + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 55ce96b..9d7d54a 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -220,13 +220,16 @@ struct tcf_proto { + + struct qdisc_skb_cb { + unsigned int pkt_len; +- unsigned char data[24]; ++ u16 bond_queue_mapping; ++ u16 _pad; ++ unsigned char data[20]; + }; + + static inline void qdisc_cb_private_validate(const struct sk_buff *skb, int sz) + { + struct qdisc_skb_cb *qcb; +- BUILD_BUG_ON(sizeof(skb->cb) < sizeof(unsigned int) + sz); ++ ++ BUILD_BUG_ON(sizeof(skb->cb) < offsetof(struct qdisc_skb_cb, data) + sz); + BUILD_BUG_ON(sizeof(qcb->data) < sz); + } + +diff --git a/kernel/relay.c b/kernel/relay.c +index b6f803a..a535fc9 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -1235,6 +1235,7 @@ static ssize_t subbuf_splice_actor(struct file *in, + struct splice_pipe_desc spd = { + .pages = pages, + .nr_pages = 0, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .partial = partial, + .flags = flags, + .ops = &relay_pipe_buf_ops, +@@ -1302,8 +1303,8 @@ static ssize_t subbuf_splice_actor(struct file *in, + ret += padding; + + out: +- splice_shrink_spd(pipe, &spd); +- return ret; ++ splice_shrink_spd(&spd); ++ return ret; + } + + static ssize_t relay_file_splice_read(struct file *in, +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 697e49d..5638104 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2541,10 +2541,12 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, + if (cpumask_test_cpu(cpu, tracing_cpumask) && + !cpumask_test_cpu(cpu, tracing_cpumask_new)) { + atomic_inc(&global_trace.data[cpu]->disabled); ++ ring_buffer_record_disable_cpu(global_trace.buffer, cpu); + } + if (!cpumask_test_cpu(cpu, tracing_cpumask) && + cpumask_test_cpu(cpu, tracing_cpumask_new)) { + atomic_dec(&global_trace.data[cpu]->disabled); ++ ring_buffer_record_enable_cpu(global_trace.buffer, cpu); + } + } + arch_spin_unlock(&ftrace_max_lock); +@@ -3456,6 +3458,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, + .pages = pages_def, + .partial = partial_def, + .nr_pages = 0, /* This gets updated below. */ ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &tracing_pipe_buf_ops, + .spd_release = tracing_spd_release_pipe, +@@ -3527,7 +3530,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, + + ret = splice_to_pipe(pipe, &spd); + out: +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + return ret; + + out_err: +@@ -4017,6 +4020,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + struct splice_pipe_desc spd = { + .pages = pages_def, + .partial = partial_def, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &buffer_pipe_buf_ops, + .spd_release = buffer_spd_release, +@@ -4104,7 +4108,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + } + + ret = splice_to_pipe(pipe, &spd); +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + out: + return ret; + } +diff --git a/mm/madvise.c b/mm/madvise.c +index 74bf193..23d3a6b 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -13,6 +13,7 @@ + #include <linux/hugetlb.h> + #include <linux/sched.h> + #include <linux/ksm.h> ++#include <linux/file.h> + + /* + * Any behaviour which results in changes to the vma->vm_flags needs to +@@ -197,14 +198,16 @@ static long madvise_remove(struct vm_area_struct *vma, + struct address_space *mapping; + loff_t offset, endoff; + int error; ++ struct file *f; + + *prev = NULL; /* tell sys_madvise we drop mmap_sem */ + + if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) + return -EINVAL; + +- if (!vma->vm_file || !vma->vm_file->f_mapping +- || !vma->vm_file->f_mapping->host) { ++ f = vma->vm_file; ++ ++ if (!f || !f->f_mapping || !f->f_mapping->host) { + return -EINVAL; + } + +@@ -218,9 +221,16 @@ static long madvise_remove(struct vm_area_struct *vma, + endoff = (loff_t)(end - vma->vm_start - 1) + + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); + +- /* vmtruncate_range needs to take i_mutex */ ++ /* ++ * vmtruncate_range may need to take i_mutex. We need to ++ * explicitly grab a reference because the vma (and hence the ++ * vma's reference to the file) can go away as soon as we drop ++ * mmap_sem. ++ */ ++ get_file(f); + up_read(¤t->mm->mmap_sem); + error = vmtruncate_range(mapping->host, offset, endoff); ++ fput(f); + down_read(¤t->mm->mmap_sem); + return error; + } +diff --git a/mm/shmem.c b/mm/shmem.c +index 6c253f7..7a82174 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1359,6 +1359,7 @@ static ssize_t shmem_file_splice_read(struct file *in, loff_t *ppos, + struct splice_pipe_desc spd = { + .pages = pages, + .partial = partial, ++ .nr_pages_max = PIPE_DEF_BUFFERS, + .flags = flags, + .ops = &page_cache_pipe_buf_ops, + .spd_release = spd_release_page, +@@ -1447,7 +1448,7 @@ static ssize_t shmem_file_splice_read(struct file *in, loff_t *ppos, + if (spd.nr_pages) + error = splice_to_pipe(pipe, &spd); + +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + + if (error > 0) { + *ppos += error; +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index f603e5b..f3f75ad 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -240,6 +240,7 @@ int br_add_bridge(struct net *net, const char *name) + return -ENOMEM; + + dev_net_set(dev, net); ++ dev->rtnl_link_ops = &br_link_ops; + + res = register_netdev(dev); + if (res) +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index a1daf82..cbf9ccd 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -211,7 +211,7 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[]) + return 0; + } + +-static struct rtnl_link_ops br_link_ops __read_mostly = { ++struct rtnl_link_ops br_link_ops __read_mostly = { + .kind = "bridge", + .priv_size = sizeof(struct net_bridge), + .setup = br_dev_setup, +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 93264df..b9bba8f 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -536,6 +536,7 @@ extern int (*br_fdb_test_addr_hook)(struct net_device *dev, unsigned char *addr) + #endif + + /* br_netlink.c */ ++extern struct rtnl_link_ops br_link_ops; + extern int br_netlink_init(void); + extern void br_netlink_fini(void); + extern void br_ifinfo_notify(int event, struct net_bridge_port *port); +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 2b587ec..2367246 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1672,6 +1672,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr) + case ETHTOOL_GRXCSUM: + case ETHTOOL_GTXCSUM: + case ETHTOOL_GSG: ++ case ETHTOOL_GSSET_INFO: + case ETHTOOL_GSTRINGS: + case ETHTOOL_GTSO: + case ETHTOOL_GPERMADDR: +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index ab0633f..db4bb7a 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -351,22 +351,23 @@ EXPORT_SYMBOL(netpoll_send_skb_on_dev); + + void netpoll_send_udp(struct netpoll *np, const char *msg, int len) + { +- int total_len, eth_len, ip_len, udp_len; ++ int total_len, ip_len, udp_len; + struct sk_buff *skb; + struct udphdr *udph; + struct iphdr *iph; + struct ethhdr *eth; + + udp_len = len + sizeof(*udph); +- ip_len = eth_len = udp_len + sizeof(*iph); +- total_len = eth_len + ETH_HLEN + NET_IP_ALIGN; ++ ip_len = udp_len + sizeof(*iph); ++ total_len = ip_len + LL_RESERVED_SPACE(np->dev); + +- skb = find_skb(np, total_len, total_len - len); ++ skb = find_skb(np, total_len + np->dev->needed_tailroom, ++ total_len - len); + if (!skb) + return; + + skb_copy_to_linear_data(skb, msg, len); +- skb->len += len; ++ skb_put(skb, len); + + skb_push(skb, sizeof(*udph)); + skb_reset_transport_header(skb); +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 2ec200de..af9c3c6 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -1663,6 +1663,7 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset, + struct splice_pipe_desc spd = { + .pages = pages, + .partial = partial, ++ .nr_pages_max = MAX_SKB_FRAGS, + .flags = flags, + .ops = &sock_pipe_buf_ops, + .spd_release = sock_spd_release, +@@ -1709,7 +1710,7 @@ done: + lock_sock(sk); + } + +- splice_shrink_spd(pipe, &spd); ++ splice_shrink_spd(&spd); + return ret; + } + +diff --git a/net/core/sock.c b/net/core/sock.c +index b23f174..8d095b9 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1497,6 +1497,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + gfp_t gfp_mask; + long timeo; + int err; ++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; ++ ++ err = -EMSGSIZE; ++ if (npages > MAX_SKB_FRAGS) ++ goto failure; + + gfp_mask = sk->sk_allocation; + if (gfp_mask & __GFP_WAIT) +@@ -1515,14 +1520,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) { + skb = alloc_skb(header_len, gfp_mask); + if (skb) { +- int npages; + int i; + + /* No pages, we're done... */ + if (!data_len) + break; + +- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT; + skb->truesize += data_len; + skb_shinfo(skb)->nr_frags = npages; + for (i = 0; i < npages; i++) { +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 059b9d9..2e21751 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2881,10 +2881,6 @@ static int __net_init ip6_route_net_init(struct net *net) + net->ipv6.sysctl.ip6_rt_mtu_expires = 10*60*HZ; + net->ipv6.sysctl.ip6_rt_min_advmss = IPV6_MIN_MTU - 20 - 40; + +-#ifdef CONFIG_PROC_FS +- proc_net_fops_create(net, "ipv6_route", 0, &ipv6_route_proc_fops); +- proc_net_fops_create(net, "rt6_stats", S_IRUGO, &rt6_stats_seq_fops); +-#endif + net->ipv6.ip6_rt_gc_expire = 30*HZ; + + ret = 0; +@@ -2905,10 +2901,6 @@ out_ip6_dst_ops: + + static void __net_exit ip6_route_net_exit(struct net *net) + { +-#ifdef CONFIG_PROC_FS +- proc_net_remove(net, "ipv6_route"); +- proc_net_remove(net, "rt6_stats"); +-#endif + kfree(net->ipv6.ip6_null_entry); + #ifdef CONFIG_IPV6_MULTIPLE_TABLES + kfree(net->ipv6.ip6_prohibit_entry); +@@ -2917,11 +2909,33 @@ static void __net_exit ip6_route_net_exit(struct net *net) + dst_entries_destroy(&net->ipv6.ip6_dst_ops); + } + ++static int __net_init ip6_route_net_init_late(struct net *net) ++{ ++#ifdef CONFIG_PROC_FS ++ proc_net_fops_create(net, "ipv6_route", 0, &ipv6_route_proc_fops); ++ proc_net_fops_create(net, "rt6_stats", S_IRUGO, &rt6_stats_seq_fops); ++#endif ++ return 0; ++} ++ ++static void __net_exit ip6_route_net_exit_late(struct net *net) ++{ ++#ifdef CONFIG_PROC_FS ++ proc_net_remove(net, "ipv6_route"); ++ proc_net_remove(net, "rt6_stats"); ++#endif ++} ++ + static struct pernet_operations ip6_route_net_ops = { + .init = ip6_route_net_init, + .exit = ip6_route_net_exit, + }; + ++static struct pernet_operations ip6_route_net_late_ops = { ++ .init = ip6_route_net_init_late, ++ .exit = ip6_route_net_exit_late, ++}; ++ + static struct notifier_block ip6_route_dev_notifier = { + .notifier_call = ip6_route_dev_notify, + .priority = 0, +@@ -2971,19 +2985,25 @@ int __init ip6_route_init(void) + if (ret) + goto xfrm6_init; + ++ ret = register_pernet_subsys(&ip6_route_net_late_ops); ++ if (ret) ++ goto fib6_rules_init; ++ + ret = -ENOBUFS; + if (__rtnl_register(PF_INET6, RTM_NEWROUTE, inet6_rtm_newroute, NULL, NULL) || + __rtnl_register(PF_INET6, RTM_DELROUTE, inet6_rtm_delroute, NULL, NULL) || + __rtnl_register(PF_INET6, RTM_GETROUTE, inet6_rtm_getroute, NULL, NULL)) +- goto fib6_rules_init; ++ goto out_register_late_subsys; + + ret = register_netdevice_notifier(&ip6_route_dev_notifier); + if (ret) +- goto fib6_rules_init; ++ goto out_register_late_subsys; + + out: + return ret; + ++out_register_late_subsys: ++ unregister_pernet_subsys(&ip6_route_net_late_ops); + fib6_rules_init: + fib6_rules_cleanup(); + xfrm6_init: +@@ -3002,6 +3022,7 @@ out_kmem_cache: + void ip6_route_cleanup(void) + { + unregister_netdevice_notifier(&ip6_route_dev_notifier); ++ unregister_pernet_subsys(&ip6_route_net_late_ops); + fib6_rules_cleanup(); + xfrm6_fini(); + fib6_gc_cleanup(); +diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c +index d2726a7..3c55f63 100644 +--- a/net/l2tp/l2tp_eth.c ++++ b/net/l2tp/l2tp_eth.c +@@ -167,6 +167,7 @@ static void