author | Anthony G. Basile <blueness@gentoo.org> | 2013-06-11 13:20:12 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-11 13:20:12 -0400 |
commit | 0c7fc784d8e6edb554e33face94e389a9da725a0 (patch) | |
tree | b2f74cd0b029eba8be3a939bda2ad8a2af47e8ae | |
parent | Fix 3.2.45 -> 3.2.46 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.45,3.9.5}-201306102218
-rw-r--r-- | 2.6.32/0000_README | 8 | ||||
-rw-r--r-- | 2.6.32/1060_linux-2.6.32.61.patch | 7150 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch) | 1736 | ||||
-rw-r--r-- | 3.2.46/0000_README | 2 | ||||
-rw-r--r-- | 3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch (renamed from 3.2.46/4420_grsecurity-2.9.1-3.2.46-201306041947.patch) | 76 | ||||
-rw-r--r-- | 3.9.5/0000_README (renamed from 3.9.4/0000_README) | 2 | ||||
-rw-r--r-- | 3.9.5/4420_grsecurity-2.9.1-3.9.5-201306102218.patch (renamed from 3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch) | 735 | ||||
-rw-r--r-- | 3.9.5/4425_grsec_remove_EI_PAX.patch (renamed from 3.9.4/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4430_grsec-remove-localversion-grsec.patch (renamed from 3.9.4/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4435_grsec-mute-warnings.patch (renamed from 3.9.4/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4440_grsec-remove-protected-paths.patch (renamed from 3.9.4/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4450_grsec-kconfig-default-gids.patch (renamed from 3.9.4/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.9.4/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4470_disable-compat_vdso.patch (renamed from 3.9.4/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.9.5/4475_emutramp_default_on.patch (renamed from 3.9.4/4475_emutramp_default_on.patch) | 0 |
15 files changed, 7726 insertions, 1983 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 797feaa..4d58a67 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -32,9 +32,13 @@ Desc: Linux 2.6.32.59
 
 Patch: 1059_linux-2.6.32.60.patch
 From: http://www.kernel.org
-Desc: Linux 2.6.32.59
+Desc: Linux 2.6.32.60
+
+Patch: 1060_linux-2.6.32.61.patch
+From: http://www.kernel.org
+Desc: Linux 2.6.32.61
 
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/1060_linux-2.6.32.61.patch b/2.6.32/1060_linux-2.6.32.61.patch
new file mode 100644
index 0000000..aa8db39
--- /dev/null
+++ b/2.6.32/1060_linux-2.6.32.61.patch
@@ -0,0 +1,7150 @@ +diff --git a/Makefile b/Makefile +index e5a279c..b0e245e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + VERSION = 2 + PATCHLEVEL = 6 + SUBLEVEL = 32 +-EXTRAVERSION = .61 ++EXTRAVERSION = .60 + NAME = Man-Eating Seals of Antiquity + + # *DOCUMENTATION* +diff --git a/arch/alpha/kernel/sys_nautilus.c b/arch/alpha/kernel/sys_nautilus.c +index dc616b3..99c0f46 100644 +--- a/arch/alpha/kernel/sys_nautilus.c ++++ b/arch/alpha/kernel/sys_nautilus.c +@@ -189,10 +189,6 @@ nautilus_machine_check(unsigned long vector, unsigned long la_ptr) + extern void free_reserved_mem(void *, void *); + extern void pcibios_claim_one_bus(struct pci_bus *); + +-static struct resource irongate_io = { +- .name = "Irongate PCI IO", +- .flags = IORESOURCE_IO, +-}; + static struct resource irongate_mem = { + .name = "Irongate PCI MEM", + .flags = IORESOURCE_MEM, +@@ -214,7 +210,6 @@ nautilus_init_pci(void) + + irongate = pci_get_bus_and_slot(0, 0); + bus->self = irongate; +- bus->resource[0] = &irongate_io; + bus->resource[1] = &irongate_mem; + + pci_bus_size_bridges(bus); +diff --git a/arch/arm/include/asm/signal.h b/arch/arm/include/asm/signal.h +index 559ee24..43ba0fb 100644 +--- a/arch/arm/include/asm/signal.h ++++ b/arch/arm/include/asm/signal.h +@@ -127,7 +127,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/avr32/include/asm/signal.h b/arch/avr32/include/asm/signal.h +index e6952a0..8790dfc 100644 +--- a/arch/avr32/include/asm/signal.h ++++ b/arch/avr32/include/asm/signal.h +@@ -128,7 +128,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/cris/include/asm/signal.h b/arch/cris/include/asm/signal.h +index 057fea2..ea6af9a 100644 +--- 
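Review bot: The embedded Makefile hunk in 1060_linux-2.6.32.61.patch runs backwards: it has `-EXTRAVERSION = .61` and `+EXTRAVERSION = .60`, while the file name and the README entry describe the step to 2.6.32.61. The rest of the visible file is consistent with a reversed diff, since as written it deletes checks rather than adding them: the `capable(CAP_SYS_RAWIO)` test in `msr_open`, the page-boundary test on `time_offset` and the `X86_CR4_OSXSAVE` rejection in arch/x86/kvm/x86.c, the `!bus->p` guards in drivers/base/bus.c, the NULL test after `blk_get_request` in `scsi_execute`, and the `-EINVAL` returns in parisc `put_sigset32`/`get_sigset32`, which become `panic()`. I would regenerate the incremental patch with the 2.6.32.60 tree as the old side and confirm with a dry-run apply on a 2.6.32.60 tree that the Makefile ends at `EXTRAVERSION = .61`. The enclosing hunk of the new file (7150 lines) continues past the part shown here, so this is based on the visible portion only.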
a/arch/cris/include/asm/signal.h ++++ b/arch/cris/include/asm/signal.h +@@ -122,7 +122,6 @@ struct sigaction { + void (*sa_restorer)(void); + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/h8300/include/asm/signal.h b/arch/h8300/include/asm/signal.h +index 8695707..fd8b66e 100644 +--- a/arch/h8300/include/asm/signal.h ++++ b/arch/h8300/include/asm/signal.h +@@ -121,7 +121,6 @@ struct sigaction { + void (*sa_restorer)(void); + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/m32r/include/asm/signal.h b/arch/m32r/include/asm/signal.h +index a96a9f4..9c1acb2 100644 +--- a/arch/m32r/include/asm/signal.h ++++ b/arch/m32r/include/asm/signal.h +@@ -123,7 +123,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/m68k/include/asm/signal.h b/arch/m68k/include/asm/signal.h +index 01a492a..5bc09c7 100644 +--- a/arch/m68k/include/asm/signal.h ++++ b/arch/m68k/include/asm/signal.h +@@ -119,7 +119,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/mips/Makefile b/arch/mips/Makefile +index 57ff855..77f5021 100644 +--- a/arch/mips/Makefile ++++ b/arch/mips/Makefile +@@ -657,7 +657,7 @@ KBUILD_CPPFLAGS += -D"DATAOFFSET=$(if $(dataoffset-y),$(dataoffset-y),0)" + LDFLAGS += -m $(ld-emul) + + ifdef CONFIG_MIPS +-CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \ ++CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -xc /dev/null | \ + egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \ + sed -e 's/^\#define /-D/' -e "s/ /='/" -e "s/$$/'/") + 
ifdef CONFIG_64BIT +diff --git a/arch/mips/kernel/Makefile b/arch/mips/kernel/Makefile +index 700dc14..eecd2a9 100644 +--- a/arch/mips/kernel/Makefile ++++ b/arch/mips/kernel/Makefile +@@ -88,7 +88,7 @@ obj-$(CONFIG_GPIO_TXX9) += gpio_txx9.o + obj-$(CONFIG_KEXEC) += machine_kexec.o relocate_kernel.o + obj-$(CONFIG_EARLY_PRINTK) += early_printk.o + +-CFLAGS_cpu-bugs64.o = $(shell if $(CC) $(KBUILD_CFLAGS) -Wa,-mdaddi -c -o /dev/null -x c /dev/null >/dev/null 2>&1; then echo "-DHAVE_AS_SET_DADDI"; fi) ++CFLAGS_cpu-bugs64.o = $(shell if $(CC) $(KBUILD_CFLAGS) -Wa,-mdaddi -c -o /dev/null -xc /dev/null >/dev/null 2>&1; then echo "-DHAVE_AS_SET_DADDI"; fi) + + obj-$(CONFIG_HAVE_STD_PC_SERIAL_PORT) += 8250-platform.o + +diff --git a/arch/mn10300/include/asm/signal.h b/arch/mn10300/include/asm/signal.h +index 045d6a2..7e891fc 100644 +--- a/arch/mn10300/include/asm/signal.h ++++ b/arch/mn10300/include/asm/signal.h +@@ -131,7 +131,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c +index 32d43e7..fb59852 100644 +--- a/arch/parisc/kernel/signal32.c ++++ b/arch/parisc/kernel/signal32.c +@@ -68,8 +68,7 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) + { + compat_sigset_t s; + +- if (sz != sizeof *set) +- return -EINVAL; ++ if (sz != sizeof *set) panic("put_sigset32()"); + sigset_64to32(&s, set); + + return copy_to_user(up, &s, sizeof s); +@@ -81,8 +80,7 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) + compat_sigset_t s; + int r; + +- if (sz != sizeof *set) +- return -EINVAL; ++ if (sz != sizeof *set) panic("put_sigset32()"); + + if ((r = copy_from_user(&s, up, sz)) == 0) { + sigset_32to64(set, &s); +diff --git a/arch/powerpc/include/asm/signal.h b/arch/powerpc/include/asm/signal.h +index ec63a0a..3eb13be 100644 +--- 
a/arch/powerpc/include/asm/signal.h ++++ b/arch/powerpc/include/asm/signal.h +@@ -109,7 +109,6 @@ struct sigaction { + __sigrestore_t sa_restorer; + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/s390/include/asm/signal.h b/arch/s390/include/asm/signal.h +index c872626..cdf5cb2 100644 +--- a/arch/s390/include/asm/signal.h ++++ b/arch/s390/include/asm/signal.h +@@ -131,7 +131,6 @@ struct sigaction { + void (*sa_restorer)(void); + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/arch/sparc/include/asm/signal.h b/arch/sparc/include/asm/signal.h +index 4929431..e49b828 100644 +--- a/arch/sparc/include/asm/signal.h ++++ b/arch/sparc/include/asm/signal.h +@@ -191,7 +191,6 @@ struct __old_sigaction { + unsigned long sa_flags; + void (*sa_restorer)(void); /* not used by Linux/SPARC yet */ + }; +-#define __ARCH_HAS_SA_RESTORER + + typedef struct sigaltstack { + void __user *ss_sp; +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index ee0168d..aa889d6 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1430,7 +1430,7 @@ config ARCH_USES_PG_UNCACHED + + config ARCH_RANDOM + def_bool y +- prompt "x86 architectural random number generator" if EMBEDDED ++ prompt "x86 architectural random number generator" if EXPERT + ---help--- + Enable the x86 architectural RDRAND instruction + (Intel Bull Mountain technology) to generate random numbers. 
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index 1cce9d2..af6fd36 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -130,11 +130,6 @@ static inline unsigned long pmd_pfn(pmd_t pmd) + return (pmd_val(pmd) & PTE_PFN_MASK) >> PAGE_SHIFT; + } + +-static inline unsigned long pud_pfn(pud_t pud) +-{ +- return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; +-} +- + #define pte_page(pte) pfn_to_page(pte_pfn(pte)) + + static inline int pmd_large(pmd_t pte) +diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h +index e668d72..0f0d908 100644 +--- a/arch/x86/include/asm/ptrace.h ++++ b/arch/x86/include/asm/ptrace.h +@@ -2,7 +2,6 @@ + #define _ASM_X86_PTRACE_H + + #include <linux/compiler.h> /* For __user */ +-#include <linux/linkage.h> /* For asmregparm */ + #include <asm/ptrace-abi.h> + #include <asm/processor-flags.h> + +@@ -143,8 +142,8 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + int error_code, int si_code); + void signal_fault(struct pt_regs *regs, void __user *frame, char *where); + +-extern asmregparm long syscall_trace_enter(struct pt_regs *); +-extern asmregparm void syscall_trace_leave(struct pt_regs *); ++extern long syscall_trace_enter(struct pt_regs *); ++extern void syscall_trace_leave(struct pt_regs *); + + static inline unsigned long regs_return_value(struct pt_regs *regs) + { +diff --git a/arch/x86/include/asm/signal.h b/arch/x86/include/asm/signal.h +index 6cbc795..598457c 100644 +--- a/arch/x86/include/asm/signal.h ++++ b/arch/x86/include/asm/signal.h +@@ -125,8 +125,6 @@ typedef unsigned long sigset_t; + extern void do_notify_resume(struct pt_regs *, void *, __u32); + # endif /* __KERNEL__ */ + +-#define __ARCH_HAS_SA_RESTORER +- + #ifdef __i386__ + # ifdef __KERNEL__ + struct old_sigaction { +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index d256bc3..8928d97 100644 +--- 
a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -4262,7 +4262,6 @@ static int bad_ioapic(unsigned long address) + void __init mp_register_ioapic(int id, u32 address, u32 gsi_base) + { + int idx = 0; +- int entries; + + if (bad_ioapic(address)) + return; +@@ -4281,14 +4280,10 @@ void __init mp_register_ioapic(int id, u32 address, u32 gsi_base) + * Build basic GSI lookup table to facilitate gsi->io_apic lookups + * and to prevent reprogramming of IOAPIC pins (PCI GSIs). + */ +- entries = io_apic_get_redir_entries(idx); + mp_gsi_routing[idx].gsi_base = gsi_base; +- mp_gsi_routing[idx].gsi_end = gsi_base + entries; ++ mp_gsi_routing[idx].gsi_end = gsi_base + ++ io_apic_get_redir_entries(idx); + +- /* +- * The number of IO-APIC IRQ registers (== #pins): +- */ +- nr_ioapic_registers[idx] = entries + 1; + printk(KERN_INFO "IOAPIC[%d]: apic_id %d, version %d, address 0x%x, " + "GSI %d-%d\n", idx, mp_ioapics[idx].apicid, + mp_ioapics[idx].apicver, mp_ioapics[idx].apicaddr, +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 28a7e4c8..0f16a2b 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -431,13 +431,6 @@ static inline void mce_get_rip(struct mce *m, struct pt_regs *regs) + if (regs && (m->mcgstatus & (MCG_STATUS_RIPV|MCG_STATUS_EIPV))) { + m->ip = regs->ip; + m->cs = regs->cs; +- /* +- * When in VM86 mode make the cs look like ring 3 +- * always. This is a lie, but it's better than passing +- * the additional vm86 bit around everywhere. 
+- */ +- if (v8086_mode(regs)) +- m->cs |= 3; + } else { + m->ip = 0; + m->cs = 0; +@@ -975,7 +968,6 @@ void do_machine_check(struct pt_regs *regs, long error_code) + */ + add_taint(TAINT_MACHINE_CHECK); + +- mce_get_rip(&m, regs); + severity = mce_severity(&m, tolerant, NULL); + + /* +@@ -1014,6 +1006,7 @@ void do_machine_check(struct pt_regs *regs, long error_code) + if (severity == MCE_AO_SEVERITY && mce_usable_address(&m)) + mce_ring_add(m.addr >> PAGE_SHIFT); + ++ mce_get_rip(&m, regs); + mce_log(&m); + + if (severity > worst) { +diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c +index a3e77af..cdcfb12 100644 +--- a/arch/x86/kernel/efi.c ++++ b/arch/x86/kernel/efi.c +@@ -459,6 +459,9 @@ void __init efi_init(void) + x86_platform.set_wallclock = efi_set_rtc_mmss; + #endif + ++ /* Setup for EFI runtime service */ ++ reboot_type = BOOT_EFI; ++ + #if EFI_DEBUG + print_efi_memmap(); + #endif +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 63a053b..5eaeb5e 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -176,9 +176,6 @@ static int msr_open(struct inode *inode, struct file *file) + struct cpuinfo_x86 *c = &cpu_data(cpu); + int ret = 0; + +- if (!capable(CAP_SYS_RAWIO)) +- return -EPERM; +- + lock_kernel(); + cpu = iminor(file->f_path.dentry->d_inode); + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index cdee77e..271fddf 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -925,12 +925,6 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) + /* ...but clean it before doing the actual write */ + vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + +- /* Check that address+len does not cross page boundary */ +- if ((vcpu->arch.time_offset + +- sizeof(struct pvclock_vcpu_time_info) - 1) +- & PAGE_MASK) +- break; +- + vcpu->arch.time_page = + gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); + +@@ -4719,9 +4713,6 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu, + int pending_vec, 
max_bits; + struct descriptor_table dt; + +- if (sregs->cr4 & X86_CR4_OSXSAVE) +- return -EINVAL; +- + vcpu_load(vcpu); + + dt.limit = sregs->idt.limit; +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index df87450..249ad57 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -376,12 +376,10 @@ static noinline int vmalloc_fault(unsigned long address) + if (pgd_none(*pgd_ref)) + return -1; + +- if (pgd_none(*pgd)) { ++ if (pgd_none(*pgd)) + set_pgd(pgd, *pgd_ref); +- arch_flush_lazy_mmu_mode(); +- } else { ++ else + BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); +- } + + /* + * Below here mismatches are bugs because these lower tables +diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c +index ccbc61b..7d095ad 100644 +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -839,9 +839,6 @@ int kern_addr_valid(unsigned long addr) + if (pud_none(*pud)) + return 0; + +- if (pud_large(*pud)) +- return pfn_valid(pud_pfn(*pud)); +- + pmd = pmd_offset(pud, addr); + if (pmd_none(*pmd)) + return 0; +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 126a093..d52f895 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -776,16 +776,7 @@ static void xen_write_cr4(unsigned long cr4) + + native_write_cr4(cr4); + } +-#ifdef CONFIG_X86_64 +-static inline unsigned long xen_read_cr8(void) +-{ +- return 0; +-} +-static inline void xen_write_cr8(unsigned long val) +-{ +- BUG_ON(val); +-} +-#endif ++ + static int xen_write_msr_safe(unsigned int msr, unsigned low, unsigned high) + { + int ret; +@@ -951,11 +942,6 @@ static const struct pv_cpu_ops xen_cpu_ops __initdata = { + .read_cr4_safe = native_read_cr4_safe, + .write_cr4 = xen_write_cr4, + +-#ifdef CONFIG_X86_64 +- .read_cr8 = xen_read_cr8, +- .write_cr8 = xen_write_cr8, +-#endif +- + .wbinvd = native_wbinvd, + + .read_msr = native_read_msr_safe, +@@ -966,8 +952,6 @@ static const struct pv_cpu_ops xen_cpu_ops __initdata = { + .read_tsc = 
native_read_tsc, + .read_pmc = native_read_pmc, + +- .read_tscp = native_read_tscp, +- + .iret = xen_iret, + .irq_enable_sysexit = xen_sysexit, + #ifdef CONFIG_X86_64 +diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S +index d05bd11..9a95a9c 100644 +--- a/arch/x86/xen/xen-asm_32.S ++++ b/arch/x86/xen/xen-asm_32.S +@@ -88,11 +88,11 @@ ENTRY(xen_iret) + */ + #ifdef CONFIG_SMP + GET_THREAD_INFO(%eax) +- movl %ss:TI_cpu(%eax), %eax +- movl %ss:__per_cpu_offset(,%eax,4), %eax +- mov %ss:per_cpu__xen_vcpu(%eax), %eax ++ movl TI_cpu(%eax), %eax ++ movl __per_cpu_offset(,%eax,4), %eax ++ mov per_cpu__xen_vcpu(%eax), %eax + #else +- movl %ss:per_cpu__xen_vcpu, %eax ++ movl per_cpu__xen_vcpu, %eax + #endif + + /* check IF state we're restoring */ +@@ -105,11 +105,11 @@ ENTRY(xen_iret) + * resuming the code, so we don't have to be worried about + * being preempted to another CPU. + */ +- setz %ss:XEN_vcpu_info_mask(%eax) ++ setz XEN_vcpu_info_mask(%eax) + xen_iret_start_crit: + + /* check for unmasked and pending */ +- cmpw $0x0001, %ss:XEN_vcpu_info_pending(%eax) ++ cmpw $0x0001, XEN_vcpu_info_pending(%eax) + + /* + * If there's something pending, mask events again so we can +@@ -117,7 +117,7 @@ xen_iret_start_crit: + * touch XEN_vcpu_info_mask. 
+ */ + jne 1f +- movb $1, %ss:XEN_vcpu_info_mask(%eax) ++ movb $1, XEN_vcpu_info_mask(%eax) + + 1: popl %eax + +diff --git a/arch/xtensa/include/asm/signal.h b/arch/xtensa/include/asm/signal.h +index 75edf8a..633ba73 100644 +--- a/arch/xtensa/include/asm/signal.h ++++ b/arch/xtensa/include/asm/signal.h +@@ -133,7 +133,6 @@ struct sigaction { + void (*sa_restorer)(void); + sigset_t sa_mask; /* mask last for extensibility */ + }; +-#define __ARCH_HAS_SA_RESTORER + + struct k_sigaction { + struct sigaction sa; +diff --git a/block/blk-core.c b/block/blk-core.c +index 4058f46..cffd737 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -865,9 +865,6 @@ struct request *blk_get_request(struct request_queue *q, int rw, gfp_t gfp_mask) + { + struct request *rq; + +- if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) +- return NULL; +- + BUG_ON(rw != READ && rw != WRITE); + + spin_lock_irq(q->queue_lock); +@@ -1152,7 +1149,7 @@ void init_request_from_bio(struct request *req, struct bio *bio) + */ + static inline bool queue_should_plug(struct request_queue *q) + { +- return !(blk_queue_nonrot(q) && blk_queue_tagged(q)); ++ return !(blk_queue_nonrot(q) && blk_queue_queuing(q)); + } + + static int __make_request(struct request_queue *q, struct bio *bio) +@@ -1864,8 +1861,15 @@ void blk_dequeue_request(struct request *rq) + * and to it is freed is accounted as io that is in progress at + * the driver side. + */ +- if (blk_account_rq(rq)) ++ if (blk_account_rq(rq)) { + q->in_flight[rq_is_sync(rq)]++; ++ /* ++ * Mark this device as supporting hardware queuing, if ++ * we have more IOs in flight than 4. 
++ */ ++ if (!blk_queue_queuing(q) && queue_in_flight(q) > 4) ++ set_bit(QUEUE_FLAG_CQ, &q->queue_flags); ++ } + } + + /** +diff --git a/block/blk-exec.c b/block/blk-exec.c +index 85bd7b4..49557e9 100644 +--- a/block/blk-exec.c ++++ b/block/blk-exec.c +@@ -50,13 +50,6 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk, + { + int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK; + +- if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) { +- rq->errors = -ENXIO; +- if (rq->end_io) +- rq->end_io(rq, rq->errors); +- return; +- } +- + rq->rq_disk = bd_disk; + rq->end_io = done; + WARN_ON(irqs_disabled()); +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index 123eb17..2be0a97 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -720,14 +720,11 @@ int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd) + break; + } + +- if (capable(CAP_SYS_RAWIO)) +- return 0; +- + /* In particular, rule out all resets and host-specific ioctls. */ + printk_ratelimited(KERN_WARNING + "%s: sending ioctl %x to a partition!\n", current->comm, cmd); + +- return -ENOTTY; ++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY; + } + EXPORT_SYMBOL(scsi_verify_blk_ioctl); + +diff --git a/crypto/cryptd.c b/crypto/cryptd.c +index 9e1bf69..3533582 100644 +--- a/crypto/cryptd.c ++++ b/crypto/cryptd.c +@@ -116,18 +116,13 @@ static void cryptd_queue_worker(struct work_struct *work) + struct crypto_async_request *req, *backlog; + + cpu_queue = container_of(work, struct cryptd_cpu_queue, work); +- /* +- * Only handle one request at a time to avoid hogging crypto workqueue. +- * preempt_disable/enable is used to prevent being preempted by +- * cryptd_enqueue_request(). local_bh_disable/enable is used to prevent +- * cryptd_enqueue_request() being accessed from software interrupts. +- */ +- local_bh_disable(); ++ /* Only handle one request at a time to avoid hogging crypto ++ * workqueue. 
preempt_disable/enable is used to prevent ++ * being preempted by cryptd_enqueue_request() */ + preempt_disable(); + backlog = crypto_get_backlog(&cpu_queue->queue); + req = crypto_dequeue_request(&cpu_queue->queue); + preempt_enable(); +- local_bh_enable(); + + if (!req) + return; +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 70e9ed1..a6ad608 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1071,9 +1071,6 @@ static int acpi_processor_setup_cpuidle(struct acpi_processor *pr) + return -EINVAL; + } + +- if (!dev) +- return -EINVAL; +- + dev->cpu = pr->id; + for (i = 0; i < CPUIDLE_STATE_MAX; i++) { + dev->states[i].name[0] = '\0'; +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 57e895a1..553edcc 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -338,8 +338,7 @@ ata_scsi_activity_show(struct device *dev, struct device_attribute *attr, + struct ata_port *ap = ata_shost_to_port(sdev->host); + struct ata_device *atadev = ata_scsi_find_dev(ap, sdev); + +- if (atadev && ap->ops->sw_activity_show && +- (ap->flags & ATA_FLAG_SW_ACTIVITY)) ++ if (ap->ops->sw_activity_show && (ap->flags & ATA_FLAG_SW_ACTIVITY)) + return ap->ops->sw_activity_show(atadev, buf); + return -EINVAL; + } +@@ -354,8 +353,7 @@ ata_scsi_activity_store(struct device *dev, struct device_attribute *attr, + enum sw_activity val; + int rc; + +- if (atadev && ap->ops->sw_activity_store && +- (ap->flags & ATA_FLAG_SW_ACTIVITY)) { ++ if (ap->ops->sw_activity_store && (ap->flags & ATA_FLAG_SW_ACTIVITY)) { + val = simple_strtoul(buf, NULL, 0); + switch (val) { + case OFF: case BLINK_ON: case BLINK_OFF: +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index 6f1ba10..63c143e 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -289,7 +289,7 @@ int bus_for_each_dev(struct bus_type *bus, struct device *start, + struct device *dev; + int error = 0; + +- if (!bus || !bus->p) ++ 
if (!bus) + return -EINVAL; + + klist_iter_init_node(&bus->p->klist_devices, &i, +@@ -323,7 +323,7 @@ struct device *bus_find_device(struct bus_type *bus, + struct klist_iter i; + struct device *dev; + +- if (!bus || !bus->p) ++ if (!bus) + return NULL; + + klist_iter_init_node(&bus->p->klist_devices, &i, +diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c +index a65a574..7b98c06 100644 +--- a/drivers/char/ipmi/ipmi_bt_sm.c ++++ b/drivers/char/ipmi/ipmi_bt_sm.c +@@ -95,9 +95,9 @@ struct si_sm_data { + enum bt_states state; + unsigned char seq; /* BT sequence number */ + struct si_sm_io *io; +- unsigned char write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ ++ unsigned char write_data[IPMI_MAX_MSG_LENGTH]; + int write_count; +- unsigned char read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ ++ unsigned char read_data[IPMI_MAX_MSG_LENGTH]; + int read_count; + int truncated; + long timeout; /* microseconds countdown */ +diff --git a/drivers/firmware/pcdp.c b/drivers/firmware/pcdp.c +index 51e0e2d..a330492 100644 +--- a/drivers/firmware/pcdp.c ++++ b/drivers/firmware/pcdp.c +@@ -95,7 +95,7 @@ efi_setup_pcdp_console(char *cmdline) + if (efi.hcdp == EFI_INVALID_TABLE_ADDR) + return -ENODEV; + +- pcdp = ioremap(efi.hcdp, 4096); ++ pcdp = early_ioremap(efi.hcdp, 4096); + printk(KERN_INFO "PCDP: v%d at 0x%lx\n", pcdp->rev, efi.hcdp); + + if (strstr(cmdline, "console=hcdp")) { +@@ -131,6 +131,6 @@ efi_setup_pcdp_console(char *cmdline) + } + + out: +- iounmap(pcdp); ++ early_iounmap(pcdp, 4096); + return rc; + } +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index f6a23ec..b4b2257 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -157,7 +157,7 @@ static int ipoib_stop(struct net_device *dev) + + netif_stop_queue(dev); + +- ipoib_ib_dev_down(dev, 1); ++ ipoib_ib_dev_down(dev, 0); + ipoib_ib_dev_stop(dev, 0); + + if 
(!test_bit(IPOIB_FLAG_SUBINTERFACE, &priv->flags)) { +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +index bd656a7..8763c1e 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -188,9 +188,7 @@ static int ipoib_mcast_join_finish(struct ipoib_mcast *mcast, + + mcast->mcmember = *mcmember; + +- /* Set the multicast MTU and cached Q_Key before we attach if it's +- * the broadcast group. +- */ ++ /* Set the cached Q_Key before we attach if it's the broadcast group */ + if (!memcmp(mcast->mcmember.mgid.raw, priv->dev->broadcast + 4, + sizeof (union ib_gid))) { + spin_lock_irq(&priv->lock); +@@ -198,17 +196,10 @@ static int ipoib_mcast_join_finish(struct ipoib_mcast *mcast, + spin_unlock_irq(&priv->lock); + return -EAGAIN; + } +- priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu)); + priv->qkey = be32_to_cpu(priv->broadcast->mcmember.qkey); + spin_unlock_irq(&priv->lock); + priv->tx_wr.wr.ud.remote_qkey = priv->qkey; + set_qkey = 1; +- +- if (!ipoib_cm_admin_enabled(dev)) { +- rtnl_lock(); +- dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu)); +- rtnl_unlock(); +- } + } + + if (!test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags)) { +@@ -597,6 +588,14 @@ void ipoib_mcast_join_task(struct work_struct *work) + return; + } + ++ priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu)); ++ ++ if (!ipoib_cm_admin_enabled(dev)) { ++ rtnl_lock(); ++ dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu)); ++ rtnl_unlock(); ++ } ++ + ipoib_dbg_mcast(priv, "successfully joined all multicast groups\n"); + + clear_bit(IPOIB_MCAST_RUN, &priv->flags); +diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c +index 22446f7..a335c85 100644 +--- a/drivers/isdn/isdnloop/isdnloop.c ++++ b/drivers/isdn/isdnloop/isdnloop.c +@@ -15,6 +15,7 @@ + #include <linux/sched.h> + #include 
"isdnloop.h" + ++static char *revision = "$Revision: 1.11.6.7 $"; + static char *isdnloop_id = "loop0"; + + MODULE_DESCRIPTION("ISDN4Linux: Pseudo Driver that simulates an ISDN card"); +@@ -1492,6 +1493,17 @@ isdnloop_addcard(char *id1) + static int __init + isdnloop_init(void) + { ++ char *p; ++ char rev[10]; ++ ++ if ((p = strchr(revision, ':'))) { ++ strcpy(rev, p + 1); ++ p = strchr(rev, '$'); ++ *p = 0; ++ } else ++ strcpy(rev, " ??? "); ++ printk(KERN_NOTICE "isdnloop-ISDN-driver Rev%s\n", rev); ++ + if (isdnloop_id) + return (isdnloop_addcard(isdnloop_id)); + +diff --git a/drivers/net/bonding/bonding.h b/drivers/net/bonding/bonding.h +index 5d127fc..6824771 100644 +--- a/drivers/net/bonding/bonding.h ++++ b/drivers/net/bonding/bonding.h +@@ -236,11 +236,11 @@ static inline struct slave *bond_get_slave_by_dev(struct bonding *bond, struct n + + bond_for_each_slave(bond, slave, i) { + if (slave->dev == slave_dev) { +- return slave; ++ break; + } + } + +- return 0; ++ return slave; + } + + static inline struct bonding *bond_get_bond_by_slave(struct slave *slave) +diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c +index 7ddbb8e..3ebe50c 100644 +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -176,7 +176,6 @@ static struct pci_device_id rtl8169_pci_tbl[] = { + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8168), 0, 0, RTL_CFG_1 }, + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8169), 0, 0, RTL_CFG_0 }, + { PCI_DEVICE(PCI_VENDOR_ID_DLINK, 0x4300), 0, 0, RTL_CFG_0 }, +- { PCI_DEVICE(PCI_VENDOR_ID_DLINK, 0x4302), 0, 0, RTL_CFG_0 }, + { PCI_DEVICE(PCI_VENDOR_ID_AT, 0xc107), 0, 0, RTL_CFG_0 }, + { PCI_DEVICE(0x16ec, 0x0116), 0, 0, RTL_CFG_0 }, + { PCI_VENDOR_ID_LINKSYS, 0x1032, +@@ -1307,7 +1306,7 @@ static void rtl8169_get_mac_version(struct rtl8169_private *tp, + { 0x7c800000, 0x28000000, RTL_GIGA_MAC_VER_26 }, + + /* 8168C family. 
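Review bot: In `isdnloop_init` as this hunk writes it, `strcpy(rev, p + 1)` copies the tail of `revision` into `char rev[10]`, but the text after the colon in `"$Revision: 1.11.6.7 $"` is 11 characters plus the terminator, so the copy writes past the end of the stack buffer. The following `p = strchr(rev, '$'); *p = 0;` also dereferences the result without a NULL test. If this banner is meant to stay, give the buffer room for the whole string and bound the copy, e.g. `char rev[32];` with `snprintf(rev, sizeof rev, "%s", p + 1);`, and guard the second `strchr` with `if (p) *p = 0;`. If the embedded patch is simply reversed, the forward direction presumably removes this code and the point goes away with it.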
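Review bot: `bond_get_slave_by_dev` on the new side replaces `return slave;` with `break;` and ends with `return slave;`, so when no entry matches it returns whatever `slave` holds after `bond_for_each_slave` finishes instead of a null pointer. The macro is not visible here, but unless it leaves `slave` NULL on exhaustion, callers that test the result for NULL would accept a slave that does not belong to `slave_dev`. Keeping the early `return slave;` inside the loop and `return NULL;` after it avoids that. The function's opening lines are outside the hunk.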
*/ +- { 0x7cf00000, 0x3cb00000, RTL_GIGA_MAC_VER_24 }, ++ { 0x7cf00000, 0x3ca00000, RTL_GIGA_MAC_VER_24 }, + { 0x7cf00000, 0x3c900000, RTL_GIGA_MAC_VER_23 }, + { 0x7cf00000, 0x3c800000, RTL_GIGA_MAC_VER_18 }, + { 0x7c800000, 0x3c800000, RTL_GIGA_MAC_VER_24 }, +@@ -3077,7 +3076,7 @@ rtl8169_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_out_mwi_3; + } + +- tp->cp_cmd = RxChkSum; ++ tp->cp_cmd = PCIMulRW | RxChkSum; + + if ((sizeof(dma_addr_t) > 4) && + !pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) && use_dac) { +@@ -3825,7 +3824,8 @@ static void rtl_hw_start_8168(struct net_device *dev) + Cxpl_dbg_sel | \ + ASF | \ + PktCntrDisable | \ +- Mac_dbgo_sel) ++ PCIDAC | \ ++ PCIMulRW) + + static void rtl_hw_start_8102e_1(void __iomem *ioaddr, struct pci_dev *pdev) + { +@@ -3855,6 +3855,8 @@ static void rtl_hw_start_8102e_1(void __iomem *ioaddr, struct pci_dev *pdev) + if ((cfg1 & LEDS0) && (cfg1 & LEDS1)) + RTL_W8(Config1, cfg1 & ~LEDS0); + ++ RTL_W16(CPlusCmd, RTL_R16(CPlusCmd) & ~R810X_CPCMD_QUIRK_MASK); ++ + rtl_ephy_init(ioaddr, e_info_8102e_1, ARRAY_SIZE(e_info_8102e_1)); + } + +@@ -3866,6 +3868,8 @@ static void rtl_hw_start_8102e_2(void __iomem *ioaddr, struct pci_dev *pdev) + + RTL_W8(Config1, MEMMAP | IOMAP | VPD | PMEnable); + RTL_W8(Config3, RTL_R8(Config3) & ~Beacon_en); ++ ++ RTL_W16(CPlusCmd, RTL_R16(CPlusCmd) & ~R810X_CPCMD_QUIRK_MASK); + } + + static void rtl_hw_start_8102e_3(void __iomem *ioaddr, struct pci_dev *pdev) +@@ -3891,8 +3895,6 @@ static void rtl_hw_start_8101(struct net_device *dev) + } + } + +- RTL_W8(Cfg9346, Cfg9346_Unlock); +- + switch (tp->mac_version) { + case RTL_GIGA_MAC_VER_07: + rtl_hw_start_8102e_1(ioaddr, pdev); +@@ -3907,13 +3909,14 @@ static void rtl_hw_start_8101(struct net_device *dev) + break; + } + +- RTL_W8(Cfg9346, Cfg9346_Lock); ++ RTL_W8(Cfg9346, Cfg9346_Unlock); + + RTL_W8(EarlyTxThres, EarlyTxThld); + + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz); + +- tp->cp_cmd &= ~R810X_CPCMD_QUIRK_MASK; ++ 
tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW; ++ + RTL_W16(CPlusCmd, tp->cp_cmd); + + RTL_W16(IntrMitigate, 0x0000); +@@ -3923,10 +3926,14 @@ static void rtl_hw_start_8101(struct net_device *dev) + RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb); + rtl_set_rx_tx_config_registers(tp); + ++ RTL_W8(Cfg9346, Cfg9346_Lock); ++ + RTL_R8(IntrMask); + + rtl_set_rx_mode(dev); + ++ RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb); ++ + RTL_W16(MultiIntr, RTL_R16(MultiIntr) & 0xf000); + + RTL_W16(IntrMask, tp->intr_event); +@@ -4572,6 +4579,13 @@ static int rtl8169_rx_interrupt(struct net_device *dev, + dev->stats.rx_bytes += pkt_size; + dev->stats.rx_packets++; + } ++ ++ /* Work around for AMD plateform. */ ++ if ((desc->opts2 & cpu_to_le32(0xfffe000)) && ++ (tp->mac_version == RTL_GIGA_MAC_VER_05)) { ++ desc->opts2 = 0; ++ cur_rx++; ++ } + } + + count = cur_rx - tp->cur_rx; +diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c +index 89aa69c..fd6622c 100644 +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -4994,9 +4994,6 @@ static void tg3_poll_controller(struct net_device *dev) + int i; + struct tg3 *tp = netdev_priv(dev); + +- if (tg3_irq_sync(tp)) +- return; +- + for (i = 0; i < tp->irq_cnt; i++) + tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]); + } +@@ -13891,7 +13888,6 @@ static int __devinit tg3_init_one(struct pci_dev *pdev, + tp->pm_cap = pm_cap; + tp->rx_mode = TG3_DEF_RX_MODE; + tp->tx_mode = TG3_DEF_TX_MODE; +- tp->irq_sync = 1; + + if (tg3_debug > 0) + tp->msg_enable = tg3_debug; +diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c +index fc0fc85..c3968fad 100644 +--- a/drivers/net/wireless/b43legacy/main.c ++++ b/drivers/net/wireless/b43legacy/main.c +@@ -3870,8 +3870,6 @@ static void b43legacy_remove(struct ssb_device *dev) + cancel_work_sync(&wldev->restart_work); + + B43legacy_WARN_ON(!wl); +- if (!wldev->fw.ucode) +- return; /* NULL if fw never loaded */ + if (wl->current_dev == wldev) + ieee80211_unregister_hw(wl->hw); + +diff 
--git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c +index 1ab55d6..5c8d763 100644 +--- a/drivers/scsi/bnx2i/bnx2i_hwi.c ++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c +@@ -1156,9 +1156,6 @@ int bnx2i_send_fw_iscsi_init_msg(struct bnx2i_hba *hba) + int rc = 0; + u64 mask64; + +- memset(&iscsi_init, 0x00, sizeof(struct iscsi_kwqe_init1)); +- memset(&iscsi_init2, 0x00, sizeof(struct iscsi_kwqe_init2)); +- + bnx2i_adjust_qp_size(hba); + + iscsi_init.flags = +diff --git a/drivers/scsi/mpt2sas/mpt2sas_ctl.c b/drivers/scsi/mpt2sas/mpt2sas_ctl.c +index 48ae81b..7767b8f 100644 +--- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c +@@ -750,11 +750,8 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc, + (u32)mpt2sas_base_get_sense_buffer_dma(ioc, smid); + priv_sense = mpt2sas_base_get_sense_buffer(ioc, smid); + memset(priv_sense, 0, SCSI_SENSE_BUFFERSIZE); +- if (mpi_request->Function == MPI2_FUNCTION_SCSI_IO_REQUEST) +- mpt2sas_base_put_smid_scsi_io(ioc, smid, +- le16_to_cpu(mpi_request->FunctionDependent1)); +- else +- mpt2sas_base_put_smid_default(ioc, smid); ++ mpt2sas_base_put_smid_scsi_io(ioc, smid, ++ le16_to_cpu(mpi_request->FunctionDependent1)); + break; + } + case MPI2_FUNCTION_SCSI_TASK_MGMT: +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 933f1c5..e28f9b0 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -215,8 +215,6 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, + int ret = DRIVER_ERROR << 24; + + req = blk_get_request(sdev->request_queue, write, __GFP_WAIT); +- if (!req) +- return ret; + + if (bufflen && blk_rq_map_kern(sdev->request_queue, req, + buffer, bufflen, __GFP_WAIT)) +diff --git a/drivers/serial/8250.c b/drivers/serial/8250.c +index 12e1e9e..6a451e8 100644 +--- a/drivers/serial/8250.c ++++ b/drivers/serial/8250.c +@@ -81,7 +81,7 @@ static unsigned int skip_txen_test; /* force skip of txen test at init time */ + #define DEBUG_INTR(fmt...) 
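Review bot: bnx2i_send_fw_iscsi_init_msg() starts assigning members of `iscsi_init` (and later, presumably, `iscsi_init2`) without zeroing the structures first, so any member or padding the function does not set keeps whatever was in that memory. If these are stack locals (their declarations are above the hunk) and the structures are passed on to the firmware, as the function name suggests, uninitialised kernel stack leaves the function. Clear both before use, e.g. `memset(&iscsi_init, 0, sizeof(iscsi_init));` and the same for `iscsi_init2`. The function body continues past the hunk.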
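Review bot: scsi_execute() hands `req` to blk_rq_map_kern() without testing the result of blk_get_request(); if that call can return NULL in this tree, the following lines dereference a null pointer. `ret` is already initialised to `DRIVER_ERROR << 24`, so the guard is two lines: `if (!req) return ret;`. The function continues outside the hunk.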
do { } while (0) + #endif + +-#define PASS_LIMIT 512 ++#define PASS_LIMIT 256 + + #define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE) + +diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c +index 90810e8..908f25a 100644 +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -809,7 +809,7 @@ static int parse_insn(struct comedi_device *dev, struct comedi_insn *insn, + ret = -EAGAIN; + break; + } +- ret = s->async->inttrig(dev, s, data[0]); ++ ret = s->async->inttrig(dev, s, insn->data[0]); + if (ret >= 0) + ret = 1; + break; +@@ -1035,6 +1035,7 @@ static int do_cmd_ioctl(struct comedi_device *dev, void *arg, void *file) + goto cleanup; + } + ++ kfree(async->cmd.chanlist); + async->cmd = user_cmd; + async->cmd.data = NULL; + /* load channel/gain list */ +@@ -1498,7 +1499,7 @@ static unsigned int comedi_poll(struct file *file, poll_table * wait) + + mask = 0; + read_subdev = comedi_get_read_subdevice(dev_file_info); +- if (read_subdev && read_subdev->async) { ++ if (read_subdev) { + poll_wait(file, &read_subdev->async->wait_head, wait); + if (!read_subdev->busy + || comedi_buf_read_n_available(read_subdev->async) > 0 +@@ -1508,7 +1509,7 @@ static unsigned int comedi_poll(struct file *file, poll_table * wait) + } + } + write_subdev = comedi_get_write_subdevice(dev_file_info); +- if (write_subdev && write_subdev->async) { ++ if (write_subdev) { + poll_wait(file, &write_subdev->async->wait_head, wait); + comedi_buf_write_alloc(write_subdev->async, + write_subdev->async->prealloc_bufsz); +@@ -1550,7 +1551,7 @@ static ssize_t comedi_write(struct file *file, const char *buf, size_t nbytes, + } + + s = comedi_get_write_subdevice(dev_file_info); +- if (s == NULL || s->async == NULL) { ++ if (s == NULL) { + retval = -EIO; + goto done; + } +@@ -1658,7 +1659,7 @@ static ssize_t comedi_read(struct file *file, char *buf, size_t nbytes, + } + + s = comedi_get_read_subdevice(dev_file_info); +- if (s == NULL || 
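Review bot: In parse_insn() (comedi_fops.c) the inttrig call reads `insn->data[0]` instead of the `data` argument. In comedi the `data` member of the instruction normally still holds the pointer supplied by the ioctl caller, while the `data` parameter is the kernel-side copy; the struct is not visible in this hunk, so confirm against its definition. If that holds, this is a direct kernel dereference of a caller-controlled address and the call should be `s->async->inttrig(dev, s, data[0]);`. The s626.c hunk further down has the same pattern in s626_enc_insn_config(), `Preload(dev, k, *(insn->data));`, where `data[0]` is the safe operand.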
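Review bot: comedi_poll() dereferences `read_subdev->async` and `write_subdev->async` after checking only that the subdevice pointer is non-NULL, so a subdevice without an async structure ends in a null-pointer dereference at `poll_wait(file, &read_subdev->async->wait_head, wait)`. Unless comedi_get_read_subdevice() and comedi_get_write_subdevice() guarantee that `async` is set (not shown here), test both pointers: `if (read_subdev && read_subdev->async)` and likewise for `write_subdev`. The same applies to the `if (s == NULL)` checks in the comedi_write() and comedi_read() hunks of this file, which should read `if (s == NULL || s->async == NULL)`.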
s->async == NULL) { ++ if (s == NULL) { + retval = -EIO; + goto done; + } +@@ -1758,8 +1759,6 @@ void do_become_nonbusy(struct comedi_device *dev, struct comedi_subdevice *s) + if (async) { + comedi_reset_async_buf(async); + async->inttrig = NULL; +- kfree(async->cmd.chanlist); +- async->cmd.chanlist = NULL; + } else { + printk(KERN_ERR + "BUG: (?) do_become_nonbusy called with async=0\n"); +diff --git a/drivers/staging/comedi/drivers/comedi_test.c b/drivers/staging/comedi/drivers/comedi_test.c +index 7a1e2e8..ef83a1a 100644 +--- a/drivers/staging/comedi/drivers/comedi_test.c ++++ b/drivers/staging/comedi/drivers/comedi_test.c +@@ -450,7 +450,7 @@ static int waveform_ai_cancel(struct comedi_device *dev, + struct comedi_subdevice *s) + { + devpriv->timer_running = 0; +- del_timer_sync(&devpriv->timer); ++ del_timer(&devpriv->timer); + return 0; + } + +diff --git a/drivers/staging/comedi/drivers/das08.c b/drivers/staging/comedi/drivers/das08.c +index c05cb4b..f425833 100644 +--- a/drivers/staging/comedi/drivers/das08.c ++++ b/drivers/staging/comedi/drivers/das08.c +@@ -652,7 +652,7 @@ static int das08jr_ao_winsn(struct comedi_device *dev, + int chan; + + lsb = data[0] & 0xff; +- msb = (data[0] >> 8) & 0xff; ++ msb = (data[0] >> 8) & 0xf; + + chan = CR_CHAN(insn->chanspec); + +diff --git a/drivers/staging/comedi/drivers/jr3_pci.c b/drivers/staging/comedi/drivers/jr3_pci.c +index ae6f40c..1d6385a 100644 +--- a/drivers/staging/comedi/drivers/jr3_pci.c ++++ b/drivers/staging/comedi/drivers/jr3_pci.c +@@ -917,7 +917,7 @@ static int jr3_pci_attach(struct comedi_device *dev, + } + + /* Reset DSP card */ +- writel(0, &devpriv->iobase->channel[0].reset); ++ devpriv->iobase->channel[0].reset = 0; + + result = comedi_load_firmware(dev, "jr3pci.idm", jr3_download_firmware); + printk("Firmare load %d\n", result); +diff --git a/drivers/staging/comedi/drivers/ni_labpc.c b/drivers/staging/comedi/drivers/ni_labpc.c +index 76ca73a..4ac745a 100644 +--- 
a/drivers/staging/comedi/drivers/ni_labpc.c ++++ b/drivers/staging/comedi/drivers/ni_labpc.c +@@ -1178,9 +1178,7 @@ static int labpc_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s) + else + channel = CR_CHAN(cmd->chanlist[0]); + /* munge channel bits for differential / scan disabled mode */ +- if ((labpc_ai_scan_mode(cmd) == MODE_SINGLE_CHAN || +- labpc_ai_scan_mode(cmd) == MODE_SINGLE_CHAN_INTERVAL) && +- aref == AREF_DIFF) ++ if (labpc_ai_scan_mode(cmd) != MODE_SINGLE_CHAN && aref == AREF_DIFF) + channel *= 2; + devpriv->command1_bits |= ADC_CHAN_BITS(channel); + devpriv->command1_bits |= thisboard->ai_range_code[range]; +@@ -1195,6 +1193,21 @@ static int labpc_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s) + devpriv->write_byte(devpriv->command1_bits, + dev->iobase + COMMAND1_REG); + } ++ /* setup any external triggering/pacing (command4 register) */ ++ devpriv->command4_bits = 0; ++ if (cmd->convert_src != TRIG_EXT) ++ devpriv->command4_bits |= EXT_CONVERT_DISABLE_BIT; ++ /* XXX should discard first scan when using interval scanning ++ * since manual says it is not synced with scan clock */ ++ if (labpc_use_continuous_mode(cmd) == 0) { ++ devpriv->command4_bits |= INTERVAL_SCAN_EN_BIT; ++ if (cmd->scan_begin_src == TRIG_EXT) ++ devpriv->command4_bits |= EXT_SCAN_EN_BIT; ++ } ++ /* single-ended/differential */ ++ if (aref == AREF_DIFF) ++ devpriv->command4_bits |= ADC_DIFF_BIT; ++ devpriv->write_byte(devpriv->command4_bits, dev->iobase + COMMAND4_REG); + + devpriv->write_byte(cmd->chanlist_len, + dev->iobase + INTERVAL_COUNT_REG); +@@ -1272,22 +1285,6 @@ static int labpc_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s) + devpriv->command3_bits &= ~ADC_FNE_INTR_EN_BIT; + devpriv->write_byte(devpriv->command3_bits, dev->iobase + COMMAND3_REG); + +- /* setup any external triggering/pacing (command4 register) */ +- devpriv->command4_bits = 0; +- if (cmd->convert_src != TRIG_EXT) +- devpriv->command4_bits |= 
EXT_CONVERT_DISABLE_BIT; +- /* XXX should discard first scan when using interval scanning +- * since manual says it is not synced with scan clock */ +- if (labpc_use_continuous_mode(cmd) == 0) { +- devpriv->command4_bits |= INTERVAL_SCAN_EN_BIT; +- if (cmd->scan_begin_src == TRIG_EXT) +- devpriv->command4_bits |= EXT_SCAN_EN_BIT; +- } +- /* single-ended/differential */ +- if (aref == AREF_DIFF) +- devpriv->command4_bits |= ADC_DIFF_BIT; +- devpriv->write_byte(devpriv->command4_bits, dev->iobase + COMMAND4_REG); +- + /* startup aquisition */ + + /* command2 reg */ +diff --git a/drivers/staging/comedi/drivers/s626.c b/drivers/staging/comedi/drivers/s626.c +index 7a7c29f..80d2787 100644 +--- a/drivers/staging/comedi/drivers/s626.c ++++ b/drivers/staging/comedi/drivers/s626.c +@@ -2330,7 +2330,7 @@ static int s626_enc_insn_config(struct comedi_device *dev, + /* (data==NULL) ? (Preloadvalue=0) : (Preloadvalue=data[0]); */ + + k->SetMode(dev, k, Setup, TRUE); +- Preload(dev, k, data[0]); ++ Preload(dev, k, *(insn->data)); + k->PulseIndex(dev, k); + SetLatchSource(dev, k, valueSrclatch); + k->SetEnable(dev, k, (uint16_t) (enab != 0)); +diff --git a/drivers/staging/vt6656/rf.c b/drivers/staging/vt6656/rf.c +index 9d059de..405c4f7 100644 +--- a/drivers/staging/vt6656/rf.c ++++ b/drivers/staging/vt6656/rf.c +@@ -769,9 +769,6 @@ BYTE byPwr = pDevice->byCCKPwr; + return TRUE; + } + +- if (uCH == 0) +- return -EINVAL; +- + switch (uRATE) { + case RATE_1M: + case RATE_2M: +diff --git a/drivers/telephony/ixj.c b/drivers/telephony/ixj.c +index 56eb6cc..40de151 100644 +--- a/drivers/telephony/ixj.c ++++ b/drivers/telephony/ixj.c +@@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j) + + ixj_fsk_alloc(j); + +- strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1)); +- strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2)); +- 
strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3)); ++ strcpy(sdmf1, j->cid_send.month); ++ strcat(sdmf1, j->cid_send.day); ++ strcat(sdmf1, j->cid_send.hour); ++ strcat(sdmf1, j->cid_send.min); ++ strcpy(sdmf2, j->cid_send.number); ++ strcpy(sdmf3, j->cid_send.name); + + len1 = strlen(sdmf1); + len2 = strlen(sdmf2); +@@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j) + ixj_pre_cid(j); + } + j->flags.cidcw_ack = 0; +- strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1)); +- strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1)); +- strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2)); +- strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3)); ++ strcpy(sdmf1, j->cid_send.month); ++ strcat(sdmf1, j->cid_send.day); ++ strcat(sdmf1, j->cid_send.hour); ++ strcat(sdmf1, j->cid_send.min); ++ strcpy(sdmf2, j->cid_send.number); ++ strcpy(sdmf3, j->cid_send.name); + + len1 = strlen(sdmf1); + len2 = strlen(sdmf2); +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index 01ae519..37f2899 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -52,7 +52,6 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); + #define WDM_READ 4 + #define WDM_INT_STALL 5 + #define WDM_POLL_RUNNING 6 +-#define WDM_OVERFLOW 10 + + + #define WDM_MAX 16 +@@ -116,7 +115,6 @@ static void wdm_in_callback(struct urb *urb) + { + struct wdm_device *desc = urb->context; + int status = urb->status; +- int length = urb->actual_length; + + spin_lock(&desc->iuspin); + +@@ -146,17 +144,9 @@ static void wdm_in_callback(struct urb *urb) + } + + desc->rerr = status; +- if (length + desc->length > desc->wMaxCommand) { +- /* The buffer would overflow */ +- set_bit(WDM_OVERFLOW, &desc->flags); +- } else { +- /* we may already be in overflow */ +- if (!test_bit(WDM_OVERFLOW, &desc->flags)) { +- memmove(desc->ubuf + desc->length, desc->inbuf, length); +- desc->length += length; +- desc->reslength = 
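Review bot: ixj_write_cid() fills `sdmf1`, `sdmf2` and `sdmf3` with `strcpy`/`strcat` from the `j->cid_send` fields, so nothing bounds the writes except the source strings being terminated and short enough. The buffer declarations are above the hunk; if `cid_send` is populated from a caller-supplied structure, an unterminated or over-long field overruns these buffers. Use the size-bounded forms, `strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));` followed by `strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));` and so on for the remaining fields. ixj_write_cidcw() in the next hunk has the identical sequence and needs the same change.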
length; +- } +- } ++ desc->reslength = urb->actual_length; ++ memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); ++ desc->length += desc->reslength; + wake_up(&desc->wait); + + set_bit(WDM_READ, &desc->flags); +@@ -408,11 +398,6 @@ retry: + rv = -ENODEV; + goto err; + } +- if (test_bit(WDM_OVERFLOW, &desc->flags)) { +- clear_bit(WDM_OVERFLOW, &desc->flags); +- rv = -ENOBUFS; +- goto err; +- } + i++; + if (file->f_flags & O_NONBLOCK) { + if (!test_bit(WDM_READ, &desc->flags)) { +@@ -455,7 +440,6 @@ retry: + spin_unlock_irq(&desc->iuspin); + goto retry; + } +- + if (!desc->reslength) { /* zero length read */ + dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); + clear_bit(WDM_READ, &desc->flags); +@@ -860,7 +844,6 @@ static int wdm_post_reset(struct usb_interface *intf) + struct wdm_device *desc = usb_get_intfdata(intf); + int rv; + +- clear_bit(WDM_OVERFLOW, &desc->flags); + rv = recover_from_urb_loss(desc); + mutex_unlock(&desc->plock); + return 0; +diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c +index 8d17f780..7b2e99c 100644 +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -84,8 +84,7 @@ static const char hcd_name [] = "ehci_hcd"; + #define EHCI_IAA_MSECS 10 /* arbitrary */ + #define EHCI_IO_JIFFIES (HZ/10) /* io watchdog > irq_thresh */ + #define EHCI_ASYNC_JIFFIES (HZ/20) /* async idle timeout */ +-#define EHCI_SHRINK_JIFFIES (DIV_ROUND_UP(HZ, 200) + 1) +- /* 200-ms async qh unlink delay */ ++#define EHCI_SHRINK_FRAMES 5 /* async qh unlink delay */ + + /* Initial IRQ latency: faster than hw default */ + static int log2_irq_thresh = 0; // 0 to 6 +@@ -140,7 +139,10 @@ timer_action(struct ehci_hcd *ehci, enum ehci_timer_action action) + break; + /* case TIMER_ASYNC_SHRINK: */ + default: +- t = EHCI_SHRINK_JIFFIES; ++ /* add a jiffie since we synch against the ++ * 8 KHz uframe counter. 
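Review bot: wdm_in_callback() copies `urb->actual_length` bytes to `desc->ubuf + desc->length` with no comparison against the buffer capacity, so responses that accumulate before user space reads them can run past the end of `ubuf`; the length is supplied by the device. Guard the copy with `if (desc->length + desc->reslength <= desc->wMaxCommand)` around the `memmove` and the `desc->length` update, assuming `wMaxCommand` is the size `ubuf` was allocated with (the allocation is not in this diff). The skipped case should be recorded in `desc->flags` so the read path can return an error instead of silently dropping data. The callback begins and ends outside this hunk.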
++ */ ++ t = DIV_ROUND_UP(EHCI_SHRINK_FRAMES * HZ, 1000) + 1; + break; + } + mod_timer(&ehci->watchdog, t + jiffies); +diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c +index 3b8fa18..0ee5b4b 100644 +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -1204,8 +1204,6 @@ static void start_unlink_async (struct ehci_hcd *ehci, struct ehci_qh *qh) + + prev->hw->hw_next = qh->hw->hw_next; + prev->qh_next = qh->qh_next; +- if (ehci->qh_scan_next == qh) +- ehci->qh_scan_next = qh->qh_next.qh; + wmb (); + + /* If the controller isn't running, we don't have to wait for it */ +@@ -1231,49 +1229,53 @@ static void scan_async (struct ehci_hcd *ehci) + struct ehci_qh *qh; + enum ehci_timer_action action = TIMER_IO_WATCHDOG; + ++ ehci->stamp = ehci_readl(ehci, &ehci->regs->frame_index); + timer_action_done (ehci, TIMER_ASYNC_SHRINK); ++rescan: + stopped = !HC_IS_RUNNING(ehci_to_hcd(ehci)->state); ++ qh = ehci->async->qh_next.qh; ++ if (likely (qh != NULL)) { ++ do { ++ /* clean any finished work for this qh */ ++ if (!list_empty(&qh->qtd_list) && (stopped || ++ qh->stamp != ehci->stamp)) { ++ int temp; ++ ++ /* unlinks could happen here; completion ++ * reporting drops the lock. rescan using ++ * the latest schedule, but don't rescan ++ * qhs we already finished (no looping) ++ * unless the controller is stopped. ++ */ ++ qh = qh_get (qh); ++ qh->stamp = ehci->stamp; ++ temp = qh_completions (ehci, qh); ++ if (qh->needs_rescan) ++ unlink_async(ehci, qh); ++ qh_put (qh); ++ if (temp != 0) { ++ goto rescan; ++ } ++ } + +- ehci->qh_scan_next = ehci->async->qh_next.qh; +- while (ehci->qh_scan_next) { +- qh = ehci->qh_scan_next; +- ehci->qh_scan_next = qh->qh_next.qh; +- rescan: +- /* clean any finished work for this qh */ +- if (!list_empty(&qh->qtd_list)) { +- int temp; +- +- /* +- * Unlinks could happen here; completion reporting +- * drops the lock. 
That's why ehci->qh_scan_next +- * always holds the next qh to scan; if the next qh +- * gets unlinked then ehci->qh_scan_next is adjusted +- * in start_unlink_async(). ++ /* unlink idle entries, reducing DMA usage as well ++ * as HCD schedule-scanning costs. delay for any qh ++ * we just scanned, there's a not-unusual case that it ++ * doesn't stay idle for long. ++ * (plus, avoids some kind of re-activation race.) + */ +- qh = qh_get(qh); +- temp = qh_completions(ehci, qh); +- if (qh->needs_rescan) +- unlink_async(ehci, qh); +- qh->unlink_time = jiffies + EHCI_SHRINK_JIFFIES; +- qh_put(qh); +- if (temp != 0) +- goto rescan; +- } ++ if (list_empty(&qh->qtd_list) ++ && qh->qh_state == QH_STATE_LINKED) { ++ if (!ehci->reclaim && (stopped || ++ ((ehci->stamp - qh->stamp) & 0x1fff) ++ >= EHCI_SHRINK_FRAMES * 8)) ++ start_unlink_async(ehci, qh); ++ else ++ action = TIMER_ASYNC_SHRINK; ++ } + +- /* unlink idle entries, reducing DMA usage as well +- * as HCD schedule-scanning costs. delay for any qh +- * we just scanned, there's a not-unusual case that it +- * doesn't stay idle for long. +- * (plus, avoids some kind of re-activation race.) 
+- */ +- if (list_empty(&qh->qtd_list) +- && qh->qh_state == QH_STATE_LINKED) { +- if (!ehci->reclaim && (stopped || +- time_after_eq(jiffies, qh->unlink_time))) +- start_unlink_async(ehci, qh); +- else +- action = TIMER_ASYNC_SHRINK; +- } ++ qh = qh->qh_next.qh; ++ } while (qh); + } + if (action == TIMER_ASYNC_SHRINK) + timer_action (ehci, TIMER_ASYNC_SHRINK); +diff --git a/drivers/usb/host/ehci.h b/drivers/usb/host/ehci.h +index b2b3416..5b3ca74 100644 +--- a/drivers/usb/host/ehci.h ++++ b/drivers/usb/host/ehci.h +@@ -74,7 +74,6 @@ struct ehci_hcd { /* one per controller */ + /* async schedule support */ + struct ehci_qh *async; + struct ehci_qh *reclaim; +- struct ehci_qh *qh_scan_next; + unsigned scanning : 1; + + /* periodic schedule support */ +@@ -117,6 +116,7 @@ struct ehci_hcd { /* one per controller */ + struct timer_list iaa_watchdog; + struct timer_list watchdog; + unsigned long actions; ++ unsigned stamp; + unsigned random_frame; + unsigned long next_statechange; + ktime_t last_periodic_enable; +@@ -335,7 +335,6 @@ struct ehci_qh { + struct ehci_qh *reclaim; /* next to reclaim */ + + struct ehci_hcd *ehci; +- unsigned long unlink_time; + + /* + * Do NOT use atomic operations for QH refcounting. 
On some CPUs +diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c +index 01e7fae..981b604 100644 +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -418,12 +418,12 @@ static void __devinit quirk_usb_handoff_xhci(struct pci_dev *pdev) + void __iomem *op_reg_base; + u32 val; + int timeout; +- int len = pci_resource_len(pdev, 0); + + if (!mmio_resource_enabled(pdev, 0)) + return; + +- base = ioremap_nocache(pci_resource_start(pdev, 0), len); ++ base = ioremap_nocache(pci_resource_start(pdev, 0), ++ pci_resource_len(pdev, 0)); + if (base == NULL) + return; + +@@ -433,17 +433,9 @@ static void __devinit quirk_usb_handoff_xhci(struct pci_dev *pdev) + */ + ext_cap_offset = xhci_find_next_cap_offset(base, XHCI_HCC_PARAMS_OFFSET); + do { +- if ((ext_cap_offset + sizeof(val)) > len) { +- /* We're reading garbage from the controller */ +- dev_warn(&pdev->dev, +- "xHCI controller failing to respond"); +- return; +- } +- + if (!ext_cap_offset) + /* We've reached the end of the extended capabilities */ + goto hc_init; +- + val = readl(base + ext_cap_offset); + if (XHCI_EXT_CAPS_ID(val) == XHCI_EXT_CAPS_LEGACY) + break; +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index dd958e9..c374beb 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2364,9 +2364,6 @@ static void ftdi_set_termios(struct tty_struct *tty, + + cflag = termios->c_cflag; + +- if (!old_termios) +- goto no_skip; +- + if (old_termios->c_cflag == termios->c_cflag + && old_termios->c_ispeed == termios->c_ispeed + && old_termios->c_ospeed == termios->c_ospeed) +@@ -2380,7 +2377,6 @@ static void ftdi_set_termios(struct tty_struct *tty, + (termios->c_cflag & (CSIZE|PARODD|PARENB|CMSPAR|CSTOPB))) + goto no_data_parity_stop_changes; + +-no_skip: + /* Set number of data bits, parity, stop bits */ + + termios->c_cflag &= ~CMSPAR; +diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c 
+index 7c3ac7b..867d97b 100644 +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -974,7 +974,10 @@ static void garmin_close(struct usb_serial_port *port) + if (!serial) + return; + +- garmin_clear(garmin_data_p); ++ mutex_lock(&port->serial->disc_mutex); ++ ++ if (!port->serial->disconnected) ++ garmin_clear(garmin_data_p); + + /* shutdown our urbs */ + usb_kill_urb(port->read_urb); +@@ -983,6 +986,8 @@ static void garmin_close(struct usb_serial_port *port) + /* keep reset state so we know that we must start a new session */ + if (garmin_data_p->state != STATE_RESET) + garmin_data_p->state = STATE_DISCONNECTED; ++ ++ mutex_unlock(&port->serial->disc_mutex); + } + + +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c +index cf515f0..14d51e6 100644 +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -574,9 +574,6 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout, + wait_queue_t wait; + unsigned long flags; + +- if (!tty) +- return; +- + if (!timeout) + timeout = (HZ * EDGE_CLOSING_WAIT)/100; + +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index c802c77..61829b8 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -2569,6 +2569,7 @@ error: + kfree(mos7840_port->ctrl_buf); + usb_free_urb(mos7840_port->control_urb); + kfree(mos7840_port); ++ serial->port[i] = NULL; + } + return status; + } +@@ -2635,7 +2636,6 @@ static void mos7840_release(struct usb_serial *serial) + mos7840_port = mos7840_get_port_private(serial->port[i]); + dbg("mos7840_port %d = %p", i, mos7840_port); + if (mos7840_port) { +- usb_free_urb(mos7840_port->control_urb); + kfree(mos7840_port->ctrl_buf); + kfree(mos7840_port->dr); + kfree(mos7840_port); +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index 0cbf847..1b5c9f8 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -925,7 +925,6 @@ static 
void sierra_release(struct usb_serial *serial) + continue; + kfree(portdata); + } +- kfree(serial->private); + } + + #ifdef CONFIG_PM +diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c +index 1247be1..1093d2e 100644 +--- a/drivers/usb/serial/whiteheat.c ++++ b/drivers/usb/serial/whiteheat.c +@@ -576,7 +576,6 @@ no_firmware: + "%s: please contact support@connecttech.com\n", + serial->type->description); + kfree(result); +- kfree(command); + return -ENODEV; + + no_command_private: +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 74284bd..acc7e3b 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -918,8 +918,7 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb + tmp64 = (triplet_ret >> 2); + rn |= (tmp64 << i); + +- /* ensure we're called from kthread and not by netlink callback */ +- if (!dev->priv && kthread_should_stop()) { ++ if (kthread_should_stop()) { + dev_dbg(&dev->dev, "Abort w1_search\n"); + return; + } +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index c564293..a64fde6 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1699,19 +1699,30 @@ static int elf_note_info_init(struct elf_note_info *info) + return 0; + info->psinfo = kmalloc(sizeof(*info->psinfo), GFP_KERNEL); + if (!info->psinfo) +- return 0; ++ goto notes_free; + info->prstatus = kmalloc(sizeof(*info->prstatus), GFP_KERNEL); + if (!info->prstatus) +- return 0; ++ goto psinfo_free; + info->fpu = kmalloc(sizeof(*info->fpu), GFP_KERNEL); + if (!info->fpu) +- return 0; ++ goto prstatus_free; + #ifdef ELF_CORE_COPY_XFPREGS + info->xfpu = kmalloc(sizeof(*info->xfpu), GFP_KERNEL); + if (!info->xfpu) +- return 0; ++ goto fpu_free; + #endif + return 1; ++#ifdef ELF_CORE_COPY_XFPREGS ++ fpu_free: ++ kfree(info->fpu); ++#endif ++ prstatus_free: ++ kfree(info->prstatus); ++ psinfo_free: ++ kfree(info->psinfo); ++ notes_free: ++ kfree(info->notes); ++ return 0; + } + + static int fill_note_info(struct elfhdr *elf, int phdrs, 
+diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c +index 416dcae..32fb00b 100644 +--- a/fs/binfmt_em86.c ++++ b/fs/binfmt_em86.c +@@ -43,6 +43,7 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs) + return -ENOEXEC; + } + ++ bprm->recursion_depth++; /* Well, the bang-shell is implicit... */ + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index 258c5ca..42b60b0 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -116,6 +116,10 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) + if (!enabled) + goto _ret; + ++ retval = -ENOEXEC; ++ if (bprm->recursion_depth > BINPRM_MAX_RECURSION) ++ goto _ret; ++ + /* to keep locking time low, we copy the interpreter string */ + read_lock(&entries_lock); + fmt = check_file(bprm); +@@ -172,10 +176,7 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) + goto _error; + bprm->argc ++; + +- /* Update interp in case binfmt_script needs it. */ +- retval = bprm_change_interp(iname, bprm); +- if (retval < 0) +- goto _error; ++ bprm->interp = iname; /* for binfmt_script */ + + interp_file = open_exec (iname); + retval = PTR_ERR (interp_file); +@@ -196,6 +197,8 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) + if (retval < 0) + goto _error; + ++ bprm->recursion_depth++; ++ + retval = search_binary_handler (bprm, regs); + if (retval < 0) + goto _error; +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index 4fe6b8a..0834350 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -22,13 +22,15 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs) + char interp[BINPRM_BUF_SIZE]; + int retval; + +- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!')) ++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || ++ (bprm->recursion_depth > BINPRM_MAX_RECURSION)) + return -ENOEXEC; + /* + * This section does the #! interpretation. 
+ * Sorta complicated, but hopefully it will work. -TYT + */ + ++ bprm->recursion_depth++; + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; +@@ -80,9 +82,7 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs) + retval = copy_strings_kernel(1, &i_name, bprm); + if (retval) return retval; + bprm->argc++; +- retval = bprm_change_interp(interp, bprm); +- if (retval < 0) +- return retval; ++ bprm->interp = interp; + + /* + * OK, now restart the process with the interpreter's dentry. +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 6190a10..5d56a8d 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -557,12 +557,6 @@ int btrfs_close_devices(struct btrfs_fs_devices *fs_devices) + __btrfs_close_devices(fs_devices); + free_fs_devices(fs_devices); + } +- /* +- * Wait for rcu kworkers under __btrfs_close_devices +- * to finish all blkdev_puts so device is really +- * free when umount is done. +- */ +- rcu_barrier(); + return ret; + } + +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index b36a8aa..fea9e89 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -226,8 +226,6 @@ compose_mount_options_out: + compose_mount_options_err: + kfree(mountdata); + mountdata = ERR_PTR(rc); +- kfree(*devname); +- *devname = NULL; + goto compose_mount_options_out; + } + +diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c +index 98d3c58..d84e705 100644 +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -234,8 +234,6 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, unsigned + up = (struct compat_video_spu_palette __user *) arg; + err = get_user(palp, &up->palette); + err |= get_user(length, &up->length); +- if (err) +- return -EFAULT; + + up_native = compat_alloc_user_space(sizeof(struct video_spu_palette)); + err = put_user(compat_ptr(palp), &up_native->palette); +@@ -352,7 +350,6 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg) + if 
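Review bot: load_script() stores the address of its on-stack `char interp[BINPRM_BUF_SIZE]` array in `bprm->interp`, and `bprm` outlives this stack frame. If anything reads `bprm->interp` after load_script() has returned (for example on a retry in the caller, which is outside this hunk), it reads stale kernel stack. Give `bprm` its own copy instead, e.g. `bprm->interp = kstrdup(interp, GFP_KERNEL);` with an -ENOMEM check and a matching `kfree` when `bprm` is freed. The `bprm->interp = iname;` assignment in the load_misc_binary() hunk above deserves the same check, since the lifetime of `iname` is not shown there.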
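Review bot: do_video_set_spu_palette() does not act on a failed `get_user()`: the `err` accumulated by the two reads is overwritten by `err = put_user(compat_ptr(palp), &up_native->palette);`. When either read faults, `palp` and `length` are used without having been set (unless they are initialised at their declarations above the hunk) and the fault is never reported. Return before building the native structure, `if (err) return -EFAULT;`, directly after the second `get_user()`. The remainder of the function is outside the hunk.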
(copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32))) + return -EFAULT; + +- memset(&ifc, 0, sizeof(ifc)); + if (ifc32.ifcbuf == 0) { + ifc32.ifc_len = 0; + ifc.ifc_len = 0; +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 83fbd64..ff57421 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1183,30 +1183,10 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, struct epoll_even + * otherwise we might miss an event that happens between the + * f_op->poll() call and the new event set registering. + */ +- epi->event.events = event->events; /* need barrier below */ ++ epi->event.events = event->events; + epi->event.data = event->data; /* protected by mtx */ + + /* +- * The following barrier has two effects: +- * +- * 1) Flush epi changes above to other CPUs. This ensures +- * we do not miss events from ep_poll_callback if an +- * event occurs immediately after we call f_op->poll(). +- * We need this because we did not take ep->lock while +- * changing epi above (but ep_poll_callback does take +- * ep->lock). +- * +- * 2) We also need to ensure we do not miss _past_ events +- * when calling f_op->poll(). This barrier also +- * pairs with the barrier in wq_has_sleeper (see +- * comments for wq_has_sleeper). +- * +- * This barrier will now guarantee ep_poll_callback or f_op->poll +- * (or both) will notice the readiness of an item. +- */ +- smp_mb(); +- +- /* + * Get current event bits. We can safely use the file* here because + * its usage count has been increased by the caller of this function. + */ +diff --git a/fs/exec.c b/fs/exec.c +index feb2435..86fafc6 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1108,24 +1108,9 @@ void free_bprm(struct linux_binprm *bprm) + mutex_unlock(¤t->cred_guard_mutex); + abort_creds(bprm->cred); + } +- /* If a binfmt changed the interp, free it. 
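Review bot: dev_ifconf() in fs/compat_ioctl.c assigns members of `ifc` one at a time without clearing the structure first, so padding and any member not set on a given branch keep earlier stack contents. If `ifc` is later copied to user space (that part of the function is outside this hunk), this discloses kernel stack bytes. Clear it up front with `memset(&ifc, 0, sizeof(ifc));` right after the copy_from_user() check.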
*/ +- if (bprm->interp != bprm->filename) +- kfree(bprm->interp); + kfree(bprm); + } + +-int bprm_change_interp(char *interp, struct linux_binprm *bprm) +-{ +- /* If a binfmt changed the interp, free it first. */ +- if (bprm->interp != bprm->filename) +- kfree(bprm->interp); +- bprm->interp = kstrdup(interp, GFP_KERNEL); +- if (!bprm->interp) +- return -ENOMEM; +- return 0; +-} +-EXPORT_SYMBOL(bprm_change_interp); +- + /* + * install the new credentials for this executable + */ +@@ -1285,10 +1270,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + int try,retval; + struct linux_binfmt *fmt; + +- /* This allows 4 levels of binfmt rewrites before failing hard. */ +- if (depth > 5) +- return -ELOOP; +- + retval = security_bprm_check(bprm); + if (retval) + return retval; +@@ -1310,8 +1291,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + if (!try_module_get(fmt->module)) + continue; + read_unlock(&binfmt_lock); +- bprm->recursion_depth = depth + 1; + retval = fn(bprm, regs); ++ /* ++ * Restore the depth counter to its starting value ++ * in this call, so we don't have to rely on every ++ * load_binary function to restore it on return. 
++ */ + bprm->recursion_depth = depth; + if (retval >= 0) { + if (depth == 0) +diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c +index d29a06b..0df88b2 100644 +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -454,10 +454,8 @@ ext4_xattr_set_acl(struct inode *inode, int type, const void *value, + + retry: + handle = ext4_journal_start(inode, EXT4_DATA_TRANS_BLOCKS(inode->i_sb)); +- if (IS_ERR(handle)) { +- error = PTR_ERR(handle); +- goto release_and_out; +- } ++ if (IS_ERR(handle)) ++ return PTR_ERR(handle); + error = ext4_set_acl(handle, inode, type, acl); + ext4_journal_stop(handle); + if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries)) +diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h +index 24fa647..bdb6ce7 100644 +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -137,11 +137,8 @@ typedef int (*ext_prepare_callback)(struct inode *, struct ext4_ext_path *, + #define EXT_BREAK 1 + #define EXT_REPEAT 2 + +-/* +- * Maximum number of logical blocks in a file; ext4_extent's ee_block is +- * __le32. +- */ +-#define EXT_MAX_BLOCKS 0xffffffff ++/* Maximum logical block in a file; ext4_extent's ee_block is __le32 */ ++#define EXT_MAX_BLOCK 0xffffffff + + /* + * EXT_INIT_MAX_LEN is the maximum number of blocks we can have in an +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 3f022ea..b4402c8 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -62,7 +62,6 @@ ext4_fsblk_t ext_pblock(struct ext4_extent *ex) + * idx_pblock: + * combine low and high parts of a leaf physical block number into ext4_fsblk_t + */ +-#define EXT4_EXT_DATA_VALID 0x8 /* extent contains valid data */ + ext4_fsblk_t idx_pblock(struct ext4_extent_idx *ix) + { + ext4_fsblk_t block; +@@ -1332,7 +1331,7 @@ got_index: + + /* + * ext4_ext_next_allocated_block: +- * returns allocated block in subsequent extent or EXT_MAX_BLOCKS. ++ * returns allocated block in subsequent extent or EXT_MAX_BLOCK. 
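Review bot: The early `return PTR_ERR(handle);` in `ext4_xattr_set_acl` skips the `release_and_out` path that the previous code jumped to (fs/ext4/acl.c hunk). Judging by the label name, that path releases the `acl` passed to `ext4_set_acl` a few lines below, so a failing `ext4_journal_start` would presumably leak it; the allocation and the label are outside the hunk. I would keep `error = PTR_ERR(handle); goto release_and_out;` in the `IS_ERR(handle)` branch.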
+ * NOTE: it considers block number from index entry as + * allocated block. Thus, index entries have to be consistent + * with leaves. +@@ -1346,7 +1345,7 @@ ext4_ext_next_allocated_block(struct ext4_ext_path *path) + depth = path->p_depth; + + if (depth == 0 && path->p_ext == NULL) +- return EXT_MAX_BLOCKS; ++ return EXT_MAX_BLOCK; + + while (depth >= 0) { + if (depth == path->p_depth) { +@@ -1363,12 +1362,12 @@ ext4_ext_next_allocated_block(struct ext4_ext_path *path) + depth--; + } + +- return EXT_MAX_BLOCKS; ++ return EXT_MAX_BLOCK; + } + + /* + * ext4_ext_next_leaf_block: +- * returns first allocated block from next leaf or EXT_MAX_BLOCKS ++ * returns first allocated block from next leaf or EXT_MAX_BLOCK + */ + static ext4_lblk_t ext4_ext_next_leaf_block(struct inode *inode, + struct ext4_ext_path *path) +@@ -1380,7 +1379,7 @@ static ext4_lblk_t ext4_ext_next_leaf_block(struct inode *inode, + + /* zero-tree has no leaf blocks at all */ + if (depth == 0) +- return EXT_MAX_BLOCKS; ++ return EXT_MAX_BLOCK; + + /* go to index block */ + depth--; +@@ -1393,7 +1392,7 @@ static ext4_lblk_t ext4_ext_next_leaf_block(struct inode *inode, + depth--; + } + +- return EXT_MAX_BLOCKS; ++ return EXT_MAX_BLOCK; + } + + /* +@@ -1573,13 +1572,13 @@ unsigned int ext4_ext_check_overlap(struct inode *inode, + */ + if (b2 < b1) { + b2 = ext4_ext_next_allocated_block(path); +- if (b2 == EXT_MAX_BLOCKS) ++ if (b2 == EXT_MAX_BLOCK) + goto out; + } + + /* check for wrap through zero on extent logical start block*/ + if (b1 + len1 < b1) { +- len1 = EXT_MAX_BLOCKS - b1; ++ len1 = EXT_MAX_BLOCK - b1; + newext->ee_len = cpu_to_le16(len1); + ret = 1; + } +@@ -1655,7 +1654,7 @@ repeat: + fex = EXT_LAST_EXTENT(eh); + next = ext4_ext_next_leaf_block(inode, path); + if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block) +- && next != EXT_MAX_BLOCKS) { ++ && next != EXT_MAX_BLOCK) { + ext_debug("next leaf block - %d\n", next); + BUG_ON(npath != NULL); + npath = 
ext4_ext_find_extent(inode, next, NULL); +@@ -1773,7 +1772,7 @@ int ext4_ext_walk_space(struct inode *inode, ext4_lblk_t block, + BUG_ON(func == NULL); + BUG_ON(inode == NULL); + +- while (block < last && block != EXT_MAX_BLOCKS) { ++ while (block < last && block != EXT_MAX_BLOCK) { + num = last - block; + /* find extent for this block */ + down_read(&EXT4_I(inode)->i_data_sem); +@@ -1901,7 +1900,7 @@ ext4_ext_put_gap_in_cache(struct inode *inode, struct ext4_ext_path *path, + if (ex == NULL) { + /* there is no extent yet, so gap is [0;-] */ + lblock = 0; +- len = EXT_MAX_BLOCKS; ++ len = EXT_MAX_BLOCK; + ext_debug("cache gap(whole file):"); + } else if (block < le32_to_cpu(ex->ee_block)) { + lblock = block; +@@ -2146,8 +2145,8 @@ ext4_ext_rm_leaf(handle_t *handle, struct inode *inode, + path[depth].p_ext = ex; + + a = ex_ee_block > start ? ex_ee_block : start; +- b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCKS ? +- ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCKS; ++ b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCK ? ++ ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCK; + + ext_debug(" border %u:%u\n", a, b); + +@@ -2934,30 +2933,6 @@ static int ext4_split_unwritten_extents(handle_t *handle, + ext4_ext_mark_uninitialized(ex3); + err = ext4_ext_insert_extent(handle, inode, path, ex3, flags); + if (err == -ENOSPC && may_zeroout) { +- /* +- * This is different from the upstream, because we +- * need only a flag to say that the extent contains +- * the actual data. +- * +- * If the extent contains valid data, which can only +- * happen if AIO races with fallocate, then we got +- * here from ext4_convert_unwritten_extents_dio(). +- * So we have to be careful not to zeroout valid data +- * in the extent. +- * +- * To avoid it, we only zeroout the ex3 and extend the +- * extent which is going to become initialized to cover +- * ex3 as well. and continue as we would if only +- * split in two was required. 
+- */ +- if (flags & EXT4_EXT_DATA_VALID) { +- err = ext4_ext_zeroout(inode, ex3); +- if (err) +- goto fix_extent_len; +- max_blocks = allocated; +- ex2->ee_len = cpu_to_le16(max_blocks); +- goto skip; +- } + err = ext4_ext_zeroout(inode, &orig_ex); + if (err) + goto fix_extent_len; +@@ -3003,7 +2978,6 @@ static int ext4_split_unwritten_extents(handle_t *handle, + + allocated = max_blocks; + } +-skip: + /* + * If there was a change of depth as part of the + * insertion of ex3 above, we need to update the length +@@ -3056,16 +3030,11 @@ fix_extent_len: + ext4_ext_dirty(handle, inode, path + depth); + return err; + } +- + static int ext4_convert_unwritten_extents_dio(handle_t *handle, + struct inode *inode, +- ext4_lblk_t iblock, +- unsigned int max_blocks, + struct ext4_ext_path *path) + { + struct ext4_extent *ex; +- ext4_lblk_t ee_block; +- unsigned int ee_len; + struct ext4_extent_header *eh; + int depth; + int err = 0; +@@ -3074,30 +3043,6 @@ static int ext4_convert_unwritten_extents_dio(handle_t *handle, + depth = ext_depth(inode); + eh = path[depth].p_hdr; + ex = path[depth].p_ext; +- ee_block = le32_to_cpu(ex->ee_block); +- ee_len = ext4_ext_get_actual_len(ex); +- +- ext_debug("ext4_convert_unwritten_extents_endio: inode %lu, logical" +- "block %llu, max_blocks %u\n", inode->i_ino, +- (unsigned long long)ee_block, ee_len); +- +- /* If extent is larger than requested then split is required */ +- +- if (ee_block != iblock || ee_len > max_blocks) { +- err = ext4_split_unwritten_extents(handle, inode, path, +- iblock, max_blocks, +- EXT4_EXT_DATA_VALID); +- if (err < 0) +- goto out; +- ext4_ext_drop_refs(path); +- path = ext4_ext_find_extent(inode, iblock, path); +- if (IS_ERR(path)) { +- err = PTR_ERR(path); +- goto out; +- } +- depth = ext_depth(inode); +- ex = path[depth].p_ext; +- } + + err = ext4_ext_get_access(handle, inode, path + depth); + if (err) +@@ -3184,8 +3129,7 @@ ext4_ext_handle_uninitialized_extents(handle_t *handle, struct inode *inode, + /* 
async DIO end_io complete, convert the filled extent to written */ + if (flags == EXT4_GET_BLOCKS_DIO_CONVERT_EXT) { + ret = ext4_convert_unwritten_extents_dio(handle, inode, +- iblock, max_blocks, +- path); ++ path); + if (ret >= 0) + ext4_update_inode_fsync_trans(handle, inode, 1); + goto out2; +@@ -3554,12 +3498,6 @@ void ext4_ext_truncate(struct inode *inode) + int err = 0; + + /* +- * finish any pending end_io work so we won't run the risk of +- * converting any truncated blocks to initialized later +- */ +- flush_aio_dio_completed_IO(inode); +- +- /* + * probably first extent we're gonna free will be last in block + */ + err = ext4_writepage_trans_blocks(inode); +@@ -3692,9 +3630,6 @@ long ext4_fallocate(struct inode *inode, int mode, loff_t offset, loff_t len) + mutex_unlock(&inode->i_mutex); + return ret; + } +- +- /* Prevent race condition between unwritten */ +- flush_aio_dio_completed_IO(inode); + retry: + while (ret >= 0 && ret < max_blocks) { + block = block + ret; +@@ -3848,14 +3783,15 @@ static int ext4_ext_fiemap_cb(struct inode *inode, struct ext4_ext_path *path, + flags |= FIEMAP_EXTENT_UNWRITTEN; + + /* +- * If this extent reaches EXT_MAX_BLOCKS, it must be last. ++ * If this extent reaches EXT_MAX_BLOCK, it must be last. + * +- * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCKS, ++ * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCK, + * this also indicates no more allocated blocks. 
+ * ++ * XXX this might miss a single-block extent at EXT_MAX_BLOCK + */ +- if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCKS || +- newex->ec_block + newex->ec_len == EXT_MAX_BLOCKS) { ++ if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCK || ++ newex->ec_block + newex->ec_len - 1 == EXT_MAX_BLOCK) { + loff_t size = i_size_read(inode); + loff_t bs = EXT4_BLOCK_SIZE(inode->i_sb); + +@@ -3935,8 +3871,8 @@ int ext4_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + + start_blk = start >> inode->i_sb->s_blocksize_bits; + last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits; +- if (last_blk >= EXT_MAX_BLOCKS) +- last_blk = EXT_MAX_BLOCKS-1; ++ if (last_blk >= EXT_MAX_BLOCK) ++ last_blk = EXT_MAX_BLOCK-1; + len_blks = ((ext4_lblk_t) last_blk) - start_blk + 1; + + /* +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index babf448..efe6363 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5121,7 +5121,6 @@ static int ext4_do_update_inode(handle_t *handle, + struct ext4_inode_info *ei = EXT4_I(inode); + struct buffer_head *bh = iloc->bh; + int err = 0, rc, block; +- int need_datasync = 0; + + /* For fields not not tracking in the in-memory inode, + * initialise them to zero for new inodes. 
*/ +@@ -5170,10 +5169,7 @@ static int ext4_do_update_inode(handle_t *handle, + raw_inode->i_file_acl_high = + cpu_to_le16(ei->i_file_acl >> 32); + raw_inode->i_file_acl_lo = cpu_to_le32(ei->i_file_acl); +- if (ei->i_disksize != ext4_isize(raw_inode)) { +- ext4_isize_set(raw_inode, ei->i_disksize); +- need_datasync = 1; +- } ++ ext4_isize_set(raw_inode, ei->i_disksize); + if (ei->i_disksize > 0x7fffffffULL) { + struct super_block *sb = inode->i_sb; + if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +@@ -5226,7 +5222,7 @@ static int ext4_do_update_inode(handle_t *handle, + err = rc; + ext4_clear_inode_state(inode, EXT4_STATE_NEW); + +- ext4_update_inode_fsync_trans(handle, inode, need_datasync); ++ ext4_update_inode_fsync_trans(handle, inode, 0); + out_brelse: + brelse(bh); + ext4_std_error(inode->i_sb, err); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index cecf2a5..42bac1b 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2070,11 +2070,7 @@ repeat: + group = ac->ac_g_ex.fe_group; + + for (i = 0; i < ngroups; group++, i++) { +- /* +- * Artificially restricted ngroups for non-extent +- * files makes group > ngroups possible on first loop. 
+- */ +- if (group >= ngroups) ++ if (group == ngroups) + group = 0; + + /* This now checks without needing the buddy page */ +@@ -4167,7 +4163,7 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac) + /* The max size of hash table is PREALLOC_TB_SIZE */ + order = PREALLOC_TB_SIZE - 1; + /* Add the prealloc space to lg */ +- spin_lock(&lg->lg_prealloc_lock); ++ rcu_read_lock(); + list_for_each_entry_rcu(tmp_pa, &lg->lg_prealloc_list[order], + pa_inode_list) { + spin_lock(&tmp_pa->pa_lock); +@@ -4191,12 +4187,12 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac) + if (!added) + list_add_tail_rcu(&pa->pa_inode_list, + &lg->lg_prealloc_list[order]); +- spin_unlock(&lg->lg_prealloc_lock); ++ rcu_read_unlock(); + + /* Now trim the list to be not more than 8 elements */ + if (lg_prealloc_count > 8) { + ext4_mb_discard_lg_preallocations(sb, lg, +- order, lg_prealloc_count); ++ order, lg_prealloc_count); + return; + } + return ; +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c +index da25617..a73ed78 100644 +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -1001,12 +1001,12 @@ mext_check_arguments(struct inode *orig_inode, + return -EINVAL; + } + +- if ((orig_start >= EXT_MAX_BLOCKS) || +- (donor_start >= EXT_MAX_BLOCKS) || +- (*len > EXT_MAX_BLOCKS) || +- (orig_start + *len >= EXT_MAX_BLOCKS)) { ++ if ((orig_start > EXT_MAX_BLOCK) || ++ (donor_start > EXT_MAX_BLOCK) || ++ (*len > EXT_MAX_BLOCK) || ++ (orig_start + *len > EXT_MAX_BLOCK)) { + ext4_debug("ext4 move extent: Can't handle over [%u] blocks " +- "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCKS, ++ "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCK, + orig_inode->i_ino, donor_inode->i_ino); + return -EINVAL; + } +@@ -1208,12 +1208,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, + orig_inode->i_ino, donor_inode->i_ino); + return -EINVAL; + } +- /* TODO: This is non obvious task to swap blocks for inodes with full +- jornaling enabled */ +- if 
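Review bot: `list_add_tail_rcu` on `lg->lg_prealloc_list[order]` is now done under `rcu_read_lock()` only (fs/ext4/mballoc.c, `ext4_mb_add_n_trim`, hunks at 4167 and 4191). An RCU read-side section protects readers; it does not serialize writers, so two CPUs adding to the same list can corrupt it. The update needs `spin_lock(&lg->lg_prealloc_lock);` before the walk and `spin_unlock(&lg->lg_prealloc_lock);` after the add. Separately, the earlier hunk in this file wraps the group index only on `group == ngroups`; the removed comment says `group` can start above `ngroups`, in which case `>=` is needed.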
(ext4_should_journal_data(orig_inode) || +- ext4_should_journal_data(donor_inode)) { +- return -EINVAL; +- } ++ + /* Protect orig and donor inodes against a truncate */ + ret1 = mext_inode_double_lock(orig_inode, donor_inode); + if (ret1 < 0) +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 3a1af19..c3b6ad0 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1457,22 +1457,10 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry, + frame->at = entries; + frame->bh = bh; + bh = bh2; +- +- ext4_handle_dirty_metadata(handle, dir, frame->bh); +- ext4_handle_dirty_metadata(handle, dir, bh); +- + de = do_split(handle,dir, &bh, frame, &hinfo, &retval); +- if (!de) { +- /* +- * Even if the block split failed, we have to properly write +- * out all the changes we did so far. Otherwise we can end up +- * with corrupted filesystem. +- */ +- ext4_mark_inode_dirty(handle, dir); +- dx_release(frames); ++ dx_release (frames); ++ if (!(de)) + return retval; +- } +- dx_release(frames); + + retval = add_dirent_to_buf(handle, dentry, inode, de, bh); + brelse(bh); +@@ -1828,7 +1816,9 @@ retry: + err = PTR_ERR(inode); + if (!IS_ERR(inode)) { + init_special_inode(inode, inode->i_mode, rdev); ++#ifdef CONFIG_EXT4_FS_XATTR + inode->i_op = &ext4_special_inode_operations; ++#endif + err = ext4_add_nondir(handle, dentry, inode); + } + ext4_journal_stop(handle); +@@ -2001,7 +1991,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode) + struct ext4_iloc iloc; + int err = 0, rc; + +- if (!EXT4_SB(sb)->s_journal) ++ if (!ext4_handle_valid(handle)) + return 0; + + mutex_lock(&EXT4_SB(sb)->s_orphan_lock); +@@ -2082,8 +2072,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode) + struct ext4_iloc iloc; + int err = 0; + +- if ((!EXT4_SB(inode->i_sb)->s_journal) && +- !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) ++ /* ext4_handle_valid() assumes a valid handle_t pointer */ ++ if (handle && !ext4_handle_valid(handle)) + return 0; + + 
mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock); +@@ -2102,7 +2092,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode) + * transaction handle with which to update the orphan list on + * disk, but we still need to remove the inode from the linked + * list in memory. */ +- if (!handle) ++ if (sbi->s_journal && !handle) + goto out; + + err = ext4_reserve_inode_write(handle, inode, &iloc); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 108515f..f1e7077 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1937,9 +1937,7 @@ static void ext4_orphan_cleanup(struct super_block *sb, + __func__, inode->i_ino, inode->i_size); + jbd_debug(2, "truncating inode %lu to %lld bytes\n", + inode->i_ino, inode->i_size); +- mutex_lock(&inode->i_mutex); + ext4_truncate(inode); +- mutex_unlock(&inode->i_mutex); + nr_truncates++; + } else { + ext4_msg(sb, KERN_DEBUG, +@@ -1977,12 +1975,6 @@ static void ext4_orphan_cleanup(struct super_block *sb, + * in the vfs. ext4 inode has 48 bits of i_block in fsblock units, + * so that won't be a limiting factor. + * +- * However there is other limiting factor. We do store extents in the form +- * of starting block and length, hence the resulting length of the extent +- * covering maximum file size must fit into on-disk format containers as +- * well. Given that length is always by 1 unit bigger than max unit (because +- * we count 0 as well) we have to lower the s_maxbytes by one fs block. +- * + * Note, this does *not* consider any metadata overhead for vfs i_blocks. + */ + static loff_t ext4_max_size(int blkbits, int has_huge_files) +@@ -2004,13 +1996,10 @@ static loff_t ext4_max_size(int blkbits, int has_huge_files) + upper_limit <<= blkbits; + } + +- /* +- * 32-bit extent-start container, ee_block. 
We lower the maxbytes +- * by one fs block, so ee_len can cover the extent of maximum file +- * size +- */ +- res = (1LL << 32) - 1; ++ /* 32-bit extent-start container, ee_block */ ++ res = 1LL << 32; + res <<= blkbits; ++ res -= 1; + + /* Sanity check against vm- & vfs- imposed limits */ + if (res > upper_limit) +diff --git a/fs/fat/inode.c b/fs/fat/inode.c +index c187e92..76b7961 100644 +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -558,7 +558,7 @@ static int fat_statfs(struct dentry *dentry, struct kstatfs *buf) + buf->f_bavail = sbi->free_clusters; + buf->f_fsid.val[0] = (u32)id; + buf->f_fsid.val[1] = (u32)(id >> 32); +- buf->f_namelen = sbi->options.isvfat ? FAT_LFN_LEN : 12; ++ buf->f_namelen = sbi->options.isvfat ? 260 : 12; + + return 0; + } +diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c +index 4251f35..72646e2 100644 +--- a/fs/fat/namei_vfat.c ++++ b/fs/fat/namei_vfat.c +@@ -499,18 +499,17 @@ xlate_to_uni(const unsigned char *name, int len, unsigned char *outname, + int charlen; + + if (utf8) { +- *outlen = utf8s_to_utf16s(name, len, UTF16_HOST_ENDIAN, +- (wchar_t *) outname, FAT_LFN_LEN + 2); ++ *outlen = utf8s_to_utf16s(name, len, (wchar_t *)outname); + if (*outlen < 0) + return *outlen; +- else if (*outlen > FAT_LFN_LEN) ++ else if (*outlen > 255) + return -ENAMETOOLONG; + + op = &outname[*outlen * sizeof(wchar_t)]; + } else { + if (nls) { + for (i = 0, ip = name, op = outname, *outlen = 0; +- i < len && *outlen <= FAT_LFN_LEN; ++ i < len && *outlen <= 255; + *outlen += 1) + { + if (escape && (*ip == ':')) { +@@ -550,7 +549,7 @@ xlate_to_uni(const unsigned char *name, int len, unsigned char *outname, + return -ENAMETOOLONG; + } else { + for (i = 0, ip = name, op = outname, *outlen = 0; +- i < len && *outlen <= FAT_LFN_LEN; ++ i < len && *outlen <= 255; + i++, *outlen += 1) + { + *op++ = *ip++; +diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c +index 4fd7e1c..46435f3a 100644 +--- a/fs/fscache/stats.c ++++ b/fs/fscache/stats.c +@@ -276,5 
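Review bot: `utf8s_to_utf16s(name, len, (wchar_t *)outname)` in `xlate_to_uni` writes into `outname` with no output limit, and the `*outlen > 255` test runs only after the conversion has finished (fs/fat/namei_vfat.c, first hunk). A UTF-8 name that expands to more UTF-16 units than `outname` holds is written past the buffer before it is rejected; the buffer's size is not visible here. The same applies to the fs/nls/nls_base.c hunk further down, where the `maxlen` parameter and its checks are removed from the conversion loop. I would keep the bounded call, `utf8s_to_utf16s(name, len, UTF16_HOST_ENDIAN, (wchar_t *) outname, FAT_LFN_LEN + 2)`, and the `maxlen` tests in the converter.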
+276,5 @@ const struct file_operations fscache_stats_fops = { + .open = fscache_stats_open, + .read = seq_read, + .llseek = seq_lseek, +- .release = single_release, ++ .release = seq_release, + }; +diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c +index b3d234e..0022eec 100644 +--- a/fs/hfsplus/extents.c ++++ b/fs/hfsplus/extents.c +@@ -447,7 +447,7 @@ void hfsplus_file_truncate(struct inode *inode) + struct address_space *mapping = inode->i_mapping; + struct page *page; + void *fsdata; +- loff_t size = inode->i_size; ++ u32 size = inode->i_size; + int res; + + res = pagecache_write_begin(NULL, mapping, size, 0, +diff --git a/fs/isofs/export.c b/fs/isofs/export.c +index caec670..e81a305 100644 +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -131,7 +131,6 @@ isofs_export_encode_fh(struct dentry *dentry, + len = 3; + fh32[0] = ei->i_iget5_block; + fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ +- fh16[3] = 0; /* avoid leaking uninitialized data */ + fh32[2] = inode->i_generation; + if (connectable && !S_ISDIR(inode->i_mode)) { + struct inode *parent; +diff --git a/fs/jbd/commit.c b/fs/jbd/commit.c +index 1060d48..17d29a8 100644 +--- a/fs/jbd/commit.c ++++ b/fs/jbd/commit.c +@@ -85,12 +85,7 @@ nope: + static void release_data_buffer(struct buffer_head *bh) + { + if (buffer_freed(bh)) { +- WARN_ON_ONCE(buffer_dirty(bh)); + clear_buffer_freed(bh); +- clear_buffer_mapped(bh); +- clear_buffer_new(bh); +- clear_buffer_req(bh); +- bh->b_bdev = NULL; + release_buffer_page(bh); + } else + put_bh(bh); +@@ -869,35 +864,17 @@ restart_loop: + * there's no point in keeping a checkpoint record for + * it. */ + +- /* +- * A buffer which has been freed while still being journaled by +- * a previous transaction. +- */ ++ /* A buffer which has been freed while still being ++ * journaled by a previous transaction may end up still ++ * being dirty here, but we want to avoid writing back ++ * that buffer in the future now that the last use has ++ * been committed. 
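Review bot: `u32 size = inode->i_size;` in `hfsplus_file_truncate` narrows a 64-bit `loff_t` (fs/hfsplus/extents.c hunk). For a file of 4 GiB or more the value passed as the position to `pagecache_write_begin` wraps, so the call would work on the wrong offset. The declaration should stay `loff_t size = inode->i_size;`. The function continues outside the hunk.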
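Review bot: `fh16[3]` is never written in `isofs_export_encode_fh` once this line is dropped, yet the handle is reported as `len = 3` 32-bit words, which includes it (fs/isofs/export.c hunk). Unless the caller zeroes the buffer first, which is not visible here, that half-word reaches the handle's consumer with whatever was in memory. I would keep `fh16[3] = 0;` after the `fh16[2]` store. The fs/udf/namei.c hunk has the same gap for `fid->udf.parent_partref` in `udf_encode_fh`.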
That's not only a performance gain, ++ * it also stops aliasing problems if the buffer is left ++ * behind for writeback and gets reallocated for another ++ * use in a different page. */ + if (buffer_freed(bh)) { +- /* +- * If the running transaction is the one containing +- * "add to orphan" operation (b_next_transaction != +- * NULL), we have to wait for that transaction to +- * commit before we can really get rid of the buffer. +- * So just clear b_modified to not confuse transaction +- * credit accounting and refile the buffer to +- * BJ_Forget of the running transaction. If the just +- * committed transaction contains "add to orphan" +- * operation, we can completely invalidate the buffer +- * now. We are rather throughout in that since the +- * buffer may be still accessible when blocksize < +- * pagesize and it is attached to the last partial +- * page. +- */ +- jh->b_modified = 0; +- if (!jh->b_next_transaction) { +- clear_buffer_freed(bh); +- clear_buffer_jbddirty(bh); +- clear_buffer_mapped(bh); +- clear_buffer_new(bh); +- clear_buffer_req(bh); +- bh->b_bdev = NULL; +- } ++ clear_buffer_freed(bh); ++ clear_buffer_jbddirty(bh); + } + + if (buffer_jbddirty(bh)) { +diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c +index 1352e60..006f9ad 100644 +--- a/fs/jbd/transaction.c ++++ b/fs/jbd/transaction.c +@@ -1838,16 +1838,15 @@ static int __dispose_buffer(struct journal_head *jh, transaction_t *transaction) + * We're outside-transaction here. Either or both of j_running_transaction + * and j_committing_transaction may be NULL. 
+ */ +-static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, +- int partial_page) ++static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh) + { + transaction_t *transaction; + struct journal_head *jh; + int may_free = 1; ++ int ret; + + BUFFER_TRACE(bh, "entry"); + +-retry: + /* + * It is safe to proceed here without the j_list_lock because the + * buffers cannot be stolen by try_to_free_buffers as long as we are +@@ -1865,29 +1864,6 @@ retry: + if (!jh) + goto zap_buffer_no_jh; + +- /* +- * We cannot remove the buffer from checkpoint lists until the +- * transaction adding inode to orphan list (let's call it T) +- * is committed. Otherwise if the transaction changing the +- * buffer would be cleaned from the journal before T is +- * committed, a crash will cause that the correct contents of +- * the buffer will be lost. On the other hand we have to +- * clear the buffer dirty bit at latest at the moment when the +- * transaction marking the buffer as freed in the filesystem +- * structures is committed because from that moment on the +- * block can be reallocated and used by a different page. +- * Since the block hasn't been freed yet but the inode has +- * already been added to orphan list, it is safe for us to add +- * the buffer to BJ_Forget list of the newest transaction. +- * +- * Also we have to clear buffer_mapped flag of a truncated buffer +- * because the buffer_head may be attached to the page straddling +- * i_size (can happen only when blocksize < pagesize) and thus the +- * buffer_head can be reused when the file is extended again. So we end +- * up keeping around invalidated buffers attached to transactions' +- * BJ_Forget list just to stop checkpointing code from cleaning up +- * the transaction this buffer was modified in. +- */ + transaction = jh->b_transaction; + if (transaction == NULL) { + /* First case: not on any transaction. 
If it +@@ -1913,9 +1889,13 @@ retry: + * committed, the buffer won't be needed any + * longer. */ + JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget"); +- may_free = __dispose_buffer(jh, ++ ret = __dispose_buffer(jh, + journal->j_running_transaction); +- goto zap_buffer; ++ journal_put_journal_head(jh); ++ spin_unlock(&journal->j_list_lock); ++ jbd_unlock_bh_state(bh); ++ spin_unlock(&journal->j_state_lock); ++ return ret; + } else { + /* There is no currently-running transaction. So the + * orphan record which we wrote for this file must have +@@ -1923,9 +1903,13 @@ retry: + * the committing transaction, if it exists. */ + if (journal->j_committing_transaction) { + JBUFFER_TRACE(jh, "give to committing trans"); +- may_free = __dispose_buffer(jh, ++ ret = __dispose_buffer(jh, + journal->j_committing_transaction); +- goto zap_buffer; ++ journal_put_journal_head(jh); ++ spin_unlock(&journal->j_list_lock); ++ jbd_unlock_bh_state(bh); ++ spin_unlock(&journal->j_state_lock); ++ return ret; + } else { + /* The orphan record's transaction has + * committed. We can cleanse this buffer */ +@@ -1945,31 +1929,16 @@ retry: + goto zap_buffer; + } + /* +- * The buffer is committing, we simply cannot touch +- * it. If the page is straddling i_size we have to wait +- * for commit and try again. +- */ +- if (partial_page) { +- tid_t tid = journal->j_committing_transaction->t_tid; +- +- journal_put_journal_head(jh); +- spin_unlock(&journal->j_list_lock); +- jbd_unlock_bh_state(bh); +- spin_unlock(&journal->j_state_lock); +- unlock_buffer(bh); +- log_wait_commit(journal, tid); +- lock_buffer(bh); +- goto retry; +- } +- /* +- * OK, buffer won't be reachable after truncate. We just set +- * j_next_transaction to the running transaction (if there is +- * one) and mark buffer as freed so that commit code knows it +- * should clear dirty bits when it is done with the buffer. +- */ ++ * If it is committing, we simply cannot touch it. 
We ++ * can remove it's next_transaction pointer from the ++ * running transaction if that is set, but nothing ++ * else. */ + set_buffer_freed(bh); +- if (journal->j_running_transaction && buffer_jbddirty(bh)) +- jh->b_next_transaction = journal->j_running_transaction; ++ if (jh->b_next_transaction) { ++ J_ASSERT(jh->b_next_transaction == ++ journal->j_running_transaction); ++ jh->b_next_transaction = NULL; ++ } + journal_put_journal_head(jh); + spin_unlock(&journal->j_list_lock); + jbd_unlock_bh_state(bh); +@@ -1988,14 +1957,6 @@ retry: + } + + zap_buffer: +- /* +- * This is tricky. Although the buffer is truncated, it may be reused +- * if blocksize < pagesize and it is attached to the page straddling +- * EOF. Since the buffer might have been added to BJ_Forget list of the +- * running transaction, journal_get_write_access() won't clear +- * b_modified and credit accounting gets confused. So clear b_modified +- * here. */ +- jh->b_modified = 0; + journal_put_journal_head(jh); + zap_buffer_no_jh: + spin_unlock(&journal->j_list_lock); +@@ -2044,8 +2005,7 @@ void journal_invalidatepage(journal_t *journal, + if (offset <= curr_off) { + /* This block is wholly outside the truncation point */ + lock_buffer(bh); +- may_free &= journal_unmap_buffer(journal, bh, +- offset > 0); ++ may_free &= journal_unmap_buffer(journal, bh); + unlock_buffer(bh); + } + curr_off = next_off; +@@ -2160,7 +2120,7 @@ void journal_file_buffer(struct journal_head *jh, + */ + void __journal_refile_buffer(struct journal_head *jh) + { +- int was_dirty, jlist; ++ int was_dirty; + struct buffer_head *bh = jh2bh(jh); + + J_ASSERT_JH(jh, jbd_is_locked_bh_state(bh)); +@@ -2182,13 +2142,8 @@ void __journal_refile_buffer(struct journal_head *jh) + __journal_temp_unlink_buffer(jh); + jh->b_transaction = jh->b_next_transaction; + jh->b_next_transaction = NULL; +- if (buffer_freed(bh)) +- jlist = BJ_Forget; +- else if (jh->b_modified) +- jlist = BJ_Metadata; +- else +- jlist = BJ_Reserved; +- 
__journal_file_buffer(jh, jh->b_transaction, jlist); ++ __journal_file_buffer(jh, jh->b_transaction, ++ jh->b_modified ? BJ_Metadata : BJ_Reserved); + J_ASSERT_JH(jh, jh->b_transaction->t_state == T_RUNNING); + + if (was_dirty) +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index ab87b05..6d27757 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2610,16 +2610,11 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, + len = maxcount; + v = 0; + while (len > 0) { +- pn = resp->rqstp->rq_resused; +- if (!resp->rqstp->rq_respages[pn]) { /* ran out of pages */ +- maxcount -= len; +- break; +- } ++ pn = resp->rqstp->rq_resused++; + resp->rqstp->rq_vec[v].iov_base = + page_address(resp->rqstp->rq_respages[pn]); + resp->rqstp->rq_vec[v].iov_len = + len < PAGE_SIZE ? len : PAGE_SIZE; +- resp->rqstp->rq_resused++; + v++; + len -= PAGE_SIZE; + } +@@ -2667,8 +2662,6 @@ nfsd4_encode_readlink(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd + return nfserr; + if (resp->xbuf->page_len) + return nfserr_resource; +- if (!resp->rqstp->rq_respages[resp->rqstp->rq_resused]) +- return nfserr_resource; + + page = page_address(resp->rqstp->rq_respages[resp->rqstp->rq_resused++]); + +@@ -2718,8 +2711,6 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4 + return nfserr; + if (resp->xbuf->page_len) + return nfserr_resource; +- if (!resp->rqstp->rq_respages[resp->rqstp->rq_resused]) +- return nfserr_resource; + + RESERVE_SPACE(8); /* verifier */ + savep = p; +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index 0eb059e..44a88a9 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -114,57 +114,34 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen) + } + EXPORT_SYMBOL(utf32_to_utf8); + +-static inline void put_utf16(wchar_t *s, unsigned c, enum utf16_endian endian) +-{ +- switch (endian) { +- default: +- *s = (wchar_t) c; +- break; +- case UTF16_LITTLE_ENDIAN: +- *s = __cpu_to_le16(c); +- break; +- case 
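Review bot: The read loop in `nfsd4_encode_read` takes `rq_respages[pn]` and passes it to `page_address()` without checking that a page is there (fs/nfsd/nfs4xdr.c, first hunk). With `pn = resp->rqstp->rq_resused++` the index advances on every pass, so a read that needs more pages than are available walks past the populated part of the array. The loop should test `!resp->rqstp->rq_respages[pn]` before use, reduce `maxcount` by the remaining `len` and break. `nfsd4_encode_readlink` and `nfsd4_encode_readdir` in the next two hunks need `if (!resp->rqstp->rq_respages[resp->rqstp->rq_resused]) return nfserr_resource;` for the same reason.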
UTF16_BIG_ENDIAN: +- *s = __cpu_to_be16(c); +- break; +- } +-} +- +-int utf8s_to_utf16s(const u8 *s, int len, enum utf16_endian endian, +- wchar_t *pwcs, int maxlen) ++int utf8s_to_utf16s(const u8 *s, int len, wchar_t *pwcs) + { + u16 *op; + int size; + unicode_t u; + + op = pwcs; +- while (len > 0 && maxlen > 0 && *s) { ++ while (*s && len > 0) { + if (*s & 0x80) { + size = utf8_to_utf32(s, len, &u); + if (size < 0) + return -EINVAL; +- s += size; +- len -= size; + + if (u >= PLANE_SIZE) { +- if (maxlen < 2) +- break; + u -= PLANE_SIZE; +- put_utf16(op++, SURROGATE_PAIR | +- ((u >> 10) & SURROGATE_BITS), +- endian); +- put_utf16(op++, SURROGATE_PAIR | ++ *op++ = (wchar_t) (SURROGATE_PAIR | ++ ((u >> 10) & SURROGATE_BITS)); ++ *op++ = (wchar_t) (SURROGATE_PAIR | + SURROGATE_LOW | +- (u & SURROGATE_BITS), +- endian); +- maxlen -= 2; ++ (u & SURROGATE_BITS)); + } else { +- put_utf16(op++, u, endian); +- maxlen--; ++ *op++ = (wchar_t) u; + } ++ s += size; ++ len -= size; + } else { +- put_utf16(op++, *s++, endian); ++ *op++ = *s++; + len--; +- maxlen--; + } + } + return op - pwcs; +diff --git a/fs/splice.c b/fs/splice.c +index cdad986..bb92b7c5 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -30,7 +30,6 @@ + #include <linux/syscalls.h> + #include <linux/uio.h> + #include <linux/security.h> +-#include <linux/socket.h> + + /* + * Attempt to steal a page from a pipe buffer. This should perhaps go into +@@ -638,11 +637,7 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe, + + ret = buf->ops->confirm(pipe, buf); + if (!ret) { +- more = (sd->flags & SPLICE_F_MORE) ? 
MSG_MORE : 0; +- +- if (sd->len < sd->total_len && pipe->nrbufs > 1) +- more |= MSG_SENDPAGE_NOTLAST; +- ++ more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len; + if (file->f_op && file->f_op->sendpage) + ret = file->f_op->sendpage(file, buf->page, buf->offset, + sd->len, &pos, more); +diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c +index 5e7279a..e020183 100644 +--- a/fs/sysfs/dir.c ++++ b/fs/sysfs/dir.c +@@ -440,18 +440,20 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd) + /** + * sysfs_pathname - return full path to sysfs dirent + * @sd: sysfs_dirent whose path we want +- * @path: caller allocated buffer of size PATH_MAX ++ * @path: caller allocated buffer + * + * Gives the name "/" to the sysfs_root entry; any path returned + * is relative to wherever sysfs is mounted. ++ * ++ * XXX: does no error checking on @path size + */ + static char *sysfs_pathname(struct sysfs_dirent *sd, char *path) + { + if (sd->s_parent) { + sysfs_pathname(sd->s_parent, path); +- strlcat(path, "/", PATH_MAX); ++ strcat(path, "/"); + } +- strlcat(path, sd->s_name, PATH_MAX); ++ strcat(path, sd->s_name); + return path; + } + +@@ -484,11 +486,9 @@ int sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd) + char *path = kzalloc(PATH_MAX, GFP_KERNEL); + WARN(1, KERN_WARNING + "sysfs: cannot create duplicate filename '%s'\n", +- (path == NULL) ? sd->s_name +- : (sysfs_pathname(acxt->parent_sd, path), +- strlcat(path, "/", PATH_MAX), +- strlcat(path, sd->s_name, PATH_MAX), +- path)); ++ (path == NULL) ? 
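Review bot: `sysfs_pathname` in fs/sysfs/dir.c appends with `strcat(path, "/")` and `strcat(path, sd->s_name)` while it recurses through `s_parent`, and nothing limits the total written; the next hunk shows the only visible caller passing a `kzalloc(PATH_MAX, GFP_KERNEL)` buffer, so a sufficiently deep or long-named hierarchy writes past that allocation. The added `XXX: does no error checking on @path size` comment concedes this. I would keep the bounded form, `strlcat(path, "/", PATH_MAX);` and `strlcat(path, sd->s_name, PATH_MAX);`, and do the same for the nested `strcat(strcat(...))` in the `sysfs_add_one` hunk.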
sd->s_name : ++ strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"), ++ sd->s_name)); + kfree(path); + } + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 3c4ffb2..6d24c2c 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -648,8 +648,6 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block, + goal, err); + if (!newblocknum) { + brelse(prev_epos.bh); +- brelse(cur_epos.bh); +- brelse(next_epos.bh); + *err = -ENOSPC; + return NULL; + } +@@ -680,8 +678,6 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block, + udf_update_extents(inode, laarr, startnum, endnum, &prev_epos); + + brelse(prev_epos.bh); +- brelse(cur_epos.bh); +- brelse(next_epos.bh); + + newblock = udf_get_pblock(inode->i_sb, newblocknum, + iinfo->i_location.partitionReferenceNum, 0); +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index b754151..21dad8c 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1331,7 +1331,6 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp, + *lenp = 3; + fid->udf.block = location.logicalBlockNum; + fid->udf.partref = location.partitionReferenceNum; +- fid->udf.parent_partref = 0; + fid->udf.generation = inode->i_generation; + + if (connectable && !S_ISDIR(inode->i_mode)) { +diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h +index efa82c9..d113b72 100644 +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -78,7 +78,7 @@ struct udf_virtual_data { + struct udf_bitmap { + __u32 s_extLength; + __u32 s_extPosition; +- int s_nr_groups; ++ __u16 s_nr_groups; + struct buffer_head **s_block_bitmap; + }; + +diff --git a/include/asm-generic/signal.h b/include/asm-generic/signal.h +index 743f7a5..555c0ae 100644 +--- a/include/asm-generic/signal.h ++++ b/include/asm-generic/signal.h +@@ -99,10 +99,6 @@ typedef unsigned long old_sigset_t; + + #include <asm-generic/signal-defs.h> + +-#ifdef SA_RESTORER +-#define __ARCH_HAS_SA_RESTORER +-#endif +- + struct sigaction { + __sighandler_t sa_handler; + unsigned long 
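Review bot: A buffer_head reference may be leaked in both `inode_getblk` hunks of fs/udf/inode.c, because only `prev_epos.bh` is released before leaving, on the `-ENOSPC` return as well as on the normal path. `cur_epos` and `next_epos` are set up outside the hunks, so this is inferred, but if either still holds a reference at these points it is never dropped. Adding `brelse(cur_epos.bh);` and `brelse(next_epos.bh);` next to the existing `brelse(prev_epos.bh);` is harmless when the pointers are NULL and closes the leak when they are not.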
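Review bot: `fid->udf.parent_partref` is no longer written in `udf_encode_fh` (fs/udf/namei.c); the visible lines fill `block`, `partref` and `generation`, and the `if (connectable && !S_ISDIR(inode->i_mode))` branch is the only place left that might set the parent fields. Unless the caller clears `fh` first (not visible here), a non-connectable handle carries whatever was in that memory out to whoever consumes the file handle. I would keep `fid->udf.parent_partref = 0;` before the branch. The function starts and ends outside the hunk.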
sa_flags; +diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h +index 9ffffec..a3d802e 100644 +--- a/include/linux/binfmts.h ++++ b/include/linux/binfmts.h +@@ -71,6 +71,8 @@ extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, + #define BINPRM_FLAGS_EXECFD_BIT 1 + #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT) + ++#define BINPRM_MAX_RECURSION 4 ++ + /* + * This structure defines the functions that are used to load the binary formats that + * linux accepts. +@@ -120,7 +122,6 @@ extern int setup_arg_pages(struct linux_binprm * bprm, + unsigned long stack_top, + int executable_stack); + extern int bprm_mm_init(struct linux_binprm *bprm); +-extern int bprm_change_interp(char *interp, struct linux_binprm *bprm); + extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm); + extern int prepare_bprm_creds(struct linux_binprm *bprm); + extern void install_exec_creds(struct linux_binprm *bprm); +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index ec9c10b..5eb6cb0 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -456,7 +456,8 @@ struct request_queue + #define QUEUE_FLAG_NONROT 14 /* non-rotational device (SSD) */ + #define QUEUE_FLAG_VIRT QUEUE_FLAG_NONROT /* paravirt device */ + #define QUEUE_FLAG_IO_STAT 15 /* do IO stats */ +-#define QUEUE_FLAG_DISCARD 16 /* supports DISCARD */ ++#define QUEUE_FLAG_CQ 16 /* hardware does queuing */ ++#define QUEUE_FLAG_DISCARD 17 /* supports DISCARD */ + + #define QUEUE_FLAG_DEFAULT ((1 << QUEUE_FLAG_IO_STAT) | \ + (1 << QUEUE_FLAG_STACKABLE) | \ +@@ -579,6 +580,7 @@ enum { + + #define blk_queue_plugged(q) test_bit(QUEUE_FLAG_PLUGGED, &(q)->queue_flags) + #define blk_queue_tagged(q) test_bit(QUEUE_FLAG_QUEUED, &(q)->queue_flags) ++#define blk_queue_queuing(q) test_bit(QUEUE_FLAG_CQ, &(q)->queue_flags) + #define blk_queue_stopped(q) test_bit(QUEUE_FLAG_STOPPED, &(q)->queue_flags) + #define blk_queue_nomerges(q) 
test_bit(QUEUE_FLAG_NOMERGES, &(q)->queue_flags) + #define blk_queue_nonrot(q) test_bit(QUEUE_FLAG_NONROT, &(q)->queue_flags) +diff --git a/include/linux/kmod.h b/include/linux/kmod.h +index 93e732e..0546fe7 100644 +--- a/include/linux/kmod.h ++++ b/include/linux/kmod.h +@@ -64,8 +64,6 @@ enum umh_wait { + UMH_WAIT_PROC = 1, /* wait for the process to complete */ + }; + +-#define UMH_KILLABLE 4 /* wait for EXEC/PROC killable */ +- + /* Actually execute the sub-process */ + int call_usermodehelper_exec(struct subprocess_info *info, enum umh_wait wait); + +diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h +index e68b592..085c903 100644 +--- a/include/linux/mempolicy.h ++++ b/include/linux/mempolicy.h +@@ -180,7 +180,7 @@ struct sp_node { + + struct shared_policy { + struct rb_root root; +- struct mutex mutex; ++ spinlock_t lock; + }; + + void mpol_shared_policy_init(struct shared_policy *sp, struct mempolicy *mpol); +diff --git a/include/linux/msdos_fs.h b/include/linux/msdos_fs.h +index 34066e6..ce38f1c 100644 +--- a/include/linux/msdos_fs.h ++++ b/include/linux/msdos_fs.h +@@ -15,7 +15,6 @@ + #define MSDOS_DPB_BITS 4 /* log2(MSDOS_DPB) */ + #define MSDOS_DPS (SECTOR_SIZE / sizeof(struct msdos_dir_entry)) + #define MSDOS_DPS_BITS 4 /* log2(MSDOS_DPS) */ +-#define MSDOS_LONGNAME 256 /* maximum name length */ + #define CF_LE_W(v) le16_to_cpu(v) + #define CF_LE_L(v) le32_to_cpu(v) + #define CT_LE_W(v) cpu_to_le16(v) +@@ -48,8 +47,8 @@ + #define DELETED_FLAG 0xe5 /* marks file as deleted when in name[0] */ + #define IS_FREE(n) (!*(n) || *(n) == DELETED_FLAG) + +-#define FAT_LFN_LEN 255 /* maximum long name length */ + #define MSDOS_NAME 11 /* maximum name length */ ++#define MSDOS_LONGNAME 256 /* maximum name length */ + #define MSDOS_SLOTS 21 /* max # of slots for short and long names */ + #define MSDOS_DOT ". " /* ".", padded to MSDOS_NAME chars */ + #define MSDOS_DOTDOT ".. 
" /* "..", padded to MSDOS_NAME chars */ +diff --git a/include/linux/nls.h b/include/linux/nls.h +index 5dc635f..d47beef 100644 +--- a/include/linux/nls.h ++++ b/include/linux/nls.h +@@ -43,7 +43,7 @@ enum utf16_endian { + UTF16_BIG_ENDIAN + }; + +-/* nls_base.c */ ++/* nls.c */ + extern int register_nls(struct nls_table *); + extern int unregister_nls(struct nls_table *); + extern struct nls_table *load_nls(char *); +@@ -52,8 +52,7 @@ extern struct nls_table *load_nls_default(void); + + extern int utf8_to_utf32(const u8 *s, int len, unicode_t *pu); + extern int utf32_to_utf8(unicode_t u, u8 *s, int maxlen); +-extern int utf8s_to_utf16s(const u8 *s, int len, +- enum utf16_endian endian, wchar_t *pwcs, int maxlen); ++extern int utf8s_to_utf16s(const u8 *s, int len, wchar_t *pwcs); + extern int utf16s_to_utf8s(const wchar_t *pwcs, int len, + enum utf16_endian endian, u8 *s, int maxlen); + +diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h +index f451772..6b202b1 100644 +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -362,7 +362,7 @@ static inline int PageCompound(struct page *page) + * pages on the LRU and/or pagecache. 
+ */ + TESTPAGEFLAG(Compound, compound) +-__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound) ++__PAGEFLAG(Head, compound) + + /* + * PG_reclaim is used in combination with PG_compound to mark the +@@ -374,14 +374,8 @@ __SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound) + * PG_compound & PG_reclaim => Tail page + * PG_compound & ~PG_reclaim => Head page + */ +-#define PG_head_mask ((1L << PG_compound)) + #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim)) + +-static inline int PageHead(struct page *page) +-{ +- return ((page->flags & PG_head_tail_mask) == PG_head_mask); +-} +- + static inline int PageTail(struct page *page) + { + return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask); +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 73c3b9b..71849bf 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2459,16 +2459,7 @@ static inline void thread_group_cputime_free(struct signal_struct *sig) + extern void recalc_sigpending_and_wake(struct task_struct *t); + extern void recalc_sigpending(void); + +-extern void signal_wake_up_state(struct task_struct *t, unsigned int state); +- +-static inline void signal_wake_up(struct task_struct *t, bool resume) +-{ +- signal_wake_up_state(t, resume ? TASK_WAKEKILL : 0); +-} +-static inline void ptrace_signal_wake_up(struct task_struct *t, bool resume) +-{ +- signal_wake_up_state(t, resume ? __TASK_TRACED : 0); +-} ++extern void signal_wake_up(struct task_struct *t, int resume_stopped); + + /* + * Wrappers for p->thread_info->cpu access. No-op on UP. 
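Review bot: `PageHead()` no longer distinguishes head from tail pages once include/linux/page-flags.h generates it with `__PAGEFLAG(Head, compound)`, because the comment kept in the following hunk says tail pages carry `PG_compound` as well (`PG_compound & PG_reclaim => Tail page`). This assumes `__PAGEFLAG` expands to the usual single-bit test; its definition is outside the hunk. I would keep the explicit comparison, `return ((page->flags & PG_head_tail_mask) == PG_head_mask);`, together with the `PG_head_mask` define that the second hunk removes.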
+diff --git a/include/linux/socket.h b/include/linux/socket.h +index 3124c51..3273a0c 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -246,7 +246,7 @@ struct ucred { + #define MSG_ERRQUEUE 0x2000 /* Fetch message from error queue */ + #define MSG_NOSIGNAL 0x4000 /* Do not generate SIGPIPE */ + #define MSG_MORE 0x8000 /* Sender will send more */ +-#define MSG_SENDPAGE_NOTLAST 0x20000 /* sendpage() internal : not the last page */ ++ + #define MSG_EOF MSG_FIN + + #define MSG_CMSG_CLOEXEC 0x40000000 /* Set close_on_exit for file +diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h +index cf65e77..47004f3 100644 +--- a/include/net/inet_sock.h ++++ b/include/net/inet_sock.h +@@ -56,15 +56,7 @@ struct ip_options { + unsigned char __data[0]; + }; + +-struct ip_options_rcu { +- struct rcu_head rcu; +- struct ip_options opt; +-}; +- +-struct ip_options_data { +- struct ip_options_rcu opt; +- char data[40]; +-}; ++#define optlength(opt) (sizeof(struct ip_options) + opt->optlen) + + struct inet_request_sock { + struct request_sock req; +@@ -85,7 +77,7 @@ struct inet_request_sock { + acked : 1, + no_srccheck: 1; + kmemcheck_bitfield_end(flags); +- struct ip_options_rcu *opt; ++ struct ip_options *opt; + }; + + static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk) +@@ -130,7 +122,7 @@ struct inet_sock { + __be32 saddr; + __s16 uc_ttl; + __u16 cmsg_flags; +- struct ip_options_rcu *inet_opt; ++ struct ip_options *opt; + __be16 sport; + __u16 id; + __u8 tos; +diff --git a/include/net/ip.h b/include/net/ip.h +index a7d4675..69db943 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -54,7 +54,7 @@ struct ipcm_cookie + { + __be32 addr; + int oif; +- struct ip_options_rcu *opt; ++ struct ip_options *opt; + union skb_shared_tx shtx; + }; + +@@ -92,7 +92,7 @@ extern int igmp_mc_proc_init(void); + + extern int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, + __be32 saddr, __be32 daddr, +- struct 
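Review bot: The new macro in include/net/inet_sock.h, `#define optlength(opt) (sizeof(struct ip_options) + opt->optlen)`, uses its argument unparenthesised, so an argument such as `&x` or `a ? b : c` binds wrongly against `->`; write it as `(sizeof(struct ip_options) + (opt)->optlen)`. Separately, the later hunks in this file turn `inet_request_sock.opt` and the `inet_sock` options pointer into a bare `struct ip_options *` with no `rcu_head` wrapper. Whether replacement and readers are serialised some other way is not visible here, so a comment on each field naming the lock that protects it would make the lifetime rule checkable.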
ip_options_rcu *opt); ++ struct ip_options *opt); + extern int ip_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *pt, struct net_device *orig_dev); + extern int ip_local_deliver(struct sk_buff *skb); +@@ -362,15 +362,14 @@ extern int ip_forward(struct sk_buff *skb); + * Functions provided by ip_options.c + */ + +-extern void ip_options_build(struct sk_buff *skb, struct ip_options *opt, +- __be32 daddr, struct rtable *rt, int is_frag); ++extern void ip_options_build(struct sk_buff *skb, struct ip_options *opt, __be32 daddr, struct rtable *rt, int is_frag); + extern int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb); + extern void ip_options_fragment(struct sk_buff *skb); + extern int ip_options_compile(struct net *net, + struct ip_options *opt, struct sk_buff *skb); +-extern int ip_options_get(struct net *net, struct ip_options_rcu **optp, ++extern int ip_options_get(struct net *net, struct ip_options **optp, + unsigned char *data, int optlen); +-extern int ip_options_get_from_user(struct net *net, struct ip_options_rcu **optp, ++extern int ip_options_get_from_user(struct net *net, struct ip_options **optp, + unsigned char __user *data, int optlen); + extern void ip_options_undo(struct ip_options * opt); + extern void ip_forward_options(struct sk_buff *skb); +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 52d86da..639bbf0 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -449,7 +449,17 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add + return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); + } + +-extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); ++static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr) ++{ ++ static u32 ipv6_fragmentation_id = 1; ++ static DEFINE_SPINLOCK(ip6_id_lock); ++ ++ spin_lock_bh(&ip6_id_lock); ++ fhdr->identification = htonl(ipv6_fragmentation_id); ++ if (++ipv6_fragmentation_id == 0) ++ 
ipv6_fragmentation_id = 1; ++ spin_unlock_bh(&ip6_id_lock); ++} + + /* + * Prototypes exported by ipv6 +diff --git a/include/net/transp_v6.h b/include/net/transp_v6.h +index 8beefe1..d65381c 100644 +--- a/include/net/transp_v6.h ++++ b/include/net/transp_v6.h +@@ -16,8 +16,6 @@ extern struct proto tcpv6_prot; + + struct flowi; + +-extern void initialize_hashidentrnd(void); +- + /* extention headers */ + extern int ipv6_exthdrs_init(void); + extern void ipv6_exthdrs_exit(void); +diff --git a/include/scsi/scsi.h b/include/scsi/scsi.h +index b3cffec..34c46ab 100644 +--- a/include/scsi/scsi.h ++++ b/include/scsi/scsi.h +@@ -145,10 +145,10 @@ struct scsi_cmnd; + + /* defined in T10 SCSI Primary Commands-2 (SPC2) */ + struct scsi_varlen_cdb_hdr { +- __u8 opcode; /* opcode always == VARIABLE_LENGTH_CMD */ +- __u8 control; +- __u8 misc[5]; +- __u8 additional_cdb_length; /* total cdb length - 8 */ ++ u8 opcode; /* opcode always == VARIABLE_LENGTH_CMD */ ++ u8 control; ++ u8 misc[5]; ++ u8 additional_cdb_length; /* total cdb length - 8 */ + __be16 service_action; + /* service specific data follows */ + }; +diff --git a/include/scsi/scsi_netlink.h b/include/scsi/scsi_netlink.h +index 58ce8fe..536752c 100644 +--- a/include/scsi/scsi_netlink.h ++++ b/include/scsi/scsi_netlink.h +@@ -105,8 +105,8 @@ struct scsi_nl_host_vendor_msg { + * PCI : ID data is the 16 bit PCI Registered Vendor ID + */ + #define SCSI_NL_VID_TYPE_SHIFT 56 +-#define SCSI_NL_VID_TYPE_MASK ((__u64)0xFF << SCSI_NL_VID_TYPE_SHIFT) +-#define SCSI_NL_VID_TYPE_PCI ((__u64)0x01 << SCSI_NL_VID_TYPE_SHIFT) ++#define SCSI_NL_VID_TYPE_MASK ((u64)0xFF << SCSI_NL_VID_TYPE_SHIFT) ++#define SCSI_NL_VID_TYPE_PCI ((u64)0x01 << SCSI_NL_VID_TYPE_SHIFT) + #define SCSI_NL_VID_ID_MASK (~ SCSI_NL_VID_TYPE_MASK) + + +diff --git a/include/trace/events/kmem.h b/include/trace/events/kmem.h +index a8dc32a..eaf46bd 100644 +--- a/include/trace/events/kmem.h ++++ b/include/trace/events/kmem.h +@@ -293,7 +293,7 @@ 
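Review bot: `ipv6_select_ident` in include/net/ipv6.h is a `static __inline__` function with function-local `static` state, so every translation unit that includes the header and calls it gets its own `ipv6_fragmentation_id` and `ip6_id_lock`; the counter is not actually shared. Each copy also starts at 1 and increases by one per fragment header, which makes the identification values easy to anticipate and lets different call sites hand out the same value. I would keep a single out-of-line definition in a .c file with only a prototype in the header, and derive the value from something less regular than a global increment.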
TRACE_EVENT(mm_page_alloc, + + TP_printk("page=%p pfn=%lu order=%d migratetype=%d gfp_flags=%s", + __entry->page, +- __entry->page ? page_to_pfn(__entry->page) : 0, ++ page_to_pfn(__entry->page), + __entry->order, + __entry->migratetype, + show_gfp_flags(__entry->gfp_flags)) +@@ -319,7 +319,7 @@ TRACE_EVENT(mm_page_alloc_zone_locked, + + TP_printk("page=%p pfn=%lu order=%u migratetype=%d percpu_refill=%d", + __entry->page, +- __entry->page ? page_to_pfn(__entry->page) : 0, ++ page_to_pfn(__entry->page), + __entry->order, + __entry->migratetype, + __entry->order == 0) +diff --git a/kernel/async.c b/kernel/async.c +index 397a7c7..27235f5 100644 +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -93,13 +93,6 @@ static async_cookie_t __lowest_in_progress(struct list_head *running) + { + struct async_entry *entry; + +- if (!running) { /* just check the entry count */ +- if (atomic_read(&entry_count)) +- return 0; /* smaller than any cookie */ +- else +- return next_cookie; +- } +- + if (!list_empty(running)) { + entry = list_first_entry(running, + struct async_entry, list); +@@ -255,7 +248,9 @@ EXPORT_SYMBOL_GPL(async_schedule_domain); + */ + void async_synchronize_full(void) + { +- async_synchronize_cookie_domain(next_cookie, NULL); ++ do { ++ async_synchronize_cookie(next_cookie); ++ } while (!list_empty(&async_running) || !list_empty(&async_pending)); + } + EXPORT_SYMBOL_GPL(async_synchronize_full); + +@@ -275,7 +270,7 @@ EXPORT_SYMBOL_GPL(async_synchronize_full_domain); + /** + * async_synchronize_cookie_domain - synchronize asynchronous function calls within a certain domain with cookie checkpointing + * @cookie: async_cookie_t to use as checkpoint +- * @running: running list to synchronize on, NULL indicates all lists ++ * @running: running list to synchronize on + * + * This function waits until all asynchronous function calls for the + * synchronization domain specified by the running list @list submitted +diff --git a/kernel/cgroup.c b/kernel/cgroup.c +index 
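Review bot: `page_to_pfn(__entry->page)` is evaluated without a NULL test in both `TP_printk` hunks of include/trace/events/kmem.h (`mm_page_alloc` and `mm_page_alloc_zone_locked`). If the event is ever recorded for a failed allocation, with `page` NULL (the assignment is outside the hunk), the printed pfn is computed from a NULL pointer. Keeping `__entry->page ? page_to_pfn(__entry->page) : 0,` costs nothing and keeps the output meaningful in that case.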
04a9704..1fbcc74 100644 +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -1992,7 +1992,9 @@ static int cgroup_create_dir(struct cgroup *cgrp, struct dentry *dentry, + dentry->d_fsdata = cgrp; + inc_nlink(parent->d_inode); + rcu_assign_pointer(cgrp->dentry, dentry); ++ dget(dentry); + } ++ dput(dentry); + + return error; + } +diff --git a/kernel/kmod.c b/kernel/kmod.c +index 8ecc509..a061472 100644 +--- a/kernel/kmod.c ++++ b/kernel/kmod.c +@@ -53,50 +53,6 @@ static DECLARE_RWSEM(umhelper_sem); + */ + char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe"; + +-static void free_modprobe_argv(char **argv, char **envp) +-{ +- kfree(argv[3]); /* check call_modprobe() */ +- kfree(argv); +-} +- +-static int call_modprobe(char *module_name, int wait) +-{ +- static char *envp[] = { "HOME=/", +- "TERM=linux", +- "PATH=/sbin:/usr/sbin:/bin:/usr/bin", +- NULL }; +- struct subprocess_info *info; +- +- char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL); +- if (!argv) +- goto out; +- +- module_name = kstrdup(module_name, GFP_KERNEL); +- if (!module_name) +- goto free_argv; +- +- argv[0] = modprobe_path; +- argv[1] = "-q"; +- argv[2] = "--"; +- argv[3] = module_name; /* check free_modprobe_argv() */ +- argv[4] = NULL; +- +- info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC); +- if (!info) +- goto free_module_name; +- +- call_usermodehelper_setcleanup(info, free_modprobe_argv); +- +- return call_usermodehelper_exec(info, wait | UMH_KILLABLE); +- +-free_module_name: +- kfree(module_name); +-free_argv: +- kfree(argv); +-out: +- return -ENOMEM; +-} +- + /** + * __request_module - try to load a kernel module + * @wait: wait (or not) for the operation to complete +@@ -118,6 +74,11 @@ int __request_module(bool wait, const char *fmt, ...) 
+ char module_name[MODULE_NAME_LEN]; + unsigned int max_modprobes; + int ret; ++ char *argv[] = { modprobe_path, "-q", "--", module_name, NULL }; ++ static char *envp[] = { "HOME=/", ++ "TERM=linux", ++ "PATH=/sbin:/usr/sbin:/bin:/usr/bin", ++ NULL }; + static atomic_t kmod_concurrent = ATOMIC_INIT(0); + #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */ + static int kmod_loop_msg; +@@ -160,8 +121,8 @@ int __request_module(bool wait, const char *fmt, ...) + + trace_module_request(module_name, wait, _RET_IP_); + +- ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC); +- ++ ret = call_usermodehelper(modprobe_path, argv, envp, ++ wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC); + atomic_dec(&kmod_concurrent); + return ret; + } +@@ -232,7 +193,7 @@ static int ____call_usermodehelper(void *data) + + /* Exec failed? */ + sub_info->retval = retval; +- return 0; ++ do_exit(0); + } + + void call_usermodehelper_freeinfo(struct subprocess_info *info) +@@ -245,19 +206,6 @@ void call_usermodehelper_freeinfo(struct subprocess_info *info) + } + EXPORT_SYMBOL(call_usermodehelper_freeinfo); + +-static void umh_complete(struct subprocess_info *sub_info) +-{ +- struct completion *comp = xchg(&sub_info->complete, NULL); +- /* +- * See call_usermodehelper_exec(). If xchg() returns NULL +- * we own sub_info, the UMH_KILLABLE caller has gone away. +- */ +- if (comp) +- complete(comp); +- else +- call_usermodehelper_freeinfo(sub_info); +-} +- + /* Keventd can't block, but this (a child) can. 
*/ + static int wait_for_helper(void *data) + { +@@ -297,7 +245,7 @@ static int wait_for_helper(void *data) + if (sub_info->wait == UMH_NO_WAIT) + call_usermodehelper_freeinfo(sub_info); + else +- umh_complete(sub_info); ++ complete(sub_info->complete); + return 0; + } + +@@ -311,9 +259,6 @@ static void __call_usermodehelper(struct work_struct *work) + + BUG_ON(atomic_read(&sub_info->cred->usage) != 1); + +- if (wait != UMH_NO_WAIT) +- wait &= ~UMH_KILLABLE; +- + /* CLONE_VFORK: wait until the usermode helper has execve'd + * successfully We need the data structures to stay around + * until that is done. */ +@@ -335,7 +280,7 @@ static void __call_usermodehelper(struct work_struct *work) + /* FALLTHROUGH */ + + case UMH_WAIT_EXEC: +- umh_complete(sub_info); ++ complete(sub_info->complete); + } + } + +@@ -575,21 +520,9 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, + queue_work(khelper_wq, &sub_info->work); + if (wait == UMH_NO_WAIT) /* task has freed sub_info */ + goto unlock; +- +- if (wait & UMH_KILLABLE) { +- retval = wait_for_completion_killable(&done); +- if (!retval) +- goto wait_done; +- +- /* umh_complete() will see NULL and free sub_info */ +- if (xchg(&sub_info->complete, NULL)) +- goto unlock; +- /* fallthrough, umh_complete() was already called */ +- } +- + wait_for_completion(&done); +-wait_done: + retval = sub_info->retval; ++ + out: + call_usermodehelper_freeinfo(sub_info); + unlock: +diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c +index ea83f5d..5c9dc22 100644 +--- a/kernel/posix-cpu-timers.c ++++ b/kernel/posix-cpu-timers.c +@@ -1537,10 +1537,8 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags, + while (!signal_pending(current)) { + if (timer.it.cpu.expires.sched == 0) { + /* +- * Our timer fired and was reset, below +- * deletion can not fail. ++ * Our timer fired and was reset. 
+ */ +- posix_cpu_timer_del(&timer); + spin_unlock_irq(&timer.it_lock); + return 0; + } +@@ -1558,26 +1556,9 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags, + * We were interrupted by a signal. + */ + sample_to_timespec(which_clock, timer.it.cpu.expires, rqtp); +- error = posix_cpu_timer_set(&timer, 0, &zero_it, it); +- if (!error) { +- /* +- * Timer is now unarmed, deletion can not fail. +- */ +- posix_cpu_timer_del(&timer); +- } ++ posix_cpu_timer_set(&timer, 0, &zero_it, it); + spin_unlock_irq(&timer.it_lock); + +- while (error == TIMER_RETRY) { +- /* +- * We need to handle case when timer was or is in the +- * middle of firing. In other cases we already freed +- * resources. +- */ +- spin_lock_irq(&timer.it_lock); +- error = posix_cpu_timer_del(&timer); +- spin_unlock_irq(&timer.it_lock); +- } +- + if ((it->it_value.tv_sec | it->it_value.tv_nsec) == 0) { + /* + * It actually did fire already. +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index d9c8c47..05625f6 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child) + child->signal->group_stop_count) + __set_task_state(child, TASK_STOPPED); + else +- ptrace_signal_wake_up(child, true); ++ signal_wake_up(child, 1); + } + spin_unlock(&child->sighand->siglock); + } +@@ -80,40 +80,6 @@ void __ptrace_unlink(struct task_struct *child) + ptrace_untrace(child); + } + +-/* Ensure that nothing can wake it up, even SIGKILL */ +-static bool ptrace_freeze_traced(struct task_struct *task, int kill) +-{ +- bool ret = true; +- +- spin_lock_irq(&task->sighand->siglock); +- if (task_is_stopped(task) && !__fatal_signal_pending(task)) +- task->state = __TASK_TRACED; +- else if (!kill) { +- if (task_is_traced(task) && !__fatal_signal_pending(task)) +- task->state = __TASK_TRACED; +- else +- ret = false; +- } +- spin_unlock_irq(&task->sighand->siglock); +- +- return ret; +-} +- +-static void ptrace_unfreeze_traced(struct task_struct *task) 
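Review bot: The result of `posix_cpu_timer_set(&timer, 0, &zero_it, it)` is discarded on the signal path of `do_cpu_nanosleep` (kernel/posix-cpu-timers.c), and neither this hunk nor the one before it calls `posix_cpu_timer_del(&timer)` any more. `timer` is declared outside the hunks, but it is used as an object rather than through a pointer, so it looks like a local; returning while it may still be queued, or while it is in the middle of firing (the `TIMER_RETRY` case), would leave a reference to a dead stack frame. I would capture the result and delete the timer on every exit, as sketched below, and restore the `posix_cpu_timer_del(&timer);` call before the `return 0;` in the first hunk.

```c
	sample_to_timespec(which_clock, timer.it.cpu.expires, rqtp);
	error = posix_cpu_timer_set(&timer, 0, &zero_it, it);
	if (!error) {
		/* Timer is unarmed now, so the delete cannot fail. */
		posix_cpu_timer_del(&timer);
	}
	spin_unlock_irq(&timer.it_lock);

	while (error == TIMER_RETRY) {
		/* Timer was firing: retry the delete under the lock. */
		spin_lock_irq(&timer.it_lock);
		error = posix_cpu_timer_del(&timer);
		spin_unlock_irq(&timer.it_lock);
	}
	/* … unchanged: check whether the timer already fired … */
```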
+-{ +- if (task->state != __TASK_TRACED) +- return; +- +- WARN_ON(!task->ptrace || task->parent != current); +- +- spin_lock_irq(&task->sighand->siglock); +- if (__fatal_signal_pending(task)) +- wake_up_state(task, __TASK_TRACED); +- else +- task->state = TASK_TRACED; +- spin_unlock_irq(&task->sighand->siglock); +-} +- + /* + * Check that we have indeed attached to the thing.. + */ +@@ -129,29 +95,25 @@ int ptrace_check_attach(struct task_struct *child, int kill) + * be changed by us so it's not changing right after this. + */ + read_lock(&tasklist_lock); +- if (child->ptrace && child->parent == current) { +- WARN_ON(child->state == __TASK_TRACED); ++ if ((child->ptrace & PT_PTRACED) && child->parent == current) { ++ ret = 0; + /* + * child->sighand can't be NULL, release_task() + * does ptrace_unlink() before __exit_signal(). + */ +- if (ptrace_freeze_traced(child, kill)) +- ret = 0; ++ spin_lock_irq(&child->sighand->siglock); ++ if (task_is_stopped(child)) ++ child->state = TASK_TRACED; ++ else if (!task_is_traced(child) && !kill) ++ ret = -ESRCH; ++ spin_unlock_irq(&child->sighand->siglock); + } + read_unlock(&tasklist_lock); + +- if (!ret && !kill) { +- if (!wait_task_inactive(child, __TASK_TRACED)) { +- /* +- * This can only happen if may_ptrace_stop() fails and +- * ptrace_stop() changes ->state back to TASK_RUNNING, +- * so we should not worry about leaking __TASK_TRACED. +- */ +- WARN_ON(child->state == __TASK_TRACED); +- ret = -ESRCH; +- } +- } ++ if (!ret && !kill) ++ ret = wait_task_inactive(child, TASK_TRACED) ? 0 : -ESRCH; + ++ /* All systems go.. 
*/ + return ret; + } + +@@ -544,7 +506,7 @@ static int ptrace_resume(struct task_struct *child, long request, long data) + } + + child->exit_code = data; +- wake_up_state(child, __TASK_TRACED); ++ wake_up_process(child); + + return 0; + } +@@ -675,8 +637,6 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, long, addr, long, data) + goto out_put_task_struct; + + ret = arch_ptrace(child, request, addr, data); +- if (ret || request != PTRACE_DETACH) +- ptrace_unfreeze_traced(child); + + out_put_task_struct: + put_task_struct(child); +@@ -792,11 +752,8 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, + } + + ret = ptrace_check_attach(child, request == PTRACE_KILL); +- if (!ret) { ++ if (!ret) + ret = compat_arch_ptrace(child, request, addr, data); +- if (ret || request != PTRACE_DETACH) +- ptrace_unfreeze_traced(child); +- } + + out_put_task_struct: + put_task_struct(child); +diff --git a/kernel/resource.c b/kernel/resource.c +index 207915a..fb11a58 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -533,7 +533,6 @@ static void __init __reserve_region_with_split(struct resource *root, + struct resource *parent = root; + struct resource *conflict; + struct resource *res = kzalloc(sizeof(*res), GFP_ATOMIC); +- struct resource *next_res = NULL; + + if (!res) + return; +@@ -543,46 +542,21 @@ static void __init __reserve_region_with_split(struct resource *root, + res->end = end; + res->flags = IORESOURCE_BUSY; + +- while (1) { +- +- conflict = __request_resource(parent, res); +- if (!conflict) { +- if (!next_res) +- break; +- res = next_res; +- next_res = NULL; +- continue; +- } ++ conflict = __request_resource(parent, res); ++ if (!conflict) ++ return; + +- /* conflict covered whole area */ +- if (conflict->start <= res->start && +- conflict->end >= res->end) { +- kfree(res); +- WARN_ON(next_res); +- break; +- } ++ /* failed, split and try again */ ++ kfree(res); + +- /* failed, split and try again */ +- if (conflict->start > 
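Review bot: A fatal signal can still wake the child after `ptrace_check_attach` (kernel/ptrace.c) reports success, because the new code moves a stopped child to `TASK_TRACED` without looking at pending fatal signals and then only waits with `wait_task_inactive(child, TASK_TRACED)`. If `TASK_TRACED` includes the wake-on-kill bit, as it normally does (the definition is outside the hunk), the child may start running while the tracer is still working on it in `arch_ptrace()`, which the later hunks call with no unfreeze step. At minimum I would not convert a child that is already dying, `if (task_is_stopped(child) && !__fatal_signal_pending(child))`; closing the window fully needs the child held in a state that signals cannot wake for the duration of the request. The function begins outside the hunk.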
res->start) { +- end = res->end; +- res->end = conflict->start - 1; +- if (conflict->end < end) { +- next_res = kzalloc(sizeof(*next_res), +- GFP_ATOMIC); +- if (!next_res) { +- kfree(res); +- break; +- } +- next_res->name = name; +- next_res->start = conflict->end + 1; +- next_res->end = end; +- next_res->flags = IORESOURCE_BUSY; +- } +- } else { +- res->start = conflict->end + 1; +- } +- } ++ /* conflict covered whole area */ ++ if (conflict->start <= start && conflict->end >= end) ++ return; + ++ if (conflict->start > start) ++ __reserve_region_with_split(root, start, conflict->start-1, name); ++ if (conflict->end < end) ++ __reserve_region_with_split(root, conflict->end+1, end, name); + } + + void __init reserve_region_with_split(struct resource *root, +diff --git a/kernel/sched.c b/kernel/sched.c +index 42bf6a6..0591df8 100644 +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -2618,8 +2618,7 @@ out: + */ + int wake_up_process(struct task_struct *p) + { +- WARN_ON(task_is_stopped_or_traced(p)); +- return try_to_wake_up(p, TASK_NORMAL, 0); ++ return try_to_wake_up(p, TASK_ALL, 0); + } + EXPORT_SYMBOL(wake_up_process); + +diff --git a/kernel/signal.c b/kernel/signal.c +index fb7e242..2494827 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -320,9 +320,6 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; +-#ifdef __ARCH_HAS_SA_RESTORER +- ka->sa.sa_restorer = NULL; +-#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +@@ -516,17 +513,23 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) + * No need to set need_resched since signal event passing + * goes through ->blocked + */ +-void signal_wake_up_state(struct task_struct *t, unsigned int state) ++void signal_wake_up(struct task_struct *t, int resume) + { ++ unsigned int mask; ++ + set_tsk_thread_flag(t, TIF_SIGPENDING); ++ + /* +- * TASK_WAKEKILL also means 
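Review bot: `ka->sa.sa_restorer` is not reset in `flush_signal_handlers` (kernel/signal.c); the loop clears `sa_handler`, `sa_flags` and `sa_mask` for every slot and leaves the restorer pointer as it was. On architectures whose `struct sigaction` has that field, an address from before the flush stays readable through the old signal action; if this runs when a new program image is installed (the callers are not visible here), the new image is handed a pointer into the old layout. I would keep `ka->sa.sa_restorer = NULL;` under `#ifdef __ARCH_HAS_SA_RESTORER`, which also means keeping the define that the include/asm-generic/signal.h hunk removes.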
wake it up in the stopped/traced/killable ++ * For SIGKILL, we want to wake it up in the stopped/traced/killable + * case. We don't check t->state here because there is a race with it + * executing another processor and just now entering stopped state. + * By using wake_up_state, we ensure the process will wake up and + * handle its death signal. + */ +- if (!wake_up_state(t, state | TASK_INTERRUPTIBLE)) ++ mask = TASK_INTERRUPTIBLE; ++ if (resume) ++ mask |= TASK_WAKEKILL; ++ if (!wake_up_state(t, mask)) + kick_process(t); + } + +@@ -1527,10 +1530,6 @@ static inline int may_ptrace_stop(void) + * If SIGKILL was already sent before the caller unlocked + * ->siglock we must see ->core_state != NULL. Otherwise it + * is safe to enter schedule(). +- * +- * This is almost outdated, a task with the pending SIGKILL can't +- * block in TASK_TRACED. But PTRACE_EVENT_EXIT can be reported +- * after SIGKILL was already dequeued. + */ + if (unlikely(current->mm->core_state) && + unlikely(current->mm == current->parent->mm)) +@@ -2301,7 +2300,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) + + static int do_tkill(pid_t tgid, pid_t pid, int sig) + { +- struct siginfo info = {}; ++ struct siginfo info; + + info.si_signo = sig; + info.si_errno = 0; +diff --git a/kernel/softirq.c b/kernel/softirq.c +index d75c136..04a0252 100644 +--- a/kernel/softirq.c ++++ b/kernel/softirq.c +@@ -194,21 +194,21 @@ void local_bh_enable_ip(unsigned long ip) + EXPORT_SYMBOL(local_bh_enable_ip); + + /* +- * We restart softirq processing for at most 2 ms, +- * and if need_resched() is not set. ++ * We restart softirq processing MAX_SOFTIRQ_RESTART times, ++ * and we fall back to softirqd after that. + * +- * These limits have been established via experimentation. ++ * This number has been established via experimentation. 
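Review bot: Stack bytes can be left uninitialised in `do_tkill` (kernel/signal.c), which declares `struct siginfo info;` without an initialiser and then assigns individual members (`si_signo` and `si_errno` are visible, the rest is outside the hunk). Any member or padding byte that is not assigned keeps old stack contents, which matters if the structure is later copied to the receiving task. `struct siginfo info = {};`, or a `memset(&info, 0, sizeof(info));` before the assignments, removes the dependency on every field being set by hand.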
+ * The two things to balance is latency against fairness - + * we want to handle softirqs as soon as possible, but they + * should not be able to lock up the box. + */ +-#define MAX_SOFTIRQ_TIME msecs_to_jiffies(2) ++#define MAX_SOFTIRQ_RESTART 10 + + asmlinkage void __do_softirq(void) + { + struct softirq_action *h; + __u32 pending; +- unsigned long end = jiffies + MAX_SOFTIRQ_TIME; ++ int max_restart = MAX_SOFTIRQ_RESTART; + int cpu; + + pending = local_softirq_pending(); +@@ -253,12 +253,11 @@ restart: + local_irq_disable(); + + pending = local_softirq_pending(); +- if (pending) { +- if (time_before(jiffies, end) && !need_resched()) +- goto restart; ++ if (pending && --max_restart) ++ goto restart; + ++ if (pending) + wakeup_softirqd(); +- } + + lockdep_softirq_exit(); + +diff --git a/kernel/sys.c b/kernel/sys.c +index 5a381e6..e9512b1 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -303,7 +303,6 @@ void kernel_restart_prepare(char *cmd) + void kernel_restart(char *cmd) + { + kernel_restart_prepare(cmd); +- disable_nonboot_cpus(); + if (!cmd) + printk(KERN_EMERG "Restarting system.\n"); + else +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index 67fe3d9..57b953f 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -67,8 +67,7 @@ static void tick_broadcast_start_periodic(struct clock_event_device *bc) + */ + int tick_check_broadcast_device(struct clock_event_device *dev) + { +- if ((dev->features & CLOCK_EVT_FEAT_DUMMY) || +- (tick_broadcast_device.evtdev && ++ if ((tick_broadcast_device.evtdev && + tick_broadcast_device.evtdev->rating >= dev->rating) || + (dev->features & CLOCK_EVT_FEAT_C3STOP)) + return 0; +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 9f0fd18..b63cfeb 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -765,7 +765,7 @@ void tick_cancel_sched_timer(int cpu) + hrtimer_cancel(&ts->sched_timer); + # endif + +- memset(ts, 0, sizeof(*ts)); 
++ ts->nohz_mode = NOHZ_MODE_INACTIVE; + } + #endif + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index f65a0fb..3d35af3 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -809,7 +809,7 @@ void update_wall_time(void) + #endif + /* Check if there's really nothing to do */ + if (offset < timekeeper.cycle_interval) +- goto out; ++ return; + + timekeeper.xtime_nsec = (s64)xtime.tv_nsec << timekeeper.shift; + +@@ -881,7 +881,6 @@ void update_wall_time(void) + timekeeper.ntp_error += timekeeper.xtime_nsec << + timekeeper.ntp_error_shift; + +-out: + nsecs = clocksource_cyc2ns(offset, timekeeper.mult, timekeeper.shift); + update_xtime_cache(nsecs); + +diff --git a/kernel/timer.c b/kernel/timer.c +index 8123679..cb3c1f1 100644 +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -1553,12 +1553,12 @@ static int __cpuinit init_timers_cpu(int cpu) + boot_done = 1; + base = &boot_tvec_bases; + } +- spin_lock_init(&base->lock); + tvec_base_done[cpu] = 1; + } else { + base = per_cpu(tvec_bases, cpu); + } + ++ spin_lock_init(&base->lock); + + for (j = 0; j < TVN_SIZE; j++) { + INIT_LIST_HEAD(base->tv5.vec + j); +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index c5f8ab9..4872937 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -469,6 +469,7 @@ int ftrace_profile_pages_init(struct ftrace_profile_stat *stat) + free_page(tmp); + } + ++ free_page((unsigned long)stat->pages); + stat->pages = NULL; + stat->start = NULL; + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 6024960..e749a05 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2876,8 +2876,6 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) + * Splice the empty reader page into the list around the head. 
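Review bot: The added `free_page((unsigned long)stat->pages);` in `ftrace_profile_pages_init()` comes directly after a loop whose tail, `free_page(tmp);`, is visible in the context lines. If that loop already walks the page list from its first page (it cannot be confirmed from this hunk, since the loop head is outside it), the first page is freed twice here. Check where the loop starts and drop the extra call if it starts at `stat->pages` / `stat->start`.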
+ */ + reader = rb_set_head_page(cpu_buffer); +- if (!reader) +- goto out; + cpu_buffer->reader_page->list.next = reader->list.next; + cpu_buffer->reader_page->list.prev = reader->list.prev; + +diff --git a/lib/genalloc.c b/lib/genalloc.c +index c1fb257..eed2bdb 100644 +--- a/lib/genalloc.c ++++ b/lib/genalloc.c +@@ -52,7 +52,7 @@ int gen_pool_add(struct gen_pool *pool, unsigned long addr, size_t size, + struct gen_pool_chunk *chunk; + int nbits = size >> pool->min_alloc_order; + int nbytes = sizeof(struct gen_pool_chunk) + +- BITS_TO_LONGS(nbits) * sizeof(long); ++ (nbits + BITS_PER_BYTE - 1) / BITS_PER_BYTE; + + chunk = kmalloc_node(nbytes, GFP_KERNEL | __GFP_ZERO, nid); + if (unlikely(chunk == NULL)) +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index b435d1f..20f9240 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1772,15 +1772,6 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma) + kref_get(&reservations->refs); + } + +-static void resv_map_put(struct vm_area_struct *vma) +-{ +- struct resv_map *reservations = vma_resv_map(vma); +- +- if (!reservations) +- return; +- kref_put(&reservations->refs, resv_map_release); +-} +- + static void hugetlb_vm_op_close(struct vm_area_struct *vma) + { + struct hstate *h = hstate_vma(vma); +@@ -1797,7 +1788,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma) + reserve = (end - start) - + region_count(&reservations->regions, start, end); + +- resv_map_put(vma); ++ kref_put(&reservations->refs, resv_map_release); + + if (reserve) { + hugetlb_acct_memory(h, -reserve); +@@ -2481,16 +2472,12 @@ int hugetlb_reserve_pages(struct inode *inode, + set_vma_resv_flags(vma, HPAGE_RESV_OWNER); + } + +- if (chg < 0) { +- ret = chg; +- goto out_err; +- } ++ if (chg < 0) ++ return chg; + + /* There must be enough pages in the subpool for the mapping */ +- if (hugepage_subpool_get_pages(spool, chg)) { +- ret = -ENOSPC; +- goto out_err; +- } ++ if (hugepage_subpool_get_pages(spool, chg)) ++ return -ENOSPC; + + /* + * 
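Review bot: `rb_get_reader_page()` now dereferences `reader` (`reader->list.next`, `reader->list.prev`) right after `reader = rb_set_head_page(cpu_buffer);`, with the `if (!reader) goto out;` check removed. The removed check suggests `rb_set_head_page()` can return NULL, in which case this is a NULL pointer dereference in the reader path. Keep the check before the splice. The function body starts and ends outside the hunk.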
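Review bot: `nbytes` in `gen_pool_add()` now sizes the bitmap as `(nbits + BITS_PER_BYTE - 1) / BITS_PER_BYTE`, rounded up to a byte rather than to an `unsigned long`. Kernel bitmap helpers work on whole longs, so if the chunk's bitmap is accessed through them (the accessors are outside this hunk), the last word can reach past the `kmalloc_node()` allocation. `BITS_TO_LONGS(nbits) * sizeof(long)` keeps the allocation a whole number of words.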
Check enough hugepages are available for the reservation. +@@ -2499,7 +2486,7 @@ int hugetlb_reserve_pages(struct inode *inode, + ret = hugetlb_acct_memory(h, chg); + if (ret < 0) { + hugepage_subpool_put_pages(spool, chg); +- goto out_err; ++ return ret; + } + + /* +@@ -2516,10 +2503,6 @@ int hugetlb_reserve_pages(struct inode *inode, + if (!vma || vma->vm_flags & VM_MAYSHARE) + region_add(&inode->i_mapping->private_list, from, to); + return 0; +-out_err: +- if (vma) +- resv_map_put(vma); +- return ret; + } + + void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed) +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index df6602f..a6563fb 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1759,7 +1759,7 @@ int __mpol_equal(struct mempolicy *a, struct mempolicy *b) + */ + + /* lookup first element intersecting start-end */ +-/* Caller holds sp->mutex */ ++/* Caller holds sp->lock */ + static struct sp_node * + sp_lookup(struct shared_policy *sp, unsigned long start, unsigned long end) + { +@@ -1823,13 +1823,13 @@ mpol_shared_policy_lookup(struct shared_policy *sp, unsigned long idx) + + if (!sp->root.rb_node) + return NULL; +- mutex_lock(&sp->mutex); ++ spin_lock(&sp->lock); + sn = sp_lookup(sp, idx, idx+1); + if (sn) { + mpol_get(sn->policy); + pol = sn->policy; + } +- mutex_unlock(&sp->mutex); ++ spin_unlock(&sp->lock); + return pol; + } + +@@ -1860,10 +1860,10 @@ static struct sp_node *sp_alloc(unsigned long start, unsigned long end, + static int shared_policy_replace(struct shared_policy *sp, unsigned long start, + unsigned long end, struct sp_node *new) + { +- struct sp_node *n; +- int ret = 0; ++ struct sp_node *n, *new2 = NULL; + +- mutex_lock(&sp->mutex); ++restart: ++ spin_lock(&sp->lock); + n = sp_lookup(sp, start, end); + /* Take care of old policies in the same range. 
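Review bot: The error returns in `hugetlb_reserve_pages()` (`return chg;` and `return -ENOSPC;` here, `return ret;` in the next hunk) replace the `out_err` path that called `resv_map_put(vma)`, which the last hunk of this function deletes. If a reservation map was attached to the vma earlier in the function (the `set_vma_resv_flags(vma, HPAGE_RESV_OWNER);` context line suggests so, but the allocation is outside the hunk), these paths return with its reference still held. Keep one common cleanup label for the failure paths, or add a comment saying where the map is released when reservation fails.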
*/ + while (n && n->start < end) { +@@ -1876,14 +1876,16 @@ static int shared_policy_replace(struct shared_policy *sp, unsigned long start, + } else { + /* Old policy spanning whole new range. */ + if (n->end > end) { +- struct sp_node *new2; +- new2 = sp_alloc(end, n->end, n->policy); + if (!new2) { +- ret = -ENOMEM; +- goto out; ++ spin_unlock(&sp->lock); ++ new2 = sp_alloc(end, n->end, n->policy); ++ if (!new2) ++ return -ENOMEM; ++ goto restart; + } + n->end = start; + sp_insert(sp, new2); ++ new2 = NULL; + break; + } else + n->end = start; +@@ -1894,9 +1896,12 @@ static int shared_policy_replace(struct shared_policy *sp, unsigned long start, + } + if (new) + sp_insert(sp, new); +-out: +- mutex_unlock(&sp->mutex); +- return ret; ++ spin_unlock(&sp->lock); ++ if (new2) { ++ mpol_put(new2->policy); ++ kmem_cache_free(sn_cache, new2); ++ } ++ return 0; + } + + /** +@@ -1914,7 +1919,7 @@ void mpol_shared_policy_init(struct shared_policy *sp, struct mempolicy *mpol) + int ret; + + sp->root = RB_ROOT; /* empty tree == default mempolicy */ +- mutex_init(&sp->mutex); ++ spin_lock_init(&sp->lock); + + if (mpol) { + struct vm_area_struct pvma; +@@ -1982,7 +1987,7 @@ void mpol_free_shared_policy(struct shared_policy *p) + + if (!p->root.rb_node) + return; +- mutex_lock(&p->mutex); ++ spin_lock(&p->lock); + next = rb_first(&p->root); + while (next) { + n = rb_entry(next, struct sp_node, nd); +@@ -1991,7 +1996,7 @@ void mpol_free_shared_policy(struct shared_policy *p) + mpol_put(n->policy); + kmem_cache_free(sn_cache, n); + } +- mutex_unlock(&p->mutex); ++ spin_unlock(&p->lock); + } + + /* assumes fs == KERNEL_DS */ +diff --git a/mm/shmem.c b/mm/shmem.c +index e6a0c72..3e0005b 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2242,7 +2242,6 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) + unsigned long inodes; + int error = -EINVAL; + +- config.mpol = NULL; + if (shmem_parse_options(data, &config, true)) + return error; + +@@ -2270,13 +2269,8 
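Review bot: In `shared_policy_replace()` the new allocation path calls `spin_unlock(&sp->lock)` and then `sp_alloc(end, n->end, n->policy)`, so `n->end` and `n->policy` are read after the lock protecting the tree has been released. Another thread can change or free `n` in that window (`mpol_free_shared_policy()` in this file frees nodes under the same lock), and the reads may then touch stale or freed memory. Allocate the spare node without reading `n` and initialise it from `n` only after the lock is retaken, or keep a sleeping lock that can be held across the allocation. The function begins in the previous hunk and continues in the next one.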
@@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) + sbinfo->max_inodes = config.max_inodes; + sbinfo->free_inodes = config.max_inodes - inodes; + +- /* +- * Preserve previous mempolicy unless mpol remount option was specified. +- */ +- if (config.mpol) { +- mpol_put(sbinfo->mpol); +- sbinfo->mpol = config.mpol; /* transfers initial ref */ +- } ++ mpol_put(sbinfo->mpol); ++ sbinfo->mpol = config.mpol; /* transfers initial ref */ + out: + spin_unlock(&sbinfo->stat_lock); + return error; +diff --git a/mm/truncate.c b/mm/truncate.c +index b41d26d..258bda7 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -376,12 +376,11 @@ invalidate_complete_page2(struct address_space *mapping, struct page *page) + if (page_has_private(page) && !try_to_release_page(page, GFP_KERNEL)) + return 0; + +- clear_page_mlock(page); +- + spin_lock_irq(&mapping->tree_lock); + if (PageDirty(page)) + goto failed; + ++ clear_page_mlock(page); + BUG_ON(page_has_private(page)); + __remove_from_page_cache(page); + spin_unlock_irq(&mapping->tree_lock); +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 738db2b..4649929 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2241,8 +2241,6 @@ static int kswapd(void *p) + balance_pgdat(pgdat, order); + } + } +- +- current->reclaim_state = NULL; + return 0; + } + +diff --git a/net/atm/common.c b/net/atm/common.c +index 65737b8..950bd16 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -473,8 +473,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + struct sk_buff *skb; + int copied, error = -EINVAL; + +- msg->msg_namelen = 0; +- + if (sock->state != SS_CONNECTED) + return -ENOTCONN; + if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */ +@@ -751,7 +749,6 @@ int vcc_getsockopt(struct socket *sock, int level, int optname, + if (!vcc->dev || + !test_bit(ATM_VF_ADDR,&vcc->flags)) + return -ENOTCONN; +- memset(&pvc, 0, sizeof(pvc)); + pvc.sap_family = AF_ATMPVC; + pvc.sap_addr.itf = 
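Review bot: `shmem_remount_fs()` now runs `mpol_put(sbinfo->mpol); sbinfo->mpol = config.mpol;` unconditionally, and the previous hunk removes `config.mpol = NULL;`. When the remount carries no mpol option, `config.mpol` holds whatever `config` was initialised with (its declaration is outside both hunks); if that is a copy of `*sbinfo`, the reference is dropped and the same pointer stored back, leaving `sbinfo->mpol` one reference short. Keep the `if (config.mpol)` guard together with the NULL initialisation so that the previous policy is preserved.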
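Review bot: `vcc_recvmsg()` no longer sets `msg->msg_namelen = 0;`, and no source address is filled in anywhere in the visible lines. If the caller copies `msg_namelen` bytes of its address buffer back to user space (that code is outside this diff), the length left over from the caller makes it return uninitialised kernel memory. The same applies to `rfcomm_sock_recvmsg()` on its deferred-setup return and to `bt_sock_recvmsg()`, where the assignment is moved below the early `return 0;` / `return err;`. Set `msg->msg_namelen = 0;` at the top of each handler, before any return.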
vcc->dev->number; + pvc.sap_addr.vpi = vcc->vpi; +diff --git a/net/atm/pvc.c b/net/atm/pvc.c +index 523c21a..d4c0245 100644 +--- a/net/atm/pvc.c ++++ b/net/atm/pvc.c +@@ -93,7 +93,6 @@ static int pvc_getname(struct socket *sock,struct sockaddr *sockaddr, + if (!vcc->dev || !test_bit(ATM_VF_ADDR,&vcc->flags)) return -ENOTCONN; + *sockaddr_len = sizeof(struct sockaddr_atmpvc); + addr = (struct sockaddr_atmpvc *) sockaddr; +- memset(addr, 0, sizeof(*addr)); + addr->sap_family = AF_ATMPVC; + addr->sap_addr.itf = vcc->dev->number; + addr->sap_addr.vpi = vcc->vpi; +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 8613bd1..1e9f3e42 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1654,7 +1654,6 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, + ax25_address src; + const unsigned char *mac = skb_mac_header(skb); + +- memset(sax, 0, sizeof(struct full_sockaddr_ax25)); + ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, + &digi, NULL, NULL); + sax->sax25_family = AF_AX25; +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index d7239dd..8cfb5a8 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags & (MSG_OOB)) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) { + if (sk->sk_shutdown & RCV_SHUTDOWN) + return 0; + return err; + } + ++ msg->msg_namelen = 0; ++ + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 45caaaa..75302a9 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -576,7 +576,6 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char + { + struct hci_filter *f = &hci_pi(sk)->filter; + +- memset(&uf, 0, sizeof(uf)); + uf.type_mask = f->type_mask; + uf.opcode = 
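Review bot: `vcc_getsockopt()` fills `pvc` member by member with `memset(&pvc, 0, sizeof(pvc));` removed, so padding and any member left unassigned keep stack contents when the structure is copied out to the caller (the copy is outside the hunk). The same zeroing is dropped in `pvc_getname()`, `ax25_recvmsg()`, `hci_sock_getsockopt()`, `l2cap_sock_getname()`, `rfcomm_sock_getname()` and `dcbnl_getperm_hwaddr()` later in this patch. Keep the `memset()` ahead of the first assignment in each of them.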
f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 0c2c59d..49d8495 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -778,7 +778,7 @@ static int hidp_setup_hid(struct hidp_session *session, + hid->version = req->version; + hid->country = req->country; + +- strncpy(hid->name, req->name, sizeof(req->name) - 1); ++ strncpy(hid->name, req->name, 128); + strncpy(hid->phys, batostr(&src), 64); + strncpy(hid->uniq, batostr(&dst), 64); + +diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c +index 1c20bd9..71120ee 100644 +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -1184,7 +1184,6 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l + + BT_DBG("sock %p, sk %p", sock, sk); + +- memset(la, 0, sizeof(struct sockaddr_l2)); + addr->sa_family = AF_BLUETOOTH; + *len = sizeof(struct sockaddr_l2); + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 1db0132..1ae3f80 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -543,7 +543,6 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * + + BT_DBG("sock %p, sk %p", sock, sk); + +- memset(sa, 0, sizeof(*sa)); + sa->rc_family = AF_BLUETOOTH; + sa->rc_channel = rfcomm_pi(sk)->channel; + if (peer) +@@ -652,7 +651,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { + rfcomm_dlc_accept(d); +- msg->msg_namelen = 0; + return 0; + } + +diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c +index 108215b..81ae40b 100644 +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -15,7 +15,6 @@ + #include <linux/netfilter_bridge.h> + #include <linux/etherdevice.h> + #include <linux/llc.h> +-#include <linux/pkt_sched.h> + #include <net/net_namespace.h> + #include <net/llc.h> + #include 
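Review bot: `strncpy(hid->name, req->name, 128);` in `hidp_setup_hid()` may fill all 128 bytes without writing a terminator, and the bound is a literal rather than a size taken from either buffer. If `req->name` has no NUL within that length, `hid->name` is left unterminated and later string use reads past it; if 128 is larger than `sizeof(req->name)`, the copy also reads past the source. Use `strncpy(hid->name, req->name, sizeof(hid->name) - 1);` followed by `hid->name[sizeof(hid->name) - 1] = '\0';`, after checking that the source is at least that large. The neighbouring `hid->phys` and `hid->uniq` copies use a literal 64 in the same way.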
<net/llc_pdu.h> +@@ -40,7 +39,6 @@ static void br_send_bpdu(struct net_bridge_port *p, + + skb->dev = p->dev; + skb->protocol = htons(ETH_P_802_2); +- skb->priority = TC_PRIO_CONTROL; + + skb_reserve(skb, LLC_RESERVE); + memcpy(__skb_put(skb, length), data, length); +diff --git a/net/core/dev.c b/net/core/dev.c +index d775563..46e2a29 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -967,8 +967,6 @@ rollback: + */ + int dev_set_alias(struct net_device *dev, const char *alias, size_t len) + { +- char *new_ifalias; +- + ASSERT_RTNL(); + + if (len >= IFALIASZ) +@@ -982,10 +980,9 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len) + return 0; + } + +- new_ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL); +- if (!new_ifalias) ++ dev->ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL); ++ if (!dev->ifalias) + return -ENOMEM; +- dev->ifalias = new_ifalias; + + strlcpy(dev->ifalias, alias, len+1); + return len; +@@ -2848,7 +2845,7 @@ static void net_rx_action(struct softirq_action *h) + * Allow this to run for 2 jiffies since which will allow + * an average latency of 1.5/HZ. 
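Review bot: `dev->ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);` in `dev_set_alias()` overwrites the only pointer to the old buffer, so when `krealloc()` fails the old alias is leaked and `dev->ifalias` is left NULL on the `-ENOMEM` return. Assign the result to a temporary first (`new_ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);`), return `-ENOMEM` if it is NULL, and only then store `dev->ifalias = new_ifalias;`. That needs the `char *new_ifalias;` declaration which the previous hunk removes.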
+ */ +- if (unlikely(budget <= 0 || time_after_eq(jiffies, time_limit))) ++ if (unlikely(budget <= 0 || time_after(jiffies, time_limit))) + goto softnet_break; + + local_irq_enable(); +diff --git a/net/core/sock.c b/net/core/sock.c +index eafa660..4538a34 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -562,8 +562,7 @@ set_rcvbuf: + + case SO_KEEPALIVE: + #ifdef CONFIG_INET +- if (sk->sk_protocol == IPPROTO_TCP && +- sk->sk_type == SOCK_STREAM) ++ if (sk->sk_protocol == IPPROTO_TCP) + tcp_set_keepalive(sk, valbool); + #endif + sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool); +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index 813fe4b..ac1205d 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -307,7 +307,6 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb, + dcb->dcb_family = AF_UNSPEC; + dcb->cmd = DCB_CMD_GPERM_HWADDR; + +- memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index cef3656..d14c0a3 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -47,7 +47,6 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + __be32 daddr, nexthop; + int tmp; + int err; +- struct ip_options_rcu *inet_opt; + + dp->dccps_role = DCCP_ROLE_CLIENT; + +@@ -58,12 +57,10 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + return -EAFNOSUPPORT; + + nexthop = daddr = usin->sin_addr.s_addr; +- +- inet_opt = inet->inet_opt; +- if (inet_opt != NULL && inet_opt->opt.srr) { ++ if (inet->opt != NULL && inet->opt->srr) { + if (daddr == 0) + return -EINVAL; +- nexthop = inet_opt->opt.faddr; ++ nexthop = inet->opt->faddr; + } + + tmp = ip_route_connect(&rt, nexthop, inet->saddr, +@@ -78,7 +75,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + return -ENETUNREACH; + } + +- if (inet_opt == NULL || 
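Review bot: The `SO_KEEPALIVE` case now calls `tcp_set_keepalive(sk, valbool)` for any socket with `sk->sk_protocol == IPPROTO_TCP`, without also checking `sk->sk_type == SOCK_STREAM`. A socket of another type can carry that protocol number without being a TCP socket, so TCP-specific state would be accessed on a structure that does not have it. Keep both conditions: `if (sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM)`.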
!inet_opt->opt.srr) ++ if (inet->opt == NULL || !inet->opt->srr) + daddr = rt->rt_dst; + + if (inet->saddr == 0) +@@ -89,8 +86,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->daddr = daddr; + + inet_csk(sk)->icsk_ext_hdr_len = 0; +- if (inet_opt) +- inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen; ++ if (inet->opt != NULL) ++ inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen; + /* + * Socket identity is still unknown (sport may be zero). + * However we set state to DCCP_REQUESTING and not releasing socket +@@ -400,7 +397,7 @@ struct sock *dccp_v4_request_recv_sock(struct sock *sk, struct sk_buff *skb, + newinet->daddr = ireq->rmt_addr; + newinet->rcv_saddr = ireq->loc_addr; + newinet->saddr = ireq->loc_addr; +- newinet->inet_opt = ireq->opt; ++ newinet->opt = ireq->opt; + ireq->opt = NULL; + newinet->mc_index = inet_iif(skb); + newinet->mc_ttl = ip_hdr(skb)->ttl; +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 2f11de7..9ed1962 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -600,7 +600,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, + + First: no IPv4 options. 
+ */ +- newinet->inet_opt = NULL; ++ newinet->opt = NULL; + + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index d1992a4..a289878 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -152,7 +152,7 @@ void inet_sock_destruct(struct sock *sk) + WARN_ON(sk->sk_wmem_queued); + WARN_ON(sk->sk_forward_alloc); + +- kfree(inet->inet_opt); ++ kfree(inet->opt); + dst_release(sk->sk_dst_cache); + sk_refcnt_debug_dec(sk); + } +@@ -1065,11 +1065,9 @@ static int inet_sk_reselect_saddr(struct sock *sk) + __be32 old_saddr = inet->saddr; + __be32 new_saddr; + __be32 daddr = inet->daddr; +- struct ip_options_rcu *inet_opt; + +- inet_opt = inet->inet_opt; +- if (inet_opt && inet_opt->opt.srr) +- daddr = inet_opt->opt.faddr; ++ if (inet->opt && inet->opt->srr) ++ daddr = inet->opt->faddr; + + /* Query new route. */ + err = ip_route_connect(&rt, daddr, 0, +@@ -1111,7 +1109,6 @@ int inet_sk_rebuild_header(struct sock *sk) + struct inet_sock *inet = inet_sk(sk); + struct rtable *rt = (struct rtable *)__sk_dst_check(sk, 0); + __be32 daddr; +- struct ip_options_rcu *inet_opt; + int err; + + /* Route is OK, nothing to do. */ +@@ -1119,12 +1116,9 @@ int inet_sk_rebuild_header(struct sock *sk) + return 0; + + /* Reroute. 
*/ +- rcu_read_lock(); +- inet_opt = rcu_dereference(inet->inet_opt); + daddr = inet->daddr; +- if (inet_opt && inet_opt->opt.srr) +- daddr = inet_opt->opt.faddr; +- rcu_read_unlock(); ++ if (inet->opt && inet->opt->srr) ++ daddr = inet->opt->faddr; + { + struct flowi fl = { + .oif = sk->sk_bound_dev_if, +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index b6d06d6..10f8f8d 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1860,11 +1860,6 @@ static int cipso_v4_genopt(unsigned char *buf, u32 buf_len, + return CIPSO_V4_HDR_LEN + ret_val; + } + +-static void opt_kfree_rcu(struct rcu_head *head) +-{ +- kfree(container_of(head, struct ip_options_rcu, rcu)); +-} +- + /** + * cipso_v4_sock_setattr - Add a CIPSO option to a socket + * @sk: the socket +@@ -1887,7 +1882,7 @@ int cipso_v4_sock_setattr(struct sock *sk, + unsigned char *buf = NULL; + u32 buf_len; + u32 opt_len; +- struct ip_options_rcu *old, *opt = NULL; ++ struct ip_options *opt = NULL; + struct inet_sock *sk_inet; + struct inet_connection_sock *sk_conn; + +@@ -1923,25 +1918,22 @@ int cipso_v4_sock_setattr(struct sock *sk, + ret_val = -ENOMEM; + goto socket_setattr_failure; + } +- memcpy(opt->opt.__data, buf, buf_len); +- opt->opt.optlen = opt_len; +- opt->opt.cipso = sizeof(struct iphdr); ++ memcpy(opt->__data, buf, buf_len); ++ opt->optlen = opt_len; ++ opt->cipso = sizeof(struct iphdr); + kfree(buf); + buf = NULL; + + sk_inet = inet_sk(sk); +- +- old = sk_inet->inet_opt; + if (sk_inet->is_icsk) { + sk_conn = inet_csk(sk); +- if (old) +- sk_conn->icsk_ext_hdr_len -= old->opt.optlen; +- sk_conn->icsk_ext_hdr_len += opt->opt.optlen; ++ if (sk_inet->opt) ++ sk_conn->icsk_ext_hdr_len -= sk_inet->opt->optlen; ++ sk_conn->icsk_ext_hdr_len += opt->optlen; + sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie); + } +- rcu_assign_pointer(sk_inet->inet_opt, opt); +- if (old) +- call_rcu(&old->rcu, opt_kfree_rcu); ++ opt = xchg(&sk_inet->opt, opt); ++ kfree(opt); + + return 0; + +@@ 
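Review bot: `cipso_v4_sock_setattr()` now swaps the option block in with `xchg(&sk_inet->opt, opt)` and calls `kfree()` on the old block at once, where the removed lines published it with `rcu_assign_pointer()` and freed it through `call_rcu()`. The readers changed elsewhere in this patch (`dccp_v4_connect()`, `inet_sk_rebuild_header()`, `cipso_v4_sock_getattr()`, `ip_queue_xmit()`) load `inet->opt` and dereference it without `rcu_read_lock()`. Whether a reader can still hold the old pointer when it is freed therefore depends entirely on socket locking that these hunks do not show. `cipso_v4_req_setattr()` and `cipso_v4_delopt()` free in the same immediate way. State the locking rule for `inet->opt` in a comment at each free, or keep the deferred free.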
-1971,7 +1963,7 @@ int cipso_v4_req_setattr(struct request_sock *req, + unsigned char *buf = NULL; + u32 buf_len; + u32 opt_len; +- struct ip_options_rcu *opt = NULL; ++ struct ip_options *opt = NULL; + struct inet_request_sock *req_inet; + + /* We allocate the maximum CIPSO option size here so we are probably +@@ -1999,16 +1991,15 @@ int cipso_v4_req_setattr(struct request_sock *req, + ret_val = -ENOMEM; + goto req_setattr_failure; + } +- memcpy(opt->opt.__data, buf, buf_len); +- opt->opt.optlen = opt_len; +- opt->opt.cipso = sizeof(struct iphdr); ++ memcpy(opt->__data, buf, buf_len); ++ opt->optlen = opt_len; ++ opt->cipso = sizeof(struct iphdr); + kfree(buf); + buf = NULL; + + req_inet = inet_rsk(req); + opt = xchg(&req_inet->opt, opt); +- if (opt) +- call_rcu(&opt->rcu, opt_kfree_rcu); ++ kfree(opt); + + return 0; + +@@ -2028,34 +2019,34 @@ req_setattr_failure: + * values on failure. + * + */ +-int cipso_v4_delopt(struct ip_options_rcu **opt_ptr) ++int cipso_v4_delopt(struct ip_options **opt_ptr) + { + int hdr_delta = 0; +- struct ip_options_rcu *opt = *opt_ptr; ++ struct ip_options *opt = *opt_ptr; + +- if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) { ++ if (opt->srr || opt->rr || opt->ts || opt->router_alert) { + u8 cipso_len; + u8 cipso_off; + unsigned char *cipso_ptr; + int iter; + int optlen_new; + +- cipso_off = opt->opt.cipso - sizeof(struct iphdr); +- cipso_ptr = &opt->opt.__data[cipso_off]; ++ cipso_off = opt->cipso - sizeof(struct iphdr); ++ cipso_ptr = &opt->__data[cipso_off]; + cipso_len = cipso_ptr[1]; + +- if (opt->opt.srr > opt->opt.cipso) +- opt->opt.srr -= cipso_len; +- if (opt->opt.rr > opt->opt.cipso) +- opt->opt.rr -= cipso_len; +- if (opt->opt.ts > opt->opt.cipso) +- opt->opt.ts -= cipso_len; +- if (opt->opt.router_alert > opt->opt.cipso) +- opt->opt.router_alert -= cipso_len; +- opt->opt.cipso = 0; ++ if (opt->srr > opt->cipso) ++ opt->srr -= cipso_len; ++ if (opt->rr > opt->cipso) ++ opt->rr -= cipso_len; ++ if 
(opt->ts > opt->cipso) ++ opt->ts -= cipso_len; ++ if (opt->router_alert > opt->cipso) ++ opt->router_alert -= cipso_len; ++ opt->cipso = 0; + + memmove(cipso_ptr, cipso_ptr + cipso_len, +- opt->opt.optlen - cipso_off - cipso_len); ++ opt->optlen - cipso_off - cipso_len); + + /* determining the new total option length is tricky because of + * the padding necessary, the only thing i can think to do at +@@ -2064,21 +2055,21 @@ int cipso_v4_delopt(struct ip_options_rcu **opt_ptr) + * from there we can determine the new total option length */ + iter = 0; + optlen_new = 0; +- while (iter < opt->opt.optlen) +- if (opt->opt.__data[iter] != IPOPT_NOP) { +- iter += opt->opt.__data[iter + 1]; ++ while (iter < opt->optlen) ++ if (opt->__data[iter] != IPOPT_NOP) { ++ iter += opt->__data[iter + 1]; + optlen_new = iter; + } else + iter++; +- hdr_delta = opt->opt.optlen; +- opt->opt.optlen = (optlen_new + 3) & ~3; +- hdr_delta -= opt->opt.optlen; ++ hdr_delta = opt->optlen; ++ opt->optlen = (optlen_new + 3) & ~3; ++ hdr_delta -= opt->optlen; + } else { + /* only the cipso option was present on the socket so we can + * remove the entire option struct */ + *opt_ptr = NULL; +- hdr_delta = opt->opt.optlen; +- call_rcu(&opt->rcu, opt_kfree_rcu); ++ hdr_delta = opt->optlen; ++ kfree(opt); + } + + return hdr_delta; +@@ -2095,15 +2086,15 @@ int cipso_v4_delopt(struct ip_options_rcu **opt_ptr) + void cipso_v4_sock_delattr(struct sock *sk) + { + int hdr_delta; +- struct ip_options_rcu *opt; ++ struct ip_options *opt; + struct inet_sock *sk_inet; + + sk_inet = inet_sk(sk); +- opt = sk_inet->inet_opt; +- if (opt == NULL || opt->opt.cipso == 0) ++ opt = sk_inet->opt; ++ if (opt == NULL || opt->cipso == 0) + return; + +- hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt); ++ hdr_delta = cipso_v4_delopt(&sk_inet->opt); + if (sk_inet->is_icsk && hdr_delta > 0) { + struct inet_connection_sock *sk_conn = inet_csk(sk); + sk_conn->icsk_ext_hdr_len -= hdr_delta; +@@ -2121,12 +2112,12 @@ void 
cipso_v4_sock_delattr(struct sock *sk) + */ + void cipso_v4_req_delattr(struct request_sock *req) + { +- struct ip_options_rcu *opt; ++ struct ip_options *opt; + struct inet_request_sock *req_inet; + + req_inet = inet_rsk(req); + opt = req_inet->opt; +- if (opt == NULL || opt->opt.cipso == 0) ++ if (opt == NULL || opt->cipso == 0) + return; + + cipso_v4_delopt(&req_inet->opt); +@@ -2196,18 +2187,14 @@ getattr_return: + */ + int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) + { +- struct ip_options_rcu *opt; +- int res = -ENOMSG; ++ struct ip_options *opt; + +- rcu_read_lock(); +- opt = rcu_dereference(inet_sk(sk)->inet_opt); +- if (opt && opt->opt.cipso) +- res = cipso_v4_getattr(opt->opt.__data + +- opt->opt.cipso - +- sizeof(struct iphdr), +- secattr); +- rcu_read_unlock(); +- return res; ++ opt = inet_sk(sk)->opt; ++ if (opt == NULL || opt->cipso == 0) ++ return -ENOMSG; ++ ++ return cipso_v4_getattr(opt->__data + opt->cipso - sizeof(struct iphdr), ++ secattr); + } + + /** +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 859d781..5bc13fe 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -107,7 +107,8 @@ struct icmp_bxm { + __be32 times[3]; + } data; + int head_len; +- struct ip_options_data replyopts; ++ struct ip_options replyopts; ++ unsigned char optbuf[40]; + }; + + /* An array of errno for error messages from dest unreach. 
*/ +@@ -361,7 +362,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) + struct inet_sock *inet; + __be32 daddr; + +- if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb)) ++ if (ip_options_echo(&icmp_param->replyopts, skb)) + return; + + sk = icmp_xmit_lock(net); +@@ -375,10 +376,10 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) + daddr = ipc.addr = rt->rt_src; + ipc.opt = NULL; + ipc.shtx.flags = 0; +- if (icmp_param->replyopts.opt.opt.optlen) { +- ipc.opt = &icmp_param->replyopts.opt; +- if (ipc.opt->opt.srr) +- daddr = icmp_param->replyopts.opt.opt.faddr; ++ if (icmp_param->replyopts.optlen) { ++ ipc.opt = &icmp_param->replyopts; ++ if (ipc.opt->srr) ++ daddr = icmp_param->replyopts.faddr; + } + { + struct flowi fl = { .nl_u = { .ip4_u = +@@ -515,7 +516,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) + IPTOS_PREC_INTERNETCONTROL) : + iph->tos; + +- if (ip_options_echo(&icmp_param.replyopts.opt.opt, skb_in)) ++ if (ip_options_echo(&icmp_param.replyopts, skb_in)) + goto out_unlock; + + +@@ -531,15 +532,15 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) + icmp_param.offset = skb_network_offset(skb_in); + inet_sk(sk)->tos = tos; + ipc.addr = iph->saddr; +- ipc.opt = &icmp_param.replyopts.opt; ++ ipc.opt = &icmp_param.replyopts; + ipc.shtx.flags = 0; + + { + struct flowi fl = { + .nl_u = { + .ip4_u = { +- .daddr = icmp_param.replyopts.opt.opt.srr ? +- icmp_param.replyopts.opt.opt.faddr : ++ .daddr = icmp_param.replyopts.srr ? 
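Review bot: `struct icmp_bxm` now declares `struct ip_options replyopts;` followed by `unsigned char optbuf[40];`, and `ip_options_echo()` writes the echoed options through `dopt->__data` (visible in the net/ipv4/ip_options.c hunk). If `__data` is the trailing array of `struct ip_options` (its definition is not in this diff), those writes land in `optbuf` only because it is laid out directly after `replyopts`, and nothing in the declaration says so or ties the 40-byte bound to the maximum option length. Add a comment on the member, for example `/* must directly follow replyopts: backing store for replyopts.__data, at most 40 bytes of IP options */`.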
++ icmp_param.replyopts.faddr : + iph->saddr, + .saddr = saddr, + .tos = RT_TOS(tos) +@@ -628,7 +629,7 @@ route_done: + room = dst_mtu(&rt->u.dst); + if (room > 576) + room = 576; +- room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen; ++ room -= sizeof(struct iphdr) + icmp_param.replyopts.optlen; + room -= sizeof(struct icmphdr); + + icmp_param.data_len = skb_in->len - icmp_param.offset; +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index a3bf986..537731b 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -356,11 +356,11 @@ struct dst_entry *inet_csk_route_req(struct sock *sk, + { + struct rtable *rt; + const struct inet_request_sock *ireq = inet_rsk(req); +- struct ip_options_rcu *opt = inet_rsk(req)->opt; ++ struct ip_options *opt = inet_rsk(req)->opt; + struct flowi fl = { .oif = sk->sk_bound_dev_if, + .nl_u = { .ip4_u = +- { .daddr = ((opt && opt->opt.srr) ? +- opt->opt.faddr : ++ { .daddr = ((opt && opt->srr) ? ++ opt->faddr : + ireq->rmt_addr), + .saddr = ireq->loc_addr, + .tos = RT_CONN_FLAGS(sk) } }, +@@ -374,7 +374,7 @@ struct dst_entry *inet_csk_route_req(struct sock *sk, + security_req_classify_flow(req, &fl); + if (ip_route_output_flow(net, &rt, &fl, sk, 0)) + goto no_route; +- if (opt && opt->opt.is_strictroute && rt->rt_dst != rt->rt_gateway) ++ if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway) + goto route_err; + return &rt->u.dst; + +diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c +index 8a95972..94bf105 100644 +--- a/net/ipv4/ip_options.c ++++ b/net/ipv4/ip_options.c +@@ -35,7 +35,7 @@ + * saddr is address of outgoing interface. 
+ */ + +-void ip_options_build(struct sk_buff *skb, struct ip_options *opt, ++void ip_options_build(struct sk_buff * skb, struct ip_options * opt, + __be32 daddr, struct rtable *rt, int is_frag) + { + unsigned char *iph = skb_network_header(skb); +@@ -82,9 +82,9 @@ void ip_options_build(struct sk_buff *skb, struct ip_options *opt, + * NOTE: dopt cannot point to skb. + */ + +-int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb) ++int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb) + { +- const struct ip_options *sopt; ++ struct ip_options *sopt; + unsigned char *sptr, *dptr; + int soffset, doffset; + int optlen; +@@ -94,8 +94,10 @@ int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb) + + sopt = &(IPCB(skb)->opt); + +- if (sopt->optlen == 0) ++ if (sopt->optlen == 0) { ++ dopt->optlen = 0; + return 0; ++ } + + sptr = skb_network_header(skb); + dptr = dopt->__data; +@@ -154,7 +156,7 @@ int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb) + dopt->optlen += optlen; + } + if (sopt->srr) { +- unsigned char *start = sptr+sopt->srr; ++ unsigned char * start = sptr+sopt->srr; + __be32 faddr; + + optlen = start[1]; +@@ -497,19 +499,19 @@ void ip_options_undo(struct ip_options * opt) + } + } + +-static struct ip_options_rcu *ip_options_get_alloc(const int optlen) ++static struct ip_options *ip_options_get_alloc(const int optlen) + { +- return kzalloc(sizeof(struct ip_options_rcu) + ((optlen + 3) & ~3), ++ return kzalloc(sizeof(struct ip_options) + ((optlen + 3) & ~3), + GFP_KERNEL); + } + +-static int ip_options_get_finish(struct net *net, struct ip_options_rcu **optp, +- struct ip_options_rcu *opt, int optlen) ++static int ip_options_get_finish(struct net *net, struct ip_options **optp, ++ struct ip_options *opt, int optlen) + { + while (optlen & 3) +- opt->opt.__data[optlen++] = IPOPT_END; +- opt->opt.optlen = optlen; +- if (optlen && ip_options_compile(net, &opt->opt, NULL)) { ++ opt->__data[optlen++] = IPOPT_END; ++ 
opt->optlen = optlen; ++ if (optlen && ip_options_compile(net, opt, NULL)) { + kfree(opt); + return -EINVAL; + } +@@ -518,29 +520,29 @@ static int ip_options_get_finish(struct net *net, struct ip_options_rcu **optp, + return 0; + } + +-int ip_options_get_from_user(struct net *net, struct ip_options_rcu **optp, ++int ip_options_get_from_user(struct net *net, struct ip_options **optp, + unsigned char __user *data, int optlen) + { +- struct ip_options_rcu *opt = ip_options_get_alloc(optlen); ++ struct ip_options *opt = ip_options_get_alloc(optlen); + + if (!opt) + return -ENOMEM; +- if (optlen && copy_from_user(opt->opt.__data, data, optlen)) { ++ if (optlen && copy_from_user(opt->__data, data, optlen)) { + kfree(opt); + return -EFAULT; + } + return ip_options_get_finish(net, optp, opt, optlen); + } + +-int ip_options_get(struct net *net, struct ip_options_rcu **optp, ++int ip_options_get(struct net *net, struct ip_options **optp, + unsigned char *data, int optlen) + { +- struct ip_options_rcu *opt = ip_options_get_alloc(optlen); ++ struct ip_options *opt = ip_options_get_alloc(optlen); + + if (!opt) + return -ENOMEM; + if (optlen) +- memcpy(opt->opt.__data, data, optlen); ++ memcpy(opt->__data, data, optlen); + return ip_options_get_finish(net, optp, opt, optlen); + } + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 7dde039..44b7910 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -137,14 +137,14 @@ static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst) + * + */ + int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, +- __be32 saddr, __be32 daddr, struct ip_options_rcu *opt) ++ __be32 saddr, __be32 daddr, struct ip_options *opt) + { + struct inet_sock *inet = inet_sk(sk); + struct rtable *rt = skb_rtable(skb); + struct iphdr *iph; + + /* Build the IP header. */ +- skb_push(skb, sizeof(struct iphdr) + (opt ? opt->opt.optlen : 0)); ++ skb_push(skb, sizeof(struct iphdr) + (opt ? 
opt->optlen : 0)); + skb_reset_network_header(skb); + iph = ip_hdr(skb); + iph->version = 4; +@@ -160,9 +160,9 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, + iph->protocol = sk->sk_protocol; + ip_select_ident(iph, &rt->u.dst, sk); + +- if (opt && opt->opt.optlen) { +- iph->ihl += opt->opt.optlen>>2; +- ip_options_build(skb, &opt->opt, daddr, rt, 0); ++ if (opt && opt->optlen) { ++ iph->ihl += opt->optlen>>2; ++ ip_options_build(skb, opt, daddr, rt, 0); + } + + skb->priority = sk->sk_priority; +@@ -312,10 +312,9 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok) + { + struct sock *sk = skb->sk; + struct inet_sock *inet = inet_sk(sk); +- struct ip_options_rcu *inet_opt = NULL; ++ struct ip_options *opt = inet->opt; + struct rtable *rt; + struct iphdr *iph; +- int res; + + /* Skip all of this if the packet is already routed, + * f.e. by something like SCTP. +@@ -326,15 +325,13 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok) + + /* Make sure we can route this packet. */ + rt = (struct rtable *)__sk_dst_check(sk, 0); +- rcu_read_lock(); +- inet_opt = rcu_dereference(inet->inet_opt); + if (rt == NULL) { + __be32 daddr; + + /* Use correct destination address if we have options. */ + daddr = inet->daddr; +- if (inet_opt && inet_opt->opt.srr) +- daddr = inet_opt->opt.faddr; ++ if(opt && opt->srr) ++ daddr = opt->faddr; + + { + struct flowi fl = { .oif = sk->sk_bound_dev_if, +@@ -362,11 +359,11 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok) + skb_dst_set(skb, dst_clone(&rt->u.dst)); + + packet_routed: +- if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_dst != rt->rt_gateway) ++ if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway) + goto no_route; + + /* OK, we know where to send it, allocate and build IP header. */ +- skb_push(skb, sizeof(struct iphdr) + (inet_opt ? inet_opt->opt.optlen : 0)); ++ skb_push(skb, sizeof(struct iphdr) + (opt ? 
opt->optlen : 0)); + skb_reset_network_header(skb); + iph = ip_hdr(skb); + *((__be16 *)iph) = htons((4 << 12) | (5 << 8) | (inet->tos & 0xff)); +@@ -380,9 +377,9 @@ packet_routed: + iph->daddr = rt->rt_dst; + /* Transport layer set skb->h.foo itself. */ + +- if (inet_opt && inet_opt->opt.optlen) { +- iph->ihl += inet_opt->opt.optlen >> 2; +- ip_options_build(skb, &inet_opt->opt, inet->daddr, rt, 0); ++ if (opt && opt->optlen) { ++ iph->ihl += opt->optlen >> 2; ++ ip_options_build(skb, opt, inet->daddr, rt, 0); + } + + ip_select_ident_more(iph, &rt->u.dst, sk, +@@ -390,12 +387,10 @@ packet_routed: + + skb->priority = sk->sk_priority; + skb->mark = sk->sk_mark; +- res = ip_local_out(skb); +- rcu_read_unlock(); +- return res; ++ ++ return ip_local_out(skb); + + no_route: +- rcu_read_unlock(); + IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); + kfree_skb(skb); + return -EHOSTUNREACH; +@@ -814,7 +809,7 @@ int ip_append_data(struct sock *sk, + /* + * setup for corking. + */ +- opt = ipc->opt ? 
&ipc->opt->opt : NULL; ++ opt = ipc->opt; + if (opt) { + if (inet->cork.opt == NULL) { + inet->cork.opt = kmalloc(sizeof(struct ip_options) + 40, sk->sk_allocation); +@@ -1372,23 +1367,26 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar + unsigned int len) + { + struct inet_sock *inet = inet_sk(sk); +- struct ip_options_data replyopts; ++ struct { ++ struct ip_options opt; ++ char data[40]; ++ } replyopts; + struct ipcm_cookie ipc; + __be32 daddr; + struct rtable *rt = skb_rtable(skb); + +- if (ip_options_echo(&replyopts.opt.opt, skb)) ++ if (ip_options_echo(&replyopts.opt, skb)) + return; + + daddr = ipc.addr = rt->rt_src; + ipc.opt = NULL; + ipc.shtx.flags = 0; + +- if (replyopts.opt.opt.optlen) { ++ if (replyopts.opt.optlen) { + ipc.opt = &replyopts.opt; + +- if (replyopts.opt.opt.srr) +- daddr = replyopts.opt.opt.faddr; ++ if (ipc.opt->srr) ++ daddr = replyopts.opt.faddr; + } + + { +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 099e6c3..e982b5c 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -434,11 +434,6 @@ out: + } + + +-static void opt_kfree_rcu(struct rcu_head *head) +-{ +- kfree(container_of(head, struct ip_options_rcu, rcu)); +-} +- + /* + * Socket option code for IP. This is the end of the line after any + * TCP,UDP etc options on an IP socket. 
+@@ -484,15 +479,13 @@ static int do_ip_setsockopt(struct sock *sk, int level, + switch (optname) { + case IP_OPTIONS: + { +- struct ip_options_rcu *old, *opt = NULL; +- ++ struct ip_options *opt = NULL; + if (optlen > 40 || optlen < 0) + goto e_inval; + err = ip_options_get_from_user(sock_net(sk), &opt, + optval, optlen); + if (err) + break; +- old = inet->inet_opt; + if (inet->is_icsk) { + struct inet_connection_sock *icsk = inet_csk(sk); + #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) +@@ -501,18 +494,17 @@ static int do_ip_setsockopt(struct sock *sk, int level, + (TCPF_LISTEN | TCPF_CLOSE)) && + inet->daddr != LOOPBACK4_IPV6)) { + #endif +- if (old) +- icsk->icsk_ext_hdr_len -= old->opt.optlen; ++ if (inet->opt) ++ icsk->icsk_ext_hdr_len -= inet->opt->optlen; + if (opt) +- icsk->icsk_ext_hdr_len += opt->opt.optlen; ++ icsk->icsk_ext_hdr_len += opt->optlen; + icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); + #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) + } + #endif + } +- rcu_assign_pointer(inet->inet_opt, opt); +- if (old) +- call_rcu(&old->rcu, opt_kfree_rcu); ++ opt = xchg(&inet->opt, opt); ++ kfree(opt); + break; + } + case IP_PKTINFO: +@@ -571,7 +563,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, + case IP_TTL: + if (optlen < 1) + goto e_inval; +- if (val != -1 && (val < 1 || val > 255)) ++ if (val != -1 && (val < 0 || val > 255)) + goto e_inval; + inet->uc_ttl = val; + break; +@@ -1040,15 +1032,12 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + case IP_OPTIONS: + { + unsigned char optbuf[sizeof(struct ip_options)+40]; +- struct ip_options *opt = (struct ip_options *)optbuf; +- struct ip_options_rcu *inet_opt; +- +- inet_opt = inet->inet_opt; ++ struct ip_options * opt = (struct ip_options *)optbuf; + opt->optlen = 0; +- if (inet_opt) +- memcpy(optbuf, &inet_opt->opt, +- sizeof(struct ip_options) + +- inet_opt->opt.optlen); ++ if (inet->opt) ++ memcpy(optbuf, inet->opt, ++ sizeof(struct 
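Review bot: In the IP_OPTIONS case of do_ip_setsockopt the previous options block is freed immediately by `opt = xchg(&inet->opt, opt); kfree(opt);`, while the raw_sendmsg and udp_sendmsg hunks of this same patch switch to `ipc.opt = inet->opt` with no private copy and no `rcu_read_lock()`. If a sender can reach that pointer without holding the socket lock (not visible in these hunks), it may dereference memory that was just released. The removed side deferred the free with `call_rcu(&old->rcu, opt_kfree_rcu)` and had the senders copy the options under `rcu_dereference()`. I would keep that scheme, or add a comment beside the `xchg` naming the lock that makes the immediate `kfree` safe. The function body starts and ends outside the hunk.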
ip_options)+ ++ inet->opt->optlen); + release_sock(sk); + + if (opt->optlen == 0) +diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +index c6437d5..1032a15 100644 +--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c ++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +@@ -83,14 +83,6 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, + *dataoff = nhoff + (iph->ihl << 2); + *protonum = iph->protocol; + +- /* Check bogus IP headers */ +- if (*dataoff > skb->len) { +- pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: " +- "nhoff %u, ihl %u, skblen %u\n", +- nhoff, iph->ihl << 2, skb->len); +- return -NF_ACCEPT; +- } +- + return NF_ACCEPT; + } + +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 07ab583..ab996f9 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -459,7 +459,6 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + __be32 saddr; + u8 tos; + int err; +- struct ip_options_data opt_copy; + + err = -EMSGSIZE; + if (len > 0xFFFF) +@@ -520,18 +519,8 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + saddr = ipc.addr; + ipc.addr = daddr; + +- if (!ipc.opt) { +- struct ip_options_rcu *inet_opt; +- +- rcu_read_lock(); +- inet_opt = rcu_dereference(inet->inet_opt); +- if (inet_opt) { +- memcpy(&opt_copy, inet_opt, +- sizeof(*inet_opt) + inet_opt->opt.optlen); +- ipc.opt = &opt_copy.opt; +- } +- rcu_read_unlock(); +- } ++ if (!ipc.opt) ++ ipc.opt = inet->opt; + + if (ipc.opt) { + err = -EINVAL; +@@ -540,10 +529,10 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + */ + if (inet->hdrincl) + goto done; +- if (ipc.opt->opt.srr) { ++ if (ipc.opt->srr) { + if (!daddr) + goto done; +- daddr = ipc.opt->opt.faddr; ++ daddr = ipc.opt->faddr; + } + } + tos = RT_CONN_FLAGS(sk); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index f16d19b..58f141b 100644 +--- a/net/ipv4/route.c ++++ 
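Review bot: ipv4_get_l4proto now returns NF_ACCEPT with `*dataoff = nhoff + (iph->ihl << 2)` never compared against the packet length, so a header whose ihl claims more bytes than the skb holds hands callers an offset beyond the buffer. The guard should stay in front of the return: `if (*dataoff > skb->len) return -NF_ACCEPT;`. Taken together with other hunks in this file (the dropped `msg->msg_namelen = 0;` lines, `kzfree` replaced by `kfree`), the patch reads as if a stable update were applied in reverse, so its direction is worth confirming. The function begins outside the hunk.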
b/net/ipv4/route.c +@@ -1412,7 +1412,7 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw, + dev_hold(rt->u.dst.dev); + if (rt->idev) + in_dev_hold(rt->idev); +- rt->u.dst.obsolete = -1; ++ rt->u.dst.obsolete = 0; + rt->u.dst.lastuse = jiffies; + rt->u.dst.path = &rt->u.dst; + rt->u.dst.neighbour = NULL; +@@ -1477,7 +1477,7 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst) + struct dst_entry *ret = dst; + + if (rt) { +- if (dst->obsolete > 0) { ++ if (dst->obsolete) { + ip_rt_put(rt); + ret = NULL; + } else if ((rt->rt_flags & RTCF_REDIRECTED) || +@@ -1700,9 +1700,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu) + + static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + { +- if (rt_is_expired((struct rtable *)dst)) +- return NULL; +- return dst; ++ return NULL; + } + + static void ipv4_dst_destroy(struct dst_entry *dst) +@@ -1864,8 +1862,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + if (!rth) + goto e_nobufs; + +- rth->u.dst.output = ip_rt_bug; +- rth->u.dst.obsolete = -1; ++ rth->u.dst.output= ip_rt_bug; + + atomic_set(&rth->u.dst.__refcnt, 1); + rth->u.dst.flags= DST_HOST; +@@ -2026,7 +2023,6 @@ static int __mkroute_input(struct sk_buff *skb, + rth->fl.oif = 0; + rth->rt_spec_dst= spec_dst; + +- rth->u.dst.obsolete = -1; + rth->u.dst.input = ip_forward; + rth->u.dst.output = ip_output; + rth->rt_genid = rt_genid(dev_net(rth->u.dst.dev)); +@@ -2191,7 +2187,6 @@ local_input: + goto e_nobufs; + + rth->u.dst.output= ip_rt_bug; +- rth->u.dst.obsolete = -1; + rth->rt_genid = rt_genid(net); + + atomic_set(&rth->u.dst.__refcnt, 1); +@@ -2416,8 +2411,7 @@ static int __mkroute_output(struct rtable **result, + rth->rt_gateway = fl->fl4_dst; + rth->rt_spec_dst= fl->fl4_src; + +- rth->u.dst.output = ip_output; +- rth->u.dst.obsolete = -1; ++ rth->u.dst.output=ip_output; + rth->rt_genid = rt_genid(dev_net(dev_out)); + + RT_CACHE_STAT_INC(out_slow_tot); +@@ 
-2747,7 +2741,6 @@ static int ipv4_dst_blackhole(struct net *net, struct rtable **rp, struct flowi + if (rt) { + struct dst_entry *new = &rt->u.dst; + +- new->obsolete = -1; + atomic_set(&new->__refcnt, 1); + new->__use = 1; + new->input = dst_discard; +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c +index 0a94b64..a6e0e07 100644 +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -309,10 +309,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, + * the ACK carries the same options again (see RFC1122 4.2.3.8) + */ + if (opt && opt->optlen) { +- int opt_size = sizeof(struct ip_options_rcu) + opt->optlen; ++ int opt_size = sizeof(struct ip_options) + opt->optlen; + + ireq->opt = kmalloc(opt_size, GFP_ATOMIC); +- if (ireq->opt != NULL && ip_options_echo(&ireq->opt->opt, skb)) { ++ if (ireq->opt != NULL && ip_options_echo(ireq->opt, skb)) { + kfree(ireq->opt); + ireq->opt = NULL; + } +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 6232462..b9644d8 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -847,7 +847,7 @@ wait_for_memory: + } + + out: +- if (copied && !(flags & MSG_SENDPAGE_NOTLAST)) ++ if (copied) + tcp_push(sk, flags, mss_now, tp->nonagle); + return copied; + +diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c +index c35d91f..1eba160 100644 +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -313,13 +313,11 @@ static void tcp_illinois_info(struct sock *sk, u32 ext, + .tcpv_rttcnt = ca->cnt_rtt, + .tcpv_minrtt = ca->base_rtt, + }; ++ u64 t = ca->sum_rtt; + +- if (info.tcpv_rttcnt > 0) { +- u64 t = ca->sum_rtt; ++ do_div(t, ca->cnt_rtt); ++ info.tcpv_rtt = t; + +- do_div(t, info.tcpv_rttcnt); +- info.tcpv_rtt = t; +- } + nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); + } + } +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index d746d3b3..6a4e832 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -152,7 +152,6 @@ int tcp_v4_connect(struct sock *sk, 
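Review bot: `do_div(t, ca->cnt_rtt)` in tcp_illinois_info is now unconditional, so a diag query that arrives while `cnt_rtt` is 0 (presumably possible before the first RTT sample; not visible here) divides by zero in kernel context. Keep the guard from the removed side: `if (info.tcpv_rttcnt > 0) { do_div(t, info.tcpv_rttcnt); info.tcpv_rtt = t; }`. A one-line comment stating that `tcpv_rtt` stays 0 when no samples exist would document the intent. The function starts outside the hunk.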
struct sockaddr *uaddr, int addr_len) + __be32 daddr, nexthop; + int tmp; + int err; +- struct ip_options_rcu *inet_opt; + + if (addr_len < sizeof(struct sockaddr_in)) + return -EINVAL; +@@ -161,11 +160,10 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + return -EAFNOSUPPORT; + + nexthop = daddr = usin->sin_addr.s_addr; +- inet_opt = inet->inet_opt; +- if (inet_opt && inet_opt->opt.srr) { ++ if (inet->opt && inet->opt->srr) { + if (!daddr) + return -EINVAL; +- nexthop = inet_opt->opt.faddr; ++ nexthop = inet->opt->faddr; + } + + tmp = ip_route_connect(&rt, nexthop, inet->saddr, +@@ -183,7 +181,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + return -ENETUNREACH; + } + +- if (!inet_opt || !inet_opt->opt.srr) ++ if (!inet->opt || !inet->opt->srr) + daddr = rt->rt_dst; + + if (!inet->saddr) +@@ -217,8 +215,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->daddr = daddr; + + inet_csk(sk)->icsk_ext_hdr_len = 0; +- if (inet_opt) +- inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen; ++ if (inet->opt) ++ inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen; + + tp->rx_opt.mss_clamp = 536; + +@@ -804,18 +802,17 @@ static void syn_flood_warning(struct sk_buff *skb) + /* + * Save and compile IPv4 options into the request_sock if needed. 
+ */ +-static struct ip_options_rcu *tcp_v4_save_options(struct sock *sk, +- struct sk_buff *skb) ++static struct ip_options *tcp_v4_save_options(struct sock *sk, ++ struct sk_buff *skb) + { +- const struct ip_options *opt = &(IPCB(skb)->opt); +- struct ip_options_rcu *dopt = NULL; ++ struct ip_options *opt = &(IPCB(skb)->opt); ++ struct ip_options *dopt = NULL; + + if (opt && opt->optlen) { +- int opt_size = sizeof(*dopt) + opt->optlen; +- ++ int opt_size = optlength(opt); + dopt = kmalloc(opt_size, GFP_ATOMIC); + if (dopt) { +- if (ip_options_echo(&dopt->opt, skb)) { ++ if (ip_options_echo(dopt, skb)) { + kfree(dopt); + dopt = NULL; + } +@@ -1365,7 +1362,6 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + #ifdef CONFIG_TCP_MD5SIG + struct tcp_md5sig_key *key; + #endif +- struct ip_options_rcu *inet_opt; + + if (sk_acceptq_is_full(sk)) + goto exit_overflow; +@@ -1386,14 +1382,13 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + newinet->daddr = ireq->rmt_addr; + newinet->rcv_saddr = ireq->loc_addr; + newinet->saddr = ireq->loc_addr; +- inet_opt = ireq->opt; +- rcu_assign_pointer(newinet->inet_opt, inet_opt); ++ newinet->opt = ireq->opt; + ireq->opt = NULL; + newinet->mc_index = inet_iif(skb); + newinet->mc_ttl = ip_hdr(skb)->ttl; + inet_csk(newsk)->icsk_ext_hdr_len = 0; +- if (inet_opt) +- inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen; ++ if (newinet->opt) ++ inet_csk(newsk)->icsk_ext_hdr_len = newinet->opt->optlen; + newinet->id = newtp->write_seq ^ jiffies; + + tcp_mtup_init(newsk); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 38a23e4..af83bdf 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1391,11 +1391,8 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb) + goto send_now; + } + +- /* Ok, it looks like it is advisable to defer. +- * Do not rearm the timer if already set to not break TCP ACK clocking. 
+- */ +- if (!tp->tso_deferred) +- tp->tso_deferred = 1 | (jiffies << 1); ++ /* Ok, it looks like it is advisable to defer. */ ++ tp->tso_deferred = 1 | (jiffies << 1); + + return 1; + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index af559e0..8e28770 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -592,7 +592,6 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + int err, is_udplite = IS_UDPLITE(sk); + int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); +- struct ip_options_data opt_copy; + + if (len > 0xFFFF) + return -EMSGSIZE; +@@ -664,32 +663,22 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + free = 1; + connected = 0; + } +- if (!ipc.opt) { +- struct ip_options_rcu *inet_opt; +- +- rcu_read_lock(); +- inet_opt = rcu_dereference(inet->inet_opt); +- if (inet_opt) { +- memcpy(&opt_copy, inet_opt, +- sizeof(*inet_opt) + inet_opt->opt.optlen); +- ipc.opt = &opt_copy.opt; +- } +- rcu_read_unlock(); +- } ++ if (!ipc.opt) ++ ipc.opt = inet->opt; + + saddr = ipc.addr; + ipc.addr = faddr = daddr; + +- if (ipc.opt && ipc.opt->opt.srr) { ++ if (ipc.opt && ipc.opt->srr) { + if (!daddr) + return -EINVAL; +- faddr = ipc.opt->opt.faddr; ++ faddr = ipc.opt->faddr; + connected = 0; + } + tos = RT_TOS(inet->tos); + if (sock_flag(sk, SOCK_LOCALROUTE) || + (msg->msg_flags & MSG_DONTROUTE) || +- (ipc.opt && ipc.opt->opt.is_strictroute)) { ++ (ipc.opt && ipc.opt->is_strictroute)) { + tos |= RTO_ONLINK; + connected = 0; + } +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 835590d..e127a32 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -1073,8 +1073,6 @@ static int __init inet6_init(void) + goto out; + } + +- initialize_hashidentrnd(); +- + err = proto_register(&tcpv6_prot, 1); + if (err) + goto out; +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 6ba0fe2..9ad5792 100644 +--- a/net/ipv6/ip6_output.c 
++++ b/net/ipv6/ip6_output.c +@@ -604,35 +604,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + return offset; + } + +-static u32 hashidentrnd __read_mostly; +-#define FID_HASH_SZ 16 +-static u32 ipv6_fragmentation_id[FID_HASH_SZ]; +- +-void __init initialize_hashidentrnd(void) +-{ +- get_random_bytes(&hashidentrnd, sizeof(hashidentrnd)); +-} +- +-static u32 __ipv6_select_ident(const struct in6_addr *addr) +-{ +- u32 newid, oldid, hash = jhash2((u32 *)addr, 4, hashidentrnd); +- u32 *pid = &ipv6_fragmentation_id[hash % FID_HASH_SZ]; +- +- do { +- oldid = *pid; +- newid = oldid + 1; +- if (!(hash + newid)) +- newid++; +- } while (cmpxchg(pid, oldid, newid) != oldid); +- +- return hash + newid; +-} +- +-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) +-{ +- fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr)); +-} +- + static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) + { + struct sk_buff *frag; +@@ -718,7 +689,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) + skb_reset_network_header(skb); + memcpy(skb_network_header(skb), tmp_hdr, hlen); + +- ipv6_select_ident(fh, rt); ++ ipv6_select_ident(fh); + fh->nexthdr = nexthdr; + fh->reserved = 0; + fh->frag_off = htons(IP6_MF); +@@ -864,7 +835,7 @@ slow_path: + fh->nexthdr = nexthdr; + fh->reserved = 0; + if (!frag_id) { +- ipv6_select_ident(fh, rt); ++ ipv6_select_ident(fh); + frag_id = fh->identification; + } else + fh->identification = frag_id; +@@ -1068,8 +1039,7 @@ static inline int ip6_ufo_append_data(struct sock *sk, + int getfrag(void *from, char *to, int offset, int len, + int odd, struct sk_buff *skb), + void *from, int length, int hh_len, int fragheaderlen, +- int transhdrlen, int mtu,unsigned int flags, +- struct rt6_info *rt) ++ int transhdrlen, int mtu,unsigned int flags) + + { + struct sk_buff *skb; +@@ -1114,7 +1084,7 @@ static inline int ip6_ufo_append_data(struct sock *sk, + 
skb_shinfo(skb)->gso_size = (mtu - fragheaderlen - + sizeof(struct frag_hdr)) & ~7; + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; +- ipv6_select_ident(&fhdr, rt); ++ ipv6_select_ident(&fhdr); + skb_shinfo(skb)->ip6_frag_id = fhdr.identification; + __skb_queue_tail(&sk->sk_write_queue, skb); + +@@ -1263,7 +1233,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + + err = ip6_ufo_append_data(sk, getfrag, from, length, hh_len, + fragheaderlen, transhdrlen, mtu, +- flags, rt); ++ flags); + if (err) + goto error; + return 0; +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index 105de22..4d18699 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -148,6 +148,16 @@ int ip6_frag_match(struct inet_frag_queue *q, void *a) + } + EXPORT_SYMBOL(ip6_frag_match); + ++/* Memory Tracking Functions. */ ++static inline void frag_kfree_skb(struct netns_frags *nf, ++ struct sk_buff *skb, int *work) ++{ ++ if (work) ++ *work -= skb->truesize; ++ atomic_sub(skb->truesize, &nf->mem); ++ kfree_skb(skb); ++} ++ + void ip6_frag_init(struct inet_frag_queue *q, void *a) + { + struct frag_queue *fq = container_of(q, struct frag_queue, q); +@@ -338,22 +348,58 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, + prev = next; + } + +- /* RFC5722, Section 4: +- * When reassembling an IPv6 datagram, if +- * one or more its constituent fragments is determined to be an +- * overlapping fragment, the entire datagram (and any constituent +- * fragments, including those not yet received) MUST be silently +- * discarded. ++ /* We found where to put this one. Check for overlap with ++ * preceding fragment, and, if needed, align things so that ++ * any overlaps are eliminated. + */ ++ if (prev) { ++ int i = (FRAG6_CB(prev)->offset + prev->len) - offset; + +- /* Check for overlap with preceding fragment. 
*/ +- if (prev && +- (FRAG6_CB(prev)->offset + prev->len) - offset > 0) +- goto discard_fq; ++ if (i > 0) { ++ offset += i; ++ if (end <= offset) ++ goto err; ++ if (!pskb_pull(skb, i)) ++ goto err; ++ if (skb->ip_summed != CHECKSUM_UNNECESSARY) ++ skb->ip_summed = CHECKSUM_NONE; ++ } ++ } + +- /* Look for overlap with succeeding segment. */ +- if (next && FRAG6_CB(next)->offset < end) +- goto discard_fq; ++ /* Look for overlap with succeeding segments. ++ * If we can merge fragments, do it. ++ */ ++ while (next && FRAG6_CB(next)->offset < end) { ++ int i = end - FRAG6_CB(next)->offset; /* overlap is 'i' bytes */ ++ ++ if (i < next->len) { ++ /* Eat head of the next overlapped fragment ++ * and leave the loop. The next ones cannot overlap. ++ */ ++ if (!pskb_pull(next, i)) ++ goto err; ++ FRAG6_CB(next)->offset += i; /* next fragment */ ++ fq->q.meat -= i; ++ if (next->ip_summed != CHECKSUM_UNNECESSARY) ++ next->ip_summed = CHECKSUM_NONE; ++ break; ++ } else { ++ struct sk_buff *free_it = next; ++ ++ /* Old fragment is completely overridden with ++ * new one drop it. ++ */ ++ next = next->next; ++ ++ if (prev) ++ prev->next = next; ++ else ++ fq->q.fragments = next; ++ ++ fq->q.meat -= free_it->len; ++ frag_kfree_skb(fq->q.net, free_it, NULL); ++ } ++ } + + FRAG6_CB(skb)->offset = offset; + +@@ -390,8 +436,6 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, + write_unlock(&ip6_frags.lock); + return -1; + +-discard_fq: +- fq_kill(fq); + err: + IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), + IPSTATS_MIB_REASMFAILS); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 1b25191..faae6df 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1391,7 +1391,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + + First: no IPv4 options. 
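Review bot: Overlapping IPv6 fragments are now trimmed and merged in ip6_frag_queue (`pskb_pull(skb, i)` and the `while (next && FRAG6_CB(next)->offset < end)` loop) instead of discarding the whole queue, which is what the deleted RFC5722 Section 4 comment required. Tolerating overlaps means this host and an inspecting device in front of it can reassemble the same fragments differently. I would keep the two overlap tests ending in `goto discard_fq;` and the `discard_fq: fq_kill(fq);` label that the @@ -390,8 hunk removes. The function starts and ends outside both hunks.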
+ */ +- newinet->inet_opt = NULL; ++ newinet->opt = NULL; + newnp->ipv6_fl_list = NULL; + + /* Clone RX bits */ +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index d8c0374..9cc6289 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1162,7 +1162,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, int features) + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); ++ ipv6_select_ident(fptr); + + /* Fragment the skb. ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index bfb325d..476b24e 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1338,8 +1338,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, + if ((err = sock_error(sk)) < 0) + return err; + +- msg->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); + if (!skb) +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index f605b23..bada1b9 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1160,8 +1160,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + struct sk_buff *skb, *rskb, *cskb; + int err = 0; + +- msg->msg_namelen = 0; +- + if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) && + skb_queue_empty(&iucv->backlog_skb_q) && + skb_queue_empty(&sk->sk_receive_queue) && +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 8a814a5..2da8d14 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -674,8 +674,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, + int target; /* Read at least this many bytes */ + long timeo; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + copied = -ENOTCONN; + if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) +@@ -914,13 +912,14 @@ static int 
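Review bot: irda_recvmsg_dgram no longer resets `msg->msg_namelen = 0;` before receiving, and the same line is dropped from iucv_sock_recvmsg, llc_ui_recvmsg and rds_recvmsg in the following hunks (rds also loses `msg->msg_namelen = sizeof(*sin);`). These hunks show no replacement assignment, so unless the generic socket layer initialises the field (not visible here), the caller may copy address bytes the protocol never wrote back to user space. Restore `msg->msg_namelen = 0;` at the top of each handler. Each function continues outside its hunk.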
llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, + struct sockaddr_llc sllc; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- int rc = -EBADF; ++ int rc = 0; + + memset(&sllc, 0, sizeof(sllc)); + lock_sock(sk); + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + *uaddrlen = sizeof(sllc); ++ memset(uaddr, 0, *uaddrlen); + if (peer) { + rc = -ENOTCONN; + if (sk->sk_state != TCP_ESTABLISHED) +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 9bcd972..02b2610 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2455,7 +2455,6 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + { + struct ip_vs_timeout_user t; + +- memset(&t, 0, sizeof(t)); + __ip_vs_get_timeouts(&t); + if (copy_to_user(user, &t, sizeof(t)) != 0) + ret = -EFAULT; +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index 5be9140..30b3189 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -64,15 +64,6 @@ __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos, u32 cookie) + return dst; + } + +-static inline bool +-__mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu) +-{ +- if (skb->len > mtu && !skb_is_gso(skb)) { +- return true; /* Packet size violate MTU size */ +- } +- return false; +-} +- + static struct rtable * + __ip_vs_get_out_rt(struct ip_vs_conn *cp, u32 rtos) + { +@@ -254,8 +245,7 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) && +- !skb_is_gso(skb)) { ++ if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) { + ip_rt_put(rt); + icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu)); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -319,7 +309,7 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if 
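Review bot: `struct ip_vs_timeout_user t` in do_ip_vs_get_ctl now reaches `copy_to_user(user, &t, sizeof(t))` without the preceding `memset(&t, 0, sizeof(t));`. Whether `__ip_vs_get_timeouts()` writes every member is not visible here; any member or padding it leaves untouched would carry kernel stack contents to user space. Keep the memset directly before the `__ip_vs_get_timeouts(&t)` call.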
(__mtu_check_toobig_v6(skb, mtu)) { ++ if (skb->len > mtu) { + dst_release(&rt->u.dst); + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -386,7 +376,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) && !skb_is_gso(skb)) { ++ if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) { + ip_rt_put(rt); + icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu)); + IP_VS_DBG_RL_PKT(0, pp, skb, 0, "ip_vs_nat_xmit(): frag needed for"); +@@ -462,7 +452,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if (__mtu_check_toobig_v6(skb, mtu)) { ++ if (skb->len > mtu) { + dst_release(&rt->u.dst); + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev); + IP_VS_DBG_RL_PKT(0, pp, skb, 0, +@@ -571,8 +561,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + + df |= (old_iph->frag_off & htons(IP_DF)); + +- if ((old_iph->frag_off & htons(IP_DF) && +- mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb))) { ++ if ((old_iph->frag_off & htons(IP_DF)) ++ && mtu < ntohs(old_iph->tot_len)) { + icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu)); + ip_rt_put(rt); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -681,8 +671,7 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + if (skb_dst(skb)) + skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu); + +- /* MTU checking: Notice that 'mtu' have been adjusted before hand */ +- if (__mtu_check_toobig_v6(skb, mtu)) { ++ if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) { + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev); + dst_release(&rt->u.dst); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -771,7 +760,7 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- 
if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu && !skb_is_gso(skb)) { ++ if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) { + icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu)); + ip_rt_put(rt); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -824,7 +813,7 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if (__mtu_check_toobig_v6(skb, mtu)) { ++ if (skb->len > mtu) { + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev); + dst_release(&rt->u.dst); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -899,7 +888,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF)) && !skb_is_gso(skb)) { ++ if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) { + ip_rt_put(rt); + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +@@ -974,7 +963,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, + + /* MTU checking */ + mtu = dst_mtu(&rt->u.dst); +- if (__mtu_check_toobig_v6(skb, mtu)) { ++ if (skb->len > mtu) { + dst_release(&rt->u.dst); + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev); + IP_VS_DBG_RL("%s(): frag needed\n", __func__); +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 728c080..35cfa79 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -828,6 +828,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb) + + if (likely(po->tx_ring.pg_vec)) { + ph = skb_shinfo(skb)->destructor_arg; ++ BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING); + BUG_ON(atomic_read(&po->tx_ring.pending) == 0); + atomic_dec(&po->tx_ring.pending); + __packet_set_status(po, ph, TP_STATUS_AVAILABLE); +diff --git a/net/rds/recv.c b/net/rds/recv.c +index c45a881c..6a2654a 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -410,8 
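Review bot: `BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);` in tpacket_destruct_skb asserts on a status word read back from the tx ring frame. If that frame lives in memory the socket owner can write (the ring is normally mmap()ed; not shown in this hunk), a process can change the status while the skb is in flight and halt the kernel from user space. I would drop the assertion and let the following `__packet_set_status(po, ph, TP_STATUS_AVAILABLE)` overwrite whatever is there. The function continues outside the hunk.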
+410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
+
+- msg->msg_namelen = 0;
+-
+ if (msg_flags & MSG_OOB)
+ goto out;
+
+@@ -488,7 +486,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ sin->sin_port = inc->i_hdr.h_sport;
+ sin->sin_addr.s_addr = inc->i_saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+- msg->msg_namelen = sizeof(*sin);
+ }
+ break;
+ }
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 2984999..523efbb 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1275,7 +1275,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
+- memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
+diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
+index faebd8a..f9fc6ec 100644
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -67,9 +67,6 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
+ struct tcf_common *pc;
+ int ret = 0;
+ int err;
+-#ifdef CONFIG_GACT_PROB
+- struct tc_gact_p *p_parm = NULL;
+-#endif
+
+ if (nla == NULL)
+ return -EINVAL;
+@@ -85,12 +82,6 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
+ #ifndef CONFIG_GACT_PROB
+ if (tb[TCA_GACT_PROB] != NULL)
+ return -EOPNOTSUPP;
+-#else
+- if (tb[TCA_GACT_PROB]) {
+- p_parm = nla_data(tb[TCA_GACT_PROB]);
+- if (p_parm->ptype >= MAX_RAND)
+- return -EINVAL;
+- }
+ #endif
+
+ pc = tcf_hash_check(parm->index, a, bind, &gact_hash_info);
+@@ -112,7 +103,8 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
+ spin_lock_bh(&gact->tcf_lock);
+ gact->tcf_action = parm->action;
+ #ifdef CONFIG_GACT_PROB
+- if (p_parm) {
++ if (tb[TCA_GACT_PROB] != NULL) {
++ struct tc_gact_p *p_parm =
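Review bot: With `msg->msg_namelen = 0;` gone from the top of rds_recvmsg(), the early `goto out` paths (the MSG_OOB one is visible here) return without ever writing the length, and the second hunk also drops `msg->msg_namelen = sizeof(*sin);` after the address has been filled in. Whatever the socket layer copies back to user space as the peer address is then sized by a value this function never set, presumably the caller's initial one (the caller is outside these hunks), which is the usual shape of a kernel stack disclosure. Both assignments should stay. The same concern applies to rose_recvmsg(), which loses `memset(srose, 0, msg->msg_namelen);` before the struct is only partly filled, and to the net/tipc/socket.c hunks further down, where recv_msg() and recv_stream() lose `m->msg_namelen = 0;` and set_orig_addr() loses `memset(&addr->addr, 0, sizeof(addr->addr));`.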
nla_data(tb[TCA_GACT_PROB]);
+ gact->tcfg_paction = p_parm->paction;
+ gact->tcfg_pval = p_parm->pval;
+ gact->tcfg_ptype = p_parm->ptype;
+@@ -140,7 +132,7 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
+
+ spin_lock(&gact->tcf_lock);
+ #ifdef CONFIG_GACT_PROB
+- if (gact->tcfg_ptype)
++ if (gact->tcfg_ptype && gact_rand[gact->tcfg_ptype] != NULL)
+ action = gact_rand[gact->tcfg_ptype](gact);
+ else
+ action = gact->tcf_action;
+diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
+index 2f074d6..85acab9 100644
+--- a/net/sched/sch_htb.c
++++ b/net/sched/sch_htb.c
+@@ -865,7 +865,7 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
+ q->now = psched_get_time();
+ start_at = jiffies;
+
+- next_event = q->now + 5LLU * PSCHED_TICKS_PER_SEC;
++ next_event = q->now + 5 * PSCHED_TICKS_PER_SEC;
+
+ for (level = 0; level < TC_HTB_MAXDEPTH; level++) {
+ /* common case optimization - skip event handler quickly */
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 7363b9f..914c419 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -70,7 +70,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
+ return;
+
+ if (atomic_dec_and_test(&key->refcnt)) {
+- kzfree(key);
++ kfree(key);
+ SCTP_DBG_OBJCNT_DEC(keys);
+ }
+ }
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index b29621d..acf7c4d 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -272,7 +272,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ goto errout;
+ err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+ if (err < 0)
+- goto errout_chunk_free;
++ goto errout;
+
+ offset += len;
+
+@@ -308,7 +308,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
+ - (__u8 *)chunk->skb->data);
+ if (err < 0)
+- goto errout_chunk_free;
++ goto errout;
+
+ sctp_datamsg_assign(msg, chunk);
+ list_add_tail(&chunk->frag_list, &msg->chunks);
+@@ -316,9
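Review bot: After the act_gact.c hunks nothing bounds `ptype` before it is used as an array index: tcf_gact_init() no longer rejects `p_parm->ptype >= MAX_RAND`, and the replacement test in tcf_gact(), `gact_rand[gact->tcfg_ptype] != NULL`, already reads the table at the unchecked index. The value is taken from the TCA_GACT_PROB netlink attribute, so a configuration request can leave the packet path reading, and then calling through, a slot past the end of `gact_rand`. The range check belongs at configuration time, `if (p_parm->ptype >= MAX_RAND) return -EINVAL;` before `spin_lock_bh()` is taken, after which a plain `if (gact->tcfg_ptype)` in tcf_gact() is enough. Both function bodies extend beyond the hunks.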
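Review bot: `kfree(key)` in sctp_auth_key_put() releases the SCTP-AUTH key bytes without clearing them, where the removed `kzfree(key)` zeroed the buffer first, so the secret stays readable in freed slab memory until something overwrites it. The same weakening appears in net/sctp/socket.c, where sctp_setsockopt_auth_key() goes from `kzfree(authkey)` to `kfree(authkey)`, and in sctp_endpoint_destroy(), which loses the loop that wiped `ep->secret_key[i]`. I would keep `kzfree()` on both key buffers and keep the `memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);` loop.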
+316,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+
+ return msg;
+
+-errout_chunk_free:
+- sctp_chunk_free(chunk);
+-
+ errout:
+ list_for_each_safe(pos, temp, &msg->chunks) {
+ list_del_init(pos);
+diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
+index ca48660..905fda5 100644
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -249,8 +249,6 @@ void sctp_endpoint_free(struct sctp_endpoint *ep)
+ /* Final destructor for endpoint. */
+ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
+ {
+- int i;
+-
+ SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
+
+ /* Free up the HMAC transform. */
+@@ -273,9 +271,6 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
+ sctp_inq_free(&ep->base.inqueue);
+ sctp_bind_addr_free(&ep->base.bind_addr);
+
+- for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i)
+- memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);
+-
+ /* Remove and free the port */
+ if (sctp_sk(ep->base.sk)->bind_hash)
+ sctp_put_port(ep->base.sk);
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 26ffae2..1f9843e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -3271,7 +3271,7 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
+
+ ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
+ out:
+- kzfree(authkey);
++ kfree(authkey);
+ return ret;
+ }
+
+diff --git a/net/socket.c b/net/socket.c
+index bf9fc68..d449812 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -732,9 +732,9 @@ static ssize_t sock_sendpage(struct file *file, struct page *page,
+
+ sock = file->private_data;
+
+- flags = (file->f_flags & O_NONBLOCK) ? MSG_DONTWAIT : 0;
+- /* more is a combination of MSG_MORE and MSG_SENDPAGE_NOTLAST */
+- flags |= more;
++ flags = !(file->f_flags & O_NONBLOCK) ?
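Review bot: Both error branches in sctp_datamsg_from_user() now jump to `errout` while still holding a chunk that is not on `msg->chunks` yet (in the second hunk `list_add_tail(&chunk->frag_list, &msg->chunks)` visibly comes after the check), and the third hunk deletes the `errout_chunk_free:` label that called `sctp_chunk_free(chunk)`. The list walk under `errout` cannot reach that chunk, so every failed `sctp_user_addto_chunk()`, which works on the sender's iovec, leaks one chunk, and repeated failing sends add up to memory exhaustion. Keep `goto errout_chunk_free;` in both places together with the label. The chunk allocation is outside the hunks, so confirm nothing else owns the chunk at that point.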
0 : MSG_DONTWAIT;
++ if (more)
++ flags |= MSG_MORE;
+
+ return kernel_sendpage(sock, page, offset, size, flags);
+ }
+diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
+index 43aa601..ea1e6de 100644
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -459,7 +459,7 @@ static int __rpc_create_common(struct inode *dir, struct dentry *dentry,
+ {
+ struct inode *inode;
+
+- d_drop(dentry);
++ BUG_ON(!d_unhashed(dentry));
+ inode = rpc_get_inode(dir->i_sb, mode);
+ if (!inode)
+ goto out_err;
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index eccb86b..8ebf4975 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -800,7 +800,6 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ if (addr) {
+ addr->family = AF_TIPC;
+ addr->addrtype = TIPC_ADDR_ID;
+- memset(&addr->addr, 0, sizeof(addr->addr));
+ addr->addr.id.ref = msg_origport(msg);
+ addr->addr.id.node = msg_orignode(msg);
+ addr->addr.name.domain = 0; /* could leave uninitialized */
+@@ -917,9 +916,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
+- /* will be updated in set_orig_addr() if needed */
+- m->msg_namelen = 0;
+-
+ restart:
+
+ /* Look for a message in receive queue; wait if necessary */
+@@ -1053,9 +1049,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
+- /* will be updated in set_orig_addr() if needed */
+- m->msg_namelen = 0;
+-
+ restart:
+
+ /* Look for a message in receive queue; wait if necessary */
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index d146b76..db8d51a 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -370,7 +370,7 @@ static void unix_sock_destructor(struct sock *sk)
+ #endif
+ }
+
+-static void unix_release_sock(struct sock *sk, int embrion)
++static int unix_release_sock(struct sock *sk, int embrion)
+ {
+ struct unix_sock *u = unix_sk(sk);
+ struct dentry *dentry;
+@@ -445,6 +445,8 @@ static void unix_release_sock(struct sock *sk,
int embrion)
+
+ if (unix_tot_inflight)
+ unix_gc(); /* Garbage collect fds */
++
++ return 0;
+ }
+
+ static int unix_listen(struct socket *sock, int backlog)
+@@ -658,10 +660,9 @@ static int unix_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
+- unix_release_sock(sk, 0);
+ sock->sk = NULL;
+
+- return 0;
++ return unix_release_sock(sk, 0);
+ }
+
+ static int unix_autobind(struct socket *sock)
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 06f42f6..b95a2d6 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -506,7 +506,6 @@ out:
+
+ static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+ {
+- memset(p, 0, sizeof(*p));
+ memcpy(&p->id, &x->id, sizeof(p->id));
+ memcpy(&p->sel, &x->sel, sizeof(p->sel));
+ memcpy(&p->lft, &x->lft, sizeof(p->lft));
+@@ -647,7 +646,6 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+ {
+ struct xfrm_dump_info info;
+ struct sk_buff *skb;
+- int err;
+
+ skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+ if (!skb)
+@@ -658,10 +656,9 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+ info.nlmsg_seq = seq;
+ info.nlmsg_flags = 0;
+
+- err = dump_one_state(x, 0, &info);
+- if (err) {
++ if (dump_one_state(x, 0, &info)) {
+ kfree_skb(skb);
+- return ERR_PTR(err);
++ return NULL;
+ }
+
+ return skb;
+@@ -1078,7 +1075,6 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
+
+ static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
+ {
+- memset(p, 0, sizeof(*p));
+ memcpy(&p->sel, &xp->selector, sizeof(p->sel));
+ memcpy(&p->lft, &xp->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
+@@ -1180,7 +1176,6 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+ struct xfrm_user_tmpl *up = &vec[i];
+ struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+
+- memset(up, 0, sizeof(*up));
+ memcpy(&up->id, &kp->id, sizeof(up->id));
+
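Review bot: copy_to_user_state() fills `*p` field by field once `memset(p, 0, sizeof(*p));` is gone, so any padding or member the memcpy()/assignment sequence does not touch keeps whatever was already in the destination buffer. These structures appear to be netlink payloads handed to user space, so unless the caller clears the buffer (not visible here) stale kernel memory is sent along with them. copy_to_user_policy() and copy_to_user_tmpl() lose the same `memset()` in the later hunks of this file, and all three should keep it. The function bodies continue past the hunks.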
up->family = kp->encap_family;
+ memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
+@@ -1306,7 +1301,6 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ {
+ struct xfrm_dump_info info;
+ struct sk_buff *skb;
+- int err;
+
+ skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!skb)
+@@ -1317,10 +1311,9 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ info.nlmsg_seq = seq;
+ info.nlmsg_flags = 0;
+
+- err = dump_one_policy(xp, dir, 0, &info);
+- if (err) {
++ if (dump_one_policy(xp, dir, 0, &info) < 0) {
+ kfree_skb(skb);
+- return ERR_PTR(err);
++ return NULL;
+ }
+
+ return skb;
+diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
+index 5405ff17..92b62a8 100644
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -94,24 +94,24 @@ try-run = $(shell set -e; \
+ # Usage: cflags-y += $(call as-option,-Wa$(comma)-isa=foo,)
+
+ as-option = $(call try-run,\
+- $(CC) $(KBUILD_CFLAGS) $(1) -c -x assembler /dev/null -o "$$TMP",$(1),$(2))
++ $(CC) $(KBUILD_CFLAGS) $(1) -c -xassembler /dev/null -o "$$TMP",$(1),$(2))
+
+ # as-instr
+ # Usage: cflags-y += $(call as-instr,instr,option1,option2)
+
+ as-instr = $(call try-run,\
+- /bin/echo -e "$(1)" | $(CC) $(KBUILD_AFLAGS) -c -x assembler -o "$$TMP" -,$(2),$(3))
++ /bin/echo -e "$(1)" | $(CC) $(KBUILD_AFLAGS) -c -xassembler -o "$$TMP" -,$(2),$(3))
+
+ # cc-option
+ # Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586)
+
+ cc-option = $(call try-run,\
+- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2))
++ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",$(1),$(2))
+
+ # cc-option-yn
+ # Usage: flag := $(call cc-option-yn,-march=winchip-c6)
+ cc-option-yn = $(call try-run,\
+- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",y,n)
++ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",y,n)
+
+ # cc-option-align
+ # Prefix align with
either -falign or -malign
+@@ -121,7 +121,7 @@ cc-option-align = $(subst -functions=0,,\
+ # cc-disable-warning
+ # Usage: cflags-y += $(call cc-disable-warning,unused-but-set-variable)
+ cc-disable-warning = $(call try-run,\
+- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1)))
++ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -W$(strip $(1)) -c -xc /dev/null -o "$$TMP",-Wno-$(strip $(1)))
+
+ # cc-version
+ # Usage gcc-ver := $(call cc-version)
+@@ -139,7 +139,7 @@ cc-ifversion = $(shell [ $(call cc-version, $(CC)) $(1) $(2) ] && echo $(3))
+ # cc-ldoption
+ # Usage: ldflags += $(call cc-ldoption, -Wl$(comma)--hash-style=both)
+ cc-ldoption = $(call try-run,\
+- $(CC) $(1) -nostdlib -x c /dev/null -o "$$TMP",$(1),$(2))
++ $(CC) $(1) -nostdlib -xc /dev/null -o "$$TMP",$(1),$(2))
+
+ # ld-option
+ # Usage: LDFLAGS += $(call ld-option, -X)
+diff --git a/scripts/gcc-version.sh b/scripts/gcc-version.sh
+index 7f2126d..debecb5 100644
+--- a/scripts/gcc-version.sh
++++ b/scripts/gcc-version.sh
+@@ -22,10 +22,10 @@ if [ ${#compiler} -eq 0 ]; then
+ exit 1
+ fi
+
+-MAJOR=$(echo __GNUC__ | $compiler -E -x c - | tail -n 1)
+-MINOR=$(echo __GNUC_MINOR__ | $compiler -E -x c - | tail -n 1)
++MAJOR=$(echo __GNUC__ | $compiler -E -xc - | tail -n 1)
++MINOR=$(echo __GNUC_MINOR__ | $compiler -E -xc - | tail -n 1)
+ if [ "x$with_patchlevel" != "x" ] ; then
+- PATCHLEVEL=$(echo __GNUC_PATCHLEVEL__ | $compiler -E -x c - | tail -n 1)
++ PATCHLEVEL=$(echo __GNUC_PATCHLEVEL__ | $compiler -E -xc - | tail -n 1)
+ printf "%02d%02d%02d\\n" $MAJOR $MINOR $PATCHLEVEL
+ else
+ printf "%02d%02d\\n" $MAJOR $MINOR
+diff --git a/scripts/gcc-x86_32-has-stack-protector.sh b/scripts/gcc-x86_32-has-stack-protector.sh
+index 12dbd0b..29493dc 100644
+--- a/scripts/gcc-x86_32-has-stack-protector.sh
++++ b/scripts/gcc-x86_32-has-stack-protector.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+
+-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0
-fstack-protector - -o - 2> /dev/null | grep -q "%gs"
++echo "int foo(void) { char X[200]; return 3; }" | $* -S -xc -c -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
+ if [ "$?" -eq "0" ] ; then
+ echo y
+ else
+diff --git a/scripts/gcc-x86_64-has-stack-protector.sh b/scripts/gcc-x86_64-has-stack-protector.sh
+index 973e8c1..afaec61 100644
+--- a/scripts/gcc-x86_64-has-stack-protector.sh
++++ b/scripts/gcc-x86_64-has-stack-protector.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+
+-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -mcmodel=kernel -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
++echo "int foo(void) { char X[200]; return 3; }" | $* -S -xc -c -O0 -mcmodel=kernel -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
+ if [ "$?" -eq "0" ] ; then
+ echo y
+ else
+diff --git a/scripts/kconfig/check.sh b/scripts/kconfig/check.sh
+index 854d9c7..fa59cbf 100755
+--- a/scripts/kconfig/check.sh
++++ b/scripts/kconfig/check.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ # Needed for systems without gettext
+-$* -x c -o /dev/null - > /dev/null 2>&1 << EOF
++$* -xc -o /dev/null - > /dev/null 2>&1 << EOF
+ #include <libintl.h>
+ int main()
+ {
+diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
+index 4bab9e2..fcef0f5 100644
+--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
++++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
+@@ -36,7 +36,7 @@ trap "rm -f $tmp" 0 1 2 3 15
+
+ # Check if we can link to ncurses
+ check() {
+- $cc -x c - -o $tmp 2>/dev/null <<'EOF'
++ $cc -xc - -o $tmp 2>/dev/null <<'EOF'
+ #include CURSES_LOC
+ main() {}
+ EOF
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 75fb18c..931cfda 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -56,7 +56,7 @@ int install_user_keyrings(void)
+
+ kenter("%p{%u}", user, user->uid);
+
+- if (user->uid_keyring && user->session_keyring) {
++ if (user->uid_keyring) {
+ kleave(" = 0
[exist]");
+ return 0;
+ }
+diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c
+index c2ec4ef..f745c31 100644
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -291,10 +291,10 @@ int snd_seq_timer_open(struct snd_seq_queue *q)
+ tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
+ err = snd_timer_open(&t, str, &tid, q->queue);
+ }
+- }
+- if (err < 0) {
+- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
+- return err;
++ if (err < 0) {
++ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
++ return err;
++ }
+ }
+ t->callback = snd_seq_timer_interrupt;
+ t->callback_data = q;
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index 5f295f7..78288db 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -1252,8 +1252,6 @@ static int snd_ac97_cvol_new(struct snd_card *card, char *name, int reg, unsigne
+ tmp.index = ac97->num;
+ kctl = snd_ctl_new1(&tmp, ac97);
+ }
+- if (!kctl)
+- return -ENOMEM;
+ if (reg >= AC97_PHONE && reg <= AC97_PCM)
+ set_tlv_db_scale(kctl, db_scale_5bit_12db_max);
+ else
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index d9b4453..6419095 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -131,8 +131,8 @@ enum {
+ enum {
+ ALC269_BASIC,
+ ALC269_QUANTA_FL1,
+- ALC269_ASUS_AMIC,
+- ALC269_ASUS_DMIC,
++ ALC269_ASUS_EEEPC_P703,
++ ALC269_ASUS_EEEPC_P901,
+ ALC269_FUJITSU,
+ ALC269_LIFEBOOK,
+ ALC269_AUTO,
+@@ -188,8 +188,6 @@ enum {
+ ALC663_ASUS_MODE4,
+ ALC663_ASUS_MODE5,
+ ALC663_ASUS_MODE6,
+- ALC663_ASUS_MODE7,
+- ALC663_ASUS_MODE8,
+ ALC272_DELL,
+ ALC272_DELL_ZM1,
+ ALC272_SAMSUNG_NC10,
+@@ -13236,12 +13234,10 @@ static struct hda_verb alc269_eeepc_amic_init_verbs[] = {
+ /* toggle speaker-output according to the hp-jack state */
+ static void alc269_speaker_automute(struct hda_codec *codec)
+ {
+- struct alc_spec *spec = codec->spec;
+- unsigned int
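Review bot: The early return in install_user_keyrings() now fires as soon as `user->uid_keyring` is set, without looking at `user->session_keyring`. If the two pointers are published at different moments (the assignments are outside the hunk), a second caller can take this `[exist]` path while the session keyring is still NULL, and later code that assumes both exist would dereference a null pointer. Testing both, `if (user->uid_keyring && user->session_keyring) {`, closes that window.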
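Review bot: Moving the `if (err < 0)` block inside the enclosing brace in snd_seq_timer_open() means a failed `snd_timer_open()` is only caught on the path that enters that block. The block's condition lies above the hunk, but on any path that skips it with `err < 0` the function continues to `t->callback = snd_seq_timer_interrupt;` with `t` never set by a successful open. The check should stay after the closing brace so that it covers every path.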
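Review bot: Without `if (!kctl) return -ENOMEM;` the result of `snd_ctl_new1(&tmp, ac97)` in snd_ac97_cvol_new() is passed unchecked to `set_tlv_db_scale(kctl, ...)`, which presumably writes through the pointer. An allocation failure then becomes a NULL dereference instead of an error return. Keep the check directly after the block that creates the control; the function body starts above the hunk.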
nid = spec->autocfg.hp_pins[0]; + unsigned int present; + unsigned char bits; + +- present = snd_hda_codec_read(codec, nid, 0, ++ present = snd_hda_codec_read(codec, 0x15, 0, + AC_VERB_GET_PIN_SENSE, 0) & 0x80000000; + bits = present ? AMP_IN_MUTE(0) : 0; + snd_hda_codec_amp_stereo(codec, 0x0c, HDA_INPUT, 0, +@@ -13467,8 +13463,8 @@ static void alc269_auto_init(struct hda_codec *codec) + static const char *alc269_models[ALC269_MODEL_LAST] = { + [ALC269_BASIC] = "basic", + [ALC269_QUANTA_FL1] = "quanta", +- [ALC269_ASUS_AMIC] = "asus-amic", +- [ALC269_ASUS_DMIC] = "asus-dmic", ++ [ALC269_ASUS_EEEPC_P703] = "eeepc-p703", ++ [ALC269_ASUS_EEEPC_P901] = "eeepc-p901", + [ALC269_FUJITSU] = "fujitsu", + [ALC269_LIFEBOOK] = "lifebook", + [ALC269_AUTO] = "auto", +@@ -13477,41 +13473,18 @@ static const char *alc269_models[ALC269_MODEL_LAST] = { + static struct snd_pci_quirk alc269_cfg_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_QUANTA_FL1), + SND_PCI_QUIRK(0x1043, 0x8330, "ASUS Eeepc P703 P900A", +- ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1133, "ASUS UJ20ft", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1273, "ASUS UL80JT", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1283, "ASUS U53Jc", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x12b3, "ASUS N82Jv", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x13a3, "ASUS UL30Vt", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1373, "ASUS G73JX", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1383, "ASUS UJ30Jc", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x13d3, "ASUS N61JA", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1413, "ASUS UL50", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1443, "ASUS UL30", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1453, "ASUS M60Jv", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1483, "ASUS UL80", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x14f3, "ASUS F83Vf", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS UL20", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1513, 
"ASUS UX30", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x15a3, "ASUS N60Jv", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x15b3, "ASUS N60Dp", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x15c3, "ASUS N70De", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x15e3, "ASUS F83T", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1643, "ASUS M60J", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1653, "ASUS U50", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1693, "ASUS F50N", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x16a3, "ASUS F5Q", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_ASUS_DMIC), +- SND_PCI_QUIRK(0x1043, 0x1723, "ASUS P80", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1743, "ASUS U80", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1773, "ASUS U20A", ALC269_ASUS_AMIC), +- SND_PCI_QUIRK(0x1043, 0x1883, "ASUS F81Se", ALC269_ASUS_AMIC), ++ ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x1883, "ASUS F81Se", ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x16a3, "ASUS F5Q", ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x1723, "ASUS P80", ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x1773, "ASUS U20A", ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x1743, "ASUS U80", ALC269_ASUS_EEEPC_P703), ++ SND_PCI_QUIRK(0x1043, 0x1653, "ASUS U50", ALC269_ASUS_EEEPC_P703), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS Eeepc P901", +- ALC269_ASUS_DMIC), ++ ALC269_ASUS_EEEPC_P901), + SND_PCI_QUIRK(0x1043, 0x834a, "ASUS Eeepc S101", +- ALC269_ASUS_DMIC), +- SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005HA", ALC269_ASUS_DMIC), +- SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS P1005HA", ALC269_ASUS_DMIC), ++ ALC269_ASUS_EEEPC_P901), ++ SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_ASUS_EEEPC_P901), + SND_PCI_QUIRK(0x1734, 0x115d, "FSC Amilo", ALC269_FUJITSU), + SND_PCI_QUIRK(0x10cf, 0x1475, "Lifebook ICH9M-based", ALC269_LIFEBOOK), + {} +@@ -13541,7 +13514,7 @@ static struct alc_config_preset alc269_presets[] = { + .setup = alc269_quanta_fl1_setup, + 
.init_hook = alc269_quanta_fl1_init_hook, + }, +- [ALC269_ASUS_AMIC] = { ++ [ALC269_ASUS_EEEPC_P703] = { + .mixers = { alc269_eeepc_mixer }, + .cap_mixer = alc269_epc_capture_mixer, + .init_verbs = { alc269_init_verbs, +@@ -13555,7 +13528,7 @@ static struct alc_config_preset alc269_presets[] = { + .setup = alc269_eeepc_amic_setup, + .init_hook = alc269_eeepc_inithook, + }, +- [ALC269_ASUS_DMIC] = { ++ [ALC269_ASUS_EEEPC_P901] = { + .mixers = { alc269_eeepc_mixer }, + .cap_mixer = alc269_epc_capture_mixer, + .init_verbs = { alc269_init_verbs, +@@ -14713,27 +14686,6 @@ static struct alc_config_preset alc861_presets[] = { + }, + }; + +-/* Pin config fixes */ +-enum { +- PINFIX_FSC_AMILO_PI1505, +-}; +- +-static struct alc_pincfg alc861_fsc_amilo_pi1505_pinfix[] = { +- { 0x0b, 0x0221101f }, /* HP */ +- { 0x0f, 0x90170310 }, /* speaker */ +- { } +-}; +- +-static const struct alc_fixup alc861_fixups[] = { +- [PINFIX_FSC_AMILO_PI1505] = { +- .pins = alc861_fsc_amilo_pi1505_pinfix +- }, +-}; +- +-static struct snd_pci_quirk alc861_fixup_tbl[] = { +- SND_PCI_QUIRK(0x1734, 0x10c7, "FSC Amilo Pi1505", PINFIX_FSC_AMILO_PI1505), +- {} +-}; + + static int patch_alc861(struct hda_codec *codec) + { +@@ -14757,8 +14709,6 @@ static int patch_alc861(struct hda_codec *codec) + board_config = ALC861_AUTO; + } + +- alc_pick_fixup(codec, alc861_fixup_tbl, alc861_fixups); +- + if (board_config == ALC861_AUTO) { + /* automatic parse from the BIOS config */ + err = alc861_parse_auto_config(codec); +@@ -16194,52 +16144,6 @@ static struct snd_kcontrol_new alc663_g50v_mixer[] = { + { } /* end */ + }; + +-static struct hda_bind_ctls alc663_asus_mode7_8_all_bind_switch = { +- .ops = &snd_hda_bind_sw, +- .values = { +- HDA_COMPOSE_AMP_VAL(0x14, 3, 0, HDA_OUTPUT), +- HDA_COMPOSE_AMP_VAL(0x15, 3, 0, HDA_OUTPUT), +- HDA_COMPOSE_AMP_VAL(0x17, 3, 0, HDA_OUTPUT), +- HDA_COMPOSE_AMP_VAL(0x1b, 3, 0, HDA_OUTPUT), +- HDA_COMPOSE_AMP_VAL(0x21, 3, 0, HDA_OUTPUT), +- 0 +- }, +-}; +- +-static struct 
hda_bind_ctls alc663_asus_mode7_8_sp_bind_switch = { +- .ops = &snd_hda_bind_sw, +- .values = { +- HDA_COMPOSE_AMP_VAL(0x14, 3, 0, HDA_OUTPUT), +- HDA_COMPOSE_AMP_VAL(0x17, 3, 0, HDA_OUTPUT), +- 0 +- }, +-}; +- +-static struct snd_kcontrol_new alc663_mode7_mixer[] = { +- HDA_BIND_SW("Master Playback Switch", &alc663_asus_mode7_8_all_bind_switch), +- HDA_BIND_VOL("Speaker Playback Volume", &alc663_asus_bind_master_vol), +- HDA_BIND_SW("Speaker Playback Switch", &alc663_asus_mode7_8_sp_bind_switch), +- HDA_CODEC_MUTE("Headphone1 Playback Switch", 0x1b, 0x0, HDA_OUTPUT), +- HDA_CODEC_MUTE("Headphone2 Playback Switch", 0x21, 0x0, HDA_OUTPUT), +- HDA_CODEC_VOLUME("IntMic Playback Volume", 0x0b, 0x0, HDA_INPUT), +- HDA_CODEC_MUTE("IntMic Playback Switch", 0x0b, 0x0, HDA_INPUT), +- HDA_CODEC_VOLUME("Mic Playback Volume", 0x0b, 0x1, HDA_INPUT), +- HDA_CODEC_MUTE("Mic Playback Switch", 0x0b, 0x1, HDA_INPUT), +- { } /* end */ +-}; +- +-static struct snd_kcontrol_new alc663_mode8_mixer[] = { +- HDA_BIND_SW("Master Playback Switch", &alc663_asus_mode7_8_all_bind_switch), +- HDA_BIND_VOL("Speaker Playback Volume", &alc663_asus_bind_master_vol), +- HDA_BIND_SW("Speaker Playback Switch", &alc663_asus_mode7_8_sp_bind_switch), +- HDA_CODEC_MUTE("Headphone1 Playback Switch", 0x15, 0x0, HDA_OUTPUT), +- HDA_CODEC_MUTE("Headphone2 Playback Switch", 0x21, 0x0, HDA_OUTPUT), +- HDA_CODEC_VOLUME("Mic Playback Volume", 0x0b, 0x0, HDA_INPUT), +- HDA_CODEC_MUTE("Mic Playback Switch", 0x0b, 0x0, HDA_INPUT), +- { } /* end */ +-}; +- +- + static struct snd_kcontrol_new alc662_chmode_mixer[] = { + { + .iface = SNDRV_CTL_ELEM_IFACE_MIXER, +@@ -16527,45 +16431,6 @@ static struct hda_verb alc272_dell_init_verbs[] = { + {} + }; + +-static struct hda_verb alc663_mode7_init_verbs[] = { +- {0x15, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, +- {0x16, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, +- {0x17, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT}, +- {0x17, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x1b, 
AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP}, +- {0x1b, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x1b, AC_VERB_SET_CONNECT_SEL, 0x01}, +- {0x21, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP}, +- {0x21, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x21, AC_VERB_SET_CONNECT_SEL, 0x01}, /* Headphone */ +- {0x22, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)}, +- {0x22, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_UNMUTE(9)}, +- {0x19, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_MIC_EVENT}, +- {0x1b, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_HP_EVENT}, +- {0x21, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_HP_EVENT}, +- {} +-}; +- +-static struct hda_verb alc663_mode8_init_verbs[] = { +- {0x12, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, +- {0x15, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP}, +- {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x15, AC_VERB_SET_CONNECT_SEL, 0x01}, +- {0x16, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, +- {0x17, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT}, +- {0x17, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x1b, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, +- {0x21, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP}, +- {0x21, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, +- {0x21, AC_VERB_SET_CONNECT_SEL, 0x01}, /* Headphone */ +- {0x22, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)}, +- {0x22, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_UNMUTE(9)}, +- {0x15, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_HP_EVENT}, +- {0x18, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_MIC_EVENT}, +- {0x21, AC_VERB_SET_UNSOLICITED_ENABLE, AC_USRSP_EN | ALC880_HP_EVENT}, +- {} +-}; +- + static struct snd_kcontrol_new alc662_auto_capture_mixer[] = { + HDA_CODEC_VOLUME("Capture Volume", 0x09, 0x0, HDA_INPUT), + HDA_CODEC_MUTE("Capture Switch", 0x09, 0x0, HDA_INPUT), +@@ -16761,54 +16626,6 @@ static void alc663_two_hp_m2_speaker_automute(struct hda_codec *codec) + } + } + +-static void alc663_two_hp_m7_speaker_automute(struct hda_codec *codec) +-{ +- unsigned 
int present1, present2; +- +- present1 = snd_hda_codec_read(codec, 0x1b, 0, +- AC_VERB_GET_PIN_SENSE, 0) +- & AC_PINSENSE_PRESENCE; +- present2 = snd_hda_codec_read(codec, 0x21, 0, +- AC_VERB_GET_PIN_SENSE, 0) +- & AC_PINSENSE_PRESENCE; +- +- if (present1 || present2) { +- snd_hda_codec_write_cache(codec, 0x14, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0); +- snd_hda_codec_write_cache(codec, 0x17, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0); +- } else { +- snd_hda_codec_write_cache(codec, 0x14, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); +- snd_hda_codec_write_cache(codec, 0x17, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); +- } +-} +- +-static void alc663_two_hp_m8_speaker_automute(struct hda_codec *codec) +-{ +- unsigned int present1, present2; +- +- present1 = snd_hda_codec_read(codec, 0x21, 0, +- AC_VERB_GET_PIN_SENSE, 0) +- & AC_PINSENSE_PRESENCE; +- present2 = snd_hda_codec_read(codec, 0x15, 0, +- AC_VERB_GET_PIN_SENSE, 0) +- & AC_PINSENSE_PRESENCE; +- +- if (present1 || present2) { +- snd_hda_codec_write_cache(codec, 0x14, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0); +- snd_hda_codec_write_cache(codec, 0x17, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0); +- } else { +- snd_hda_codec_write_cache(codec, 0x14, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); +- snd_hda_codec_write_cache(codec, 0x17, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); +- } +-} +- + static void alc663_m51va_unsol_event(struct hda_codec *codec, + unsigned int res) + { +@@ -16828,7 +16645,7 @@ static void alc663_m51va_setup(struct hda_codec *codec) + spec->ext_mic.pin = 0x18; + spec->ext_mic.mux_idx = 0; + spec->int_mic.pin = 0x12; +- spec->int_mic.mux_idx = 9; ++ spec->int_mic.mux_idx = 1; + spec->auto_mic = 1; + } + +@@ -16840,17 +16657,7 @@ static void alc663_m51va_inithook(struct hda_codec *codec) + + /* ***************** Mode1 ******************************/ + #define alc663_mode1_unsol_event alc663_m51va_unsol_event +- +-static void alc663_mode1_setup(struct hda_codec *codec) +-{ +- struct 
alc_spec *spec = codec->spec; +- spec->ext_mic.pin = 0x18; +- spec->ext_mic.mux_idx = 0; +- spec->int_mic.pin = 0x19; +- spec->int_mic.mux_idx = 1; +- spec->auto_mic = 1; +-} +- ++#define alc663_mode1_setup alc663_m51va_setup + #define alc663_mode1_inithook alc663_m51va_inithook + + /* ***************** Mode2 ******************************/ +@@ -16867,7 +16674,7 @@ static void alc662_mode2_unsol_event(struct hda_codec *codec, + } + } + +-#define alc662_mode2_setup alc663_mode1_setup ++#define alc662_mode2_setup alc663_m51va_setup + + static void alc662_mode2_inithook(struct hda_codec *codec) + { +@@ -16888,7 +16695,7 @@ static void alc663_mode3_unsol_event(struct hda_codec *codec, + } + } + +-#define alc663_mode3_setup alc663_mode1_setup ++#define alc663_mode3_setup alc663_m51va_setup + + static void alc663_mode3_inithook(struct hda_codec *codec) + { +@@ -16909,7 +16716,7 @@ static void alc663_mode4_unsol_event(struct hda_codec *codec, + } + } + +-#define alc663_mode4_setup alc663_mode1_setup ++#define alc663_mode4_setup alc663_m51va_setup + + static void alc663_mode4_inithook(struct hda_codec *codec) + { +@@ -16930,7 +16737,7 @@ static void alc663_mode5_unsol_event(struct hda_codec *codec, + } + } + +-#define alc663_mode5_setup alc663_mode1_setup ++#define alc663_mode5_setup alc663_m51va_setup + + static void alc663_mode5_inithook(struct hda_codec *codec) + { +@@ -16951,7 +16758,7 @@ static void alc663_mode6_unsol_event(struct hda_codec *codec, + } + } + +-#define alc663_mode6_setup alc663_mode1_setup ++#define alc663_mode6_setup alc663_m51va_setup + + static void alc663_mode6_inithook(struct hda_codec *codec) + { +@@ -16959,50 +16766,6 @@ static void alc663_mode6_inithook(struct hda_codec *codec) + alc_mic_automute(codec); + } + +-/* ***************** Mode7 ******************************/ +-static void alc663_mode7_unsol_event(struct hda_codec *codec, +- unsigned int res) +-{ +- switch (res >> 26) { +- case ALC880_HP_EVENT: +- 
alc663_two_hp_m7_speaker_automute(codec); +- break; +- case ALC880_MIC_EVENT: +- alc_mic_automute(codec); +- break; +- } +-} +- +-#define alc663_mode7_setup alc663_mode1_setup +- +-static void alc663_mode7_inithook(struct hda_codec *codec) +-{ +- alc663_two_hp_m7_speaker_automute(codec); +- alc_mic_automute(codec); +-} +- +-/* ***************** Mode8 ******************************/ +-static void alc663_mode8_unsol_event(struct hda_codec *codec, +- unsigned int res) +-{ +- switch (res >> 26) { +- case ALC880_HP_EVENT: +- alc663_two_hp_m8_speaker_automute(codec); +- break; +- case ALC880_MIC_EVENT: +- alc_mic_automute(codec); +- break; +- } +-} +- +-#define alc663_mode8_setup alc663_m51va_setup +- +-static void alc663_mode8_inithook(struct hda_codec *codec) +-{ +- alc663_two_hp_m8_speaker_automute(codec); +- alc_mic_automute(codec); +-} +- + static void alc663_g71v_hp_automute(struct hda_codec *codec) + { + unsigned int present; +@@ -17141,8 +16904,6 @@ static const char *alc662_models[ALC662_MODEL_LAST] = { + [ALC663_ASUS_MODE4] = "asus-mode4", + [ALC663_ASUS_MODE5] = "asus-mode5", + [ALC663_ASUS_MODE6] = "asus-mode6", +- [ALC663_ASUS_MODE7] = "asus-mode7", +- [ALC663_ASUS_MODE8] = "asus-mode8", + [ALC272_DELL] = "dell", + [ALC272_DELL_ZM1] = "dell-zm1", + [ALC272_SAMSUNG_NC10] = "samsung-nc10", +@@ -17159,22 +16920,12 @@ static struct snd_pci_quirk alc662_cfg_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x11d3, "ASUS NB", ALC663_ASUS_MODE1), + SND_PCI_QUIRK(0x1043, 0x11f3, "ASUS NB", ALC662_ASUS_MODE2), + SND_PCI_QUIRK(0x1043, 0x1203, "ASUS NB", ALC663_ASUS_MODE1), +- SND_PCI_QUIRK(0x1043, 0x1303, "ASUS G60J", ALC663_ASUS_MODE1), +- SND_PCI_QUIRK(0x1043, 0x1333, "ASUS G60Jx", ALC663_ASUS_MODE1), + SND_PCI_QUIRK(0x1043, 0x1339, "ASUS NB", ALC662_ASUS_MODE2), +- SND_PCI_QUIRK(0x1043, 0x13e3, "ASUS N71JA", ALC663_ASUS_MODE7), +- SND_PCI_QUIRK(0x1043, 0x1463, "ASUS N71", ALC663_ASUS_MODE7), +- SND_PCI_QUIRK(0x1043, 0x14d3, "ASUS G72", ALC663_ASUS_MODE8), +- SND_PCI_QUIRK(0x1043, 
0x1563, "ASUS N90", ALC663_ASUS_MODE3), +- SND_PCI_QUIRK(0x1043, 0x15d3, "ASUS N50SF F50SF", ALC663_ASUS_MODE1), + SND_PCI_QUIRK(0x1043, 0x16c3, "ASUS NB", ALC662_ASUS_MODE2), +- SND_PCI_QUIRK(0x1043, 0x16f3, "ASUS K40C K50C", ALC662_ASUS_MODE2), +- SND_PCI_QUIRK(0x1043, 0x1733, "ASUS N81De", ALC663_ASUS_MODE1), + SND_PCI_QUIRK(0x1043, 0x1753, "ASUS NB", ALC662_ASUS_MODE2), + SND_PCI_QUIRK(0x1043, 0x1763, "ASUS NB", ALC663_ASUS_MODE6), + SND_PCI_QUIRK(0x1043, 0x1765, "ASUS NB", ALC663_ASUS_MODE6), + SND_PCI_QUIRK(0x1043, 0x1783, "ASUS NB", ALC662_ASUS_MODE2), +- SND_PCI_QUIRK(0x1043, 0x1793, "ASUS F50GX", ALC663_ASUS_MODE1), + SND_PCI_QUIRK(0x1043, 0x17b3, "ASUS F70SL", ALC663_ASUS_MODE3), + SND_PCI_QUIRK(0x1043, 0x17c3, "ASUS UX20", ALC663_ASUS_M51VA), + SND_PCI_QUIRK(0x1043, 0x17f3, "ASUS X58LE", ALC662_ASUS_MODE2), +@@ -17457,36 +17208,6 @@ static struct alc_config_preset alc662_presets[] = { + .setup = alc663_mode6_setup, + .init_hook = alc663_mode6_inithook, + }, +- [ALC663_ASUS_MODE7] = { +- .mixers = { alc663_mode7_mixer }, +- .cap_mixer = alc662_auto_capture_mixer, +- .init_verbs = { alc662_init_verbs, +- alc663_mode7_init_verbs }, +- .num_dacs = ARRAY_SIZE(alc662_dac_nids), +- .hp_nid = 0x03, +- .dac_nids = alc662_dac_nids, +- .dig_out_nid = ALC662_DIGOUT_NID, +- .num_channel_mode = ARRAY_SIZE(alc662_3ST_2ch_modes), +- .channel_mode = alc662_3ST_2ch_modes, +- .unsol_event = alc663_mode7_unsol_event, +- .setup = alc663_mode7_setup, +- .init_hook = alc663_mode7_inithook, +- }, +- [ALC663_ASUS_MODE8] = { +- .mixers = { alc663_mode8_mixer }, +- .cap_mixer = alc662_auto_capture_mixer, +- .init_verbs = { alc662_init_verbs, +- alc663_mode8_init_verbs }, +- .num_dacs = ARRAY_SIZE(alc662_dac_nids), +- .hp_nid = 0x03, +- .dac_nids = alc662_dac_nids, +- .dig_out_nid = ALC662_DIGOUT_NID, +- .num_channel_mode = ARRAY_SIZE(alc662_3ST_2ch_modes), +- .channel_mode = alc662_3ST_2ch_modes, +- .unsol_event = alc663_mode8_unsol_event, +- .setup = alc663_mode8_setup, +- 
.init_hook = alc663_mode8_inithook, +- }, + [ALC272_DELL] = { + .mixers = { alc663_m51va_mixer }, + .cap_mixer = alc272_auto_capture_mixer, +@@ -17955,9 +17676,7 @@ static struct hda_codec_preset snd_hda_preset_realtek[] = { + { .id = 0x10ec0267, .name = "ALC267", .patch = patch_alc268 }, + { .id = 0x10ec0268, .name = "ALC268", .patch = patch_alc268 }, + { .id = 0x10ec0269, .name = "ALC269", .patch = patch_alc269 }, +- { .id = 0x10ec0270, .name = "ALC270", .patch = patch_alc269 }, + { .id = 0x10ec0272, .name = "ALC272", .patch = patch_alc662 }, +- { .id = 0x10ec0275, .name = "ALC275", .patch = patch_alc269 }, + { .id = 0x10ec0861, .rev = 0x100340, .name = "ALC660", + .patch = patch_alc861 }, + { .id = 0x10ec0660, .name = "ALC660-VD", .patch = patch_alc861vd }, +diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c +index 13cd679..83b3dde 100644 +--- a/usr/gen_init_cpio.c ++++ b/usr/gen_init_cpio.c +@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name, const char *location, + int retval; + int rc = -1; + int namesize; +- unsigned int i; ++ int i; + + mode |= S_IFREG; + +@@ -372,28 +372,25 @@ error: + + static char *cpio_replace_env(char *new_location) + { +- char expanded[PATH_MAX + 1]; +- char env_var[PATH_MAX + 1]; +- char *start; +- char *end; +- +- for (start = NULL; (start = strstr(new_location, "${")); ) { +- end = strchr(start, '}'); +- if (start < end) { +- *env_var = *expanded = '\0'; +- strncat(env_var, start + 2, end - start - 2); +- strncat(expanded, new_location, start - new_location); +- strncat(expanded, getenv(env_var), +- PATH_MAX - strlen(expanded)); +- strncat(expanded, end + 1, +- PATH_MAX - strlen(expanded)); +- strncpy(new_location, expanded, PATH_MAX); +- new_location[PATH_MAX] = 0; +- } else +- break; +- } +- +- return new_location; ++ char expanded[PATH_MAX + 1]; ++ char env_var[PATH_MAX + 1]; ++ char *start; ++ char *end; ++ ++ for (start = NULL; (start = strstr(new_location, "${")); ) { ++ end = strchr(start, '}'); ++ if (start < 
end) { ++ *env_var = *expanded = '\0'; ++ strncat(env_var, start + 2, end - start - 2); ++ strncat(expanded, new_location, start - new_location); ++ strncat(expanded, getenv(env_var), PATH_MAX); ++ strncat(expanded, end + 1, PATH_MAX); ++ strncpy(new_location, expanded, PATH_MAX); ++ } else ++ break; ++ } ++ ++ return new_location; + } + + +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index 69969ae..9fe140b 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -71,12 +71,9 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; + u64 redir_content; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ ASSERT(redir_index < IOAPIC_NUM_PINS); + ++ redir_content = ioapic->redirtbl[redir_index].bits; + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : + redir_content & 0xffffffff; diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch index 8e09bd0..7ee0064 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch @@ -265,7 +265,7 @@ index 334258c..1e8f4ff 100644 M: Liam Girdwood <lrg@slimlogic.co.uk> M: Mark Brown <broonie@opensource.wolfsonmicro.com> diff --git a/Makefile b/Makefile -index b0e245e..e2589d0 100644 +index e5a279c..2289941 100644 --- a/Makefile +++ b/Makefile @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3029,7 +3029,7 @@ index fd7620f..63d73a6 100644 select EMBEDDED select RTC_LIB if !LEMOTE_FULOONG2E diff --git a/arch/mips/Makefile b/arch/mips/Makefile -index 77f5021..2b1db8a 100644 +index 57ff855..b603951 100644 --- a/arch/mips/Makefile +++ b/arch/mips/Makefile @@ -51,6 +51,8 @@ endif 
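Review bot: The inner `virt/kvm/ioapic.c` hunk carried in the added `1060_linux-2.6.32.61.patch` has `ASSERT(redir_index < IOAPIC_NUM_PINS);` on its new side and removes the `if (redir_index < IOAPIC_NUM_PINS) ... else redir_content = ~0ULL;` guard, so `ioapic->redirtbl[redir_index]` is indexed with a value computed from `ioapic->ioregsel` and has no runtime bound if `ASSERT` is a debug-only check (its definition is not visible here). The inner `usr/gen_init_cpio.c` hunk has the same shape: in `cpio_replace_env` the new side passes a flat `PATH_MAX` to both `strncat` calls instead of `PATH_MAX - strlen(expanded)` and drops `new_location[PATH_MAX] = 0;`, so the appends are no longer limited to the space left in `expanded` and the copy back is not guaranteed to be NUL-terminated. Both hunks read as if the stable patch was diffed from the newer tree to the older one; that is inferred from these hunks alone, so please confirm the diff direction and regenerate the file so that the bounds-checked forms are on the `+` side. The start of this added file is outside the visible part of the page, so its other hunks were not checked.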
@@ -3735,30 +3735,6 @@ index cb71f3d..306f0c0 100644 #ifdef CONFIG_BLK_DEV_INITRD if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ -diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c -index fb59852..32d43e7 100644 ---- a/arch/parisc/kernel/signal32.c -+++ b/arch/parisc/kernel/signal32.c -@@ -68,7 +68,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) - { - compat_sigset_t s; - -- if (sz != sizeof *set) panic("put_sigset32()"); -+ if (sz != sizeof *set) -+ return -EINVAL; - sigset_64to32(&s, set); - - return copy_to_user(up, &s, sizeof s); -@@ -80,7 +81,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) - compat_sigset_t s; - int r; - -- if (sz != sizeof *set) panic("put_sigset32()"); -+ if (sz != sizeof *set) -+ return -EINVAL; - - if ((r = copy_from_user(&s, up, sz)) == 0) { - sigset_32to64(set, &s); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c index 9147391..d09f456 100644 --- a/arch/parisc/kernel/sys_parisc.c @@ -8967,7 +8943,7 @@ index d1b93c4..ae1b7fd 100644 void default_idle(void); diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index aa889d6..5b677d1 100644 +index ee0168d..096ed0e 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -223,7 +223,7 @@ config X86_TRAMPOLINE @@ -13431,7 +13407,7 @@ index 33927d2..ccde329 100644 /* diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index af6fd36..a7c3e4d 100644 +index 1cce9d2..a7c3e4d 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -39,6 +39,7 @@ extern struct list_head pgd_list; 
@@ -13494,16 +13470,7 @@ index af6fd36..a7c3e4d 100644 static inline int pte_dirty(pte_t pte) { return pte_flags(pte) & _PAGE_DIRTY; -@@ -130,12 +170,16 @@ static inline unsigned long pmd_pfn(pmd_t pmd) - return (pmd_val(pmd) & PTE_PFN_MASK) >> PAGE_SHIFT; - } - -+static inline unsigned long pud_pfn(pud_t pud) -+{ -+ return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; -+} -+ - #define pte_page(pte) pfn_to_page(pte_pfn(pte)) +@@ -139,8 +179,7 @@ static inline unsigned long pud_pfn(pud_t pud) static inline int pmd_large(pmd_t pte) { @@ -13513,7 +13480,7 @@ index af6fd36..a7c3e4d 100644 } static inline pte_t pte_set_flags(pte_t pte, pteval_t set) -@@ -167,9 +211,29 @@ static inline pte_t pte_wrprotect(pte_t pte) +@@ -172,9 +211,29 @@ static inline pte_t pte_wrprotect(pte_t pte) return pte_clear_flags(pte, _PAGE_RW); } @@ -13544,7 +13511,7 @@ index af6fd36..a7c3e4d 100644 } static inline pte_t pte_mkdirty(pte_t pte) -@@ -302,6 +366,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); +@@ -307,6 +366,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); #endif #ifndef __ASSEMBLY__ @@ -13560,7 +13527,7 @@ index af6fd36..a7c3e4d 100644 #include <linux/mm_types.h> static inline int pte_none(pte_t pte) -@@ -327,7 +400,13 @@ static inline int pte_hidden(pte_t pte) +@@ -332,7 +400,13 @@ static inline int pte_hidden(pte_t pte) static inline int pmd_present(pmd_t pmd) { @@ -13575,7 +13542,7 @@ index af6fd36..a7c3e4d 100644 } static inline int pmd_none(pmd_t pmd) -@@ -472,7 +551,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) +@@ -477,7 +551,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) static inline int pgd_bad(pgd_t pgd) { 
@@ -13584,7 +13551,7 @@ index af6fd36..a7c3e4d 100644 } static inline int pgd_none(pgd_t pgd) -@@ -495,7 +574,12 @@ static inline int pgd_none(pgd_t pgd) +@@ -500,7 +574,12 @@ static inline int pgd_none(pgd_t pgd) * pgd_offset() returns a (pgd_t *) * pgd_index() is used get the offset into the pgd page's array of pgd_t's; */ @@ -13598,7 +13565,7 @@ index af6fd36..a7c3e4d 100644 /* * a shortcut which implies the use of the kernel's pgd, instead * of a process's -@@ -506,6 +590,20 @@ static inline int pgd_none(pgd_t pgd) +@@ -511,6 +590,20 @@ static inline int pgd_none(pgd_t pgd) #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) @@ -13619,7 +13586,7 @@ index af6fd36..a7c3e4d 100644 #ifndef __ASSEMBLY__ extern int direct_gbpages; -@@ -611,11 +709,23 @@ static inline void ptep_set_wrprotect(struct mm_struct *mm, +@@ -616,11 +709,23 @@ static inline void ptep_set_wrprotect(struct mm_struct *mm, * dst and src can be on the same page, but the range must not overlap, * and must not cross a page boundary. */ @@ -14045,10 +14012,10 @@ index 621f56d..f1094fd 100644 - #endif /* _ASM_X86_PROTO_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index 0f0d908..f2e3da2 100644 +index e668d72..5792fad 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h -@@ -151,28 +151,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) +@@ -152,28 +152,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) } /* @@ -15859,7 +15826,7 @@ index 1d2d670..8e3f477 100644 bitmap_zero(clustermap, NUM_APIC_CLUSTERS); diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c -index 8928d97..f799cea 100644 +index d256bc3..627a02d 100644 --- a/arch/x86/kernel/apic/io_apic.c +++ b/arch/x86/kernel/apic/io_apic.c @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapic_entries(void) 
@@ -16344,7 +16311,7 @@ index 472763d..9831e11 100644 return 0; } diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index 0f16a2b..a4a4382 100644 +index 28a7e4c8..3c94ef2 100644 --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -43,6 +43,7 @@ @@ -16395,7 +16362,7 @@ index 0f16a2b..a4a4382 100644 return; } print_mce_head(); -@@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t) +@@ -623,7 +624,7 @@ static int mce_timed_out(u64 *t) * might have been modified by someone else. */ rmb(); @@ -16404,7 +16371,7 @@ index 0f16a2b..a4a4382 100644 wait_for_panic(); if (!monarch_timeout) goto out; -@@ -1394,7 +1395,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code) +@@ -1401,7 +1402,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code) } /* Call the installed machine check handler for this CPU setup. */ @@ -16413,7 +16380,7 @@ index 0f16a2b..a4a4382 100644 unexpected_machine_check; /* -@@ -1416,7 +1417,9 @@ void __cpuinit mcheck_init(struct cpuinfo_x86 *c) +@@ -1423,7 +1424,9 @@ void __cpuinit mcheck_init(struct cpuinfo_x86 *c) return; } @@ -16423,7 +16390,7 @@ index 0f16a2b..a4a4382 100644 mce_init(); mce_cpu_features(c); -@@ -1429,14 +1432,14 @@ void __cpuinit mcheck_init(struct cpuinfo_x86 *c) +@@ -1436,14 +1439,14 @@ void __cpuinit mcheck_init(struct cpuinfo_x86 *c) */ static DEFINE_SPINLOCK(mce_state_lock); @@ -16440,7 +16407,7 @@ index 0f16a2b..a4a4382 100644 spin_unlock(&mce_state_lock); return -EBUSY; -@@ -1444,7 +1447,7 @@ static int mce_open(struct inode *inode, struct file *file) +@@ -1451,7 +1454,7 @@ static int mce_open(struct inode *inode, struct file *file) if (file->f_flags & O_EXCL) open_exclu = 1; 
@@ -16449,7 +16416,7 @@ index 0f16a2b..a4a4382 100644 spin_unlock(&mce_state_lock); -@@ -1455,7 +1458,7 @@ static int mce_release(struct inode *inode, struct file *file) +@@ -1462,7 +1465,7 @@ static int mce_release(struct inode *inode, struct file *file) { spin_lock(&mce_state_lock); @@ -16458,7 +16425,7 @@ index 0f16a2b..a4a4382 100644 open_exclu = 0; spin_unlock(&mce_state_lock); -@@ -2007,7 +2010,7 @@ mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu) +@@ -2014,7 +2017,7 @@ mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu) return NOTIFY_OK; } @@ -16467,7 +16434,7 @@ index 0f16a2b..a4a4382 100644 .notifier_call = mce_cpu_callback, }; -@@ -2082,7 +2085,7 @@ struct dentry *mce_get_debugfs_dir(void) +@@ -2089,7 +2092,7 @@ struct dentry *mce_get_debugfs_dir(void) static void mce_reset(void) { cpu_missing = 0; @@ -21133,20 +21100,6 @@ index 89f386f..9028f51 100644 #if 0 if ((s64)val != *(s32 *)loc) goto overflow; -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 5eaeb5e..63a053b 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file) - struct cpuinfo_x86 *c = &cpu_data(cpu); - int ret = 0; - -+ if (!capable(CAP_SYS_RAWIO)) -+ return -EPERM; -+ - lock_kernel(); - cpu = iminor(file->f_path.dentry->d_inode); - diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c index 3a7c5a4..9191528 100644 --- a/arch/x86/kernel/paravirt-spinlocks.c @@ -21694,7 +21647,7 @@ index 39493bc..196816d 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index c06acdd..2404a26 100644 +index c06acdd..00810d8 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -925,7 +925,7 @@ static const struct user_regset_view user_x86_32_view; /* Initialized below. */ 
@@ -21765,7 +21718,7 @@ index c06acdd..2404a26 100644 /* Send us the fake SIGTRAP */ force_sig_info(SIGTRAP, &info, tsk); -@@ -1465,14 +1465,23 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1465,6 +1465,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, # define IS_IA32 0 #endif @@ -21776,9 +21729,7 @@ index c06acdd..2404a26 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. - */ --asmregparm long syscall_trace_enter(struct pt_regs *regs) -+long syscall_trace_enter(struct pt_regs *regs) +@@ -1473,6 +1477,11 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs) { long ret = 0; @@ -21790,12 +21741,9 @@ index c06acdd..2404a26 100644 /* * If we stepped into a sysenter/syscall insn, it trapped in * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. -@@ -1514,8 +1523,13 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs) - return ret ?: regs->orig_ax; - } +@@ -1516,6 +1525,11 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs) --asmregparm void syscall_trace_leave(struct pt_regs *regs) -+void syscall_trace_leave(struct pt_regs *regs) + asmregparm void syscall_trace_leave(struct pt_regs *regs) { +#ifdef CONFIG_GRKERNSEC_SETXID + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) @@ -24156,7 +24104,7 @@ index e6d925f..6bde4d6 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 271fddf..fe56f44 100644 +index cdee77e..4d06778 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu); 
@@ -24168,19 +24116,7 @@ index 271fddf..fe56f44 100644 EXPORT_SYMBOL_GPL(kvm_x86_ops); int ignore_msrs = 0; -@@ -925,6 +925,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) - /* ...but clean it before doing the actual write */ - vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); - -+ /* Check that the address is 32-byte aligned. */ -+ if (vcpu->arch.time_offset & -+ (sizeof(struct pvclock_vcpu_time_info) - 1)) -+ break; -+ - vcpu->arch.time_page = - gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); - -@@ -1430,15 +1435,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, +@@ -1436,15 +1436,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24204,7 +24140,7 @@ index 271fddf..fe56f44 100644 vcpu->arch.cpuid_nent = cpuid->nent; kvm_apic_set_version(vcpu); return 0; -@@ -1451,16 +1461,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, +@@ -1457,16 +1462,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24228,7 +24164,7 @@ index 271fddf..fe56f44 100644 return 0; out: -@@ -1678,7 +1692,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -1684,7 +1693,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { @@ -24237,7 +24173,7 @@ index 271fddf..fe56f44 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -3300,10 +3314,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { +@@ -3306,10 +3315,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { .notifier_call = kvmclock_cpufreq_notifier }; @@ -26775,7 +26711,7 @@ index 61b41ca..5fef66a 100644 extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; 
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 249ad57..da3a8c4 100644 +index df87450..2cbcfc3 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -11,10 +11,19 @@ @@ -26946,7 +26882,7 @@ index 249ad57..da3a8c4 100644 pgd_ref = pgd_offset_k(address); if (pgd_none(*pgd_ref)) return -1; -@@ -533,7 +612,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) +@@ -535,7 +614,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) static int is_errata100(struct pt_regs *regs, unsigned long address) { #ifdef CONFIG_X86_64 @@ -26955,7 +26891,7 @@ index 249ad57..da3a8c4 100644 return 1; #endif return 0; -@@ -560,7 +639,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) +@@ -562,7 +641,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) } static const char nx_warning[] = KERN_CRIT @@ -26964,7 +26900,7 @@ index 249ad57..da3a8c4 100644 static void show_fault_oops(struct pt_regs *regs, unsigned long error_code, -@@ -569,15 +648,26 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, +@@ -571,15 +650,26 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, if (!oops_may_print()) return; @@ -26993,7 +26929,7 @@ index 249ad57..da3a8c4 100644 printk(KERN_ALERT "BUG: unable to handle kernel "); if (address < PAGE_SIZE) printk(KERN_CONT "NULL pointer dereference"); -@@ -703,6 +793,23 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -705,6 +795,23 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, { struct task_struct *tsk = current; @@ -27017,7 +26953,7 @@ index 249ad57..da3a8c4 100644 /* User mode accesses just cause a SIGSEGV */ if (error_code & PF_USER) { /* -@@ -720,12 +827,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -722,12 +829,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, if (is_errata100(regs, address)) return; 
@@ -27051,7 +26987,7 @@ index 249ad57..da3a8c4 100644 tsk->thread.trap_no = 14; force_sig_info_fault(SIGSEGV, si_code, address, tsk); -@@ -816,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, +@@ -818,7 +943,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, if (fault & VM_FAULT_HWPOISON) { printk(KERN_ERR "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", @@ -27060,7 +26996,7 @@ index 249ad57..da3a8c4 100644 code = BUS_MCEERR_AR; } #endif -@@ -855,6 +980,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) +@@ -857,6 +982,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) return 1; } @@ -27160,7 +27096,7 @@ index 249ad57..da3a8c4 100644 /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -921,6 +1139,9 @@ int show_unhandled_signals = 1; +@@ -923,6 +1141,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, int write, struct vm_area_struct *vma) { @@ -27170,7 +27106,7 @@ index 249ad57..da3a8c4 100644 if (write) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -954,16 +1175,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -956,16 +1177,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) { struct vm_area_struct *vma; struct task_struct *tsk; @@ -27206,7 +27142,7 @@ index 249ad57..da3a8c4 100644 /* * Detect and handle instructions that would cause a page fault for -@@ -1024,7 +1259,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1026,7 +1261,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ 
@@ -27215,7 +27151,7 @@ index 249ad57..da3a8c4 100644 local_irq_enable(); error_code |= PF_USER; } else { -@@ -1078,6 +1313,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1080,6 +1315,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) might_sleep(); } @@ -27227,7 +27163,7 @@ index 249ad57..da3a8c4 100644 vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1089,18 +1329,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1091,18 +1331,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) bad_area(regs, error_code, address); return; } @@ -27263,7 +27199,7 @@ index 249ad57..da3a8c4 100644 if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1144,3 +1390,292 @@ good_area: +@@ -1146,3 +1392,292 @@ good_area: up_read(&mm->mmap_sem); } @@ -28310,7 +28246,7 @@ index 30938c1..bda3d5d 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 7d095ad..704b879 100644 +index ccbc61b..704b879 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -123,7 +123,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) @@ -28389,17 +28325,7 @@ index 7d095ad..704b879 100644 /* clear_bss() already clear the empty_zero_page */ reservedpages = 0; -@@ -839,6 +845,9 @@ int kern_addr_valid(unsigned long addr) - if (pud_none(*pud)) - return 0; - -+ if (pud_large(*pud)) -+ return pfn_valid(pud_pfn(*pud)); -+ - pmd = pmd_offset(pud, addr); - if (pmd_none(*pmd)) - return 0; -@@ -861,8 +870,8 @@ int kern_addr_valid(unsigned long addr) +@@ -864,8 +870,8 @@ int kern_addr_valid(unsigned long addr) static struct vm_area_struct gate_vma = { .vm_start = VSYSCALL_START, .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), 
@@ -28410,7 +28336,7 @@ index 7d095ad..704b879 100644 }; struct vm_area_struct *get_gate_vma(struct task_struct *tsk) -@@ -896,7 +905,7 @@ int in_gate_area_no_task(unsigned long addr) +@@ -899,7 +905,7 @@ int in_gate_area_no_task(unsigned long addr) const char *arch_vma_name(struct vm_area_struct *vma) { @@ -30037,7 +29963,7 @@ index 21e1aeb..2c0b3c4 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index d52f895..3bcb11b 100644 +index 126a093..c9313db 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -30087,7 +30013,7 @@ index d52f895..3bcb11b 100644 end = start + __get_cpu_var(idt_desc).size + 1; xen_mc_flush(); -@@ -996,25 +992,25 @@ static const struct pv_apic_ops xen_apic_ops __initdata = { +@@ -1012,25 +1008,25 @@ static const struct pv_apic_ops xen_apic_ops __initdata = { #endif }; @@ -30119,7 +30045,7 @@ index d52f895..3bcb11b 100644 { xen_reboot(SHUTDOWN_poweroff); } -@@ -1062,10 +1058,10 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1078,10 +1074,10 @@ asmlinkage void __init xen_start_kernel(void) /* Install Xen paravirt ops */ pv_info = xen_info; @@ -30134,7 +30060,7 @@ index d52f895..3bcb11b 100644 x86_init.resources.memory_setup = xen_memory_setup; x86_init.oem.arch_setup = xen_arch_setup; -@@ -1098,9 +1094,20 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1114,9 +1110,20 @@ asmlinkage void __init xen_start_kernel(void) */ __userpte_alloc_gfp &= ~__GFP_HIGHMEM; @@ -30157,7 +30083,7 @@ index d52f895..3bcb11b 100644 #endif xen_setup_features(); -@@ -1132,13 +1139,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1148,13 +1155,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -30291,7 +30217,7 @@ index a96204a..4d2ebba 100644 xen_init_spinlocks(); } 
diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S -index 9a95a9c..c457aa7 100644 +index d05bd11..c457aa7 100644 --- a/arch/x86/xen/xen-asm_32.S +++ b/arch/x86/xen/xen-asm_32.S @@ -83,16 +83,16 @@ ENTRY(xen_iret) @@ -30304,43 +30230,20 @@ index 9a95a9c..c457aa7 100644 */ #ifdef CONFIG_SMP - GET_THREAD_INFO(%eax) -- movl TI_cpu(%eax), %eax -- movl __per_cpu_offset(,%eax,4), %eax -- mov per_cpu__xen_vcpu(%eax), %eax +- movl %ss:TI_cpu(%eax), %eax +- movl %ss:__per_cpu_offset(,%eax,4), %eax +- mov %ss:per_cpu__xen_vcpu(%eax), %eax + push %fs + mov $(__KERNEL_PERCPU), %eax + mov %eax, %fs + mov PER_CPU_VAR(xen_vcpu), %eax + pop %fs #else -- movl per_cpu__xen_vcpu, %eax +- movl %ss:per_cpu__xen_vcpu, %eax + movl %ss:xen_vcpu, %eax #endif /* check IF state we're restoring */ -@@ -105,11 +105,11 @@ ENTRY(xen_iret) - * resuming the code, so we don't have to be worried about - * being preempted to another CPU. - */ -- setz XEN_vcpu_info_mask(%eax) -+ setz %ss:XEN_vcpu_info_mask(%eax) - xen_iret_start_crit: - - /* check for unmasked and pending */ -- cmpw $0x0001, XEN_vcpu_info_pending(%eax) -+ cmpw $0x0001, %ss:XEN_vcpu_info_pending(%eax) - - /* - * If there's something pending, mask events again so we can -@@ -117,7 +117,7 @@ xen_iret_start_crit: - * touch XEN_vcpu_info_mask. - */ - jne 1f -- movb $1, XEN_vcpu_info_mask(%eax) -+ movb $1, %ss:XEN_vcpu_info_mask(%eax) - - 1: popl %eax - diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S index 1a5ff24..a187d40 100644 --- a/arch/x86/xen/xen-head.S @@ -30616,7 +30519,7 @@ index a847046..75a1746 100644 .store = elv_attr_store, }; diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c -index 2be0a97..bded3fd 100644 +index 123eb17..614fbd1 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c @@ -221,8 +221,20 @@ EXPORT_SYMBOL(blk_verify_command); @@ -30671,7 +30574,7 @@ index 2be0a97..bded3fd 100644 goto error; 
diff --git a/crypto/cryptd.c b/crypto/cryptd.c -index 3533582..0efffdb 100644 +index 9e1bf69..0efffdb 100644 --- a/crypto/cryptd.c +++ b/crypto/cryptd.c @@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx { @@ -30683,28 +30586,6 @@ index 3533582..0efffdb 100644 struct cryptd_hash_ctx { struct crypto_shash *child; -@@ -116,13 +116,18 @@ static void cryptd_queue_worker(struct work_struct *work) - struct crypto_async_request *req, *backlog; - - cpu_queue = container_of(work, struct cryptd_cpu_queue, work); -- /* Only handle one request at a time to avoid hogging crypto -- * workqueue. preempt_disable/enable is used to prevent -- * being preempted by cryptd_enqueue_request() */ -+ /* -+ * Only handle one request at a time to avoid hogging crypto workqueue. -+ * preempt_disable/enable is used to prevent being preempted by -+ * cryptd_enqueue_request(). local_bh_disable/enable is used to prevent -+ * cryptd_enqueue_request() being accessed from software interrupts. -+ */ -+ local_bh_disable(); - preempt_disable(); - backlog = crypto_get_backlog(&cpu_queue->queue); - req = crypto_dequeue_request(&cpu_queue->queue); - preempt_enable(); -+ local_bh_enable(); - - if (!req) - return; diff --git a/crypto/gf128mul.c b/crypto/gf128mul.c index a90d260..7a9765e 100644 --- a/crypto/gf128mul.c @@ -33595,7 +33476,7 @@ index 2e9635b..32927b4 100644 } diff --git a/drivers/base/bus.c b/drivers/base/bus.c -index 63c143e..fece183 100644 +index 6f1ba10..2c26804 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kobject *kobj, struct attribute *attr, @@ -42457,7 +42338,7 @@ index a5d585d..d087be3 100644 .store = kobj_pkt_store }; diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index a4592ec..432659a 100644 +index a4592ec..9236a27 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -410,7 +410,6 @@ int register_cdrom(struct cdrom_device_info *cdi) 
@@ -42490,6 +42371,24 @@ index a4592ec..432659a 100644 cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name); } +@@ -2047,7 +2048,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf, + */ + nr = nframes; + do { +- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); ++ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); + if (cgc.buffer) + break; + +@@ -2822,7 +2823,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c index a762283..57cb232 100644 --- a/drivers/cdrom/gdrom.c @@ -42885,22 +42784,6 @@ index 266b858..f3ee0bb 100644 return 0; return HVCS_BUFF_LEN - hvcsd->chars_in_buffer; -diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c -index 7b98c06..a65a574 100644 ---- a/drivers/char/ipmi/ipmi_bt_sm.c -+++ b/drivers/char/ipmi/ipmi_bt_sm.c -@@ -95,9 +95,9 @@ struct si_sm_data { - enum bt_states state; - unsigned char seq; /* BT sequence number */ - struct si_sm_io *io; -- unsigned char write_data[IPMI_MAX_MSG_LENGTH]; -+ unsigned char write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ - int write_count; -- unsigned char read_data[IPMI_MAX_MSG_LENGTH]; -+ unsigned char read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ - int read_count; - int truncated; - long timeout; /* microseconds countdown */ diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index ec5e3f8..02455ba 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c 
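Review bot: In the added cdrom.c hunk, `cdrom_read_cdda_old()` still sizes its buffer with the open-coded product `CD_FRAMESIZE_RAW * nr`. Since the line is being switched to a zeroing allocator anyway, `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` would zero the buffer and also fail cleanly if the product overflows. Whether `nr` is already bounded cannot be seen here, because both patched functions start and end outside the hunk. Zeroing only ensures that bytes the drive did not fill are not stale heap contents; the code that later hands the buffer to the caller is not visible, and should ideally copy no more than the length actually transferred. A short comment at both allocations, such as `/* zeroed: a short transfer must not expose old heap data */`, would record why `kzalloc` is used.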
@@ -43229,6 +43112,18 @@ index 918711a..4ffaf5e 100644 .res = 0, .clock_set = sgi_clock_set, .clock_get = sgi_clock_get, +diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c +index c689697..04e6d6a 100644 +--- a/drivers/char/mwave/tp3780i.c ++++ b/drivers/char/mwave/tp3780i.c +@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities + PRINTK_2(TRACE_TP3780I, + "tp3780i::tp3780I_QueryAbilities entry pBDData %p\n", pBDData); + ++ memset(pAbilities, 0, sizeof(*pAbilities)); + /* fill out standard constant fields */ + pAbilities->instr_per_sec = pBDData->rDspSettings.uIps; + pAbilities->data_size = pBDData->rDspSettings.uDStoreSize; diff --git a/drivers/char/pcmcia/ipwireless/tty.c b/drivers/char/pcmcia/ipwireless/tty.c index 674b3ab..a8d1970 100644 --- a/drivers/char/pcmcia/ipwireless/tty.c @@ -68617,10 +68512,10 @@ index bc3e363..e1a8e50 100644 return errsts; memset(arr, 0, sizeof(arr)); diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index e28f9b0..030e4b5 100644 +index 933f1c5..268b9fc 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c -@@ -1400,7 +1400,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) +@@ -1402,7 +1402,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) shost = sdev->host; scsi_init_cmd_errh(cmd); cmd->result = DID_NO_CONNECT << 16; @@ -68629,7 +68524,7 @@ index e28f9b0..030e4b5 100644 /* * SCSI request completion path will do scsi_device_unbusy(), -@@ -1431,9 +1431,9 @@ static void scsi_softirq_done(struct request *rq) +@@ -1433,9 +1433,9 @@ static void scsi_softirq_done(struct request *rq) */ cmd->serial_number = 0; @@ -70685,10 +70580,10 @@ index cda26bb4..39fed3f 100644 .open = b3dfg_open, .release = b3dfg_release, diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c -index 908f25a..c9a579b 100644 +index 90810e8..e0b398d 100644 
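Review bot: The added `memset(pAbilities, 0, sizeof(*pAbilities));` in `tp3780I_QueryAbilities()` has no comment saying why the whole structure is cleared before the field assignments that follow. Presumably the caller returns this structure to user space, so any field or padding the function leaves unset would otherwise carry stale kernel memory; that caller is not visible in this hunk. I would add `/* clear everything, padding included: unset bytes must not reach the caller */` above the call. The function body continues outside the hunk, so it cannot be confirmed from here which fields remain unassigned.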
--- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c -@@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct *area) +@@ -1388,7 +1388,7 @@ void comedi_unmap(struct vm_area_struct *area) mutex_unlock(&dev->mutex); } @@ -71369,7 +71264,7 @@ index 0c8267a..db1f363 100644 }; diff --git a/drivers/telephony/ixj.c b/drivers/telephony/ixj.c -index 40de151..924f268 100644 +index 56eb6cc..fabe98a 100644 --- a/drivers/telephony/ixj.c +++ b/drivers/telephony/ixj.c @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j) 
@@ -71591,76 +71486,6 @@ index fbea856..06efea6 100644 if (!left--) { if (instance->disconnected) -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c -index 37f2899..6ca1363 100644 ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -52,7 +52,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); - #define WDM_READ 4 - #define WDM_INT_STALL 5 - #define WDM_POLL_RUNNING 6 -- -+#define WDM_OVERFLOW 10 - - #define WDM_MAX 16 - -@@ -115,6 +115,7 @@ static void wdm_in_callback(struct urb *urb) - { - struct wdm_device *desc = urb->context; - int status = urb->status; -+ int length = urb->actual_length; - - spin_lock(&desc->iuspin); - -@@ -144,9 +145,17 @@ static void wdm_in_callback(struct urb *urb) - } - - desc->rerr = status; -- desc->reslength = urb->actual_length; -- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); -- desc->length += desc->reslength; -+ if (length + desc->length > desc->wMaxCommand) { -+ /* The buffer would overflow */ -+ set_bit(WDM_OVERFLOW, &desc->flags); -+ } else { -+ /* we may already be in overflow */ -+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { -+ memmove(desc->ubuf + desc->length, desc->inbuf, length); -+ desc->length += length; -+ desc->reslength = length; -+ } -+ } - wake_up(&desc->wait); - - set_bit(WDM_READ, &desc->flags); -@@ -398,6 +407,11 @@ retry: - rv = -ENODEV; - goto err; - } -+ if (test_bit(WDM_OVERFLOW, &desc->flags)) { -+ clear_bit(WDM_OVERFLOW, &desc->flags); -+ rv = -ENOBUFS; -+ goto err; -+ } - i++; - if (file->f_flags & O_NONBLOCK) { - if (!test_bit(WDM_READ, &desc->flags)) { -@@ -440,6 +454,7 @@ retry: - spin_unlock_irq(&desc->iuspin); - goto retry; - } -+ - if (!desc->reslength) { /* zero length read */ - dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); - clear_bit(WDM_READ, &desc->flags); -@@ -844,6 +859,7 @@ static int wdm_post_reset(struct usb_interface *intf) - struct wdm_device *desc = usb_get_intfdata(intf); - int rv; - -+ 
clear_bit(WDM_OVERFLOW, &desc->flags); - rv = recover_from_urb_loss(desc); - mutex_unlock(&desc->plock); - return 0; diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index 24e6205..b94523b 100644 --- a/drivers/usb/core/hcd.c @@ -75614,7 +75439,7 @@ index 0133b5a..3710d09 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index a64fde6..f7af3a5e 100644 +index c564293..ff3b755 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -31,6 +31,7 @@ @@ -76342,7 +76167,7 @@ index a64fde6..f7af3a5e 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1973,7 +2428,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -1962,7 +2417,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -76351,7 +76176,7 @@ index a64fde6..f7af3a5e 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2006,7 +2461,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -1995,7 +2450,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un unsigned long addr; unsigned long end; @@ -76360,7 +76185,7 @@ index a64fde6..f7af3a5e 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2015,6 +2470,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2004,6 +2459,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); 
@@ -76368,7 +76193,7 @@ index a64fde6..f7af3a5e 100644 stop = ((size += PAGE_SIZE) > limit) || !dump_write(file, kaddr, PAGE_SIZE); kunmap(page); -@@ -2042,6 +2498,97 @@ out: +@@ -2031,6 +2487,97 @@ out: #endif /* USE_ELF_CORE_DUMP */ @@ -77942,19 +77767,10 @@ index 0adced2..bbb1b0d 100644 /* diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c -index d84e705..d8c364c 100644 +index 98d3c58..cca44ae 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c -@@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, unsigned - up = (struct compat_video_spu_palette __user *) arg; - err = get_user(palp, &up->palette); - err |= get_user(length, &up->length); -+ if (err) -+ return -EFAULT; - - up_native = compat_alloc_user_space(sizeof(struct video_spu_palette)); - err = put_user(compat_ptr(palp), &up_native->palette); -@@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, unsigned long arg) +@@ -1516,7 +1516,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, unsigned long arg) return -EFAULT; if (__get_user(udata, &ss32->iomem_base)) return -EFAULT; @@ -77963,7 +77779,7 @@ index d84e705..d8c364c 100644 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || __get_user(ss.port_high, &ss32->port_high)) return -EFAULT; -@@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(struct file *file, unsigned long arg) +@@ -1812,7 +1812,7 @@ static int compat_ioctl_preallocate(struct file *file, unsigned long arg) copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) || @@ -78188,10 +78004,10 @@ index 3c1dbc0..250e1b4 100644 if (rc < 0) goto out_free; diff --git a/fs/eventpoll.c b/fs/eventpoll.c -index ff57421..f65f88a 100644 +index 83fbd64..8353dce 100644 --- a/fs/eventpoll.c 
+++ b/fs/eventpoll.c -@@ -1488,8 +1488,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) +@@ -1508,8 +1508,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) error = PTR_ERR(file); goto out_free_fd; } @@ -78202,7 +78018,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..a435ef7 100644 +index feb2435..4f60348 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,34 @@ @@ -78536,8 +78352,8 @@ index 86fafc6..a435ef7 100644 + mutex_unlock(¤t->signal->cred_guard_mutex); abort_creds(bprm->cred); } - kfree(bprm); -@@ -1126,13 +1201,13 @@ void install_exec_creds(struct linux_binprm *bprm) + /* If a binfmt changed the interp, free it. */ +@@ -1141,13 +1216,13 @@ void install_exec_creds(struct linux_binprm *bprm) * credentials; any time after this it may be unlocked. */ security_bprm_committed_creds(bprm); @@ -78553,7 +78369,7 @@ index 86fafc6..a435ef7 100644 * PTRACE_ATTACH */ int check_unsafe_exec(struct linux_binprm *bprm) -@@ -1152,7 +1227,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1167,7 +1242,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -78562,7 +78378,7 @@ index 86fafc6..a435ef7 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1339,6 +1414,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +@@ -1354,6 +1429,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); @@ -78584,7 +78400,7 @@ index 86fafc6..a435ef7 100644 /* * sys_execve() executes a new program. */ -@@ -1347,11 +1437,35 @@ int do_execve(char * filename, +@@ -1362,11 +1452,35 @@ int do_execve(char * filename, char __user *__user *envp, struct pt_regs * regs) { @@ -78620,7 +78436,7 @@ index 86fafc6..a435ef7 100644 retval = unshare_files(&displaced); if (retval) -@@ -1377,12 +1491,27 @@ int do_execve(char * filename, +@@ -1392,12 +1506,27 @@ int do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; 
@@ -78648,7 +78464,7 @@ index 86fafc6..a435ef7 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1399,25 +1528,66 @@ int do_execve(char * filename, +@@ -1414,25 +1543,66 @@ int do_execve(char * filename, if (retval < 0) goto out; @@ -78719,7 +78535,7 @@ index 86fafc6..a435ef7 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1426,6 +1596,14 @@ int do_execve(char * filename, +@@ -1441,6 +1611,14 @@ int do_execve(char * filename, put_files_struct(displaced); return retval; @@ -78734,7 +78550,7 @@ index 86fafc6..a435ef7 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1591,6 +1769,251 @@ out: +@@ -1606,6 +1784,251 @@ out: return ispipe; } @@ -78986,7 +78802,7 @@ index 86fafc6..a435ef7 100644 static int zap_process(struct task_struct *start) { struct task_struct *t; -@@ -1793,17 +2216,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -1808,17 +2231,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -79009,7 +78825,7 @@ index 86fafc6..a435ef7 100644 pipe_unlock(pipe); } -@@ -1826,10 +2249,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1841,10 +2264,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) char **helper_argv = NULL; int helper_argc = 0; int dump_count = 0; @@ -79024,7 +78840,7 @@ index 86fafc6..a435ef7 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -1874,6 +2300,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1889,6 +2315,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) */ clear_thread_flag(TIF_SIGPENDING); 
@@ -79033,7 +78849,7 @@ index 86fafc6..a435ef7 100644 /* * lock_kernel() because format_corename() is controlled by sysctl, which * uses lock_kernel() -@@ -1908,7 +2336,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1923,7 +2351,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) goto fail_unlock; } @@ -79042,7 +78858,7 @@ index 86fafc6..a435ef7 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -1972,7 +2400,7 @@ close_fail: +@@ -1987,7 +2415,7 @@ close_fail: filp_close(file, NULL); fail_dropcount: if (dump_count) @@ -79140,7 +78956,7 @@ index 2a60541..7439d61 100644 } } diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index efe6363..f9e1b6e 100644 +index babf448..4200057 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -2179,6 +2179,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd, @@ -79152,7 +78968,7 @@ index efe6363..f9e1b6e 100644 nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE); if (nr_pages == 0) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 42bac1b..0aab9d8 100644 +index cecf2a5..a79685e 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -79164,7 +78980,7 @@ index 42bac1b..0aab9d8 100644 break; } -@@ -2131,7 +2131,7 @@ repeat: +@@ -2135,7 +2135,7 @@ repeat: ac->ac_status = AC_STATUS_CONTINUE; ac->ac_flags |= EXT4_MB_HINT_FIRST; cr = 3; @@ -79173,7 +78989,7 @@ index 42bac1b..0aab9d8 100644 goto repeat; } } -@@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v) +@@ -2178,6 +2178,8 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v) ext4_grpblk_t counters[16]; } sg; 
@@ -79182,7 +78998,7 @@ index 42bac1b..0aab9d8 100644 group--; if (group == 0) seq_printf(seq, "#%-5s: %-5s %-5s %-5s " -@@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *sb) +@@ -2538,25 +2540,25 @@ int ext4_mb_release(struct super_block *sb) if (sbi->s_mb_stats) { printk(KERN_INFO "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n", @@ -79218,7 +79034,7 @@ index 42bac1b..0aab9d8 100644 } free_percpu(sbi->s_locality_groups); -@@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac) +@@ -3038,16 +3040,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac) struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb); if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) { @@ -79241,7 +79057,7 @@ index 42bac1b..0aab9d8 100644 } if (ac->ac_op == EXT4_MB_HISTORY_ALLOC) -@@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) +@@ -3447,7 +3449,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) trace_ext4_mb_new_inode_pa(ac, pa); ext4_mb_use_inode_pa(ac, pa); @@ -79250,7 +79066,7 @@ index 42bac1b..0aab9d8 100644 ei = EXT4_I(ac->ac_inode); grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); -@@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac) +@@ -3507,7 +3509,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac) trace_ext4_mb_new_group_pa(ac, pa); ext4_mb_use_group_pa(ac, pa); @@ -79259,7 +79075,7 @@ index 42bac1b..0aab9d8 100644 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); lg = ac->ac_lg; -@@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh, +@@ -3611,7 +3613,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh, * from the bitmap and continue. */ } 
@@ -79268,7 +79084,7 @@ index 42bac1b..0aab9d8 100644 return err; } -@@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b, +@@ -3630,7 +3632,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b, ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit); BUG_ON(group != e4b->bd_group && pa->pa_len != 0); mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len); @@ -79278,10 +79094,10 @@ index 42bac1b..0aab9d8 100644 if (ac) { ac->ac_sb = sb; diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index f1e7077..edd86b2 100644 +index 108515f..c53b6bd 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -2286,7 +2286,7 @@ static void ext4_sb_release(struct kobject *kobj) +@@ -2297,7 +2297,7 @@ static void ext4_sb_release(struct kobject *kobj) } @@ -79291,18 +79107,9 @@ index f1e7077..edd86b2 100644 .store = ext4_attr_store, }; diff --git a/fs/fat/inode.c b/fs/fat/inode.c -index 76b7961..ca5f1c9 100644 +index c187e92..ca5f1c9 100644 --- a/fs/fat/inode.c +++ b/fs/fat/inode.c -@@ -558,7 +558,7 @@ static int fat_statfs(struct dentry *dentry, struct kstatfs *buf) - buf->f_bavail = sbi->free_clusters; - buf->f_fsid.val[0] = (u32)id; - buf->f_fsid.val[1] = (u32)(id >> 32); -- buf->f_namelen = sbi->options.isvfat ? 260 : 12; -+ buf->f_namelen = sbi->options.isvfat ? FAT_LFN_LEN : 12; - - return 0; - } @@ -1206,6 +1206,19 @@ static int fat_read_root(struct inode *inode) return 0; } 
@@ -79332,41 +79139,6 @@ index 76b7961..ca5f1c9 100644 total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); if (total_clusters > MAX_FAT(sb)) { if (!silent) -diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c -index 72646e2..4251f35 100644 ---- a/fs/fat/namei_vfat.c -+++ b/fs/fat/namei_vfat.c -@@ -499,17 +499,18 @@ xlate_to_uni(const unsigned char *name, int len, unsigned char *outname, - int charlen; - - if (utf8) { -- *outlen = utf8s_to_utf16s(name, len, (wchar_t *)outname); -+ *outlen = utf8s_to_utf16s(name, len, UTF16_HOST_ENDIAN, -+ (wchar_t *) outname, FAT_LFN_LEN + 2); - if (*outlen < 0) - return *outlen; -- else if (*outlen > 255) -+ else if (*outlen > FAT_LFN_LEN) - return -ENAMETOOLONG; - - op = &outname[*outlen * sizeof(wchar_t)]; - } else { - if (nls) { - for (i = 0, ip = name, op = outname, *outlen = 0; -- i < len && *outlen <= 255; -+ i < len && *outlen <= FAT_LFN_LEN; - *outlen += 1) - { - if (escape && (*ip == ':')) { -@@ -549,7 +550,7 @@ xlate_to_uni(const unsigned char *name, int len, unsigned char *outname, - return -ENAMETOOLONG; - } else { - for (i = 0, ip = name, op = outname, *outlen = 0; -- i < len && *outlen <= 255; -+ i < len && *outlen <= FAT_LFN_LEN; - i++, *outlen += 1) - { - *op++ = *ip++; diff --git a/fs/fcntl.c b/fs/fcntl.c index 97e01dc..e9aab2d 100644 --- a/fs/fcntl.c @@ -80586,7 +80358,7 @@ index c598ea4..6aac13e 100644 for (loop = 0; loop < pagevec->nr; loop++) { diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c -index 46435f3a..8cddf18 100644 +index 4fd7e1c..85f33b3 100644 --- a/fs/fscache/stats.c +++ b/fs/fscache/stats.c @@ -18,95 +18,95 @@ 
@@ -81125,19 +80897,6 @@ index f4300ff7..6ec38b2 100644 if (filp->f_pos >= inode->i_size) return 0; -diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c -index 0022eec..b3d234e 100644 ---- a/fs/hfsplus/extents.c -+++ b/fs/hfsplus/extents.c -@@ -447,7 +447,7 @@ void hfsplus_file_truncate(struct inode *inode) - struct address_space *mapping = inode->i_mapping; - struct page *page; - void *fsdata; -- u32 size = inode->i_size; -+ loff_t size = inode->i_size; - int res; - - res = pagecache_write_begin(NULL, mapping, size, 0, diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c index 1bcf597..905a251 100644 --- a/fs/hfsplus/inode.c @@ -81285,18 +81044,6 @@ index 6c75110..19d2c3c 100644 error = -EFAULT; return error; -diff --git a/fs/isofs/export.c b/fs/isofs/export.c -index e81a305..caec670 100644 ---- a/fs/isofs/export.c -+++ b/fs/isofs/export.c -@@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry, - len = 3; - fh32[0] = ei->i_iget5_block; - fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ -+ fh16[3] = 0; /* avoid leaking uninitialized data */ - fh32[2] = inode->i_generation; - if (connectable && !S_ISDIR(inode->i_mode)) { - struct inode *parent; diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c index b0435dd..81ee0be 100644 --- a/fs/jbd/checkpoint.c @@ -82275,7 +82022,7 @@ index cfc3391..dcc083a 100644 (long long) lock->lk_offset, (long long) lock->lk_length); diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 6d27757..616507d 100644 +index ab87b05..40e41fe 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -268,7 +268,7 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval, 
@@ -82350,78 +82097,6 @@ index f6af760..d0adf34 100644 len = argv[n].v_size * argv[n].v_nmembs; base = (void __user *)(unsigned long)argv[n].v_base; if (len == 0) { -diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c -index 44a88a9..0eb059ec 100644 ---- a/fs/nls/nls_base.c -+++ b/fs/nls/nls_base.c -@@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen) - } - EXPORT_SYMBOL(utf32_to_utf8); - --int utf8s_to_utf16s(const u8 *s, int len, wchar_t *pwcs) -+static inline void put_utf16(wchar_t *s, unsigned c, enum utf16_endian endian) -+{ -+ switch (endian) { -+ default: -+ *s = (wchar_t) c; -+ break; -+ case UTF16_LITTLE_ENDIAN: -+ *s = __cpu_to_le16(c); -+ break; -+ case UTF16_BIG_ENDIAN: -+ *s = __cpu_to_be16(c); -+ break; -+ } -+} -+ -+int utf8s_to_utf16s(const u8 *s, int len, enum utf16_endian endian, -+ wchar_t *pwcs, int maxlen) - { - u16 *op; - int size; - unicode_t u; - - op = pwcs; -- while (*s && len > 0) { -+ while (len > 0 && maxlen > 0 && *s) { - if (*s & 0x80) { - size = utf8_to_utf32(s, len, &u); - if (size < 0) - return -EINVAL; -+ s += size; -+ len -= size; - - if (u >= PLANE_SIZE) { -+ if (maxlen < 2) -+ break; - u -= PLANE_SIZE; -- *op++ = (wchar_t) (SURROGATE_PAIR | -- ((u >> 10) & SURROGATE_BITS)); -- *op++ = (wchar_t) (SURROGATE_PAIR | -+ put_utf16(op++, SURROGATE_PAIR | -+ ((u >> 10) & SURROGATE_BITS), -+ endian); -+ put_utf16(op++, SURROGATE_PAIR | - SURROGATE_LOW | -- (u & SURROGATE_BITS)); -+ (u & SURROGATE_BITS), -+ endian); -+ maxlen -= 2; - } else { -- *op++ = (wchar_t) u; -+ put_utf16(op++, u, endian); -+ maxlen--; - } -- s += size; -- len -= size; - } else { -- *op++ = *s++; -+ put_utf16(op++, *s++, endian); - len--; -+ maxlen--; - } - } - return op - pwcs; diff --git a/fs/notify/dnotify/dnotify.c b/fs/notify/dnotify/dnotify.c index 7e54e52..9337248 100644 --- a/fs/notify/dnotify/dnotify.c @@ -84995,10 +84670,10 @@ index 00b2909..2ace383 100644 __putname(s); } 
diff --git a/fs/splice.c b/fs/splice.c -index bb92b7c5..5aa72b0 100644 +index cdad986..a0ea75c 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, +@@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, pipe_lock(pipe); for (;;) { @@ -85007,7 +84682,7 @@ index bb92b7c5..5aa72b0 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, +@@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, do_wakeup = 0; } @@ -85019,7 +84694,7 @@ index bb92b7c5..5aa72b0 100644 } pipe_unlock(pipe); -@@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, +@@ -286,6 +286,8 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, .spd_release = spd_release_page, }; @@ -85028,7 +84703,7 @@ index bb92b7c5..5aa72b0 100644 index = *ppos >> PAGE_CACHE_SHIFT; loff = *ppos & ~PAGE_CACHE_MASK; req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; -@@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, +@@ -522,7 +524,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -85037,7 +84712,7 @@ index bb92b7c5..5aa72b0 100644 set_fs(old_fs); return res; -@@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, +@@ -537,7 +539,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ 
@@ -85046,7 +84721,7 @@ index bb92b7c5..5aa72b0 100644 set_fs(old_fs); return res; -@@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, +@@ -566,6 +568,8 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, .spd_release = spd_release_page, }; @@ -85055,7 +84730,7 @@ index bb92b7c5..5aa72b0 100644 index = *ppos >> PAGE_CACHE_SHIFT; offset = *ppos & ~PAGE_CACHE_MASK; nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; -@@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, +@@ -579,7 +583,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, goto err; this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset); @@ -85064,7 +84739,7 @@ index bb92b7c5..5aa72b0 100644 vec[i].iov_len = this_len; pages[i] = page; spd.nr_pages++; -@@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); +@@ -805,10 +809,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd) { while (!pipe->nrbufs) { @@ -85077,7 +84752,7 @@ index bb92b7c5..5aa72b0 100644 return 0; if (sd->flags & SPLICE_F_NONBLOCK) -@@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, +@@ -1145,7 +1149,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, * out of the pipe right after the splice_to_pipe(). So set * PIPE_READERS appropriately. */ @@ -85086,7 +84761,7 @@ index bb92b7c5..5aa72b0 100644 current->splice_pipe = pipe; } -@@ -1593,6 +1597,8 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, +@@ -1598,6 +1602,8 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, .spd_release = spd_release_page, }; 
@@ -85095,7 +84770,7 @@ index bb92b7c5..5aa72b0 100644 pipe = pipe_info(file->f_path.dentry->d_inode); if (!pipe) return -EBADF; -@@ -1701,9 +1707,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1706,9 +1712,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -85107,7 +84782,7 @@ index bb92b7c5..5aa72b0 100644 if (flags & SPLICE_F_NONBLOCK) { ret = -EAGAIN; break; -@@ -1735,7 +1741,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1740,7 +1746,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) pipe_lock(pipe); while (pipe->nrbufs >= PIPE_BUFFERS) { @@ -85116,7 +84791,7 @@ index bb92b7c5..5aa72b0 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; break; -@@ -1748,9 +1754,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1753,9 +1759,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -85128,7 +84803,7 @@ index bb92b7c5..5aa72b0 100644 } pipe_unlock(pipe); -@@ -1786,14 +1792,14 @@ retry: +@@ -1791,14 +1797,14 @@ retry: pipe_double_lock(ipipe, opipe); do { @@ -85145,7 +84820,7 @@ index bb92b7c5..5aa72b0 100644 break; /* -@@ -1893,7 +1899,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1898,7 +1904,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, pipe_double_lock(ipipe, opipe); do { @@ -85154,7 +84829,7 @@ index bb92b7c5..5aa72b0 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -1938,7 +1944,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1943,7 +1949,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, * return EAGAIN if we have the potential of some data in the * future, otherwise just return 0 */ @@ -85202,7 +84877,7 @@ index c4ecd52..a8fca7d 100644 generic_fillattr(inode, stat); return 0; 
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c -index e020183..18d64b4 100644 +index 5e7279a..8d792b4 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c @@ -678,6 +678,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd, @@ -85349,7 +85024,7 @@ index 1e06853..b06d325 100644 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count, partmap->s_partition_len); diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 6d24c2c..fff470f 100644 +index 3c4ffb2..d0a9d92 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block, @@ -85374,18 +85049,6 @@ index 9215700..bf1f68e 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) -diff --git a/fs/udf/namei.c b/fs/udf/namei.c -index 21dad8c..b754151 100644 ---- a/fs/udf/namei.c -+++ b/fs/udf/namei.c -@@ -1331,6 +1331,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp, - *lenp = 3; - fid->udf.block = location.logicalBlockNum; - fid->udf.partref = location.partitionReferenceNum; -+ fid->udf.parent_partref = 0; - fid->udf.generation = inode->i_generation; - - if (connectable && !S_ISDIR(inode->i_mode)) { diff --git a/fs/udf/super.c b/fs/udf/super.c index 0045ebc..d069fda 100644 --- a/fs/udf/super.c @@ -96738,7 +96401,7 @@ index 0f5f578..8c4f884 100644 extern void backlight_force_update(struct backlight_device *bd, enum backlight_update_reason reason); diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index a3d802e..93a2ef4 100644 +index 9ffffec..2c35c79 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -18,7 +18,7 @@ struct pt_regs; 
@@ -96758,7 +96421,7 @@ index a3d802e..93a2ef4 100644 }; extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages); -@@ -83,6 +84,7 @@ struct linux_binfmt { +@@ -81,6 +82,7 @@ struct linux_binfmt { int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); int (*load_shlib)(struct file *); int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit); @@ -96767,10 +96430,10 @@ index a3d802e..93a2ef4 100644 int hasvdso; }; diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 5eb6cb0..a2906d2 100644 +index ec9c10b..dc26428 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h -@@ -1281,7 +1281,7 @@ struct block_device_operations { +@@ -1279,7 +1279,7 @@ struct block_device_operations { int (*revalidate_disk) (struct gendisk *); int (*getgeo)(struct block_device *, struct hd_geometry *); struct module *owner; @@ -99340,7 +99003,7 @@ index 6adcc29..13369e8 100644 extern int kgdb_hex2long(char **ptr, unsigned long *long_val); extern int kgdb_mem2hex(char *mem, char *buf, int count); diff --git a/include/linux/kmod.h b/include/linux/kmod.h -index 0546fe7..2a22bc1 100644 +index 93e732e..e86feaf 100644 --- a/include/linux/kmod.h +++ b/include/linux/kmod.h @@ -31,6 +31,8 @@ 
@@ -100020,28 +99683,6 @@ index 82a9124..8a5f622 100644 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\ sizeof(array[0]), array }; \ __module_param_call(MODULE_PARAM_PREFIX, name, \ -diff --git a/include/linux/msdos_fs.h b/include/linux/msdos_fs.h -index ce38f1c..34066e6 100644 ---- a/include/linux/msdos_fs.h -+++ b/include/linux/msdos_fs.h -@@ -15,6 +15,7 @@ - #define MSDOS_DPB_BITS 4 /* log2(MSDOS_DPB) */ - #define MSDOS_DPS (SECTOR_SIZE / sizeof(struct msdos_dir_entry)) - #define MSDOS_DPS_BITS 4 /* log2(MSDOS_DPS) */ -+#define MSDOS_LONGNAME 256 /* maximum name length */ - #define CF_LE_W(v) le16_to_cpu(v) - #define CF_LE_L(v) le32_to_cpu(v) - #define CT_LE_W(v) cpu_to_le16(v) -@@ -47,8 +48,8 @@ - #define DELETED_FLAG 0xe5 /* marks file as deleted when in name[0] */ - #define IS_FREE(n) (!*(n) || *(n) == DELETED_FLAG) - -+#define FAT_LFN_LEN 255 /* maximum long name length */ - #define MSDOS_NAME 11 /* maximum name length */ --#define MSDOS_LONGNAME 256 /* maximum name length */ - #define MSDOS_SLOTS 21 /* max # of slots for short and long names */ - #define MSDOS_DOT ". " /* ".", padded to MSDOS_NAME chars */ - #define MSDOS_DOTDOT ".. " /* "..", padded to MSDOS_NAME chars */ diff --git a/include/linux/mutex.h b/include/linux/mutex.h index 878cab4..c92cb3e 100644 --- a/include/linux/mutex.h 
@@ -100132,29 +99773,6 @@ index 0000000..33f4af8 +}; + +#endif -diff --git a/include/linux/nls.h b/include/linux/nls.h -index d47beef..5dc635f 100644 ---- a/include/linux/nls.h -+++ b/include/linux/nls.h -@@ -43,7 +43,7 @@ enum utf16_endian { - UTF16_BIG_ENDIAN - }; - --/* nls.c */ -+/* nls_base.c */ - extern int register_nls(struct nls_table *); - extern int unregister_nls(struct nls_table *); - extern struct nls_table *load_nls(char *); -@@ -52,7 +52,8 @@ extern struct nls_table *load_nls_default(void); - - extern int utf8_to_utf32(const u8 *s, int len, unicode_t *pu); - extern int utf32_to_utf8(unicode_t u, u8 *s, int maxlen); --extern int utf8s_to_utf16s(const u8 *s, int len, wchar_t *pwcs); -+extern int utf8s_to_utf16s(const u8 *s, int len, -+ enum utf16_endian endian, wchar_t *pwcs, int maxlen); - extern int utf16s_to_utf8s(const wchar_t *pwcs, int len, - enum utf16_endian endian, u8 *s, int maxlen); - diff --git a/include/linux/nodemask.h b/include/linux/nodemask.h index b359c4a..c08b334 100644 --- a/include/linux/nodemask.h 
@@ -100205,34 +99823,6 @@ index 5171639..7cf4235 100644 /** create a directory */ struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root, -diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h -index 6b202b1..f451772 100644 ---- a/include/linux/page-flags.h -+++ b/include/linux/page-flags.h -@@ -362,7 +362,7 @@ static inline int PageCompound(struct page *page) - * pages on the LRU and/or pagecache. - */ - TESTPAGEFLAG(Compound, compound) --__PAGEFLAG(Head, compound) -+__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound) - - /* - * PG_reclaim is used in combination with PG_compound to mark the -@@ -374,8 +374,14 @@ __PAGEFLAG(Head, compound) - * PG_compound & PG_reclaim => Tail page - * PG_compound & ~PG_reclaim => Head page - */ -+#define PG_head_mask ((1L << PG_compound)) - #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim)) - -+static inline int PageHead(struct page *page) -+{ -+ return ((page->flags & PG_head_tail_mask) == PG_head_mask); -+} -+ - static inline int PageTail(struct page *page) - { - return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask); diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h index 3c62ed4..8924c7c 100644 --- a/include/linux/pagemap.h @@ -100383,18 +99973,9 @@ index 379eaed..3471a57 100644 mode_t mode, struct proc_dir_entry *base, read_proc_t *read_proc, void * data) diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index 7456d7d..0021b34 100644 +index 7456d7d..6c1cfc9 100644 --- a/include/linux/ptrace.h 
+++ b/include/linux/ptrace.h -@@ -87,7 +87,7 @@ extern int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned - extern int ptrace_attach(struct task_struct *tsk); - extern int ptrace_detach(struct task_struct *, unsigned int); - extern void ptrace_disable(struct task_struct *); --extern int ptrace_check_attach(struct task_struct *task, int kill); -+extern int ptrace_check_attach(struct task_struct *task, bool ignore_state); - extern int ptrace_request(struct task_struct *child, long request, long addr, long data); - extern void ptrace_notify(int exit_code); - extern void __ptrace_link(struct task_struct *child, @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_struct *child); extern void exit_ptrace(struct task_struct *tracer); #define PTRACE_MODE_READ 1 @@ -100553,7 +100134,7 @@ index 14a86bc..17d0700 100644 /* * CONFIG_RELAY kernel API, kernel/relay.c diff --git a/include/linux/sched.h b/include/linux/sched.h -index 71849bf..9dc8027 100644 +index 73c3b9b..9dc8027 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio; 
@@ -100824,25 +100405,7 @@ index 71849bf..9dc8027 100644 return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -@@ -2459,7 +2568,16 @@ static inline void thread_group_cputime_free(struct signal_struct *sig) - extern void recalc_sigpending_and_wake(struct task_struct *t); - extern void recalc_sigpending(void); - --extern void signal_wake_up(struct task_struct *t, int resume_stopped); -+extern void signal_wake_up_state(struct task_struct *t, unsigned int state); -+ -+static inline void signal_wake_up(struct task_struct *t, bool resume) -+{ -+ signal_wake_up_state(t, resume ? TASK_WAKEKILL : 0); -+} -+static inline void ptrace_signal_wake_up(struct task_struct *t, bool resume) -+{ -+ signal_wake_up_state(t, resume ? __TASK_TRACED : 0); -+} - - /* - * Wrappers for p->thread_info->cpu access. No-op on UP. -@@ -2616,6 +2734,23 @@ static inline unsigned long rlimit_max(unsigned int limit) +@@ -2625,6 +2734,23 @@ static inline unsigned long rlimit_max(unsigned int limit) return task_rlimit_max(current, limit); } @@ -103600,7 +103163,7 @@ index 8a944f5..7c9e099 100644 EXPORT_SYMBOL(capable); +EXPORT_SYMBOL(capable_nolog); diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index 1fbcc74..ceecd77 100644 +index 04a9704..76c3dd1 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -536,6 +536,8 @@ static struct css_set *find_css_set( @@ -103612,7 +103175,7 @@ index 1fbcc74..ceecd77 100644 /* First see if we already have a cgroup group that matches * the desired set */ read_lock(&css_set_lock); -@@ -4124,7 +4126,7 @@ static int cgroup_css_links_read(struct cgroup *cont, +@@ -4122,7 +4124,7 @@ static int cgroup_css_links_read(struct cgroup *cont, struct css_set *cg = link->cg; struct task_struct *task; int count = 0; @@ -104926,10 +104489,10 @@ index 53dae4b..9ba3743 100644 EXPORT_SYMBOL_GPL(kgdb_breakpoint); diff --git a/kernel/kmod.c b/kernel/kmod.c -index a061472..e928a83 100644 +index 8ecc509..8eaf7f6 100644 --- a/kernel/kmod.c 
+++ b/kernel/kmod.c -@@ -68,13 +68,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe"; +@@ -112,9 +112,8 @@ out: * If module auto-loading support is disabled then this function * becomes a no-operation. */ @@ -104940,12 +104503,7 @@ index a061472..e928a83 100644 char module_name[MODULE_NAME_LEN]; unsigned int max_modprobes; int ret; -- char *argv[] = { modprobe_path, "-q", "--", module_name, NULL }; -+ char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL }; - static char *envp[] = { "HOME=/", - "TERM=linux", - "PATH=/sbin:/usr/sbin:/bin:/usr/bin", -@@ -87,12 +86,24 @@ int __request_module(bool wait, const char *fmt, ...) +@@ -126,12 +125,24 @@ int __request_module(bool wait, const char *fmt, ...) if (ret) return ret; @@ -104973,7 +104531,7 @@ index a061472..e928a83 100644 /* If modprobe needs a service that is in a module, we get a recursive * loop. Limit the number of running kmod threads to max_threads/2 or * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method -@@ -126,6 +137,48 @@ int __request_module(bool wait, const char *fmt, ...) +@@ -165,6 +176,48 @@ int __request_module(bool wait, const char *fmt, ...) atomic_dec(&kmod_concurrent); return ret; } @@ -105022,7 +104580,7 @@ index a061472..e928a83 100644 EXPORT_SYMBOL(__request_module); #endif /* CONFIG_MODULES */ -@@ -231,7 +284,7 @@ static int wait_for_helper(void *data) +@@ -283,7 +336,7 @@ static int wait_for_helper(void *data) * * Thus the __user pointer cast is valid here. */ @@ -105031,7 +104589,7 @@ index a061472..e928a83 100644 /* * If ret is 0, either ____call_usermodehelper failed and the -@@ -506,6 +559,11 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, +@@ -561,6 +614,11 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, validate_creds(sub_info->cred); helper_lock(); @@ -106509,7 +106067,7 @@ index fce7198..4f23a7e 100644 { struct pid *pid; 
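Review bot: The rebased kernel/kmod.c section no longer carries the line that appended `module_param` to modprobe's `argv` (`char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };`), and no replacement is visible in this diff. The first kmod.c hunk now begins at `@@ -112,9 +112,8 @@ out:`, so nothing before `__request_module` is patched any more. If 2.6.32.61 moved the argv setup into a helper above that point (not visible here), the patch needs a hunk there that still places `module_param` ahead of the terminating `NULL`. Otherwise the extra argument is built but never reaches modprobe, and any hardening check that depends on it would presumably not run. The function bodies continue outside these hunks, so this should be confirmed against the full 4420 patch before release.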
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c -index 5c9dc22..6971ae8 100644 +index ea83f5d..daca15b 100644 --- a/kernel/posix-cpu-timers.c +++ b/kernel/posix-cpu-timers.c @@ -6,23 +6,25 @@ @@ -106552,7 +106110,7 @@ index 5c9dc22..6971ae8 100644 cleanup_timers(tsk->cpu_timers, tsk->utime, tsk->stime, tsk->se.sum_exec_runtime); -@@ -1697,7 +1701,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block) +@@ -1716,7 +1720,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block) static __init int init_posix_cpu_timers(void) { @@ -106561,7 +106119,7 @@ index 5c9dc22..6971ae8 100644 .clock_getres = process_cpu_clock_getres, .clock_get = process_cpu_clock_get, .clock_set = do_posix_clock_nosettime, -@@ -1705,7 +1709,7 @@ static __init int init_posix_cpu_timers(void) +@@ -1724,7 +1728,7 @@ static __init int init_posix_cpu_timers(void) .nsleep = process_cpu_nsleep, .nsleep_restart = process_cpu_nsleep_restart, }; @@ -107013,114 +106571,10 @@ index dfadc5b..7f59404 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 05625f6..123e351 100644 +index d9c8c47..2617b8c 100644 --- a/kernel/ptrace.c 
+++ b/kernel/ptrace.c -@@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child) - child->signal->group_stop_count) - __set_task_state(child, TASK_STOPPED); - else -- signal_wake_up(child, 1); -+ ptrace_signal_wake_up(child, true); - } - spin_unlock(&child->sighand->siglock); - } -@@ -80,10 +80,54 @@ void __ptrace_unlink(struct task_struct *child) - ptrace_untrace(child); - } - --/* -- * Check that we have indeed attached to the thing.. -+/* Ensure that nothing can wake it up, even SIGKILL */ -+static bool ptrace_freeze_traced(struct task_struct *task) -+{ -+ bool ret = false; -+ -+ spin_lock_irq(&task->sighand->siglock); -+ if (task_is_traced(task) && !__fatal_signal_pending(task)) { -+ task->state = __TASK_TRACED; -+ ret = true; -+ } -+ spin_unlock_irq(&task->sighand->siglock); -+ -+ return ret; -+} -+ -+static void ptrace_unfreeze_traced(struct task_struct *task) -+{ -+ if (task->state != __TASK_TRACED) -+ return; -+ -+ WARN_ON(!task->ptrace || task->parent != current); -+ -+ spin_lock_irq(&task->sighand->siglock); -+ if (__fatal_signal_pending(task)) -+ wake_up_state(task, __TASK_TRACED); -+ else -+ task->state = TASK_TRACED; -+ spin_unlock_irq(&task->sighand->siglock); -+} -+ -+/** -+ * ptrace_check_attach - check whether ptracee is ready for ptrace operation -+ * @child: ptracee to check for -+ * @ignore_state: don't check whether @child is currently %TASK_TRACED -+ * -+ * Check whether @child is being ptraced by %current and ready for further -+ * ptrace operations. If @ignore_state is %false, @child also should be in -+ * %TASK_TRACED state and on return the child is guaranteed to be traced -+ * and not executing. If @ignore_state is %true, @child can be in any -+ * state. -+ * -+ * CONTEXT: -+ * Grabs and releases tasklist_lock and @child->sighand->siglock. -+ * -+ * RETURNS: -+ * 0 on success, -ESRCH if %child is not ready. 
- */ --int ptrace_check_attach(struct task_struct *child, int kill) -+int ptrace_check_attach(struct task_struct *child, bool ignore_state) - { - int ret = -ESRCH; - -@@ -95,29 +139,34 @@ int ptrace_check_attach(struct task_struct *child, int kill) - * be changed by us so it's not changing right after this. - */ - read_lock(&tasklist_lock); -- if ((child->ptrace & PT_PTRACED) && child->parent == current) { -- ret = 0; -+ if (child->ptrace && child->parent == current) { -+ WARN_ON(child->state == __TASK_TRACED); - /* - * child->sighand can't be NULL, release_task() - * does ptrace_unlink() before __exit_signal(). - */ -- spin_lock_irq(&child->sighand->siglock); -- if (task_is_stopped(child)) -- child->state = TASK_TRACED; -- else if (!task_is_traced(child) && !kill) -- ret = -ESRCH; -- spin_unlock_irq(&child->sighand->siglock); -+ if (ignore_state || ptrace_freeze_traced(child)) -+ ret = 0; - } - read_unlock(&tasklist_lock); - -- if (!ret && !kill) -- ret = wait_task_inactive(child, TASK_TRACED) ? 0 : -ESRCH; -+ if (!ret && !ignore_state) { -+ if (!wait_task_inactive(child, __TASK_TRACED)) { -+ /* -+ * This can only happen if may_ptrace_stop() fails and -+ * ptrace_stop() changes ->state back to TASK_RUNNING, -+ * so we should not worry about leaking __TASK_TRACED. -+ */ -+ WARN_ON(child->state == __TASK_TRACED); -+ ret = -ESRCH; -+ } -+ } - -- /* All systems go.. */ +@@ -155,7 +155,8 @@ int ptrace_check_attach(struct task_struct *child, int kill) return ret; } @@ -107130,7 +106584,7 @@ index 05625f6..123e351 100644 { const struct cred *cred = current_cred(), *tcred; -@@ -141,7 +190,9 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) +@@ -179,7 +180,9 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) cred->gid != tcred->egid || cred->gid != tcred->sgid || cred->gid != tcred->gid) && 
@@ -107141,7 +106595,7 @@ index 05625f6..123e351 100644 rcu_read_unlock(); return -EPERM; } -@@ -149,7 +200,9 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) +@@ -187,7 +190,9 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) smp_rmb(); if (task->mm) dumpable = get_dumpable(task->mm); @@ -107152,7 +106606,7 @@ index 05625f6..123e351 100644 return -EPERM; return security_ptrace_access_check(task, mode); -@@ -159,7 +212,16 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) +@@ -197,7 +202,16 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) { int err; task_lock(task); @@ -107170,7 +106624,7 @@ index 05625f6..123e351 100644 task_unlock(task); return !err; } -@@ -182,11 +244,11 @@ int ptrace_attach(struct task_struct *task) +@@ -220,11 +234,11 @@ int ptrace_attach(struct task_struct *task) * under ptrace. */ retval = -ERESTARTNOINTR; @@ -107184,7 +106638,7 @@ index 05625f6..123e351 100644 task_unlock(task); if (retval) goto unlock_creds; -@@ -199,7 +261,7 @@ int ptrace_attach(struct task_struct *task) +@@ -237,7 +251,7 @@ int ptrace_attach(struct task_struct *task) goto unlock_tasklist; task->ptrace = PT_PTRACED; @@ -107193,7 +106647,7 @@ index 05625f6..123e351 100644 task->ptrace |= PT_PTRACE_CAP; __ptrace_link(task, current); -@@ -209,7 +271,7 @@ int ptrace_attach(struct task_struct *task) +@@ -247,7 +261,7 @@ int ptrace_attach(struct task_struct *task) unlock_tasklist: write_unlock_irq(&tasklist_lock); unlock_creds: @@ -107202,7 +106656,7 @@ index 05625f6..123e351 100644 out: return retval; } -@@ -351,6 +413,8 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst +@@ -389,6 +403,8 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst { int copied = 0; 
@@ -107211,7 +106665,7 @@ index 05625f6..123e351 100644 while (len > 0) { char buf[128]; int this_len, retval; -@@ -376,6 +440,8 @@ int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long ds +@@ -414,6 +430,8 @@ int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long ds { int copied = 0; @@ -107220,16 +106674,7 @@ index 05625f6..123e351 100644 while (len > 0) { char buf[128]; int this_len, retval; -@@ -506,7 +572,7 @@ static int ptrace_resume(struct task_struct *child, long request, long data) - } - - child->exit_code = data; -- wake_up_process(child); -+ wake_up_state(child, __TASK_TRACED); - - return 0; - } -@@ -517,6 +583,8 @@ int ptrace_request(struct task_struct *child, long request, +@@ -555,6 +573,8 @@ int ptrace_request(struct task_struct *child, long request, int ret = -EIO; siginfo_t siginfo; @@ -107238,7 +106683,7 @@ index 05625f6..123e351 100644 switch (request) { case PTRACE_PEEKTEXT: case PTRACE_PEEKDATA: -@@ -532,18 +600,18 @@ int ptrace_request(struct task_struct *child, long request, +@@ -570,18 +590,18 @@ int ptrace_request(struct task_struct *child, long request, ret = ptrace_setoptions(child, data); break; case PTRACE_GETEVENTMSG: @@ -107260,7 +106705,7 @@ index 05625f6..123e351 100644 sizeof siginfo)) ret = -EFAULT; else -@@ -621,14 +689,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, long, addr, long, data) +@@ -659,14 +679,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, long, addr, long, data) goto out; } 
@@ -107283,16 +106728,7 @@ index 05625f6..123e351 100644 goto out_put_task_struct; } -@@ -637,6 +712,8 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, long, addr, long, data) - goto out_put_task_struct; - - ret = arch_ptrace(child, request, addr, data); -+ if (ret || request != PTRACE_DETACH) -+ ptrace_unfreeze_traced(child); - - out_put_task_struct: - put_task_struct(child); -@@ -653,7 +730,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, long addr, long data) +@@ -693,7 +720,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, long addr, long data) copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -107301,7 +106737,7 @@ index 05625f6..123e351 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data) -@@ -675,6 +752,8 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -715,6 +742,8 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, siginfo_t siginfo; int ret; @@ -107310,7 +106746,7 @@ index 05625f6..123e351 100644 switch (request) { case PTRACE_PEEKTEXT: case PTRACE_PEEKDATA: -@@ -720,7 +799,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -760,7 +789,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, @@ -107319,7 +106755,7 @@ index 05625f6..123e351 100644 { struct task_struct *child; long ret; -@@ -740,20 +819,30 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +@@ -780,14 +809,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } 
@@ -107342,16 +106778,6 @@ index 05625f6..123e351 100644 goto out_put_task_struct; } - ret = ptrace_check_attach(child, request == PTRACE_KILL); -- if (!ret) -+ if (!ret) { - ret = compat_arch_ptrace(child, request, addr, data); -+ if (ret || request != PTRACE_DETACH) -+ ptrace_unfreeze_traced(child); -+ } - - out_put_task_struct: - put_task_struct(child); diff --git a/kernel/rcutorture.c b/kernel/rcutorture.c index 697c0a0..2402696 100644 --- a/kernel/rcutorture.c @@ -107564,7 +106990,7 @@ index bf343f5..908e9ee 100644 if (rbuf->subbufs_produced == rbuf->subbufs_consumed) return 0; diff --git a/kernel/resource.c b/kernel/resource.c -index fb11a58..4e61ae1 100644 +index 207915a..ab64869 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -132,8 +132,18 @@ static const struct file_operations proc_iomem_operations = { @@ -107694,20 +107120,10 @@ index 29bd4ba..8c5de90 100644 WARN_ON(pendowner->pi_blocked_on->lock != lock); diff --git a/kernel/sched.c b/kernel/sched.c -index 0591df8..dcf3f9f 100644 +index 42bf6a6..dcf3f9f 100644 --- a/kernel/sched.c +++ b/kernel/sched.c -@@ -2618,7 +2618,8 @@ out: - */ - int wake_up_process(struct task_struct *p) - { -- return try_to_wake_up(p, TASK_ALL, 0); -+ WARN_ON(task_is_stopped_or_traced(p)); -+ return try_to_wake_up(p, TASK_NORMAL, 0); - } - EXPORT_SYMBOL(wake_up_process); - -@@ -5043,7 +5044,7 @@ out: +@@ -5044,7 +5044,7 @@ out: * In CONFIG_NO_HZ case, the idle load balance owner will do the * rebalancing for all the cpus for whom scheduler ticks are stopped. */ @@ -107716,7 +107132,7 @@ index 0591df8..dcf3f9f 100644 { int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); -@@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void) +@@ -5701,6 +5701,8 @@ asmlinkage void __sched schedule(void) struct rq *rq; int cpu; 
@@ -107725,7 +107141,7 @@ index 0591df8..dcf3f9f 100644 need_resched: preempt_disable(); cpu = smp_processor_id(); -@@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule); +@@ -5771,7 +5773,7 @@ EXPORT_SYMBOL(schedule); * Look out! "owner" is an entirely speculative pointer * access and not reliable. */ @@ -107734,7 +107150,7 @@ index 0591df8..dcf3f9f 100644 { unsigned int cpu; struct rq *rq; -@@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) +@@ -5785,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) * DEBUG_PAGEALLOC could have unmapped it if * the mutex owner just released it and exited. */ @@ -107747,7 +107163,7 @@ index 0591df8..dcf3f9f 100644 #endif /* -@@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) +@@ -5817,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) /* * Is that owner really running on that cpu? */ @@ -107756,7 +107172,7 @@ index 0591df8..dcf3f9f 100644 return 0; cpu_relax(); -@@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -6360,6 +6362,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -107765,7 +107181,7 @@ index 0591df8..dcf3f9f 100644 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur || capable(CAP_SYS_NICE)); } -@@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -6393,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -107775,7 +107191,7 @@ index 0591df8..dcf3f9f 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd) +@@ -8775,7 +8780,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd) long power; int weight; 
@@ -107785,7 +107201,7 @@ index 0591df8..dcf3f9f 100644 if (cpu != group_first_cpu(sd->groups)) return; diff --git a/kernel/signal.c b/kernel/signal.c -index 2494827..873d447 100644 +index fb7e242..c97ee29 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -41,12 +41,12 @@ @@ -107822,17 +107238,7 @@ index 2494827..873d447 100644 if (override_rlimit || atomic_read(&user->sigpending) <= t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) -@@ -320,6 +323,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) - if (force_default || ka->sa.sa_handler != SIG_IGN) - ka->sa.sa_handler = SIG_DFL; - ka->sa.sa_flags = 0; -+#ifdef SA_RESTORER -+ ka->sa.sa_restorer = NULL; -+#endif - sigemptyset(&ka->sa.sa_mask); - ka++; - } -@@ -327,7 +333,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) +@@ -330,7 +333,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) int unhandled_signal(struct task_struct *tsk, int sig) { 
@@ -107841,34 +107247,7 @@ index 2494827..873d447 100644 if (is_global_init(tsk)) return 1; if (handler != SIG_IGN && handler != SIG_DFL) -@@ -513,23 +519,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) - * No need to set need_resched since signal event passing - * goes through ->blocked - */ --void signal_wake_up(struct task_struct *t, int resume) -+void signal_wake_up_state(struct task_struct *t, unsigned int state) - { -- unsigned int mask; -- - set_tsk_thread_flag(t, TIF_SIGPENDING); -- - /* -- * For SIGKILL, we want to wake it up in the stopped/traced/killable -+ * TASK_WAKEKILL also means wake it up in the stopped/traced/killable - * case. We don't check t->state here because there is a race with it - * executing another processor and just now entering stopped state. - * By using wake_up_state, we ensure the process will wake up and - * handle its death signal. - */ -- mask = TASK_INTERRUPTIBLE; -- if (resume) -- mask |= TASK_WAKEKILL; -- if (!wake_up_state(t, mask)) -+ if (!wake_up_state(t, state | TASK_INTERRUPTIBLE)) - kick_process(t); - } - -@@ -627,6 +627,13 @@ static int check_kill_permission(int sig, struct siginfo *info, +@@ -624,6 +627,13 @@ static int check_kill_permission(int sig, struct siginfo *info, } } @@ -107882,7 +107261,7 @@ index 2494827..873d447 100644 return security_task_kill(t, info, sig, 0); } -@@ -968,7 +975,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -965,7 +975,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) return send_signal(sig, info, p, 1); } 
@@ -107891,7 +107270,7 @@ index 2494827..873d447 100644 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1005,6 +1012,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1002,6 +1012,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) unsigned long int flags; int ret, blocked, ignored; struct k_sigaction *action; @@ -107899,7 +107278,7 @@ index 2494827..873d447 100644 spin_lock_irqsave(&t->sighand->siglock, flags); action = &t->sighand->action[sig-1]; -@@ -1019,9 +1027,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1016,9 +1027,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) } if (action->sa.sa_handler == SIG_DFL) t->signal->flags &= ~SIGNAL_UNKILLABLE; @@ -107918,7 +107297,7 @@ index 2494827..873d447 100644 return ret; } -@@ -1081,8 +1098,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1078,8 +1098,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) { int ret = check_kill_permission(sig, info, p); 
@@ -107931,18 +107310,7 @@ index 2494827..873d447 100644 return ret; } -@@ -1530,6 +1550,10 @@ static inline int may_ptrace_stop(void) - * If SIGKILL was already sent before the caller unlocked - * ->siglock we must see ->core_state != NULL. Otherwise it - * is safe to enter schedule(). -+ * -+ * This is almost outdated, a task with the pending SIGKILL can't -+ * block in TASK_TRACED. But PTRACE_EVENT_EXIT can be reported -+ * after SIGKILL was already dequeued. - */ - if (unlikely(current->mm->core_state) && - unlikely(current->mm == current->parent->mm)) -@@ -1611,6 +1635,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info) +@@ -1612,6 +1635,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info) * By the time we got the lock, our tracer went away. * Don't drop the lock yet, another tracer may come. */ @@ -107951,7 +107319,7 @@ index 2494827..873d447 100644 __set_current_state(TASK_RUNNING); if (clear_code) current->exit_code = 0; -@@ -1644,6 +1670,8 @@ void ptrace_notify(int exit_code) +@@ -1645,6 +1670,8 @@ void ptrace_notify(int exit_code) { siginfo_t info; @@ -107960,7 +107328,7 @@ index 2494827..873d447 100644 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP); memset(&info, 0, sizeof info); -@@ -2275,7 +2303,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2276,7 +2303,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -107977,15 +107345,6 @@ index 2494827..873d447 100644 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { error = check_kill_permission(sig, info, p); /* -@@ -2300,7 +2336,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) - - static int do_tkill(pid_t tgid, pid_t pid, int sig) - { -- struct siginfo info; -+ struct siginfo info = {}; - - info.si_signo = sig; - info.si_errno = 0; diff --git a/kernel/smp.c b/kernel/smp.c index aa9cff3..631a0de 100644 --- a/kernel/smp.c 
@@ -108018,7 +107377,7 @@ index aa9cff3..631a0de 100644 spin_unlock_irq(&call_function.lock); } diff --git a/kernel/softirq.c b/kernel/softirq.c -index 04a0252..4ee2bbb 100644 +index d75c136..d935240 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c @@ -52,11 +52,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; @@ -108042,7 +107401,7 @@ index 04a0252..4ee2bbb 100644 - struct softirq_action *h; + const struct softirq_action *h; __u32 pending; - int max_restart = MAX_SOFTIRQ_RESTART; + unsigned long end = jiffies + MAX_SOFTIRQ_TIME; int cpu; @@ -233,7 +233,7 @@ restart: kstat_incr_softirqs_this_cpu(h - softirq_vec); @@ -108053,7 +107412,7 @@ index 04a0252..4ee2bbb 100644 trace_softirq_exit(h, softirq_vec); if (unlikely(prev_count != preempt_count())) { printk(KERN_ERR "huh, entered softirq %td %s %p" -@@ -363,7 +363,7 @@ void raise_softirq(unsigned int nr) +@@ -364,7 +364,7 @@ void raise_softirq(unsigned int nr) local_irq_restore(flags); } @@ -108062,7 +107421,7 @@ index 04a0252..4ee2bbb 100644 { softirq_vec[nr].action = action; } -@@ -419,7 +419,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) +@@ -420,7 +420,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) EXPORT_SYMBOL(__tasklet_hi_schedule_first); @@ -108071,7 +107430,7 @@ index 04a0252..4ee2bbb 100644 { struct tasklet_struct *list; -@@ -454,7 +454,7 @@ static void tasklet_action(struct softirq_action *a) +@@ -455,7 +455,7 @@ static void tasklet_action(struct softirq_action *a) } } @@ -108081,7 +107440,7 @@ index 04a0252..4ee2bbb 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index e9512b1..892ee9e 100644 +index 5a381e6..5d65044 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) 
@@ -108126,7 +107485,7 @@ index e9512b1..892ee9e 100644 if (who != cred->uid) free_uid(user); /* for find_user() */ break; -@@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) +@@ -510,6 +516,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) goto error; } @@ -108136,7 +107495,7 @@ index e9512b1..892ee9e 100644 if (rgid != (gid_t) -1 || (egid != (gid_t) -1 && egid != old->gid)) new->sgid = new->egid; -@@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) +@@ -543,6 +552,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) goto error; retval = -EPERM; @@ -108147,7 +107506,7 @@ index e9512b1..892ee9e 100644 if (capable(CAP_SETGID)) new->gid = new->egid = new->sgid = new->fsgid = gid; else if (gid == old->gid || gid == old->sgid) -@@ -559,7 +572,7 @@ error: +@@ -560,7 +573,7 @@ error: /* * change the user struct in a credentials set to match the new UID */ @@ -108156,7 +107515,7 @@ index e9512b1..892ee9e 100644 { struct user_struct *new_user; -@@ -567,12 +580,19 @@ static int set_user(struct cred *new) +@@ -568,12 +581,19 @@ static int set_user(struct cred *new) if (!new_user) return -EAGAIN; @@ -108180,7 +107539,7 @@ index e9512b1..892ee9e 100644 free_uid(new->user); new->user = new_user; -@@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) +@@ -628,6 +648,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) goto error; } @@ -108190,7 +107549,7 @@ index e9512b1..892ee9e 100644 if (new->uid != old->uid) { retval = set_user(new); if (retval < 0) -@@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) +@@ -676,6 +699,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) goto error; retval = -EPERM; @@ -108203,7 +107562,7 @@ index e9512b1..892ee9e 100644 if (capable(CAP_SETUID)) { new->suid = new->uid = uid; if (uid != old->uid) { -@@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) +@@ -733,6 +762,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } 
@@ -108213,7 +107572,7 @@ index e9512b1..892ee9e 100644 if (ruid != (uid_t) -1) { new->uid = ruid; if (ruid != old->uid) { -@@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) +@@ -801,6 +833,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } @@ -108223,7 +107582,7 @@ index e9512b1..892ee9e 100644 if (rgid != (gid_t) -1) new->gid = rgid; if (egid != (gid_t) -1) -@@ -853,6 +888,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -854,6 +889,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) uid == old->suid || uid == old->fsuid || capable(CAP_SETUID)) { if (uid != old_fsuid) { @@ -108233,7 +107592,7 @@ index e9512b1..892ee9e 100644 new->fsuid = uid; if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0) goto change_okay; -@@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) +@@ -890,6 +928,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid == old->gid || gid == old->egid || gid == old->sgid || gid == old->fsgid || capable(CAP_SETGID)) { @@ -108243,7 +107602,7 @@ index e9512b1..892ee9e 100644 if (gid != old_fsgid) { new->fsgid = gid; goto change_okay; -@@ -1273,6 +1314,14 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) +@@ -1274,6 +1315,14 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) if (resource != RLIMIT_CPU) goto out; @@ -108258,7 +107617,7 @@ index e9512b1..892ee9e 100644 /* * RLIMIT_CPU handling. Note that the kernel fails to return an error * code if it rejected the user's attempt to set RLIMIT_CPU. This is a -@@ -1282,7 +1331,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) +@@ -1283,7 +1332,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) if (new_rlim.rlim_cur == RLIM_INFINITY) goto out; 
@@ -108267,7 +107626,7 @@ index e9512b1..892ee9e 100644 out: return 0; } -@@ -1454,7 +1503,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, +@@ -1455,7 +1504,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; case PR_SET_DUMPABLE: @@ -108593,10 +107952,10 @@ index 33df60e..ca768bd 100644 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ) return (USEC_PER_SEC / HZ) * j; diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c -index 57b953f..06f149f 100644 +index 67fe3d9..1196e5f 100644 --- a/kernel/time/tick-broadcast.c +++ b/kernel/time/tick-broadcast.c -@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct clock_event_device *dev, int cpu) +@@ -117,7 +117,7 @@ int tick_device_uses_broadcast(struct clock_event_device *dev, int cpu) * then clear the broadcast bit. */ if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) { @@ -108606,7 +107965,7 @@ index 57b953f..06f149f 100644 cpumask_clear_cpu(cpu, tick_get_broadcast_mask()); tick_broadcast_clear_oneshot(cpu); diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c -index 3d35af3..7936e72 100644 +index f65a0fb..39e0ff0 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -14,6 +14,7 @@ @@ -108754,7 +108113,7 @@ index ee5681f..862e921 100644 return -ENOMEM; return 0; diff --git a/kernel/timer.c b/kernel/timer.c -index cb3c1f1..e643008 100644 +index 8123679..8fbf105 100644 --- a/kernel/timer.c +++ b/kernel/timer.c @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick) @@ -108807,18 +108166,10 @@ index d9d6206..f19467e 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 4872937..9c613c4 100644 +index c5f8ab9..9c613c4 100644 --- a/kernel/trace/ftrace.c 
+++ b/kernel/trace/ftrace.c -@@ -469,7 +469,6 @@ int ftrace_profile_pages_init(struct ftrace_profile_stat *stat) - free_page(tmp); - } - -- free_page((unsigned long)stat->pages); - stat->pages = NULL; - stat->start = NULL; - -@@ -1100,13 +1099,18 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) +@@ -1099,13 +1099,18 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) ip = rec->ip; @@ -108839,7 +108190,7 @@ index 4872937..9c613c4 100644 } /* -@@ -2726,7 +2730,7 @@ static int ftrace_module_notify(struct notifier_block *self, +@@ -2725,7 +2730,7 @@ static int ftrace_module_notify(struct notifier_block *self, struct notifier_block ftrace_module_nb = { .notifier_call = ftrace_module_notify, @@ -108848,7 +108199,7 @@ index 4872937..9c613c4 100644 }; extern unsigned long __start_mcount_loc[]; -@@ -3068,8 +3072,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, +@@ -3067,8 +3072,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, #ifdef CONFIG_FUNCTION_GRAPH_TRACER static int ftrace_graph_active; @@ -108857,7 +108208,7 @@ index 4872937..9c613c4 100644 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; -@@ -3213,6 +3215,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, +@@ -3212,6 +3215,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, return NOTIFY_DONE; } @@ -108868,7 +108219,7 @@ index 4872937..9c613c4 100644 int register_ftrace_graph(trace_func_graph_ret_t retfunc, trace_func_graph_ent_t entryfunc) { -@@ -3226,7 +3232,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, +@@ -3225,7 +3232,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, goto out; } @@ -108877,7 +108228,7 @@ index 4872937..9c613c4 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index e749a05..029a15b 100644 +index 6024960..854be1f 100644 --- a/kernel/trace/ring_buffer.c 
+++ b/kernel/trace/ring_buffer.c @@ -325,9 +325,9 @@ struct buffer_data_page { @@ -109116,7 +108467,7 @@ index e749a05..029a15b 100644 local_set(&cpu_buffer->reader_page->page->commit, 0); spin: -@@ -3360,8 +3360,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3362,8 +3362,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->head_page = list_entry(cpu_buffer->pages, struct buffer_page, list); @@ -109127,7 +108478,7 @@ index e749a05..029a15b 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -3370,13 +3370,13 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3372,13 +3372,13 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->commit_page = cpu_buffer->head_page; INIT_LIST_HEAD(&cpu_buffer->reader_page->list); @@ -109145,7 +108496,7 @@ index e749a05..029a15b 100644 local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); local_set(&cpu_buffer->commits, 0); -@@ -3752,8 +3752,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, +@@ -3754,8 +3754,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; reader->page = *data_page; @@ -110110,35 +109461,10 @@ index 9c1e627..5ca9447 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 20f9240..0c488e1 100644 +index b435d1f..0c488e1 100644 --- a/mm/hugetlb.c 
+++ b/mm/hugetlb.c -@@ -1772,6 +1772,15 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma) - kref_get(&reservations->refs); - } - -+static void resv_map_put(struct vm_area_struct *vma) -+{ -+ struct resv_map *reservations = vma_resv_map(vma); -+ -+ if (!reservations) -+ return; -+ kref_put(&reservations->refs, resv_map_release); -+} -+ - static void hugetlb_vm_op_close(struct vm_area_struct *vma) - { - struct hstate *h = hstate_vma(vma); -@@ -1788,7 +1797,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma) - reserve = (end - start) - - region_count(&reservations->regions, start, end); - -- kref_put(&reservations->refs, resv_map_release); -+ resv_map_put(vma); - - if (reserve) { - hugetlb_acct_memory(h, -reserve); -@@ -2012,6 +2021,26 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2021,6 +2021,26 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -110165,7 +109491,7 @@ index 20f9240..0c488e1 100644 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *ptep, pte_t pte, struct page *pagecache_page) -@@ -2083,6 +2112,11 @@ retry_avoidcopy: +@@ -2092,6 +2112,11 @@ retry_avoidcopy: huge_ptep_clear_flush(vma, address, ptep); set_huge_pte_at(mm, address, ptep, make_huge_pte(vma, new_page, 1)); @@ -110177,7 +109503,7 @@ index 20f9240..0c488e1 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -2214,6 +2248,10 @@ retry: +@@ -2223,6 +2248,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); 
@@ -110188,7 +109514,7 @@ index 20f9240..0c488e1 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page); -@@ -2242,6 +2280,28 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2251,6 +2280,28 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -110217,47 +109543,6 @@ index 20f9240..0c488e1 100644 ptep = huge_pte_alloc(mm, address, huge_page_size(h)); if (!ptep) return VM_FAULT_OOM; -@@ -2472,12 +2532,16 @@ int hugetlb_reserve_pages(struct inode *inode, - set_vma_resv_flags(vma, HPAGE_RESV_OWNER); - } - -- if (chg < 0) -- return chg; -+ if (chg < 0) { -+ ret = chg; -+ goto out_err; -+ } - - /* There must be enough pages in the subpool for the mapping */ -- if (hugepage_subpool_get_pages(spool, chg)) -- return -ENOSPC; -+ if (hugepage_subpool_get_pages(spool, chg)) { -+ ret = -ENOSPC; -+ goto out_err; -+ } - - /* - * Check enough hugepages are available for the reservation. -@@ -2486,7 +2550,7 @@ int hugetlb_reserve_pages(struct inode *inode, - ret = hugetlb_acct_memory(h, chg); - if (ret < 0) { - hugepage_subpool_put_pages(spool, chg); -- return ret; -+ goto out_err; - } - - /* -@@ -2503,6 +2567,10 @@ int hugetlb_reserve_pages(struct inode *inode, - if (!vma || vma->vm_flags & VM_MAYSHARE) - region_add(&inode->i_mapping->private_list, from, to); - return 0; -+out_err: -+ if (vma) -+ resv_map_put(vma); -+ return ret; - } - - void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed) diff --git a/mm/internal.h b/mm/internal.h index f03e8e2..7354343 100644 --- a/mm/internal.h @@ -111069,7 +110354,7 @@ index 6c836d3..b2296e1 100644 * Make sure the vDSO gets into every core dump. * Dumping its contents makes post-mortem fully interpretable later 
diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index a6563fb..a99e912 100644 +index df6602f..72643c6 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_struct *vma, unsigned long start, @@ -111143,7 +110428,7 @@ index a6563fb..a99e912 100644 rcu_read_unlock(); err = -EPERM; goto out; -@@ -2367,6 +2399,12 @@ static inline void check_huge_range(struct vm_area_struct *vma, +@@ -2362,6 +2394,12 @@ static inline void check_huge_range(struct vm_area_struct *vma, } #endif @@ -111156,7 +110441,7 @@ index a6563fb..a99e912 100644 /* * Display pages allocated per node and memory policy via /proc. */ -@@ -2381,6 +2419,13 @@ int show_numa_map(struct seq_file *m, void *v) +@@ -2376,6 +2414,13 @@ int show_numa_map(struct seq_file *m, void *v) int n; char buffer[50]; @@ -111170,7 +110455,7 @@ index a6563fb..a99e912 100644 if (!mm) return 0; -@@ -2392,11 +2437,15 @@ int show_numa_map(struct seq_file *m, void *v) +@@ -2387,11 +2432,15 @@ int show_numa_map(struct seq_file *m, void *v) mpol_to_str(buffer, sizeof(buffer), pol, 0); mpol_cond_put(pol); @@ -113296,7 +112581,7 @@ index dd43373..d848cd7 100644 list_add_tail(&vma->anon_vma_node, &anon_vma->head); allocated = NULL; diff --git a/mm/shmem.c b/mm/shmem.c -index 3e0005b..eac2525 100644 +index e6a0c72..eac2525 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -31,7 +31,7 @@ 
@@ -113335,31 +112620,7 @@ index 3e0005b..eac2525 100644 /* do it inline */ memcpy(info, symname, len); inode->i_op = &shmem_symlink_inline_operations; -@@ -2242,6 +2246,7 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) - unsigned long inodes; - int error = -EINVAL; - -+ config.mpol = NULL; - if (shmem_parse_options(data, &config, true)) - return error; - -@@ -2269,8 +2274,13 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) - sbinfo->max_inodes = config.max_inodes; - sbinfo->free_inodes = config.max_inodes - inodes; - -- mpol_put(sbinfo->mpol); -- sbinfo->mpol = config.mpol; /* transfers initial ref */ -+ /* -+ * Preserve previous mempolicy unless mpol remount option was specified. -+ */ -+ if (config.mpol) { -+ mpol_put(sbinfo->mpol); -+ sbinfo->mpol = config.mpol; /* transfers initial ref */ -+ } - out: - spin_unlock(&sbinfo->stat_lock); - return error; -@@ -2310,8 +2320,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2316,8 +2320,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -114545,19 +113806,6 @@ index f34ffd0..1251316 100644 v->addr, v->addr + v->size, v->size); if (v->caller) { -diff --git a/mm/vmscan.c b/mm/vmscan.c -index 4649929..738db2b 100644 ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -2241,6 +2241,8 @@ static int kswapd(void *p) - balance_pgdat(pgdat, order); - } - } -+ -+ current->reclaim_state = NULL; - return 0; - } - diff --git a/mm/vmstat.c b/mm/vmstat.c index 42d76c6..5643dc4 100644 --- a/mm/vmstat.c 
@@ -114690,18 +113938,6 @@ index 02cc7e7..4514f1b 100644 __SONET_ITEMS #undef __HANDLE_ITEM } -diff --git a/net/atm/common.c b/net/atm/common.c -index 950bd16..0baf05e 100644 ---- a/net/atm/common.c -+++ b/net/atm/common.c -@@ -749,6 +749,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname, - if (!vcc->dev || - !test_bit(ATM_VF_ADDR,&vcc->flags)) - return -ENOTCONN; -+ memset(&pvc, 0, sizeof(pvc)); - pvc.sap_family = AF_ATMPVC; - pvc.sap_addr.itf = vcc->dev->number; - pvc.sap_addr.vpi = vcc->vpi; diff --git a/net/atm/lec.h b/net/atm/lec.h index 9d14d19..5c145f3 100644 --- a/net/atm/lec.h @@ -114770,20 +114006,6 @@ index ab8419a..aa91497 100644 else seq_printf(seq, "%3d %3d %5d ", vcc->dev->number, vcc->vpi, vcc->vci); -diff --git a/net/atm/pvc.c b/net/atm/pvc.c -index d4c0245..5f6d1fb 100644 ---- a/net/atm/pvc.c -+++ b/net/atm/pvc.c -@@ -92,7 +92,8 @@ static int pvc_getname(struct socket *sock,struct sockaddr *sockaddr, - - if (!vcc->dev || !test_bit(ATM_VF_ADDR,&vcc->flags)) return -ENOTCONN; - *sockaddr_len = sizeof(struct sockaddr_atmpvc); -- addr = (struct sockaddr_atmpvc *) sockaddr; -+ addr = (struct sockaddr_atmpvc *)sockaddr; -+ memset(addr, 0, sizeof(*addr)); - addr->sap_family = AF_ATMPVC; - addr->sap_addr.itf = vcc->dev->number; - addr->sap_addr.vpi = vcc->vpi; diff --git a/net/atm/resources.c b/net/atm/resources.c index 56b7322..c48b84e 100644 --- a/net/atm/resources.c @@ -114807,7 +114029,7 @@ index 56b7322..c48b84e 100644 #undef __HANDLE_ITEM } diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index 75302a9..09e36d3 100644 +index 45caaaa..09e36d3 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -511,7 +511,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char 
@@ -114819,23 +114041,15 @@ index 75302a9..09e36d3 100644 if (copy_from_user(&uf, optval, len)) { err = -EFAULT; break; -@@ -576,6 +576,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char - { - struct hci_filter *f = &hci_pi(sk)->filter; - -+ memset(&uf, 0, sizeof(uf)); - uf.type_mask = f->type_mask; - uf.opcode = f->opcode; - uf.event_mask[0] = *((u32 *) f->event_mask + 0); diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c -index 49d8495..6b0a111 100644 +index 0c2c59d..6b0a111 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -778,9 +778,9 @@ static int hidp_setup_hid(struct hidp_session *session, hid->version = req->version; hid->country = req->country; -- strncpy(hid->name, req->name, 128); +- strncpy(hid->name, req->name, sizeof(req->name) - 1); - strncpy(hid->phys, batostr(&src), 64); - strncpy(hid->uniq, batostr(&dst), 64); + strncpy(hid->name, req->name, sizeof(hid->name) - 1); @@ -114845,18 +114059,10 @@ index 49d8495..6b0a111 100644 hid->dev.parent = hidp_get_device(session); hid->ll_driver = &hidp_hid_driver; diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 1ae3f80..c5d763b 100644 +index 1db0132..5e0453d 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c -@@ -543,6 +543,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * - - BT_DBG("sock %p, sk %p", sock, sk); - -+ memset(sa, 0, sizeof(*sa)); - sa->rc_family = AF_BLUETOOTH; - sa->rc_channel = rfcomm_pi(sk)->channel; - if (peer) -@@ -792,7 +793,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c +@@ -794,7 +794,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c sec.level = BT_SECURITY_LOW; @@ -115088,10 +114294,10 @@ index 9559afc..6c62f69 100644 a0 = a[0]; a1 = a[1]; diff --git a/net/core/dev.c b/net/core/dev.c -index 46e2a29..ab7b15e 100644 +index d775563..7eb1c8d 100644 
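Review bot: The `memset(&uf, 0, sizeof(uf));` line in `hci_sock_getsockopt` is no longer carried by the grsecurity patch after this hunk, and nothing visible here records where that zeroing now comes from. The same kind of initialisation is dropped in other hunks of this file's diff: `struct siginfo info = {};` in `do_tkill`, and the memsets in `vcc_getsockopt`, `pvc_getname`, `rfcomm_sock_getname` and `dcbnl_getperm_hwaddr`. Presumably they are now supplied by `1060_linux-2.6.32.61.patch`, since the `index` lines of the affected files change at the same time, but that file is not shown here. If any of them is missing from the base, the structure is filled field by field and any padding or unset members keep whatever bytes were there before. I would state this in the commit description, for example `Dropped hunks (do_tkill, atm, bluetooth, dcbnl zeroing) are now carried by 1060_linux-2.6.32.61.patch`, so the removal can be checked against the base patch.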
--- a/net/core/dev.c +++ b/net/core/dev.c -@@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const char *name) +@@ -1050,10 +1050,14 @@ void dev_load(struct net *net, const char *name) if (no_module && capable(CAP_NET_ADMIN)) no_module = request_module("netdev-%s", name); if (no_module && capable(CAP_SYS_MODULE)) { @@ -115106,7 +114312,7 @@ index 46e2a29..ab7b15e 100644 } } EXPORT_SYMBOL(dev_load); -@@ -1655,7 +1659,7 @@ static inline int illegal_highdma(struct net_device *dev, struct sk_buff *skb) +@@ -1658,7 +1662,7 @@ static inline int illegal_highdma(struct net_device *dev, struct sk_buff *skb) struct dev_gso_cb { void (*destructor)(struct sk_buff *skb); @@ -115115,7 +114321,7 @@ index 46e2a29..ab7b15e 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -2064,7 +2068,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -2067,7 +2071,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -115124,7 +114330,7 @@ index 46e2a29..ab7b15e 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -2828,7 +2832,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -2831,7 +2835,7 @@ void netif_napi_del(struct napi_struct *napi) EXPORT_SYMBOL(netif_napi_del); @@ -115133,7 +114339,7 @@ index 46e2a29..ab7b15e 100644 { struct list_head *list = &__get_cpu_var(softnet_data).poll_list; unsigned long time_limit = jiffies + 2; -@@ -3264,8 +3268,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -3267,8 +3271,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); @@ -115298,20 +114504,10 @@ index 72ff527..a014894 100644 * __skb_splice_bits() only fails if the output has no room left, * so no point in going over the frag_list for the error case. diff --git a/net/core/sock.c b/net/core/sock.c -index 4538a34..d53ed34 100644 +index eafa660..d53ed34 100644 --- a/net/core/sock.c 
+++ b/net/core/sock.c -@@ -562,7 +562,8 @@ set_rcvbuf: - - case SO_KEEPALIVE: - #ifdef CONFIG_INET -- if (sk->sk_protocol == IPPROTO_TCP) -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) - tcp_set_keepalive(sk, valbool); - #endif - sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool); -@@ -864,11 +865,15 @@ int sock_getsockopt(struct socket *sock, int level, int optname, +@@ -865,11 +865,15 @@ int sock_getsockopt(struct socket *sock, int level, int optname, break; case SO_PEERCRED: @@ -115328,7 +114524,7 @@ index 4538a34..d53ed34 100644 case SO_PEERNAME: { -@@ -1895,7 +1900,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) +@@ -1896,7 +1900,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); @@ -115337,18 +114533,6 @@ index 4538a34..d53ed34 100644 } EXPORT_SYMBOL(sock_init_data); -diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c -index ac1205d..813fe4b 100644 ---- a/net/dcb/dcbnl.c -+++ b/net/dcb/dcbnl.c -@@ -307,6 +307,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb, - dcb->dcb_family = AF_UNSPEC; - dcb->cmd = DCB_CMD_GPERM_HWADDR; - -+ memset(perm_addr, 0, sizeof(perm_addr)); - netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); - - ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c index 34dcc79..f51ed45 100644 --- a/net/dccp/ccids/ccid3.c @@ -115631,10 +114815,10 @@ index d3fe10b..feeafc9 100644 rc = qp->q.fragments && (end - start) > max; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index e982b5c..f079d75 100644 +index 099e6c3..57092e1 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1023,6 +1023,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, int val; int len; 
@@ -115643,7 +114827,7 @@ index e982b5c..f079d75 100644 if (level != SOL_IP) return -EOPNOTSUPP; -@@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1184,7 +1186,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -115843,7 +115027,7 @@ index f25542c..5a0b902 100644 }; diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index ab996f9..3da5f96 100644 +index 07ab583..a4ef948 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk, struct sk_buff * skb) @@ -115864,7 +115048,7 @@ index ab996f9..3da5f96 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -724,16 +724,23 @@ static int raw_init(struct sock *sk) +@@ -735,16 +735,23 @@ static int raw_init(struct sock *sk) static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen) { @@ -115889,7 +115073,7 @@ index ab996f9..3da5f96 100644 if (get_user(len, optlen)) goto out; -@@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o +@@ -754,8 +761,9 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o if (len > sizeof(struct icmp_filter)) len = sizeof(struct icmp_filter); ret = -EFAULT; @@ -115901,7 +115085,7 @@ index ab996f9..3da5f96 100644 goto out; ret = 0; out: return ret; -@@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) +@@ -965,7 +973,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -115917,7 +115101,7 @@ index ab996f9..3da5f96 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 58f141b..b759702 100644 +index f16d19b..9734113 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx, @@ -115938,7 +115122,7 @@ index 58f141b..b759702 100644 } /* -@@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { +@@ -3364,7 +3364,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { static __net_init int rt_secret_timer_init(struct net *net) { @@ -115966,7 +115150,7 @@ index 2dcf04d..4656638 100644 { .ctl_name = NET_TCP_DMA_COPYBREAK, diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index b9644d8..8e66b8e 100644 +index 6232462..2973061 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2084,6 +2084,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, @@ -116000,27 +115184,6 @@ index b9644d8..8e66b8e 100644 if (crypto_hash_update(desc, &sg, f->size)) return 1; } -diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c -index 1eba160b..c35d91f 100644 ---- a/net/ipv4/tcp_illinois.c -+++ b/net/ipv4/tcp_illinois.c -@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext, - .tcpv_rttcnt = ca->cnt_rtt, - .tcpv_minrtt = ca->base_rtt, - }; -- u64 t = ca->sum_rtt; - -- do_div(t, ca->cnt_rtt); -- info.tcpv_rtt = t; -+ if (info.tcpv_rttcnt > 0) { -+ u64 t = ca->sum_rtt; - -+ do_div(t, info.tcpv_rttcnt); -+ info.tcpv_rtt = t; -+ } - nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); - } - } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index db755c4..4cf3b9d 100644 --- a/net/ipv4/tcp_input.c @@ -116265,7 +115428,7 @@ index db755c4..4cf3b9d 100644 /* step 6: check the URG bit */ tcp_urg(sk, skb, th); diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 6a4e832..7eb316b 100644 +index d746d3b3..6eafd4a 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -85,6 +85,9 @@ 
@@ -116278,7 +115441,7 @@ index 6a4e832..7eb316b 100644 #ifdef CONFIG_TCP_MD5SIG static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk, -@@ -1541,6 +1544,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1546,6 +1549,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -116288,7 +115451,7 @@ index 6a4e832..7eb316b 100644 tcp_v4_send_reset(rsk, skb); discard: kfree_skb(skb); -@@ -1602,12 +1608,20 @@ int tcp_v4_rcv(struct sk_buff *skb) +@@ -1607,12 +1613,20 @@ int tcp_v4_rcv(struct sk_buff *skb) TCP_SKB_CB(skb)->sacked = 0; sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); @@ -116311,7 +115474,7 @@ index 6a4e832..7eb316b 100644 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; -@@ -1649,6 +1663,10 @@ no_tcp_socket: +@@ -1654,6 +1668,10 @@ no_tcp_socket: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -116322,7 +115485,7 @@ index 6a4e832..7eb316b 100644 tcp_v4_send_reset(NULL, skb); } -@@ -2236,7 +2254,11 @@ static void get_openreq4(struct sock *sk, struct request_sock *req, +@@ -2241,7 +2259,11 @@ static void get_openreq4(struct sock *sk, struct request_sock *req, 0, /* non standard timer */ 0, /* open_requests have no inode */ atomic_read(&sk->sk_refcnt), @@ -116334,7 +115497,7 @@ index 6a4e832..7eb316b 100644 len); } -@@ -2278,7 +2300,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len) +@@ -2283,7 +2305,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len) sock_i_uid(sk), icsk->icsk_probes_out, sock_i_ino(sk), 
@@ -116348,7 +115511,7 @@ index 6a4e832..7eb316b 100644 jiffies_to_clock_t(icsk->icsk_rto), jiffies_to_clock_t(icsk->icsk_ack.ato), (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong, -@@ -2306,7 +2333,13 @@ static void get_timewait4_sock(struct inet_timewait_sock *tw, +@@ -2311,7 +2338,13 @@ static void get_timewait4_sock(struct inet_timewait_sock *tw, " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n", i, src, srcp, dest, destp, tw->tw_substate, 0, 0, 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, @@ -116390,10 +115553,10 @@ index 4c03598..e09a8e8 100644 req->rsk_ops->send_reset(sk, skb); diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index af83bdf..ec91cb2 100644 +index 38a23e4..24f71b0 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c -@@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst, +@@ -2237,6 +2237,8 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst, __u8 *md5_hash_location; int mss; @@ -116445,7 +115608,7 @@ index 57d5501..a9ed13a 100644 /* Has it gone just too far? */ tcp_write_err(sk); diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 8e28770..72105c8 100644 +index af559e0..00f5a91 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -86,6 +86,7 @@ @@ -116477,7 +115640,7 @@ index 8e28770..72105c8 100644 /* * This routine is called by the ICMP module when it gets some * sort of error condition. If err < 0 then the socket should -@@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -640,9 +648,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, dport = usin->sin_port; if (dport == 0) return -EINVAL; @@ -116496,7 +115659,7 @@ index 8e28770..72105c8 100644 daddr = inet->daddr; dport = inet->dport; /* Open fast path for connected socket. -@@ -945,6 +962,10 @@ try_again: +@@ -956,6 +973,10 @@ try_again: if (!skb) goto out; 
@@ -116507,7 +115670,7 @@ index 8e28770..72105c8 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -1079,7 +1100,7 @@ static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) if (rc == -ENOMEM) { UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, is_udplite); @@ -116516,7 +115679,7 @@ index 8e28770..72105c8 100644 } goto drop; } -@@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1349,6 +1370,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -116526,7 +115689,7 @@ index 8e28770..72105c8 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1769,8 +1793,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -116615,10 +115778,10 @@ index 093e9b2..f72cddb 100644 const struct in6_addr *daddr, const int dif) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 9ad5792..fa406b9 100644 +index 6ba0fe2..503c7c6 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -1138,7 +1138,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, +@@ -1168,7 +1168,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (WARN_ON(np->cork.opt)) return -EINVAL; @@ -116858,7 +116021,7 @@ index 4f24570..b813b34 100644 static int raw6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index faae6df..d4430c1 100644 +index 1b25191..34c509c 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk, @@ -116961,7 +116124,7 @@ index faae6df..d4430c1 100644 static int tcp6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 9cc6289..052c521 100644 +index d8c0374..b82b590 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -49,6 +49,10 @@ @@ -117193,7 +116356,7 @@ index 9cb79f9..d35d057 100644 } diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index bada1b9..f325943 100644 +index f605b23..9e339dc 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct sock *sk) @@ -117301,26 +116464,6 @@ index bda96d1..c038b72 100644 used = 1; } -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index 2da8d14..606b6ad 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -912,14 +912,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, - struct sockaddr_llc sllc; - struct sock *sk = sock->sk; - struct llc_sock *llc = llc_sk(sk); -- int rc = 0; -+ int rc = -EBADF; - - memset(&sllc, 0, sizeof(sllc)); - lock_sock(sk); - if (sock_flag(sk, SOCK_ZAPPED)) - goto out; - *uaddrlen = sizeof(sllc); -- memset(uaddr, 0, *uaddrlen); - if (peer) { - rc = -ENOTCONN; - if (sk->sk_state != TCP_ESTABLISHED) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index fe2d3f8..e57f683 100644 --- a/net/mac80211/cfg.c @@ -117657,7 +116800,7 @@ index b95699f..5fee919 100644 (ip_vs_sync_state & IP_VS_STATE_MASTER) && (((cp->protocol != IPPROTO_TCP || diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index 02b2610..2d89424 100644 +index 9bcd972..1cdb215 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, 
@@ -117723,7 +116866,7 @@ index 02b2610..2d89424 100644 if (!capable(CAP_NET_ADMIN)) return -EPERM; -@@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) +@@ -2803,7 +2805,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port); NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD, @@ -117746,10 +116889,10 @@ index e177f0d..55e8581 100644 cp->old_state = cp->state; /* diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c -index 30b3189..e2e4b55 100644 +index 5be9140..660bb6d 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c -@@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, +@@ -886,7 +886,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, else rc = NF_ACCEPT; /* do not touch skb anymore */ @@ -117758,7 +116901,7 @@ index 30b3189..e2e4b55 100644 goto out; } -@@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, +@@ -960,7 +960,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, else rc = NF_ACCEPT; /* do not touch skb anymore */ @@ -117995,10 +117138,10 @@ index 7a83495..ab0062f 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 35cfa79..8ad1123 100644 +index 728c080..02b775c 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c -@@ -1724,7 +1724,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv +@@ -1723,7 +1723,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv case PACKET_DROP_MEMBERSHIP: { struct packet_mreq_max mreq; 
@@ -118007,7 +117150,7 @@ index 35cfa79..8ad1123 100644 memset(&mreq, 0, sizeof(mreq)); if (len < sizeof(struct packet_mreq)) return -EINVAL; -@@ -1895,7 +1895,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -1894,7 +1894,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -118016,7 +117159,7 @@ index 35cfa79..8ad1123 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_file *seq, void *v) +@@ -2428,7 +2428,11 @@ static int packet_seq_show(struct seq_file *seq, void *v) seq_printf(seq, "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n", @@ -118168,27 +117311,6 @@ index de4a1b1..94ec861 100644 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; -diff --git a/net/rds/recv.c b/net/rds/recv.c -index 6a2654a..c45a881c 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - - rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); - -+ msg->msg_namelen = 0; -+ - if (msg_flags & MSG_OOB) - goto out; - -@@ -486,6 +488,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - sin->sin_port = inc->i_hdr.h_sport; - sin->sin_addr.s_addr = inc->i_saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ msg->msg_namelen = sizeof(*sin); - } - break; - } diff --git a/net/rds/tcp.c b/net/rds/tcp.c index b5198ae..8b9fb90 100644 --- a/net/rds/tcp.c @@ -118552,18 +117674,9 @@ index 713ac59..306f6ae 100644 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); diff --git a/net/sctp/auth.c b/net/sctp/auth.c -index 914c419..1b055b5 100644 +index 7363b9f..1b055b5 100644 --- a/net/sctp/auth.c 
+++ b/net/sctp/auth.c -@@ -70,7 +70,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key) - return; - - if (atomic_dec_and_test(&key->refcnt)) { -- kfree(key); -+ kzfree(key); - SCTP_DBG_OBJCNT_DEC(keys); - } - } @@ -81,7 +81,7 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp) struct sctp_auth_bytes *key; 
@@ -118573,61 +117686,6 @@ index 914c419..1b055b5 100644 return NULL; /* Allocate the shared key */ -diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c -index acf7c4d..b29621d 100644 ---- a/net/sctp/chunk.c -+++ b/net/sctp/chunk.c -@@ -272,7 +272,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, - goto errout; - err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); - if (err < 0) -- goto errout; -+ goto errout_chunk_free; - - offset += len; - -@@ -308,7 +308,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, - __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr - - (__u8 *)chunk->skb->data); - if (err < 0) -- goto errout; -+ goto errout_chunk_free; - - sctp_datamsg_assign(msg, chunk); - list_add_tail(&chunk->frag_list, &msg->chunks); -@@ -316,6 +316,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, - - return msg; - -+errout_chunk_free: -+ sctp_chunk_free(chunk); -+ - errout: - list_for_each_safe(pos, temp, &msg->chunks) { - list_del_init(pos); -diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c -index 905fda5..ca48660 100644 ---- a/net/sctp/endpointola.c -+++ b/net/sctp/endpointola.c -@@ -249,6 +249,8 @@ void sctp_endpoint_free(struct sctp_endpoint *ep) - /* Final destructor for endpoint. */ - static void sctp_endpoint_destroy(struct sctp_endpoint *ep) - { -+ int i; -+ - SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return); - - /* Free up the HMAC transform. */ -@@ -271,6 +273,9 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep) - sctp_inq_free(&ep->base.inqueue); - sctp_bind_addr_free(&ep->base.bind_addr); - -+ for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i) -+ memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE); -+ - /* Remove and free the port */ - if (sctp_sk(ep->base.sk)->bind_hash) - sctp_put_port(ep->base.sk); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index bb280e6..747720f 100644 --- a/net/sctp/ipv6.c 
@@ -118700,18 +117758,9 @@ index 619f965..bed845a 100644 static int sctp_v4_protosw_init(void) diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 1f9843e..5e9fd60 100644 +index 26ffae2..5e9fd60 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -3271,7 +3271,7 @@ static int sctp_setsockopt_auth_key(struct sock *sk, - - ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey); - out: -- kfree(authkey); -+ kzfree(authkey); - return ret; - } - @@ -5810,7 +5810,6 @@ pp_found: */ int reuse = sk->sk_reuse; @@ -118774,7 +117823,7 @@ index e04c9f8..51bc18e 100644 + (rtt >> sctp_rto_alpha); } else { diff --git a/net/socket.c b/net/socket.c -index d449812..4965545 100644 +index bf9fc68..0ea7e39 100644 --- a/net/socket.c +++ b/net/socket.c @@ -87,6 +87,7 @@ @@ -119345,40 +118394,10 @@ index 0747d8a..e8bf3f3 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index db8d51a..621ceb3 100644 +index d146b76..621ceb3 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c -@@ -370,7 +370,7 @@ static void unix_sock_destructor(struct sock *sk) - #endif - } - --static int unix_release_sock(struct sock *sk, int embrion) -+static void unix_release_sock(struct sock *sk, int embrion) - { - struct unix_sock *u = unix_sk(sk); - struct dentry *dentry; -@@ -445,8 +445,6 @@ static int unix_release_sock(struct sock *sk, int embrion) - - if (unix_tot_inflight) - unix_gc(); /* Garbage collect fds */ -- -- return 0; - } - - static int unix_listen(struct socket *sock, int backlog) -@@ -660,9 +658,10 @@ static int unix_release(struct socket *sock) - if (!sk) - return 0; - -+ unix_release_sock(sk, 0); - sock->sk = NULL; - -- return unix_release_sock(sk, 0); -+ return 0; - } - - static int unix_autobind(struct socket *sock) -@@ -745,6 +744,12 @@ static struct sock *unix_find_other(struct net *net, +@@ -744,6 +744,12 @@ static struct sock *unix_find_other(struct net *net, err = -ECONNREFUSED; if (!S_ISSOCK(inode->i_mode)) goto put_fail; 
@@ -119391,7 +118410,7 @@ index db8d51a..621ceb3 100644 u = unix_find_socket_byinode(net, inode); if (!u) goto put_fail; -@@ -765,6 +770,13 @@ static struct sock *unix_find_other(struct net *net, +@@ -764,6 +770,13 @@ static struct sock *unix_find_other(struct net *net, if (u) { struct dentry *dentry; dentry = unix_sk(u)->dentry; @@ -119405,7 +118424,7 @@ index db8d51a..621ceb3 100644 if (dentry) touch_atime(unix_sk(u)->mnt, dentry); } else -@@ -850,11 +862,18 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) +@@ -849,11 +862,18 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) err = security_path_mknod(&nd.path, dentry, mode, 0); if (err) goto out_mknod_drop_write; @@ -119424,7 +118443,7 @@ index db8d51a..621ceb3 100644 mutex_unlock(&nd.path.dentry->d_inode->i_mutex); dput(nd.path.dentry); nd.path.dentry = dentry; -@@ -2206,12 +2225,20 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2205,12 +2225,20 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -119446,7 +118465,7 @@ index db8d51a..621ceb3 100644 atomic_read(&s->sk_refcnt), 0, s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0, -@@ -2235,8 +2262,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2234,8 +2262,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) } for ( ; i < len; i++) seq_putc(seq, u->addr->name->sun_path[i]); @@ -119618,7 +118637,7 @@ index f2f7c63..9e0e8cf 100644 x->km.state = XFRM_STATE_VALID; diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index b95a2d6..f6a9e08 100644 +index 06f42f6..5f968fb 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -224,7 +224,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 
@@ -119630,44 +118649,7 @@ index b95a2d6..f6a9e08 100644 *algpp = p; return 0; } -@@ -506,6 +506,7 @@ out: - - static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) - { -+ memset(p, 0, sizeof(*p)); - memcpy(&p->id, &x->id, sizeof(p->id)); - memcpy(&p->sel, &x->sel, sizeof(p->sel)); - memcpy(&p->lft, &x->lft, sizeof(p->lft)); -@@ -646,6 +647,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, - { - struct xfrm_dump_info info; - struct sk_buff *skb; -+ int err; - - skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); - if (!skb) -@@ -656,9 +658,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, - info.nlmsg_seq = seq; - info.nlmsg_flags = 0; - -- if (dump_one_state(x, 0, &info)) { -+ err = dump_one_state(x, 0, &info); -+ if (err) { - kfree_skb(skb); -- return NULL; -+ return ERR_PTR(err); - } - - return skb; -@@ -1075,6 +1078,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy - - static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) - { -+ memset(p, 0, sizeof(*p)); - memcpy(&p->sel, &xp->selector, sizeof(p->sel)); - memcpy(&p->lft, &xp->lft, sizeof(p->lft)); - memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); -@@ -1169,6 +1173,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) +@@ -1173,6 +1173,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; int i; 
@@ -119676,15 +118658,7 @@ index b95a2d6..f6a9e08 100644 if (xp->xfrm_nr == 0) return 0; -@@ -1176,6 +1182,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) - struct xfrm_user_tmpl *up = &vec[i]; - struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; - -+ memset(up, 0, sizeof(*up)); - memcpy(&up->id, &kp->id, sizeof(up->id)); - up->family = kp->encap_family; - memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); -@@ -1784,6 +1791,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -1791,6 +1793,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, int err; int n = 0; @@ -121249,18 +120223,9 @@ index e031952..c9a535d 100644 buflen -= tmp; diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 931cfda..01983fb 100644 +index 75fb18c..01983fb 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c -@@ -56,7 +56,7 @@ int install_user_keyrings(void) - - kenter("%p{%u}", user, user->uid); - -- if (user->uid_keyring) { -+ if (user->uid_keyring && user->session_keyring) { - kleave(" = 0 [exist]"); - return 0; - } @@ -208,7 +208,7 @@ static int install_process_keyring(void) ret = install_process_keyring_to_cred(new); if (ret < 0) { @@ -121805,10 +120770,10 @@ index 3136c88..28ad950 100644 list_add(&s->list, &cs4297a_devs); diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c -index 78288db..0406809 100644 +index 5f295f7..c5e763c 100644 --- a/sound/pci/ac97/ac97_codec.c +++ b/sound/pci/ac97/ac97_codec.c -@@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struct snd_device *device) +@@ -1954,7 +1954,7 @@ static int snd_ac97_dev_disconnect(struct snd_device *device) } /* build_ops to do nothing */ 
@@ -128974,51 +127939,6 @@ index 0000000..ac2901e + + return 0; +} -diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c -index 83b3dde..835bee7 100644 ---- a/usr/gen_init_cpio.c -+++ b/usr/gen_init_cpio.c -@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name, const char *location, - int retval; - int rc = -1; - int namesize; -- int i; -+ unsigned int i; - - mode |= S_IFREG; - -@@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_location) - *env_var = *expanded = '\0'; - strncat(env_var, start + 2, end - start - 2); - strncat(expanded, new_location, start - new_location); -- strncat(expanded, getenv(env_var), PATH_MAX); -- strncat(expanded, end + 1, PATH_MAX); -+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded)); -+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded)); - strncpy(new_location, expanded, PATH_MAX); -+ new_location[PATH_MAX] = 0; - } else - break; - } -diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c -index 9fe140b..69969ae 100644 ---- a/virt/kvm/ioapic.c -+++ b/virt/kvm/ioapic.c -@@ -71,9 +71,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, - u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; - u64 redir_content; - -- ASSERT(redir_index < IOAPIC_NUM_PINS); -+ if (redir_index < IOAPIC_NUM_PINS) -+ redir_content = -+ ioapic->redirtbl[redir_index].bits; -+ else -+ redir_content = ~0ULL; - -- redir_content = ioapic->redirtbl[redir_index].bits; - result = (ioapic->ioregsel & 0x1) ? - (redir_content >> 32) & 0xffffffff : - redir_content & 0xffffffff; diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 82b6fdc..57cc875 100644 --- a/virt/kvm/kvm_main.c diff --git a/3.2.46/0000_README b/3.2.46/0000_README index 7c63717..a0ae244 100644 --- a/3.2.46/0000_README +++ b/3.2.46/0000_README @@ -102,7 +102,7 @@ Patch: 1045_linux-3.2.46.patch From: http://www.kernel.org Desc: Linux 3.2.46 -Patch: 4420_grsecurity-2.9.1-3.2.46-201306041947.patch +Patch: 4420_grsecurity-2.9.1-3.2.46-201306102217.patch 
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306041947.patch b/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch index bf3ae8a..b788f3b 100644 --- a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306041947.patch +++ b/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch @@ -32046,7 +32046,7 @@ index a63b0a2..30228d1 100644 static DEFINE_MUTEX(pktcdvd_mutex); static struct pktcdvd_device *pkt_devs[MAX_WRITERS]; diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index 2678b6f..374ae19 100644 +index 2678b6f..d82ca54 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -419,7 +419,6 @@ int register_cdrom(struct cdrom_device_info *cdi) @@ -32079,6 +32079,24 @@ index 2678b6f..374ae19 100644 cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name); } +@@ -2110,7 +2111,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf, + */ + nr = nframes; + do { +- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); ++ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); + if (cgc.buffer) + break; + +@@ -2885,7 +2886,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c index 3ceaf00..e3c3d38 100644 --- a/drivers/cdrom/gdrom.c 
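Review bot: In the added `cdrom_read_cdda_old` hunk the zero-filled allocation still sizes itself with `CD_FRAMESIZE_RAW * nr` in plain `int` arithmetic, so overflow safety depends on whatever bounds `nframes` earlier, which is outside the hunk. `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` returns the same zeroed buffer with a checked multiplication. Both `kzalloc` calls would also benefit from a one-line comment such as `/* zeroed: a short or failed device read must not expose stale heap data */`; that rationale is presumed from the `__user` destination in the signature, and both function bodies continue outside their hunks. The same two changes appear again in the 3.9.5 patch (`@@ -2107,7 +2108,7 @@` and `@@ -2882,7 +2883,7 @@`), and the suggestion applies there as well.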
@@ -32425,6 +32443,18 @@ index 1451790..d42d89d 100644 }; static int memory_open(struct inode *inode, struct file *filp) +diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c +index c689697..04e6d6a 100644 +--- a/drivers/char/mwave/tp3780i.c ++++ b/drivers/char/mwave/tp3780i.c +@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities + PRINTK_2(TRACE_TP3780I, + "tp3780i::tp3780I_QueryAbilities entry pBDData %p\n", pBDData); + ++ memset(pAbilities, 0, sizeof(*pAbilities)); + /* fill out standard constant fields */ + pAbilities->instr_per_sec = pBDData->rDspSettings.uIps; + pAbilities->data_size = pBDData->rDspSettings.uDStoreSize; diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c index da3cfee..a5a6606 100644 --- a/drivers/char/nvram.c @@ -53982,10 +54012,18 @@ index e7bc1d7..06bd4bb 100644 } diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 9fde1c0..14e8827 100644 +index 9fde1c0..55df672 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c -@@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, +@@ -118,6 +118,7 @@ static int fill_event_metadata(struct fsnotify_group *group, + metadata->event_len = FAN_EVENT_METADATA_LEN; + metadata->metadata_len = FAN_EVENT_METADATA_LEN; + metadata->vers = FANOTIFY_METADATA_VERSION; ++ metadata->reserved = 0; + metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS; + metadata->pid = pid_vnr(event->tgid); + if (unlikely(event->mask & FAN_Q_OVERFLOW)) +@@ -276,7 +277,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, goto out_close_fd; ret = -EFAULT; @@ -78920,7 +78958,7 @@ index be5fa8b..a8c2090 100644 break; } diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index ea7ec7f..a823e62 100644 +index ea7ec7f..798623e 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -86,6 +86,13 @@ 
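Review bot: The `fill_event_metadata` hunk clears only `metadata->reserved`, which keeps uninitialised bytes away from the reader only if the metadata struct has no padding and every other field is assigned. Neither is visible here, because the function continues outside the hunk. Zeroing the whole object first with `memset(metadata, 0, sizeof(*metadata));`, as the `tp3780I_QueryAbilities` hunk in this same patch does for `pAbilities`, would not depend on the struct layout staying as it is today.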
@@ -78937,6 +78975,34 @@ index ea7ec7f..a823e62 100644 /* External variables not in a header file. */ extern int sysctl_overcommit_memory; +@@ -112,18 +119,18 @@ extern int blk_iopoll_enabled; + + /* Constants used for minimum and maximum */ + #ifdef CONFIG_LOCKUP_DETECTOR +-static int sixty = 60; +-static int neg_one = -1; ++static int sixty __read_only = 60; + #endif + +-static int zero; +-static int __maybe_unused one = 1; +-static int __maybe_unused two = 2; +-static int __maybe_unused three = 3; +-static unsigned long one_ul = 1; +-static int one_hundred = 100; ++static int neg_one __read_only = -1; ++static int zero __read_only = 0; ++static int __maybe_unused one __read_only = 1; ++static int __maybe_unused two __read_only = 2; ++static int __maybe_unused three __read_only = 3; ++static unsigned long one_ul __read_only = 1; ++static int one_hundred __read_only = 100; + #ifdef CONFIG_PRINTK +-static int ten_thousand = 10000; ++static int ten_thousand __read_only = 10000; + #endif + + /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */ @@ -165,10 +172,13 @@ static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); #endif @@ -79057,7 +79123,7 @@ index ea7ec7f..a823e62 100644 - .proc_handler = proc_dointvec, + /* go ahead, be a hero */ + .proc_handler = proc_dointvec_minmax_sysadmin, -+ .extra1 = &zero, ++ .extra1 = &neg_one, +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN + .extra2 = &three, +#else diff --git a/3.9.4/0000_README b/3.9.5/0000_README index 517433d..c01830f 100644 --- a/3.9.4/0000_README +++ b/3.9.5/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.9.4-201306041949.patch +Patch: 4420_grsecurity-2.9.1-3.9.5-201306102218.patch 
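Review bot: `neg_one` is moved out of the `#ifdef CONFIG_LOCKUP_DETECTOR` block without the `__maybe_unused` that `one`, `two` and `three` carry, so a configuration that compiles none of its users would, as far as this hunk shows, trigger an unused-variable warning. `static int __maybe_unused neg_one __read_only = -1;` avoids that. The move appears to serve the later hunk in this file that changes `.extra1 = &zero` to `.extra1 = &neg_one`; the guards around that table entry are not visible here. That entry would also benefit from a short comment stating what -1 means for the sysctl, since a hardening patch is widening the accepted lower bound.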
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch b/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306102218.patch index 55d122a..49e438f 100644 --- a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch +++ b/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306102218.patch @@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index bfbfaf9..d0b1bb8 100644 +index 8818c95..ced0bb1 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3390,7 +3390,7 @@ index 044c31d..2ee0861 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index a202a47..c430564 100644 +index 3a750de..4c9b88f 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c @@ -191,10 +191,10 @@ struct omap_hwmod_soc_ops { @@ -6380,10 +6380,10 @@ index 4aad413..85d86bf 100644 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index c9c67fc..e10c012 100644 +index 3b097a8..8f8c774 100644 --- a/arch/powerpc/include/asm/reg.h +++ b/arch/powerpc/include/asm/reg.h -@@ -245,6 +245,7 @@ +@@ -234,6 +234,7 @@ #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */ #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */ #define DSISR_NOHPTE 0x40000000 /* no translation found */ @@ -6817,10 +6817,10 @@ index f9b30c6..d72e7a3 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 95068bf..9ba1814 100644 +index 201385c..0f01828 100644 --- a/arch/powerpc/kernel/signal_32.c 
+++ b/arch/powerpc/kernel/signal_32.c -@@ -982,7 +982,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, +@@ -976,7 +976,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -6830,10 +6830,10 @@ index 95068bf..9ba1814 100644 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp; } else { diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index c179428..58acdaa 100644 +index 3459473..2d40783 100644 --- a/arch/powerpc/kernel/signal_64.c +++ b/arch/powerpc/kernel/signal_64.c -@@ -758,7 +758,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, +@@ -749,7 +749,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, #endif /* Set up to return from userspace. */ @@ -6856,10 +6856,10 @@ index 3ce1f86..c30e629 100644 }; diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c -index 83efa2f..6bb5839 100644 +index 1c22b2d..3b56e67 100644 --- a/arch/powerpc/kernel/traps.c +++ b/arch/powerpc/kernel/traps.c -@@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) +@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) return flags; } @@ -6868,7 +6868,7 @@ index 83efa2f..6bb5839 100644 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) { -@@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, +@@ -191,6 +193,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); @@ -20502,7 +20502,7 @@ index 73afd11..d1670f5 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 08f7e80..40cbed5 100644 +index 321d65e..e9437f7 100644 --- a/arch/x86/kernel/head_64.S 
+++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -20543,7 +20543,7 @@ index 08f7e80..40cbed5 100644 /* * Set up the identity mapping for the switchover. These -@@ -175,8 +187,8 @@ ENTRY(secondary_startup_64) +@@ -177,8 +189,8 @@ ENTRY(secondary_startup_64) movq $(init_level4_pgt - __START_KERNEL_map), %rax 1: @@ -20554,7 +20554,7 @@ index 08f7e80..40cbed5 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -197,10 +209,18 @@ ENTRY(secondary_startup_64) +@@ -199,10 +211,18 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -20574,7 +20574,7 @@ index 08f7e80..40cbed5 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -280,6 +300,7 @@ ENTRY(secondary_startup_64) +@@ -282,6 +302,7 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -20582,7 +20582,7 @@ index 08f7e80..40cbed5 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs -@@ -386,7 +407,7 @@ ENTRY(early_idt_handler) +@@ -388,7 +409,7 @@ ENTRY(early_idt_handler) call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -20591,7 +20591,7 @@ index 08f7e80..40cbed5 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -414,6 +435,7 @@ ENDPROC(early_idt_handler) +@@ -416,6 +437,7 @@ ENDPROC(early_idt_handler) early_recursion_flag: .long 0 @@ -20599,7 +20599,7 @@ index 08f7e80..40cbed5 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -443,27 +465,50 @@ NEXT_PAGE(early_dynamic_pgts) +@@ -445,27 +467,50 @@ NEXT_PAGE(early_dynamic_pgts) .data 
@@ -20658,7 +20658,7 @@ index 08f7e80..40cbed5 100644 NEXT_PAGE(level3_kernel_pgt) .fill L3_START_KERNEL,8,0 -@@ -471,6 +516,9 @@ NEXT_PAGE(level3_kernel_pgt) +@@ -473,6 +518,9 @@ NEXT_PAGE(level3_kernel_pgt) .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE @@ -20668,7 +20668,7 @@ index 08f7e80..40cbed5 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -486,38 +534,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -488,38 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -20770,10 +20770,10 @@ index 0fa6912..37fce70 100644 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); +#endif diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c -index 245a71d..89d9ce4 100644 +index cb33909..1163b40 100644 --- a/arch/x86/kernel/i387.c +++ b/arch/x86/kernel/i387.c -@@ -55,7 +55,7 @@ static inline bool interrupted_kernel_fpu_idle(void) +@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void) static inline bool interrupted_user_mode(void) { struct pt_regs *regs = get_irq_regs(); @@ -23970,7 +23970,7 @@ index a20ecb5..d0e2194 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 59622c9..f338414 100644 +index 698eece..776b682 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -328,6 +328,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) @@ -31909,10 +31909,10 @@ index 34c8216..f56c828 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 63c743b..0422dc6 100644 +index cf15aee..e0b7078 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c -@@ -4786,7 +4786,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) +@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) struct ata_port *ap; unsigned int tag; 
@@ -31921,7 +31921,7 @@ index 63c743b..0422dc6 100644 ap = qc->ap; qc->flags = 0; -@@ -4802,7 +4802,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) +@@ -4808,7 +4808,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) struct ata_port *ap; struct ata_link *link; @@ -31930,7 +31930,7 @@ index 63c743b..0422dc6 100644 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); ap = qc->ap; link = qc->dev->link; -@@ -5920,6 +5920,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5926,6 +5926,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) return; spin_lock(&lock); @@ -31938,7 +31938,7 @@ index 63c743b..0422dc6 100644 for (cur = ops->inherits; cur; cur = cur->inherits) { void **inherit = (void **)cur; -@@ -5933,8 +5934,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5939,8 +5940,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) if (IS_ERR(*pp)) *pp = NULL; @@ -33247,7 +33247,7 @@ index 7fda30e..eb5dfe0 100644 /* queue and queue Info */ struct list_head reqQ; diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c -index 3f08713..56a586a 100644 +index 3f08713..87d4b4a 100644 --- a/drivers/block/cpqarray.c +++ b/drivers/block/cpqarray.c @@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev) @@ -33322,7 +33322,15 @@ index 3f08713..56a586a 100644 a1 = a; a &= ~3; if ((c = h->cmpQ) == NULL) { -@@ -1449,11 +1449,11 @@ static int sendcmd( +@@ -1195,6 +1195,7 @@ out_passthru: + ida_pci_info_struct pciinfo; + + if (!arg) return -EINVAL; ++ memset(&pciinfo, 0, sizeof(pciinfo)); + pciinfo.bus = host->pci_dev->bus->number; + pciinfo.dev_fn = host->pci_dev->devfn; + pciinfo.board_id = host->board_id; +@@ -1449,11 +1450,11 @@ static int sendcmd( /* * Disable interrupt */ @@ -33336,7 +33344,7 @@ index 3f08713..56a586a 100644 if (temp != 0) { break; } -@@ -1466,7 +1466,7 @@ DBG( +@@ -1466,7 +1467,7 @@ DBG( /* * Send the cmd */ 
@@ -33345,7 +33353,7 @@ index 3f08713..56a586a 100644 complete = pollcomplete(ctlr); pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, -@@ -1549,9 +1549,9 @@ static int revalidate_allvol(ctlr_info_t *host) +@@ -1549,9 +1550,9 @@ static int revalidate_allvol(ctlr_info_t *host) * we check the new geometry. Then turn interrupts back on when * we're done. */ @@ -33357,7 +33365,7 @@ index 3f08713..56a586a 100644 for(i=0; i<NWD; i++) { struct gendisk *disk = ida_gendisk[ctlr][i]; -@@ -1591,7 +1591,7 @@ static int pollcomplete(int ctlr) +@@ -1591,7 +1592,7 @@ static int pollcomplete(int ctlr) /* Wait (up to 2 seconds) for a command to complete */ for (i = 200000; i > 0; i--) { @@ -33569,7 +33577,7 @@ index 2e7de7a..ed86dc0 100644 static DEFINE_MUTEX(pktcdvd_mutex); static struct pktcdvd_device *pkt_devs[MAX_WRITERS]; diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index d620b44..587561e 100644 +index d620b44..e9abc80 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -416,7 +416,6 @@ int register_cdrom(struct cdrom_device_info *cdi) @@ -33602,6 +33610,24 @@ index d620b44..587561e 100644 cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name); } +@@ -2107,7 +2108,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf, + */ + nr = nframes; + do { +- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); ++ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); + if (cgc.buffer) + break; + +@@ -2882,7 +2883,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c index d59cdcb..11afddf 100644 --- a/drivers/cdrom/gdrom.c 
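Review bot: The size passed to `kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL)` in cdrom_read_cdda_old is still an unchecked multiplication. `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` zeroes the buffer as well and fails the allocation if the product overflows. Whether `nr` is already bounded cannot be seen from the hunk, because any validation of `nframes` happens outside it, so this is hardening rather than a confirmed bug. The second change, `kzalloc(blocksize, GFP_KERNEL)` in mmc_ioctl_cdrom_read_data, involves no multiplication and is fine as written.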
@@ -33909,6 +33935,18 @@ index 2c644af..d4d7f17 100644 }; static int memory_open(struct inode *inode, struct file *filp) +diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c +index c689697..04e6d6a 100644 +--- a/drivers/char/mwave/tp3780i.c ++++ b/drivers/char/mwave/tp3780i.c +@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities + PRINTK_2(TRACE_TP3780I, + "tp3780i::tp3780I_QueryAbilities entry pBDData %p\n", pBDData); + ++ memset(pAbilities, 0, sizeof(*pAbilities)); + /* fill out standard constant fields */ + pAbilities->instr_per_sec = pBDData->rDspSettings.uIps; + pAbilities->data_size = pBDData->rDspSettings.uDStoreSize; diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c index 9df78e2..01ba9ae 100644 --- a/drivers/char/nvram.c @@ -33998,7 +34036,7 @@ index 5c5cc00..ac9edb7 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 32a6c57..98038d5 100644 +index eccd7cc..98038d5 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -272,8 +272,13 @@ 
@@ -34044,85 +34082,7 @@ index 32a6c57..98038d5 100644 smp_wmb(); if (out) -@@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, - if (r->entropy_count / 8 < min + reserved) { - nbytes = 0; - } else { -+ int entropy_count, orig; -+retry: -+ entropy_count = orig = ACCESS_ONCE(r->entropy_count); - /* If limited, never pull more than available */ -- if (r->limit && nbytes + reserved >= r->entropy_count / 8) -- nbytes = r->entropy_count/8 - reserved; -+ if (r->limit && nbytes + reserved >= entropy_count / 8) -+ nbytes = entropy_count/8 - reserved; - -- if (r->entropy_count / 8 >= nbytes + reserved) -- r->entropy_count -= nbytes*8; -- else -- r->entropy_count = reserved; -+ if (entropy_count / 8 >= nbytes + reserved) { -+ entropy_count -= nbytes*8; -+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) -+ goto retry; -+ } else { -+ entropy_count = reserved; -+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) -+ goto retry; -+ } - -- if (r->entropy_count < random_write_wakeup_thresh) -+ if (entropy_count < random_write_wakeup_thresh) - wakeup_write = 1; - } - -@@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, - { - ssize_t ret = 0, i; - __u8 tmp[EXTRACT_SIZE]; -+ unsigned long flags; - - /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ -- if (fips_enabled && !r->last_data_init) -- nbytes += EXTRACT_SIZE; -+ if (fips_enabled) { -+ spin_lock_irqsave(&r->lock, flags); -+ if (!r->last_data_init) { -+ r->last_data_init = true; -+ spin_unlock_irqrestore(&r->lock, flags); -+ trace_extract_entropy(r->name, EXTRACT_SIZE, -+ r->entropy_count, _RET_IP_); -+ xfer_secondary_pool(r, EXTRACT_SIZE); -+ extract_buf(r, tmp); -+ spin_lock_irqsave(&r->lock, flags); -+ memcpy(r->last_data, tmp, EXTRACT_SIZE); -+ } -+ spin_unlock_irqrestore(&r->lock, flags); -+ } - - trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_); - xfer_secondary_pool(r, nbytes); -@@ 
-970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, - extract_buf(r, tmp); - - if (fips_enabled) { -- unsigned long flags; -- -- -- /* prime last_data value if need be, per fips 140-2 */ -- if (!r->last_data_init) { -- spin_lock_irqsave(&r->lock, flags); -- memcpy(r->last_data, tmp, EXTRACT_SIZE); -- r->last_data_init = true; -- nbytes -= EXTRACT_SIZE; -- spin_unlock_irqrestore(&r->lock, flags); -- extract_buf(r, tmp); -- } -- - spin_lock_irqsave(&r->lock, flags); - if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) - panic("Hardware RNG duplicated output!\n"); -@@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1032,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -34131,7 +34091,7 @@ index 32a6c57..98038d5 100644 ret = -EFAULT; break; } -@@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1368,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid); #include <linux/sysctl.h> static int min_read_thresh = 8, min_write_thresh; @@ -34140,7 +34100,7 @@ index 32a6c57..98038d5 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1376,7 +1396,7 @@ static char sysctl_bootid[16]; +@@ -1384,7 +1396,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -35770,10 +35730,10 @@ index 5a82b6b..9e69c73 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 44b8034..cc722fd 100644 +index 5073665..31d15a6 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c 
+++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -977,7 +977,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) +@@ -976,7 +976,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) bool can_switch; spin_lock(&dev->count_lock); @@ -39655,7 +39615,7 @@ index ff90760..08d8aed 100644 /** * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters. diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h -index 8d7d4c2..95f7681 100644 +index 25309bf..fcfd54c 100644 --- a/drivers/net/ethernet/broadcom/tg3.h +++ b/drivers/net/ethernet/broadcom/tg3.h @@ -147,6 +147,7 @@ @@ -40564,10 +40524,10 @@ index 12c4f31..484d948 100644 memset(buf, 0, sizeof(buf)); diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c -index cffdf4f..7cefb69 100644 +index 2b49f48..14fc244 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c -@@ -2144,25 +2144,19 @@ static int __init init_mac80211_hwsim(void) +@@ -2143,25 +2143,19 @@ static int __init init_mac80211_hwsim(void) if (channels > 1) { hwsim_if_comb.num_different_channels = channels; @@ -42738,7 +42698,7 @@ index 5f13890..36a044b 100644 pDevice->apdev->type = ARPHRD_IEEE80211; diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c -index bc5e9da..dacd556 100644 +index a94e66f..31984d0 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -60,14 +60,13 @@ static int msglevel =MSG_LEVEL_INFO; 
@@ -42809,48 +42769,6 @@ index adbe5a8..d387359 100644 extern void tmem_register_hostops(struct tmem_hostops *m); /* core tmem accessor functions */ -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index ca2be40..93ae910 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_response( - } - INIT_LIST_HEAD(&extra_response->er_list); - -- strncpy(extra_response->key, key, strlen(key) + 1); -- strncpy(extra_response->value, NOTUNDERSTOOD, -- strlen(NOTUNDERSTOOD) + 1); -+ strlcpy(extra_response->key, key, sizeof(extra_response->key)); -+ strlcpy(extra_response->value, NOTUNDERSTOOD, -+ sizeof(extra_response->value)); - - list_add_tail(&extra_response->er_list, - ¶m_list->extra_response_list); -@@ -1583,8 +1583,6 @@ int iscsi_decode_text_input( - - if (phase & PHASE_SECURITY) { - if (iscsi_check_for_auth_key(key) > 0) { -- char *tmpptr = key + strlen(key); -- *tmpptr = '='; - kfree(tmpbuf); - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h -index 1e1b750..2c536a0 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.h -+++ b/drivers/target/iscsi/iscsi_target_parameters.h -@@ -1,8 +1,10 @@ - #ifndef ISCSI_PARAMETERS_H - #define ISCSI_PARAMETERS_H - -+#include <scsi/iscsi_proto.h> -+ - struct iscsi_extra_response { -- char key[64]; -+ char key[KEY_MAXLEN]; - char value[32]; - struct list_head er_list; - } ____cacheline_aligned; diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c index 2e4d655..fd72e68 100644 --- a/drivers/target/target_core_device.c @@ -42865,10 +42783,10 @@ index 2e4d655..fd72e68 100644 spin_lock_init(&dev->t10_wwn.t10_vpd_lock); INIT_LIST_HEAD(&dev->t10_pr.registration_list); 
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index 0d46276..f327cab5 100644 +index fc9a5a0..1d5975e 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c -@@ -1080,7 +1080,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) +@@ -1081,7 +1081,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) * Used to determine when ORDERED commands should go from * Dormant to Active status. */ @@ -43211,10 +43129,10 @@ index 4a43ef5d7..aa71f27 100644 dlci_get(dlci->gsm->dlci[0]); mux_get(dlci->gsm); diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 05e72be..67f6a0f 100644 +index 1f8cba6..47b06c2 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c -@@ -2197,6 +2197,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2205,6 +2205,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -44136,7 +44054,7 @@ index c8b9262..7e824e6 100644 ret = uio_get_minor(idev); if (ret) diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c -index b7eb86a..c00402f 100644 +index 8a7eb77..c00402f 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, @@ -44148,16 +44066,6 @@ index b7eb86a..c00402f 100644 return -EINVAL; pos += tmp; -@@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ - { - int ret, len; - __le32 *buf; -- int offb, offd; -+ int offb; -+ unsigned int offd; - const int stride = CMD_PACKET_SIZE / (4 * 2) - 1; - int buflen = ((size - 1) / stride + 1 + size * 2) * 4; - diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c index 35f10bf..6a38a0b 100644 --- a/drivers/usb/atm/usbatm.c 
@@ -51219,39 +51127,6 @@ index febbe0e..782c4fd 100644 static int parse_strtoul(const char *buf, unsigned long max, unsigned long *value) -diff --git a/fs/fat/inode.c b/fs/fat/inode.c -index acf6e47..e7a7fde 100644 ---- a/fs/fat/inode.c -+++ b/fs/fat/inode.c -@@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode) - return 0; - } - -+static unsigned long calc_fat_clusters(struct super_block *sb) -+{ -+ struct msdos_sb_info *sbi = MSDOS_SB(sb); -+ -+ /* Divide first to avoid overflow */ -+ if (sbi->fat_bits != 12) { -+ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits; -+ return ent_per_sec * sbi->fat_length; -+ } -+ -+ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; -+} -+ - /* - * Read the super block of an MS-DOS FS. - */ -@@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, - sbi->dirty = b->fat16.state & FAT_STATE_DIRTY; - - /* check that FAT table does not overflow */ -- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; -+ fat_clusters = calc_fat_clusters(sb); - total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); - if (total_clusters > MAX_FAT(sb)) { - if (!silent) diff --git a/fs/fcntl.c b/fs/fcntl.c index 6599222..e7bf0de 100644 --- a/fs/fcntl.c @@ -52902,10 +52777,10 @@ index 11dfa0c..6f64416 100644 if (!ret) ret = -EPIPE; diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c -index ff15522..092a0f6 100644 +index 185c479..51b9986 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c -@@ -1409,7 +1409,7 @@ static char *read_link(struct dentry *dentry) +@@ -1415,7 +1415,7 @@ static char *read_link(struct dentry *dentry) return link; } 
@@ -53816,19 +53691,6 @@ index 1f94167..79c4ce4 100644 } void nfs_fattr_init(struct nfs_fattr *fattr) -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 0086401..261e9b9 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1022,7 +1022,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) - struct nfs4_state *state = opendata->state; - struct nfs_inode *nfsi = NFS_I(state->inode); - struct nfs_delegation *delegation; -- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC); -+ int open_mode = opendata->o_arg.open_flags; - fmode_t fmode = opendata->o_arg.fmode; - nfs4_stateid stateid; - int ret = -EAGAIN; diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index d401d01..10b3e62 100644 --- a/fs/nfsd/nfs4proc.c @@ -54011,10 +53873,18 @@ index e7bc1d7..06bd4bb 100644 } diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 5d84442..bf24453 100644 +index 5d84442..2c034ba 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c -@@ -251,8 +251,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, +@@ -121,6 +121,7 @@ static int fill_event_metadata(struct fsnotify_group *group, + metadata->event_len = FAN_EVENT_METADATA_LEN; + metadata->metadata_len = FAN_EVENT_METADATA_LEN; + metadata->vers = FANOTIFY_METADATA_VERSION; ++ metadata->reserved = 0; + metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS; + metadata->pid = pid_vnr(event->tgid); + if (unlikely(event->mask & FAN_Q_OVERFLOW)) +@@ -251,8 +252,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, fd = fanotify_event_metadata.fd; ret = -EFAULT; 
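Review bot: Setting `metadata->reserved = 0;` by hand in fill_event_metadata covers only the one member known to be unset today. A `memset(metadata, 0, sizeof(*metadata));` before the first assignment would also cover padding and any member added to the structure later. The structure appears to be handed to user space by copy_event_to_user, which the following hunk touches, so every byte of it matters. fill_event_metadata starts and ends outside the hunk, so assignments made elsewhere in it are not visible here.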
@@ -55927,19 +55797,6 @@ index fee38e0..12fdf47 100644 if (__put_user(d_off, &lastdirent->d_off)) error = -EFAULT; else -diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c -index 66c53b6..6c2d136 100644 ---- a/fs/reiserfs/dir.c -+++ b/fs/reiserfs/dir.c -@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent, - next_pos = deh_offset(deh) + 1; - - if (item_moved(&tmp_ih, &path_to_entry)) { -+ set_cpu_key_k_offset(&pos_key, -+ next_pos); - goto research; - } - } /* for */ diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c index 2b7882b..1c5ef48 100644 --- a/fs/reiserfs/do_balan.c @@ -55953,29 +55810,6 @@ index 2b7882b..1c5ef48 100644 do_balance_starts(tb); /* balance leaf returns 0 except if combining L R and S into -diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c -index ea5061f..c3a9de6 100644 ---- a/fs/reiserfs/inode.c -+++ b/fs/reiserfs/inode.c -@@ -1810,11 +1810,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, - TYPE_STAT_DATA, SD_SIZE, MAX_US_INT); - memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE); - args.dirid = le32_to_cpu(ih.ih_key.k_dir_id); -- if (insert_inode_locked4(inode, args.objectid, -- reiserfs_find_actor, &args) < 0) { -+ -+ reiserfs_write_unlock(inode->i_sb); -+ err = insert_inode_locked4(inode, args.objectid, -+ reiserfs_find_actor, &args); -+ reiserfs_write_lock(inode->i_sb); -+ if (err) { - err = -EINVAL; - goto out_bad_inode; - } -+ - if (old_format_only(sb)) - /* not a perfect generation count, as object ids can be reused, but - ** this is as good as reiserfs can do right now. diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c index 9cc0740a..46bf953 100644 --- a/fs/reiserfs/procfs.c 
@@ -56011,45 +55845,6 @@ index 157e474..65a6114 100644 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen) #define __fs_changed(gen,s) (gen != get_generation (s)) #define fs_changed(gen,s) \ -diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c -index 4cce1d9..821bcf7 100644 ---- a/fs/reiserfs/xattr.c -+++ b/fs/reiserfs/xattr.c -@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentry *dentry, void *data) - static int chown_one_xattr(struct dentry *dentry, void *data) - { - struct iattr *attrs = data; -- return reiserfs_setattr(dentry, attrs); -+ int ia_valid = attrs->ia_valid; -+ int err; -+ -+ /* -+ * We only want the ownership bits. Otherwise, we'll do -+ * things like change a directory to a regular file if -+ * ATTR_MODE is set. -+ */ -+ attrs->ia_valid &= (ATTR_UID|ATTR_GID); -+ err = reiserfs_setattr(dentry, attrs); -+ attrs->ia_valid = ia_valid; -+ -+ return err; - } - - /* No i_mutex, but the inode is unconnected. */ -diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c -index d7c01ef..6c8767f 100644 ---- a/fs/reiserfs/xattr_acl.c -+++ b/fs/reiserfs/xattr_acl.c -@@ -443,6 +443,9 @@ int reiserfs_acl_chmod(struct inode *inode) - int depth; - int error; - -+ if (IS_PRIVATE(inode)) -+ return 0; -+ - if (S_ISLNK(inode->i_mode)) - return -EOPNOTSUPP; - diff --git a/fs/select.c b/fs/select.c index 8c1c96c..a0f9b6d 100644 --- a/fs/select.c @@ -56672,7 +56467,7 @@ index d681e34..2a3f5ab 100644 goto out_put; diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c -index d82efaa..60100c7 100644 +index ca9ecaa..60100c7 100644 --- a/fs/xfs/xfs_iops.c +++ b/fs/xfs/xfs_iops.c @@ -395,7 +395,7 @@ xfs_vn_put_link( 
@@ -56684,81 +56479,6 @@ index d82efaa..60100c7 100644 if (!IS_ERR(s)) kfree(s); -@@ -455,6 +455,28 @@ xfs_vn_getattr( - return 0; - } - -+static void -+xfs_setattr_mode( -+ struct xfs_trans *tp, -+ struct xfs_inode *ip, -+ struct iattr *iattr) -+{ -+ struct inode *inode = VFS_I(ip); -+ umode_t mode = iattr->ia_mode; -+ -+ ASSERT(tp); -+ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); -+ -+ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) -+ mode &= ~S_ISGID; -+ -+ ip->i_d.di_mode &= S_IFMT; -+ ip->i_d.di_mode |= mode & ~S_IFMT; -+ -+ inode->i_mode &= S_IFMT; -+ inode->i_mode |= mode & ~S_IFMT; -+} -+ - int - xfs_setattr_nonsize( - struct xfs_inode *ip, -@@ -606,18 +628,8 @@ xfs_setattr_nonsize( - /* - * Change file access modes. - */ -- if (mask & ATTR_MODE) { -- umode_t mode = iattr->ia_mode; -- -- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) -- mode &= ~S_ISGID; -- -- ip->i_d.di_mode &= S_IFMT; -- ip->i_d.di_mode |= mode & ~S_IFMT; -- -- inode->i_mode &= S_IFMT; -- inode->i_mode |= mode & ~S_IFMT; -- } -+ if (mask & ATTR_MODE) -+ xfs_setattr_mode(tp, ip, iattr); - - /* - * Change file access or modified times. -@@ -714,9 +726,8 @@ xfs_setattr_size( - return XFS_ERROR(error); - - ASSERT(S_ISREG(ip->i_d.di_mode)); -- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| -- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID| -- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); -+ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| -+ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); - - if (!(flags & XFS_ATTR_NOLOCK)) { - lock_flags |= XFS_IOLOCK_EXCL; -@@ -860,6 +871,12 @@ xfs_setattr_size( - xfs_inode_clear_eofblocks_tag(ip); - } - -+ /* -+ * Change file access modes. -+ */ -+ if (mask & ATTR_MODE) -+ xfs_setattr_mode(tp, ip, iattr); -+ - if (mask & ATTR_CTIME) { - inode->i_ctime = iattr->ia_ctime; - ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec; 
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 index 0000000..ba9c5e3 @@ -73156,10 +72876,10 @@ index a6a059c..2243336 100644 struct snd_soc_platform { const char *name; diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h -index c4af592..20c52d2 100644 +index f8640f3..b72d113 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h -@@ -657,7 +657,7 @@ struct se_device { +@@ -658,7 +658,7 @@ struct se_device { spinlock_t stats_lock; /* Active commands on this virtual SE device */ atomic_t simple_cmds; @@ -74459,10 +74179,10 @@ index f6c2ce5..982c0f9 100644 + return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid); +} diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index ba1f977..f840d9c 100644 +index a48de6a..df24bfe 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -5569,7 +5569,7 @@ static int cgroup_css_links_read(struct cgroup *cont, +@@ -5567,7 +5567,7 @@ static int cgroup_css_links_read(struct cgroup *cont, struct css_set *cg = link->cg; struct task_struct *task; int count = 0; @@ -76057,7 +75777,7 @@ index b2c71c5..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 0925c9a..6b044ac 100644 +index 97f202c..109575f 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -61,6 +61,7 @@ @@ -76222,7 +75942,7 @@ index 0925c9a..6b044ac 100644 set_memory_ro); } } -@@ -1881,16 +1883,19 @@ static void free_module(struct module *mod) +@@ -1886,16 +1888,19 @@ static void free_module(struct module *mod) /* This may be NULL, but that's OK */ unset_module_init_ro_nx(mod); 
@@ -76245,7 +75965,7 @@ index 0925c9a..6b044ac 100644 #ifdef CONFIG_MPU update_protections(current->mm); -@@ -1960,9 +1965,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -1965,9 +1970,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) int ret = 0; const struct kernel_symbol *ksym; @@ -76277,7 +75997,7 @@ index 0925c9a..6b044ac 100644 switch (sym[i].st_shndx) { case SHN_COMMON: /* We compiled with -fno-common. These are not -@@ -1983,7 +2010,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -1988,7 +2015,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) ksym = resolve_symbol_wait(mod, info, name); /* Ok if resolved. */ if (ksym && !IS_ERR(ksym)) { @@ -76287,7 +76007,7 @@ index 0925c9a..6b044ac 100644 break; } -@@ -2002,11 +2031,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -2007,11 +2036,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) secbase = (unsigned long)mod_percpu(mod); else secbase = info->sechdrs[sym[i].st_shndx].sh_addr; @@ -76308,7 +76028,7 @@ index 0925c9a..6b044ac 100644 return ret; } -@@ -2090,22 +2128,12 @@ static void layout_sections(struct module *mod, struct load_info *info) +@@ -2095,22 +2133,12 @@ static void layout_sections(struct module *mod, struct load_info *info) || s->sh_entsize != ~0UL || strstarts(sname, ".init")) continue; @@ -76335,7 +76055,7 @@ index 0925c9a..6b044ac 100644 } pr_debug("Init section allocation order:\n"); -@@ -2119,23 +2147,13 @@ static void layout_sections(struct module *mod, struct load_info *info) +@@ -2124,23 +2152,13 @@ static void layout_sections(struct module *mod, struct load_info *info) || s->sh_entsize != ~0UL || !strstarts(sname, ".init")) continue; 
@@ -76364,7 +76084,7 @@ index 0925c9a..6b044ac 100644 } } -@@ -2308,7 +2326,7 @@ static void layout_symtab(struct module *mod, struct load_info *info) +@@ -2313,7 +2331,7 @@ static void layout_symtab(struct module *mod, struct load_info *info) /* Put symbol section at end of init part of module. */ symsect->sh_flags |= SHF_ALLOC; @@ -76373,7 +76093,7 @@ index 0925c9a..6b044ac 100644 info->index.sym) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + symsect->sh_name); -@@ -2325,13 +2343,13 @@ static void layout_symtab(struct module *mod, struct load_info *info) +@@ -2330,13 +2348,13 @@ static void layout_symtab(struct module *mod, struct load_info *info) } /* Append room for core symbols at end of core part. */ @@ -76391,7 +76111,7 @@ index 0925c9a..6b044ac 100644 info->index.str) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + strsect->sh_name); } -@@ -2349,12 +2367,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) +@@ -2354,12 +2372,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) /* Make sure we get permanent strtab: don't use info->strtab. */ mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; @@ -76408,7 +76128,7 @@ index 0925c9a..6b044ac 100644 src = mod->symtab; for (ndst = i = 0; i < mod->num_symtab; i++) { if (i == 0 || -@@ -2366,6 +2386,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) +@@ -2371,6 +2391,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) } } mod->core_num_syms = ndst; @@ -76417,7 +76137,7 @@ index 0925c9a..6b044ac 100644 } #else static inline void layout_symtab(struct module *mod, struct load_info *info) -@@ -2399,17 +2421,33 @@ void * __weak module_alloc(unsigned long size) +@@ -2404,17 +2426,33 @@ void * __weak module_alloc(unsigned long size) return vmalloc_exec(size); } 
@@ -76456,7 +76176,7 @@ index 0925c9a..6b044ac 100644 mutex_unlock(&module_mutex); } return ret; -@@ -2685,8 +2723,14 @@ static struct module *setup_load_info(struct load_info *info, int flags) +@@ -2690,8 +2728,14 @@ static struct module *setup_load_info(struct load_info *info, int flags) static int check_modinfo(struct module *mod, struct load_info *info, int flags) { const char *modmagic = get_modinfo(info, "vermagic"); @@ -76471,7 +76191,7 @@ index 0925c9a..6b044ac 100644 if (flags & MODULE_INIT_IGNORE_VERMAGIC) modmagic = NULL; -@@ -2712,7 +2756,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) +@@ -2717,7 +2761,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) } /* Set up license info based on the info section */ @@ -76480,7 +76200,7 @@ index 0925c9a..6b044ac 100644 return 0; } -@@ -2806,7 +2850,7 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2811,7 +2855,7 @@ static int move_module(struct module *mod, struct load_info *info) void *ptr; /* Do the allocs. */ @@ -76489,7 +76209,7 @@ index 0925c9a..6b044ac 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. Just mark it as not being a -@@ -2816,11 +2860,11 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2821,11 +2865,11 @@ static int move_module(struct module *mod, struct load_info *info) if (!ptr) return -ENOMEM; @@ -76505,7 +76225,7 @@ index 0925c9a..6b044ac 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. This block doesn't need to be -@@ -2829,13 +2873,45 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2834,13 +2878,45 @@ static int move_module(struct module *mod, struct load_info *info) */ kmemleak_ignore(ptr); if (!ptr) { 
@@ -76555,7 +76275,7 @@ index 0925c9a..6b044ac 100644 /* Transfer each section which specifies SHF_ALLOC */ pr_debug("final section addresses:\n"); -@@ -2846,16 +2922,45 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2851,16 +2927,45 @@ static int move_module(struct module *mod, struct load_info *info) if (!(shdr->sh_flags & SHF_ALLOC)) continue; @@ -76608,7 +76328,7 @@ index 0925c9a..6b044ac 100644 pr_debug("\t0x%lx %s\n", (long)shdr->sh_addr, info->secstrings + shdr->sh_name); } -@@ -2912,12 +3017,12 @@ static void flush_module_icache(const struct module *mod) +@@ -2917,12 +3022,12 @@ static void flush_module_icache(const struct module *mod) * Do it before processing of module parameters, so the module * can provide parameter accessor functions of its own. */ @@ -76627,7 +76347,7 @@ index 0925c9a..6b044ac 100644 set_fs(old_fs); } -@@ -2987,8 +3092,10 @@ out: +@@ -2992,8 +3097,10 @@ out: static void module_deallocate(struct module *mod, struct load_info *info) { percpu_modfree(mod); @@ -76640,7 +76360,7 @@ index 0925c9a..6b044ac 100644 } int __weak module_finalize(const Elf_Ehdr *hdr, -@@ -3001,7 +3108,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, +@@ -3006,7 +3113,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, static int post_relocation(struct module *mod, const struct load_info *info) { /* Sort exception table now relocations are done. */ @@ -76650,7 +76370,7 @@ index 0925c9a..6b044ac 100644 /* Copy relocated percpu area over. */ percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, -@@ -3055,16 +3164,16 @@ static int do_init_module(struct module *mod) +@@ -3060,16 +3169,16 @@ static int do_init_module(struct module *mod) MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ 
@@ -76675,7 +76395,7 @@ index 0925c9a..6b044ac 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3126,11 +3235,12 @@ static int do_init_module(struct module *mod) +@@ -3131,11 +3240,12 @@ static int do_init_module(struct module *mod) mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -76693,7 +76413,7 @@ index 0925c9a..6b044ac 100644 mutex_unlock(&module_mutex); wake_up_all(&module_wq); -@@ -3257,9 +3367,38 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3262,9 +3372,38 @@ static int load_module(struct load_info *info, const char __user *uargs, if (err) goto free_unload; @@ -76732,7 +76452,7 @@ index 0925c9a..6b044ac 100644 /* Fix up syms, so that st_value is a pointer to location. */ err = simplify_symbols(mod, info); if (err < 0) -@@ -3275,13 +3414,6 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3280,13 +3419,6 @@ static int load_module(struct load_info *info, const char __user *uargs, flush_module_icache(mod); @@ -76746,7 +76466,7 @@ index 0925c9a..6b044ac 100644 dynamic_debug_setup(info->debug, info->num_debug); /* Finally it's fully formed, ready to start executing. */ -@@ -3316,11 +3448,10 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3321,11 +3453,10 @@ static int load_module(struct load_info *info, const char __user *uargs, ddebug_cleanup: dynamic_debug_remove(info->debug); synchronize_sched(); @@ -76759,7 +76479,7 @@ index 0925c9a..6b044ac 100644 free_unload: module_unload_free(mod); unlink_mod: -@@ -3403,10 +3534,16 @@ static const char *get_ksymbol(struct module *mod, +@@ -3408,10 +3539,16 @@ static const char *get_ksymbol(struct module *mod, unsigned long nextval; /* At worse, next value is at end of module */ 
@@ -76779,7 +76499,7 @@ index 0925c9a..6b044ac 100644 /* Scan for closest preceding symbol, and next symbol. (ELF starts real symbols at 1). */ -@@ -3659,7 +3796,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3664,7 +3801,7 @@ static int m_show(struct seq_file *m, void *p) return 0; seq_printf(m, "%s %u", @@ -76788,7 +76508,7 @@ index 0925c9a..6b044ac 100644 print_unload_info(m, mod); /* Informative for users. */ -@@ -3668,7 +3805,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3673,7 +3810,7 @@ static int m_show(struct seq_file *m, void *p) mod->state == MODULE_STATE_COMING ? "Loading": "Live"); /* Used by oprofile and other similar tools. */ @@ -76797,7 +76517,7 @@ index 0925c9a..6b044ac 100644 /* Taints info */ if (mod->taints) -@@ -3704,7 +3841,17 @@ static const struct file_operations proc_modules_operations = { +@@ -3709,7 +3846,17 @@ static const struct file_operations proc_modules_operations = { static int __init proc_modules_init(void) { @@ -76815,7 +76535,7 @@ index 0925c9a..6b044ac 100644 return 0; } module_init(proc_modules_init); -@@ -3765,14 +3912,14 @@ struct module *__module_address(unsigned long addr) +@@ -3770,14 +3917,14 @@ struct module *__module_address(unsigned long addr) { struct module *mod; @@ -76833,7 +76553,7 @@ index 0925c9a..6b044ac 100644 return mod; } return NULL; -@@ -3807,11 +3954,20 @@ bool is_module_text_address(unsigned long addr) +@@ -3812,11 +3959,20 @@ bool is_module_text_address(unsigned long addr) */ struct module *__module_text_address(unsigned long addr) { @@ -78851,7 +78571,7 @@ index 0da73cf..5c2af3c 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index afc1dc6..fb0671d 100644 +index afc1dc6..f6cf355 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -93,7 +93,6 @@ 
@@ -78862,6 +78582,34 @@ index afc1dc6..fb0671d 100644 /* External variables not in a header file. */ extern int sysctl_overcommit_memory; extern int sysctl_overcommit_ratio; +@@ -120,18 +119,18 @@ extern int blk_iopoll_enabled; + + /* Constants used for minimum and maximum */ + #ifdef CONFIG_LOCKUP_DETECTOR +-static int sixty = 60; +-static int neg_one = -1; ++static int sixty __read_only = 60; + #endif + +-static int zero; +-static int __maybe_unused one = 1; +-static int __maybe_unused two = 2; +-static int __maybe_unused three = 3; +-static unsigned long one_ul = 1; +-static int one_hundred = 100; ++static int neg_one __read_only = -1; ++static int zero __read_only = 0; ++static int __maybe_unused one __read_only = 1; ++static int __maybe_unused two __read_only = 2; ++static int __maybe_unused three __read_only = 3; ++static unsigned long one_ul __read_only = 1; ++static int one_hundred __read_only = 100; + #ifdef CONFIG_PRINTK +-static int ten_thousand = 10000; ++static int ten_thousand __read_only = 10000; + #endif + + /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */ @@ -178,10 +177,8 @@ static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); #endif @@ -78969,7 +78717,7 @@ index afc1dc6..fb0671d 100644 - .proc_handler = proc_dointvec, + /* go ahead, be a hero */ + .proc_handler = proc_dointvec_minmax_sysadmin, -+ .extra1 = &zero, ++ .extra1 = &neg_one, +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN + .extra2 = &three, +#else 
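Review bot: `neg_one` is moved out of the `#ifdef CONFIG_LOCKUP_DETECTOR` block in the added kernel/sysctl.c hunk at -120,18, but unlike `one`, `two` and `three` it is declared without `__maybe_unused`. The table entries that reference it are outside this hunk, so this is inferred: if all of them are themselves conditional, a configuration that enables none of them would get a defined-but-unused warning, which `static int __maybe_unused neg_one __read_only = -1;` avoids. The block would also benefit from a one-line comment on why the bounds carry `__read_only`, for example `/* range limits referenced via ctl_table extra1/extra2; read-only so the limits themselves cannot be modified at run time (presumed intent, confirm) */`.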
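Review bot: The lower bound of this entry changes from `&zero` to `&neg_one`, so `proc_dointvec_minmax_sysadmin` will now accept -1, and the only comment nearby (`/* go ahead, be a hero */`) does not say what that value means or why it is permitted. The entry's name is outside the hunk; the `CONFIG_GRKERNSEC_PERF_HARDEN` guard on `.extra2` suggests a perf-related restriction level, where a lower value would normally be the less restrictive one, and that is worth confirming against the full table. I would put a comment next to the bound, for example `/* -1 accepted as the minimum: <meaning of -1 for this knob> */`, so the widened range reads as a documented decision rather than a side effect of `neg_one` becoming available. The table entry starts and ends outside the hunk.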
@@ -80643,24 +80391,6 @@ index b32b70c..e512eb0 100644 pkmap_count[last_pkmap_nr] = 1; set_page_address(page, (void *)vaddr); -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index e2f7f5aa..a4510d4 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm, - pte_unmap(pte); - spin_lock(&mm->page_table_lock); - BUG_ON(!pmd_none(*pmd)); -- set_pmd_at(mm, address, pmd, _pmd); -+ /* -+ * We can only use set_pmd_at when establishing -+ * hugepmds and never for establishing regular pmds that -+ * points to regular pagetables. Use pmd_populate for that -+ */ -+ pmd_populate(mm, pmd, pmd_pgtable(_pmd)); - spin_unlock(&mm->page_table_lock); - anon_vma_unlock_write(vma->anon_vma); - goto out; diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 1a12f5b..a85b8fc 100644 --- a/mm/hugetlb.c @@ -81829,7 +81559,7 @@ index 7431001..0f8344e 100644 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); diff --git a/mm/migrate.c b/mm/migrate.c -index 3bbaf5d..299b0e9 100644 +index 22ed5c1..87c424c 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1382,8 +1382,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, 
@@ -83125,133 +82855,6 @@ index 0dceed8..671951c 100644 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); -diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c -index be04122..6725ff1 100644 ---- a/mm/mmu_notifier.c -+++ b/mm/mmu_notifier.c -@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm) - int id; - - /* -- * srcu_read_lock() here will block synchronize_srcu() in -- * mmu_notifier_unregister() until all registered -- * ->release() callouts this function makes have -- * returned. -+ * SRCU here will block mmu_notifier_unregister until -+ * ->release returns. - */ - id = srcu_read_lock(&srcu); -+ hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist) -+ /* -+ * If ->release runs before mmu_notifier_unregister it must be -+ * handled, as it's the only way for the driver to flush all -+ * existing sptes and stop the driver from establishing any more -+ * sptes before all the pages in the mm are freed. -+ */ -+ if (mn->ops->release) -+ mn->ops->release(mn, mm); -+ srcu_read_unlock(&srcu, id); -+ - spin_lock(&mm->mmu_notifier_mm->lock); - while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) { - mn = hlist_entry(mm->mmu_notifier_mm->list.first, - struct mmu_notifier, - hlist); -- - /* -- * Unlink. This will prevent mmu_notifier_unregister() -- * from also making the ->release() callout. -+ * We arrived before mmu_notifier_unregister so -+ * mmu_notifier_unregister will do nothing other than to wait -+ * for ->release to finish and for mmu_notifier_unregister to -+ * return. - */ - hlist_del_init_rcu(&mn->hlist); -- spin_unlock(&mm->mmu_notifier_mm->lock); -- -- /* -- * Clear sptes. (see 'release' description in mmu_notifier.h) -- */ -- if (mn->ops->release) -- mn->ops->release(mn, mm); -- -- spin_lock(&mm->mmu_notifier_mm->lock); - } - spin_unlock(&mm->mmu_notifier_mm->lock); - - /* -- * All callouts to ->release() which we have done are complete. 
-- * Allow synchronize_srcu() in mmu_notifier_unregister() to complete -- */ -- srcu_read_unlock(&srcu, id); -- -- /* -- * mmu_notifier_unregister() may have unlinked a notifier and may -- * still be calling out to it. Additionally, other notifiers -- * may have been active via vmtruncate() et. al. Block here -- * to ensure that all notifier callouts for this mm have been -- * completed and the sptes are really cleaned up before returning -- * to exit_mmap(). -+ * synchronize_srcu here prevents mmu_notifier_release from returning to -+ * exit_mmap (which would proceed with freeing all pages in the mm) -+ * until the ->release method returns, if it was invoked by -+ * mmu_notifier_unregister. -+ * -+ * The mmu_notifier_mm can't go away from under us because one mm_count -+ * is held by exit_mmap. - */ - synchronize_srcu(&srcu); - } -@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm) - { - BUG_ON(atomic_read(&mm->mm_count) <= 0); - -- spin_lock(&mm->mmu_notifier_mm->lock); - if (!hlist_unhashed(&mn->hlist)) { -+ /* -+ * SRCU here will force exit_mmap to wait for ->release to -+ * finish before freeing the pages. -+ */ - int id; - -- /* -- * Ensure we synchronize up with __mmu_notifier_release(). -- */ - id = srcu_read_lock(&srcu); -- -- hlist_del_rcu(&mn->hlist); -- spin_unlock(&mm->mmu_notifier_mm->lock); -- -- if (mn->ops->release) -- mn->ops->release(mn, mm); -- - /* -- * Allow __mmu_notifier_release() to complete. -+ * exit_mmap will block in mmu_notifier_release to guarantee -+ * that ->release is called before freeing the pages. - */ -+ if (mn->ops->release) -+ mn->ops->release(mn, mm); - srcu_read_unlock(&srcu, id); -- } else -+ -+ spin_lock(&mm->mmu_notifier_mm->lock); -+ /* -+ * Can not use list_del_rcu() since __mmu_notifier_release -+ * can delete it before we hold the lock. 
-+ */ -+ hlist_del_init_rcu(&mn->hlist); - spin_unlock(&mm->mmu_notifier_mm->lock); -+ } - - /* -- * Wait for any running method to finish, including ->release() if it -- * was run by __mmu_notifier_release() instead of us. -+ * Wait for any running method to finish, of course including -+ * ->release if it was run by mmu_notifier_relase instead of us. - */ - synchronize_srcu(&srcu); - diff --git a/mm/mprotect.c b/mm/mprotect.c index 94722a4..07d9926 100644 --- a/mm/mprotect.c @@ -88483,7 +88086,7 @@ index 5672533..6738c93 100644 /* number of interfaces with corresponding FIF_ flags */ int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll, diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c -index d51ca9d..042c35f 100644 +index 9cbebc2..14879bb 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -495,7 +495,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) @@ -90269,7 +89872,7 @@ index d5f35f1..da2680b5 100644 task->tk_action = call_reserve; } diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c -index f8529fc..ce8c643 100644 +index 5356b12..c0f4c29 100644 --- a/net/sunrpc/sched.c +++ b/net/sunrpc/sched.c @@ -261,9 +261,9 @@ static int rpc_wait_bit_killable(void *word) diff --git a/3.9.4/4425_grsec_remove_EI_PAX.patch b/3.9.5/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.9.4/4425_grsec_remove_EI_PAX.patch +++ b/3.9.5/4425_grsec_remove_EI_PAX.patch diff --git a/3.9.4/4430_grsec-remove-localversion-grsec.patch b/3.9.5/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.9.4/4430_grsec-remove-localversion-grsec.patch +++ b/3.9.5/4430_grsec-remove-localversion-grsec.patch diff --git a/3.9.4/4435_grsec-mute-warnings.patch b/3.9.5/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.9.4/4435_grsec-mute-warnings.patch +++ b/3.9.5/4435_grsec-mute-warnings.patch 
diff --git a/3.9.4/4440_grsec-remove-protected-paths.patch b/3.9.5/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.9.4/4440_grsec-remove-protected-paths.patch +++ b/3.9.5/4440_grsec-remove-protected-paths.patch diff --git a/3.9.4/4450_grsec-kconfig-default-gids.patch b/3.9.5/4450_grsec-kconfig-default-gids.patch index 190e85d..190e85d 100644 --- a/3.9.4/4450_grsec-kconfig-default-gids.patch +++ b/3.9.5/4450_grsec-kconfig-default-gids.patch diff --git a/3.9.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.9.5/4465_selinux-avc_audit-log-curr_ip.patch index b25a23f..b25a23f 100644 --- a/3.9.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.9.5/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.9.4/4470_disable-compat_vdso.patch b/3.9.5/4470_disable-compat_vdso.patch index 424d91f..424d91f 100644 --- a/3.9.4/4470_disable-compat_vdso.patch +++ b/3.9.5/4470_disable-compat_vdso.patch diff --git a/3.9.4/4475_emutramp_default_on.patch b/3.9.5/4475_emutramp_default_on.patch index 27bfc2d..27bfc2d 100644 --- a/3.9.4/4475_emutramp_default_on.patch +++ b/3.9.5/4475_emutramp_default_on.patch |