author | Anthony G. Basile <blueness@gentoo.org> | 2013-08-22 07:18:30 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-08-22 08:08:43 -0400 |
commit | 6edbe713204f28f5ecd1704ff61515c5e28ea9ae (patch) | |
tree | cd66360b57604a4f4095b5095377639737e2a056 | |
parent | Grsec/PaX: 2.9.1-3.10.7-201308192211 (diff) | |
Grsec/PaX: 2.9.1-{3.2.50.3.10.9}-20130820201520130820
-rw-r--r-- | 3.10.9/0000_README (renamed from 3.10.7/0000_README) | 10 | ||||
-rw-r--r-- | 3.10.9/1007_linux-3.10.8.patch | 1793 | ||||
-rw-r--r-- | 3.10.9/1008_linux-3.10.9.patch | 37 | ||||
-rw-r--r-- | 3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch (renamed from 3.10.7/4420_grsecurity-2.9.1-3.10.7-201308192211.patch) | 768 | ||||
-rw-r--r-- | 3.10.9/4425_grsec_remove_EI_PAX.patch (renamed from 3.10.7/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.10.7/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4430_grsec-remove-localversion-grsec.patch (renamed from 3.10.7/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4435_grsec-mute-warnings.patch (renamed from 3.10.7/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4440_grsec-remove-protected-paths.patch (renamed from 3.10.7/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4450_grsec-kconfig-default-gids.patch (renamed from 3.10.7/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.10.7/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4470_disable-compat_vdso.patch (renamed from 3.10.7/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.10.9/4475_emutramp_default_on.patch (renamed from 3.10.7/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.50/0000_README | 2 | ||||
-rw-r--r-- | 3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch (renamed from 3.2.50/4420_grsecurity-2.9.1-3.2.50-201308181813.patch) | 25 |
15 files changed, 2063 insertions, 572 deletions
diff --git a/3.10.7/0000_README b/3.10.9/0000_README
index e8ef030..71cd5ee 100644
--- a/3.10.7/0000_README
+++ b/3.10.9/0000_README
@@ -2,7 +2,15 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.10.7-201308192211.patch
+Patch: 1007_linux-3.10.8.patch
+From: http://www.kernel.org
+Desc: Linux 3.10.8
+
+Patch: 1008_linux-3.10.9.patch
+From: http://www.kernel.org
+Desc: Linux 3.10.9
+
+Patch: 4420_grsecurity-2.9.1-3.10.9-201308202015.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
diff --git a/3.10.9/1007_linux-3.10.8.patch b/3.10.9/1007_linux-3.10.8.patch
new file mode 100644
index 0000000..bf200d8
--- /dev/null
+++ b/3.10.9/1007_linux-3.10.8.patch
@@ -0,0 +1,1793 @@ +diff --git a/Makefile b/Makefile +index 33e36ab..1a21612 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 10 +-SUBLEVEL = 7 ++SUBLEVEL = 8 + EXTRAVERSION = + NAME = TOSSUG Baby Fish + +diff --git a/arch/Kconfig b/arch/Kconfig +index a4429bc..00e3702 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -404,6 +404,12 @@ config CLONE_BACKWARDS2 + help + Architecture has the first two arguments of clone(2) swapped. + ++config CLONE_BACKWARDS3 ++ bool ++ help ++ Architecture has tls passed as the 3rd argument of clone(2), ++ not the 5th one. ++ + config ODD_RT_SIGACTION + bool + help +diff --git a/arch/arm/include/asm/kvm_asm.h b/arch/arm/include/asm/kvm_asm.h +index 18d5032..4bb08e3 100644 +--- a/arch/arm/include/asm/kvm_asm.h ++++ b/arch/arm/include/asm/kvm_asm.h +@@ -37,16 +37,18 @@ + #define c5_AIFSR 15 /* Auxilary Instrunction Fault Status R */ + #define c6_DFAR 16 /* Data Fault Address Register */ + #define c6_IFAR 17 /* Instruction Fault Address Register */ +-#define c9_L2CTLR 18 /* Cortex A15 L2 Control Register */ +-#define c10_PRRR 19 /* Primary Region Remap Register */ +-#define c10_NMRR 20 /* Normal Memory Remap Register */ +-#define c12_VBAR 21 /* Vector Base Address Register */ +-#define c13_CID 22 /* Context ID Register */ +-#define c13_TID_URW 23 /* Thread ID, User R/W */ +-#define c13_TID_URO 24 /* Thread ID, User R/O */ +-#define c13_TID_PRIV 25 /* Thread ID, Privileged */ +-#define c14_CNTKCTL 26 /* Timer Control Register (PL1) */ +-#define NR_CP15_REGS 27 /* Number of regs (incl. 
invalid) */ ++#define c7_PAR 18 /* Physical Address Register */ ++#define c7_PAR_high 19 /* PAR top 32 bits */ ++#define c9_L2CTLR 20 /* Cortex A15 L2 Control Register */ ++#define c10_PRRR 21 /* Primary Region Remap Register */ ++#define c10_NMRR 22 /* Normal Memory Remap Register */ ++#define c12_VBAR 23 /* Vector Base Address Register */ ++#define c13_CID 24 /* Context ID Register */ ++#define c13_TID_URW 25 /* Thread ID, User R/W */ ++#define c13_TID_URO 26 /* Thread ID, User R/O */ ++#define c13_TID_PRIV 27 /* Thread ID, Privileged */ ++#define c14_CNTKCTL 28 /* Timer Control Register (PL1) */ ++#define NR_CP15_REGS 29 /* Number of regs (incl. invalid) */ + + #define ARM_EXCEPTION_RESET 0 + #define ARM_EXCEPTION_UNDEFINED 1 +diff --git a/arch/arm/include/asm/tlb.h b/arch/arm/include/asm/tlb.h +index bdf2b84..aa9b4ac 100644 +--- a/arch/arm/include/asm/tlb.h ++++ b/arch/arm/include/asm/tlb.h +@@ -43,6 +43,7 @@ struct mmu_gather { + struct mm_struct *mm; + unsigned int fullmm; + struct vm_area_struct *vma; ++ unsigned long start, end; + unsigned long range_start; + unsigned long range_end; + unsigned int nr; +@@ -107,10 +108,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = fullmm; ++ tlb->fullmm = !(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->vma = NULL; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; +diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c +index d9f5cd4..e19edc6 100644 +--- a/arch/arm/kernel/perf_event.c ++++ b/arch/arm/kernel/perf_event.c +@@ -53,7 +53,12 @@ armpmu_map_cache_event(const unsigned (*cache_map) + static int + armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config) + { +- int mapping = 
(*event_map)[config]; ++ int mapping; ++ ++ if (config >= PERF_COUNT_HW_MAX) ++ return -ENOENT; ++ ++ mapping = (*event_map)[config]; + return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping; + } + +@@ -253,6 +258,9 @@ validate_event(struct pmu_hw_events *hw_events, + struct arm_pmu *armpmu = to_arm_pmu(event->pmu); + struct pmu *leader_pmu = event->group_leader->pmu; + ++ if (is_software_event(event)) ++ return 1; ++ + if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) + return 1; + +diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c +index 8eea97b..4a51990 100644 +--- a/arch/arm/kvm/coproc.c ++++ b/arch/arm/kvm/coproc.c +@@ -180,6 +180,10 @@ static const struct coproc_reg cp15_regs[] = { + NULL, reset_unknown, c6_DFAR }, + { CRn( 6), CRm( 0), Op1( 0), Op2( 2), is32, + NULL, reset_unknown, c6_IFAR }, ++ ++ /* PAR swapped by interrupt.S */ ++ { CRn( 7), Op1( 0), is64, NULL, reset_unknown64, c7_PAR }, ++ + /* + * DC{C,I,CI}SW operations: + */ +diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S +index f7793df..16cd4ba 100644 +--- a/arch/arm/kvm/interrupts.S ++++ b/arch/arm/kvm/interrupts.S +@@ -49,6 +49,7 @@ __kvm_hyp_code_start: + ENTRY(__kvm_tlb_flush_vmid_ipa) + push {r2, r3} + ++ dsb ishst + add r0, r0, #KVM_VTTBR + ldrd r2, r3, [r0] + mcrr p15, 6, r2, r3, c2 @ Write VTTBR +@@ -291,6 +292,7 @@ THUMB( orr r2, r2, #PSR_T_BIT ) + ldr r2, =BSYM(panic) + msr ELR_hyp, r2 + ldr r0, =\panic_str ++ clrex @ Clear exclusive monitor + eret + .endm + +@@ -414,6 +416,10 @@ guest_trap: + mrcne p15, 4, r2, c6, c0, 4 @ HPFAR + bne 3f + ++ /* Preserve PAR */ ++ mrrc p15, 0, r0, r1, c7 @ PAR ++ push {r0, r1} ++ + /* Resolve IPA using the xFAR */ + mcr p15, 0, r2, c7, c8, 0 @ ATS1CPR + isb +@@ -424,13 +430,20 @@ guest_trap: + lsl r2, r2, #4 + orr r2, r2, r1, lsl #24 + ++ /* Restore PAR */ ++ pop {r0, r1} ++ mcrr p15, 0, r0, r1, c7 @ PAR ++ + 3: load_vcpu @ Load VCPU pointer to r0 + str r2, [r0, #VCPU_HPFAR] + + 1: mov r1, #ARM_EXCEPTION_HVC 
+ b __kvm_vcpu_return + +-4: pop {r0, r1, r2} @ Failed translation, return to guest ++4: pop {r0, r1} @ Failed translation, return to guest ++ mcrr p15, 0, r0, r1, c7 @ PAR ++ clrex ++ pop {r0, r1, r2} + eret + + /* +@@ -456,6 +469,7 @@ switch_to_guest_vfp: + + pop {r3-r7} + pop {r0-r2} ++ clrex + eret + #endif + +diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S +index 3c8f2f0..2b44b95 100644 +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -302,11 +302,14 @@ vcpu .req r0 @ vcpu pointer always in r0 + .endif + + mrc p15, 0, r2, c14, c1, 0 @ CNTKCTL ++ mrrc p15, 0, r4, r5, c7 @ PAR + + .if \store_to_vcpu == 0 +- push {r2} ++ push {r2,r4-r5} + .else + str r2, [vcpu, #CP15_OFFSET(c14_CNTKCTL)] ++ add r12, vcpu, #CP15_OFFSET(c7_PAR) ++ strd r4, r5, [r12] + .endif + .endm + +@@ -319,12 +322,15 @@ vcpu .req r0 @ vcpu pointer always in r0 + */ + .macro write_cp15_state read_from_vcpu + .if \read_from_vcpu == 0 +- pop {r2} ++ pop {r2,r4-r5} + .else + ldr r2, [vcpu, #CP15_OFFSET(c14_CNTKCTL)] ++ add r12, vcpu, #CP15_OFFSET(c7_PAR) ++ ldrd r4, r5, [r12] + .endif + + mcr p15, 0, r2, c14, c1, 0 @ CNTKCTL ++ mcrr p15, 0, r4, r5, c7 @ PAR + + .if \read_from_vcpu == 0 + pop {r2-r12} +diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h +index 654f096..5546653 100644 +--- a/arch/arm64/include/asm/tlb.h ++++ b/arch/arm64/include/asm/tlb.h +@@ -35,6 +35,7 @@ struct mmu_gather { + struct mm_struct *mm; + unsigned int fullmm; + struct vm_area_struct *vma; ++ unsigned long start, end; + unsigned long range_start; + unsigned long range_end; + unsigned int nr; +@@ -97,10 +98,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = fullmm; ++ tlb->fullmm = 
!(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->vma = NULL; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; +diff --git a/arch/ia64/include/asm/tlb.h b/arch/ia64/include/asm/tlb.h +index ef3a9de..bc5efc7 100644 +--- a/arch/ia64/include/asm/tlb.h ++++ b/arch/ia64/include/asm/tlb.h +@@ -22,7 +22,7 @@ + * unmapping a portion of the virtual address space, these hooks are called according to + * the following template: + * +- * tlb <- tlb_gather_mmu(mm, full_mm_flush); // start unmap for address space MM ++ * tlb <- tlb_gather_mmu(mm, start, end); // start unmap for address space MM + * { + * for each vma that needs a shootdown do { + * tlb_start_vma(tlb, vma); +@@ -58,6 +58,7 @@ struct mmu_gather { + unsigned int max; + unsigned char fullmm; /* non-zero means full mm flush */ + unsigned char need_flush; /* really unmapped some PTEs? */ ++ unsigned long start, end; + unsigned long start_addr; + unsigned long end_addr; + struct page **pages; +@@ -155,13 +156,15 @@ static inline void __tlb_alloc_page(struct mmu_gather *tlb) + + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; + tlb->nr = 0; +- tlb->fullmm = full_mm_flush; ++ tlb->fullmm = !(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->start_addr = ~0UL; + } + +diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c +index 2291a7d..fa277ae 100644 +--- a/arch/m68k/emu/natfeat.c ++++ b/arch/m68k/emu/natfeat.c +@@ -18,9 +18,11 @@ + #include <asm/machdep.h> + #include <asm/natfeat.h> + ++extern long nf_get_id2(const char *feature_name); ++ + asm("\n" +-" .global nf_get_id,nf_call\n" +-"nf_get_id:\n" ++" .global nf_get_id2,nf_call\n" ++"nf_get_id2:\n" + " .short 0x7300\n" + " rts\n" + "nf_call:\n" +@@ -29,12 +31,25 @@ 
asm("\n" + "1: moveq.l #0,%d0\n" + " rts\n" + " .section __ex_table,\"a\"\n" +-" .long nf_get_id,1b\n" ++" .long nf_get_id2,1b\n" + " .long nf_call,1b\n" + " .previous"); +-EXPORT_SYMBOL_GPL(nf_get_id); + EXPORT_SYMBOL_GPL(nf_call); + ++long nf_get_id(const char *feature_name) ++{ ++ /* feature_name may be in vmalloc()ed memory, so make a copy */ ++ char name_copy[32]; ++ size_t n; ++ ++ n = strlcpy(name_copy, feature_name, sizeof(name_copy)); ++ if (n >= sizeof(name_copy)) ++ return 0; ++ ++ return nf_get_id2(name_copy); ++} ++EXPORT_SYMBOL_GPL(nf_get_id); ++ + void nfprint(const char *fmt, ...) + { + static char buf[256]; +diff --git a/arch/m68k/include/asm/div64.h b/arch/m68k/include/asm/div64.h +index 444ea8a..ef881cf 100644 +--- a/arch/m68k/include/asm/div64.h ++++ b/arch/m68k/include/asm/div64.h +@@ -15,16 +15,17 @@ + unsigned long long n64; \ + } __n; \ + unsigned long __rem, __upper; \ ++ unsigned long __base = (base); \ + \ + __n.n64 = (n); \ + if ((__upper = __n.n32[0])) { \ + asm ("divul.l %2,%1:%0" \ +- : "=d" (__n.n32[0]), "=d" (__upper) \ +- : "d" (base), "0" (__n.n32[0])); \ ++ : "=d" (__n.n32[0]), "=d" (__upper) \ ++ : "d" (__base), "0" (__n.n32[0])); \ + } \ + asm ("divu.l %2,%1:%0" \ +- : "=d" (__n.n32[1]), "=d" (__rem) \ +- : "d" (base), "1" (__upper), "0" (__n.n32[1])); \ ++ : "=d" (__n.n32[1]), "=d" (__rem) \ ++ : "d" (__base), "1" (__upper), "0" (__n.n32[1])); \ + (n) = __n.n64; \ + __rem; \ + }) +diff --git a/arch/microblaze/Kconfig b/arch/microblaze/Kconfig +index d22a4ec..4fab522 100644 +--- a/arch/microblaze/Kconfig ++++ b/arch/microblaze/Kconfig +@@ -28,7 +28,7 @@ config MICROBLAZE + select GENERIC_CLOCKEVENTS + select GENERIC_IDLE_POLL_SETUP + select MODULES_USE_ELF_RELA +- select CLONE_BACKWARDS ++ select CLONE_BACKWARDS3 + + config SWAP + def_bool n +diff --git a/arch/s390/include/asm/tlb.h b/arch/s390/include/asm/tlb.h +index b75d7d6..6d6d92b 100644 +--- a/arch/s390/include/asm/tlb.h ++++ b/arch/s390/include/asm/tlb.h +@@ -32,6 +32,7 
@@ struct mmu_gather { + struct mm_struct *mm; + struct mmu_table_batch *batch; + unsigned int fullmm; ++ unsigned long start, end; + }; + + struct mmu_table_batch { +@@ -48,10 +49,13 @@ extern void tlb_remove_table(struct mmu_gather *tlb, void *table); + + static inline void tlb_gather_mmu(struct mmu_gather *tlb, + struct mm_struct *mm, +- unsigned int full_mm_flush) ++ unsigned long start, ++ unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + tlb->batch = NULL; + if (tlb->fullmm) + __tlb_flush_mm(mm); +diff --git a/arch/sh/include/asm/tlb.h b/arch/sh/include/asm/tlb.h +index e61d43d..362192e 100644 +--- a/arch/sh/include/asm/tlb.h ++++ b/arch/sh/include/asm/tlb.h +@@ -36,10 +36,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + + init_tlb_gather(tlb); + } +diff --git a/arch/um/include/asm/tlb.h b/arch/um/include/asm/tlb.h +index 4febacd..29b0301 100644 +--- a/arch/um/include/asm/tlb.h ++++ b/arch/um/include/asm/tlb.h +@@ -45,10 +45,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + + init_tlb_gather(tlb); + } +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +index 52441a2..8aac56b 
100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +@@ -314,8 +314,8 @@ static struct uncore_event_desc snbep_uncore_imc_events[] = { + static struct uncore_event_desc snbep_uncore_qpi_events[] = { + INTEL_UNCORE_EVENT_DESC(clockticks, "event=0x14"), + INTEL_UNCORE_EVENT_DESC(txl_flits_active, "event=0x00,umask=0x06"), +- INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x02,umask=0x08"), +- INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x03,umask=0x04"), ++ INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x102,umask=0x08"), ++ INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x103,umask=0x04"), + { /* end: all zeroes */ }, + }; + +diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c +index dbded5a..48f8375 100644 +--- a/arch/x86/kernel/sys_x86_64.c ++++ b/arch/x86/kernel/sys_x86_64.c +@@ -101,7 +101,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin, + *begin = new_begin; + } + } else { +- *begin = TASK_UNMAPPED_BASE; ++ *begin = mmap_legacy_base(); + *end = TASK_SIZE; + } + } +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index 845df68..c1af323 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -98,7 +98,7 @@ static unsigned long mmap_base(void) + * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 + * does, but not when emulating X86_32 + */ +-static unsigned long mmap_legacy_base(void) ++unsigned long mmap_legacy_base(void) + { + if (mmap_is_ia32()) + return TASK_UNMAPPED_BASE; +diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c +index d5cd313..d5bbdcf 100644 +--- a/block/cfq-iosched.c ++++ b/block/cfq-iosched.c +@@ -4347,18 +4347,28 @@ static void cfq_exit_queue(struct elevator_queue *e) + kfree(cfqd); + } + +-static int cfq_init_queue(struct request_queue *q) ++static int cfq_init_queue(struct request_queue *q, struct elevator_type *e) + { + struct cfq_data *cfqd; + struct blkcg_gq *blkg __maybe_unused; + int i, ret; ++ struct 
elevator_queue *eq; ++ ++ eq = elevator_alloc(q, e); ++ if (!eq) ++ return -ENOMEM; + + cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO, q->node); +- if (!cfqd) ++ if (!cfqd) { ++ kobject_put(&eq->kobj); + return -ENOMEM; ++ } ++ eq->elevator_data = cfqd; + + cfqd->queue = q; +- q->elevator->elevator_data = cfqd; ++ spin_lock_irq(q->queue_lock); ++ q->elevator = eq; ++ spin_unlock_irq(q->queue_lock); + + /* Init root service tree */ + cfqd->grp_service_tree = CFQ_RB_ROOT; +@@ -4433,6 +4443,7 @@ static int cfq_init_queue(struct request_queue *q) + + out_free: + kfree(cfqd); ++ kobject_put(&eq->kobj); + return ret; + } + +diff --git a/block/deadline-iosched.c b/block/deadline-iosched.c +index ba19a3a..20614a3 100644 +--- a/block/deadline-iosched.c ++++ b/block/deadline-iosched.c +@@ -337,13 +337,21 @@ static void deadline_exit_queue(struct elevator_queue *e) + /* + * initialize elevator private data (deadline_data). + */ +-static int deadline_init_queue(struct request_queue *q) ++static int deadline_init_queue(struct request_queue *q, struct elevator_type *e) + { + struct deadline_data *dd; ++ struct elevator_queue *eq; ++ ++ eq = elevator_alloc(q, e); ++ if (!eq) ++ return -ENOMEM; + + dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO, q->node); +- if (!dd) ++ if (!dd) { ++ kobject_put(&eq->kobj); + return -ENOMEM; ++ } ++ eq->elevator_data = dd; + + INIT_LIST_HEAD(&dd->fifo_list[READ]); + INIT_LIST_HEAD(&dd->fifo_list[WRITE]); +@@ -355,7 +363,9 @@ static int deadline_init_queue(struct request_queue *q) + dd->front_merges = 1; + dd->fifo_batch = fifo_batch; + +- q->elevator->elevator_data = dd; ++ spin_lock_irq(q->queue_lock); ++ q->elevator = eq; ++ spin_unlock_irq(q->queue_lock); + return 0; + } + +diff --git a/block/elevator.c b/block/elevator.c +index eba5b04..668394d 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -150,7 +150,7 @@ void __init load_default_elevator_module(void) + + static struct kobj_type elv_ktype; + +-static struct 
elevator_queue *elevator_alloc(struct request_queue *q, ++struct elevator_queue *elevator_alloc(struct request_queue *q, + struct elevator_type *e) + { + struct elevator_queue *eq; +@@ -170,6 +170,7 @@ err: + elevator_put(e); + return NULL; + } ++EXPORT_SYMBOL(elevator_alloc); + + static void elevator_release(struct kobject *kobj) + { +@@ -221,16 +222,7 @@ int elevator_init(struct request_queue *q, char *name) + } + } + +- q->elevator = elevator_alloc(q, e); +- if (!q->elevator) +- return -ENOMEM; +- +- err = e->ops.elevator_init_fn(q); +- if (err) { +- kobject_put(&q->elevator->kobj); +- return err; +- } +- ++ err = e->ops.elevator_init_fn(q, e); + return 0; + } + EXPORT_SYMBOL(elevator_init); +@@ -935,16 +927,9 @@ static int elevator_switch(struct request_queue *q, struct elevator_type *new_e) + spin_unlock_irq(q->queue_lock); + + /* allocate, init and register new elevator */ +- err = -ENOMEM; +- q->elevator = elevator_alloc(q, new_e); +- if (!q->elevator) +- goto fail_init; +- +- err = new_e->ops.elevator_init_fn(q); +- if (err) { +- kobject_put(&q->elevator->kobj); ++ err = new_e->ops.elevator_init_fn(q, new_e); ++ if (err) + goto fail_init; +- } + + if (registered) { + err = elv_register_queue(q); +diff --git a/block/noop-iosched.c b/block/noop-iosched.c +index 5d1bf70..3de89d4 100644 +--- a/block/noop-iosched.c ++++ b/block/noop-iosched.c +@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq) + return list_entry(rq->queuelist.next, struct request, queuelist); + } + +-static int noop_init_queue(struct request_queue *q) ++static int noop_init_queue(struct request_queue *q, struct elevator_type *e) + { + struct noop_data *nd; ++ struct elevator_queue *eq; ++ ++ eq = elevator_alloc(q, e); ++ if (!eq) ++ return -ENOMEM; + + nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node); +- if (!nd) ++ if (!nd) { ++ kobject_put(&eq->kobj); + return -ENOMEM; ++ } ++ eq->elevator_data = nd; + + INIT_LIST_HEAD(&nd->queue); +- 
q->elevator->elevator_data = nd; ++ ++ spin_lock_irq(q->queue_lock); ++ q->elevator = eq; ++ spin_unlock_irq(q->queue_lock); + return 0; + } + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c +index 25723d8..925ab8e 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len) + if ((mc->ptr + rec_len) > mc->end) + goto decode_failed; + +- memcpy(cf->data, mc->ptr, rec_len); ++ memcpy(cf->data, mc->ptr, cf->can_dlc); + mc->ptr += rec_len; + } + +diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c +index 9a95045..900f5f8 100644 +--- a/drivers/net/wireless/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/iwlegacy/4965-mac.c +@@ -4442,12 +4442,12 @@ il4965_irq_tasklet(struct il_priv *il) + * is killed. Hence update the killswitch state here. The + * rfkill handler will care about restarting if needed. 
+ */ +- if (!test_bit(S_ALIVE, &il->status)) { +- if (hw_rf_kill) +- set_bit(S_RFKILL, &il->status); +- else +- clear_bit(S_RFKILL, &il->status); ++ if (hw_rf_kill) { ++ set_bit(S_RFKILL, &il->status); ++ } else { ++ clear_bit(S_RFKILL, &il->status); + wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill); ++ il_force_reset(il, true); + } + + handled |= CSR_INT_BIT_RF_KILL; +@@ -5316,6 +5316,9 @@ il4965_alive_start(struct il_priv *il) + + il->active_rate = RATES_MASK; + ++ il_power_update_mode(il, true); ++ D_INFO("Updated power mode\n"); ++ + if (il_is_associated(il)) { + struct il_rxon_cmd *active_rxon = + (struct il_rxon_cmd *)&il->active; +@@ -5346,9 +5349,6 @@ il4965_alive_start(struct il_priv *il) + D_INFO("ALIVE processing complete.\n"); + wake_up(&il->wait_command_queue); + +- il_power_update_mode(il, true); +- D_INFO("Updated power mode\n"); +- + return; + + restart: +diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c +index e9a3cbc..9c9ebad 100644 +--- a/drivers/net/wireless/iwlegacy/common.c ++++ b/drivers/net/wireless/iwlegacy/common.c +@@ -4660,6 +4660,7 @@ il_force_reset(struct il_priv *il, bool external) + + return 0; + } ++EXPORT_SYMBOL(il_force_reset); + + int + il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif, +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index a635988..5b44cd4 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -78,6 +78,12 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x04d8, 0x000c), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* CarrolTouch 4000U */ ++ { USB_DEVICE(0x04e7, 0x0009), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* CarrolTouch 4500U */ ++ { USB_DEVICE(0x04e7, 0x0030), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Samsung Android phone modem - ID conflict with SPH-I500 */ + { USB_DEVICE(0x04e8, 0x6601), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +diff 
--git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c +index f80d033..8e3c878 100644 +--- a/drivers/usb/host/ehci-sched.c ++++ b/drivers/usb/host/ehci-sched.c +@@ -1391,21 +1391,20 @@ iso_stream_schedule ( + + /* Behind the scheduling threshold? */ + if (unlikely(start < next)) { ++ unsigned now2 = (now - base) & (mod - 1); + + /* USB_ISO_ASAP: Round up to the first available slot */ + if (urb->transfer_flags & URB_ISO_ASAP) + start += (next - start + period - 1) & -period; + + /* +- * Not ASAP: Use the next slot in the stream. If +- * the entire URB falls before the threshold, fail. ++ * Not ASAP: Use the next slot in the stream, ++ * no matter what. + */ +- else if (start + span - period < next) { +- ehci_dbg(ehci, "iso urb late %p (%u+%u < %u)\n", ++ else if (start + span - period < now2) { ++ ehci_dbg(ehci, "iso underrun %p (%u+%u < %u)\n", + urb, start + base, +- span - period, next + base); +- status = -EXDEV; +- goto fail; ++ span - period, now2 + base); + } + } + +diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c +index 3549d07..07fbdf0 100644 +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -2315,7 +2315,7 @@ static int keyspan_startup(struct usb_serial *serial) + if (d_details == NULL) { + dev_err(&serial->dev->dev, "%s - unknown product id %x\n", + __func__, le16_to_cpu(serial->dev->descriptor.idProduct)); +- return 1; ++ return -ENODEV; + } + + /* Setup private data for serial driver */ +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c +index f27c621..5050cc8 100644 +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -90,6 +90,7 @@ struct urbtracker { + struct list_head urblist_entry; + struct kref ref_count; + struct urb *urb; ++ struct usb_ctrlrequest *setup; + }; + + enum mos7715_pp_modes { +@@ -271,6 +272,7 @@ static void destroy_urbtracker(struct kref *kref) + struct mos7715_parport *mos_parport = urbtrack->mos_parport; + + 
usb_free_urb(urbtrack->urb); ++ kfree(urbtrack->setup); + kfree(urbtrack); + kref_put(&mos_parport->ref_count, destroy_mos_parport); + } +@@ -355,7 +357,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + struct urbtracker *urbtrack; + int ret_val; + unsigned long flags; +- struct usb_ctrlrequest setup; + struct usb_serial *serial = mos_parport->serial; + struct usb_device *usbdev = serial->dev; + +@@ -373,14 +374,20 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + kfree(urbtrack); + return -ENOMEM; + } +- setup.bRequestType = (__u8)0x40; +- setup.bRequest = (__u8)0x0e; +- setup.wValue = get_reg_value(reg, dummy); +- setup.wIndex = get_reg_index(reg); +- setup.wLength = 0; ++ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL); ++ if (!urbtrack->setup) { ++ usb_free_urb(urbtrack->urb); ++ kfree(urbtrack); ++ return -ENOMEM; ++ } ++ urbtrack->setup->bRequestType = (__u8)0x40; ++ urbtrack->setup->bRequest = (__u8)0x0e; ++ urbtrack->setup->wValue = get_reg_value(reg, dummy); ++ urbtrack->setup->wIndex = get_reg_index(reg); ++ urbtrack->setup->wLength = 0; + usb_fill_control_urb(urbtrack->urb, usbdev, + usb_sndctrlpipe(usbdev, 0), +- (unsigned char *)&setup, ++ (unsigned char *)urbtrack->setup, + NULL, 0, async_complete, urbtrack); + kref_init(&urbtrack->ref_count); + INIT_LIST_HEAD(&urbtrack->urblist_entry); +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index b92d333..2c1749d 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -2208,7 +2208,7 @@ static int mos7810_check(struct usb_serial *serial) + static int mos7840_probe(struct usb_serial *serial, + const struct usb_device_id *id) + { +- u16 product = serial->dev->descriptor.idProduct; ++ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct); + u8 *buf; + int device_type; + +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c +index 
01f79f1..32bdd5e 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -1536,14 +1536,15 @@ static int ti_download_firmware(struct ti_device *tdev) + char buf[32]; + + /* try ID specific firmware first, then try generic firmware */ +- sprintf(buf, "ti_usb-v%04x-p%04x.fw", dev->descriptor.idVendor, +- dev->descriptor.idProduct); ++ sprintf(buf, "ti_usb-v%04x-p%04x.fw", ++ le16_to_cpu(dev->descriptor.idVendor), ++ le16_to_cpu(dev->descriptor.idProduct)); + status = request_firmware(&fw_p, buf, &dev->dev); + + if (status != 0) { + buf[0] = '\0'; +- if (dev->descriptor.idVendor == MTS_VENDOR_ID) { +- switch (dev->descriptor.idProduct) { ++ if (le16_to_cpu(dev->descriptor.idVendor) == MTS_VENDOR_ID) { ++ switch (le16_to_cpu(dev->descriptor.idProduct)) { + case MTS_CDMA_PRODUCT_ID: + strcpy(buf, "mts_cdma.fw"); + break; +diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c +index ece326e..db0cf53 100644 +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -291,18 +291,18 @@ static void usb_wwan_indat_callback(struct urb *urb) + tty_flip_buffer_push(&port->port); + } else + dev_dbg(dev, "%s: empty read urb received\n", __func__); +- +- /* Resubmit urb so we continue receiving */ +- err = usb_submit_urb(urb, GFP_ATOMIC); +- if (err) { +- if (err != -EPERM) { +- dev_err(dev, "%s: resubmit read urb failed. (%d)\n", __func__, err); +- /* busy also in error unless we are killed */ +- usb_mark_last_busy(port->serial->dev); +- } +- } else { ++ } ++ /* Resubmit urb so we continue receiving */ ++ err = usb_submit_urb(urb, GFP_ATOMIC); ++ if (err) { ++ if (err != -EPERM) { ++ dev_err(dev, "%s: resubmit read urb failed. 
(%d)\n", ++ __func__, err); ++ /* busy also in error unless we are killed */ + usb_mark_last_busy(port->serial->dev); + } ++ } else { ++ usb_mark_last_busy(port->serial->dev); + } + } + +diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c +index 6ef94bc..028fc83 100644 +--- a/drivers/usb/wusbcore/wa-xfer.c ++++ b/drivers/usb/wusbcore/wa-xfer.c +@@ -1110,6 +1110,12 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb) + } + spin_lock_irqsave(&xfer->lock, flags); + rpipe = xfer->ep->hcpriv; ++ if (rpipe == NULL) { ++ pr_debug("%s: xfer id 0x%08X has no RPIPE. %s", ++ __func__, wa_xfer_id(xfer), ++ "Probably already aborted.\n" ); ++ goto out_unlock; ++ } + /* Check the delayed list -> if there, release and complete */ + spin_lock_irqsave(&wa->xfer_list_lock, flags2); + if (!list_empty(&xfer->list_node) && xfer->seg == NULL) +@@ -1493,8 +1499,7 @@ static void wa_xfer_result_cb(struct urb *urb) + break; + } + usb_status = xfer_result->bTransferStatus & 0x3f; +- if (usb_status == WA_XFER_STATUS_ABORTED +- || usb_status == WA_XFER_STATUS_NOT_FOUND) ++ if (usb_status == WA_XFER_STATUS_NOT_FOUND) + /* taken care of already */ + break; + xfer_id = xfer_result->dwTransferID; +diff --git a/fs/exec.c b/fs/exec.c +index ffd7a81..1f44670 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -607,7 +607,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) + return -ENOMEM; + + lru_add_drain(); +- tlb_gather_mmu(&tlb, mm, 0); ++ tlb_gather_mmu(&tlb, mm, old_start, old_end); + if (new_end > old_start) { + /* + * when the old and new regions overlap clear from new_end. +@@ -624,7 +624,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) + free_pgd_range(&tlb, old_start, old_end, new_end, + vma->vm_next ? vma->vm_next->vm_start : USER_PGTABLES_CEILING); + } +- tlb_finish_mmu(&tlb, new_end, old_end); ++ tlb_finish_mmu(&tlb, old_start, old_end); + + /* + * Shrink the vma to just the new range. Always succeeds. 
+diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c +index 451eb40..1c88061 100644 +--- a/fs/ext4/ext4_jbd2.c ++++ b/fs/ext4/ext4_jbd2.c +@@ -219,10 +219,10 @@ int __ext4_handle_dirty_metadata(const char *where, unsigned int line, + set_buffer_prio(bh); + if (ext4_handle_valid(handle)) { + err = jbd2_journal_dirty_metadata(handle, bh); +- if (err) { +- /* Errors can only happen if there is a bug */ +- handle->h_err = err; +- __ext4_journal_stop(where, line, handle); ++ /* Errors can only happen if there is a bug */ ++ if (WARN_ON_ONCE(err)) { ++ ext4_journal_abort_handle(where, line, __func__, bh, ++ handle, err); + } + } else { + if (inode) +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 3e636d8..65fc60a 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -792,14 +792,14 @@ typedef struct { + } pagemap_entry_t; + + struct pagemapread { +- int pos, len; ++ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */ + pagemap_entry_t *buffer; + }; + + #define PAGEMAP_WALK_SIZE (PMD_SIZE) + #define PAGEMAP_WALK_MASK (PMD_MASK) + +-#define PM_ENTRY_BYTES sizeof(u64) ++#define PM_ENTRY_BYTES sizeof(pagemap_entry_t) + #define PM_STATUS_BITS 3 + #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS) + #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET) +@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, + if (!count) + goto out_task; + +- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); +- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY); ++ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); ++ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY); + ret = -ENOMEM; + if (!pm.buffer) + goto out_task; +diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h +index 13821c3..5672d7e 100644 +--- a/include/asm-generic/tlb.h ++++ b/include/asm-generic/tlb.h +@@ -112,7 +112,7 @@ struct mmu_gather { + + #define HAVE_GENERIC_MMU_GATHER + +-void tlb_gather_mmu(struct mmu_gather *tlb, struct 
mm_struct *mm, bool fullmm); ++void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end); + void tlb_flush_mmu(struct mmu_gather *tlb); + void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, + unsigned long end); +diff --git a/include/linux/elevator.h b/include/linux/elevator.h +index acd0312..306dd8c 100644 +--- a/include/linux/elevator.h ++++ b/include/linux/elevator.h +@@ -7,6 +7,7 @@ + #ifdef CONFIG_BLOCK + + struct io_cq; ++struct elevator_type; + + typedef int (elevator_merge_fn) (struct request_queue *, struct request **, + struct bio *); +@@ -35,7 +36,8 @@ typedef void (elevator_put_req_fn) (struct request *); + typedef void (elevator_activate_req_fn) (struct request_queue *, struct request *); + typedef void (elevator_deactivate_req_fn) (struct request_queue *, struct request *); + +-typedef int (elevator_init_fn) (struct request_queue *); ++typedef int (elevator_init_fn) (struct request_queue *, ++ struct elevator_type *e); + typedef void (elevator_exit_fn) (struct elevator_queue *); + + struct elevator_ops +@@ -155,6 +157,8 @@ extern int elevator_init(struct request_queue *, char *); + extern void elevator_exit(struct elevator_queue *); + extern int elevator_change(struct request_queue *, const char *); + extern bool elv_rq_merge_ok(struct request *, struct bio *); ++extern struct elevator_queue *elevator_alloc(struct request_queue *, ++ struct elevator_type *); + + /* + * Helper functions. 
+diff --git a/include/linux/sched.h b/include/linux/sched.h +index 178a8d9..3aeb14b 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -314,6 +314,7 @@ struct nsproxy; + struct user_namespace; + + #ifdef CONFIG_MMU ++extern unsigned long mmap_legacy_base(void); + extern void arch_pick_mmap_layout(struct mm_struct *mm); + extern unsigned long + arch_get_unmapped_area(struct file *, unsigned long, unsigned long, +diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h +index 4147d70..84662ec 100644 +--- a/include/linux/syscalls.h ++++ b/include/linux/syscalls.h +@@ -802,9 +802,14 @@ asmlinkage long sys_vfork(void); + asmlinkage long sys_clone(unsigned long, unsigned long, int __user *, int, + int __user *); + #else ++#ifdef CONFIG_CLONE_BACKWARDS3 ++asmlinkage long sys_clone(unsigned long, unsigned long, int, int __user *, ++ int __user *, int); ++#else + asmlinkage long sys_clone(unsigned long, unsigned long, int __user *, + int __user *, int); + #endif ++#endif + + asmlinkage long sys_execve(const char __user *filename, + const char __user *const __user *argv, +diff --git a/kernel/cpuset.c b/kernel/cpuset.c +index 64b3f79..6948e94 100644 +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -1502,11 +1502,13 @@ static int cpuset_write_u64(struct cgroup *cgrp, struct cftype *cft, u64 val) + { + struct cpuset *cs = cgroup_cs(cgrp); + cpuset_filetype_t type = cft->private; +- int retval = -ENODEV; ++ int retval = 0; + + mutex_lock(&cpuset_mutex); +- if (!is_cpuset_online(cs)) ++ if (!is_cpuset_online(cs)) { ++ retval = -ENODEV; + goto out_unlock; ++ } + + switch (type) { + case FILE_CPU_EXCLUSIVE: +diff --git a/kernel/fork.c b/kernel/fork.c +index 987b28a..ffbc090 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1675,6 +1675,12 @@ SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags, + int __user *, parent_tidptr, + int __user *, child_tidptr, + int, tls_val) ++#elif defined(CONFIG_CLONE_BACKWARDS3) 
++SYSCALL_DEFINE6(clone, unsigned long, clone_flags, unsigned long, newsp, ++ int, stack_size, ++ int __user *, parent_tidptr, ++ int __user *, child_tidptr, ++ int, tls_val) + #else + SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp, + int __user *, parent_tidptr, +diff --git a/kernel/power/qos.c b/kernel/power/qos.c +index 587ddde..25cf89b 100644 +--- a/kernel/power/qos.c ++++ b/kernel/power/qos.c +@@ -293,6 +293,15 @@ int pm_qos_request_active(struct pm_qos_request *req) + } + EXPORT_SYMBOL_GPL(pm_qos_request_active); + ++static void __pm_qos_update_request(struct pm_qos_request *req, ++ s32 new_value) ++{ ++ if (new_value != req->node.prio) ++ pm_qos_update_target( ++ pm_qos_array[req->pm_qos_class]->constraints, ++ &req->node, PM_QOS_UPDATE_REQ, new_value); ++} ++ + /** + * pm_qos_work_fn - the timeout handler of pm_qos_update_request_timeout + * @work: work struct for the delayed work (timeout) +@@ -305,7 +314,7 @@ static void pm_qos_work_fn(struct work_struct *work) + struct pm_qos_request, + work); + +- pm_qos_update_request(req, PM_QOS_DEFAULT_VALUE); ++ __pm_qos_update_request(req, PM_QOS_DEFAULT_VALUE); + } + + /** +@@ -365,6 +374,8 @@ void pm_qos_update_request(struct pm_qos_request *req, + pm_qos_update_target( + pm_qos_array[req->pm_qos_class]->constraints, + &req->node, PM_QOS_UPDATE_REQ, new_value); ++ ++ __pm_qos_update_request(req, new_value); + } + EXPORT_SYMBOL_GPL(pm_qos_update_request); + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index c61a614..03b73be 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -1984,6 +1984,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued) + */ + update_entity_load_avg(curr, 1); + update_cfs_rq_blocked_load(cfs_rq, 1); ++ update_cfs_shares(cfs_rq); + + #ifdef CONFIG_SCHED_HRTICK + /* +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 5cf99bf..7c5eb85 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2490,7 +2490,7 @@ void 
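Review bot: In the `pm_qos_update_request()` hunk of kernel/power/qos.c (`@@ -365,6 +374,8 @@`), the new `__pm_qos_update_request(req, new_value);` call is appended after the existing `pm_qos_update_target(...)` call, which remains as context, so the update path now appears twice in the function. The helper added in the `@@ -293,6 +293,15 @@` hunk already carries the `new_value != req->node.prio` guard, so the inline call and whatever guard precedes it (outside the hunk) look redundant and could be dropped, leaving only `__pm_qos_update_request(req, new_value);`. The second call is presumably a no-op once the first has updated the node, but that depends on `pm_qos_update_target()`, which is not shown here.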
unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, + + mm = vma->vm_mm; + +- tlb_gather_mmu(&tlb, mm, 0); ++ tlb_gather_mmu(&tlb, mm, start, end); + __unmap_hugepage_range(&tlb, vma, start, end, ref_page); + tlb_finish_mmu(&tlb, start, end); + } +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 15b0409..82a187a 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3186,11 +3186,11 @@ int memcg_register_cache(struct mem_cgroup *memcg, struct kmem_cache *s, + if (!s->memcg_params) + return -ENOMEM; + +- INIT_WORK(&s->memcg_params->destroy, +- kmem_cache_destroy_work_func); + if (memcg) { + s->memcg_params->memcg = memcg; + s->memcg_params->root_cache = root_cache; ++ INIT_WORK(&s->memcg_params->destroy, ++ kmem_cache_destroy_work_func); + } else + s->memcg_params->is_root_cache = true; + +diff --git a/mm/memory.c b/mm/memory.c +index 5e50800..5a35443 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -211,14 +211,15 @@ static int tlb_next_batch(struct mmu_gather *tlb) + * tear-down from @mm. The @fullmm argument is used when @mm is without + * users and we're going to destroy the full address space (exit/execve). + */ +-void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, bool fullmm) ++void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; + +- tlb->fullmm = fullmm; ++ /* Is it from 0 to ~0? 
*/ ++ tlb->fullmm = !(start | (end+1)); + tlb->need_flush_all = 0; +- tlb->start = -1UL; +- tlb->end = 0; ++ tlb->start = start; ++ tlb->end = end; + tlb->need_flush = 0; + tlb->local.next = NULL; + tlb->local.nr = 0; +@@ -258,8 +259,6 @@ void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, unsigned long e + { + struct mmu_gather_batch *batch, *next; + +- tlb->start = start; +- tlb->end = end; + tlb_flush_mmu(tlb); + + /* keep the page table cache within bounds */ +@@ -1101,7 +1100,6 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, + spinlock_t *ptl; + pte_t *start_pte; + pte_t *pte; +- unsigned long range_start = addr; + + again: + init_rss_vec(rss); +@@ -1204,17 +1202,25 @@ again: + * and page-free while holding it. + */ + if (force_flush) { ++ unsigned long old_end; ++ + force_flush = 0; + +-#ifdef HAVE_GENERIC_MMU_GATHER +- tlb->start = range_start; ++ /* ++ * Flush the TLB just for the previous segment, ++ * then update the range to be the remaining ++ * TLB range. 
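Review bot: The kernel-doc above `tlb_gather_mmu()` in mm/memory.c still describes an `@fullmm` argument, but the new signature takes `start` and `end` and derives `fullmm` from them. The comment should state that a full address-space teardown is requested by passing `0, -1` (as the `exit_mmap()` hunk does) and that `!(start | (end+1))` relies on `end + 1` wrapping to zero, for example `/* fullmm iff start == 0 && end == ~0UL (end + 1 wraps to 0) */` in place of `/* Is it from 0 to ~0? */`. In the `tlb_finish_mmu()` hunk that follows, the `start`/`end` parameters are no longer stored, so in the lines shown they appear unused and the values callers pass there no longer set the flush range; a one-line comment saying so would prevent misuse. Both function bodies continue outside their hunks.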
++ */ ++ old_end = tlb->end; + tlb->end = addr; +-#endif ++ + tlb_flush_mmu(tlb); +- if (addr != end) { +- range_start = addr; ++ ++ tlb->start = addr; ++ tlb->end = old_end; ++ ++ if (addr != end) + goto again; +- } + } + + return addr; +@@ -1399,7 +1405,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start, + unsigned long end = start + size; + + lru_add_drain(); +- tlb_gather_mmu(&tlb, mm, 0); ++ tlb_gather_mmu(&tlb, mm, start, end); + update_hiwater_rss(mm); + mmu_notifier_invalidate_range_start(mm, start, end); + for ( ; vma && vma->vm_start < end; vma = vma->vm_next) +@@ -1425,7 +1431,7 @@ static void zap_page_range_single(struct vm_area_struct *vma, unsigned long addr + unsigned long end = address + size; + + lru_add_drain(); +- tlb_gather_mmu(&tlb, mm, 0); ++ tlb_gather_mmu(&tlb, mm, address, end); + update_hiwater_rss(mm); + mmu_notifier_invalidate_range_start(mm, address, end); + unmap_single_vma(&tlb, vma, address, end, details); +diff --git a/mm/mmap.c b/mm/mmap.c +index 7dbe397..8d25fdc 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2356,7 +2356,7 @@ static void unmap_region(struct mm_struct *mm, + struct mmu_gather tlb; + + lru_add_drain(); +- tlb_gather_mmu(&tlb, mm, 0); ++ tlb_gather_mmu(&tlb, mm, start, end); + update_hiwater_rss(mm); + unmap_vmas(&tlb, vma, start, end); + free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS, +@@ -2735,7 +2735,7 @@ void exit_mmap(struct mm_struct *mm) + + lru_add_drain(); + flush_cache_mm(mm); +- tlb_gather_mmu(&tlb, mm, 1); ++ tlb_gather_mmu(&tlb, mm, 0, -1); + /* update_hiwater_rss(mm) here? 
but nobody should be looking */ + /* Use -1 here to ensure all VMAs in the mm are unmapped */ + unmap_vmas(&tlb, vma, 0, -1); +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 741448b..55a42f9 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -237,8 +237,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + struct ieee80211_channel *channel, + const struct ieee80211_ht_operation *ht_oper, + const struct ieee80211_vht_operation *vht_oper, +- struct cfg80211_chan_def *chandef, bool verbose) ++ struct cfg80211_chan_def *chandef, bool tracking) + { ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct cfg80211_chan_def vht_chandef; + u32 ht_cfreq, ret; + +@@ -257,7 +258,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan, + channel->band); + /* check that channel matches the right operating channel */ +- if (channel->center_freq != ht_cfreq) { ++ if (!tracking && channel->center_freq != ht_cfreq) { + /* + * It's possible that some APs are confused here; + * Netgear WNDR3700 sometimes reports 4 higher than +@@ -265,11 +266,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + * since we look at probe response/beacon data here + * it should be OK. 
+ */ +- if (verbose) +- sdata_info(sdata, +- "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", +- channel->center_freq, ht_cfreq, +- ht_oper->primary_chan, channel->band); ++ sdata_info(sdata, ++ "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", ++ channel->center_freq, ht_cfreq, ++ ht_oper->primary_chan, channel->band); + ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT; + goto out; + } +@@ -323,7 +323,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + channel->band); + break; + default: +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT operation IE has invalid channel width (%d), disable VHT\n", + vht_oper->chan_width); +@@ -332,7 +332,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + } + + if (!cfg80211_chandef_valid(&vht_chandef)) { +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT information is invalid, disable VHT\n"); + ret = IEEE80211_STA_DISABLE_VHT; +@@ -345,7 +345,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + } + + if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) { +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT information doesn't match HT, disable VHT\n"); + ret = IEEE80211_STA_DISABLE_VHT; +@@ -361,18 +361,27 @@ out: + if (ret & IEEE80211_STA_DISABLE_VHT) + vht_chandef = *chandef; + ++ /* ++ * Ignore the DISABLED flag when we're already connected and only ++ * tracking the APs beacon for bandwidth changes - otherwise we ++ * might get disconnected here if we connect to an AP, update our ++ * regulatory information based on the AP's country IE and the ++ * information we have is wrong/outdated and disables the channel ++ * that we're actually using for the connection to the AP. 
++ */ + while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef, +- IEEE80211_CHAN_DISABLED)) { ++ tracking ? 0 : ++ IEEE80211_CHAN_DISABLED)) { + if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { + ret = IEEE80211_STA_DISABLE_HT | + IEEE80211_STA_DISABLE_VHT; +- goto out; ++ break; + } + + ret |= chandef_downgrade(chandef); + } + +- if (chandef->width != vht_chandef.width && verbose) ++ if (chandef->width != vht_chandef.width && !tracking) + sdata_info(sdata, + "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n"); + +@@ -412,7 +421,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata, + + /* calculate new channel (type) based on HT/VHT operation IEs */ + flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper, +- vht_oper, &chandef, false); ++ vht_oper, &chandef, true); + + /* + * Downgrade the new channel if we associated with restricted +@@ -3906,7 +3915,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata, + ifmgd->flags |= ieee80211_determine_chantype(sdata, sband, + cbss->channel, + ht_oper, vht_oper, +- &chandef, true); ++ &chandef, false); + + sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss), + local->rx_chains); +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 1076fe1..ba6e55d 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -789,6 +789,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb) + struct net *net = sock_net(skb->sk); + int chains_to_skip = cb->args[0]; + int fams_to_skip = cb->args[1]; ++ bool need_locking = chains_to_skip || fams_to_skip; ++ ++ if (need_locking) ++ genl_lock(); + + for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) { + n = 0; +@@ -810,6 +814,9 @@ errout: + cb->args[0] = i; + cb->args[1] = n; + ++ if (need_locking) ++ genl_unlock(); ++ + return skb->len; + } + +diff --git a/net/wireless/core.c b/net/wireless/core.c +index 
73405e0..64fcbae 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -876,6 +876,7 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev, + cfg80211_leave_mesh(rdev, dev); + break; + case NL80211_IFTYPE_AP: ++ case NL80211_IFTYPE_P2P_GO: + cfg80211_stop_ap(rdev, dev); + break; + default: +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index db8ead9..448c034 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -471,10 +471,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, + goto out_unlock; + } + *rdev = wiphy_to_dev((*wdev)->wiphy); +- cb->args[0] = (*rdev)->wiphy_idx; ++ /* 0 is the first index - add 1 to parse only once */ ++ cb->args[0] = (*rdev)->wiphy_idx + 1; + cb->args[1] = (*wdev)->identifier; + } else { +- struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); ++ /* subtract the 1 again here */ ++ struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); + struct wireless_dev *tmp; + + if (!wiphy) { +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 24400cf..ad22dec 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -519,7 +519,7 @@ static bool same_amp_caps(struct hda_codec *codec, hda_nid_t nid1, + } + + #define nid_has_mute(codec, nid, dir) \ +- check_amp_caps(codec, nid, dir, AC_AMPCAP_MUTE) ++ check_amp_caps(codec, nid, dir, (AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE)) + #define nid_has_volume(codec, nid, dir) \ + check_amp_caps(codec, nid, dir, AC_AMPCAP_NUM_STEPS) + +@@ -621,7 +621,7 @@ static int get_amp_val_to_activate(struct hda_codec *codec, hda_nid_t nid, + if (enable) + val = (caps & AC_AMPCAP_OFFSET) >> AC_AMPCAP_OFFSET_SHIFT; + } +- if (caps & AC_AMPCAP_MUTE) { ++ if (caps & (AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE)) { + if (!enable) + val |= HDA_AMP_MUTE; + } +@@ -645,7 +645,7 @@ static unsigned int get_amp_mask_to_modify(struct hda_codec *codec, + { + unsigned int mask = 0xff; + +- if (caps & AC_AMPCAP_MUTE) { ++ if (caps & 
(AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE)) { + if (is_ctl_associated(codec, nid, dir, idx, NID_PATH_MUTE_CTL)) + mask &= ~0x80; + } +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 051c03d..57f9f2a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1027,6 +1027,7 @@ enum { + ALC880_FIXUP_GPIO2, + ALC880_FIXUP_MEDION_RIM, + ALC880_FIXUP_LG, ++ ALC880_FIXUP_LG_LW25, + ALC880_FIXUP_W810, + ALC880_FIXUP_EAPD_COEF, + ALC880_FIXUP_TCL_S700, +@@ -1085,6 +1086,14 @@ static const struct hda_fixup alc880_fixups[] = { + { } + } + }, ++ [ALC880_FIXUP_LG_LW25] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1a, 0x0181344f }, /* line-in */ ++ { 0x1b, 0x0321403f }, /* headphone */ ++ { } ++ } ++ }, + [ALC880_FIXUP_W810] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -1337,6 +1346,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = { + SND_PCI_QUIRK(0x1854, 0x003b, "LG", ALC880_FIXUP_LG), + SND_PCI_QUIRK(0x1854, 0x005f, "LG P1 Express", ALC880_FIXUP_LG), + SND_PCI_QUIRK(0x1854, 0x0068, "LG w1", ALC880_FIXUP_LG), ++ SND_PCI_QUIRK(0x1854, 0x0077, "LG LW25", ALC880_FIXUP_LG_LW25), + SND_PCI_QUIRK(0x19db, 0x4188, "TCL S700", ALC880_FIXUP_TCL_S700), + + /* Below is the copied entries from alc880_quirks.c. 
+@@ -4200,6 +4210,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC), ++ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27", ALC662_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), +diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c +index 987f728..ee25f32 100644 +--- a/sound/soc/codecs/cs42l52.c ++++ b/sound/soc/codecs/cs42l52.c +@@ -451,7 +451,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = { + SOC_ENUM("Beep Pitch", beep_pitch_enum), + SOC_ENUM("Beep on Time", beep_ontime_enum), + SOC_ENUM("Beep off Time", beep_offtime_enum), +- SOC_SINGLE_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x1f, 0x07, hl_tlv), ++ SOC_SINGLE_SX_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x07, 0x1f, hl_tlv), + SOC_SINGLE("Beep Mixer Switch", CS42L52_BEEP_TONE_CTL, 5, 1, 1), + SOC_ENUM("Beep Treble Corner Freq", beep_treble_enum), + SOC_ENUM("Beep Bass Corner Freq", beep_bass_enum), +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index c7051c4..3606383 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -682,13 +682,14 @@ static int dapm_new_mux(struct snd_soc_dapm_widget *w) + return -EINVAL; + } + +- path = list_first_entry(&w->sources, struct snd_soc_dapm_path, +- list_sink); +- if (!path) { ++ if (list_empty(&w->sources)) { + dev_err(dapm->dev, "ASoC: mux %s has no paths\n", w->name); + return -EINVAL; + } + ++ path = list_first_entry(&w->sources, struct snd_soc_dapm_path, ++ list_sink); ++ + ret = dapm_create_or_share_mixmux_kcontrol(w, 0, path); + if (ret < 0) + return ret; +diff --git 
a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c +index 31d092d..a5432b1 100644 +--- a/sound/soc/tegra/tegra30_i2s.c ++++ b/sound/soc/tegra/tegra30_i2s.c +@@ -228,7 +228,7 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream, + reg = TEGRA30_I2S_CIF_RX_CTRL; + } else { + val |= TEGRA30_AUDIOCIF_CTRL_DIRECTION_TX; +- reg = TEGRA30_I2S_CIF_RX_CTRL; ++ reg = TEGRA30_I2S_CIF_TX_CTRL; + } + + regmap_write(i2s->regmap, reg, val); +diff --git a/sound/usb/6fire/midi.c b/sound/usb/6fire/midi.c +index 2672242..f3dd726 100644 +--- a/sound/usb/6fire/midi.c ++++ b/sound/usb/6fire/midi.c +@@ -19,6 +19,10 @@ + #include "chip.h" + #include "comm.h" + ++enum { ++ MIDI_BUFSIZE = 64 ++}; ++ + static void usb6fire_midi_out_handler(struct urb *urb) + { + struct midi_runtime *rt = urb->context; +@@ -156,6 +160,12 @@ int usb6fire_midi_init(struct sfire_chip *chip) + if (!rt) + return -ENOMEM; + ++ rt->out_buffer = kzalloc(MIDI_BUFSIZE, GFP_KERNEL); ++ if (!rt->out_buffer) { ++ kfree(rt); ++ return -ENOMEM; ++ } ++ + rt->chip = chip; + rt->in_received = usb6fire_midi_in_received; + rt->out_buffer[0] = 0x80; /* 'send midi' command */ +@@ -169,6 +179,7 @@ int usb6fire_midi_init(struct sfire_chip *chip) + + ret = snd_rawmidi_new(chip->card, "6FireUSB", 0, 1, 1, &rt->instance); + if (ret < 0) { ++ kfree(rt->out_buffer); + kfree(rt); + snd_printk(KERN_ERR PREFIX "unable to create midi.\n"); + return ret; +@@ -197,6 +208,9 @@ void usb6fire_midi_abort(struct sfire_chip *chip) + + void usb6fire_midi_destroy(struct sfire_chip *chip) + { +- kfree(chip->midi); ++ struct midi_runtime *rt = chip->midi; ++ ++ kfree(rt->out_buffer); ++ kfree(rt); + chip->midi = NULL; + } +diff --git a/sound/usb/6fire/midi.h b/sound/usb/6fire/midi.h +index c321006..84851b9 100644 +--- a/sound/usb/6fire/midi.h ++++ b/sound/usb/6fire/midi.h +@@ -16,10 +16,6 @@ + + #include "common.h" + +-enum { +- MIDI_BUFSIZE = 64 +-}; +- + struct midi_runtime { + struct sfire_chip *chip; + struct 
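Review bot: `usb6fire_midi_destroy()` in sound/usb/6fire/midi.c now dereferences `chip->midi` through `kfree(rt->out_buffer)`, whereas the old `kfree(chip->midi)` was safe when the pointer was NULL. If the function can run after a failed `usb6fire_midi_init()` or a second time (it sets `chip->midi = NULL` itself), this becomes a NULL pointer dereference; whether the callers guard against that is not visible in the hunk. A cheap guard is `if (!rt) return;` before the first `kfree`. The same pattern is introduced in `usb6fire_pcm_destroy()` in sound/usb/6fire/pcm.c, where `usb6fire_pcm_buffers_destroy(rt)` reads `rt->out_urbs[i].buffer`.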
snd_rawmidi *instance; +@@ -32,7 +28,7 @@ struct midi_runtime { + struct snd_rawmidi_substream *out; + struct urb out_urb; + u8 out_serial; /* serial number of out packet */ +- u8 out_buffer[MIDI_BUFSIZE]; ++ u8 *out_buffer; + int buffer_offset; + + void (*in_received)(struct midi_runtime *rt, u8 *data, int length); +diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c +index 074aaf7..25f9e61 100644 +--- a/sound/usb/6fire/pcm.c ++++ b/sound/usb/6fire/pcm.c +@@ -580,6 +580,33 @@ static void usb6fire_pcm_init_urb(struct pcm_urb *urb, + urb->instance.number_of_packets = PCM_N_PACKETS_PER_URB; + } + ++static int usb6fire_pcm_buffers_init(struct pcm_runtime *rt) ++{ ++ int i; ++ ++ for (i = 0; i < PCM_N_URBS; i++) { ++ rt->out_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB ++ * PCM_MAX_PACKET_SIZE, GFP_KERNEL); ++ if (!rt->out_urbs[i].buffer) ++ return -ENOMEM; ++ rt->in_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB ++ * PCM_MAX_PACKET_SIZE, GFP_KERNEL); ++ if (!rt->in_urbs[i].buffer) ++ return -ENOMEM; ++ } ++ return 0; ++} ++ ++static void usb6fire_pcm_buffers_destroy(struct pcm_runtime *rt) ++{ ++ int i; ++ ++ for (i = 0; i < PCM_N_URBS; i++) { ++ kfree(rt->out_urbs[i].buffer); ++ kfree(rt->in_urbs[i].buffer); ++ } ++} ++ + int usb6fire_pcm_init(struct sfire_chip *chip) + { + int i; +@@ -591,6 +618,13 @@ int usb6fire_pcm_init(struct sfire_chip *chip) + if (!rt) + return -ENOMEM; + ++ ret = usb6fire_pcm_buffers_init(rt); ++ if (ret) { ++ usb6fire_pcm_buffers_destroy(rt); ++ kfree(rt); ++ return ret; ++ } ++ + rt->chip = chip; + rt->stream_state = STREAM_DISABLED; + rt->rate = ARRAY_SIZE(rates); +@@ -612,6 +646,7 @@ int usb6fire_pcm_init(struct sfire_chip *chip) + + ret = snd_pcm_new(chip->card, "DMX6FireUSB", 0, 1, 1, &pcm); + if (ret < 0) { ++ usb6fire_pcm_buffers_destroy(rt); + kfree(rt); + snd_printk(KERN_ERR PREFIX "cannot create pcm instance.\n"); + return ret; +@@ -627,6 +662,7 @@ int usb6fire_pcm_init(struct sfire_chip *chip) + 
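Review bot: `usb6fire_pcm_buffers_init()` in sound/usb/6fire/pcm.c returns `-ENOMEM` part-way through its loop and leaves cleanup to the caller, which is correct only because `usb6fire_pcm_buffers_destroy()` calls `kfree()` on every slot and the slots never reached are NULL. That depends on `rt` having been zero-initialised, and its allocation is outside the hunks shown, so the contract should be written above the function: `/* On failure the caller must call usb6fire_pcm_buffers_destroy(); rt must be zeroed. */`. Without that note, a later change of the allocation to a non-zeroing allocator would turn the error path into a free of uninitialised pointers.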
snd_dma_continuous_data(GFP_KERNEL), + MAX_BUFSIZE, MAX_BUFSIZE); + if (ret) { ++ usb6fire_pcm_buffers_destroy(rt); + kfree(rt); + snd_printk(KERN_ERR PREFIX + "error preallocating pcm buffers.\n"); +@@ -671,6 +707,9 @@ void usb6fire_pcm_abort(struct sfire_chip *chip) + + void usb6fire_pcm_destroy(struct sfire_chip *chip) + { +- kfree(chip->pcm); ++ struct pcm_runtime *rt = chip->pcm; ++ ++ usb6fire_pcm_buffers_destroy(rt); ++ kfree(rt); + chip->pcm = NULL; + } +diff --git a/sound/usb/6fire/pcm.h b/sound/usb/6fire/pcm.h +index 9b01133..f5779d6 100644 +--- a/sound/usb/6fire/pcm.h ++++ b/sound/usb/6fire/pcm.h +@@ -32,7 +32,7 @@ struct pcm_urb { + struct urb instance; + struct usb_iso_packet_descriptor packets[PCM_N_PACKETS_PER_URB]; + /* END DO NOT SEPARATE */ +- u8 buffer[PCM_N_PACKETS_PER_URB * PCM_MAX_PACKET_SIZE]; ++ u8 *buffer; + + struct pcm_urb *peer; + }; +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index d543808..95558ef 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -888,6 +888,7 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval, + case USB_ID(0x046d, 0x081b): /* HD Webcam c310 */ + case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */ + case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */ ++ case USB_ID(0x046d, 0x0826): /* HD Webcam c525 */ + case USB_ID(0x046d, 0x0991): + /* Most audio usb devices lie about volume resolution. + * Most Logitech webcams have res = 384. diff --git a/3.10.9/1008_linux-3.10.9.patch b/3.10.9/1008_linux-3.10.9.patch new file mode 100644 index 0000000..e91b33a --- /dev/null +++ b/3.10.9/1008_linux-3.10.9.patch 
@@ -0,0 +1,37 @@ +diff --git a/Makefile b/Makefile +index 1a21612..4b31d62 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 10 +-SUBLEVEL = 8 ++SUBLEVEL = 9 + EXTRAVERSION = + NAME = TOSSUG Baby Fish + +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index ba6e55d..1076fe1 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -789,10 +789,6 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb) + struct net *net = sock_net(skb->sk); + int chains_to_skip = cb->args[0]; + int fams_to_skip = cb->args[1]; +- bool need_locking = chains_to_skip || fams_to_skip; +- +- if (need_locking) +- genl_lock(); + + for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) { + n = 0; +@@ -814,9 +810,6 @@ errout: + cb->args[0] = i; + cb->args[1] = n; + +- if (need_locking) +- genl_unlock(); +- + return skb->len; + } + diff --git a/3.10.7/4420_grsecurity-2.9.1-3.10.7-201308192211.patch b/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch index 73ebf27..24d81a0 100644 --- a/3.10.7/4420_grsecurity-2.9.1-3.10.7-201308192211.patch +++ b/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch @@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 33e36ab..31f1dc8 100644 +index 4b31d62..ac99d49 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -2144,33 +2144,6 @@ index f00b569..aa5bb41 100644 /* * Change these and you break ASM code in entry-common.S -diff --git a/arch/arm/include/asm/tlb.h b/arch/arm/include/asm/tlb.h -index bdf2b84..aa9b4ac 100644 ---- a/arch/arm/include/asm/tlb.h -+++ b/arch/arm/include/asm/tlb.h -@@ -43,6 +43,7 @@ struct mmu_gather { - struct mm_struct *mm; - unsigned int fullmm; - struct vm_area_struct *vma; -+ unsigned long start, end; - unsigned long range_start; - unsigned long range_end; - unsigned int nr; -@@ -107,10 +108,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) - } - - static inline void --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; -- tlb->fullmm = fullmm; -+ tlb->fullmm = !(start | (end+1)); -+ tlb->start = start; -+ tlb->end = end; - tlb->vma = NULL; - tlb->max = ARRAY_SIZE(tlb->local); - tlb->pages = tlb->local; diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 7e1f760..de33b13 100644 --- a/arch/arm/include/asm/uaccess.h @@ -2889,33 +2862,18 @@ index 07314af..c46655c 100644 flush_icache_range((uintptr_t)(addr), (uintptr_t)(addr) + size); diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c -index d9f5cd4..e186ee1 100644 +index e19edc6..e186ee1 100644 --- a/arch/arm/kernel/perf_event.c 
+++ b/arch/arm/kernel/perf_event.c -@@ -53,7 +53,12 @@ armpmu_map_cache_event(const unsigned (*cache_map) - static int - armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config) - { -- int mapping = (*event_map)[config]; -+ int mapping; -+ -+ if (config >= PERF_COUNT_HW_MAX) -+ return -EINVAL; -+ -+ mapping = (*event_map)[config]; - return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping; - } - -@@ -253,6 +258,9 @@ validate_event(struct pmu_hw_events *hw_events, - struct arm_pmu *armpmu = to_arm_pmu(event->pmu); - struct pmu *leader_pmu = event->group_leader->pmu; +@@ -56,7 +56,7 @@ armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config) + int mapping; -+ if (is_software_event(event)) -+ return 1; -+ - if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) - return 1; + if (config >= PERF_COUNT_HW_MAX) +- return -ENOENT; ++ return -EINVAL; + mapping = (*event_map)[config]; + return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping; diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c index 1f2740e..b36e225 100644 --- a/arch/arm/kernel/perf_event_cpu.c @@ -2930,21 +2888,9 @@ index 1f2740e..b36e225 100644 }; diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 5bc2615..4f1a0c2 100644 +index 5bc2615..dcd439f 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c -@@ -28,10 +28,10 @@ - #include <linux/tick.h> - #include <linux/utsname.h> - #include <linux/uaccess.h> --#include <linux/random.h> - #include <linux/hw_breakpoint.h> - #include <linux/cpuidle.h> - #include <linux/leds.h> -+#include <linux/random.h> - - #include <asm/cacheflush.h> - #include <asm/idmap.h> @@ -223,6 +223,7 @@ void machine_power_off(void) if (pm_power_off) 
@@ -4543,33 +4489,6 @@ index ce6d763..cfea917 100644 extern void *samsung_dmadev_get_ops(void); extern void *s3c_dma_get_ops(void); -diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h -index 654f096..5546653 100644 ---- a/arch/arm64/include/asm/tlb.h -+++ b/arch/arm64/include/asm/tlb.h -@@ -35,6 +35,7 @@ struct mmu_gather { - struct mm_struct *mm; - unsigned int fullmm; - struct vm_area_struct *vma; -+ unsigned long start, end; - unsigned long range_start; - unsigned long range_end; - unsigned int nr; -@@ -97,10 +98,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) - } - - static inline void --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; -- tlb->fullmm = fullmm; -+ tlb->fullmm = !(start | (end+1)); -+ tlb->start = start; -+ tlb->end = end; - tlb->vma = NULL; - tlb->max = ARRAY_SIZE(tlb->local); - tlb->pages = tlb->local; diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index f4726dc..39ed646 100644 --- a/arch/arm64/kernel/debug-monitors.c 
@@ -4979,45 +4898,6 @@ index 54ff557..70c88b7 100644 } static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock) -diff --git a/arch/ia64/include/asm/tlb.h b/arch/ia64/include/asm/tlb.h -index ef3a9de..bc5efc7 100644 ---- a/arch/ia64/include/asm/tlb.h -+++ b/arch/ia64/include/asm/tlb.h -@@ -22,7 +22,7 @@ - * unmapping a portion of the virtual address space, these hooks are called according to - * the following template: - * -- * tlb <- tlb_gather_mmu(mm, full_mm_flush); // start unmap for address space MM -+ * tlb <- tlb_gather_mmu(mm, start, end); // start unmap for address space MM - * { - * for each vma that needs a shootdown do { - * tlb_start_vma(tlb, vma); -@@ -58,6 +58,7 @@ struct mmu_gather { - unsigned int max; - unsigned char fullmm; /* non-zero means full mm flush */ - unsigned char need_flush; /* really unmapped some PTEs? */ -+ unsigned long start, end; - unsigned long start_addr; - unsigned long end_addr; - struct page **pages; -@@ -155,13 +156,15 @@ static inline void __tlb_alloc_page(struct mmu_gather *tlb) - - - static inline void --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; - tlb->max = ARRAY_SIZE(tlb->local); - tlb->pages = tlb->local; - tlb->nr = 0; -- tlb->fullmm = full_mm_flush; -+ tlb->fullmm = !(start | (end+1)); -+ tlb->start = start; -+ tlb->end = end; - tlb->start_addr = ~0UL; - } - diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h index 449c8c0..18965fb 100644 --- a/arch/ia64/include/asm/uaccess.h 
@@ -7645,34 +7525,6 @@ index c4a93d6..4d2a9b4 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* __ASM_EXEC_H */ -diff --git a/arch/s390/include/asm/tlb.h b/arch/s390/include/asm/tlb.h -index b75d7d6..6d6d92b 100644 ---- a/arch/s390/include/asm/tlb.h -+++ b/arch/s390/include/asm/tlb.h -@@ -32,6 +32,7 @@ struct mmu_gather { - struct mm_struct *mm; - struct mmu_table_batch *batch; - unsigned int fullmm; -+ unsigned long start, end; - }; - - struct mmu_table_batch { -@@ -48,10 +49,13 @@ extern void tlb_remove_table(struct mmu_gather *tlb, void *table); - - static inline void tlb_gather_mmu(struct mmu_gather *tlb, - struct mm_struct *mm, -- unsigned int full_mm_flush) -+ unsigned long start, -+ unsigned long end) - { - tlb->mm = mm; -- tlb->fullmm = full_mm_flush; -+ tlb->start = start; -+ tlb->end = end; -+ tlb->fullmm = !(start | (end+1)); - tlb->batch = NULL; - if (tlb->fullmm) - __tlb_flush_mm(mm); diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h index 9c33ed4..e40cbef 100644 --- a/arch/s390/include/asm/uaccess.h @@ -7941,25 +7793,6 @@ index ef9e555..331bd29 100644 #define __read_mostly __attribute__((__section__(".data..read_mostly"))) -diff --git a/arch/sh/include/asm/tlb.h b/arch/sh/include/asm/tlb.h -index e61d43d..362192e 100644 ---- a/arch/sh/include/asm/tlb.h -+++ b/arch/sh/include/asm/tlb.h -@@ -36,10 +36,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) - } - - static inline void --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; -- tlb->fullmm = full_mm_flush; -+ tlb->start = start; -+ tlb->end = end; -+ tlb->fullmm = !(start | (end+1)); - - init_tlb_gather(tlb); - } diff --git a/arch/sh/kernel/cpu/sh4a/smp-shx3.c b/arch/sh/kernel/cpu/sh4a/smp-shx3.c index 03f2b55..b0270327 100644 --- a/arch/sh/kernel/cpu/sh4a/smp-shx3.c 
@@ -10595,25 +10428,6 @@ index 0032f92..cd151e0 100644 #ifdef CONFIG_64BIT #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval)) -diff --git a/arch/um/include/asm/tlb.h b/arch/um/include/asm/tlb.h -index 4febacd..29b0301 100644 ---- a/arch/um/include/asm/tlb.h -+++ b/arch/um/include/asm/tlb.h -@@ -45,10 +45,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) - } - - static inline void --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; -- tlb->fullmm = full_mm_flush; -+ tlb->start = start; -+ tlb->end = end; -+ tlb->fullmm = !(start | (end+1)); - - init_tlb_gather(tlb); - } diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c index bbcef52..6a2a483 100644 --- a/arch/um/kernel/process.c @@ -15963,7 +15777,7 @@ index e642300..0ef8f31 100644 #define pgprot_writecombine pgprot_writecombine extern pgprot_t pgprot_writecombine(pgprot_t prot); diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 22224b3..c5d8d7d 100644 +index 22224b3..b3a2f90 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -198,9 +198,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, 
@@ -16006,7 +15820,39 @@ index 22224b3..c5d8d7d 100644 #endif #ifdef CONFIG_X86_32 unsigned long ip; -@@ -823,11 +836,18 @@ static inline void spin_lock_prefetch(const void *x) +@@ -552,29 +565,8 @@ static inline void load_sp0(struct tss_struct *tss, + extern unsigned long mmu_cr4_features; + extern u32 *trampoline_cr4_features; + +-static inline void set_in_cr4(unsigned long mask) +-{ +- unsigned long cr4; +- +- mmu_cr4_features |= mask; +- if (trampoline_cr4_features) +- *trampoline_cr4_features = mmu_cr4_features; +- cr4 = read_cr4(); +- cr4 |= mask; +- write_cr4(cr4); +-} +- +-static inline void clear_in_cr4(unsigned long mask) +-{ +- unsigned long cr4; +- +- mmu_cr4_features &= ~mask; +- if (trampoline_cr4_features) +- *trampoline_cr4_features = mmu_cr4_features; +- cr4 = read_cr4(); +- cr4 &= ~mask; +- write_cr4(cr4); +-} ++extern void set_in_cr4(unsigned long mask); ++extern void clear_in_cr4(unsigned long mask); + + typedef struct { + unsigned long seg; +@@ -823,11 +815,18 @@ static inline void spin_lock_prefetch(const void *x) */ #define TASK_SIZE PAGE_OFFSET #define TASK_SIZE_MAX TASK_SIZE @@ -16027,7 +15873,7 @@ index 22224b3..c5d8d7d 100644 .vm86_info = NULL, \ .sysenter_cs = __KERNEL_CS, \ .io_bitmap_ptr = NULL, \ -@@ -841,7 +861,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -841,7 +840,7 @@ static inline void spin_lock_prefetch(const void *x) */ #define INIT_TSS { \ .x86_tss = { \ @@ -16036,7 +15882,7 @@ index 22224b3..c5d8d7d 100644 .ss0 = __KERNEL_DS, \ .ss1 = __KERNEL_CS, \ .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \ -@@ -852,11 +872,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -852,11 +851,7 @@ static inline void spin_lock_prefetch(const void *x) extern unsigned long thread_saved_pc(struct task_struct *tsk); #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long)) 
@@ -16049,7 +15895,7 @@ index 22224b3..c5d8d7d 100644 /* * The below -8 is to reserve 8 bytes on top of the ring0 stack. -@@ -871,7 +887,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -871,7 +866,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); #define task_pt_regs(task) \ ({ \ struct pt_regs *__regs__; \ @@ -16058,7 +15904,7 @@ index 22224b3..c5d8d7d 100644 __regs__ - 1; \ }) -@@ -881,13 +897,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -881,13 +876,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); /* * User space process size. 47bits minus one guard page. */ @@ -16074,7 +15920,7 @@ index 22224b3..c5d8d7d 100644 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ IA32_PAGE_OFFSET : TASK_SIZE_MAX) -@@ -898,11 +914,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -898,11 +893,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); #define STACK_TOP_MAX TASK_SIZE_MAX #define INIT_THREAD { \ @@ -16088,7 +15934,7 @@ index 22224b3..c5d8d7d 100644 } /* -@@ -930,6 +946,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, +@@ -930,6 +925,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, */ #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) @@ -16099,7 +15945,7 @@ index 22224b3..c5d8d7d 100644 #define KSTK_EIP(task) (task_pt_regs(task)->ip) /* Get/set a process' ability to use the timestamp counter instruction */ -@@ -942,7 +962,8 @@ extern int set_tsc_mode(unsigned int val); +@@ -942,7 +941,8 @@ extern int set_tsc_mode(unsigned int val); extern u16 amd_get_nb_id(int cpu); struct aperfmperf { @@ -16109,7 +15955,7 @@ index 22224b3..c5d8d7d 100644 }; static inline void get_aperfmperf(struct aperfmperf *am) -@@ -970,7 +991,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old, +@@ -970,7 +970,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old, return ratio; } 
@@ -16118,7 +15964,7 @@ index 22224b3..c5d8d7d 100644 extern void free_init_pages(char *what, unsigned long begin, unsigned long end); void default_idle(void); -@@ -980,6 +1001,6 @@ bool xen_set_default_idle(void); +@@ -980,6 +980,6 @@ bool xen_set_default_idle(void); #define xen_set_default_idle 0 #endif @@ -18612,7 +18458,7 @@ index 5013a48..0782c53 100644 if (c->x86_model == 3 && c->x86_mask == 0) size = 64; diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 22018f7..2ae0e75 100644 +index 22018f7..df77e23 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = { @@ -18676,7 +18522,7 @@ index 22018f7..2ae0e75 100644 static int __init x86_xsave_setup(char *s) { setup_clear_cpu_cap(X86_FEATURE_XSAVE); -@@ -288,6 +234,53 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) +@@ -288,6 +234,57 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) set_in_cr4(X86_CR4_SMAP); } @@ -18700,7 +18546,9 @@ index 22018f7..2ae0e75 100644 + +#ifdef CONFIG_PAX_MEMORY_UDEREF + if (clone_pgd_mask != ~(pgdval_t)0UL) { ++ pax_open_kernel(); + pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; ++ pax_close_kernel(); + printk("PAX: slow and weak UDEREF enabled\n"); + } else + printk("PAX: UDEREF disabled\n"); @@ -18713,7 +18561,9 @@ index 22018f7..2ae0e75 100644 + set_in_cr4(X86_CR4_PCIDE); + +#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_open_kernel(); + clone_pgd_mask = ~(pgdval_t)0UL; ++ pax_close_kernel(); + if (pax_user_shadow_base) + printk("PAX: weak UDEREF enabled\n"); + else { @@ -18730,7 +18580,7 @@ index 22018f7..2ae0e75 100644 /* * Some CPU features depend on higher CPUID levels, which may not always * be available due to CPUID level capping or broken virtualization -@@ -386,7 +379,7 @@ void switch_to_new_gdt(int cpu) +@@ -386,7 +383,7 @@ void switch_to_new_gdt(int cpu) { struct desc_ptr gdt_descr; 
@@ -18739,7 +18589,7 @@ index 22018f7..2ae0e75 100644 gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); /* Reload the per-cpu base */ -@@ -874,6 +867,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) +@@ -874,6 +871,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) setup_smep(c); setup_smap(c); @@ -18750,7 +18600,7 @@ index 22018f7..2ae0e75 100644 /* * The vendor-specific functions might have changed features. * Now we do "generic changes." -@@ -882,6 +879,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) +@@ -882,6 +883,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) /* Filter out anything that depends on CPUID levels we don't have */ filter_cpuid_features(c, true); @@ -18761,7 +18611,7 @@ index 22018f7..2ae0e75 100644 /* If the model name is still unset, do table lookup. */ if (!c->x86_model_id[0]) { const char *p; -@@ -1069,10 +1070,12 @@ static __init int setup_disablecpuid(char *arg) +@@ -1069,10 +1074,12 @@ static __init int setup_disablecpuid(char *arg) } __setup("clearcpuid=", setup_disablecpuid); @@ -18776,7 +18626,7 @@ index 22018f7..2ae0e75 100644 DEFINE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __aligned(PAGE_SIZE); -@@ -1086,7 +1089,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = +@@ -1086,7 +1093,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = EXPORT_PER_CPU_SYMBOL(current_task); DEFINE_PER_CPU(unsigned long, kernel_stack) = @@ -18785,7 +18635,7 @@ index 22018f7..2ae0e75 100644 EXPORT_PER_CPU_SYMBOL(kernel_stack); DEFINE_PER_CPU(char *, irq_stack_ptr) = -@@ -1231,7 +1234,7 @@ void __cpuinit cpu_init(void) +@@ -1231,7 +1238,7 @@ void __cpuinit cpu_init(void) load_ucode_ap(); cpu = stack_smp_processor_id(); 
@@ -18794,7 +18644,7 @@ index 22018f7..2ae0e75 100644 oist = &per_cpu(orig_ist, cpu); #ifdef CONFIG_NUMA -@@ -1257,7 +1260,7 @@ void __cpuinit cpu_init(void) +@@ -1257,7 +1264,7 @@ void __cpuinit cpu_init(void) switch_to_new_gdt(cpu); loadsegment(fs, 0); @@ -18803,7 +18653,7 @@ index 22018f7..2ae0e75 100644 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8); syscall_init(); -@@ -1266,7 +1269,6 @@ void __cpuinit cpu_init(void) +@@ -1266,7 +1273,6 @@ void __cpuinit cpu_init(void) wrmsrl(MSR_KERNEL_GS_BASE, 0); barrier(); @@ -18811,7 +18661,7 @@ index 22018f7..2ae0e75 100644 enable_x2apic(); /* -@@ -1318,7 +1320,7 @@ void __cpuinit cpu_init(void) +@@ -1318,7 +1324,7 @@ void __cpuinit cpu_init(void) { int cpu = smp_processor_id(); struct task_struct *curr = current; @@ -19214,7 +19064,7 @@ index a9e2207..d70c83a 100644 intel_ds_init(); diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -index 52441a2..f94fae8 100644 +index 8aac56b..588fb13 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c @@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) @@ -20482,7 +20332,7 @@ index 8f3e2de..6b71e39 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 7272089..ee191c7 100644 +index 7272089..0b74104 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -20838,14 +20688,22 @@ index 7272089..ee191c7 100644 + SET_RDI_INTO_CR3 + jmp 2f +1: ++ + mov %rdi,%rbx ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ btr $16,%rdi ++ jnc 3f ++ SET_RDI_INTO_CR0 ++#endif ++ + add $__START_KERNEL_map,%rbx + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f -+ pushq %rdi + i = 0 + .rept USER_PGD_PTRS + mov i*8(%rbx),%rsi 
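Review bot: In the entry_64.S hunk (`@@ -20838,14 +20688,22 @@`) the `CONFIG_PAX_KERNEXEC` block now sits ahead of the `CONFIG_PARAVIRT` test, so `jnc 3f` also skips the paravirt `set_pgd_batched` loop when CR0 bit 16 was already clear. Before the move only the native loop was behind that check, and no comment records the change. The same hunk drops `pushq %rdi` (the matching `popq %rdi` goes in the next hunk), so %rdi is no longer preserved across the paravirt calls. Label `3:` and the code after `2:` are outside the hunk, so whether anything there still expects the old %rdi cannot be checked from here. I would add above `GET_CR0_INTO_RDI` a comment such as `/* clear CR0.WP before either PGD-update path; if it was already clear, skip both (3f) */`, adjusted to the actual intent.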
@@ -20854,18 +20712,10 @@ index 7272089..ee191c7 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr -+ popq %rdi + jmp 2f +1: +#endif + -+#ifdef CONFIG_PAX_KERNEXEC -+ GET_CR0_INTO_RDI -+ btr $16,%rdi -+ jnc 3f -+ SET_RDI_INTO_CR0 -+#endif -+ + i = 0 + .rept USER_PGD_PTRS + movb $0x67,i*8(%rbx) @@ -22497,7 +22347,7 @@ index a836860..1b5c665 100644 - .skip PAGE_SIZE + .fill 512,8,0 diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c -index 0fa6912..37fce70 100644 +index 0fa6912..b37438b 100644 --- a/arch/x86/kernel/i386_ksyms_32.c +++ b/arch/x86/kernel/i386_ksyms_32.c @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void); @@ -22513,7 +22363,7 @@ index 0fa6912..37fce70 100644 EXPORT_SYMBOL(__get_user_1); EXPORT_SYMBOL(__get_user_2); -@@ -37,3 +41,7 @@ EXPORT_SYMBOL(strstr); +@@ -37,3 +41,11 @@ EXPORT_SYMBOL(strstr); EXPORT_SYMBOL(csum_partial); EXPORT_SYMBOL(empty_zero_page); @@ -22521,6 +22371,10 @@ index 0fa6912..37fce70 100644 +#ifdef CONFIG_PAX_KERNEXEC +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); +#endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++EXPORT_SYMBOL(cpu_pgd); ++#endif diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c index f7ea30d..6318acc 100644 --- a/arch/x86/kernel/i387.c @@ -24272,7 +24126,7 @@ index f2bb9c9..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 56f7fcf..3b88ad1 100644 +index 56f7fcf..2cfe4f1 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -110,6 +110,7 @@ @@ -24283,7 +24137,7 @@ index 56f7fcf..3b88ad1 100644 /* * max_low_pfn_mapped: highest direct mapped pfn under 4GB -@@ -205,10 +206,12 @@ EXPORT_SYMBOL(boot_cpu_data); +@@ -205,12 +206,50 @@ EXPORT_SYMBOL(boot_cpu_data); #endif 
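Review bot: The new `EXPORT_SYMBOL(cpu_pgd)` under `CONFIG_PAX_PER_CPU_PGD` in i386_ksyms_32.c (`@@ -22521,6 +22371,10 @@`) makes the symbol reachable from every loadable module, and nothing in the hunk says which module needs it. Judging by the guard name this is the per-CPU page directory, so the export deserves a stated reason, e.g. `/* exported for <consumer>: needs the per-CPU PGD when built as a module */`. If only in-tree GPL users exist, `EXPORT_SYMBOL_GPL(cpu_pgd);` would narrow it. The identical export added to x8664_ksyms_64.c later in this diff has the same gap.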
@@ -24298,8 +24152,46 @@ index 56f7fcf..3b88ad1 100644 +unsigned long mmu_cr4_features __read_only; #endif ++void set_in_cr4(unsigned long mask) ++{ ++ unsigned long cr4 = read_cr4(); ++ ++ if ((cr4 & mask) == mask && cr4 == mmu_cr4_features) ++ return; ++ ++ pax_open_kernel(); ++ mmu_cr4_features |= mask; ++ pax_close_kernel(); ++ ++ if (trampoline_cr4_features) ++ *trampoline_cr4_features = mmu_cr4_features; ++ cr4 |= mask; ++ write_cr4(cr4); ++} ++EXPORT_SYMBOL(set_in_cr4); ++ ++void clear_in_cr4(unsigned long mask) ++{ ++ unsigned long cr4 = read_cr4(); ++ ++ if (!(cr4 & mask) && cr4 == mmu_cr4_features) ++ return; ++ ++ pax_open_kernel(); ++ mmu_cr4_features &= ~mask; ++ pax_close_kernel(); ++ ++ if (trampoline_cr4_features) ++ *trampoline_cr4_features = mmu_cr4_features; ++ cr4 &= ~mask; ++ write_cr4(cr4); ++} ++EXPORT_SYMBOL(clear_in_cr4); ++ /* Boot loader ID and version as integers, for the benefit of proc_dointvec */ -@@ -444,7 +447,7 @@ static void __init parse_setup_data(void) + int bootloader_type, bootloader_version; + +@@ -444,7 +483,7 @@ static void __init parse_setup_data(void) switch (data->type) { case SETUP_E820_EXT: @@ -24308,7 +24200,7 @@ index 56f7fcf..3b88ad1 100644 break; case SETUP_DTB: add_dtb(pa_data); -@@ -771,7 +774,7 @@ static void __init trim_bios_range(void) +@@ -771,7 +810,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ @@ -24317,7 +24209,7 @@ index 56f7fcf..3b88ad1 100644 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } -@@ -779,7 +782,7 @@ static void __init trim_bios_range(void) +@@ -779,7 +818,7 @@ static void __init trim_bios_range(void) /* called before trim_bios_range() to spare extra sanitize */ static void __init e820_add_kernel_range(void) { 
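Review bot: The early return in the new out-of-line `set_in_cr4()`, `if ((cr4 & mask) == mask && cr4 == mmu_cr4_features) return;`, also skips the `*trampoline_cr4_features = mmu_cr4_features;` sync that the removed inline version in processor.h performed on every call. `clear_in_cr4()` has the same shape. If `trampoline_cr4_features` can become non-NULL after the last real CR4 change, a later no-op call would leave the trampoline copy stale; the code that sets that pointer is outside this diff, so this needs confirming. The reason for the shortcut is also undocumented. Since `mmu_cr4_features` is `__read_only` here, I would put above the check `/* no change needed: avoid pax_open_kernel() for a no-op; trampoline copy is assumed already in sync */`.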
@@ -24326,7 +24218,7 @@ index 56f7fcf..3b88ad1 100644 u64 size = __pa_symbol(_end) - start; /* -@@ -841,8 +844,12 @@ static void __init trim_low_memory_range(void) +@@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void) void __init setup_arch(char **cmdline_p) { @@ -24339,7 +24231,7 @@ index 56f7fcf..3b88ad1 100644 early_reserve_initrd(); -@@ -934,14 +941,14 @@ void __init setup_arch(char **cmdline_p) +@@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -24842,7 +24734,7 @@ index 0000000..5877189 + return arch_get_unmapped_area(filp, addr0, len, pgoff, flags); +} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index dbded5a..ace2781 100644 +index 48f8375..ace2781 100644 --- a/arch/x86/kernel/sys_x86_64.c +++ b/arch/x86/kernel/sys_x86_64.c @@ -81,8 +81,8 @@ out: @@ -24860,7 +24752,7 @@ index dbded5a..ace2781 100644 *begin = new_begin; } } else { -- *begin = TASK_UNMAPPED_BASE; +- *begin = mmap_legacy_base(); + *begin = mm->mmap_base; *end = TASK_SIZE; } @@ -25621,7 +25513,7 @@ index 9a907a6..f83f921 100644 (unsigned long)VSYSCALL_START); diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c -index b014d94..6d6ca7b 100644 +index b014d94..e775258 100644 --- a/arch/x86/kernel/x8664_ksyms_64.c +++ b/arch/x86/kernel/x8664_ksyms_64.c @@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string); @@ -25633,6 +25525,14 @@ index b014d94..6d6ca7b 100644 EXPORT_SYMBOL(copy_page); EXPORT_SYMBOL(clear_page); +@@ -66,3 +64,7 @@ EXPORT_SYMBOL(empty_zero_page); + #ifndef CONFIG_PARAVIRT + EXPORT_SYMBOL(native_load_gs_index); + #endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++EXPORT_SYMBOL(cpu_pgd); ++#endif diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c index 45a14db..075bb9b 100644 --- a/arch/x86/kernel/x86_init.c @@ -30668,7 +30568,7 @@ index d87dd6d..bf3fa66 100644 pte = kmemcheck_pte_lookup(address); 
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 845df68..1d8d29f 100644 +index c1af323..4758dad 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void) @@ -30708,8 +30608,8 @@ index 845df68..1d8d29f 100644 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 * does, but not when emulating X86_32 */ --static unsigned long mmap_legacy_base(void) -+static unsigned long mmap_legacy_base(struct mm_struct *mm) +-unsigned long mmap_legacy_base(void) ++unsigned long mmap_legacy_base(struct mm_struct *mm) { - if (mmap_is_ia32()) + if (mmap_is_ia32()) { @@ -30726,7 +30626,7 @@ index 845df68..1d8d29f 100644 return TASK_UNMAPPED_BASE + mmap_rnd(); } -@@ -113,11 +126,23 @@ static unsigned long mmap_legacy_base(void) +@@ -113,11 +126,23 @@ unsigned long mmap_legacy_base(void) void arch_pick_mmap_layout(struct mm_struct *mm) { if (mmap_is_legacy()) { @@ -41972,19 +41872,6 @@ index f975696..4597e21 100644 #ifdef CONFIG_NET_POLL_CONTROLLER /* -diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c -index 25723d8..925ab8e 100644 ---- a/drivers/net/can/usb/peak_usb/pcan_usb.c -+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c -@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len) - if ((mc->ptr + rec_len) > mc->end) - goto decode_failed; - -- memcpy(cf->data, mc->ptr, rec_len); -+ memcpy(cf->data, mc->ptr, cf->can_dlc); - mc->ptr += rec_len; - } - diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c index e1d2643..7f4133b 100644 --- a/drivers/net/ethernet/8390/ax88796.c 
@@ -45297,45 +45184,25 @@ index c699a30..b90a5fd 100644 pDevice->apdev->netdev_ops = &apdev_netdev_ops; pDevice->apdev->type = ARPHRD_IEEE80211; -diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c -index d7e51e4..d07eaab 100644 ---- a/drivers/staging/zcache/tmem.c -+++ b/drivers/staging/zcache/tmem.c -@@ -51,7 +51,7 @@ - * A tmem host implementation must use this function to register callbacks - * for memory allocation. - */ --static struct tmem_hostops tmem_hostops; -+static tmem_hostops_no_const tmem_hostops; - - static void tmem_objnode_tree_init(void); - -@@ -65,7 +65,7 @@ void tmem_register_hostops(struct tmem_hostops *m) - * A tmem host implementation must use this function to register - * callbacks for a page-accessible memory (PAM) implementation. - */ --static struct tmem_pamops tmem_pamops; -+static tmem_pamops_no_const tmem_pamops; - - void tmem_register_pamops(struct tmem_pamops *m) - { diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h -index d128ce2..a43980c 100644 +index d128ce2..fc1f9a1 100644 --- a/drivers/staging/zcache/tmem.h +++ b/drivers/staging/zcache/tmem.h -@@ -226,6 +226,7 @@ struct tmem_pamops { +@@ -225,7 +225,7 @@ struct tmem_pamops { + bool (*is_remote)(void *); int (*replace_in_obj)(void *, struct tmem_obj *); #endif - }; -+typedef struct tmem_pamops __no_const tmem_pamops_no_const; +-}; ++} __no_const; extern void tmem_register_pamops(struct tmem_pamops *m); /* memory allocation methods provided by the host implementation */ -@@ -235,6 +236,7 @@ struct tmem_hostops { +@@ -234,7 +234,7 @@ struct tmem_hostops { + void (*obj_free)(struct tmem_obj *, struct tmem_pool *); struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *); void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *); - }; -+typedef struct tmem_hostops __no_const tmem_hostops_no_const; +-}; ++} __no_const; extern void tmem_register_hostops(struct tmem_hostops *m); /* core tmem accessor functions */ 
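Review bot: Putting `__no_const` on the `struct tmem_pamops` and `struct tmem_hostops` definitions in tmem.h exempts every instance of these function-pointer tables from constification. The removed `tmem_pamops_no_const` / `tmem_hostops_no_const` typedefs exempted only the two static copies in tmem.c. The tmem.c hunk is dropped from the patch in this same change, presumably because the upstream file moved, but the wider exemption is not explained. If other instances of these structs never need to be written after init, keeping a `typedef struct tmem_pamops __no_const tmem_pamops_no_const;` for the writable copies would leave the rest read-only. Otherwise add a comment on each closing brace, e.g. `/* __no_const: registered tables are copied into writable statics */`, if that is the reason.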
@@ -47004,7 +46871,7 @@ index d6bea3e..60b250e 100644 /** diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c -index 6ef94bc..1b41265 100644 +index 028fc83..65bb105 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c @@ -296,7 +296,7 @@ out: @@ -52866,7 +52733,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index ffd7a81..3c84660 100644 +index 1f44670..3c84660 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ @@ -53073,24 +52940,6 @@ index ffd7a81..3c84660 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -607,7 +653,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) - return -ENOMEM; - - lru_add_drain(); -- tlb_gather_mmu(&tlb, mm, 0); -+ tlb_gather_mmu(&tlb, mm, old_start, old_end); - if (new_end > old_start) { - /* - * when the old and new regions overlap clear from new_end. -@@ -624,7 +670,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) - free_pgd_range(&tlb, old_start, old_end, new_end, - vma->vm_next ? vma->vm_next->vm_start : USER_PGTABLES_CEILING); - } -- tlb_finish_mmu(&tlb, new_end, old_end); -+ tlb_finish_mmu(&tlb, old_start, old_end); - - /* - * Shrink the vma to just the new range. Always succeeds. @@ -672,10 +718,6 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -58496,7 +58345,7 @@ index 6b6a993..807cccc 100644 kfree(s); } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 3e636d8..350cc48 100644 +index 65fc60a..350cc48 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -11,12 +11,19 @@ 
@@ -58663,34 +58512,6 @@ index 3e636d8..350cc48 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -792,14 +843,14 @@ typedef struct { - } pagemap_entry_t; - - struct pagemapread { -- int pos, len; -+ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */ - pagemap_entry_t *buffer; - }; - - #define PAGEMAP_WALK_SIZE (PMD_SIZE) - #define PAGEMAP_WALK_MASK (PMD_MASK) - --#define PM_ENTRY_BYTES sizeof(u64) -+#define PM_ENTRY_BYTES sizeof(pagemap_entry_t) - #define PM_STATUS_BITS 3 - #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS) - #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET) -@@ -1038,8 +1089,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, - if (!count) - goto out_task; - -- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); -- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY); -+ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); -+ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY); - ret = -ENOMEM; - if (!pm.buffer) - goto out_task; @@ -1264,6 +1315,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) int n; char buffer[50]; @@ -70603,19 +70424,6 @@ index a59ff51..2594a70 100644 #endif /* CONFIG_MMU */ #endif /* !__ASSEMBLY__ */ -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h -index 13821c3..5672d7e 100644 ---- a/include/asm-generic/tlb.h -+++ b/include/asm-generic/tlb.h -@@ -112,7 +112,7 @@ struct mmu_gather { - - #define HAVE_GENERIC_MMU_GATHER - --void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, bool fullmm); -+void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end); - void tlb_flush_mmu(struct mmu_gather *tlb); - void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, - unsigned long end); diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h index c184aa8..d049942 100644 --- a/include/asm-generic/uaccess.h 
@@ -74681,7 +74489,7 @@ index 6dacb93..6174423 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, struct vm_area_struct *next) diff --git a/include/linux/sched.h b/include/linux/sched.h -index 178a8d9..450bf11 100644 +index 3aeb14b..73816a6 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -62,6 +62,7 @@ struct bio_list; @@ -74701,10 +74509,11 @@ index 178a8d9..450bf11 100644 extern signed long schedule_timeout_interruptible(signed long timeout); extern signed long schedule_timeout_killable(signed long timeout); extern signed long schedule_timeout_uninterruptible(signed long timeout); -@@ -314,6 +315,19 @@ struct nsproxy; +@@ -314,7 +315,19 @@ struct nsproxy; struct user_namespace; #ifdef CONFIG_MMU +-extern unsigned long mmap_legacy_base(void); + +#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK +extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags); @@ -74717,11 +74526,11 @@ index 178a8d9..450bf11 100644 + +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset); +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset); -+ ++extern unsigned long mmap_legacy_base(struct mm_struct *mm); extern void arch_pick_mmap_layout(struct mm_struct *mm); extern unsigned long arch_get_unmapped_area(struct file *, unsigned long, unsigned long, -@@ -591,6 +605,17 @@ struct signal_struct { +@@ -592,6 +605,17 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif @@ -74739,7 +74548,7 @@ index 178a8d9..450bf11 100644 #ifdef CONFIG_AUDIT unsigned audit_tty; unsigned audit_tty_log_passwd; -@@ -671,6 +696,14 @@ struct user_struct { +@@ -672,6 +696,14 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif 
@@ -74754,7 +74563,7 @@ index 178a8d9..450bf11 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; kuid_t uid; -@@ -1158,8 +1191,8 @@ struct task_struct { +@@ -1159,8 +1191,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ @@ -74765,7 +74574,7 @@ index 178a8d9..450bf11 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1184,11 +1217,6 @@ struct task_struct { +@@ -1185,11 +1217,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -74777,7 +74586,7 @@ index 178a8d9..450bf11 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1205,6 +1233,10 @@ struct task_struct { +@@ -1206,6 +1233,10 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -74788,7 +74597,7 @@ index 178a8d9..450bf11 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1278,6 +1310,10 @@ struct task_struct { +@@ -1279,6 +1310,10 @@ struct task_struct { gfp_t lockdep_reclaim_gfp; #endif @@ -74799,7 +74608,7 @@ index 178a8d9..450bf11 100644 /* journalling filesystem info */ void *journal_info; -@@ -1316,6 +1352,10 @@ struct task_struct { +@@ -1317,6 +1352,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -74810,7 +74619,7 @@ index 178a8d9..450bf11 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1416,8 +1456,76 @@ struct task_struct { +@@ -1417,8 +1456,76 @@ struct task_struct { unsigned int sequential_io; unsigned int sequential_io_avg; #endif 
@@ -74887,7 +74696,7 @@ index 178a8d9..450bf11 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -1476,7 +1584,7 @@ struct pid_namespace; +@@ -1477,7 +1584,7 @@ struct pid_namespace; pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, struct pid_namespace *ns); @@ -74896,7 +74705,7 @@ index 178a8d9..450bf11 100644 { return tsk->pid; } -@@ -1919,7 +2027,9 @@ void yield(void); +@@ -1920,7 +2027,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -74906,7 +74715,7 @@ index 178a8d9..450bf11 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -1952,6 +2062,7 @@ extern struct pid_namespace init_pid_ns; +@@ -1953,6 +2062,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -74914,7 +74723,7 @@ index 178a8d9..450bf11 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2118,7 +2229,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2119,7 +2229,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -74923,7 +74732,7 @@ index 178a8d9..450bf11 100644 extern int allow_signal(int); extern int disallow_signal(int); -@@ -2309,9 +2420,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2310,9 +2420,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -75489,7 +75298,7 @@ index a5ffd32..0935dea 100644 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h -index 4147d70..d356a10 100644 +index 84662ec..d8f8adb 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -97,8 +97,12 @@ struct sigaltstack; 
@@ -78773,7 +78582,7 @@ index 7bb73f9..d7978ed 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 987b28a..11ee8a5 100644 +index ffbc090..08ceeee 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -79068,7 +78877,7 @@ index 987b28a..11ee8a5 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1723,7 +1785,7 @@ void __init proc_caches_init(void) +@@ -1729,7 +1791,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); @@ -79077,7 +78886,7 @@ index 987b28a..11ee8a5 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1763,7 +1825,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1769,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -79086,7 +78895,7 @@ index 987b28a..11ee8a5 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1875,7 +1937,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1881,7 +1943,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -82096,7 +81905,7 @@ index e8b3350..d83d44e 100644 .priority = CPU_PRI_MIGRATION, }; diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index c61a614..d7f3d7e 100644 +index 03b73be..9422b9f 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -831,7 +831,7 @@ void task_numa_fault(int node, int pages, bool migrated) 
@@ -82108,7 +81917,7 @@ index c61a614..d7f3d7e 100644 p->mm->numa_scan_offset = 0; } -@@ -5686,7 +5686,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { } +@@ -5687,7 +5687,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { } * run_rebalance_domains is triggered when needed from the scheduler tick. * Also triggered for nohz idle balancing (with nohz_balancing_kick set). */ @@ -84466,7 +84275,7 @@ index b32b70c..e512eb0 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 5cf99bf..5c01c2f 100644 +index 7c5eb85..5c01c2f 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, @@ -84511,15 +84320,6 @@ index 5cf99bf..5c01c2f 100644 if (ret) goto out; -@@ -2490,7 +2494,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, - - mm = vma->vm_mm; - -- tlb_gather_mmu(&tlb, mm, 0); -+ tlb_gather_mmu(&tlb, mm, start, end); - __unmap_hugepage_range(&tlb, vma, start, end, ref_page); - tlb_finish_mmu(&tlb, start, end); - } @@ -2545,6 +2549,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -84872,39 +84672,10 @@ index ceb0c7f..b2b8e94 100644 } else { pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n", diff --git a/mm/memory.c b/mm/memory.c -index 5e50800..7c0340f 100644 +index 5a35443..7c0340f 100644 --- a/mm/memory.c 
+++ b/mm/memory.c -@@ -211,14 +211,15 @@ static int tlb_next_batch(struct mmu_gather *tlb) - * tear-down from @mm. The @fullmm argument is used when @mm is without - * users and we're going to destroy the full address space (exit/execve). - */ --void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, bool fullmm) -+void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) - { - tlb->mm = mm; - -- tlb->fullmm = fullmm; -+ /* Is it from 0 to ~0? */ -+ tlb->fullmm = !(start | (end+1)); - tlb->need_flush_all = 0; -- tlb->start = -1UL; -- tlb->end = 0; -+ tlb->start = start; -+ tlb->end = end; - tlb->need_flush = 0; - tlb->local.next = NULL; - tlb->local.nr = 0; -@@ -258,8 +259,6 @@ void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, unsigned long e - { - struct mmu_gather_batch *batch, *next; - -- tlb->start = start; -- tlb->end = end; - tlb_flush_mmu(tlb); - - /* keep the page table cache within bounds */ -@@ -429,6 +428,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, +@@ -428,6 +428,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, free_pte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end); @@ -84912,7 +84683,7 @@ index 5e50800..7c0340f 100644 start &= PUD_MASK; if (start < floor) return; -@@ -443,6 +443,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, +@@ -442,6 +443,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, pmd = pmd_offset(pud, start); pud_clear(pud); pmd_free_tlb(tlb, pmd, start); 
@@ -84921,7 +84692,7 @@ index 5e50800..7c0340f 100644 } static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, -@@ -462,6 +464,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, +@@ -461,6 +464,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, free_pmd_range(tlb, pud, addr, next, floor, ceiling); } while (pud++, addr = next, addr != end); @@ -84929,7 +84700,7 @@ index 5e50800..7c0340f 100644 start &= PGDIR_MASK; if (start < floor) return; -@@ -476,6 +479,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, +@@ -475,6 +479,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, pud = pud_offset(pgd, start); pgd_clear(pgd); pud_free_tlb(tlb, pud, start); 
@@ -84938,65 +84709,7 @@ index 5e50800..7c0340f 100644 } /* -@@ -1101,7 +1106,6 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, - spinlock_t *ptl; - pte_t *start_pte; - pte_t *pte; -- unsigned long range_start = addr; - - again: - init_rss_vec(rss); -@@ -1204,17 +1208,25 @@ again: - * and page-free while holding it. - */ - if (force_flush) { -+ unsigned long old_end; -+ - force_flush = 0; - --#ifdef HAVE_GENERIC_MMU_GATHER -- tlb->start = range_start; -+ /* -+ * Flush the TLB just for the previous segment, -+ * then update the range to be the remaining -+ * TLB range. -+ */ -+ old_end = tlb->end; - tlb->end = addr; --#endif -+ - tlb_flush_mmu(tlb); -- if (addr != end) { -- range_start = addr; -+ -+ tlb->start = addr; -+ tlb->end = old_end; -+ -+ if (addr != end) - goto again; -- } - } - - return addr; -@@ -1399,7 +1411,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start, - unsigned long end = start + size; - - lru_add_drain(); -- tlb_gather_mmu(&tlb, mm, 0); -+ tlb_gather_mmu(&tlb, mm, start, end); - update_hiwater_rss(mm); - mmu_notifier_invalidate_range_start(mm, start, end); - for ( ; vma && vma->vm_start < end; vma = vma->vm_next) -@@ -1425,7 +1437,7 @@ static void zap_page_range_single(struct vm_area_struct *vma, unsigned long addr - unsigned long end = address + size; - - lru_add_drain(); -- tlb_gather_mmu(&tlb, mm, 0); -+ tlb_gather_mmu(&tlb, mm, address, end); - update_hiwater_rss(mm); - mmu_notifier_invalidate_range_start(mm, address, end); - unmap_single_vma(&tlb, vma, address, end, details); -@@ -1638,12 +1650,6 @@ no_page_table: +@@ -1644,12 +1650,6 @@ no_page_table: return page; } @@ -85009,7 +84722,7 @@ index 5e50800..7c0340f 100644 /** * __get_user_pages() - pin user pages in memory * @tsk: task_struct of target task -@@ -1730,10 +1736,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, +@@ -1736,10 +1736,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, i = 0; 
@@ -85022,7 +84735,7 @@ index 5e50800..7c0340f 100644 if (!vma && in_gate_area(mm, start)) { unsigned long pg = start & PAGE_MASK; pgd_t *pgd; -@@ -1782,7 +1788,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, +@@ -1788,7 +1788,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, goto next_page; } @@ -85031,7 +84744,7 @@ index 5e50800..7c0340f 100644 (vma->vm_flags & (VM_IO | VM_PFNMAP)) || !(vm_flags & vma->vm_flags)) return i ? : -EFAULT; -@@ -1811,11 +1817,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, +@@ -1817,11 +1817,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, int ret; unsigned int fault_flags = 0; @@ -85043,7 +84756,7 @@ index 5e50800..7c0340f 100644 if (foll_flags & FOLL_WRITE) fault_flags |= FAULT_FLAG_WRITE; if (nonblocking) -@@ -1895,7 +1896,7 @@ next_page: +@@ -1901,7 +1896,7 @@ next_page: start += page_increm * PAGE_SIZE; nr_pages -= page_increm; } while (nr_pages && start < vma->vm_end); @@ -85052,7 +84765,7 @@ index 5e50800..7c0340f 100644 return i; } EXPORT_SYMBOL(__get_user_pages); -@@ -2102,6 +2103,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, +@@ -2108,6 +2103,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, page_add_file_rmap(page); set_pte_at(mm, addr, pte, mk_pte(page, prot)); @@ -85063,7 +84776,7 @@ index 5e50800..7c0340f 100644 retval = 0; pte_unmap_unlock(pte, ptl); return retval; -@@ -2146,9 +2151,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr, +@@ -2152,9 +2151,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr, if (!page_count(page)) return -EINVAL; if (!(vma->vm_flags & VM_MIXEDMAP)) { 
@@ -85085,7 +84798,7 @@ index 5e50800..7c0340f 100644 } return insert_page(vma, addr, page, vma->vm_page_prot); } -@@ -2231,6 +2248,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, +@@ -2237,6 +2248,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, unsigned long pfn) { BUG_ON(!(vma->vm_flags & VM_MIXEDMAP)); @@ -85093,7 +84806,7 @@ index 5e50800..7c0340f 100644 if (addr < vma->vm_start || addr >= vma->vm_end) return -EFAULT; -@@ -2478,7 +2496,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, +@@ -2484,7 +2496,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, BUG_ON(pud_huge(*pud)); @@ -85104,7 +84817,7 @@ index 5e50800..7c0340f 100644 if (!pmd) return -ENOMEM; do { -@@ -2498,7 +2518,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, +@@ -2504,7 +2518,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, unsigned long next; int err; @@ -85115,7 +84828,7 @@ index 5e50800..7c0340f 100644 if (!pud) return -ENOMEM; do { -@@ -2586,6 +2608,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo +@@ -2592,6 +2608,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo copy_user_highpage(dst, src, va, vma); } @@ -85302,7 +85015,7 @@ index 5e50800..7c0340f 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2802,6 +3004,12 @@ gotten: +@@ -2808,6 +3004,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -85315,7 +85028,7 @@ index 5e50800..7c0340f 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2853,6 +3061,10 @@ gotten: +@@ -2859,6 +3061,10 @@ gotten: page_remove_rmap(old_page); } 
@@ -85326,7 +85039,7 @@ index 5e50800..7c0340f 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -3128,6 +3340,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3134,6 +3340,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -85338,7 +85051,7 @@ index 5e50800..7c0340f 100644 unlock_page(page); if (page != swapcache) { /* -@@ -3151,6 +3368,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3157,6 +3368,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -85350,7 +85063,7 @@ index 5e50800..7c0340f 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -3170,40 +3392,6 @@ out_release: +@@ -3176,40 +3392,6 @@ out_release: } /* @@ -85391,7 +85104,7 @@ index 5e50800..7c0340f 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -3212,27 +3400,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3218,27 +3400,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -85424,7 +85137,7 @@ index 5e50800..7c0340f 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -3256,6 +3440,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3262,6 +3440,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; 
@@ -85436,7 +85149,7 @@ index 5e50800..7c0340f 100644 inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -3263,6 +3452,12 @@ setpte: +@@ -3269,6 +3452,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -85449,7 +85162,7 @@ index 5e50800..7c0340f 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3406,6 +3601,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3412,6 +3601,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -85462,7 +85175,7 @@ index 5e50800..7c0340f 100644 flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -3425,6 +3626,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3431,6 +3626,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, page_table); @@ -85477,7 +85190,7 @@ index 5e50800..7c0340f 100644 } else { if (cow_page) mem_cgroup_uncharge_page(cow_page); -@@ -3746,6 +3955,12 @@ int handle_pte_fault(struct mm_struct *mm, +@@ -3752,6 +3955,12 @@ int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -85490,7 +85203,7 @@ index 5e50800..7c0340f 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3762,6 +3977,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3768,6 +3977,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; 
@@ -85501,7 +85214,7 @@ index 5e50800..7c0340f 100644 __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3773,6 +3992,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3779,6 +3992,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -85536,7 +85249,7 @@ index 5e50800..7c0340f 100644 retry: pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); -@@ -3871,6 +4118,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3877,6 +4118,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -85560,7 +85273,7 @@ index 5e50800..7c0340f 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3901,6 +4165,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3907,6 +4165,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -85591,7 +85304,7 @@ index 5e50800..7c0340f 100644 #endif /* __PAGETABLE_PMD_FOLDED */ #if !defined(__HAVE_ARCH_GATE_AREA) -@@ -3914,7 +4202,7 @@ static int __init gate_vma_init(void) +@@ -3920,7 +4202,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -85600,7 +85313,7 @@ index 5e50800..7c0340f 100644 return 0; } -@@ -4048,8 +4336,8 @@ out: +@@ -4054,8 +4336,8 @@ out: return ret; } 
@@ -85611,7 +85324,7 @@ index 5e50800..7c0340f 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -4074,8 +4362,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr, +@@ -4080,8 +4362,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr, * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -85622,7 +85335,7 @@ index 5e50800..7c0340f 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -4083,7 +4371,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4089,7 +4371,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -85631,7 +85344,7 @@ index 5e50800..7c0340f 100644 void *maddr; struct page *page = NULL; -@@ -4142,8 +4430,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4148,8 +4430,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -85642,7 +85355,7 @@ index 5e50800..7c0340f 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -4153,11 +4441,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -4159,11 +4441,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -85819,7 +85532,7 @@ index 79b7cf7..9944291 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 7dbe397..bfb7626 100644 +index 8d25fdc..bfb7626 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -36,6 +36,7 @@ 
@@ -86688,15 +86401,6 @@ index 7dbe397..bfb7626 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2356,7 +2728,7 @@ static void unmap_region(struct mm_struct *mm, - struct mmu_gather tlb; - - lru_add_drain(); -- tlb_gather_mmu(&tlb, mm, 0); -+ tlb_gather_mmu(&tlb, mm, start, end); - update_hiwater_rss(mm); - unmap_vmas(&tlb, vma, start, end); - free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS, @@ -2379,6 +2751,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; @@ -87002,15 +86706,6 @@ index 7dbe397..bfb7626 100644 return addr; } -@@ -2735,7 +3232,7 @@ void exit_mmap(struct mm_struct *mm) - - lru_add_drain(); - flush_cache_mm(mm); -- tlb_gather_mmu(&tlb, mm, 1); -+ tlb_gather_mmu(&tlb, mm, 0, -1); - /* update_hiwater_rss(mm) here? but nobody should be looking */ - /* Use -1 here to ensure all VMAs in the mm are unmapped */ - unmap_vmas(&tlb, vma, 0, -1); @@ -2750,6 +3247,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) @@ -93669,7 +93364,7 @@ index 57ee84d..8b99cf5 100644 ); diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c -index 1076fe1..8285fd7 100644 +index 1076fe1..f190285 100644 --- a/net/netlink/genetlink.c +++ b/net/netlink/genetlink.c @@ -310,18 +310,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops) 
@@ -93710,27 +93405,6 @@ index 1076fe1..8285fd7 100644 return 0; } } -@@ -789,6 +791,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb) - struct net *net = sock_net(skb->sk); - int chains_to_skip = cb->args[0]; - int fams_to_skip = cb->args[1]; -+ bool need_locking = chains_to_skip || fams_to_skip; -+ -+ if (need_locking) -+ genl_lock(); - - for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) { - n = 0; -@@ -810,6 +816,9 @@ errout: - cb->args[0] = i; - cb->args[1] = n; - -+ if (need_locking) -+ genl_unlock(); -+ - return skb->len; - } - diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index ec0c80f..41e1830 100644 --- a/net/netrom/af_netrom.c diff --git a/3.10.7/4425_grsec_remove_EI_PAX.patch b/3.10.9/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.10.7/4425_grsec_remove_EI_PAX.patch +++ b/3.10.9/4425_grsec_remove_EI_PAX.patch diff --git a/3.10.7/4427_force_XATTR_PAX_tmpfs.patch b/3.10.9/4427_force_XATTR_PAX_tmpfs.patch index 3090b07..3090b07 100644 --- a/3.10.7/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.10.9/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.10.7/4430_grsec-remove-localversion-grsec.patch b/3.10.9/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.10.7/4430_grsec-remove-localversion-grsec.patch +++ b/3.10.9/4430_grsec-remove-localversion-grsec.patch diff --git a/3.10.7/4435_grsec-mute-warnings.patch b/3.10.9/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.10.7/4435_grsec-mute-warnings.patch +++ b/3.10.9/4435_grsec-mute-warnings.patch diff --git a/3.10.7/4440_grsec-remove-protected-paths.patch b/3.10.9/4440_grsec-remove-protected-paths.patch index e2c2dc9..e2c2dc9 100644 --- a/3.10.7/4440_grsec-remove-protected-paths.patch +++ b/3.10.9/4440_grsec-remove-protected-paths.patch diff --git a/3.10.7/4450_grsec-kconfig-default-gids.patch b/3.10.9/4450_grsec-kconfig-default-gids.patch index 7a1010d..7a1010d 100644 
--- a/3.10.7/4450_grsec-kconfig-default-gids.patch +++ b/3.10.9/4450_grsec-kconfig-default-gids.patch diff --git a/3.10.7/4465_selinux-avc_audit-log-curr_ip.patch b/3.10.9/4465_selinux-avc_audit-log-curr_ip.patch index 042c034..042c034 100644 --- a/3.10.7/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.10.9/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.10.7/4470_disable-compat_vdso.patch b/3.10.9/4470_disable-compat_vdso.patch index a2d6ed9..a2d6ed9 100644 --- a/3.10.7/4470_disable-compat_vdso.patch +++ b/3.10.9/4470_disable-compat_vdso.patch diff --git a/3.10.7/4475_emutramp_default_on.patch b/3.10.9/4475_emutramp_default_on.patch index cfde6f8..cfde6f8 100644 --- a/3.10.7/4475_emutramp_default_on.patch +++ b/3.10.9/4475_emutramp_default_on.patch diff --git a/3.2.50/0000_README b/3.2.50/0000_README index df20efb..a654e82 100644 --- a/3.2.50/0000_README +++ b/3.2.50/0000_README @@ -118,7 +118,7 @@ Patch: 1049_linux-3.2.50.patch From: http://www.kernel.org Desc: Linux 3.2.50 -Patch: 4420_grsecurity-2.9.1-3.2.50-201308181813.patch +Patch: 4420_grsecurity-2.9.1-3.2.50-201308202017.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308181813.patch b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch index d8e4449..01378eb 100644 --- a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308181813.patch +++ b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch @@ -5050,7 +5050,7 @@ index 9844662..04a2a1e 100644 do_exit(err); diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c -index 7d14bb6..1305601 100644 +index 7d14bb69..1305601 100644 --- a/arch/powerpc/kernel/vdso.c +++ b/arch/powerpc/kernel/vdso.c @@ -35,6 +35,7 @@ @@ -92175,7 +92175,7 @@ index 3d1d55d..1ee2a18 100644 .exit = netlink_net_exit, }; diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c -index 874f8ff..d8b8f87 100644 +index 874f8ff..339bb58 100644 --- a/net/netlink/genetlink.c 
+++ b/net/netlink/genetlink.c @@ -288,18 +288,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops) @@ -92216,27 +92216,6 @@ index 874f8ff..d8b8f87 100644 return 0; } } -@@ -700,6 +702,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb) - struct net *net = sock_net(skb->sk); - int chains_to_skip = cb->args[0]; - int fams_to_skip = cb->args[1]; -+ bool need_locking = chains_to_skip || fams_to_skip; -+ -+ if (need_locking) -+ genl_lock(); - - for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) { - n = 0; -@@ -721,6 +727,9 @@ errout: - cb->args[0] = i; - cb->args[1] = n; - -+ if (need_locking) -+ genl_unlock(); -+ - return skb->len; - } - diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 3df7c5a..8f324b0 100644 --- a/net/netrom/af_netrom.c |