l2tp_eth_delete(struct l2tp_session *session) + if (dev) { + unregister_netdev(dev); + spriv->dev = NULL; ++ module_put(THIS_MODULE); + } + } + } +@@ -254,6 +255,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p + if (rc < 0) + goto out_del_dev; + ++ __module_get(THIS_MODULE); + /* Must be done after register_netdev() */ + strlcpy(session->ifname, dev->name, IFNAMSIZ); + +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 2fbbe1f..6c7e609 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -515,10 +515,12 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + sk->sk_bound_dev_if); + if (IS_ERR(rt)) + goto no_route; +- if (connected) ++ if (connected) { + sk_setup_caps(sk, &rt->dst); +- else +- dst_release(&rt->dst); /* safe since we hold rcu_read_lock */ ++ } else { ++ skb_dst_set(skb, &rt->dst); ++ goto xmit; ++ } + } + + /* We dont need to clone dst here, it is guaranteed to not disappear. +@@ -526,6 +528,7 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + */ + skb_dst_set_noref(skb, &rt->dst); + ++xmit: + /* Queue the packet to IP for output */ + rc = ip_queue_xmit(skb, &inet->cork.fl); + rcu_read_unlock(); +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 064d20f..cda4875 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2389,7 +2389,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) + * frames that we didn't handle, including returning unknown + * ones. For all other modes we will return them to the sender, + * setting the 0x80 bit in the action category, as required by +- * 802.11-2007 7.3.1.11. ++ * 802.11-2012 9.24.4. + * Newer versions of hostapd shall also use the management frame + * registration mechanisms, but older ones still use cooked + * monitor interfaces so push all frames there. +@@ -2399,6 +2399,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) + sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) + return RX_DROP_MONITOR; + ++ if (is_multicast_ether_addr(mgmt->da)) ++ return RX_DROP_MONITOR; ++ + /* do not return rejected action frames */ + if (mgmt->u.action.category & 0x80) + return RX_DROP_UNUSABLE; +diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c +index 96633f5..12b6a80 100644 +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev, + nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); + data += 2; + +- nfca_poll->nfcid1_len = *data++; ++ nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1)); + + nfc_dbg("sens_res 0x%x, nfcid1_len %d", + nfca_poll->sens_res, +@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev, + + switch (ntf->rf_interface_type) { + case NCI_RF_INTERFACE_ISO_DEP: +- nfca_poll_iso_dep->rats_res_len = *data++; ++ nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20); + if (nfca_poll_iso_dep->rats_res_len > 0) { + memcpy(nfca_poll_iso_dep->rats_res, + data, +diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c +index ee7b2b3..7a167fc 100644 +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -52,7 +52,10 @@ static int rawsock_release(struct socket *sock) + { + struct sock *sk = sock->sk; + +- nfc_dbg("sock=%p", sock); ++ nfc_dbg("sock=%p sk=%p", sock, sk); ++ ++ if (!sk) ++ return 0; + + sock_orphan(sk); + sock_put(sk); +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 7b7a516..2b973f5 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -4457,7 +4457,7 @@ static int stac92xx_init(struct hda_codec *codec) + AC_PINCTL_IN_EN); + for (i = 0; i < spec->num_pwrs; i++) { + hda_nid_t nid = spec->pwr_nids[i]; +- int pinctl, def_conf; ++ unsigned int pinctl, def_conf; + + /* power on when no jack detection is available */ + /* or when the VREF is used for controlling LED */ +@@ -4484,7 +4484,7 @@ static int stac92xx_init(struct hda_codec *codec) + def_conf = get_defcfg_connect(def_conf); + /* skip any ports that don't have jacks since presence + * detection is useless */ +- if (def_conf != AC_JACK_PORT_NONE && ++ if (def_conf != AC_JACK_PORT_COMPLEX || + !is_jack_detectable(codec, nid)) { + stac_toggle_power_map(codec, nid, 1); + continue; +diff --git a/sound/soc/codecs/tlv320aic3x.c b/sound/soc/codecs/tlv320aic3x.c +index 87d5ef1..8b48801 100644 +--- a/sound/soc/codecs/tlv320aic3x.c ++++ b/sound/soc/codecs/tlv320aic3x.c +@@ -963,9 +963,7 @@ static int aic3x_hw_params(struct snd_pcm_substream *substream, + } + + found: +- data = snd_soc_read(codec, AIC3X_PLL_PROGA_REG); +- snd_soc_write(codec, AIC3X_PLL_PROGA_REG, +- data | (pll_p << PLLP_SHIFT)); ++ snd_soc_update_bits(codec, AIC3X_PLL_PROGA_REG, PLLP_MASK, pll_p); + snd_soc_write(codec, AIC3X_OVRF_STATUS_AND_PLLR_REG, + pll_r << PLLR_SHIFT); + snd_soc_write(codec, AIC3X_PLL_PROGB_REG, pll_j << PLLJ_SHIFT); +diff --git a/sound/soc/codecs/tlv320aic3x.h b/sound/soc/codecs/tlv320aic3x.h +index 06a1978..16d9999 100644 +--- a/sound/soc/codecs/tlv320aic3x.h ++++ b/sound/soc/codecs/tlv320aic3x.h +@@ -166,6 +166,7 @@ + + /* PLL registers bitfields */ + #define PLLP_SHIFT 0 ++#define PLLP_MASK 7 + #define PLLQ_SHIFT 3 + #define PLLR_SHIFT 0 + #define PLLJ_SHIFT 2 diff --git a/3.2.22/4420_grsecurity-2.9.1-3.2.22-201207080924.patch b/3.2.23/4420_grsecurity-2.9.1-3.2.23-201207122159.patch index 166b633..7052c62 100644 --- a/3.2.22/4420_grsecurity-2.9.1-3.2.22-201207080924.patch +++ b/3.2.23/4420_grsecurity-2.9.1-3.2.23-201207122159.patch @@ -205,7 +205,7 @@ index 81c287f..d456d02 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 9a7d921..c10f64e 100644 +index 40d1e3b..bf02dfb 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -30753,7 +30753,7 @@ index b2e3c97..58cf079 100644 mutex_unlock(&dev->struct_mutex); diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index c4da951..3c59c5c 100644 +index ca67338..0003ba7 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1172,7 +1172,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) @@ -33970,10 +33970,10 @@ index cf742d9..7c7c745 100644 struct md_personality diff --git a/drivers/md/persistent-data/dm-space-map-checker.c