authorAnthony G. Basile <blueness@gentoo.org>2013-10-17 09:47:30 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-10-20 11:38:26 -0400
commit726eace4292f378d04635f804e58d2fa545c243d (patch)
treea5a11b4163066b0f6b3d59323d47bf96e169b1ba
parentGrsec/PaX: 2.9.1-3.11.3-201310012249 (diff)
Grsec/PaX: 2.9.1-{3.2.51,3.11.6}-20131019125920131019
-rw-r--r--3.11.6/0000_README (renamed from 3.11.3/0000_README)6
-rw-r--r--3.11.6/1005_linux-3.11.6.patch2260
-rw-r--r--3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch (renamed from 3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch)1386
-rw-r--r--3.11.6/4425_grsec_remove_EI_PAX.patch (renamed from 3.11.3/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.11.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.11.3/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.11.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.11.3/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.11.6/4435_grsec-mute-warnings.patch (renamed from 3.11.3/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.11.6/4440_grsec-remove-protected-paths.patch (renamed from 3.11.3/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.11.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.11.3/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.11.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.11.3/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.11.6/4470_disable-compat_vdso.patch (renamed from 3.11.3/4470_disable-compat_vdso.patch)0
-rw-r--r--3.11.6/4475_emutramp_default_on.patch (renamed from 3.11.3/4475_emutramp_default_on.patch)0
-rw-r--r--3.2.51/0000_README2
-rw-r--r--3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch (renamed from 3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch)392
14 files changed, 3595 insertions, 451 deletions
diff --git a/3.11.3/0000_README b/3.11.6/0000_README
index b7b1adc..db9995c 100644
--- a/3.11.3/0000_README
+++ b/3.11.6/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.11.3-201310012249.patch
+Patch: 1005_linux-3.11.6.patch
+From: http://www.kernel.org
+Desc: Linux 3.11.6
+
+Patch: 4420_grsecurity-2.9.1-3.11.6-201310191259.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.11.6/1005_linux-3.11.6.patch b/3.11.6/1005_linux-3.11.6.patch
new file mode 100644
index 0000000..ad3cb53
--- /dev/null
+++ b/3.11.6/1005_linux-3.11.6.patch
@@ -0,0 +1,2260 @@
+diff --git a/Makefile b/Makefile
+index 83121b7..e87ba83 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 11
+-SUBLEVEL = 5
++SUBLEVEL = 6
+ EXTRAVERSION =
+ NAME = Linux for Workgroups
+
+diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h
+index 442ce5d..43de302 100644
+--- a/arch/arc/include/asm/delay.h
++++ b/arch/arc/include/asm/delay.h
+@@ -53,11 +53,10 @@ static inline void __udelay(unsigned long usecs)
+ {
+ unsigned long loops;
+
+- /* (long long) cast ensures 64 bit MPY - real or emulated
++ /* (u64) cast ensures 64 bit MPY - real or emulated
+ * HZ * 4295 is pre-evaluated by gcc - hence only 2 mpy ops
+ */
+- loops = ((long long)(usecs * 4295 * HZ) *
+- (long long)(loops_per_jiffy)) >> 32;
++ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+
+ __delay(loops);
+ }
+diff --git a/arch/arc/include/asm/spinlock.h b/arch/arc/include/asm/spinlock.h
+index f158197..b6a8c2d 100644
+--- a/arch/arc/include/asm/spinlock.h
++++ b/arch/arc/include/asm/spinlock.h
+@@ -45,7 +45,14 @@ static inline int arch_spin_trylock(arch_spinlock_t *lock)
+
+ static inline void arch_spin_unlock(arch_spinlock_t *lock)
+ {
+- lock->slock = __ARCH_SPIN_LOCK_UNLOCKED__;
++ unsigned int tmp = __ARCH_SPIN_LOCK_UNLOCKED__;
++
++ __asm__ __volatile__(
++ " ex %0, [%1] \n"
++ : "+r" (tmp)
++ : "r"(&(lock->slock))
++ : "memory");
++
+ smp_mb();
+ }
+
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
+index 3242082..30c9baf 100644
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -43,7 +43,7 @@
+ * Because it essentially checks if buffer end is within limit and @len is
+ * non-ngeative, which implies that buffer start will be within limit too.
+ *
+- * The reason for rewriting being, for majorit yof cases, @len is generally
++ * The reason for rewriting being, for majority of cases, @len is generally
+ * compile time constant, causing first sub-expression to be compile time
+ * subsumed.
+ *
+@@ -53,7 +53,7 @@
+ *
+ */
+ #define __user_ok(addr, sz) (((sz) <= TASK_SIZE) && \
+- (((addr)+(sz)) <= get_fs()))
++ ((addr) <= (get_fs() - (sz))))
+ #define __access_ok(addr, sz) (unlikely(__kernel_ok) || \
+ likely(__user_ok((addr), (sz))))
+
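Review bot: The rewritten `__user_ok` depends on `get_fs() - (sz)` not wrapping, which holds only while `get_fs()` is never smaller than `TASK_SIZE`; the first sub-expression bounds `sz` by `TASK_SIZE`, but nothing visible here states that relationship. A one-line comment above the macro would record why the subtraction form is used, for example `/* compare against get_fs() - sz: (addr) + (sz) can wrap for a large user-supplied addr */`. The macro still expands `sz` twice, so callers need to keep passing side-effect-free arguments.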
+diff --git a/arch/arc/kernel/ptrace.c b/arch/arc/kernel/ptrace.c
+index 3332385..5d76706 100644
+--- a/arch/arc/kernel/ptrace.c
++++ b/arch/arc/kernel/ptrace.c
+@@ -102,7 +102,7 @@ static int genregs_set(struct task_struct *target,
+ REG_IGNORE_ONE(pad2);
+ REG_IN_CHUNK(callee, efa, cregs); /* callee_regs[r25..r13] */
+ REG_IGNORE_ONE(efa); /* efa update invalid */
+- REG_IN_ONE(stop_pc, &ptregs->ret); /* stop_pc: PC update */
++ REG_IGNORE_ONE(stop_pc); /* PC updated via @ret */
+
+ return ret;
+ }
+diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c
+index ee6ef2f..7e95e1a 100644
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -101,7 +101,6 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ {
+ struct rt_sigframe __user *sf;
+ unsigned int magic;
+- int err;
+ struct pt_regs *regs = current_pt_regs();
+
+ /* Always make any pending restarted system calls return -EINTR */
+@@ -119,15 +118,16 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
+ goto badframe;
+
+- err = restore_usr_regs(regs, sf);
+- err |= __get_user(magic, &sf->sigret_magic);
+- if (err)
++ if (__get_user(magic, &sf->sigret_magic))
+ goto badframe;
+
+ if (unlikely(is_do_ss_needed(magic)))
+ if (restore_altstack(&sf->uc.uc_stack))
+ goto badframe;
+
++ if (restore_usr_regs(regs, sf))
++ goto badframe;
++
+ /* Don't restart from sigreturn */
+ syscall_wont_restart(regs);
+
+@@ -191,6 +191,15 @@ setup_rt_frame(int signo, struct k_sigaction *ka, siginfo_t *info,
+ return 1;
+
+ /*
++ * w/o SA_SIGINFO, struct ucontext is partially populated (only
++ * uc_mcontext/uc_sigmask) for kernel's normal user state preservation
++ * during signal handler execution. This works for SA_SIGINFO as well
++ * although the semantics are now overloaded (the same reg state can be
++ * inspected by userland: but are they allowed to fiddle with it ?
++ */
++ err |= stash_usr_regs(sf, regs, set);
++
++ /*
+ * SA_SIGINFO requires 3 args to signal handler:
+ * #1: sig-no (common to any handler)
+ * #2: struct siginfo
+@@ -213,14 +222,6 @@ setup_rt_frame(int signo, struct k_sigaction *ka, siginfo_t *info,
+ magic = MAGIC_SIGALTSTK;
+ }
+
+- /*
+- * w/o SA_SIGINFO, struct ucontext is partially populated (only
+- * uc_mcontext/uc_sigmask) for kernel's normal user state preservation
+- * during signal handler execution. This works for SA_SIGINFO as well
+- * although the semantics are now overloaded (the same reg state can be
+- * inspected by userland: but are they allowed to fiddle with it ?
+- */
+- err |= stash_usr_regs(sf, regs, set);
+ err |= __put_user(magic, &sf->sigret_magic);
+ if (err)
+ return err;
+diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c
+index c0f832f..00ad070 100644
+--- a/arch/arc/kernel/unaligned.c
++++ b/arch/arc/kernel/unaligned.c
+@@ -233,6 +233,12 @@ int misaligned_fixup(unsigned long address, struct pt_regs *regs,
+ regs->status32 &= ~STATUS_DE_MASK;
+ } else {
+ regs->ret += state.instr_len;
++
++ /* handle zero-overhead-loop */
++ if ((regs->ret == regs->lp_end) && (regs->lp_count)) {
++ regs->ret = regs->lp_start;
++ regs->lp_count--;
++ }
+ }
+
+ return 0;
+diff --git a/arch/arm/include/asm/jump_label.h b/arch/arm/include/asm/jump_label.h
+index bfc198c..863c892 100644
+--- a/arch/arm/include/asm/jump_label.h
++++ b/arch/arm/include/asm/jump_label.h
+@@ -16,7 +16,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("1:\n\t"
++ asm_volatile_goto("1:\n\t"
+ JUMP_LABEL_NOP "\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
+ ".word 1b, %l[l_yes], %c0\n\t"
+diff --git a/arch/mips/include/asm/jump_label.h b/arch/mips/include/asm/jump_label.h
+index 4d6d77e..e194f95 100644
+--- a/arch/mips/include/asm/jump_label.h
++++ b/arch/mips/include/asm/jump_label.h
+@@ -22,7 +22,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("1:\tnop\n\t"
++ asm_volatile_goto("1:\tnop\n\t"
+ "nop\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
+ WORD_INSN " 1b, %l[l_yes], %0\n\t"
+diff --git a/arch/mips/kernel/octeon_switch.S b/arch/mips/kernel/octeon_switch.S
+index 4204d76..029e002 100644
+--- a/arch/mips/kernel/octeon_switch.S
++++ b/arch/mips/kernel/octeon_switch.S
+@@ -73,7 +73,7 @@
+ 3:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
+diff --git a/arch/mips/kernel/r2300_switch.S b/arch/mips/kernel/r2300_switch.S
+index 38af83f..20b7b04 100644
+--- a/arch/mips/kernel/r2300_switch.S
++++ b/arch/mips/kernel/r2300_switch.S
+@@ -67,7 +67,7 @@ LEAF(resume)
+ 1:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
+diff --git a/arch/mips/kernel/r4k_switch.S b/arch/mips/kernel/r4k_switch.S
+index 921238a..078de5e 100644
+--- a/arch/mips/kernel/r4k_switch.S
++++ b/arch/mips/kernel/r4k_switch.S
+@@ -69,7 +69,7 @@
+ 1:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
+diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
+index 04e47c6..b3f87a3 100644
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -805,14 +805,14 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
+ else {
+
+ /*
+- * The kernel should never fault on its own address space.
++ * The kernel should never fault on its own address space,
++ * unless pagefault_disable() was called before.
+ */
+
+- if (fault_space == 0)
++ if (fault_space == 0 && !in_atomic())
+ {
+ pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
+ parisc_terminate("Kernel Fault", regs, code, fault_address);
+-
+ }
+ }
+
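Review bot: `in_atomic()` is a wider condition than the comment's "unless pagefault_disable() was called before": it is true whenever the preempt count is non-zero, for example in interrupt context, so a kernel-space fault taken there also skips `parisc_terminate()` now. Whether such a fault is still caught depends on the code after this `else` block, which is outside the hunk; presumably it reaches the page-fault handler and its exception-table fixup. If that is the intent, the comment could say so, e.g. `* Faults in atomic context are left to the page-fault path, which must find a fixup or oops.`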
+diff --git a/arch/powerpc/include/asm/jump_label.h b/arch/powerpc/include/asm/jump_label.h
+index ae098c4..f016bb6 100644
+--- a/arch/powerpc/include/asm/jump_label.h
++++ b/arch/powerpc/include/asm/jump_label.h
+@@ -19,7 +19,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("1:\n\t"
++ asm_volatile_goto("1:\n\t"
+ "nop\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
+ JUMP_ENTRY_TYPE "1b, %l[l_yes], %c0\n\t"
+diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+index b02f91e..7bcd4d6 100644
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1054,7 +1054,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206)
+ BEGIN_FTR_SECTION
+ mfspr r8, SPRN_DSCR
+ ld r7, HSTATE_DSCR(r13)
+- std r8, VCPU_DSCR(r7)
++ std r8, VCPU_DSCR(r9)
+ mtspr SPRN_DSCR, r7
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206)
+
+diff --git a/arch/s390/include/asm/jump_label.h b/arch/s390/include/asm/jump_label.h
+index 6c32190..346b1c8 100644
+--- a/arch/s390/include/asm/jump_label.h
++++ b/arch/s390/include/asm/jump_label.h
+@@ -15,7 +15,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("0: brcl 0,0\n"
++ asm_volatile_goto("0: brcl 0,0\n"
+ ".pushsection __jump_table, \"aw\"\n"
+ ASM_ALIGN "\n"
+ ASM_PTR " 0b, %l[label], %0\n"
+diff --git a/arch/sparc/include/asm/jump_label.h b/arch/sparc/include/asm/jump_label.h
+index 5080d16..ec2e2e2 100644
+--- a/arch/sparc/include/asm/jump_label.h
++++ b/arch/sparc/include/asm/jump_label.h
+@@ -9,7 +9,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("1:\n\t"
++ asm_volatile_goto("1:\n\t"
+ "nop\n\t"
+ "nop\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
+index 47538a6..7290585 100644
+--- a/arch/x86/include/asm/cpufeature.h
++++ b/arch/x86/include/asm/cpufeature.h
+@@ -373,7 +373,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+ * Catch too early usage of this before alternatives
+ * have run.
+ */
+- asm goto("1: jmp %l[t_warn]\n"
++ asm_volatile_goto("1: jmp %l[t_warn]\n"
+ "2:\n"
+ ".section .altinstructions,\"a\"\n"
+ " .long 1b - .\n"
+@@ -386,7 +386,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+ : : "i" (X86_FEATURE_ALWAYS) : : t_warn);
+ #endif
+
+- asm goto("1: jmp %l[t_no]\n"
++ asm_volatile_goto("1: jmp %l[t_no]\n"
+ "2:\n"
+ ".section .altinstructions,\"a\"\n"
+ " .long 1b - .\n"
+@@ -448,7 +448,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
+ * have. Thus, we force the jump to the widest, 4-byte, signed relative
+ * offset even though the last would often fit in less bytes.
+ */
+- asm goto("1: .byte 0xe9\n .long %l[t_dynamic] - 2f\n"
++ asm_volatile_goto("1: .byte 0xe9\n .long %l[t_dynamic] - 2f\n"
+ "2:\n"
+ ".section .altinstructions,\"a\"\n"
+ " .long 1b - .\n" /* src offset */
+diff --git a/arch/x86/include/asm/e820.h b/arch/x86/include/asm/e820.h
+index cccd07f..779c2ef 100644
+--- a/arch/x86/include/asm/e820.h
++++ b/arch/x86/include/asm/e820.h
+@@ -29,7 +29,7 @@ extern void e820_setup_gap(void);
+ extern int e820_search_gap(unsigned long *gapstart, unsigned long *gapsize,
+ unsigned long start_addr, unsigned long long end_addr);
+ struct setup_data;
+-extern void parse_e820_ext(struct setup_data *data);
++extern void parse_e820_ext(u64 phys_addr, u32 data_len);
+
+ #if defined(CONFIG_X86_64) || \
+ (defined(CONFIG_X86_32) && defined(CONFIG_HIBERNATION))
+diff --git a/arch/x86/include/asm/jump_label.h b/arch/x86/include/asm/jump_label.h
+index 3a16c14..0297669 100644
+--- a/arch/x86/include/asm/jump_label.h
++++ b/arch/x86/include/asm/jump_label.h
+@@ -13,7 +13,7 @@
+
+ static __always_inline bool arch_static_branch(struct static_key *key)
+ {
+- asm goto("1:"
++ asm_volatile_goto("1:"
+ STATIC_KEY_INITIAL_NOP
+ ".pushsection __jump_table, \"aw\" \n\t"
+ _ASM_ALIGN "\n\t"
+diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
+index d32abea..174da5f 100644
+--- a/arch/x86/kernel/e820.c
++++ b/arch/x86/kernel/e820.c
+@@ -658,15 +658,18 @@ __init void e820_setup_gap(void)
+ * boot_params.e820_map, others are passed via SETUP_E820_EXT node of
+ * linked list of struct setup_data, which is parsed here.
+ */
+-void __init parse_e820_ext(struct setup_data *sdata)
++void __init parse_e820_ext(u64 phys_addr, u32 data_len)
+ {
+ int entries;
+ struct e820entry *extmap;
++ struct setup_data *sdata;
+
++ sdata = early_memremap(phys_addr, data_len);
+ entries = sdata->len / sizeof(struct e820entry);
+ extmap = (struct e820entry *)(sdata->data);
+ __append_e820_map(extmap, entries);
+ sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
++ early_iounmap(sdata, data_len);
+ printk(KERN_INFO "e820: extended physical RAM map:\n");
+ e820_print_map("extended");
+ }
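Review bot: The result of `early_memremap(phys_addr, data_len)` is dereferenced on the next line without a check, and `data_len` is derived from the boot-loader-supplied `setup_data` node. As far as I know `early_memremap()` can return NULL when a request does not fit its fixmap slots, so an oversized node would become a NULL dereference during early boot. A guard such as `if (!sdata) return;` directly after the mapping keeps a malformed node from being fatal. `entries` is also still computed from `sdata->len` rather than from the `data_len` that sized the mapping; deriving it from `data_len - sizeof(struct setup_data)` would keep the walk inside the mapped range by construction.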
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index f8ec578..234e1e3 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -426,25 +426,23 @@ static void __init reserve_initrd(void)
+ static void __init parse_setup_data(void)
+ {
+ struct setup_data *data;
+- u64 pa_data;
++ u64 pa_data, pa_next;
+
+ pa_data = boot_params.hdr.setup_data;
+ while (pa_data) {
+- u32 data_len, map_len;
++ u32 data_len, map_len, data_type;
+
+ map_len = max(PAGE_SIZE - (pa_data & ~PAGE_MASK),
+ (u64)sizeof(struct setup_data));
+ data = early_memremap(pa_data, map_len);
+ data_len = data->len + sizeof(struct setup_data);
+- if (data_len > map_len) {
+- early_iounmap(data, map_len);
+- data = early_memremap(pa_data, data_len);
+- map_len = data_len;
+- }
++ data_type = data->type;
++ pa_next = data->next;
++ early_iounmap(data, map_len);
+
+- switch (data->type) {
++ switch (data_type) {
+ case SETUP_E820_EXT:
+- parse_e820_ext(data);
++ parse_e820_ext(pa_data, data_len);
+ break;
+ case SETUP_DTB:
+ add_dtb(pa_data);
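Review bot: `data_len = data->len + sizeof(struct setup_data)` is stored in a `u32`, so a `len` close to the 32-bit maximum wraps to a small value, and that wrapped value is now what `parse_e820_ext(pa_data, data_len)` uses to size its own mapping. The callee reads `sdata->len` again to compute its entry count and could then index past the mapped bytes. Rejecting the node before the `switch` when the sum has wrapped, `if (data_len < sizeof(struct setup_data)) break;` placed after the `early_iounmap()`, closes this. The rest of the loop is in the next hunk.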
+@@ -452,8 +450,7 @@ static void __init parse_setup_data(void)
+ default:
+ break;
+ }
+- pa_data = data->next;
+- early_iounmap(data, map_len);
++ pa_data = pa_next;
+ }
+ }
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 0d91fe5..92e6c67 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1462,12 +1462,11 @@ struct ctl_table random_table[] = {
+
+ static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
+
+-static int __init random_int_secret_init(void)
++int random_int_secret_init(void)
+ {
+ get_random_bytes(random_int_secret, sizeof(random_int_secret));
+ return 0;
+ }
+-late_initcall(random_int_secret_init);
+
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
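Review bot: `random_int_secret_init()` loses `__init` along with `static`, although the only caller visible in this patch is `do_basic_setup()` in init/main.c, which is itself `__init`; keeping the annotation, `int __init random_int_secret_init(void)`, would let the text be discarded after boot. The reason for replacing the `late_initcall` with an explicit call is not recorded in the code. Presumably the secret should be drawn only after every initcall has had a chance to feed the pool, and a comment such as `/* called from do_basic_setup() after do_initcalls(); do not turn back into an initcall */` would stop a later cleanup from undoing the ordering.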
+diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
+index 342f1f3..c42d31c 100644
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -3791,6 +3791,9 @@
+ #define GEN7_SQ_CHICKEN_MBCUNIT_CONFIG 0x9030
+ #define GEN7_SQ_CHICKEN_MBCUNIT_SQINTMOB (1<<11)
+
++#define HSW_SCRATCH1 0xb038
++#define HSW_SCRATCH1_L3_DATA_ATOMICS_DISABLE (1<<27)
++
+ #define HSW_FUSE_STRAP 0x42014
+ #define HSW_CDCLK_LIMIT (1 << 24)
+
+@@ -4624,6 +4627,9 @@
+ #define GEN7_ROW_CHICKEN2_GT2 0xf4f4
+ #define DOP_CLOCK_GATING_DISABLE (1<<0)
+
++#define HSW_ROW_CHICKEN3 0xe49c
++#define HSW_ROW_CHICKEN3_L3_GLOBAL_ATOMICS_DISABLE (1 << 6)
++
+ #define G4X_AUD_VID_DID (dev_priv->info->display_mmio_offset + 0x62020)
+ #define INTEL_AUDIO_DEVCL 0x808629FB
+ #define INTEL_AUDIO_DEVBLC 0x80862801
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index 7fc8a76..90a7c17 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -3890,8 +3890,6 @@ static void intel_connector_check_state(struct intel_connector *connector)
+ * consider. */
+ void intel_connector_dpms(struct drm_connector *connector, int mode)
+ {
+- struct intel_encoder *encoder = intel_attached_encoder(connector);
+-
+ /* All the simple cases only support two dpms states. */
+ if (mode != DRM_MODE_DPMS_ON)
+ mode = DRM_MODE_DPMS_OFF;
+@@ -3902,10 +3900,8 @@ void intel_connector_dpms(struct drm_connector *connector, int mode)
+ connector->dpms = mode;
+
+ /* Only need to change hw state when actually enabled */
+- if (encoder->base.crtc)
+- intel_encoder_dpms(encoder, mode);
+- else
+- WARN_ON(encoder->connectors_active != false);
++ if (connector->encoder)
++ intel_encoder_dpms(to_intel_encoder(connector->encoder), mode);
+
+ intel_modeset_check_state(connector->dev);
+ }
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index b0e4a0b..cad0482 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -3603,8 +3603,6 @@ static void valleyview_enable_rps(struct drm_device *dev)
+ dev_priv->rps.rpe_delay),
+ dev_priv->rps.rpe_delay);
+
+- INIT_DELAYED_WORK(&dev_priv->rps.vlv_work, vlv_rps_timer_work);
+-
+ valleyview_set_rps(dev_priv->dev, dev_priv->rps.rpe_delay);
+
+ /* requires MSI enabled */
+@@ -4699,6 +4697,11 @@ static void haswell_init_clock_gating(struct drm_device *dev)
+ I915_WRITE(GEN7_L3_CHICKEN_MODE_REGISTER,
+ GEN7_WA_L3_CHICKEN_MODE);
+
++ /* L3 caching of data atomics doesn't work -- disable it. */
++ I915_WRITE(HSW_SCRATCH1, HSW_SCRATCH1_L3_DATA_ATOMICS_DISABLE);
++ I915_WRITE(HSW_ROW_CHICKEN3,
++ _MASKED_BIT_ENABLE(HSW_ROW_CHICKEN3_L3_GLOBAL_ATOMICS_DISABLE));
++
+ /* This is required by WaCatErrorRejectionIssue:hsw */
+ I915_WRITE(GEN7_SQ_CHICKEN_MBCUNIT_CONFIG,
+ I915_READ(GEN7_SQ_CHICKEN_MBCUNIT_CONFIG) |
+@@ -5562,6 +5565,8 @@ void intel_pm_init(struct drm_device *dev)
+
+ INIT_DELAYED_WORK(&dev_priv->rps.delayed_resume_work,
+ intel_gen6_powersave_work);
++
++ INIT_DELAYED_WORK(&dev_priv->rps.vlv_work, vlv_rps_timer_work);
+ }
+
+ int sandybridge_pcode_read(struct drm_i915_private *dev_priv, u8 mbox, u32 *val)
+diff --git a/drivers/gpu/drm/radeon/btc_dpm.c b/drivers/gpu/drm/radeon/btc_dpm.c
+index 084e694..639b9aa 100644
+--- a/drivers/gpu/drm/radeon/btc_dpm.c
++++ b/drivers/gpu/drm/radeon/btc_dpm.c
+@@ -1913,7 +1913,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev,
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+
+ tmp = RREG32(MC_PMG_CMD_MRS);
+@@ -1928,7 +1928,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev,
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ break;
+ case MC_SEQ_RESERVE_M >> 2:
+@@ -1942,7 +1942,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev,
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ break;
+ default:
+diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+index 94dab1e..8307883 100644
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -3126,7 +3126,7 @@ static void evergreen_gpu_init(struct radeon_device *rdev)
+ rdev->config.evergreen.sx_max_export_size = 256;
+ rdev->config.evergreen.sx_max_export_pos_size = 64;
+ rdev->config.evergreen.sx_max_export_smx_size = 192;
+- rdev->config.evergreen.max_hw_contexts = 8;
++ rdev->config.evergreen.max_hw_contexts = 4;
+ rdev->config.evergreen.sq_num_cf_insts = 2;
+
+ rdev->config.evergreen.sc_prim_fifo_size = 0x40;
+diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
+index 20fd17c..6be00c9 100644
+--- a/drivers/gpu/drm/radeon/evergreend.h
++++ b/drivers/gpu/drm/radeon/evergreend.h
+@@ -1494,7 +1494,7 @@
+ * 6. COMMAND [29:22] | BYTE_COUNT [20:0]
+ */
+ # define PACKET3_CP_DMA_DST_SEL(x) ((x) << 20)
+- /* 0 - SRC_ADDR
++ /* 0 - DST_ADDR
+ * 1 - GDS
+ */
+ # define PACKET3_CP_DMA_ENGINE(x) ((x) << 27)
+@@ -1509,7 +1509,7 @@
+ # define PACKET3_CP_DMA_CP_SYNC (1 << 31)
+ /* COMMAND */
+ # define PACKET3_CP_DMA_DIS_WC (1 << 21)
+-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23)
++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22)
+ /* 0 - none
+ * 1 - 8 in 16
+ * 2 - 8 in 32
+diff --git a/drivers/gpu/drm/radeon/r600d.h b/drivers/gpu/drm/radeon/r600d.h
+index 7c78083..d079cb1 100644
+--- a/drivers/gpu/drm/radeon/r600d.h
++++ b/drivers/gpu/drm/radeon/r600d.h
+@@ -1487,7 +1487,7 @@
+ */
+ # define PACKET3_CP_DMA_CP_SYNC (1 << 31)
+ /* COMMAND */
+-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23)
++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22)
+ /* 0 - none
+ * 1 - 8 in 16
+ * 2 - 8 in 32
+diff --git a/drivers/gpu/drm/radeon/radeon_test.c b/drivers/gpu/drm/radeon/radeon_test.c
+index f4d6bce..12e8099 100644
+--- a/drivers/gpu/drm/radeon/radeon_test.c
++++ b/drivers/gpu/drm/radeon/radeon_test.c
+@@ -36,8 +36,8 @@ static void radeon_do_test_moves(struct radeon_device *rdev, int flag)
+ struct radeon_bo *vram_obj = NULL;
+ struct radeon_bo **gtt_obj = NULL;
+ uint64_t gtt_addr, vram_addr;
+- unsigned i, n, size;
+- int r, ring;
++ unsigned n, size;
++ int i, r, ring;
+
+ switch (flag) {
+ case RADEON_TEST_COPY_DMA:
+diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
+index 1cfba39..1c23b61 100644
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -5174,7 +5174,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev,
+ table->mc_reg_table_entry[k].mc_data[j] |= 0x100;
+ }
+ j++;
+- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+
+ if (!pi->mem_gddr5) {
+@@ -5184,7 +5184,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev,
+ table->mc_reg_table_entry[k].mc_data[j] =
+ (table->mc_reg_table_entry[k].mc_data[i] & 0xffff0000) >> 16;
+ j++;
+- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ }
+ break;
+@@ -5197,7 +5197,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev,
+ (temp_reg & 0xffff0000) |
+ (table->mc_reg_table_entry[k].mc_data[i] & 0x0000ffff);
+ j++;
+- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ break;
+ default:
+diff --git a/drivers/gpu/drm/radeon/sid.h b/drivers/gpu/drm/radeon/sid.h
+index 2010d6b..a75d25a 100644
+--- a/drivers/gpu/drm/radeon/sid.h
++++ b/drivers/gpu/drm/radeon/sid.h
+@@ -1490,7 +1490,7 @@
+ * 6. COMMAND [30:21] | BYTE_COUNT [20:0]
+ */
+ # define PACKET3_CP_DMA_DST_SEL(x) ((x) << 20)
+- /* 0 - SRC_ADDR
++ /* 0 - DST_ADDR
+ * 1 - GDS
+ */
+ # define PACKET3_CP_DMA_ENGINE(x) ((x) << 27)
+@@ -1505,7 +1505,7 @@
+ # define PACKET3_CP_DMA_CP_SYNC (1 << 31)
+ /* COMMAND */
+ # define PACKET3_CP_DMA_DIS_WC (1 << 21)
+-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23)
++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22)
+ /* 0 - none
+ * 1 - 8 in 16
+ * 2 - 8 in 32
+diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
+index 98814d1..3288f13 100644
+--- a/drivers/hwmon/applesmc.c
++++ b/drivers/hwmon/applesmc.c
+@@ -230,6 +230,7 @@ static int send_argument(const char *key)
+
+ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
+ {
++ u8 status, data = 0;
+ int i;
+
+ if (send_command(cmd) || send_argument(key)) {
+@@ -237,6 +238,7 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
+ return -EIO;
+ }
+
++ /* This has no effect on newer (2012) SMCs */
+ if (send_byte(len, APPLESMC_DATA_PORT)) {
+ pr_warn("%.4s: read len fail\n", key);
+ return -EIO;
+@@ -250,6 +252,17 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
+ buffer[i] = inb(APPLESMC_DATA_PORT);
+ }
+
++ /* Read the data port until bit0 is cleared */
++ for (i = 0; i < 16; i++) {
++ udelay(APPLESMC_MIN_WAIT);
++ status = inb(APPLESMC_CMD_PORT);
++ if (!(status & 0x01))
++ break;
++ data = inb(APPLESMC_DATA_PORT);
++ }
++ if (i)
++ pr_warn("flushed %d bytes, last value is: %d\n", i, data);
++
+ return 0;
+ }
+
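Review bot: When the flush loop runs all 16 iterations without bit 0 of the status clearing, `read_smc()` still returns 0, so a controller that stays busy is reported to the caller as a successful read. If that should count as a failure, `if (i == 16) return -EIO;` after the loop would make it visible. The new `pr_warn` also drops the key prefix the other messages in this function use; `pr_warn("%.4s: flushed %d bytes, last value is: %d\n", key, i, data);` keeps the log line attributable. The comment says the data port is polled, while the bit tested is read from `APPLESMC_CMD_PORT`. The function begins outside this hunk.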
+diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c
+index 142b694d..e6b8dcd 100644
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -944,6 +944,9 @@ omap_i2c_isr_thread(int this_irq, void *dev_id)
+ /*
+ * ProDB0017052: Clear ARDY bit twice
+ */
++ if (stat & OMAP_I2C_STAT_ARDY)
++ omap_i2c_ack_stat(dev, OMAP_I2C_STAT_ARDY);
++
+ if (stat & (OMAP_I2C_STAT_ARDY | OMAP_I2C_STAT_NACK |
+ OMAP_I2C_STAT_AL)) {
+ omap_i2c_ack_stat(dev, (OMAP_I2C_STAT_RRDY |
+diff --git a/drivers/watchdog/kempld_wdt.c b/drivers/watchdog/kempld_wdt.c
+index 491419e..5c3d4df 100644
+--- a/drivers/watchdog/kempld_wdt.c
++++ b/drivers/watchdog/kempld_wdt.c
+@@ -35,7 +35,7 @@
+ #define KEMPLD_WDT_STAGE_TIMEOUT(x) (0x1b + (x) * 4)
+ #define KEMPLD_WDT_STAGE_CFG(x) (0x18 + (x))
+ #define STAGE_CFG_GET_PRESCALER(x) (((x) & 0x30) >> 4)
+-#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x30) << 4)
++#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x3) << 4)
+ #define STAGE_CFG_PRESCALER_MASK 0x30
+ #define STAGE_CFG_ACTION_MASK 0x7
+ #define STAGE_CFG_ASSERT (1 << 3)
+diff --git a/drivers/watchdog/ts72xx_wdt.c b/drivers/watchdog/ts72xx_wdt.c
+index 4da59b4..381999c 100644
+--- a/drivers/watchdog/ts72xx_wdt.c
++++ b/drivers/watchdog/ts72xx_wdt.c
+@@ -310,7 +310,8 @@ static long ts72xx_wdt_ioctl(struct file *file, unsigned int cmd,
+
+ case WDIOC_GETSTATUS:
+ case WDIOC_GETBOOTSTATUS:
+- return put_user(0, p);
++ error = put_user(0, p);
++ break;
+
+ case WDIOC_KEEPALIVE:
+ ts72xx_wdt_kick(wdt);
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index d3280b2..8220491 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -8036,7 +8036,7 @@ static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+
+
+ /* check for collisions, even if the name isn't there */
+- ret = btrfs_check_dir_item_collision(root, new_dir->i_ino,
++ ret = btrfs_check_dir_item_collision(dest, new_dir->i_ino,
+ new_dentry->d_name.name,
+ new_dentry->d_name.len);
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index c081e34..03e9beb 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1350,6 +1350,8 @@ retry:
+ s_min_extra_isize) {
+ tried_min_extra_isize++;
+ new_extra_isize = s_min_extra_isize;
++ kfree(is); is = NULL;
++ kfree(bs); bs = NULL;
+ goto retry;
+ }
+ error = -1;
+diff --git a/fs/statfs.c b/fs/statfs.c
+index c219e733..083dc0a 100644
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -94,7 +94,7 @@ retry:
+
+ int fd_statfs(int fd, struct kstatfs *st)
+ {
+- struct fd f = fdget(fd);
++ struct fd f = fdget_raw(fd);
+ int error = -EBADF;
+ if (f.file) {
+ error = vfs_statfs(&f.file->f_path, st);
+diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
+index 842de22..ded4299 100644
+--- a/include/linux/compiler-gcc4.h
++++ b/include/linux/compiler-gcc4.h
+@@ -65,6 +65,21 @@
+ #define __visible __attribute__((externally_visible))
+ #endif
+
++/*
++ * GCC 'asm goto' miscompiles certain code sequences:
++ *
++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
++ *
++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
++ * Fixed in GCC 4.8.2 and later versions.
++ *
++ * (asm goto is automatically volatile - the naming reflects this.)
++ */
++#if GCC_VERSION <= 40801
++# define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
++#else
++# define asm_volatile_goto(x...) do { asm goto(x); } while (0)
++#endif
+
+ #ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
+ #if GCC_VERSION >= 40400
+diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
+index c4d870b..19c19a5 100644
+--- a/include/linux/ipc_namespace.h
++++ b/include/linux/ipc_namespace.h
+@@ -22,7 +22,7 @@ struct ipc_ids {
+ int in_use;
+ unsigned short seq;
+ unsigned short seq_max;
+- struct rw_semaphore rw_mutex;
++ struct rw_semaphore rwsem;
+ struct idr ipcs_idr;
+ int next_id;
+ };
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 3b9377d..6312dd9 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -17,6 +17,7 @@ extern void add_interrupt_randomness(int irq, int irq_flags);
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
++extern int random_int_secret_init(void);
+
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+diff --git a/init/main.c b/init/main.c
+index d03d2ec..586cd33 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -75,6 +75,7 @@
+ #include <linux/blkdev.h>
+ #include <linux/elevator.h>
+ #include <linux/sched_clock.h>
++#include <linux/random.h>
+
+ #include <asm/io.h>
+ #include <asm/bugs.h>
+@@ -778,6 +779,7 @@ static void __init do_basic_setup(void)
+ do_ctors();
+ usermodehelper_enable();
+ do_initcalls();
++ random_int_secret_init();
+ }
+
+ static void __init do_pre_smp_initcalls(void)
+diff --git a/ipc/msg.c b/ipc/msg.c
+index a877c16..558aa91 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -70,8 +70,6 @@ struct msg_sender {
+
+ #define msg_ids(ns) ((ns)->ids[IPC_MSG_IDS])
+
+-#define msg_unlock(msq) ipc_unlock(&(msq)->q_perm)
+-
+ static void freeque(struct ipc_namespace *, struct kern_ipc_perm *);
+ static int newque(struct ipc_namespace *, struct ipc_params *);
+ #ifdef CONFIG_PROC_FS
+@@ -181,7 +179,7 @@ static void msg_rcu_free(struct rcu_head *head)
+ * @ns: namespace
+ * @params: ptr to the structure that contains the key and msgflg
+ *
+- * Called with msg_ids.rw_mutex held (writer)
++ * Called with msg_ids.rwsem held (writer)
+ */
+ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ {
+@@ -267,8 +265,8 @@ static void expunge_all(struct msg_queue *msq, int res)
+ * removes the message queue from message queue ID IDR, and cleans up all the
+ * messages associated with this queue.
+ *
+- * msg_ids.rw_mutex (writer) and the spinlock for this message queue are held
+- * before freeque() is called. msg_ids.rw_mutex remains locked on exit.
++ * msg_ids.rwsem (writer) and the spinlock for this message queue are held
++ * before freeque() is called. msg_ids.rwsem remains locked on exit.
+ */
+ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ {
+@@ -278,7 +276,8 @@ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ expunge_all(msq, -EIDRM);
+ ss_wakeup(&msq->q_senders, 1);
+ msg_rmid(ns, msq);
+- msg_unlock(msq);
++ ipc_unlock_object(&msq->q_perm);
++ rcu_read_unlock();
+
+ list_for_each_entry_safe(msg, t, &msq->q_messages, m_list) {
+ atomic_dec(&ns->msg_hdrs);
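Review bot: freeque() now ends its critical section with `ipc_unlock_object(&msq->q_perm);` followed by `rcu_read_unlock();`, so it releases an RCU read-side section it did not enter, yet the header comment updated in the preceding hunk still lists only msg_ids.rwsem and the queue spinlock as held on entry. I would add one line to that comment: `* The caller also holds the RCU read lock; freeque() drops it together with the queue spinlock.` A caller that takes only the spinlock would otherwise unbalance RCU nesting. The function body starts before and continues after this hunk.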
+@@ -289,7 +288,7 @@ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ }
+
+ /*
+- * Called with msg_ids.rw_mutex and ipcp locked.
++ * Called with msg_ids.rwsem and ipcp locked.
+ */
+ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
+ {
+@@ -393,9 +392,9 @@ copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
+ }
+
+ /*
+- * This function handles some msgctl commands which require the rw_mutex
++ * This function handles some msgctl commands which require the rwsem
+ * to be held in write mode.
+- * NOTE: no locks must be held, the rw_mutex is taken inside this function.
++ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ struct msqid_ds __user *buf, int version)
+@@ -410,7 +409,7 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ return -EFAULT;
+ }
+
+- down_write(&msg_ids(ns).rw_mutex);
++ down_write(&msg_ids(ns).rwsem);
+ rcu_read_lock();
+
+ ipcp = ipcctl_pre_down_nolock(ns, &msg_ids(ns), msqid, cmd,
+@@ -466,7 +465,7 @@ out_unlock0:
+ out_unlock1:
+ rcu_read_unlock();
+ out_up:
+- up_write(&msg_ids(ns).rw_mutex);
++ up_write(&msg_ids(ns).rwsem);
+ return err;
+ }
+
+@@ -501,7 +500,7 @@ static int msgctl_nolock(struct ipc_namespace *ns, int msqid,
+ msginfo.msgmnb = ns->msg_ctlmnb;
+ msginfo.msgssz = MSGSSZ;
+ msginfo.msgseg = MSGSEG;
+- down_read(&msg_ids(ns).rw_mutex);
++ down_read(&msg_ids(ns).rwsem);
+ if (cmd == MSG_INFO) {
+ msginfo.msgpool = msg_ids(ns).in_use;
+ msginfo.msgmap = atomic_read(&ns->msg_hdrs);
+@@ -512,7 +511,7 @@ static int msgctl_nolock(struct ipc_namespace *ns, int msqid,
+ msginfo.msgtql = MSGTQL;
+ }
+ max_id = ipc_get_maxid(&msg_ids(ns));
+- up_read(&msg_ids(ns).rw_mutex);
++ up_read(&msg_ids(ns).rwsem);
+ if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
+ return -EFAULT;
+ return (max_id < 0) ? 0 : max_id;
+diff --git a/ipc/namespace.c b/ipc/namespace.c
+index 7ee61bf..aba9a58 100644
+--- a/ipc/namespace.c
++++ b/ipc/namespace.c
+@@ -81,7 +81,7 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids,
+ int next_id;
+ int total, in_use;
+
+- down_write(&ids->rw_mutex);
++ down_write(&ids->rwsem);
+
+ in_use = ids->in_use;
+
+@@ -89,11 +89,12 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids,
+ perm = idr_find(&ids->ipcs_idr, next_id);
+ if (perm == NULL)
+ continue;
+- ipc_lock_by_ptr(perm);
++ rcu_read_lock();
++ ipc_lock_object(perm);
+ free(ns, perm);
+ total++;
+ }
+- up_write(&ids->rw_mutex);
++ up_write(&ids->rwsem);
+ }
+
+ static void free_ipc_ns(struct ipc_namespace *ns)
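Review bot: In free_ipcs() the loop now calls `rcu_read_lock();` and `ipc_lock_object(perm);` and never releases either, so the function is correct only if every `free` callback drops both. The freeque() hunk in ipc/msg.c and the do_shm_rmid comment in ipc/shm.c show that contract for two of the callbacks, but it is not written down here; a comment above the call, `/* free() drops the object lock and the RCU read lock */`, would state it. The same replacement of ipc_lock_by_ptr() appears in the ipc_findkey() and sysvipc_find_ipc() hunks of ipc/util.c, where the object is returned with the RCU read lock still held and the "Returns the LOCKED pointer" description should say so.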
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 87614511..8e2bf30 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -248,12 +248,20 @@ static void merge_queues(struct sem_array *sma)
+ * Caller must own sem_perm.lock.
+ * New simple ops cannot start, because simple ops first check
+ * that sem_perm.lock is free.
++ * that a) sem_perm.lock is free and b) complex_count is 0.
+ */
+ static void sem_wait_array(struct sem_array *sma)
+ {
+ int i;
+ struct sem *sem;
+
++ if (sma->complex_count) {
++ /* The thread that increased sma->complex_count waited on
++ * all sem->lock locks. Thus we don't need to wait again.
++ */
++ return;
++ }
++
+ for (i = 0; i < sma->sem_nsems; i++) {
+ sem = sma->sem_base + i;
+ spin_unlock_wait(&sem->lock);
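Review bot: The comment above sem_wait_array() is left garbled: the new line `* that a) sem_perm.lock is free and b) complex_count is 0.` is added after the old `* that sem_perm.lock is free.` instead of replacing it, so the sentence now has two endings. The old line should be deleted. It may also help to have the comment on the early return say that reading `sma->complex_count` relies on the caller owning sem_perm.lock, as the header states. The loop continues past the end of this hunk.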
+@@ -365,7 +373,7 @@ static inline void sem_unlock(struct sem_array *sma, int locknum)
+ }
+
+ /*
+- * sem_lock_(check_) routines are called in the paths where the rw_mutex
++ * sem_lock_(check_) routines are called in the paths where the rwsem
+ * is not held.
+ *
+ * The caller holds the RCU read lock.
+@@ -464,7 +472,7 @@ static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
+ * @ns: namespace
+ * @params: ptr to the structure that contains key, semflg and nsems
+ *
+- * Called with sem_ids.rw_mutex held (as a writer)
++ * Called with sem_ids.rwsem held (as a writer)
+ */
+
+ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+@@ -529,7 +537,7 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+
+
+ /*
+- * Called with sem_ids.rw_mutex and ipcp locked.
++ * Called with sem_ids.rwsem and ipcp locked.
+ */
+ static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg)
+ {
+@@ -540,7 +548,7 @@ static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg)
+ }
+
+ /*
+- * Called with sem_ids.rw_mutex and ipcp locked.
++ * Called with sem_ids.rwsem and ipcp locked.
+ */
+ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
+ struct ipc_params *params)
+@@ -910,6 +918,24 @@ again:
+ }
+
+ /**
++ * set_semotime(sma, sops) - set sem_otime
++ * @sma: semaphore array
++ * @sops: operations that modified the array, may be NULL
++ *
++ * sem_otime is replicated to avoid cache line trashing.
++ * This function sets one instance to the current time.
++ */
++static void set_semotime(struct sem_array *sma, struct sembuf *sops)
++{
++ if (sops == NULL) {
++ sma->sem_base[0].sem_otime = get_seconds();
++ } else {
++ sma->sem_base[sops[0].sem_num].sem_otime =
++ get_seconds();
++ }
++}
++
++/**
+ * do_smart_update(sma, sops, nsops, otime, pt) - optimized update_queue
+ * @sma: semaphore array
+ * @sops: operations that were performed
+@@ -959,17 +985,10 @@ static void do_smart_update(struct sem_array *sma, struct sembuf *sops, int nsop
+ }
+ }
+ }
+- if (otime) {
+- if (sops == NULL) {
+- sma->sem_base[0].sem_otime = get_seconds();
+- } else {
+- sma->sem_base[sops[0].sem_num].sem_otime =
+- get_seconds();
+- }
+- }
++ if (otime)
++ set_semotime(sma, sops);
+ }
+
+-
+ /* The following counts are associated to each semaphore:
+ * semncnt number of tasks waiting on semval being nonzero
+ * semzcnt number of tasks waiting on semval being zero
+@@ -1031,8 +1050,8 @@ static int count_semzcnt (struct sem_array * sma, ushort semnum)
+ return semzcnt;
+ }
+
+-/* Free a semaphore set. freeary() is called with sem_ids.rw_mutex locked
+- * as a writer and the spinlock for this semaphore set hold. sem_ids.rw_mutex
++/* Free a semaphore set. freeary() is called with sem_ids.rwsem locked
++ * as a writer and the spinlock for this semaphore set hold. sem_ids.rwsem
+ * remains locked on exit.
+ */
+ static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+@@ -1152,7 +1171,7 @@ static int semctl_nolock(struct ipc_namespace *ns, int semid,
+ seminfo.semmnu = SEMMNU;
+ seminfo.semmap = SEMMAP;
+ seminfo.semume = SEMUME;
+- down_read(&sem_ids(ns).rw_mutex);
++ down_read(&sem_ids(ns).rwsem);
+ if (cmd == SEM_INFO) {
+ seminfo.semusz = sem_ids(ns).in_use;
+ seminfo.semaem = ns->used_sems;
+@@ -1161,7 +1180,7 @@ static int semctl_nolock(struct ipc_namespace *ns, int semid,
+ seminfo.semaem = SEMAEM;
+ }
+ max_id = ipc_get_maxid(&sem_ids(ns));
+- up_read(&sem_ids(ns).rw_mutex);
++ up_read(&sem_ids(ns).rwsem);
+ if (copy_to_user(p, &seminfo, sizeof(struct seminfo)))
+ return -EFAULT;
+ return (max_id < 0) ? 0: max_id;
+@@ -1467,9 +1486,9 @@ copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version)
+ }
+
+ /*
+- * This function handles some semctl commands which require the rw_mutex
++ * This function handles some semctl commands which require the rwsem
+ * to be held in write mode.
+- * NOTE: no locks must be held, the rw_mutex is taken inside this function.
++ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int semctl_down(struct ipc_namespace *ns, int semid,
+ int cmd, int version, void __user *p)
+@@ -1484,7 +1503,7 @@ static int semctl_down(struct ipc_namespace *ns, int semid,
+ return -EFAULT;
+ }
+
+- down_write(&sem_ids(ns).rw_mutex);
++ down_write(&sem_ids(ns).rwsem);
+ rcu_read_lock();
+
+ ipcp = ipcctl_pre_down_nolock(ns, &sem_ids(ns), semid, cmd,
+@@ -1523,7 +1542,7 @@ out_unlock0:
+ out_unlock1:
+ rcu_read_unlock();
+ out_up:
+- up_write(&sem_ids(ns).rw_mutex);
++ up_write(&sem_ids(ns).rwsem);
+ return err;
+ }
+
+@@ -1831,12 +1850,17 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
+
+ error = perform_atomic_semop(sma, sops, nsops, un,
+ task_tgid_vnr(current));
+- if (error <= 0) {
+- if (alter && error == 0)
++ if (error == 0) {
++ /* If the operation was successful, then do
++ * the required updates.
++ */
++ if (alter)
+ do_smart_update(sma, sops, nsops, 1, &tasks);
+-
+- goto out_unlock_free;
++ else
++ set_semotime(sma, sops);
+ }
++ if (error <= 0)
++ goto out_unlock_free;
+
+ /* We need to sleep on this operation, so we put the current
+ * task into the pending queue and go to sleep.
+@@ -2095,6 +2119,14 @@ static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
+ struct sem_array *sma = it;
+ time_t sem_otime;
+
++ /*
++ * The proc interface isn't aware of sem_lock(), it calls
++ * ipc_lock_object() directly (in sysvipc_find_ipc).
++ * In order to stay compatible with sem_lock(), we must wait until
++ * all simple semop() calls have left their critical regions.
++ */
++ sem_wait_array(sma);
++
+ sem_otime = get_semotime(sma);
+
+ return seq_printf(s,
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 2d6833d..d697396 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -19,6 +19,9 @@
+ * namespaces support
+ * OpenVZ, SWsoft Inc.
+ * Pavel Emelianov <xemul@openvz.org>
++ *
++ * Better ipc lock (kern_ipc_perm.lock) handling
++ * Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013.
+ */
+
+ #include <linux/slab.h>
+@@ -80,8 +83,8 @@ void shm_init_ns(struct ipc_namespace *ns)
+ }
+
+ /*
+- * Called with shm_ids.rw_mutex (writer) and the shp structure locked.
+- * Only shm_ids.rw_mutex remains locked on exit.
++ * Called with shm_ids.rwsem (writer) and the shp structure locked.
++ * Only shm_ids.rwsem remains locked on exit.
+ */
+ static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ {
+@@ -124,8 +127,28 @@ void __init shm_init (void)
+ IPC_SHM_IDS, sysvipc_shm_proc_show);
+ }
+
++static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id)
++{
++ struct kern_ipc_perm *ipcp = ipc_obtain_object(&shm_ids(ns), id);
++
++ if (IS_ERR(ipcp))
++ return ERR_CAST(ipcp);
++
++ return container_of(ipcp, struct shmid_kernel, shm_perm);
++}
++
++static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id)
++{
++ struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id);
++
++ if (IS_ERR(ipcp))
++ return ERR_CAST(ipcp);
++
++ return container_of(ipcp, struct shmid_kernel, shm_perm);
++}
++
+ /*
+- * shm_lock_(check_) routines are called in the paths where the rw_mutex
++ * shm_lock_(check_) routines are called in the paths where the rwsem
+ * is not necessarily held.
+ */
+ static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
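Review bot: shm_obtain_object() and shm_obtain_object_check() are added without any comment, although unlike shm_lock() they return the segment without its spinlock and, judging by the callers later in this patch, are valid only inside an `rcu_read_lock()` section. A short comment would make that explicit, for example `/* Caller must hold rcu_read_lock(); the object is returned unlocked. */`. The context comment below still speaks of "shm_lock_(check_) routines" even though this patch removes shm_lock_check(), so it should be reworded to name shm_lock() only.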
+@@ -144,17 +167,6 @@ static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp)
+ ipc_lock_object(&ipcp->shm_perm);
+ }
+
+-static inline struct shmid_kernel *shm_lock_check(struct ipc_namespace *ns,
+- int id)
+-{
+- struct kern_ipc_perm *ipcp = ipc_lock_check(&shm_ids(ns), id);
+-
+- if (IS_ERR(ipcp))
+- return (struct shmid_kernel *)ipcp;
+-
+- return container_of(ipcp, struct shmid_kernel, shm_perm);
+-}
+-
+ static void shm_rcu_free(struct rcu_head *head)
+ {
+ struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
+@@ -191,7 +203,7 @@ static void shm_open(struct vm_area_struct *vma)
+ * @ns: namespace
+ * @shp: struct to free
+ *
+- * It has to be called with shp and shm_ids.rw_mutex (writer) locked,
++ * It has to be called with shp and shm_ids.rwsem (writer) locked,
+ * but returns with shp unlocked and freed.
+ */
+ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
+@@ -238,7 +250,7 @@ static void shm_close(struct vm_area_struct *vma)
+ struct shmid_kernel *shp;
+ struct ipc_namespace *ns = sfd->ns;
+
+- down_write(&shm_ids(ns).rw_mutex);
++ down_write(&shm_ids(ns).rwsem);
+ /* remove from the list of attaches of the shm segment */
+ shp = shm_lock(ns, sfd->id);
+ BUG_ON(IS_ERR(shp));
+@@ -249,10 +261,10 @@ static void shm_close(struct vm_area_struct *vma)
+ shm_destroy(ns, shp);
+ else
+ shm_unlock(shp);
+- up_write(&shm_ids(ns).rw_mutex);
++ up_write(&shm_ids(ns).rwsem);
+ }
+
+-/* Called with ns->shm_ids(ns).rw_mutex locked */
++/* Called with ns->shm_ids(ns).rwsem locked */
+ static int shm_try_destroy_current(int id, void *p, void *data)
+ {
+ struct ipc_namespace *ns = data;
+@@ -283,7 +295,7 @@ static int shm_try_destroy_current(int id, void *p, void *data)
+ return 0;
+ }
+
+-/* Called with ns->shm_ids(ns).rw_mutex locked */
++/* Called with ns->shm_ids(ns).rwsem locked */
+ static int shm_try_destroy_orphaned(int id, void *p, void *data)
+ {
+ struct ipc_namespace *ns = data;
+@@ -294,7 +306,7 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data)
+ * We want to destroy segments without users and with already
+ * exit'ed originating process.
+ *
+- * As shp->* are changed under rw_mutex, it's safe to skip shp locking.
++ * As shp->* are changed under rwsem, it's safe to skip shp locking.
+ */
+ if (shp->shm_creator != NULL)
+ return 0;
+@@ -308,10 +320,10 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data)
+
+ void shm_destroy_orphaned(struct ipc_namespace *ns)
+ {
+- down_write(&shm_ids(ns).rw_mutex);
++ down_write(&shm_ids(ns).rwsem);
+ if (shm_ids(ns).in_use)
+ idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
+- up_write(&shm_ids(ns).rw_mutex);
++ up_write(&shm_ids(ns).rwsem);
+ }
+
+
+@@ -323,10 +335,10 @@ void exit_shm(struct task_struct *task)
+ return;
+
+ /* Destroy all already created segments, but not mapped yet */
+- down_write(&shm_ids(ns).rw_mutex);
++ down_write(&shm_ids(ns).rwsem);
+ if (shm_ids(ns).in_use)
+ idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_current, ns);
+- up_write(&shm_ids(ns).rw_mutex);
++ up_write(&shm_ids(ns).rwsem);
+ }
+
+ static int shm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
+@@ -460,7 +472,7 @@ static const struct vm_operations_struct shm_vm_ops = {
+ * @ns: namespace
+ * @params: ptr to the structure that contains key, size and shmflg
+ *
+- * Called with shm_ids.rw_mutex held as a writer.
++ * Called with shm_ids.rwsem held as a writer.
+ */
+
+ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+@@ -567,7 +579,7 @@ no_file:
+ }
+
+ /*
+- * Called with shm_ids.rw_mutex and ipcp locked.
++ * Called with shm_ids.rwsem and ipcp locked.
+ */
+ static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg)
+ {
+@@ -578,7 +590,7 @@ static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg)
+ }
+
+ /*
+- * Called with shm_ids.rw_mutex and ipcp locked.
++ * Called with shm_ids.rwsem and ipcp locked.
+ */
+ static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
+ struct ipc_params *params)
+@@ -691,7 +703,7 @@ static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminf
+
+ /*
+ * Calculate and add used RSS and swap pages of a shm.
+- * Called with shm_ids.rw_mutex held as a reader
++ * Called with shm_ids.rwsem held as a reader
+ */
+ static void shm_add_rss_swap(struct shmid_kernel *shp,
+ unsigned long *rss_add, unsigned long *swp_add)
+@@ -718,7 +730,7 @@ static void shm_add_rss_swap(struct shmid_kernel *shp,
+ }
+
+ /*
+- * Called with shm_ids.rw_mutex held as a reader
++ * Called with shm_ids.rwsem held as a reader
+ */
+ static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
+ unsigned long *swp)
+@@ -747,9 +759,9 @@ static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
+ }
+
+ /*
+- * This function handles some shmctl commands which require the rw_mutex
++ * This function handles some shmctl commands which require the rwsem
+ * to be held in write mode.
+- * NOTE: no locks must be held, the rw_mutex is taken inside this function.
++ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
+ struct shmid_ds __user *buf, int version)
+@@ -764,14 +776,13 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
+ return -EFAULT;
+ }
+
+- down_write(&shm_ids(ns).rw_mutex);
++ down_write(&shm_ids(ns).rwsem);
+ rcu_read_lock();
+
+- ipcp = ipcctl_pre_down(ns, &shm_ids(ns), shmid, cmd,
+- &shmid64.shm_perm, 0);
++ ipcp = ipcctl_pre_down_nolock(ns, &shm_ids(ns), shmid, cmd,
++ &shmid64.shm_perm, 0);
+ if (IS_ERR(ipcp)) {
+ err = PTR_ERR(ipcp);
+- /* the ipc lock is not held upon failure */
+ goto out_unlock1;
+ }
+
+@@ -779,14 +790,16 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
+
+ err = security_shm_shmctl(shp, cmd);
+ if (err)
+- goto out_unlock0;
++ goto out_unlock1;
+
+ switch (cmd) {
+ case IPC_RMID:
++ ipc_lock_object(&shp->shm_perm);
+ /* do_shm_rmid unlocks the ipc object and rcu */
+ do_shm_rmid(ns, ipcp);
+ goto out_up;
+ case IPC_SET:
++ ipc_lock_object(&shp->shm_perm);
+ err = ipc_update_perm(&shmid64.shm_perm, ipcp);
+ if (err)
+ goto out_unlock0;
+@@ -794,6 +807,7 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
+ break;
+ default:
+ err = -EINVAL;
++ goto out_unlock1;
+ }
+
+ out_unlock0:
+@@ -801,33 +815,28 @@ out_unlock0:
+ out_unlock1:
+ rcu_read_unlock();
+ out_up:
+- up_write(&shm_ids(ns).rw_mutex);
++ up_write(&shm_ids(ns).rwsem);
+ return err;
+ }
+
+-SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
++static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
++ int cmd, int version, void __user *buf)
+ {
++ int err;
+ struct shmid_kernel *shp;
+- int err, version;
+- struct ipc_namespace *ns;
+
+- if (cmd < 0 || shmid < 0) {
+- err = -EINVAL;
+- goto out;
++ /* preliminary security checks for *_INFO */
++ if (cmd == IPC_INFO || cmd == SHM_INFO) {
++ err = security_shm_shmctl(NULL, cmd);
++ if (err)
++ return err;
+ }
+
+- version = ipc_parse_version(&cmd);
+- ns = current->nsproxy->ipc_ns;
+-
+- switch (cmd) { /* replace with proc interface ? */
++ switch (cmd) {
+ case IPC_INFO:
+ {
+ struct shminfo64 shminfo;
+
+- err = security_shm_shmctl(NULL, cmd);
+- if (err)
+- return err;
+-
+ memset(&shminfo, 0, sizeof(shminfo));
+ shminfo.shmmni = shminfo.shmseg = ns->shm_ctlmni;
+ shminfo.shmmax = ns->shm_ctlmax;
+@@ -837,9 +846,9 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ if(copy_shminfo_to_user (buf, &shminfo, version))
+ return -EFAULT;
+
+- down_read(&shm_ids(ns).rw_mutex);
++ down_read(&shm_ids(ns).rwsem);
+ err = ipc_get_maxid(&shm_ids(ns));
+- up_read(&shm_ids(ns).rw_mutex);
++ up_read(&shm_ids(ns).rwsem);
+
+ if(err<0)
+ err = 0;
+@@ -849,19 +858,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ {
+ struct shm_info shm_info;
+
+- err = security_shm_shmctl(NULL, cmd);
+- if (err)
+- return err;
+-
+ memset(&shm_info, 0, sizeof(shm_info));
+- down_read(&shm_ids(ns).rw_mutex);
++ down_read(&shm_ids(ns).rwsem);
+ shm_info.used_ids = shm_ids(ns).in_use;
+ shm_get_stat (ns, &shm_info.shm_rss, &shm_info.shm_swp);
+ shm_info.shm_tot = ns->shm_tot;
+ shm_info.swap_attempts = 0;
+ shm_info.swap_successes = 0;
+ err = ipc_get_maxid(&shm_ids(ns));
+- up_read(&shm_ids(ns).rw_mutex);
++ up_read(&shm_ids(ns).rwsem);
+ if (copy_to_user(buf, &shm_info, sizeof(shm_info))) {
+ err = -EFAULT;
+ goto out;
+@@ -876,27 +881,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ struct shmid64_ds tbuf;
+ int result;
+
++ rcu_read_lock();
+ if (cmd == SHM_STAT) {
+- shp = shm_lock(ns, shmid);
++ shp = shm_obtain_object(ns, shmid);
+ if (IS_ERR(shp)) {
+ err = PTR_ERR(shp);
+- goto out;
++ goto out_unlock;
+ }
+ result = shp->shm_perm.id;
+ } else {
+- shp = shm_lock_check(ns, shmid);
++ shp = shm_obtain_object_check(ns, shmid);
+ if (IS_ERR(shp)) {
+ err = PTR_ERR(shp);
+- goto out;
++ goto out_unlock;
+ }
+ result = 0;
+ }
++
+ err = -EACCES;
+ if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
+ goto out_unlock;
++
+ err = security_shm_shmctl(shp, cmd);
+ if (err)
+ goto out_unlock;
++
+ memset(&tbuf, 0, sizeof(tbuf));
+ kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
+ tbuf.shm_segsz = shp->shm_segsz;
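Review bot: In the SHM_STAT/IPC_STAT branch the segment is now looked up with shm_obtain_object()/shm_obtain_object_check(), so the fields copied into `tbuf` are read under the RCU read lock alone, whereas the removed code held the object spinlock via shm_lock(). The values reported to user space can therefore come from different moments if the segment is modified concurrently. If a coherent snapshot matters, wrap the copy with `ipc_lock_object(&shp->shm_perm);` and `ipc_unlock_object(&shp->shm_perm);` before the `rcu_read_unlock()`; if not, a comment saying that the lockless read is intentional would do. The copy continues in the next hunk.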
+@@ -906,43 +915,76 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ tbuf.shm_cpid = shp->shm_cprid;
+ tbuf.shm_lpid = shp->shm_lprid;
+ tbuf.shm_nattch = shp->shm_nattch;
+- shm_unlock(shp);
+- if(copy_shmid_to_user (buf, &tbuf, version))
++ rcu_read_unlock();
++
++ if (copy_shmid_to_user(buf, &tbuf, version))
+ err = -EFAULT;
+ else
+ err = result;
+ goto out;
+ }
++ default:
++ return -EINVAL;
++ }
++
++out_unlock:
++ rcu_read_unlock();
++out:
++ return err;
++}
++
++SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
++{
++ struct shmid_kernel *shp;
++ int err, version;
++ struct ipc_namespace *ns;
++
++ if (cmd < 0 || shmid < 0)
++ return -EINVAL;
++
++ version = ipc_parse_version(&cmd);
++ ns = current->nsproxy->ipc_ns;
++
++ switch (cmd) {
++ case IPC_INFO:
++ case SHM_INFO:
++ case SHM_STAT:
++ case IPC_STAT:
++ return shmctl_nolock(ns, shmid, cmd, version, buf);
++ case IPC_RMID:
++ case IPC_SET:
++ return shmctl_down(ns, shmid, cmd, buf, version);
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ {
+ struct file *shm_file;
+
+- shp = shm_lock_check(ns, shmid);
++ rcu_read_lock();
++ shp = shm_obtain_object_check(ns, shmid);
+ if (IS_ERR(shp)) {
+ err = PTR_ERR(shp);
+- goto out;
++ goto out_unlock1;
+ }
+
+ audit_ipc_obj(&(shp->shm_perm));
++ err = security_shm_shmctl(shp, cmd);
++ if (err)
++ goto out_unlock1;
+
++ ipc_lock_object(&shp->shm_perm);
+ if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
+ kuid_t euid = current_euid();
+ err = -EPERM;
+ if (!uid_eq(euid, shp->shm_perm.uid) &&
+ !uid_eq(euid, shp->shm_perm.cuid))
+- goto out_unlock;
++ goto out_unlock0;
+ if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
+- goto out_unlock;
++ goto out_unlock0;
+ }
+
+- err = security_shm_shmctl(shp, cmd);
+- if (err)
+- goto out_unlock;
+-
+ shm_file = shp->shm_file;
+ if (is_file_hugepages(shm_file))
+- goto out_unlock;
++ goto out_unlock0;
+
+ if (cmd == SHM_LOCK) {
+ struct user_struct *user = current_user();
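Review bot: In the SHM_LOCK/SHM_UNLOCK branch the object is found under RCU and only later locked with `ipc_lock_object(&shp->shm_perm);`, and nothing after the lock re-checks that the segment was not removed in between before `shp->shm_file` is read. The removed shm_lock_check() looked up and locked in one call, so that window is new. A guard right after the lock, such as `if (shp->shm_perm.deleted) { err = -EIDRM; goto out_unlock0; }`, would close it, assuming the removal path sets that flag (it is not visible here). The do_shmat() hunk (`@@ -1058,24 +1100,31 @@`) has the same lookup-then-lock sequence before it dereferences `shp->shm_file`; this branch also runs past the end of the hunk.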
+@@ -951,32 +993,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ shp->shm_perm.mode |= SHM_LOCKED;
+ shp->mlock_user = user;
+ }
+- goto out_unlock;
++ goto out_unlock0;
+ }
+
+ /* SHM_UNLOCK */
+ if (!(shp->shm_perm.mode & SHM_LOCKED))
+- goto out_unlock;
++ goto out_unlock0;
+ shmem_lock(shm_file, 0, shp->mlock_user);
+ shp->shm_perm.mode &= ~SHM_LOCKED;
+ shp->mlock_user = NULL;
+ get_file(shm_file);
+- shm_unlock(shp);
++ ipc_unlock_object(&shp->shm_perm);
++ rcu_read_unlock();
+ shmem_unlock_mapping(shm_file->f_mapping);
++
+ fput(shm_file);
+- goto out;
+- }
+- case IPC_RMID:
+- case IPC_SET:
+- err = shmctl_down(ns, shmid, cmd, buf, version);
+ return err;
++ }
+ default:
+ return -EINVAL;
+ }
+
+-out_unlock:
+- shm_unlock(shp);
+-out:
++out_unlock0:
++ ipc_unlock_object(&shp->shm_perm);
++out_unlock1:
++ rcu_read_unlock();
+ return err;
+ }
+
+@@ -1044,10 +1085,11 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ * additional creator id...
+ */
+ ns = current->nsproxy->ipc_ns;
+- shp = shm_lock_check(ns, shmid);
++ rcu_read_lock();
++ shp = shm_obtain_object_check(ns, shmid);
+ if (IS_ERR(shp)) {
+ err = PTR_ERR(shp);
+- goto out;
++ goto out_unlock;
+ }
+
+ err = -EACCES;
+@@ -1058,24 +1100,31 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ if (err)
+ goto out_unlock;
+
++ ipc_lock_object(&shp->shm_perm);
+ path = shp->shm_file->f_path;
+ path_get(&path);
+ shp->shm_nattch++;
+ size = i_size_read(path.dentry->d_inode);
+- shm_unlock(shp);
++ ipc_unlock_object(&shp->shm_perm);
++ rcu_read_unlock();
+
+ err = -ENOMEM;
+ sfd = kzalloc(sizeof(*sfd), GFP_KERNEL);
+- if (!sfd)
+- goto out_put_dentry;
++ if (!sfd) {
++ path_put(&path);
++ goto out_nattch;
++ }
+
+ file = alloc_file(&path, f_mode,
+ is_file_hugepages(shp->shm_file) ?
+ &shm_file_operations_huge :
+ &shm_file_operations);
+ err = PTR_ERR(file);
+- if (IS_ERR(file))
+- goto out_free;
++ if (IS_ERR(file)) {
++ kfree(sfd);
++ path_put(&path);
++ goto out_nattch;
++ }
+
+ file->private_data = sfd;
+ file->f_mapping = shp->shm_file->f_mapping;
+@@ -1101,7 +1150,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ addr > current->mm->start_stack - size - PAGE_SIZE * 5)
+ goto invalid;
+ }
+-
++
+ addr = do_mmap_pgoff(file, addr, size, prot, flags, 0, &populate);
+ *raddr = addr;
+ err = 0;
+@@ -1116,7 +1165,7 @@ out_fput:
+ fput(file);
+
+ out_nattch:
+- down_write(&shm_ids(ns).rw_mutex);
++ down_write(&shm_ids(ns).rwsem);
+ shp = shm_lock(ns, shmid);
+ BUG_ON(IS_ERR(shp));
+ shp->shm_nattch--;
+@@ -1124,20 +1173,13 @@ out_nattch:
+ shm_destroy(ns, shp);
+ else
+ shm_unlock(shp);
+- up_write(&shm_ids(ns).rw_mutex);
+-
+-out:
++ up_write(&shm_ids(ns).rwsem);
+ return err;
+
+ out_unlock:
+- shm_unlock(shp);
+- goto out;
+-
+-out_free:
+- kfree(sfd);
+-out_put_dentry:
+- path_put(&path);
+- goto out_nattch;
++ rcu_read_unlock();
++out:
++ return err;
+ }
+
+ SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg)
+@@ -1242,8 +1284,7 @@ SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
+ #else /* CONFIG_MMU */
+ /* under NOMMU conditions, the exact address to be destroyed must be
+ * given */
+- retval = -EINVAL;
+- if (vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) {
++ if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) {
+ do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
+ retval = 0;
+ }
+diff --git a/ipc/util.c b/ipc/util.c
+index 0c6566b..fdb8ae7 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -15,6 +15,14 @@
+ * Jun 2006 - namespaces ssupport
+ * OpenVZ, SWsoft Inc.
+ * Pavel Emelianov <xemul@openvz.org>
++ *
++ * General sysv ipc locking scheme:
++ * when doing ipc id lookups, take the ids->rwsem
++ * rcu_read_lock()
++ * obtain the ipc object (kern_ipc_perm)
++ * perform security, capabilities, auditing and permission checks, etc.
++ * acquire the ipc lock (kern_ipc_perm.lock) throught ipc_lock_object()
++ * perform data updates (ie: SET, RMID, LOCK/UNLOCK commands)
+ */
+
+ #include <linux/mm.h>
+@@ -119,7 +127,7 @@ __initcall(ipc_init);
+
+ void ipc_init_ids(struct ipc_ids *ids)
+ {
+- init_rwsem(&ids->rw_mutex);
++ init_rwsem(&ids->rwsem);
+
+ ids->in_use = 0;
+ ids->seq = 0;
+@@ -174,7 +182,7 @@ void __init ipc_init_proc_interface(const char *path, const char *header,
+ * @ids: Identifier set
+ * @key: The key to find
+ *
+- * Requires ipc_ids.rw_mutex locked.
++ * Requires ipc_ids.rwsem locked.
+ * Returns the LOCKED pointer to the ipc structure if found or NULL
+ * if not.
+ * If key is found ipc points to the owning ipc structure
+@@ -197,7 +205,8 @@ static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key)
+ continue;
+ }
+
+- ipc_lock_by_ptr(ipc);
++ rcu_read_lock();
++ ipc_lock_object(ipc);
+ return ipc;
+ }
+
+@@ -208,7 +217,7 @@ static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key)
+ * ipc_get_maxid - get the last assigned id
+ * @ids: IPC identifier set
+ *
+- * Called with ipc_ids.rw_mutex held.
++ * Called with ipc_ids.rwsem held.
+ */
+
+ int ipc_get_maxid(struct ipc_ids *ids)
+@@ -246,7 +255,7 @@ int ipc_get_maxid(struct ipc_ids *ids)
+ * is returned. The 'new' entry is returned in a locked state on success.
+ * On failure the entry is not locked and a negative err-code is returned.
+ *
+- * Called with writer ipc_ids.rw_mutex held.
++ * Called with writer ipc_ids.rwsem held.
+ */
+ int ipc_addid(struct ipc_ids* ids, struct kern_ipc_perm* new, int size)
+ {
+@@ -312,9 +321,9 @@ static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids,
+ {
+ int err;
+
+- down_write(&ids->rw_mutex);
++ down_write(&ids->rwsem);
+ err = ops->getnew(ns, params);
+- up_write(&ids->rw_mutex);
++ up_write(&ids->rwsem);
+ return err;
+ }
+
+@@ -331,7 +340,7 @@ static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids,
+ *
+ * On success, the IPC id is returned.
+ *
+- * It is called with ipc_ids.rw_mutex and ipcp->lock held.
++ * It is called with ipc_ids.rwsem and ipcp->lock held.
+ */
+ static int ipc_check_perms(struct ipc_namespace *ns,
+ struct kern_ipc_perm *ipcp,
+@@ -376,7 +385,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids,
+ * Take the lock as a writer since we are potentially going to add
+ * a new entry + read locks are not "upgradable"
+ */
+- down_write(&ids->rw_mutex);
++ down_write(&ids->rwsem);
+ ipcp = ipc_findkey(ids, params->key);
+ if (ipcp == NULL) {
+ /* key not used */
+@@ -402,7 +411,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids,
+ }
+ ipc_unlock(ipcp);
+ }
+- up_write(&ids->rw_mutex);
++ up_write(&ids->rwsem);
+
+ return err;
+ }
+@@ -413,7 +422,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids,
+ * @ids: IPC identifier set
+ * @ipcp: ipc perm structure containing the identifier to remove
+ *
+- * ipc_ids.rw_mutex (as a writer) and the spinlock for this ID are held
++ * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held
+ * before this function is called, and remain locked on the exit.
+ */
+
+@@ -613,7 +622,7 @@ struct kern_ipc_perm *ipc_obtain_object(struct ipc_ids *ids, int id)
+ }
+
+ /**
+- * ipc_lock - Lock an ipc structure without rw_mutex held
++ * ipc_lock - Lock an ipc structure without rwsem held
+ * @ids: IPC identifier set
+ * @id: ipc id to look for
+ *
+@@ -669,22 +678,6 @@ out:
+ return out;
+ }
+
+-struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id)
+-{
+- struct kern_ipc_perm *out;
+-
+- out = ipc_lock(ids, id);
+- if (IS_ERR(out))
+- return out;
+-
+- if (ipc_checkid(out, id)) {
+- ipc_unlock(out);
+- return ERR_PTR(-EIDRM);
+- }
+-
+- return out;
+-}
+-
+ /**
+ * ipcget - Common sys_*get() code
+ * @ns : namsepace
+@@ -725,7 +718,7 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
+ }
+
+ /**
+- * ipcctl_pre_down - retrieve an ipc and check permissions for some IPC_XXX cmd
++ * ipcctl_pre_down_nolock - retrieve an ipc and check permissions for some IPC_XXX cmd
+ * @ns: the ipc namespace
+ * @ids: the table of ids where to look for the ipc
+ * @id: the id of the ipc to retrieve
+@@ -738,29 +731,13 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
+ * It must be called without any lock held and
+ * - retrieves the ipc with the given id in the given table.
+ * - performs some audit and permission check, depending on the given cmd
+- * - returns the ipc with the ipc lock held in case of success
+- * or an err-code without any lock held otherwise.
++ * - returns a pointer to the ipc object or otherwise, the corresponding error.
+ *
+- * Call holding the both the rw_mutex and the rcu read lock.
++ * Call holding the both the rwsem and the rcu read lock.
+ */
+-struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
+- struct ipc_ids *ids, int id, int cmd,
+- struct ipc64_perm *perm, int extra_perm)
+-{
+- struct kern_ipc_perm *ipcp;
+-
+- ipcp = ipcctl_pre_down_nolock(ns, ids, id, cmd, perm, extra_perm);
+- if (IS_ERR(ipcp))
+- goto out;
+-
+- spin_lock(&ipcp->lock);
+-out:
+- return ipcp;
+-}
+-
+ struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns,
+- struct ipc_ids *ids, int id, int cmd,
+- struct ipc64_perm *perm, int extra_perm)
++ struct ipc_ids *ids, int id, int cmd,
++ struct ipc64_perm *perm, int extra_perm)
+ {
+ kuid_t euid;
+ int err = -EPERM;
+@@ -838,7 +815,8 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos,
+ ipc = idr_find(&ids->ipcs_idr, pos);
+ if (ipc != NULL) {
+ *new_pos = pos + 1;
+- ipc_lock_by_ptr(ipc);
++ rcu_read_lock();
++ ipc_lock_object(ipc);
+ return ipc;
+ }
+ }
+@@ -876,7 +854,7 @@ static void *sysvipc_proc_start(struct seq_file *s, loff_t *pos)
+ * Take the lock - this will be released by the corresponding
+ * call to stop().
+ */
+- down_read(&ids->rw_mutex);
++ down_read(&ids->rwsem);
+
+ /* pos < 0 is invalid */
+ if (*pos < 0)
+@@ -903,7 +881,7 @@ static void sysvipc_proc_stop(struct seq_file *s, void *it)
+
+ ids = &iter->ns->ids[iface->ids];
+ /* Release the lock we took in start() */
+- up_read(&ids->rw_mutex);
++ up_read(&ids->rwsem);
+ }
+
+ static int sysvipc_proc_show(struct seq_file *s, void *it)
+diff --git a/ipc/util.h b/ipc/util.h
+index 25299e7..f2f5036 100644
+--- a/ipc/util.h
++++ b/ipc/util.h
+@@ -101,10 +101,10 @@ void __init ipc_init_proc_interface(const char *path, const char *header,
+ #define ipcid_to_idx(id) ((id) % SEQ_MULTIPLIER)
+ #define ipcid_to_seqx(id) ((id) / SEQ_MULTIPLIER)
+
+-/* must be called with ids->rw_mutex acquired for writing */
++/* must be called with ids->rwsem acquired for writing */
+ int ipc_addid(struct ipc_ids *, struct kern_ipc_perm *, int);
+
+-/* must be called with ids->rw_mutex acquired for reading */
++/* must be called with ids->rwsem acquired for reading */
+ int ipc_get_maxid(struct ipc_ids *);
+
+ /* must be called with both locks acquired. */
+@@ -139,9 +139,6 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out);
+ struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns,
+ struct ipc_ids *ids, int id, int cmd,
+ struct ipc64_perm *perm, int extra_perm);
+-struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
+- struct ipc_ids *ids, int id, int cmd,
+- struct ipc64_perm *perm, int extra_perm);
+
+ #ifndef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
+ /* On IA-64, we always use the "64-bit version" of the IPC structures. */
+@@ -182,19 +179,12 @@ static inline void ipc_assert_locked_object(struct kern_ipc_perm *perm)
+ assert_spin_locked(&perm->lock);
+ }
+
+-static inline void ipc_lock_by_ptr(struct kern_ipc_perm *perm)
+-{
+- rcu_read_lock();
+- ipc_lock_object(perm);
+-}
+-
+ static inline void ipc_unlock(struct kern_ipc_perm *perm)
+ {
+ ipc_unlock_object(perm);
+ rcu_read_unlock();
+ }
+
+-struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id);
+ struct kern_ipc_perm *ipc_obtain_object_check(struct ipc_ids *ids, int id);
+ int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
+ struct ipc_ops *ops, struct ipc_params *params);
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 45850f6..4865756 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -930,6 +930,14 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec,
+ }
+
+ /*
++ * always configure channel mapping, it may have been changed by the
++ * user in the meantime
++ */
++ hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca,
++ channels, per_pin->chmap,
++ per_pin->chmap_set);
++
++ /*
+ * sizeof(ai) is used instead of sizeof(*hdmi_ai) or
+ * sizeof(*dp_ai) to avoid partial match/update problems when
+ * the user switches between HDMI/DP monitors.
+@@ -940,20 +948,10 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec,
+ "pin=%d channels=%d\n",
+ pin_nid,
+ channels);
+- hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca,
+- channels, per_pin->chmap,
+- per_pin->chmap_set);
+ hdmi_stop_infoframe_trans(codec, pin_nid);
+ hdmi_fill_audio_infoframe(codec, pin_nid,
+ ai.bytes, sizeof(ai));
+ hdmi_start_infoframe_trans(codec, pin_nid);
+- } else {
+- /* For non-pcm audio switch, setup new channel mapping
+- * accordingly */
+- if (per_pin->non_pcm != non_pcm)
+- hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca,
+- channels, per_pin->chmap,
+- per_pin->chmap_set);
+ }
+
+ per_pin->non_pcm = non_pcm;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 389db4c..1383f38 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3308,6 +3308,15 @@ static void alc269_fixup_limit_int_mic_boost(struct hda_codec *codec,
+ }
+ }
+
++static void alc290_fixup_mono_speakers(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ if (action == HDA_FIXUP_ACT_PRE_PROBE)
++ /* Remove DAC node 0x03, as it seems to be
++ giving mono output */
++ snd_hda_override_wcaps(codec, 0x03, 0);
++}
++
+ enum {
+ ALC269_FIXUP_SONY_VAIO,
+ ALC275_FIXUP_SONY_VAIO_GPIO2,
+@@ -3331,9 +3340,12 @@ enum {
+ ALC269_FIXUP_HP_GPIO_LED,
+ ALC269_FIXUP_INV_DMIC,
+ ALC269_FIXUP_LENOVO_DOCK,
++ ALC286_FIXUP_SONY_MIC_NO_PRESENCE,
+ ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT,
+ ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC269_FIXUP_DELL2_MIC_NO_PRESENCE,
++ ALC269_FIXUP_DELL3_MIC_NO_PRESENCE,
++ ALC290_FIXUP_MONO_SPEAKERS,
+ ALC269_FIXUP_HEADSET_MODE,
+ ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC,
+ ALC269_FIXUP_ASUS_X101_FUNC,
+@@ -3521,6 +3533,15 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+ },
++ [ALC269_FIXUP_DELL3_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1a, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
++ },
+ [ALC269_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode,
+@@ -3529,6 +3550,13 @@ static const struct hda_fixup alc269_fixups[] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode_no_hp_mic,
+ },
++ [ALC286_FIXUP_SONY_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { }
++ },
++ },
+ [ALC269_FIXUP_ASUS_X101_FUNC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc269_fixup_x101_headset_mic,
+@@ -3595,6 +3623,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ { }
+ },
+ },
++ [ALC290_FIXUP_MONO_SPEAKERS] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc290_fixup_mono_speakers,
++ .chained = true,
++ .chain_id = ALC269_FIXUP_DELL3_MIC_NO_PRESENCE,
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -3631,6 +3665,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1028, 0x0608, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0609, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0613, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_MONO_SPEAKERS),
+ SND_PCI_QUIRK(0x1028, 0x15cc, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x15cd, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+@@ -3651,6 +3686,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x8516, "ASUS X101CH", ALC269_FIXUP_ASUS_X101),
++ SND_PCI_QUIRK(0x104d, 0x90b6, "Sony VAIO Pro 13", ALC286_FIXUP_SONY_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x104d, 0x9073, "Sony VAIO", ALC275_FIXUP_SONY_VAIO_GPIO2),
+ SND_PCI_QUIRK(0x104d, 0x907b, "Sony VAIO", ALC275_FIXUP_SONY_HWEQ),
+ SND_PCI_QUIRK(0x104d, 0x9084, "Sony VAIO", ALC275_FIXUP_SONY_HWEQ),
+@@ -4345,6 +4381,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
++ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4),
+ SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
+ SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
+diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c
+index 63fb521..6234a51 100644
+--- a/sound/usb/usx2y/usbusx2yaudio.c
++++ b/sound/usb/usx2y/usbusx2yaudio.c
+@@ -299,19 +299,6 @@ static void usX2Y_error_urb_status(struct usX2Ydev *usX2Y,
+ usX2Y_clients_stop(usX2Y);
+ }
+
+-static void usX2Y_error_sequence(struct usX2Ydev *usX2Y,
+- struct snd_usX2Y_substream *subs, struct urb *urb)
+-{
+- snd_printk(KERN_ERR
+-"Sequence Error!(hcd_frame=%i ep=%i%s;wait=%i,frame=%i).\n"
+-"Most probably some urb of usb-frame %i is still missing.\n"
+-"Cause could be too long delays in usb-hcd interrupt handling.\n",
+- usb_get_current_frame_number(usX2Y->dev),
+- subs->endpoint, usb_pipein(urb->pipe) ? "in" : "out",
+- usX2Y->wait_iso_frame, urb->start_frame, usX2Y->wait_iso_frame);
+- usX2Y_clients_stop(usX2Y);
+-}
+-
+ static void i_usX2Y_urb_complete(struct urb *urb)
+ {
+ struct snd_usX2Y_substream *subs = urb->context;
+@@ -328,12 +315,9 @@ static void i_usX2Y_urb_complete(struct urb *urb)
+ usX2Y_error_urb_status(usX2Y, subs, urb);
+ return;
+ }
+- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
+- subs->completed_urb = urb;
+- else {
+- usX2Y_error_sequence(usX2Y, subs, urb);
+- return;
+- }
++
++ subs->completed_urb = urb;
++
+ {
+ struct snd_usX2Y_substream *capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE],
+ *playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK];
+diff --git a/sound/usb/usx2y/usx2yhwdeppcm.c b/sound/usb/usx2y/usx2yhwdeppcm.c
+index f2a1acd..814d0e8 100644
+--- a/sound/usb/usx2y/usx2yhwdeppcm.c
++++ b/sound/usb/usx2y/usx2yhwdeppcm.c
+@@ -244,13 +244,8 @@ static void i_usX2Y_usbpcm_urb_complete(struct urb *urb)
+ usX2Y_error_urb_status(usX2Y, subs, urb);
+ return;
+ }
+- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
+- subs->completed_urb = urb;
+- else {
+- usX2Y_error_sequence(usX2Y, subs, urb);
+- return;
+- }
+
++ subs->completed_urb = urb;
+ capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE];
+ capsubs2 = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE + 2];
+ playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK];
diff --git a/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch
index bfc60cf..46b1e15 100644
--- a/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch
+++ b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch
@@ -281,7 +281,7 @@ index 7f9d4f5..6d1afd6 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 4f91b99..cb9dcfc 100644
+index e87ba83..ee3c7b7 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -2091,6 +2091,30 @@ index a8cae71c..65dd797 100644
/*
* set platform specific SMP operations
+diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h
+index f1d96d4..73ddd72 100644
+--- a/arch/arm/include/asm/syscall.h
++++ b/arch/arm/include/asm/syscall.h
+@@ -57,6 +57,9 @@ static inline void syscall_get_arguments(struct task_struct *task,
+ unsigned int i, unsigned int n,
+ unsigned long *args)
+ {
++ if (n == 0)
++ return;
++
+ if (i + n > SYSCALL_MAX_ARGS) {
+ unsigned long *args_bad = args + SYSCALL_MAX_ARGS - i;
+ unsigned int n_bad = n + i - SYSCALL_MAX_ARGS;
+@@ -81,6 +84,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
+ unsigned int i, unsigned int n,
+ const unsigned long *args)
+ {
++ if (n == 0)
++ return;
++
+ if (i + n > SYSCALL_MAX_ARGS) {
+ pr_warning("%s called with max args %d, handling only %d\n",
+ __func__, i + n, SYSCALL_MAX_ARGS);
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
index 2b8114f..8fe9bcf 100644
--- a/arch/arm/include/asm/thread_info.h
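Review bot: The new `if (n == 0) return;` in syscall_get_arguments leaves the other degenerate input unchecked: with i greater than SYSCALL_MAX_ARGS, `args + SYSCALL_MAX_ARGS - i` yields an args_bad that lies before the caller's buffer, and n_bad is computed from the same out-of-range index. Callers are in-kernel and presumably pass small constants, so this is a hardening point rather than a demonstrated bug, but the check is cheap to state next to the one just added, e.g. `if (i > SYSCALL_MAX_ARGS) { memset(args, 0, n * sizeof(args[0])); return; }`. The same applies to the second nested hunk (syscall_set_arguments), where a plain early return would do. Both function bodies continue outside the hunk, so how args_bad and n_bad are used afterwards should be confirmed there.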
@@ -7254,7 +7278,7 @@ index 5dfd248..64914ac 100644
return addr;
}
diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
-index 04e47c6..7a8faf6 100644
+index b3f87a3..5d5d03d 100644
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -727,9 +727,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
@@ -9442,24 +9466,6 @@ index d432fb2..6056af1 100644
extra-y := head_$(BITS).o
-diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
-index 62d6b15..9231031 100644
---- a/arch/sparc/kernel/ds.c
-+++ b/arch/sparc/kernel/ds.c
-@@ -849,10 +849,9 @@ void ldom_reboot(const char *boot_command)
- if (boot_command && strlen(boot_command)) {
- unsigned long len;
-
-- strcpy(full_boot_str, "boot ");
-- strlcpy(full_boot_str + strlen("boot "), boot_command,
-- sizeof(full_boot_str + strlen("boot ")));
-- len = strlen(full_boot_str);
-+ len = snprintf(full_boot_str, sizeof(full_boot_str), "boot %s", boot_command);
-+ if (len >= sizeof(full_boot_str))
-+ len = sizeof(full_boot_str) - 1;
-
- if (reboot_data_supported) {
- unsigned long ra = kimage_addr_to_ra(full_boot_str);
diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
index fdd819d..5af08c8 100644
--- a/arch/sparc/kernel/process_32.c
@@ -9820,7 +9826,7 @@ index 51561b8..8256764 100644
}
}
diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
-index 22a1098..6255eb9 100644
+index 73ec8a7..4611979 100644
--- a/arch/sparc/kernel/syscalls.S
+++ b/arch/sparc/kernel/syscalls.S
@@ -52,7 +52,7 @@ sys32_rt_sigreturn:
@@ -9834,13 +9840,13 @@ index 22a1098..6255eb9 100644
call syscall_trace_leave
@@ -184,7 +184,7 @@ linux_sparc_syscall32:
- srl %i5, 0, %o5 ! IEU1
+ srl %i3, 0, %o3 ! IEU0
srl %i2, 0, %o2 ! IEU0 Group
- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
+ andcc %l0, _TIF_WORK_SYSCALL, %g0
bne,pn %icc, linux_syscall_trace32 ! CTI
mov %i0, %l5 ! IEU1
- call %l7 ! CTI Group brk forced
+ 5: call %l7 ! CTI Group brk forced
@@ -207,7 +207,7 @@ linux_sparc_syscall:
mov %i3, %o3 ! IEU1
@@ -10323,10 +10329,10 @@ index 85c233d..68500e0 100644
cmp %g1, %g7
bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
-index 0c4e35e..745d3e4 100644
+index 323335b..ed85ea2 100644
--- a/arch/sparc/lib/ksyms.c
+++ b/arch/sparc/lib/ksyms.c
-@@ -109,12 +109,18 @@ EXPORT_SYMBOL(__downgrade_write);
+@@ -100,12 +100,18 @@ EXPORT_SYMBOL(__clear_user);
/* Atomic counter implementation. */
EXPORT_SYMBOL(atomic_add);
@@ -14874,7 +14880,7 @@ index 59c6c40..5e0b22c 100644
struct compat_timespec {
compat_time_t tv_sec;
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index 47538a6..44902d1 100644
+index 7290585..717e89e 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -203,7 +203,7 @@
@@ -20503,10 +20509,10 @@ index addb207..99635fa 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
-index d32abea..74daf4f 100644
+index 174da5f..5e55606 100644
--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
-@@ -800,8 +800,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
+@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
static void early_panic(char *msg)
{
@@ -24912,7 +24918,7 @@ index 2cb9470..ff1fd80 100644
return ret;
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index 563ed91..b9c3313 100644
+index 5f4ad27..9d96c99 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -68,6 +68,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
@@ -24958,7 +24964,7 @@ index 563ed91..b9c3313 100644
"rm" (real_mode_header->machine_real_restart_asm),
"a" (type));
#else
-@@ -442,7 +469,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
+@@ -458,7 +485,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
* try to force a triple fault and then cycle between hitting the keyboard
* controller and doing that
*/
@@ -24967,7 +24973,7 @@ index 563ed91..b9c3313 100644
{
int i;
int attempt = 0;
-@@ -551,13 +578,13 @@ void native_machine_shutdown(void)
+@@ -567,13 +594,13 @@ void native_machine_shutdown(void)
#endif
}
@@ -24983,7 +24989,7 @@ index 563ed91..b9c3313 100644
{
pr_notice("machine restart\n");
-@@ -566,7 +593,7 @@ static void native_machine_restart(char *__unused)
+@@ -582,7 +609,7 @@ static void native_machine_restart(char *__unused)
__machine_emergency_restart(0);
}
@@ -24992,7 +24998,7 @@ index 563ed91..b9c3313 100644
{
/* Stop other cpus and apics */
machine_shutdown();
-@@ -576,7 +603,7 @@ static void native_machine_halt(void)
+@@ -592,7 +619,7 @@ static void native_machine_halt(void)
stop_this_cpu(NULL);
}
@@ -25001,7 +25007,7 @@ index 563ed91..b9c3313 100644
{
if (pm_power_off) {
if (!reboot_force)
-@@ -585,9 +612,10 @@ static void native_machine_power_off(void)
+@@ -601,9 +628,10 @@ static void native_machine_power_off(void)
}
/* A fallback in case there is no PM info available */
tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -25057,7 +25063,7 @@ index 3fd2c69..16ef367 100644
1:
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f8ec578..0cc110a 100644
+index 234e1e3..1246d05 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -110,6 +110,7 @@
@@ -25122,16 +25128,16 @@ index f8ec578..0cc110a 100644
/* Boot loader ID and version as integers, for the benefit of proc_dointvec */
int bootloader_type, bootloader_version;
-@@ -444,7 +483,7 @@ static void __init parse_setup_data(void)
+@@ -442,7 +481,7 @@ static void __init parse_setup_data(void)
- switch (data->type) {
+ switch (data_type) {
case SETUP_E820_EXT:
-- parse_e820_ext(data);
-+ parse_e820_ext((struct setup_data __force_kernel *)data);
+- parse_e820_ext(pa_data, data_len);
++ parse_e820_ext((struct setup_data __force_kernel *)pa_data, data_len);
break;
case SETUP_DTB:
add_dtb(pa_data);
-@@ -771,7 +810,7 @@ static void __init trim_bios_range(void)
+@@ -768,7 +807,7 @@ static void __init trim_bios_range(void)
* area (640->1Mb) as ram even though it is not.
* take them out.
*/
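Review bot: The rebased line `parse_e820_ext((struct setup_data __force_kernel *)pa_data, data_len)` keeps the pointer cast that was written for the old `data` argument, but the updated context suggests pa_data is an address value rather than a pointer: the switch now reads `data_type` instead of `data->type`, and `add_dtb(pa_data)` two lines below takes it uncast. If parse_e820_ext now takes a physical address and a length (its prototype is not in this hunk), the cast turns an integer into a pointer only for it to be converted back at the call, and the `__force_kernel` annotation marks an address space that does not apply. In that case the upstream form `parse_e820_ext(pa_data, data_len);` could be left untouched. This should be confirmed against parse_e820_ext's definition before the cast is carried forward.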
@@ -25140,7 +25146,7 @@ index f8ec578..0cc110a 100644
sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
}
-@@ -779,7 +818,7 @@ static void __init trim_bios_range(void)
+@@ -776,7 +815,7 @@ static void __init trim_bios_range(void)
/* called before trim_bios_range() to spare extra sanitize */
static void __init e820_add_kernel_range(void)
{
@@ -25149,7 +25155,7 @@ index f8ec578..0cc110a 100644
u64 size = __pa_symbol(_end) - start;
/*
-@@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void)
+@@ -838,8 +877,12 @@ static void __init trim_low_memory_range(void)
void __init setup_arch(char **cmdline_p)
{
@@ -25162,7 +25168,7 @@ index f8ec578..0cc110a 100644
early_reserve_initrd();
-@@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p)
+@@ -931,14 +974,14 @@ void __init setup_arch(char **cmdline_p)
if (!boot_params.hdr.root_flags)
root_mountflags &= ~MS_RDONLY;
@@ -35953,18 +35959,10 @@ index e8d11b6..7b1b36f 100644
}
EXPORT_SYMBOL_GPL(unregister_syscore_ops);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index 62b6c2c..002d10f 100644
+index 90a4e6b..002d10f 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
-@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
- int err;
- u32 cp;
-
-+ memset(&arg64, 0, sizeof(arg64));
- err = 0;
- err |=
- copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
-@@ -3010,7 +3011,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3011,7 +3011,7 @@ static void start_io(ctlr_info_t *h)
while (!list_empty(&h->reqQ)) {
c = list_entry(h->reqQ.next, CommandList_struct, list);
/* can't do anything if fifo is full */
@@ -35973,7 +35971,7 @@ index 62b6c2c..002d10f 100644
dev_warn(&h->pdev->dev, "fifo full\n");
break;
}
-@@ -3020,7 +3021,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3021,7 +3021,7 @@ static void start_io(ctlr_info_t *h)
h->Qdepth--;
/* Tell the controller execute command */
@@ -35982,7 +35980,7 @@ index 62b6c2c..002d10f 100644
/* Put job onto the completed Q */
addQ(&h->cmpQ, c);
-@@ -3446,17 +3447,17 @@ startio:
+@@ -3447,17 +3447,17 @@ startio:
static inline unsigned long get_next_completion(ctlr_info_t *h)
{
@@ -36003,7 +36001,7 @@ index 62b6c2c..002d10f 100644
(h->interrupts_enabled == 0));
}
-@@ -3489,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h)
+@@ -3490,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h)
u32 a;
if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
@@ -36012,7 +36010,7 @@ index 62b6c2c..002d10f 100644
if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
a = *(h->reply_pool_head); /* Next cmd in ring buffer */
-@@ -4046,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
+@@ -4047,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
trans_support & CFGTBL_Trans_use_short_tags);
/* Change the access methods to the performant access methods */
@@ -36021,7 +36019,7 @@ index 62b6c2c..002d10f 100644
h->transMethod = CFGTBL_Trans_Performant;
return;
-@@ -4319,7 +4320,7 @@ static int cciss_pci_init(ctlr_info_t *h)
+@@ -4320,7 +4320,7 @@ static int cciss_pci_init(ctlr_info_t *h)
if (prod_index < 0)
return -ENODEV;
h->product_name = products[prod_index].product_name;
@@ -36030,7 +36028,7 @@ index 62b6c2c..002d10f 100644
if (cciss_board_disabled(h)) {
dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
-@@ -5051,7 +5052,7 @@ reinit_after_soft_reset:
+@@ -5052,7 +5052,7 @@ reinit_after_soft_reset:
}
/* make sure the board interrupts are off */
@@ -36039,7 +36037,7 @@ index 62b6c2c..002d10f 100644
rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
if (rc)
goto clean2;
-@@ -5101,7 +5102,7 @@ reinit_after_soft_reset:
+@@ -5102,7 +5102,7 @@ reinit_after_soft_reset:
* fake ones to scoop up any residual completions.
*/
spin_lock_irqsave(&h->lock, flags);
@@ -36048,7 +36046,7 @@ index 62b6c2c..002d10f 100644
spin_unlock_irqrestore(&h->lock, flags);
free_irq(h->intr[h->intr_mode], h);
rc = cciss_request_irq(h, cciss_msix_discard_completions,
-@@ -5121,9 +5122,9 @@ reinit_after_soft_reset:
+@@ -5122,9 +5122,9 @@ reinit_after_soft_reset:
dev_info(&h->pdev->dev, "Board READY.\n");
dev_info(&h->pdev->dev,
"Waiting for stale completions to drain.\n");
@@ -36060,7 +36058,7 @@ index 62b6c2c..002d10f 100644
rc = controller_reset_failed(h->cfgtable);
if (rc)
-@@ -5146,7 +5147,7 @@ reinit_after_soft_reset:
+@@ -5147,7 +5147,7 @@ reinit_after_soft_reset:
cciss_scsi_setup(h);
/* Turn the interrupts on so we can service requests */
@@ -36069,7 +36067,7 @@ index 62b6c2c..002d10f 100644
/* Get the firmware version */
inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
-@@ -5218,7 +5219,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
+@@ -5219,7 +5219,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
kfree(flush_buf);
if (return_code != IO_OK)
dev_warn(&h->pdev->dev, "Error flushing cache\n");
@@ -36092,7 +36090,7 @@ index 7fda30e..eb5dfe0 100644
/* queue and queue Info */
struct list_head reqQ;
diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
-index 639d26b..fd6ad1f 100644
+index 2b94403..fd6ad1f 100644
--- a/drivers/block/cpqarray.c
+++ b/drivers/block/cpqarray.c
@@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
@@ -36167,15 +36165,7 @@ index 639d26b..fd6ad1f 100644
a1 = a; a &= ~3;
if ((c = h->cmpQ) == NULL)
{
-@@ -1193,6 +1193,7 @@ out_passthru:
- ida_pci_info_struct pciinfo;
-
- if (!arg) return -EINVAL;
-+ memset(&pciinfo, 0, sizeof(pciinfo));
- pciinfo.bus = host->pci_dev->bus->number;
- pciinfo.dev_fn = host->pci_dev->devfn;
- pciinfo.board_id = host->board_id;
-@@ -1447,11 +1448,11 @@ static int sendcmd(
+@@ -1448,11 +1448,11 @@ static int sendcmd(
/*
* Disable interrupt
*/
@@ -36189,7 +36179,7 @@ index 639d26b..fd6ad1f 100644
if (temp != 0) {
break;
}
-@@ -1464,7 +1465,7 @@ DBG(
+@@ -1465,7 +1465,7 @@ DBG(
/*
* Send the cmd
*/
@@ -36198,7 +36188,7 @@ index 639d26b..fd6ad1f 100644
complete = pollcomplete(ctlr);
pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
-@@ -1547,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
+@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
* we check the new geometry. Then turn interrupts back on when
* we're done.
*/
@@ -36210,7 +36200,7 @@ index 639d26b..fd6ad1f 100644
for(i=0; i<NWD; i++) {
struct gendisk *disk = ida_gendisk[ctlr][i];
-@@ -1589,7 +1590,7 @@ static int pollcomplete(int ctlr)
+@@ -1590,7 +1590,7 @@ static int pollcomplete(int ctlr)
/* Wait (up to 2 seconds) for a command to complete */
for (i = 200000; i > 0; i--) {
@@ -36917,7 +36907,7 @@ index 5c5cc00..ac9edb7 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 0d91fe5..f8e37b0 100644
+index 92e6c67..c640ec3 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -272,8 +272,13 @@
@@ -37151,6 +37141,180 @@ index 5bb848c..f1d4fc9 100644
.recalc_rate = socfpga_clk_recalc_rate,
.get_parent = socfpga_clk_get_parent,
.set_parent = socfpga_clk_set_parent,
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 08ae128..c73fc2b 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ /* If cn_netlink_send() failed, the data is not sent */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ ev->what = which_id;
+ ev->event_data.id.process_pid = task->pid;
+ ev->event_data.id.process_tgid = task->tgid;
+@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ msg->seq = rcvd_seq;
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = rcvd_ack + 1;
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 6ecfa75..0daa11e 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb)
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+ struct nlmsghdr *nlh;
+- int err;
+ struct sk_buff *skb;
++ int len, err;
+
+ skb = skb_get(__skb);
+
+ if (skb->len >= NLMSG_HDRLEN) {
+ nlh = nlmsg_hdr(skb);
++ len = nlmsg_len(nlh);
+
+- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
++ if (len < (int)sizeof(struct cn_msg) ||
+ skb->len < nlh->nlmsg_len ||
+- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
++ len > CONNECTOR_MAX_MSG_SIZE) {
+ kfree_skb(skb);
+ return;
+ }
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index 3926402..37b580d 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
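Review bot: The reworked length test in cn_rx_skb (last nested hunk, drivers/connector/connector.c) depends on `len` being signed and on the `(int)` cast, and neither is explained. nlmsg_len() returns the header's nlmsg_len minus the netlink header length, so a header that advertises less than NLMSG_HDRLEN gives a negative `len`; it is rejected only because `len < (int)sizeof(struct cn_msg)` is a signed comparison, and removing the cast would make it unsigned. I would add a comment above the condition, `/* len is signed: an nlmsg_len below NLMSG_HDRLEN goes negative and must fail this test */`. The hunk also validates only the netlink payload size; whether the cn_msg's own len field is checked against that payload before callbacks use it is not visible here and is worth confirming in cn_call_callback. cn_rx_skb's body continues outside the hunk.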
@@ -38534,7 +38698,7 @@ index 46d46ba..6e49848 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index bedf15a..d02d1e6 100644
+index 90a7c17..ecedc6a 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -9424,13 +9424,13 @@ struct intel_quirk {
@@ -38921,7 +39085,7 @@ index af85299..ed9ac8d 100644
if (regcomp
(&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index 63398ae..669e045 100644
+index d15f27e..ef11ffc 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1105,7 +1105,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
@@ -39410,10 +39574,10 @@ index 5360e5a..c2c0d26 100644
err = drm_debugfs_create_files(dc->debugfs_files,
ARRAY_SIZE(debugfs_files),
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index ee75486..65621fd 100644
+index 9f60d63..c89e0b7 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2351,7 +2351,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -2370,7 +2370,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
@@ -39422,7 +39586,7 @@ index ee75486..65621fd 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2385,7 +2385,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2404,7 +2404,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -39445,7 +39609,7 @@ index c13fb5b..55a3802 100644
*off += size;
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
-index fc307e0..2b255e8 100644
+index 145a4cb..2353a3e 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -47,7 +47,7 @@ struct uhid_device {
@@ -39641,10 +39805,10 @@ index 6351aba..dc4aaf4 100644
int res = 0;
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
-index 62c2e32..8f2859a 100644
+index 3288f13..71cfb4e 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
-@@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
+@@ -1106,7 +1106,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
{
struct applesmc_node_group *grp;
struct applesmc_dev_attr *node;
@@ -42096,7 +42260,7 @@ index 60bce43..9b997d0 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 9e39d2b..fb879a7 100644
+index 995e1fc..2468cec 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -178,9 +178,9 @@ struct mapped_device {
@@ -42131,7 +42295,7 @@ index 9e39d2b..fb879a7 100644
wake_up(&md->eventq);
}
-@@ -2716,18 +2716,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2727,18 +2727,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -43686,10 +43850,10 @@ index f9d5615..99dd95f 100644
struct sm_sysfs_attribute *vendor_attribute;
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index e48cb33..72e73fc 100644
+index 5e31046..82f8ddc 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
-@@ -4832,7 +4832,7 @@ static unsigned int bond_get_num_tx_queues(void)
+@@ -4839,7 +4839,7 @@ static unsigned int bond_get_num_tx_queues(void)
return tx_queues;
}
@@ -43698,7 +43862,7 @@ index e48cb33..72e73fc 100644
.kind = "bond",
.priv_size = sizeof(struct bonding),
.setup = bond_setup,
-@@ -4957,8 +4957,8 @@ static void __exit bonding_exit(void)
+@@ -4964,8 +4964,8 @@ static void __exit bonding_exit(void)
bond_destroy_debugfs();
@@ -43961,7 +44125,7 @@ index 599d1fd..59868fe 100644
default:
dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n");
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index 85e5c97..76f97ec 100644
+index 7ba68e0..618c73d 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -759,22 +759,22 @@ struct rtl8169_private {
@@ -44177,38 +44341,10 @@ index bff7e0b..7315137 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 71af122..b3c20f3 100644
+index 68b9aa3..b3c20f3 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
- INIT_LIST_HEAD(&tun->disabled);
- err = tun_attach(tun, file);
- if (err < 0)
-- goto err_free_dev;
-+ goto err_free_flow;
-
- err = register_netdevice(tun->dev);
- if (err < 0)
-- goto err_free_dev;
-+ goto err_detach;
-
- if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
- device_create_file(&tun->dev->dev, &dev_attr_owner) ||
-@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
- strcpy(ifr->ifr_name, tun->dev->name);
- return 0;
-
-- err_free_dev:
-+err_detach:
-+ tun_detach_all(dev);
-+err_free_flow:
-+ tun_flow_uninit(tun);
-+ security_tun_dev_free_security(tun->security);
-+err_free_dev:
- free_netdev(dev);
- return err;
- }
-@@ -1869,7 +1874,7 @@ unlock:
+@@ -1874,7 +1874,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -44217,7 +44353,7 @@ index 71af122..b3c20f3 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1881,6 +1886,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1886,6 +1886,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -44341,10 +44477,10 @@ index a79e9d3..78cd4fa 100644
/* we will have to manufacture ethernet headers, prepare template */
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 767f7af..8162b9d 100644
+index 8a05d77..ba8b9c5 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
-@@ -1868,7 +1868,7 @@ nla_put_failure:
+@@ -1870,7 +1870,7 @@ nla_put_failure:
return -EMSGSIZE;
}
@@ -44353,6 +44489,18 @@ index 767f7af..8162b9d 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
+diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
+index 3f0c4f2..bcfff0d 100644
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port,
+ }
+
+ i = port->index;
++ memset(&sync, 0, sizeof(sync));
+ sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
+ /* Lucky card and linux use same encoding here */
+ sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c
index 0b60295..b8bfa5b 100644
--- a/drivers/net/wimax/i2400m/rx.c
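Review bot: The `memset(&sync, 0, sizeof(sync));` added in fst_get_iface has no comment saying why the whole structure is cleared when the lines after it assign its fields one by one. The likely reason is that `sync` is later copied out to the caller, so padding and any unassigned field would otherwise carry stale stack bytes; that copy is outside the hunk, so confirm it. I would put `/* clear padding and unset fields before the struct is copied out */` above the memset so it is not later removed as redundant. fst_get_iface starts and ends outside the hunk.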
@@ -52050,7 +52198,7 @@ index 89dec7f..361b0d75 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 100edcc..244db37 100644
+index 4c94a79..f428019 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -34,6 +34,7 @@
@@ -52778,7 +52926,7 @@ index 100edcc..244db37 100644
set_fs(old_fs);
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}
-@@ -2017,14 +2474,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2023,14 +2480,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -52795,7 +52943,7 @@ index 100edcc..244db37 100644
return size;
}
-@@ -2117,7 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2123,7 +2580,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -52804,7 +52952,7 @@ index 100edcc..244db37 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2131,10 +2588,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2137,10 +2594,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -52817,7 +52965,7 @@ index 100edcc..244db37 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2148,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2154,7 +2613,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -52826,7 +52974,7 @@ index 100edcc..244db37 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2159,6 +2618,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2165,6 +2624,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -52834,7 +52982,7 @@ index 100edcc..244db37 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2183,7 +2643,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2189,7 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -52843,7 +52991,7 @@ index 100edcc..244db37 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2192,6 +2652,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2198,6 +2658,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -52851,7 +52999,7 @@ index 100edcc..244db37 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2209,6 +2670,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2215,6 +2676,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -52859,7 +53007,7 @@ index 100edcc..244db37 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2229,6 +2691,167 @@ out:
+@@ -2235,6 +2697,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -53064,7 +53212,7 @@ index d50bbe5..af3b649 100644
goto err;
}
diff --git a/fs/bio.c b/fs/bio.c
-index c5eae72..599e3cf 100644
+index 5e7507d..418c639 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
@@ -53222,10 +53370,32 @@ index 8eb6191..eda91e2 100644
wake_up(&root->fs_info->transaction_wait);
wake_up(&root->fs_info->transaction_blocked_wait);
diff --git a/fs/buffer.c b/fs/buffer.c
-index 4d74335..b0df7f9 100644
+index 4d74335..7bd000a 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
-@@ -3416,7 +3416,7 @@ void __init buffer_init(void)
+@@ -1005,9 +1005,19 @@ grow_dev_page(struct block_device *bdev, sector_t block,
+ struct buffer_head *bh;
+ sector_t end_block;
+ int ret = 0; /* Will call free_more_memory() */
++ gfp_t gfp_mask;
+
+- page = find_or_create_page(inode->i_mapping, index,
+- (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE);
++ gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS;
++ gfp_mask |= __GFP_MOVABLE;
++ /*
++ * XXX: __getblk_slow() can not really deal with failure and
++ * will endlessly loop on improvised global reclaim. Prefer
++ * looping in the allocator rather than here, at least that
++ * code knows what it's doing.
++ */
++ gfp_mask |= __GFP_NOFAIL;
++
++ page = find_or_create_page(inode->i_mapping, index, gfp_mask);
+ if (!page)
+ return ret;
+
+@@ -3416,7 +3426,7 @@ void __init buffer_init(void)
bh_cachep = kmem_cache_create("buffer_head",
sizeof(struct buffer_head), 0,
(SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
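Review bot: The `if (!page) return ret;` check kept after `find_or_create_page()` in grow_dev_page, and the `/* Will call free_more_memory() */` remark on `ret`, still describe an allocation-failure path that the new `__GFP_NOFAIL` bit is meant to eliminate. If a NULL return is now impossible, mark the check as defensive, e.g. `/* not expected with __GFP_NOFAIL; kept as a safety net */`; if some failure under find_or_create_page can still ignore the flag, the XXX comment should name it. The guarantee also appears to rely on the memcg charge path honouring the flag, which the mm/memcontrol.c change in this patch touches. grow_dev_page continues outside the hunk.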
@@ -53468,10 +53638,37 @@ index f3ac415..3d2420c 100644
server->ops->print_stats(m, tcon);
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index 85ea98d..b3ed4d6 100644
+index 85ea98d..1eee040 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -1037,7 +1037,7 @@ cifs_init_request_bufs(void)
+@@ -120,14 +120,16 @@ cifs_read_super(struct super_block *sb)
+ {
+ struct inode *inode;
+ struct cifs_sb_info *cifs_sb;
++ struct cifs_tcon *tcon;
+ int rc = 0;
+
+ cifs_sb = CIFS_SB(sb);
++ tcon = cifs_sb_master_tcon(cifs_sb);
+
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIXACL)
+ sb->s_flags |= MS_POSIXACL;
+
+- if (cifs_sb_master_tcon(cifs_sb)->ses->capabilities & CAP_LARGE_FILES)
++ if (tcon->ses->capabilities & tcon->ses->server->vals->cap_large_files)
+ sb->s_maxbytes = MAX_LFS_FILESIZE;
+ else
+ sb->s_maxbytes = MAX_NON_LFS;
+@@ -147,7 +149,7 @@ cifs_read_super(struct super_block *sb)
+ goto out_no_root;
+ }
+
+- if (cifs_sb_master_tcon(cifs_sb)->nocase)
++ if (tcon->nocase)
+ sb->s_d_op = &cifs_ci_dentry_ops;
+ else
+ sb->s_d_op = &cifs_dentry_ops;
+@@ -1037,7 +1039,7 @@ cifs_init_request_bufs(void)
*/
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize + max_hdr_size, 0,
@@ -53480,7 +53677,7 @@ index 85ea98d..b3ed4d6 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1064,7 +1064,7 @@ cifs_init_request_bufs(void)
+@@ -1064,7 +1066,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -53489,7 +53686,7 @@ index 85ea98d..b3ed4d6 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1149,8 +1149,8 @@ init_cifs(void)
+@@ -1149,8 +1151,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -53619,6 +53816,21 @@ index f7d4b22..1254377 100644
#endif /* CONFIG_CIFS_STATS2 */
}
+diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
+index af847e1..651a527 100644
+--- a/fs/cifs/netmisc.c
++++ b/fs/cifs/netmisc.c
+@@ -780,7 +780,9 @@ static const struct {
+ ERRDOS, ERRnoaccess, 0xc0000290}, {
+ ERRDOS, ERRbadfunc, 0xc000029c}, {
+ ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, {
+- ERRDOS, ERRinvlevel, 0x007c0001}, };
++ ERRDOS, ERRinvlevel, 0x007c0001}, {
++ 0, 0, 0 }
++};
+
+ /*****************************************************************************
+ Print an error message from the status code
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
index 6094397..51e576f 100644
--- a/fs/cifs/smb1ops.c
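Review bot: The new `0, 0, 0 }` entry at the end of the table is a sentinel, but nothing in the hunk says so, and the next person to append an error mapping can easily place it after the terminator or drop the terminator. The loop that walks the table is outside the hunk; presumably it stops on a zero status code, which would mean that before this change a lookup for an unknown code could read past the end of the array. After confirming the loop condition I would annotate the entry: `0, 0, 0 } /* sentinel: must stay last, lookup stops at a zero status */`.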
@@ -55079,6 +55291,31 @@ index 22548f5..41521d8 100644
return 0;
}
return 1;
+diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c
+index 1194b1f..f8cde46 100644
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -1783,7 +1783,7 @@ retry:
+ d_tmpfile(dentry, inode);
+ err = ext3_orphan_add(handle, inode);
+ if (err)
+- goto err_drop_inode;
++ goto err_unlock_inode;
+ mark_inode_dirty(inode);
+ unlock_new_inode(inode);
+ }
+@@ -1791,10 +1791,9 @@ retry:
+ if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries))
+ goto retry;
+ return err;
+-err_drop_inode:
++err_unlock_inode:
+ ext3_journal_stop(handle);
+ unlock_new_inode(inode);
+- iput(inode);
+ return err;
+ }
+
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index ddd715e..c772f88 100644
--- a/fs/ext4/balloc.c
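Review bot: The renamed `err_unlock_inode` path in the ext3 tmpfile code no longer calls `iput(inode)`, and nothing at the label explains who releases the inode reference now. The hunk shows `d_tmpfile(dentry, inode)` running before `ext3_orphan_add()`, so presumably the dentry already owns the reference and the old `iput()` was a double put. A one-line comment at the label, such as `/* no iput(): d_tmpfile() handed the inode reference to the dentry */`, would keep the call from being re-added. The identical change to fs/ext4/namei.c in the next hunk needs the same comment; the enclosing function starts outside both hunks.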
@@ -55258,6 +55495,31 @@ index 214461e..3614c89 100644
__ext4_warning(sb, function, line,
"MMP failure info: last update time: %llu, last update "
"node: %s, last update device: %s\n",
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 35f55a0..b53cbc6 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2319,7 +2319,7 @@ retry:
+ d_tmpfile(dentry, inode);
+ err = ext4_orphan_add(handle, inode);
+ if (err)
+- goto err_drop_inode;
++ goto err_unlock_inode;
+ mark_inode_dirty(inode);
+ unlock_new_inode(inode);
+ }
+@@ -2328,10 +2328,9 @@ retry:
+ if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries))
+ goto retry;
+ return err;
+-err_drop_inode:
++err_unlock_inode:
+ ext4_journal_stop(handle);
+ unlock_new_inode(inode);
+- iput(inode);
+ return err;
+ }
+
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index b59373b..f41c2b5 100644
--- a/fs/ext4/super.c
@@ -72080,7 +72342,7 @@ index ec1aee4..1077986 100644
asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t);
/*
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index 842de22..7f3a41f 100644
+index ded4299..da50e3b 100644
--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -39,9 +39,29 @@
@@ -75638,7 +75900,7 @@ index 34a1e10..03a6d03 100644
struct proc_ns {
void *ns;
diff --git a/include/linux/random.h b/include/linux/random.h
-index 3b9377d..e418336 100644
+index 6312dd9..2561947 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -10,9 +10,19 @@
@@ -75663,7 +75925,7 @@ index 3b9377d..e418336 100644
extern void get_random_bytes(void *buf, int nbytes);
extern void get_random_bytes_arch(void *buf, int nbytes);
-@@ -32,6 +42,11 @@ void prandom_seed(u32 seed);
+@@ -33,6 +43,11 @@ void prandom_seed(u32 seed);
u32 prandom_u32_state(struct rnd_state *);
void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
@@ -77143,6 +77405,18 @@ index fdbafc6..49dfe4f 100644
ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
+diff --git a/include/linux/yam.h b/include/linux/yam.h
+index 7fe2822..512cdc2 100644
+--- a/include/linux/yam.h
++++ b/include/linux/yam.h
+@@ -77,6 +77,6 @@ struct yamdrv_ioctl_cfg {
+
+ struct yamdrv_ioctl_mcs {
+ int cmd;
+- int bitrate;
++ unsigned int bitrate;
+ unsigned char bits[YAM_FPGA_SIZE];
+ };
diff --git a/include/linux/zlib.h b/include/linux/zlib.h
index 9c5a6b4..09c9438 100644
--- a/include/linux/zlib.h
@@ -77329,7 +77603,7 @@ index 53f464d..0bd0b49 100644
#endif /* _NET_INETPEER_H */
diff --git a/include/net/ip.h b/include/net/ip.h
-index a68f838..74518ab 100644
+index edfa591..a643b82 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -202,7 +202,7 @@ extern struct local_ports {
@@ -78702,10 +78976,10 @@ index a67ef9d..2d17ed9 100644
#ifdef CONFIG_BLK_DEV_RAM
int fd;
diff --git a/init/main.c b/init/main.c
-index d03d2ec..9fc4737 100644
+index 586cd33..f1af30f 100644
--- a/init/main.c
+++ b/init/main.c
-@@ -101,6 +101,8 @@ static inline void mark_rodata_ro(void) { }
+@@ -102,6 +102,8 @@ static inline void mark_rodata_ro(void) { }
extern void tc_init(void);
#endif
@@ -78714,7 +78988,7 @@ index d03d2ec..9fc4737 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -154,6 +156,74 @@ static int __init set_reset_devices(char *str)
+@@ -155,6 +157,74 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -78789,7 +79063,7 @@ index d03d2ec..9fc4737 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -679,25 +749,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -680,25 +750,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -78820,7 +79094,7 @@ index d03d2ec..9fc4737 100644
return ret;
}
-@@ -803,8 +872,8 @@ static int run_init_process(const char *init_filename)
+@@ -805,8 +874,8 @@ static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(init_filename,
@@ -78831,7 +79105,7 @@ index d03d2ec..9fc4737 100644
}
static noinline void __init kernel_init_freeable(void);
-@@ -881,7 +950,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -883,7 +952,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -78840,7 +79114,7 @@ index d03d2ec..9fc4737 100644
pr_err("Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -894,11 +963,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -896,11 +965,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -78930,10 +79204,10 @@ index ae1996d..a35f2cc 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index b65fdf1..89ec2b1 100644
+index 558aa91..359e718 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
-@@ -291,18 +291,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
+@@ -297,18 +297,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
return security_msg_queue_associate(msq, msgflg);
}
@@ -78959,10 +79233,10 @@ index b65fdf1..89ec2b1 100644
msg_params.flg = msgflg;
diff --git a/ipc/sem.c b/ipc/sem.c
-index 4108889..511ada1 100644
+index 8e2bf30..a711151 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
-@@ -517,10 +517,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
+@@ -562,10 +562,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
return 0;
}
@@ -78979,7 +79253,7 @@ index 4108889..511ada1 100644
struct ipc_params sem_params;
ns = current->nsproxy->ipc_ns;
-@@ -528,10 +533,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
+@@ -573,10 +578,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
if (nsems < 0 || nsems > ns->sc_semmsl)
return -EINVAL;
@@ -78991,10 +79265,10 @@ index 4108889..511ada1 100644
sem_params.flg = semflg;
sem_params.u.nsems = nsems;
diff --git a/ipc/shm.c b/ipc/shm.c
-index c6b4ad5..3ec3254 100644
+index d697396..40e887d 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
-@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
+@@ -72,6 +72,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
#endif
@@ -79009,7 +79283,7 @@ index c6b4ad5..3ec3254 100644
void shm_init_ns(struct ipc_namespace *ns)
{
ns->shm_ctlmax = SHMMAX;
-@@ -531,6 +539,14 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+@@ -551,6 +559,14 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
shp->shm_lprid = 0;
shp->shm_atim = shp->shm_dtim = 0;
shp->shm_ctim = get_seconds();
@@ -79024,7 +79298,7 @@ index c6b4ad5..3ec3254 100644
shp->shm_segsz = size;
shp->shm_nattch = 0;
shp->shm_file = file;
-@@ -585,18 +601,19 @@ static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
+@@ -604,18 +620,19 @@ static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
return 0;
}
@@ -79049,7 +79323,7 @@ index c6b4ad5..3ec3254 100644
shm_params.key = key;
shm_params.flg = shmflg;
shm_params.u.size = size;
-@@ -1028,6 +1045,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+@@ -1076,6 +1093,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
f_mode = FMODE_READ | FMODE_WRITE;
}
if (shmflg & SHM_EXEC) {
@@ -79062,7 +79336,7 @@ index c6b4ad5..3ec3254 100644
prot |= PROT_EXEC;
acc_mode |= S_IXUGO;
}
-@@ -1051,9 +1074,21 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+@@ -1100,10 +1123,22 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
if (err)
goto out_unlock;
@@ -79075,6 +79349,7 @@ index c6b4ad5..3ec3254 100644
+ }
+#endif
+
+ ipc_lock_object(&shp->shm_perm);
path = shp->shm_file->f_path;
path_get(&path);
shp->shm_nattch++;
@@ -79082,8 +79357,8 @@ index c6b4ad5..3ec3254 100644
+ shp->shm_lapid = current->pid;
+#endif
size = i_size_read(path.dentry->d_inode);
- shm_unlock(shp);
-
+ ipc_unlock_object(&shp->shm_perm);
+ rcu_read_unlock();
diff --git a/kernel/acct.c b/kernel/acct.c
index 8d6e145..33e0b1e 100644
--- a/kernel/acct.c
@@ -79098,7 +79373,7 @@ index 8d6e145..33e0b1e 100644
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
diff --git a/kernel/audit.c b/kernel/audit.c
-index 7b0e23a..861041e 100644
+index 7b0e23a..5b27ab9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -118,7 +118,7 @@ u32 audit_sig_sid = 0;
@@ -79128,7 +79403,13 @@ index 7b0e23a..861041e 100644
audit_rate_limit,
audit_backlog_limit);
audit_panic(message);
-@@ -664,7 +664,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -659,18 +659,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+
+ switch (msg_type) {
+ case AUDIT_GET:
++ status_set.mask = 0;
+ status_set.enabled = audit_enabled;
+ status_set.failure = audit_failure;
status_set.pid = audit_pid;
status_set.rate_limit = audit_rate_limit;
status_set.backlog_limit = audit_backlog_limit;
@@ -79137,6 +79418,22 @@ index 7b0e23a..861041e 100644
status_set.backlog = skb_queue_len(&audit_skb_queue);
audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
&status_set, sizeof(status_set));
+ break;
+ case AUDIT_SET:
+- if (nlh->nlmsg_len < sizeof(struct audit_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ return -EINVAL;
+ status_get = (struct audit_status *)data;
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
+@@ -832,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+
+ memset(&s, 0, sizeof(s));
+ /* guard against past and future API changes */
+- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len));
++ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
+ if ((s.enabled != 0 && s.enabled != 1) ||
+ (s.log_passwd != 0 && s.log_passwd != 1))
+ return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..3ec9369 100644
--- a/kernel/auditsc.c
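Review bot: In the AUDIT_SET check, `nlmsg_len(nlh) < sizeof(struct audit_status)` compares a signed payload length with a `size_t`, so a negative length would be converted to a large unsigned value and pass the check. The `min_t(size_t, sizeof(s), nlmsg_len(nlh))` in the following inner hunk has the same conversion and would then copy `sizeof(s)` bytes. Whether the caller has already rejected messages shorter than the netlink header is not visible here. The connector.c change in this patch avoids the question with `len < (int)sizeof(struct cn_msg)`; the same form here, `if (nlmsg_len(nlh) < (int)sizeof(struct audit_status))`, or a comment naming the caller's length check, would make the test hold on its own.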
@@ -80548,7 +80845,7 @@ index 59f7b55..4022f65 100644
/* Don't allow clients that don't understand the native
diff --git a/kernel/kmod.c b/kernel/kmod.c
-index fb32636..2fe8775 100644
+index b086006..a27913b 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -75,7 +75,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
@@ -80685,7 +80982,7 @@ index fb32636..2fe8775 100644
/*
* If ret is 0, either ____call_usermodehelper failed and the
-@@ -646,7 +699,7 @@ EXPORT_SYMBOL(call_usermodehelper);
+@@ -650,7 +703,7 @@ EXPORT_SYMBOL(call_usermodehelper);
static int proc_cap_handler(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -83407,7 +83704,7 @@ index eb89e18..a4e6792 100644
mutex_unlock(&smpboot_threads_lock);
put_online_cpus();
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index be3d351..e57af82 100644
+index adf6c00..5d89b73 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -83433,7 +83730,7 @@ index be3d351..e57af82 100644
trace_softirq_exit(vec_nr);
if (unlikely(prev_count != preempt_count())) {
printk(KERN_ERR "huh, entered softirq %u %s %p"
-@@ -403,7 +403,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+@@ -412,7 +412,7 @@ void __raise_softirq_irqoff(unsigned int nr)
or_softirq_pending(1UL << nr);
}
@@ -83442,7 +83739,7 @@ index be3d351..e57af82 100644
{
softirq_vec[nr].action = action;
}
-@@ -459,7 +459,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
+@@ -468,7 +468,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
EXPORT_SYMBOL(__tasklet_hi_schedule_first);
@@ -83451,7 +83748,7 @@ index be3d351..e57af82 100644
{
struct tasklet_struct *list;
-@@ -494,7 +494,7 @@ static void tasklet_action(struct softirq_action *a)
+@@ -503,7 +503,7 @@ static void tasklet_action(struct softirq_action *a)
}
}
@@ -83460,7 +83757,7 @@ index be3d351..e57af82 100644
{
struct tasklet_struct *list;
-@@ -849,7 +849,7 @@ static struct notifier_block cpu_nfb = {
+@@ -858,7 +858,7 @@ static struct notifier_block cpu_nfb = {
.notifier_call = cpu_callback
};
@@ -85421,7 +85718,7 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index 8028dcc..9a2dbe7 100644
+index 6509d27..dbec5b8 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -317,10 +317,10 @@ config KSM
@@ -85850,6 +86147,19 @@ index 7055883..aafb1ed 100644
error = 0;
if (end == start)
return error;
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index aa44621..99011b3 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2772,6 +2772,8 @@ done:
+ return 0;
+ nomem:
+ *ptr = NULL;
++ if (gfp_mask & __GFP_NOFAIL)
++ return 0;
+ return -ENOMEM;
+ bypass:
+ *ptr = root_mem_cgroup;
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 2c13aa7..64cbc3f 100644
--- a/mm/memory-failure.c
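Review bot: On the `nomem:` path the added `__GFP_NOFAIL` branch returns 0 after `*ptr = NULL`, while the `bypass:` label directly below reports a bypassed charge by setting `*ptr = root_mem_cgroup`. If callers treat a 0 return as "charged, `*ptr` is valid" (they are outside the hunk), a NOFAIL allocation that hits the limit hands them a NULL memcg pointer. Consider letting NOFAIL fall through to `bypass:` instead, with `if (!(gfp_mask & __GFP_NOFAIL)) { *ptr = NULL; return -ENOMEM; }` in place of the current three lines. The function starts outside the hunk and the value returned after `bypass:` is not shown, so check how callers handle it first.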
@@ -86743,7 +87053,7 @@ index 4baf12e..5497066 100644
capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
diff --git a/mm/migrate.c b/mm/migrate.c
-index 6f0c244..6d1ae32 100644
+index 25ca7ca..abe1836 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1399,8 +1399,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
@@ -90254,6 +90564,19 @@ index 2fb2d88..8c06e40 100644
struct vlan_net *vn;
vn = net_generic(net, vlan_net_id);
+diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
+index 3091297..c7e634a 100644
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -171,7 +171,7 @@ static size_t vlan_get_size(const struct net_device *dev)
+
+ return nla_total_size(2) + /* IFLA_VLAN_PROTOCOL */
+ nla_total_size(2) + /* IFLA_VLAN_ID */
+- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */
++ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */
+ vlan_qos_map_size(vlan->nr_ingress_mappings) +
+ vlan_qos_map_size(vlan->nr_egress_mappings);
+ }
diff --git a/net/9p/mod.c b/net/9p/mod.c
index 6ab36ae..6f1841b 100644
--- a/net/9p/mod.c
@@ -90442,10 +90765,10 @@ index c478e6b..469fd2f 100644
hard_iface->net_dev->name);
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
-index 0f04e1c..9c0ac11 100644
+index 33b6144..3212ac5 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
-@@ -260,7 +260,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
+@@ -261,7 +261,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
primary_if->net_dev->dev_addr, ETH_ALEN);
/* set broadcast sequence number */
@@ -90454,7 +90777,7 @@ index 0f04e1c..9c0ac11 100644
bcast_packet->seqno = htonl(seqno);
batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
-@@ -479,7 +479,7 @@ static int batadv_softif_init_late(struct net_device *dev)
+@@ -481,7 +481,7 @@ static int batadv_softif_init_late(struct net_device *dev)
atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
@@ -90649,6 +90972,46 @@ index b6e44ad..5b0d514 100644
spin_unlock_irqrestore(&dev->port.lock, flags);
if (dev->tty_dev->parent)
device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
+diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
+index 5180938..7c470c3 100644
+--- a/net/bridge/netfilter/ebt_ulog.c
++++ b/net/bridge/netfilter/ebt_ulog.c
+@@ -181,6 +181,7 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
+ ub->qlen++;
+
+ pm = nlmsg_data(nlh);
++ memset(pm, 0, sizeof(*pm));
+
+ /* Fill in the ulog data */
+ pm->version = EBT_ULOG_VERSION;
+@@ -193,8 +194,6 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
+ pm->hook = hooknr;
+ if (uloginfo->prefix != NULL)
+ strcpy(pm->prefix, uloginfo->prefix);
+- else
+- *(pm->prefix) = '\0';
+
+ if (in) {
+ strcpy(pm->physindev, in->name);
+@@ -204,16 +203,14 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
+ strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name);
+ else
+ strcpy(pm->indev, in->name);
+- } else
+- pm->indev[0] = pm->physindev[0] = '\0';
++ }
+
+ if (out) {
+ /* If out exists, then out is a bridge port */
+ strcpy(pm->physoutdev, out->name);
+ /* rcu_read_lock()ed by nf_hook_slow */
+ strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name);
+- } else
+- pm->outdev[0] = pm->physoutdev[0] = '\0';
++ }
+
+ if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)
+ BUG();
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index ac78024..161a80c 100644
--- a/net/bridge/netfilter/ebtables.c
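Review bot: After this change the `memset(pm, 0, sizeof(*pm));` in ebt_ulog_packet is what leaves `prefix`, `indev`, `physindev`, `outdev` and `physoutdev` empty and terminated when they are not filled in, because the `else` branches that wrote `'\0'` are removed. That dependency is not stated anywhere, so moving or dropping the memset would pass stale buffer contents to the log reader. I would add `/* zero the header: unset name fields and padding rely on this */` above the memset. The remaining `strcpy()` calls depend on the source names fitting the destination fields, which cannot be checked from the hunk. ebt_ulog_packet starts and ends outside the hunk.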
@@ -90681,7 +91044,7 @@ index ac78024..161a80c 100644
break;
}
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
-index 2bd4b58..0dc30a1 100644
+index 0f45522..dab651f 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -10,6 +10,7 @@
@@ -91182,7 +91545,7 @@ index f9765203..9feaef8 100644
return error;
}
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
-index 2c637e9..68c9087 100644
+index fc75c9e..8c8e9be 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -428,7 +428,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
@@ -91571,10 +91934,10 @@ index 3b9d5f2..d7015c6 100644
*hc06_ptr = tmp;
hc06_ptr += 4;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index b4d0be2..443d0f0 100644
+index dd6b523..dfe558f 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
-@@ -1689,13 +1689,9 @@ static int __init inet_init(void)
+@@ -1687,13 +1687,9 @@ static int __init inet_init(void)
BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb));
@@ -91589,7 +91952,7 @@ index b4d0be2..443d0f0 100644
rc = proto_register(&udp_prot, 1);
if (rc)
-@@ -1804,8 +1800,6 @@ out_unregister_udp_proto:
+@@ -1802,8 +1798,6 @@ out_unregister_udp_proto:
proto_unregister(&udp_prot);
out_unregister_tcp_proto:
proto_unregister(&tcp_prot);
@@ -91753,7 +92116,7 @@ index 7bd8983..3abdcf6 100644
inet_twsk_deschedule(tw, death_row);
while (twrefcnt) {
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
-index 000e3d2..5472da3 100644
+index 33d5537..da337a4 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -503,8 +503,8 @@ relookup:
@@ -92045,6 +92408,41 @@ index d23118d..6ad7277 100644
break;
case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
+index cbc2215..9cb993c 100644
+--- a/net/ipv4/netfilter/ipt_ULOG.c
++++ b/net/ipv4/netfilter/ipt_ULOG.c
+@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
+ ub->qlen++;
+
+ pm = nlmsg_data(nlh);
++ memset(pm, 0, sizeof(*pm));
+
+ /* We might not have a timestamp, get one */
+ if (skb->tstamp.tv64 == 0)
+@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
+ }
+ else if (loginfo->prefix[0] != '\0')
+ strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
+- else
+- *(pm->prefix) = '\0';
+
+ if (in && in->hard_header_len > 0 &&
+ skb->mac_header != skb->network_header &&
+@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
+
+ if (in)
+ strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
+- else
+- pm->indev_name[0] = '\0';
+
+ if (out)
+ strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
+- else
+- pm->outdev_name[0] = '\0';
+
+ /* copy_len <= skb->len, so can't fail. */
+ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 746427c..80eab72 100644
--- a/net/ipv4/ping.c
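Review bot: `strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix))` leaves `pm->prefix` without a terminating NUL when the source fills the whole field, and the same applies to the `indev_name` and `outdev_name` copies. Since the added `memset(pm, 0, sizeof(*pm))` already zeroes the destination, copying one byte less keeps the terminator: `strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix) - 1);`. Whether the rule-check code already rejects an unterminated prefix is not visible here; if it does, a comment should say so. ipt_ulog_packet continues outside the hunk.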
@@ -92113,7 +92511,7 @@ index 746427c..80eab72 100644
static int ping_v4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 61e60d6..d6996cd 100644
+index 6fb2337..9cd6b20 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -309,7 +309,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -92489,6 +92887,40 @@ index ab1c086..2a8d76b 100644
} else if (fastopen) { /* received a valid RST pkt */
reqsk_fastopen_remove(sk, req, true);
tcp_reset(sk);
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 170737a..75cbd26 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -982,6 +982,9 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
+ static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb,
+ unsigned int mss_now)
+ {
++ /* Make sure we own this skb before messing gso_size/gso_segs */
++ WARN_ON_ONCE(skb_cloned(skb));
++
+ if (skb->len <= mss_now || !sk_can_gso(sk) ||
+ skb->ip_summed == CHECKSUM_NONE) {
+ /* Avoid the costly divide in the normal
+@@ -1063,9 +1066,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+ if (nsize < 0)
+ nsize = 0;
+
+- if (skb_cloned(skb) &&
+- skb_is_nonlinear(skb) &&
+- pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
++ if (skb_unclone(skb, GFP_ATOMIC))
+ return -ENOMEM;
+
+ /* Get a new skb... force flag on. */
+@@ -2334,6 +2335,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
+ int oldpcount = tcp_skb_pcount(skb);
+
+ if (unlikely(oldpcount > 1)) {
++ if (skb_unclone(skb, GFP_ATOMIC))
++ return -ENOMEM;
+ tcp_init_tso_segs(sk, skb, cur_mss);
+ tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb));
+ }
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index d4943f6..e7a74a5 100644
--- a/net/ipv4/tcp_probe.c
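Review bot: `WARN_ON_ONCE(skb_cloned(skb))` in tcp_set_skb_tso_segs only reports a cloned skb and then carries on into the code that, per its comment, modifies gso_size/gso_segs, so the real protection is the `skb_unclone()` each caller must perform first, as tcp_fragment and __tcp_retransmit_skb now do. The comment should state that contract rather than only the check, e.g. `/* Callers must skb_unclone() first: gso_size/gso_segs are in the shared info, which clones share. */`. Any other path that reaches this function is outside the hunk and should be checked against the same rule.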
@@ -92703,7 +93135,7 @@ index 9a459be..c7bc04c 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 498ea99..42501bc 100644
+index 0f99f7b..9375cf5 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -618,7 +618,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
@@ -92715,7 +93147,7 @@ index 498ea99..42501bc 100644
net->dev_base_seq;
hlist_for_each_entry_rcu(dev, head, index_hlist) {
if (idx < s_idx)
-@@ -2381,7 +2381,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
+@@ -2408,7 +2408,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
p.iph.ihl = 5;
p.iph.protocol = IPPROTO_IPV6;
p.iph.ttl = 64;
@@ -92724,7 +93156,7 @@ index 498ea99..42501bc 100644
if (ops->ndo_do_ioctl) {
mm_segment_t oldfs = get_fs();
-@@ -4030,7 +4030,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
+@@ -4057,7 +4057,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
s_ip_idx = ip_idx = cb->args[2];
rcu_read_lock();
@@ -92733,7 +93165,7 @@ index 498ea99..42501bc 100644
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0;
head = &net->dev_index_head[h];
-@@ -4651,7 +4651,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4678,7 +4678,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
dst_free(&ifp->rt->dst);
break;
}
@@ -92742,7 +93174,7 @@ index 498ea99..42501bc 100644
}
static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
-@@ -4671,7 +4671,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+@@ -4698,7 +4698,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -92751,7 +93183,7 @@ index 498ea99..42501bc 100644
int ret;
/*
-@@ -4756,7 +4756,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
+@@ -4783,7 +4783,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -92785,7 +93217,7 @@ index 7cfc8d2..c5394b6 100644
table = kmemdup(ipv6_icmp_table_template,
sizeof(ipv6_icmp_table_template),
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 90747f1..76fbb5d 100644
+index 8bc717b..76fbb5d 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -74,7 +74,7 @@ struct ip6gre_net {
@@ -92797,24 +93229,6 @@ index 90747f1..76fbb5d 100644
static int ip6gre_tunnel_init(struct net_device *dev);
static void ip6gre_tunnel_setup(struct net_device *dev);
static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
-@@ -620,7 +620,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
- struct ip6_tnl *tunnel = netdev_priv(dev);
- struct net_device *tdev; /* Device to other host */
- struct ipv6hdr *ipv6h; /* Our new IP header */
-- unsigned int max_headroom; /* The extra header space needed */
-+ unsigned int max_headroom = 0; /* The extra header space needed */
- int gre_hlen;
- struct ipv6_tel_txoption opt;
- int mtu;
-@@ -693,7 +693,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
- tunnel->err_count = 0;
- }
-
-- max_headroom = LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len;
-+ max_headroom += LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len;
-
- if (skb_headroom(skb) < max_headroom || skb_shared(skb) ||
- (skb_cloned(skb) && !skb_clone_writable(skb, 0))) {
@@ -1288,7 +1288,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
}
@@ -92842,98 +93256,8 @@ index 90747f1..76fbb5d 100644
.kind = "ip6gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index e7ceb6c..44df1c9 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1040,6 +1040,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
- * udp datagram
- */
- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
-+ struct frag_hdr fhdr;
-+
- skb = sock_alloc_send_skb(sk,
- hh_len + fragheaderlen + transhdrlen + 20,
- (flags & MSG_DONTWAIT), &err);
-@@ -1061,12 +1063,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
- skb->protocol = htons(ETH_P_IPV6);
- skb->ip_summed = CHECKSUM_PARTIAL;
- skb->csum = 0;
-- }
--
-- err = skb_append_datato_frags(sk,skb, getfrag, from,
-- (length - transhdrlen));
-- if (!err) {
-- struct frag_hdr fhdr;
-
- /* Specify the length of each IPv6 datagram fragment.
- * It has to be a multiple of 8.
-@@ -1077,15 +1073,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
- ipv6_select_ident(&fhdr, rt);
- skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
- __skb_queue_tail(&sk->sk_write_queue, skb);
--
-- return 0;
- }
-- /* There is not enough support do UPD LSO,
-- * so follow normal path
-- */
-- kfree_skb(skb);
-
-- return err;
-+ return skb_append_datato_frags(sk, skb, getfrag, from,
-+ (length - transhdrlen));
- }
-
- static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
-@@ -1252,27 +1243,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
- * --yoshfuji
- */
-
-+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
-+ sk->sk_protocol == IPPROTO_RAW)) {
-+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
-+ return -EMSGSIZE;
-+ }
-+
-+ skb = skb_peek_tail(&sk->sk_write_queue);
- cork->length += length;
-- if (length > mtu) {
-- int proto = sk->sk_protocol;
-- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
-- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
-- return -EMSGSIZE;
-- }
--
-- if (proto == IPPROTO_UDP &&
-- (rt->dst.dev->features & NETIF_F_UFO)) {
--
-- err = ip6_ufo_append_data(sk, getfrag, from, length,
-- hh_len, fragheaderlen,
-- transhdrlen, mtu, flags, rt);
-- if (err)
-- goto error;
-- return 0;
-- }
-+ if (((length > mtu) ||
-+ (skb && skb_is_gso(skb))) &&
-+ (sk->sk_protocol == IPPROTO_UDP) &&
-+ (rt->dst.dev->features & NETIF_F_UFO)) {
-+ err = ip6_ufo_append_data(sk, getfrag, from, length,
-+ hh_len, fragheaderlen,
-+ transhdrlen, mtu, flags, rt);
-+ if (err)
-+ goto error;
-+ return 0;
- }
-
-- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
-+ if (!skb)
- goto alloc_new_skb;
-
- while (length > 0) {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
-index 46ba243..576f50e 100644
+index cf5d490..30946f0 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -88,7 +88,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
@@ -93284,7 +93608,7 @@ index 8d9a93ed..cd89616 100644
table = kmemdup(ipv6_route_table_template,
sizeof(ipv6_route_table_template),
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
-index 21b25dd..9a43e37 100644
+index 86f639b..71e355e 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
@@ -93296,7 +93620,7 @@ index 21b25dd..9a43e37 100644
static int sit_net_id __read_mostly;
struct sit_net {
-@@ -1547,7 +1547,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = {
+@@ -1601,7 +1601,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = {
#endif
};
@@ -93597,10 +93921,20 @@ index cd5b8ec..f205e6b 100644
};
diff --git a/net/key/af_key.c b/net/key/af_key.c
-index ab8bd2c..cd2d641 100644
+index ab8bd2c..3a3eb81 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
-@@ -3048,10 +3048,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
+@@ -1098,7 +1098,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
+
+ x->id.proto = proto;
+ x->id.spi = sa->sadb_sa_spi;
+- x->props.replay_window = sa->sadb_sa_replay;
++ x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
++ (sizeof(x->replay.bitmap) * 8));
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
+ x->props.flags |= XFRM_STATE_NOECN;
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)
+@@ -3048,10 +3049,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
static u32 get_acqseq(void)
{
u32 res;
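Review bot: The clamp of `x->props.replay_window` to the bitmap width now exists only where the state is created, while the `min_t()` in xfrm_replay_check is removed further down in this patch (`if (diff >= x->props.replay_window)`), so the bitmap bound depends on every path that sets `props.replay_window` applying the same limit. Only the PF_KEY path in pfkey_msg2xfrm_state is visible here; the netlink configuration path should be confirmed to clamp as well. A comment at the assignment would record the invariant, e.g. `/* xfrm_replay_check trusts this to be <= bits in replay.bitmap */`, and `BITS_PER_BYTE` reads better than the literal `8`.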
@@ -93613,6 +93947,93 @@ index ab8bd2c..cd2d641 100644
} while (!res);
return res;
}
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index feae495..aedaa2c 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -496,6 +496,7 @@ out:
+ static inline int l2tp_verify_udp_checksum(struct sock *sk,
+ struct sk_buff *skb)
+ {
++ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
+ struct udphdr *uh = udp_hdr(skb);
+ u16 ulen = ntohs(uh->len);
+ __wsum psum;
+@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk,
+ return 0;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6) {
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
+ if (!uh->check) {
+ LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
+ return 1;
+@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
+ /* Queue the packet to IP for output */
+ skb->local_df = 1;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (skb->sk->sk_family == PF_INET6)
++ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ error = inet6_csk_xmit(skb, NULL);
+ else
+ #endif
+@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
+
+ /* Calculate UDP checksum if configured to do so */
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ l2tp_xmit_ipv6_csum(sk, skb, udp_len);
+ else
+ #endif
+@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
+ if (cfg != NULL)
+ tunnel->debug = cfg->debug;
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (sk->sk_family == PF_INET6) {
++ struct ipv6_pinfo *np = inet6_sk(sk);
++
++ if (ipv6_addr_v4mapped(&np->saddr) &&
++ ipv6_addr_v4mapped(&np->daddr)) {
++ struct inet_sock *inet = inet_sk(sk);
++
++ tunnel->v4mapped = true;
++ inet->inet_saddr = np->saddr.s6_addr32[3];
++ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
++ inet->inet_daddr = np->daddr.s6_addr32[3];
++ } else {
++ tunnel->v4mapped = false;
++ }
++ }
++#endif
++
+ /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+ tunnel->encap = encap;
+ if (encap == L2TP_ENCAPTYPE_UDP) {
+@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
+ udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+ udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ udpv6_encap_enable();
+ else
+ #endif
+diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
+index 66a559b..6f251cb 100644
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -194,6 +194,9 @@ struct l2tp_tunnel {
+ struct sock *sock; /* Parent socket */
+ int fd; /* Parent fd, if tunnel socket
+ * was created by userspace */
++#if IS_ENABLED(CONFIG_IPV6)
++ bool v4mapped;
++#endif
+
+ struct work_struct del_work;
+
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 43dd752..63a23bc 100644
--- a/net/mac80211/cfg.c
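Review bot: l2tp_verify_udp_checksum now dereferences `tunnel->v4mapped` through a pointer read from `sk->sk_user_data` with no NULL check, and the hunk does not show what keeps that pointer set while packets are still being received. Passing in the tunnel the caller already holds (the call site is outside the hunk) or testing `tunnel` before the dereference would remove that dependency. The `tunnel` local is also declared outside the `#if IS_ENABLED(CONFIG_IPV6)` block that contains its only use, so a build without IPv6 gets an unused variable; declaring it inside the block or marking it `__maybe_unused` avoids that.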
@@ -94059,7 +94480,7 @@ index f448471..995f131 100644
cp->old_state = cp->state;
/*
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
-index b75ff64..0c51bbe 100644
+index c47444e..b0961c6 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
@@ -95021,98 +95442,10 @@ index f226709..0e735a8 100644
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index 09ffcc9..3eff2c2 100644
+index 547a461e..ea606e3 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
-@@ -210,44 +210,23 @@ out:
- in6_dev_put(idev);
- }
-
--/* Based on tcp_v6_xmit() in tcp_ipv6.c. */
- static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
- {
- struct sock *sk = skb->sk;
- struct ipv6_pinfo *np = inet6_sk(sk);
-- struct flowi6 fl6;
--
-- memset(&fl6, 0, sizeof(fl6));
--
-- fl6.flowi6_proto = sk->sk_protocol;
--
-- /* Fill in the dest address from the route entry passed with the skb
-- * and the source address from the transport.
-- */
-- fl6.daddr = transport->ipaddr.v6.sin6_addr;
-- fl6.saddr = transport->saddr.v6.sin6_addr;
--
-- fl6.flowlabel = np->flow_label;
-- IP6_ECN_flow_xmit(sk, fl6.flowlabel);
-- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
-- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
-- else
-- fl6.flowi6_oif = sk->sk_bound_dev_if;
--
-- if (np->opt && np->opt->srcrt) {
-- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
-- fl6.daddr = *rt0->addr;
-- }
-+ struct flowi6 *fl6 = &transport->fl.u.ip6;
-
- pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb,
-- skb->len, &fl6.saddr, &fl6.daddr);
-+ skb->len, &fl6->saddr, &fl6->daddr);
-
-- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
-+ IP6_ECN_flow_xmit(sk, fl6->flowlabel);
-
- if (!(transport->param_flags & SPP_PMTUD_ENABLE))
- skb->local_df = 1;
-
-- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
-+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
-+
-+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
- }
-
- /* Returns the dst cache entry for the given source and destination ip
-@@ -260,10 +239,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- struct dst_entry *dst = NULL;
- struct flowi6 *fl6 = &fl->u.ip6;
- struct sctp_bind_addr *bp;
-+ struct ipv6_pinfo *np = inet6_sk(sk);
- struct sctp_sockaddr_entry *laddr;
- union sctp_addr *baddr = NULL;
- union sctp_addr *daddr = &t->ipaddr;
- union sctp_addr dst_saddr;
-+ struct in6_addr *final_p, final;
- __u8 matchlen = 0;
- __u8 bmatchlen;
- sctp_scope_t scope;
-@@ -287,7 +268,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- pr_debug("src=%pI6 - ", &fl6->saddr);
- }
-
-- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
-+ final_p = fl6_update_dst(fl6, np->opt, &final);
-+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
- if (!asoc || saddr)
- goto out;
-
-@@ -339,10 +321,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- }
- }
- rcu_read_unlock();
-+
- if (baddr) {
- fl6->saddr = baddr->v6.sin6_addr;
- fl6->fl6_sport = baddr->v6.sin6_port;
-- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
-+ final_p = fl6_update_dst(fl6, np->opt, &final);
-+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
- }
-
- out:
-@@ -984,7 +968,7 @@ static const struct inet6_protocol sctpv6_protocol = {
+@@ -968,7 +968,7 @@ static const struct inet6_protocol sctpv6_protocol = {
.flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL,
};
@@ -95121,7 +95454,7 @@ index 09ffcc9..3eff2c2 100644
.sa_family = AF_INET6,
.sctp_xmit = sctp_v6_xmit,
.setsockopt = ipv6_setsockopt,
-@@ -1016,7 +1000,7 @@ static struct sctp_af sctp_af_inet6 = {
+@@ -1000,7 +1000,7 @@ static struct sctp_af sctp_af_inet6 = {
#endif
};
@@ -95130,7 +95463,7 @@ index 09ffcc9..3eff2c2 100644
.event_msgname = sctp_inet6_event_msgname,
.skb_msgname = sctp_inet6_skb_msgname,
.af_supported = sctp_inet6_af_supported,
-@@ -1041,7 +1025,7 @@ void sctp_v6_pf_init(void)
+@@ -1025,7 +1025,7 @@ void sctp_v6_pf_init(void)
void sctp_v6_pf_exit(void)
{
@@ -95210,10 +95543,10 @@ index 9da6885..7571898 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index c6670d2..6313e65 100644
+index cf6c6b0..b978b65 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -2156,11 +2156,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
+@@ -2159,11 +2159,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
{
struct sctp_association *asoc;
struct sctp_ulpevent *event;
@@ -95228,7 +95561,7 @@ index c6670d2..6313e65 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4216,13 +4218,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4219,13 +4221,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -95246,7 +95579,7 @@ index c6670d2..6313e65 100644
return -EFAULT;
return 0;
}
-@@ -4240,6 +4245,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4243,6 +4248,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -95255,7 +95588,7 @@ index c6670d2..6313e65 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4248,7 +4255,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4251,7 +4258,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -95265,7 +95598,7 @@ index c6670d2..6313e65 100644
return -EFAULT;
return 0;
}
-@@ -4620,12 +4628,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4623,12 +4631,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -95282,7 +95615,7 @@ index c6670d2..6313e65 100644
return -EFAULT;
return 0;
}
-@@ -4666,6 +4677,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4669,6 +4680,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -95291,15 +95624,6 @@ index c6670d2..6313e65 100644
if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
-@@ -6182,7 +6195,7 @@ unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait)
- /* Is there any exceptional events? */
- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue))
- mask |= POLLERR |
-- sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
-+ (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0);
- if (sk->sk_shutdown & RCV_SHUTDOWN)
- mask |= POLLRDHUP | POLLIN | POLLRDNORM;
- if (sk->sk_shutdown == SHUTDOWN_MASK)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 9a5c4c9..46e4b29 100644
--- a/net/sctp/sysctl.c
@@ -95854,7 +96178,7 @@ index 62e4f9b..dd3f2d7 100644
/* See if we can opportunistically reap SQ WR to make room */
sq_cq_reap(xprt);
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
-index 9bc6db0..47ac8c0 100644
+index e7000be..e3b0ba7 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ctl_table_header *head,
@@ -95863,7 +96187,7 @@ index 9bc6db0..47ac8c0 100644
/* Allow network administrator to have same access as root. */
- if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
+ if (ns_capable_nolog(net->user_ns, CAP_NET_ADMIN) ||
- uid_eq(root_uid, current_uid())) {
+ uid_eq(root_uid, current_euid())) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
diff --git a/net/tipc/link.c b/net/tipc/link.c
@@ -95992,6 +96316,18 @@ index c4ce243..2be7c59 100644
seq_putc(seq, '\n');
}
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index d591091..86fa0f3 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ rep->udiag_family = AF_UNIX;
+ rep->udiag_type = sk->sk_type;
+ rep->udiag_state = sk->sk_state;
++ rep->pad = 0;
+ rep->udiag_ino = sk_ino;
+ sock_diag_save_cookie(sk, rep->udiag_cookie);
+
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index b3d5150..ff3a837 100644
--- a/net/unix/sysctl_net_unix.c
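Review bot: `rep->pad = 0` clears only the one named padding member, so any other hole in the reply structure, or a member added later, could still go out uninitialised. The ULOG hunks in this same patch zero the whole header with `memset(pm, 0, sizeof(*pm))`; doing the same for `*rep` before the field assignments would be consistent and would not depend on the structure layout, which is not visible here. sk_diag_fill continues outside the hunk.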
@@ -96043,19 +96379,43 @@ index c8717c1..08539f5 100644
iwp->length += essid_compat;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index f77c371..e412fa6 100644
+index f77c371..b0cb010 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
-@@ -332,7 +332,7 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
+@@ -332,9 +332,10 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
{
policy->walk.dead = 1;
- atomic_inc(&policy->genid);
+ atomic_inc_unchecked(&policy->genid);
- del_timer(&policy->polq.hold_timer);
+- del_timer(&policy->polq.hold_timer);
++ if (del_timer(&policy->polq.hold_timer))
++ xfrm_pol_put(policy);
xfrm_queue_purge(&policy->polq.hold_queue);
-@@ -657,7 +657,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
+
+ if (del_timer(&policy->timer))
+@@ -589,7 +590,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
+
+ spin_lock_bh(&pq->hold_queue.lock);
+ skb_queue_splice_init(&pq->hold_queue, &list);
+- del_timer(&pq->hold_timer);
++ if (del_timer(&pq->hold_timer))
++ xfrm_pol_put(old);
+ spin_unlock_bh(&pq->hold_queue.lock);
+
+ if (skb_queue_empty(&list))
+@@ -600,7 +602,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
+ spin_lock_bh(&pq->hold_queue.lock);
+ skb_queue_splice(&list, &pq->hold_queue);
+ pq->timeout = XFRM_QUEUE_TMO_MIN;
+- mod_timer(&pq->hold_timer, jiffies);
++ if (!mod_timer(&pq->hold_timer, jiffies))
++ xfrm_pol_hold(new);
+ spin_unlock_bh(&pq->hold_queue.lock);
+ }
+
+@@ -657,7 +660,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
hlist_add_head(&policy->bydst, chain);
xfrm_pol_hold(policy);
net->xfrm.policy_count[dir]++;
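Review bot: The rule these changes rely on, that a pending `hold_timer` owns one reference on its policy, is never written down, and it is enforced by hand at each `del_timer()`/`mod_timer()` call in xfrm_policy_kill and xfrm_policy_requeue here and in xfrm_policy_queue_process and xdst_queue_output further down. A missed pairing ends in a leaked policy or a use after free in the timer callback, so a comment at the timer setup or on `struct xfrm_policy_queue` should state it, e.g. `/* a pending hold_timer holds a policy reference: put when del_timer() != 0, hold when mod_timer() == 0 */`. In xfrm_policy_requeue the put acts on `old` and the hold on `new` while both timers are reached through `pq`; the reassignment of `pq` between them lies outside the hunk and should be confirmed.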
@@ -96064,7 +96424,7 @@ index f77c371..e412fa6 100644
rt_genid_bump(net);
if (delpol) {
xfrm_policy_requeue(delpol, policy);
-@@ -1627,7 +1627,7 @@ free_dst:
+@@ -1627,7 +1630,7 @@ free_dst:
goto out;
}
@@ -96073,7 +96433,7 @@ index f77c371..e412fa6 100644
xfrm_dst_alloc_copy(void **target, const void *src, int size)
{
if (!*target) {
-@@ -1639,7 +1639,7 @@ xfrm_dst_alloc_copy(void **target, const void *src, int size)
+@@ -1639,7 +1642,7 @@ xfrm_dst_alloc_copy(void **target, const void *src, int size)
return 0;
}
@@ -96082,7 +96442,7 @@ index f77c371..e412fa6 100644
xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
{
#ifdef CONFIG_XFRM_SUB_POLICY
-@@ -1651,7 +1651,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
+@@ -1651,7 +1654,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
#endif
}
@@ -96091,7 +96451,7 @@ index f77c371..e412fa6 100644
xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
{
#ifdef CONFIG_XFRM_SUB_POLICY
-@@ -1745,7 +1745,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
+@@ -1745,7 +1748,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
xdst->num_pols = num_pols;
memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
@@ -96100,7 +96460,69 @@ index f77c371..e412fa6 100644
return xdst;
}
-@@ -2557,11 +2557,12 @@ void xfrm_garbage_collect(struct net *net)
+@@ -1763,6 +1766,10 @@ static void xfrm_policy_queue_process(unsigned long arg)
+
+ spin_lock(&pq->hold_queue.lock);
+ skb = skb_peek(&pq->hold_queue);
++ if (!skb) {
++ spin_unlock(&pq->hold_queue.lock);
++ goto out;
++ }
+ dst = skb_dst(skb);
+ sk = skb->sk;
+ xfrm_decode_session(skb, &fl, dst->ops->family);
+@@ -1781,8 +1788,9 @@ static void xfrm_policy_queue_process(unsigned long arg)
+ goto purge_queue;
+
+ pq->timeout = pq->timeout << 1;
+- mod_timer(&pq->hold_timer, jiffies + pq->timeout);
+- return;
++ if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
++ xfrm_pol_hold(pol);
++ goto out;
+ }
+
+ dst_release(dst);
+@@ -1813,11 +1821,14 @@ static void xfrm_policy_queue_process(unsigned long arg)
+ err = dst_output(skb);
+ }
+
++out:
++ xfrm_pol_put(pol);
+ return;
+
+ purge_queue:
+ pq->timeout = 0;
+ xfrm_queue_purge(&pq->hold_queue);
++ xfrm_pol_put(pol);
+ }
+
+ static int xdst_queue_output(struct sk_buff *skb)
+@@ -1825,7 +1836,8 @@ static int xdst_queue_output(struct sk_buff *skb)
+ unsigned long sched_next;
+ struct dst_entry *dst = skb_dst(skb);
+ struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
+- struct xfrm_policy_queue *pq = &xdst->pols[0]->polq;
++ struct xfrm_policy *pol = xdst->pols[0];
++ struct xfrm_policy_queue *pq = &pol->polq;
+
+ if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
+ kfree_skb(skb);
+@@ -1844,10 +1856,12 @@ static int xdst_queue_output(struct sk_buff *skb)
+ if (del_timer(&pq->hold_timer)) {
+ if (time_before(pq->hold_timer.expires, sched_next))
+ sched_next = pq->hold_timer.expires;
++ xfrm_pol_put(pol);
+ }
+
+ __skb_queue_tail(&pq->hold_queue, skb);
+- mod_timer(&pq->hold_timer, sched_next);
++ if (!mod_timer(&pq->hold_timer, sched_next))
++ xfrm_pol_hold(pol);
+
+ spin_unlock_bh(&pq->hold_queue.lock);
+
+@@ -2557,11 +2571,12 @@ void xfrm_garbage_collect(struct net *net)
}
EXPORT_SYMBOL(xfrm_garbage_collect);
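Review bot: In xdst_queue_output the timer's reference is dropped with `xfrm_pol_put(pol)` right after `del_timer()` and taken again only after `mod_timer()`, so in between the policy is kept alive by whatever other reference exists, presumably the one behind `xdst->pols[0]`. Keeping the reference across the re-arm avoids that dependency: remember the `del_timer()` result, drop the put, and after `mod_timer()` call `if (!had_timer) xfrm_pol_hold(pol);`. In xfrm_policy_queue_process every exit now has to pass through `xfrm_pol_put(pol)`; the code between the inner hunks is not shown, so any other `return` there needs the same treatment.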
@@ -96114,7 +96536,7 @@ index f77c371..e412fa6 100644
static void xfrm_init_pmtu(struct dst_entry *dst)
{
-@@ -2611,7 +2612,7 @@ static int xfrm_bundle_ok(struct xfrm_dst *first)
+@@ -2611,7 +2626,7 @@ static int xfrm_bundle_ok(struct xfrm_dst *first)
if (xdst->xfrm_genid != dst->xfrm->genid)
return 0;
if (xdst->num_pols > 0 &&
@@ -96123,7 +96545,7 @@ index f77c371..e412fa6 100644
return 0;
mtu = dst_mtu(dst->child);
-@@ -2699,8 +2700,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
+@@ -2699,8 +2714,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
dst_ops->link_failure = xfrm_link_failure;
if (likely(dst_ops->neigh_lookup == NULL))
dst_ops->neigh_lookup = xfrm_neigh_lookup;
@@ -96132,7 +96554,7 @@ index f77c371..e412fa6 100644
rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo);
}
spin_unlock(&xfrm_policy_afinfo_lock);
-@@ -2754,7 +2753,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
+@@ -2754,7 +2767,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
dst_ops->check = NULL;
dst_ops->negative_advice = NULL;
dst_ops->link_failure = NULL;
@@ -96140,7 +96562,7 @@ index f77c371..e412fa6 100644
}
return err;
}
-@@ -3137,7 +3135,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
+@@ -3137,7 +3149,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
sizeof(pol->xfrm_vec[i].saddr));
pol->xfrm_vec[i].encap_family = mp->new_family;
/* flush bundles */
@@ -96149,6 +96571,96 @@ index f77c371..e412fa6 100644
}
}
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 8dafe6d3..dab57da 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -61,9 +61,9 @@ static void xfrm_replay_notify(struct xfrm_state *x, int event)
+
+ switch (event) {
+ case XFRM_REPLAY_UPDATE:
+- if (x->replay_maxdiff &&
+- (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+- (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
++ if (!x->replay_maxdiff ||
++ ((x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
++ (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))) {
+ if (x->xflags & XFRM_TIME_DEFER)
+ event = XFRM_REPLAY_TIMEOUT;
+ else
+@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x,
+ return 0;
+
+ diff = x->replay.seq - seq;
+- if (diff >= min_t(unsigned int, x->props.replay_window,
+- sizeof(x->replay.bitmap) * 8)) {
++ if (diff >= x->props.replay_window) {
+ x->stats.replay_window++;
+ goto err;
+ }
+@@ -302,9 +301,10 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
+
+ switch (event) {
+ case XFRM_REPLAY_UPDATE:
+- if (x->replay_maxdiff &&
+- (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+- (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
++ if (!x->replay_maxdiff ||
++ ((replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
++ (replay_esn->oseq - preplay_esn->oseq
++ < x->replay_maxdiff))) {
+ if (x->xflags & XFRM_TIME_DEFER)
+ event = XFRM_REPLAY_TIMEOUT;
+ else
+@@ -353,28 +353,30 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
+
+ switch (event) {
+ case XFRM_REPLAY_UPDATE:
+- if (!x->replay_maxdiff)
+- break;
+-
+- if (replay_esn->seq_hi == preplay_esn->seq_hi)
+- seq_diff = replay_esn->seq - preplay_esn->seq;
+- else
+- seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
+-
+- if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
+- oseq_diff = replay_esn->oseq - preplay_esn->oseq;
+- else
+- oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
+-
+- if (seq_diff < x->replay_maxdiff &&
+- oseq_diff < x->replay_maxdiff) {
++ if (x->replay_maxdiff) {
++ if (replay_esn->seq_hi == preplay_esn->seq_hi)
++ seq_diff = replay_esn->seq - preplay_esn->seq;
++ else
++ seq_diff = ~preplay_esn->seq + replay_esn->seq
++ + 1;
+
+- if (x->xflags & XFRM_TIME_DEFER)
+- event = XFRM_REPLAY_TIMEOUT;
++ if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
++ oseq_diff = replay_esn->oseq
++ - preplay_esn->oseq;
+ else
+- return;
++ oseq_diff = ~preplay_esn->oseq
++ + replay_esn->oseq + 1;
++
++ if (seq_diff >= x->replay_maxdiff ||
++ oseq_diff >= x->replay_maxdiff)
++ break;
+ }
+
++ if (x->xflags & XFRM_TIME_DEFER)
++ event = XFRM_REPLAY_TIMEOUT;
++ else
++ return;
++
+ break;
+
+ case XFRM_REPLAY_TIMEOUT:
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 54c0acd..56814bd 100644
--- a/net/xfrm/xfrm_state.c
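Review bot: With the bitmap-width bound removed from xfrm_replay_check(), `diff >= x->props.replay_window` is the only guard left at this point, and nothing at the site says that props.replay_window is now expected to be capped where the state is created (the copy_from_user_state() hunk that follows does this for the netlink path). I would record the invariant at the check, e.g. `/* props.replay_window is capped to the width of x->replay.bitmap when the SA is set up */`, so that a later path which fills in replay_window without the cap is recognised as a bug. The function body continues outside the hunk, so how diff is used after the check is not visible here. The same comment applies to the identical xfrm_replay_check() change in the 3.2.51 patch further down.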
@@ -96271,10 +96783,20 @@ index 05a6e3d..6716ec9 100644
__xfrm_sysctl_init(net);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 3f565e4..4b26cee 100644
+index 3f565e4..f964d4c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
-@@ -1856,7 +1856,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
+ memcpy(&x->sel, &p->sel, sizeof(x->sel));
+ memcpy(&x->lft, &p->lft, sizeof(x->lft));
+ x->props.mode = p->mode;
+- x->props.replay_window = p->replay_window;
++ x->props.replay_window = min_t(unsigned int, p->replay_window,
++ sizeof(x->replay.bitmap) * 8);
+ x->props.reqid = p->reqid;
+ x->props.family = p->family;
+ memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
+@@ -1856,7 +1857,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
if (x->km.state != XFRM_STATE_VALID)
goto out;
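Review bot: The cap in copy_from_user_state() is applied silently: a request whose replay_window exceeds the bitmap width is accepted and shrunk, and the caller gets no error or log line. If that is intended for compatibility, say so in a comment on the assignment, e.g. `/* cap to the bits available in x->replay.bitmap; xfrm_replay_check() relies on this */`. Otherwise the validation step for new SAs, which is not visible here, is the place to reject the value. The pfkey_msg2xfrm_state() hunk and the copy_from_user_state() hunk in the 3.2.51 patch make the same silent adjustment.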
diff --git a/3.11.3/4425_grsec_remove_EI_PAX.patch b/3.11.6/4425_grsec_remove_EI_PAX.patch
index 415fda5..415fda5 100644
--- a/3.11.3/4425_grsec_remove_EI_PAX.patch
+++ b/3.11.6/4425_grsec_remove_EI_PAX.patch
diff --git a/3.11.3/4427_force_XATTR_PAX_tmpfs.patch b/3.11.6/4427_force_XATTR_PAX_tmpfs.patch
index 23e60cd..23e60cd 100644
--- a/3.11.3/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.11.6/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.11.3/4430_grsec-remove-localversion-grsec.patch b/3.11.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.11.3/4430_grsec-remove-localversion-grsec.patch
+++ b/3.11.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.11.3/4435_grsec-mute-warnings.patch b/3.11.6/4435_grsec-mute-warnings.patch
index ed941d5..ed941d5 100644
--- a/3.11.3/4435_grsec-mute-warnings.patch
+++ b/3.11.6/4435_grsec-mute-warnings.patch
diff --git a/3.11.3/4440_grsec-remove-protected-paths.patch b/3.11.6/4440_grsec-remove-protected-paths.patch
index 05710b1..05710b1 100644
--- a/3.11.3/4440_grsec-remove-protected-paths.patch
+++ b/3.11.6/4440_grsec-remove-protected-paths.patch
diff --git a/3.11.3/4450_grsec-kconfig-default-gids.patch b/3.11.6/4450_grsec-kconfig-default-gids.patch
index 8c7b0b2..8c7b0b2 100644
--- a/3.11.3/4450_grsec-kconfig-default-gids.patch
+++ b/3.11.6/4450_grsec-kconfig-default-gids.patch
diff --git a/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.11.6/4465_selinux-avc_audit-log-curr_ip.patch
index fea3943..fea3943 100644
--- a/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.11.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.11.3/4470_disable-compat_vdso.patch b/3.11.6/4470_disable-compat_vdso.patch
index 4572f4f..4572f4f 100644
--- a/3.11.3/4470_disable-compat_vdso.patch
+++ b/3.11.6/4470_disable-compat_vdso.patch
diff --git a/3.11.3/4475_emutramp_default_on.patch b/3.11.6/4475_emutramp_default_on.patch
index cfde6f8..cfde6f8 100644
--- a/3.11.3/4475_emutramp_default_on.patch
+++ b/3.11.6/4475_emutramp_default_on.patch
diff --git a/3.2.51/0000_README b/3.2.51/0000_README
index e87b456..7299d26 100644
--- a/3.2.51/0000_README
+++ b/3.2.51/0000_README
@@ -122,7 +122,7 @@ Patch: 1050_linux-3.2.51.patch
From: http://www.kernel.org
Desc: Linux 3.2.51
-Patch: 4420_grsecurity-2.9.1-3.2.51-201309281102.patch
+Patch: 4420_grsecurity-2.9.1-3.2.51-201310191257.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch
index 79a6bf4..4e9a590 100644
--- a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch
+++ b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch
@@ -33208,6 +33208,184 @@ index c68b8ad..ef7a702 100644
}
static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 46bbf43..9954dff 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -62,8 +62,9 @@ void proc_fork_connector(struct task_struct *task)
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg*)buffer;
+- ev = (struct proc_event*)msg->data;
++ msg = (struct cn_msg *)buffer;
++ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -79,6 +80,7 @@ void proc_fork_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ /* If cn_netlink_send() failed, the data is not sent */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+@@ -93,8 +95,9 @@ void proc_exec_connector(struct task_struct *task)
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg*)buffer;
+- ev = (struct proc_event*)msg->data;
++ msg = (struct cn_msg *)buffer;
++ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -105,6 +108,7 @@ void proc_exec_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -119,8 +123,9 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg*)buffer;
+- ev = (struct proc_event*)msg->data;
++ msg = (struct cn_msg *)buffer;
++ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ ev->what = which_id;
+ ev->event_data.id.process_pid = task->pid;
+ ev->event_data.id.process_tgid = task->tgid;
+@@ -144,6 +149,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -159,6 +165,7 @@ void proc_sid_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -169,6 +176,7 @@ void proc_sid_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -184,6 +192,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -202,6 +211,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -217,6 +227,7 @@ void proc_comm_connector(struct task_struct *task)
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -228,6 +239,7 @@ void proc_comm_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -241,8 +253,9 @@ void proc_exit_connector(struct task_struct *task)
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg*)buffer;
+- ev = (struct proc_event*)msg->data;
++ msg = (struct cn_msg *)buffer;
++ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -255,6 +268,7 @@ void proc_exit_connector(struct task_struct *task)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -276,8 +290,9 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg*)buffer;
+- ev = (struct proc_event*)msg->data;
++ msg = (struct cn_msg *)buffer;
++ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ msg->seq = rcvd_seq;
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -287,6 +302,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = rcvd_ack + 1;
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index dde6a0f..ea6efe8 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb)
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+ struct nlmsghdr *nlh;
+- int err;
+ struct sk_buff *skb;
++ int len, err;
+
+ skb = skb_get(__skb);
+
+ if (skb->len >= NLMSG_SPACE(0)) {
+ nlh = nlmsg_hdr(skb);
++ len = nlmsg_len(nlh);
+
+- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
++ if (len < (int)sizeof(struct cn_msg) ||
+ skb->len < nlh->nlmsg_len ||
+- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
++ len > CONNECTOR_MAX_MSG_SIZE) {
+ kfree_skb(skb);
+ return;
+ }
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index 56c6c6b..99056e6 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
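Review bot: In cn_rx_skb() the new test bounds the netlink payload (`len`) but never compares it with the length the connector message declares for itself, so a `struct cn_msg` whose `len` field exceeds the bytes actually received still reaches the callback path. Whether cn_call_callback() or the individual callbacks check that field is not visible in this hunk; if they do not, a callback that trusts `msg->len` can read past the received data. A fourth condition at the end of the chain would close it, e.g. `((struct cn_msg *)nlmsg_data(nlh))->len > len - (int)sizeof(struct cn_msg)`, placed last so the message header is only read after the size checks have passed. cn_rx_skb() continues outside the hunk.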
@@ -41209,6 +41387,18 @@ index e662cbc..8d4a102 100644
return -EINVAL;
}
+diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
+index ebb9f24..7a4c491 100644
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port,
+ }
+
+ i = port->index;
++ memset(&sync, 0, sizeof(sync));
+ sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
+ /* Lucky card and linux use same encoding here */
+ sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index 4045e5a..506f1cf 100644
--- a/drivers/net/wireless/at76c50x-usb.c
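Review bot: The added `memset(&sync, 0, sizeof(sync));` has no comment, and because the lines after it assign fields one by one it reads as redundant and is easy to drop in a later clean-up. A short comment states why it is there: `/* clear padding and any field not set below before the struct is handed back to the caller */`. How `sync` leaves fst_get_iface() is outside the hunk, so the wording should be checked against the copy at the end of the function.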
@@ -52710,6 +52900,19 @@ index 84f84bf..a8770cd 100644
static int __init ext4_init_feat_adverts(void)
{
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index d5498b2..b4e9f3f 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1269,6 +1269,8 @@ retry:
+ s_min_extra_isize) {
+ tried_min_extra_isize++;
+ new_extra_isize = s_min_extra_isize;
++ kfree(is); is = NULL;
++ kfree(bs); bs = NULL;
+ goto retry;
+ }
+ error = -1;
diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
index 216b419..350a088 100644
--- a/fs/fat/namei_msdos.c
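Review bot: Each added line carries two statements (`kfree(is); is = NULL;`), which kernel coding style asks to avoid; put the free and the reset on separate lines. Resetting both pointers before `goto retry` depends on the code after the `retry:` label allocating them again and on the common exit freeing them, both of which are outside this hunk. A one-line comment such as `/* is and bs are allocated again after retry: */` would make that dependency explicit.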
@@ -75781,6 +75984,18 @@ index e5d1220..5a87d07 100644
ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
+diff --git a/include/linux/yam.h b/include/linux/yam.h
+index 7fe2822..512cdc2 100644
+--- a/include/linux/yam.h
++++ b/include/linux/yam.h
+@@ -77,6 +77,6 @@ struct yamdrv_ioctl_cfg {
+
+ struct yamdrv_ioctl_mcs {
+ int cmd;
+- int bitrate;
++ unsigned int bitrate;
+ unsigned char bits[YAM_FPGA_SIZE];
+ };
diff --git a/include/linux/zlib.h b/include/linux/zlib.h
index 9c5a6b4..09c9438 100644
--- a/include/linux/zlib.h
@@ -77423,7 +77638,7 @@ index fa7eb3d..7faf116 100644
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
diff --git a/kernel/audit.c b/kernel/audit.c
-index d4bc594..cf6b5d7 100644
+index d4bc594..efa193f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -115,7 +115,7 @@ u32 audit_sig_sid = 0;
@@ -77453,7 +77668,13 @@ index d4bc594..cf6b5d7 100644
audit_rate_limit,
audit_backlog_limit);
audit_panic(message);
-@@ -689,7 +689,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -684,18 +684,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+
+ switch (msg_type) {
+ case AUDIT_GET:
++ status_set.mask = 0;
+ status_set.enabled = audit_enabled;
+ status_set.failure = audit_failure;
status_set.pid = audit_pid;
status_set.rate_limit = audit_rate_limit;
status_set.backlog_limit = audit_backlog_limit;
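Review bot: `status_set.mask = 0;` closes the one field the AUDIT_GET reply left unassigned, but the reply stays clean only as long as every member is written by hand before `audit_send_reply()` copies `sizeof(status_set)` bytes out. Clearing the whole object first, `memset(&status_set, 0, sizeof(status_set));`, also covers padding and any member added later, and makes the single-field assignment unnecessary. The declaration of status_set is outside the hunk, so this assumes it is an uninitialised local.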
@@ -77462,7 +77683,23 @@ index d4bc594..cf6b5d7 100644
status_set.backlog = skb_queue_len(&audit_skb_queue);
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
&status_set, sizeof(status_set));
-@@ -1260,12 +1260,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
+ break;
+ case AUDIT_SET:
+- if (nlh->nlmsg_len < sizeof(struct audit_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ return -EINVAL;
+ status_get = (struct audit_status *)data;
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
+@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ struct task_struct *tsk;
+ unsigned long flags;
+
+- if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_tty_status))
+ return -EINVAL;
+ s = data;
+ if (s->enabled != 0 && s->enabled != 1)
+@@ -1260,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
avail = audit_expand(ab,
max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
if (!avail)
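Review bot: `nlmsg_len(nlh)` returns a signed int, and comparing it with `sizeof(struct audit_status)` converts it to an unsigned type, so a header length smaller than the netlink header would turn into a large value and pass the test. The connector change in this same patch casts the size instead (`len < (int)sizeof(struct cn_msg)`); doing the same here, `if (nlmsg_len(nlh) < (int)sizeof(struct audit_status))`, keeps the two checks consistent, and the audit_tty_status test a few lines below needs the same cast. Whether the receive path already rejects headers shorter than NLMSG_HDRLEN before audit_receive_msg() runs is not visible in this hunk.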
@@ -89439,6 +89676,46 @@ index b81500c..92fc8ec 100644
return 0;
/* Okay, we found ICMPv6 header */
+diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
+index 5449294..c1d8d99 100644
+--- a/net/bridge/netfilter/ebt_ulog.c
++++ b/net/bridge/netfilter/ebt_ulog.c
+@@ -158,6 +158,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
+ ub->qlen++;
+
+ pm = NLMSG_DATA(nlh);
++ memset(pm, 0, sizeof(*pm));
+
+ /* Fill in the ulog data */
+ pm->version = EBT_ULOG_VERSION;
+@@ -170,8 +171,6 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
+ pm->hook = hooknr;
+ if (uloginfo->prefix != NULL)
+ strcpy(pm->prefix, uloginfo->prefix);
+- else
+- *(pm->prefix) = '\0';
+
+ if (in) {
+ strcpy(pm->physindev, in->name);
+@@ -181,16 +180,14 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
+ strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name);
+ else
+ strcpy(pm->indev, in->name);
+- } else
+- pm->indev[0] = pm->physindev[0] = '\0';
++ }
+
+ if (out) {
+ /* If out exists, then out is a bridge port */
+ strcpy(pm->physoutdev, out->name);
+ /* rcu_read_lock()ed by nf_hook_slow */
+ strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name);
+- } else
+- pm->outdev[0] = pm->physoutdev[0] = '\0';
++ }
+
+ if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)
+ BUG();
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc4..6ddb362 100644
--- a/net/bridge/netfilter/ebtables.c
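Review bot: After the new `memset(pm, 0, sizeof(*pm));` the copies into the message are still plain `strcpy()` calls, so `strcpy(pm->prefix, uloginfo->prefix);` is bounded only if the rule's prefix is NUL-terminated within the size of pm->prefix. That guarantee would have to come from the rule check function, which is outside this hunk. Since the destination is now zeroed in advance, a bounded copy such as `strncpy(pm->prefix, uloginfo->prefix, sizeof(pm->prefix) - 1);` keeps the terminator and removes the dependency. ebt_ulog_packet() starts and ends outside the hunk.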
@@ -91221,6 +91498,41 @@ index 24e556e..f6918b4 100644
break;
case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
+index b550815..c3b44d5 100644
+--- a/net/ipv4/netfilter/ipt_ULOG.c
++++ b/net/ipv4/netfilter/ipt_ULOG.c
+@@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
+ ub->qlen++;
+
+ pm = NLMSG_DATA(nlh);
++ memset(pm, 0, sizeof(*pm));
+
+ /* We might not have a timestamp, get one */
+ if (skb->tstamp.tv64 == 0)
+@@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int hooknum,
+ strncpy(pm->prefix, prefix, sizeof(pm->prefix));
+ else if (loginfo->prefix[0] != '\0')
+ strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
+- else
+- *(pm->prefix) = '\0';
+
+ if (in && in->hard_header_len > 0 &&
+ skb->mac_header != skb->network_header &&
+@@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
+
+ if (in)
+ strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
+- else
+- pm->indev_name[0] = '\0';
+
+ if (out)
+ strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
+- else
+- pm->outdev_name[0] = '\0';
+
+ /* copy_len <= skb->len, so can't fail. */
+ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 294a380..885a292 100644
--- a/net/ipv4/ping.c
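Review bot: Both prefix copies pass the full `sizeof(pm->prefix)` to `strncpy()`, which leaves the field without a terminating NUL when the source fills it; the `else` branch removed here never covered that case either. Now that pm is zeroed up front, copying one byte less keeps the terminator: `strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1);`, and the same for `loginfo->prefix`. The indev_name and outdev_name copies have the same shape, though whether `in->name` can fill the destination is not visible here. ipt_ulog_packet() starts and ends outside the hunk.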
@@ -91546,10 +91858,22 @@ index 739b073..7ac6591 100644
hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table);
if (hdr == NULL)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 872b41d..54a02f1 100644
+index 872b41d..bb914c3 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4736,7 +4736,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -1469,7 +1469,10 @@ static int tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,
+ tp->lost_cnt_hint -= tcp_skb_pcount(prev);
+ }
+
+- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags;
++ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags;
++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
++ TCP_SKB_CB(prev)->end_seq++;
++
+ if (skb == tcp_highest_sack(sk))
+ tcp_advance_highest_sack(sk, skb);
+
+@@ -4736,7 +4739,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
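Review bot: The `end_seq++` added in tcp_shifted_skb() has no comment, and the reason for a bare increment is not obvious from the surrounding lines. Something like `/* a FIN takes one sequence number that the byte count shifted into prev does not include */` above the `if` would explain it. The adjustment of prev's end_seq by the shifted length is outside this hunk, so the wording should be checked against it.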
@@ -91558,7 +91882,7 @@ index 872b41d..54a02f1 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5551,6 +5551,9 @@ slow_path:
+@@ -5551,6 +5554,9 @@ slow_path:
if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
goto csum_error;
@@ -91568,7 +91892,7 @@ index 872b41d..54a02f1 100644
/*
* Standard slow path.
*/
-@@ -5559,8 +5562,7 @@ slow_path:
+@@ -5559,8 +5565,7 @@ slow_path:
return 0;
step5:
@@ -91578,7 +91902,7 @@ index 872b41d..54a02f1 100644
goto discard;
tcp_rcv_rtt_measure_ts(sk, skb);
-@@ -5791,6 +5793,7 @@ discard:
+@@ -5791,6 +5796,7 @@ discard:
tcp_paws_reject(&tp->rx_opt, 0))
goto discard_and_undo;
@@ -91586,7 +91910,7 @@ index 872b41d..54a02f1 100644
if (th->syn) {
/* We see SYN without ACK. It is attempt of
* simultaneous connect with crossed SYNs.
-@@ -5839,6 +5842,7 @@ discard:
+@@ -5839,6 +5845,7 @@ discard:
goto discard;
#endif
}
@@ -91594,7 +91918,7 @@ index 872b41d..54a02f1 100644
/* "fifth, if neither of the SYN or RST bits is set then
* drop the segment and return."
*/
-@@ -5882,7 +5886,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5882,7 +5889,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -91603,7 +91927,7 @@ index 872b41d..54a02f1 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
-@@ -5921,11 +5925,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5921,11 +5928,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
return 0;
}
@@ -91619,7 +91943,7 @@ index 872b41d..54a02f1 100644
int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
FLAG_UPDATE_TS_RECENT) > 0;
-@@ -6031,8 +6038,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -6031,8 +6041,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}
break;
}
@@ -92774,10 +93098,20 @@ index 403be43..87f09da 100644
};
diff --git a/net/key/af_key.c b/net/key/af_key.c
-index 8dbdb8e..c765b51 100644
+index 8dbdb8e..50f4169 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
-@@ -1924,6 +1924,9 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
+@@ -1097,7 +1097,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
+
+ x->id.proto = proto;
+ x->id.spi = sa->sadb_sa_spi;
+- x->props.replay_window = sa->sadb_sa_replay;
++ x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
++ (sizeof(x->replay.bitmap) * 8));
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
+ x->props.flags |= XFRM_STATE_NOECN;
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)
+@@ -1924,6 +1925,9 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
int len = pol->sadb_x_policy_len*8 - sizeof(struct sadb_x_policy);
struct sadb_x_ipsecrequest *rq = (void*)(pol+1);
@@ -92787,7 +93121,7 @@ index 8dbdb8e..c765b51 100644
while (len >= sizeof(struct sadb_x_ipsecrequest)) {
if ((err = parse_ipsecrequest(xp, rq)) < 0)
return err;
-@@ -3020,10 +3023,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
+@@ -3020,10 +3024,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
static u32 get_acqseq(void)
{
u32 res;
@@ -96068,6 +96402,20 @@ index 113d20e..2bb5a4e 100644
}
}
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 3efb07d..2576ee4 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x,
+ return 0;
+
+ diff = x->replay.seq - seq;
+- if (diff >= min_t(unsigned int, x->props.replay_window,
+- sizeof(x->replay.bitmap) * 8)) {
++ if (diff >= x->props.replay_window) {
+ x->stats.replay_window++;
+ goto err;
+ }
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9414b9c..2477932 100644
--- a/net/xfrm/xfrm_state.c
@@ -96199,10 +96547,20 @@ index 05640bc..b67eaaa 100644
__xfrm_sysctl_init(net);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index ede01a8..d7fdd07 100644
+index ede01a8..756e6bd 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
-@@ -1816,7 +1816,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
+ memcpy(&x->sel, &p->sel, sizeof(x->sel));
+ memcpy(&x->lft, &p->lft, sizeof(x->lft));
+ x->props.mode = p->mode;
+- x->props.replay_window = p->replay_window;
++ x->props.replay_window = min_t(unsigned int, p->replay_window,
++ sizeof(x->replay.bitmap) * 8);
+ x->props.reqid = p->reqid;
+ x->props.family = p->family;
+ memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
+@@ -1816,7 +1817,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
if (x->km.state != XFRM_STATE_VALID)
goto out;