b/drivers/md/persistent-data/dm-space-map-checker.c -index 50ed53b..4f29d7d 100644 +index fc90c11..c8cd9a9 100644 --- a/drivers/md/persistent-data/dm-space-map-checker.c +++ b/drivers/md/persistent-data/dm-space-map-checker.c -@@ -159,7 +159,7 @@ static void ca_destroy(struct count_array *ca) +@@ -167,7 +167,7 @@ static int ca_commit(struct count_array *old, struct count_array *new) /*----------------------------------------------------------------*/ struct sm_checker { @@ -33983,7 +33983,7 @@ index 50ed53b..4f29d7d 100644 struct count_array old_counts; struct count_array counts; diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c -index fc469ba..2d91555 100644 +index 3d0ed53..35dc592 100644 --- a/drivers/md/persistent-data/dm-space-map-disk.c +++ b/drivers/md/persistent-data/dm-space-map-disk.c @@ -23,7 +23,7 @@ @@ -34043,7 +34043,7 @@ index 7af60ec..10a4a5d 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index b219449..40bfcc2 100644 +index 7a9eef6..707cb03 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1453,7 +1453,7 @@ static void end_sync_read(struct bio *bio, int error) @@ -34106,10 +34106,10 @@ index b219449..40bfcc2 100644 rdev_dec_pending(rdev, mddev); diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 858fdbb..b2dac95 100644 +index 6ba4954..5ce122a 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c -@@ -1610,19 +1610,19 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1616,19 +1616,19 @@ static void raid5_end_read_request(struct bio * bi, int error) (unsigned long long)(sh->sector + rdev->data_offset), bdevname(rdev->bdev, b)); @@ -34133,7 +34133,7 @@ index 858fdbb..b2dac95 100644 if (conf->mddev->degraded >= conf->max_degraded) printk_ratelimited( KERN_WARNING -@@ -1642,7 +1642,7 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1648,7 +1648,7 @@ static void raid5_end_read_request(struct bio * bi, int error) (unsigned long long)(sh->sector + rdev->data_offset), bdn); @@ -35007,19 +35007,6 @@ index a3f7a27..234016e 100644 return -EINVAL; /* Don't allow a single read to cross a 512-byte block boundary */ -diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c -index 72d3f23..68ecf48 100644 ---- a/drivers/mtd/nand/cafe_nand.c -+++ b/drivers/mtd/nand/cafe_nand.c -@@ -102,7 +102,7 @@ static const char *part_probes[] = { "cmdlinepart", "RedBoot", NULL }; - static int cafe_device_ready(struct mtd_info *mtd) - { - struct cafe_priv *cafe = mtd->priv; -- int result = !!(cafe_readl(cafe, NAND_STATUS) | 0x40000000); -+ int result = !!(cafe_readl(cafe, NAND_STATUS) & 0x40000000); - uint32_t irqs = cafe_readl(cafe, NAND_IRQ); - - cafe_writel(cafe, irqs, NAND_IRQ); diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c index 3984d48..28aa897 100644 --- a/drivers/mtd/nand/denali.c @@ -35157,7 +35144,7 @@ index dcd7f7a..ecb7fb3 100644 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"}, {"D-Link DFE-580TX 4 port Server Adapter"}, diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index bf266a0..e024af7 100644 +index 36c7c4e..7de1382 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -397,7 +397,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) @@ -35901,7 +35888,7 @@ index e662cbc..8d4a102 100644 } diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h -index 0f9ee46..e2d6e65 100644 +index 4cc4a8b..a7dc55a 100644 --- a/drivers/net/wireless/ath/ath.h +++ b/drivers/net/wireless/ath/ath.h @@ -119,6 +119,7 @@ struct ath_ops { @@ -48086,7 +48073,7 @@ index 5d22872..523db20 100644 kfree(link); } diff --git a/fs/open.c b/fs/open.c -index 22c41b5..070cb15 100644 +index e2b5d51..2c5708d 100644 --- a/fs/open.c +++ b/fs/open.c @@ -31,6 +31,8 @@ @@ -49750,7 +49737,7 @@ index dba43c3..4b3f701 100644 if (op) { diff --git a/fs/splice.c b/fs/splice.c -index 6d0dfb8..115bb3a 100644 +index 014fcb4..980206f 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -195,7 +195,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, @@ -49774,7 +49761,7 @@ index 6d0dfb8..115bb3a 100644 } pipe_unlock(pipe); -@@ -561,7 +561,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, +@@ -564,7 +564,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49783,7 +49770,7 @@ index 6d0dfb8..115bb3a 100644 set_fs(old_fs); return res; -@@ -576,7 +576,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, +@@ -579,7 +579,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49792,7 +49779,7 @@ index 6d0dfb8..115bb3a 100644 set_fs(old_fs); return res; -@@ -627,7 +627,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, +@@ -631,7 +631,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, goto err; this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset); @@ -49801,7 +49788,7 @@ index 6d0dfb8..115bb3a 100644 vec[i].iov_len = this_len; spd.pages[i] = page; spd.nr_pages++; -@@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); +@@ -853,10 +853,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd) { while (!pipe->nrbufs) { @@ -49814,7 +49801,7 @@ index 6d0dfb8..115bb3a 100644 return 0; if (sd->flags & SPLICE_F_NONBLOCK) -@@ -1185,7 +1185,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, +@@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, * out of the pipe right after the splice_to_pipe(). So set * PIPE_READERS appropriately. */ @@ -49823,7 +49810,7 @@ index 6d0dfb8..115bb3a 100644 current->splice_pipe = pipe; } -@@ -1737,9 +1737,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1742,9 +1742,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -49835,7 +49822,7 @@ index 6d0dfb8..115bb3a 100644 if (flags & SPLICE_F_NONBLOCK) { ret = -EAGAIN; break; -@@ -1771,7 +1771,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1776,7 +1776,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) pipe_lock(pipe); while (pipe->nrbufs >= pipe->buffers) { @@ -49844,7 +49831,7 @@ index 6d0dfb8..115bb3a 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; break; -@@ -1784,9 +1784,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1789,9 +1789,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -49856,7 +49843,7 @@ index 6d0dfb8..115bb3a 100644 } pipe_unlock(pipe); -@@ -1822,14 +1822,14 @@ retry: +@@ -1827,14 +1827,14 @@ retry: pipe_double_lock(ipipe, opipe); do { @@ -49873,7 +49860,7 @@ index 6d0dfb8..115bb3a 100644 break; /* -@@ -1926,7 +1926,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1931,7 +1931,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, pipe_double_lock(ipipe, opipe); do { @@ -49882,7 +49869,7 @@ index 6d0dfb8..115bb3a 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -1971,7 +1971,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1976,7 +1976,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, * return EAGAIN if we have the potential of some data in the * future, otherwise just return 0 */ @@ -49989,150 +49976,6 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) -diff --git a/fs/udf/super.c b/fs/udf/super.c -index 87cb24a..ce8efeb 100644 ---- a/fs/udf/super.c -+++ b/fs/udf/super.c -@@ -56,6 +56,7 @@ - #include <linux/seq_file.h> - #include <linux/bitmap.h> - #include <linux/crc-itu-t.h> -+#include <linux/log2.h> - #include <asm/byteorder.h> - - #include "udf_sb.h" -@@ -1217,16 +1218,65 @@ out_bh: - return ret; - } - -+static int udf_load_sparable_map(struct super_block *sb, -+ struct udf_part_map *map, -+ struct sparablePartitionMap *spm) -+{ -+ uint32_t loc; -+ uint16_t ident; -+ struct sparingTable *st; -+ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing; -+ int i; -+ struct buffer_head *bh; -+ -+ map->s_partition_type = UDF_SPARABLE_MAP15; -+ sdata->s_packet_len = le16_to_cpu(spm->packetLength); -+ if (!is_power_of_2(sdata->s_packet_len)) { -+ udf_err(sb, "error loading logical volume descriptor: " -+ "Invalid packet length %u\n", -+ (unsigned)sdata->s_packet_len); -+ return -EIO; -+ } -+ if (spm->numSparingTables > 4) { -+ udf_err(sb, "error loading logical volume descriptor: " -+ "Too many sparing tables (%d)\n", -+ (int)spm->numSparingTables); -+ return -EIO; -+ } -+ -+ for (i = 0; i < spm->numSparingTables; i++) { -+ loc = le32_to_cpu(spm->locSparingTable[i]); -+ bh = udf_read_tagged(sb, loc, loc, &ident); -+ if (!bh) -+ continue; -+ -+ st = (struct sparingTable *)bh->b_data; -+ if (ident != 0 || -+ strncmp(st->sparingIdent.ident, UDF_ID_SPARING, -+ strlen(UDF_ID_SPARING)) || -+ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) > -+ sb->s_blocksize) { -+ brelse(bh); -+ continue; -+ } -+ -+ sdata->s_spar_map[i] = bh; -+ } -+ map->s_partition_func = udf_get_pblock_spar15; -+ return 0; -+} -+ - static int udf_load_logicalvol(struct super_block *sb, sector_t block, - struct kernel_lb_addr *fileset) - { - struct logicalVolDesc *lvd; -- int i, j, offset; -+ int i, offset; - uint8_t type; - struct udf_sb_info *sbi = UDF_SB(sb); - struct genericPartitionMap *gpm; - uint16_t ident; - struct buffer_head *bh; -+ unsigned int table_len; - int ret = 0; - - bh = udf_read_tagged(sb, block, block, &ident); -@@ -1234,6 +1284,13 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, - return 1; - BUG_ON(ident != TAG_IDENT_LVD); - lvd = (struct logicalVolDesc *)bh->b_data; -+ table_len = le32_to_cpu(lvd->mapTableLength); -+ if (sizeof(*lvd) + table_len > sb->s_blocksize) { -+ udf_err(sb, "error loading logical volume descriptor: " -+ "Partition table too long (%u > %lu)\n", table_len, -+ sb->s_blocksize - sizeof(*lvd)); -+ goto out_bh; -+ } - - i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); - if (i != 0) { -@@ -1242,7 +1299,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, - } - - for (i = 0, offset = 0; -- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength); -+ i < sbi->s_partitions && offset < table_len; - i++, offset += gpm->partitionMapLength) { - struct udf_part_map *map = &sbi->s_partmaps[i]; - gpm = (struct genericPartitionMap *) -@@ -1277,38 +1334,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, - } else if (!strncmp(upm2->partIdent.ident, - UDF_ID_SPARABLE, - strlen(UDF_ID_SPARABLE))) { -- uint32_t loc; -- struct sparingTable *st; -- struct sparablePartitionMap *spm = -- (struct sparablePartitionMap *)gpm; -- -- map->s_partition_type = UDF_SPARABLE_MAP15; -- map->s_type_specific.s_sparing.s_packet_len = -- le16_to_cpu(spm->packetLength); -- for (j = 0; j < spm->numSparingTables; j++) { -- struct buffer_head *bh2; -- -- loc = le32_to_cpu( -- spm->locSparingTable[j]); -- bh2 = udf_read_tagged(sb, loc, loc, -- &ident); -- map->s_type_specific.s_sparing. -- s_spar_map[j] = bh2; -- -- if (bh2 == NULL) -- continue; -- -- st = (struct sparingTable *)bh2->b_data; -- if (ident != 0 || strncmp( -- st->sparingIdent.ident, -- UDF_ID_SPARING, -- strlen(UDF_ID_SPARING))) { -- brelse(bh2); -- map->s_type_specific.s_sparing. -- s_spar_map[j] = NULL; -- } -- } -- map->s_partition_func = udf_get_pblock_spar15; -+ if (udf_load_sparable_map(sb, map, -+ (struct sparablePartitionMap *)gpm) < 0) -+ goto out_bh; - } else if (!strncmp(upm2->partIdent.ident, - UDF_ID_METADATA, - strlen(UDF_ID_METADATA))) { diff --git a/fs/utimes.c b/fs/utimes.c index ba653f3..06ea4b1 100644 --- a/fs/utimes.c @@ -51291,7 +51134,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..71152c3 +index 0000000..2b8f968 --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4190 @@ @@ -51317,6 +51160,7 @@ index 0000000..71152c3 +#include <linux/security.h> +#include <linux/grinternal.h> +#include <linux/pid_namespace.h> ++#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> + @@ -53574,18 +53418,17 @@ index 0000000..71152c3 +void +gr_copy_label(struct task_struct *tsk) +{ -+ /* plain copying of fields is already done by dup_task_struct */ + tsk->signal->used_accept = 0; + tsk->acl_sp_role = 0; -+ //tsk->acl_role_id = current->acl_role_id; -+ //tsk->acl = current->acl; -+ //tsk->role = current->role; ++ tsk->acl_role_id = current->acl_role_id; ++ tsk->acl = current->acl; ++ tsk->role = current->role; + tsk->signal->curr_ip = current->signal->curr_ip; + tsk->signal->saved_ip = current->signal->saved_ip; + if (current->exec_file) + get_file(current->exec_file); -+ //tsk->exec_file = current->exec_file; -+ //tsk->is_writable = current->is_writable; ++ tsk->exec_file = current->exec_file; ++ tsk->is_writable = current->is_writable; + if (unlikely(current->signal->used_accept)) { + current->signal->curr_ip = 0; + current->signal->saved_ip = 0; @@ -54394,6 +54237,15 @@ index 0000000..71152c3 + return 1; +} + ++static int gr_rbac_disable(void *unused) ++{ ++ pax_open_kernel(); ++ gr_status &= ~GR_READY; ++ pax_close_kernel(); ++ ++ return 0; ++} ++ +ssize_t +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos) +{ @@ -54478,15 +54330,12 @@ index 0000000..71152c3 + case GR_SHUTDOWN: + if ((gr_status & GR_READY) + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); + memset(gr_usermode, 0, sizeof (struct gr_arg)); + memset(gr_system_salt, 0, GR_SALT_LEN); + memset(gr_system_sum, 0, GR_SHA_LEN); ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); + } else if (gr_status & GR_READY) { + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG); + error = -EPERM; @@ -54511,20 +54360,14 @@ index 0000000..71152c3 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION); + error = -EAGAIN; + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ preempt_disable(); -+ -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); -+ if (!(error2 = gracl_init(gr_usermode))) { -+ preempt_enable(); ++ error2 = gracl_init(gr_usermode); ++ if (!error2) + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION); -+ } else { -+ preempt_enable(); -+ error = error2; ++ else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); ++ error = error2; + } + } else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); @@ -65468,7 +65311,7 @@ index 0993a22..32ba2fe 100644 void *pmi_pal; u8 *vbe_state_orig; /* diff --git a/init/Kconfig b/init/Kconfig -index 43298f9..2f56c12 100644 +index 43298f9..7e4816c 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1214,7 +1214,7 @@ config SLUB_DEBUG @@ -65480,6 +65323,15 @@ index 43298f9..2f56c12 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). +@@ -1397,7 +1397,7 @@ config INIT_ALL_POSSIBLE + config STOP_MACHINE + bool + default y +- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU ++ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC + help + Need stop_machine() primitive. + diff --git a/init/do_mounts.c b/init/do_mounts.c index d6c229f..4746631 100644 --- a/init/do_mounts.c @@ -66827,7 +66679,7 @@ index 5a8a66e..ded4680 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 79ee71f..94d79d4 100644 +index 79ee71f..2101311 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -282,7 +282,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -67099,16 +66951,17 @@ index 79ee71f..94d79d4 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1261,6 +1322,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, - if (clone_flags & CLONE_THREAD) - p->tgid = current->tgid; +@@ -1318,6 +1379,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, + /* Need tasklist lock for parent etc handling! */ + write_lock_irq(&tasklist_lock); ++ /* synchronizes with gr_set_acls() */ + gr_copy_label(p); + - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; - /* - * Clear TID on mm_release()? -@@ -1425,6 +1488,8 @@ bad_fork_cleanup_count: + /* CLONE_PARENT re-uses the old parent */ + if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) { + p->real_parent = current->real_parent; +@@ -1425,6 +1489,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -67117,7 +66970,7 @@ index 79ee71f..94d79d4 100644 return ERR_PTR(retval); } -@@ -1525,6 +1590,8 @@ long do_fork(unsigned long clone_flags, +@@ -1525,6 +1591,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -67126,7 +66979,7 @@ index 79ee71f..94d79d4 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1634,7 +1701,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1634,7 +1702,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -67135,7 +66988,7 @@ index 79ee71f..94d79d4 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1723,7 +1790,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1723,7 +1791,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -70501,10 +70354,10 @@ index 25b4f4d..6f4772d 100644 struct ftrace_func_probe *entry; struct ftrace_page *pg; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 697e49d..7f77a66 100644 +index 5638104..f047453 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c -@@ -4205,10 +4205,9 @@ static const struct file_operations tracing_dyn_info_fops = { +@@ -4209,10 +4209,9 @@ static const struct file_operations tracing_dyn_info_fops = { }; #endif @@ -70516,7 +70369,7 @@ index 697e49d..7f77a66 100644 static int once; if (d_tracer) -@@ -4228,10 +4227,9 @@ struct dentry *tracing_init_dentry(void) +@@ -4232,10 +4231,9 @@ struct dentry *tracing_init_dentry(void) return d_tracer; } @@ -71296,19 +71149,10 @@ index d53adf9..03a24bf 100644 set_fs(old_fs); diff --git a/mm/madvise.c b/mm/madvise.c -index 74bf193..4041aaa 100644 +index 23d3a6b..7b519b7 100644 --- a/mm/madvise.c +++ b/mm/madvise.c -@@ -13,6 +13,8 @@ - #include <linux/hugetlb.h> - #include <linux/sched.h> - #include <linux/ksm.h> -+#include <linux/fs.h> -+#include <linux/file.h> - - /* - * Any behaviour which results in changes to the vma->vm_flags needs to -@@ -45,6 +47,10 @@ static long madvise_behavior(struct vm_area_struct * vma, +@@ -46,6 +46,10 @@ static long madvise_behavior(struct vm_area_struct * vma, pgoff_t pgoff; unsigned long new_flags = vma->vm_flags; @@ -71319,7 +71163,7 @@ index 74bf193..4041aaa 100644 switch (behavior) { case MADV_NORMAL: new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ; -@@ -110,6 +116,13 @@ success: +@@ -111,6 +115,13 @@ success: /* * vm_flags is protected by the mmap_sem held in write mode. */ @@ -71333,7 +71177,7 @@ index 74bf193..4041aaa 100644 vma->vm_flags = new_flags; out: -@@ -168,6 +181,11 @@ static long madvise_dontneed(struct vm_area_struct * vma, +@@ -169,6 +180,11 @@ static long madvise_dontneed(struct vm_area_struct * vma, struct vm_area_struct ** prev, unsigned long start, unsigned long end) { @@ -71345,7 +71189,7 @@ index 74bf193..4041aaa 100644 *prev = vma; if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP)) return -EINVAL; -@@ -180,6 +198,21 @@ static long madvise_dontneed(struct vm_area_struct * vma, +@@ -181,6 +197,21 @@ static long madvise_dontneed(struct vm_area_struct * vma, zap_page_range(vma, start, end - start, &details); } else zap_page_range(vma, start, end - start, NULL); @@ -71367,47 +71211,15 @@ index 74bf193..4041aaa 100644 return 0; } -@@ -197,16 +230,17 @@ static long madvise_remove(struct vm_area_struct *vma, - struct address_space *mapping; - loff_t offset, endoff; - int error; -+ struct file *f; - - *prev = NULL; /* tell sys_madvise we drop mmap_sem */ - - if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) - return -EINVAL; - -- if (!vma->vm_file || !vma->vm_file->f_mapping -- || !vma->vm_file->f_mapping->host) { -- return -EINVAL; -- } -+ f = vma->vm_file; -+ -+ if (!f || !f->f_mapping || !f->f_mapping->host) -+ return -EINVAL; - - if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE)) - return -EACCES; -@@ -218,10 +252,16 @@ static long madvise_remove(struct vm_area_struct *vma, - endoff = (loff_t)(end - vma->vm_start - 1) - + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); - -- /* vmtruncate_range needs to take i_mutex */ -+ /* vmtruncate_range needs to take i_mutex. We need to -+ * explicitly grab a reference because the vma (and hence the -+ * vma's reference to the file) can go away as soon as we drop -+ * mmap_sem. -+ */ -+ get_file(f); - up_read(¤t->mm->mmap_sem); +@@ -232,6 +263,7 @@ static long madvise_remove(struct vm_area_struct *vma, error = vmtruncate_range(mapping->host, offset, endoff); + fput(f); down_read(¤t->mm->mmap_sem); + fput(f); return error; } -@@ -376,6 +416,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior) +@@ -386,6 +418,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior) if (end < start) goto out; @@ -74320,7 +74132,7 @@ index a4fd368..e0ffec7 100644 struct anon_vma_chain *avc; struct anon_vma *anon_vma; diff --git a/mm/shmem.c b/mm/shmem.c -index 6c253f7..367e20a 100644 +index 7a82174..75d1c8b 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -31,7 +31,7 @@ @@ -74341,7 +74153,7 @@ index 6c253f7..367e20a 100644 struct shmem_xattr { struct list_head list; /* anchored by shmem_inode_info->xattr_list */ -@@ -2180,8 +2180,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2181,8 +2181,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -76322,7 +76134,7 @@ index ff52ad0..aff1c0f 100644 { int new_fd; diff --git a/net/core/sock.c b/net/core/sock.c -index b23f174..b9a0d26 100644 +index 8d095b9..315c541 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -289,7 +289,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -76397,7 +76209,7 @@ index b23f174..b9a0d26 100644 return -EFAULT; lenout: if (put_user(len, optlen)) -@@ -2020,7 +2020,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) +@@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); @@ -79759,10 +79571,10 @@ index 38f6617..e70b72b 100755 exuberant() diff --git a/security/Kconfig b/security/Kconfig -index 51bd5a0..5a02ed0 100644 +index 51bd5a0..d660068 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,860 @@ +@@ -4,6 +4,861 @@ menu "Security options" @@ -79791,6 +79603,7 @@ index 51bd5a0..5a02ed0 100644 + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 ++ select STOP_MACHINE + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -80623,7 +80436,7 @@ index 51bd5a0..5a02ed0 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1023,7 @@ config INTEL_TXT +@@ -169,7 +1024,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.2.22/4430_grsec-remove-localversion-grsec.patch b/3.2.23/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.22/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.23/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.22/4435_grsec-mute-warnings.patch b/3.2.23/4435_grsec-mute-warnings.patch index e85abd6..e85abd6 100644 --- a/3.2.22/4435_grsec-mute-warnings.patch +++ b/3.2.23/4435_grsec-mute-warnings.patch diff --git a/3.2.22/4440_grsec-remove-protected-paths.patch b/3.2.23/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.2.22/4440_grsec-remove-protected-paths.patch +++ b/3.2.23/4440_grsec-remove-protected-paths.patch diff --git a/3.2.22/4450_grsec-kconfig-default-gids.patch b/3.2.23/4450_grsec-kconfig-default-gids.patch index 545e82e..545e82e 100644 --- a/3.2.22/4450_grsec-kconfig-default-gids.patch +++ b/3.2.23/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.22/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.23/4465_selinux-avc_audit-log-curr_ip.patch index 48acad7..48acad7 100644 --- a/3.2.22/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.23/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.22/4470_disable-compat_vdso.patch b/3.2.23/4470_disable-compat_vdso.patch index 4742d01..4742d01 100644 --- a/3.2.22/4470_disable-compat_vdso.patch +++ b/3.2.23/4470_disable-compat_vdso.patch diff --git a/3.4.4/0000_README b/3.4.4/0000_README index 6e60159..f73a168 100644 --- a/3.4.4/0000_README +++ b/3.4.4/0000_README @@ -6,7 +6,7 @@ Patch: 2600_FW_MIPS_FILE_06_regression.patch From: Anthony G. Basile <blueness@gentoo.org> Desc: Fix regressions against bnx2 firmware -Patch: 4420_grsecurity-2.9.1-3.4.4-201207080925.patch +Patch: 4420_grsecurity-2.9.1-3.4.4-201207122200.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207080925.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207122200.patch index 1035f85..826a3d4 100644 --- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207080925.patch +++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207122200.patch @@ -50133,7 +50133,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..dc0417e +index 0000000..7a5922f --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4016 @@ @@ -50159,6 +50159,7 @@ index 0000000..dc0417e +#include <linux/security.h> +#include <linux/grinternal.h> +#include <linux/pid_namespace.h> ++#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> +#include "../fs/mount.h" @@ -52409,18 +52410,17 @@ index 0000000..dc0417e +void +gr_copy_label(struct task_struct *tsk) +{ -+ /* plain copying of fields is already done by dup_task_struct */ + tsk->signal->used_accept = 0; + tsk->acl_sp_role = 0; -+ //tsk->acl_role_id = current->acl_role_id; -+ //tsk->acl = current->acl; -+ //tsk->role = current->role; ++ tsk->acl_role_id = current->acl_role_id; ++ tsk->acl = current->acl; ++ tsk->role = current->role; + tsk->signal->curr_ip = current->signal->curr_ip; + tsk->signal->saved_ip = current->signal->saved_ip; + if (current->exec_file) + get_file(current->exec_file); -+ //tsk->exec_file = current->exec_file; -+ //tsk->is_writable = current->is_writable; ++ tsk->exec_file = current->exec_file; ++ tsk->is_writable = current->is_writable; + if (unlikely(current->signal->used_accept)) { + current->signal->curr_ip = 0; + current->signal->saved_ip = 0; @@ -53229,6 +53229,15 @@ index 0000000..dc0417e + return 1; +} + ++static int gr_rbac_disable(void *unused) ++{ ++ pax_open_kernel(); ++ gr_status &= ~GR_READY; ++ pax_close_kernel(); ++ ++ return 0; ++} ++ +ssize_t +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos) +{ @@ -53313,15 +53322,12 @@ index 0000000..dc0417e + case GR_SHUTDOWN: + if ((gr_status & GR_READY) + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); + memset(gr_usermode, 0, sizeof (struct gr_arg)); + memset(gr_system_salt, 0, GR_SALT_LEN); + memset(gr_system_sum, 0, GR_SHA_LEN); ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); + } else if (gr_status & GR_READY) { + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG); + error = -EPERM; @@ -53346,20 +53352,14 @@ index 0000000..dc0417e + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION); + error = -EAGAIN; + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { -+ preempt_disable(); -+ -+ pax_open_kernel(); -+ gr_status &= ~GR_READY; -+ pax_close_kernel(); -+ ++ stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(); -+ if (!(error2 = gracl_init(gr_usermode))) { -+ preempt_enable(); ++ error2 = gracl_init(gr_usermode); ++ if (!error2) + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION); -+ } else { -+ preempt_enable(); -+ error = error2; ++ else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); ++ error = error2; + } + } else { + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION); @@ -63979,7 +63979,7 @@ index 0993a22..32ba2fe 100644 void *pmi_pal; u8 *vbe_state_orig; /* diff --git a/init/Kconfig b/init/Kconfig -index 6cfd71d..73cb68d 100644 +index 6cfd71d..16006e6 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -790,6 +790,7 @@ endif # CGROUPS @@ -63999,6 +63999,15 @@ index 6cfd71d..73cb68d 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). +@@ -1423,7 +1424,7 @@ config INIT_ALL_POSSIBLE + config STOP_MACHINE + bool + default y +- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU ++ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC + help + Need stop_machine() primitive. + diff --git a/init/do_mounts.c b/init/do_mounts.c index 42b0707..c06eef4 100644 --- a/init/do_mounts.c @@ -65340,7 +65349,7 @@ index d8bd3b42..26bd8dc 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 8163333..efb4692 100644 +index 8163333..42d41de 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -286,7 +286,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -65596,16 +65605,17 @@ index 8163333..efb4692 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1328,6 +1369,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, - if (clone_flags & CLONE_THREAD) - p->tgid = current->tgid; +@@ -1392,6 +1433,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, + /* Need tasklist lock for parent etc handling! */ + write_lock_irq(&tasklist_lock); ++ /* synchronizes with gr_set_acls() */ + gr_copy_label(p); + - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; - /* - * Clear TID on mm_release()? -@@ -1502,6 +1545,8 @@ bad_fork_cleanup_count: + /* CLONE_PARENT re-uses the old parent */ + if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) { + p->real_parent = current->real_parent; +@@ -1502,6 +1546,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -65614,7 +65624,7 @@ index 8163333..efb4692 100644 return ERR_PTR(retval); } -@@ -1602,6 +1647,8 @@ long do_fork(unsigned long clone_flags, +@@ -1602,6 +1648,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -65623,7 +65633,7 @@ index 8163333..efb4692 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1700,7 +1747,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1700,7 +1748,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -65632,7 +65642,7 @@ index 8163333..efb4692 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1789,7 +1836,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1789,7 +1837,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -77756,10 +77766,10 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index ccc61f8..bac65f2 100644 +index ccc61f8..7244cf1 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,860 @@ +@@ -4,6 +4,861 @@ menu "Security options" @@ -77788,6 +77798,7 @@ index ccc61f8..bac65f2 100644 + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 ++ select STOP_MACHINE + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -78620,7 +78631,7 @@ index ccc61f8..bac65f2 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1023,7 @@ config INTEL_TXT +@@ -169,7 +1024,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |