author | Anthony G. Basile <blueness@gentoo.org> | 2013-10-17 09:47:30 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-10-20 11:38:26 -0400 |
commit | 726eace4292f378d04635f804e58d2fa545c243d (patch) | |
tree | a5a11b4163066b0f6b3d59323d47bf96e169b1ba | |
parent | Grsec/PaX: 2.9.1-3.11.3-201310012249 (diff) | |
Grsec/PaX: 2.9.1-{3.2.51,3.11.6}-20131019125920131019
-rw-r--r-- | 3.11.6/0000_README (renamed from 3.11.3/0000_README) | 6 | ||||
-rw-r--r-- | 3.11.6/1005_linux-3.11.6.patch | 2260 | ||||
-rw-r--r-- | 3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch (renamed from 3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch) | 1386 | ||||
-rw-r--r-- | 3.11.6/4425_grsec_remove_EI_PAX.patch (renamed from 3.11.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.11.3/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.11.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4435_grsec-mute-warnings.patch (renamed from 3.11.3/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4440_grsec-remove-protected-paths.patch (renamed from 3.11.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.11.3/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.11.3/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4470_disable-compat_vdso.patch (renamed from 3.11.3/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.11.6/4475_emutramp_default_on.patch (renamed from 3.11.3/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.51/0000_README | 2 | ||||
-rw-r--r-- | 3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch (renamed from 3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch) | 392 |
14 files changed, 3595 insertions, 451 deletions
diff --git a/3.11.3/0000_README b/3.11.6/0000_README
index b7b1adc..db9995c 100644
--- a/3.11.3/0000_README
+++ b/3.11.6/0000_README
@@ -2,7 +2,11 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.11.3-201310012249.patch
+Patch: 1005_linux-3.11.6.patch
+From: http://www.kernel.org
+Desc: Linux 3.11.6
+
+Patch: 4420_grsecurity-2.9.1-3.11.6-201310191259.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.11.6/1005_linux-3.11.6.patch b/3.11.6/1005_linux-3.11.6.patch
new file mode 100644
index 0000000..ad3cb53
--- /dev/null
+++ b/3.11.6/1005_linux-3.11.6.patch
@@ -0,0 +1,2260 @@ +diff --git a/Makefile b/Makefile +index 83121b7..e87ba83 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 11 +-SUBLEVEL = 5 ++SUBLEVEL = 6 + EXTRAVERSION = + NAME = Linux for Workgroups + +diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h +index 442ce5d..43de302 100644 +--- a/arch/arc/include/asm/delay.h ++++ b/arch/arc/include/asm/delay.h +@@ -53,11 +53,10 @@ static inline void __udelay(unsigned long usecs) + { + unsigned long loops; + +- /* (long long) cast ensures 64 bit MPY - real or emulated ++ /* (u64) cast ensures 64 bit MPY - real or emulated + * HZ * 4295 is pre-evaluated by gcc - hence only 2 mpy ops + */ +- loops = ((long long)(usecs * 4295 * HZ) * +- (long long)(loops_per_jiffy)) >> 32; ++ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32; + + __delay(loops); + } +diff --git a/arch/arc/include/asm/spinlock.h b/arch/arc/include/asm/spinlock.h +index f158197..b6a8c2d 100644 +--- a/arch/arc/include/asm/spinlock.h ++++ b/arch/arc/include/asm/spinlock.h +@@ -45,7 +45,14 @@ static inline int arch_spin_trylock(arch_spinlock_t *lock) + + static inline void arch_spin_unlock(arch_spinlock_t *lock) + { +- lock->slock = __ARCH_SPIN_LOCK_UNLOCKED__; ++ unsigned int tmp = __ARCH_SPIN_LOCK_UNLOCKED__; ++ ++ __asm__ __volatile__( ++ " ex %0, [%1] \n" ++ : "+r" (tmp) ++ : "r"(&(lock->slock)) ++ : "memory"); ++ + smp_mb(); + } + +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h +index 3242082..30c9baf 100644 +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -43,7 +43,7 @@ + * Because it essentially checks if buffer end is within limit and @len is + * non-ngeative, which implies that buffer start will be within limit too. 
+ * +- * The reason for rewriting being, for majorit yof cases, @len is generally ++ * The reason for rewriting being, for majority of cases, @len is generally + * compile time constant, causing first sub-expression to be compile time + * subsumed. + * +@@ -53,7 +53,7 @@ + * + */ + #define __user_ok(addr, sz) (((sz) <= TASK_SIZE) && \ +- (((addr)+(sz)) <= get_fs())) ++ ((addr) <= (get_fs() - (sz)))) + #define __access_ok(addr, sz) (unlikely(__kernel_ok) || \ + likely(__user_ok((addr), (sz)))) + +diff --git a/arch/arc/kernel/ptrace.c b/arch/arc/kernel/ptrace.c +index 3332385..5d76706 100644 +--- a/arch/arc/kernel/ptrace.c ++++ b/arch/arc/kernel/ptrace.c +@@ -102,7 +102,7 @@ static int genregs_set(struct task_struct *target, + REG_IGNORE_ONE(pad2); + REG_IN_CHUNK(callee, efa, cregs); /* callee_regs[r25..r13] */ + REG_IGNORE_ONE(efa); /* efa update invalid */ +- REG_IN_ONE(stop_pc, &ptregs->ret); /* stop_pc: PC update */ ++ REG_IGNORE_ONE(stop_pc); /* PC updated via @ret */ + + return ret; + } +diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c +index ee6ef2f..7e95e1a 100644 +--- a/arch/arc/kernel/signal.c ++++ b/arch/arc/kernel/signal.c +@@ -101,7 +101,6 @@ SYSCALL_DEFINE0(rt_sigreturn) + { + struct rt_sigframe __user *sf; + unsigned int magic; +- int err; + struct pt_regs *regs = current_pt_regs(); + + /* Always make any pending restarted system calls return -EINTR */ +@@ -119,15 +118,16 @@ SYSCALL_DEFINE0(rt_sigreturn) + if (!access_ok(VERIFY_READ, sf, sizeof(*sf))) + goto badframe; + +- err = restore_usr_regs(regs, sf); +- err |= __get_user(magic, &sf->sigret_magic); +- if (err) ++ if (__get_user(magic, &sf->sigret_magic)) + goto badframe; + + if (unlikely(is_do_ss_needed(magic))) + if (restore_altstack(&sf->uc.uc_stack)) + goto badframe; + ++ if (restore_usr_regs(regs, sf)) ++ goto badframe; ++ + /* Don't restart from sigreturn */ + syscall_wont_restart(regs); + +@@ -191,6 +191,15 @@ setup_rt_frame(int signo, struct k_sigaction *ka, siginfo_t *info, 
+ return 1; + + /* ++ * w/o SA_SIGINFO, struct ucontext is partially populated (only ++ * uc_mcontext/uc_sigmask) for kernel's normal user state preservation ++ * during signal handler execution. This works for SA_SIGINFO as well ++ * although the semantics are now overloaded (the same reg state can be ++ * inspected by userland: but are they allowed to fiddle with it ? ++ */ ++ err |= stash_usr_regs(sf, regs, set); ++ ++ /* + * SA_SIGINFO requires 3 args to signal handler: + * #1: sig-no (common to any handler) + * #2: struct siginfo +@@ -213,14 +222,6 @@ setup_rt_frame(int signo, struct k_sigaction *ka, siginfo_t *info, + magic = MAGIC_SIGALTSTK; + } + +- /* +- * w/o SA_SIGINFO, struct ucontext is partially populated (only +- * uc_mcontext/uc_sigmask) for kernel's normal user state preservation +- * during signal handler execution. This works for SA_SIGINFO as well +- * although the semantics are now overloaded (the same reg state can be +- * inspected by userland: but are they allowed to fiddle with it ? 
+- */ +- err |= stash_usr_regs(sf, regs, set); + err |= __put_user(magic, &sf->sigret_magic); + if (err) + return err; +diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c +index c0f832f..00ad070 100644 +--- a/arch/arc/kernel/unaligned.c ++++ b/arch/arc/kernel/unaligned.c +@@ -233,6 +233,12 @@ int misaligned_fixup(unsigned long address, struct pt_regs *regs, + regs->status32 &= ~STATUS_DE_MASK; + } else { + regs->ret += state.instr_len; ++ ++ /* handle zero-overhead-loop */ ++ if ((regs->ret == regs->lp_end) && (regs->lp_count)) { ++ regs->ret = regs->lp_start; ++ regs->lp_count--; ++ } + } + + return 0; +diff --git a/arch/arm/include/asm/jump_label.h b/arch/arm/include/asm/jump_label.h +index bfc198c..863c892 100644 +--- a/arch/arm/include/asm/jump_label.h ++++ b/arch/arm/include/asm/jump_label.h +@@ -16,7 +16,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("1:\n\t" ++ asm_volatile_goto("1:\n\t" + JUMP_LABEL_NOP "\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + ".word 1b, %l[l_yes], %c0\n\t" +diff --git a/arch/mips/include/asm/jump_label.h b/arch/mips/include/asm/jump_label.h +index 4d6d77e..e194f95 100644 +--- a/arch/mips/include/asm/jump_label.h ++++ b/arch/mips/include/asm/jump_label.h +@@ -22,7 +22,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("1:\tnop\n\t" ++ asm_volatile_goto("1:\tnop\n\t" + "nop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + WORD_INSN " 1b, %l[l_yes], %0\n\t" +diff --git a/arch/mips/kernel/octeon_switch.S b/arch/mips/kernel/octeon_switch.S +index 4204d76..029e002 100644 +--- a/arch/mips/kernel/octeon_switch.S ++++ b/arch/mips/kernel/octeon_switch.S +@@ -73,7 +73,7 @@ + 3: + + #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) +- PTR_L t8, __stack_chk_guard ++ PTR_LA t8, __stack_chk_guard + LONG_L t9, TASK_STACK_CANARY(a1) + LONG_S t9, 0(t8) + #endif +diff --git a/arch/mips/kernel/r2300_switch.S 
b/arch/mips/kernel/r2300_switch.S +index 38af83f..20b7b04 100644 +--- a/arch/mips/kernel/r2300_switch.S ++++ b/arch/mips/kernel/r2300_switch.S +@@ -67,7 +67,7 @@ LEAF(resume) + 1: + + #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) +- PTR_L t8, __stack_chk_guard ++ PTR_LA t8, __stack_chk_guard + LONG_L t9, TASK_STACK_CANARY(a1) + LONG_S t9, 0(t8) + #endif +diff --git a/arch/mips/kernel/r4k_switch.S b/arch/mips/kernel/r4k_switch.S +index 921238a..078de5e 100644 +--- a/arch/mips/kernel/r4k_switch.S ++++ b/arch/mips/kernel/r4k_switch.S +@@ -69,7 +69,7 @@ + 1: + + #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) +- PTR_L t8, __stack_chk_guard ++ PTR_LA t8, __stack_chk_guard + LONG_L t9, TASK_STACK_CANARY(a1) + LONG_S t9, 0(t8) + #endif +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 04e47c6..b3f87a3 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -805,14 +805,14 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + else { + + /* +- * The kernel should never fault on its own address space. ++ * The kernel should never fault on its own address space, ++ * unless pagefault_disable() was called before. 
+ */ + +- if (fault_space == 0) ++ if (fault_space == 0 && !in_atomic()) + { + pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); + parisc_terminate("Kernel Fault", regs, code, fault_address); +- + } + } + +diff --git a/arch/powerpc/include/asm/jump_label.h b/arch/powerpc/include/asm/jump_label.h +index ae098c4..f016bb6 100644 +--- a/arch/powerpc/include/asm/jump_label.h ++++ b/arch/powerpc/include/asm/jump_label.h +@@ -19,7 +19,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("1:\n\t" ++ asm_volatile_goto("1:\n\t" + "nop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + JUMP_ENTRY_TYPE "1b, %l[l_yes], %c0\n\t" +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index b02f91e..7bcd4d6 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1054,7 +1054,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206) + BEGIN_FTR_SECTION + mfspr r8, SPRN_DSCR + ld r7, HSTATE_DSCR(r13) +- std r8, VCPU_DSCR(r7) ++ std r8, VCPU_DSCR(r9) + mtspr SPRN_DSCR, r7 + END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206) + +diff --git a/arch/s390/include/asm/jump_label.h b/arch/s390/include/asm/jump_label.h +index 6c32190..346b1c8 100644 +--- a/arch/s390/include/asm/jump_label.h ++++ b/arch/s390/include/asm/jump_label.h +@@ -15,7 +15,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("0: brcl 0,0\n" ++ asm_volatile_goto("0: brcl 0,0\n" + ".pushsection __jump_table, \"aw\"\n" + ASM_ALIGN "\n" + ASM_PTR " 0b, %l[label], %0\n" +diff --git a/arch/sparc/include/asm/jump_label.h b/arch/sparc/include/asm/jump_label.h +index 5080d16..ec2e2e2 100644 +--- a/arch/sparc/include/asm/jump_label.h ++++ b/arch/sparc/include/asm/jump_label.h +@@ -9,7 +9,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("1:\n\t" ++ asm_volatile_goto("1:\n\t" + "nop\n\t" + "nop\n\t" + ".pushsection __jump_table, 
\"aw\"\n\t" +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index 47538a6..7290585 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -373,7 +373,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) + * Catch too early usage of this before alternatives + * have run. + */ +- asm goto("1: jmp %l[t_warn]\n" ++ asm_volatile_goto("1: jmp %l[t_warn]\n" + "2:\n" + ".section .altinstructions,\"a\"\n" + " .long 1b - .\n" +@@ -386,7 +386,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) + : : "i" (X86_FEATURE_ALWAYS) : : t_warn); + #endif + +- asm goto("1: jmp %l[t_no]\n" ++ asm_volatile_goto("1: jmp %l[t_no]\n" + "2:\n" + ".section .altinstructions,\"a\"\n" + " .long 1b - .\n" +@@ -448,7 +448,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + * have. Thus, we force the jump to the widest, 4-byte, signed relative + * offset even though the last would often fit in less bytes. 
+ */ +- asm goto("1: .byte 0xe9\n .long %l[t_dynamic] - 2f\n" ++ asm_volatile_goto("1: .byte 0xe9\n .long %l[t_dynamic] - 2f\n" + "2:\n" + ".section .altinstructions,\"a\"\n" + " .long 1b - .\n" /* src offset */ +diff --git a/arch/x86/include/asm/e820.h b/arch/x86/include/asm/e820.h +index cccd07f..779c2ef 100644 +--- a/arch/x86/include/asm/e820.h ++++ b/arch/x86/include/asm/e820.h +@@ -29,7 +29,7 @@ extern void e820_setup_gap(void); + extern int e820_search_gap(unsigned long *gapstart, unsigned long *gapsize, + unsigned long start_addr, unsigned long long end_addr); + struct setup_data; +-extern void parse_e820_ext(struct setup_data *data); ++extern void parse_e820_ext(u64 phys_addr, u32 data_len); + + #if defined(CONFIG_X86_64) || \ + (defined(CONFIG_X86_32) && defined(CONFIG_HIBERNATION)) +diff --git a/arch/x86/include/asm/jump_label.h b/arch/x86/include/asm/jump_label.h +index 3a16c14..0297669 100644 +--- a/arch/x86/include/asm/jump_label.h ++++ b/arch/x86/include/asm/jump_label.h +@@ -13,7 +13,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key) + { +- asm goto("1:" ++ asm_volatile_goto("1:" + STATIC_KEY_INITIAL_NOP + ".pushsection __jump_table, \"aw\" \n\t" + _ASM_ALIGN "\n\t" +diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c +index d32abea..174da5f 100644 +--- a/arch/x86/kernel/e820.c ++++ b/arch/x86/kernel/e820.c +@@ -658,15 +658,18 @@ __init void e820_setup_gap(void) + * boot_params.e820_map, others are passed via SETUP_E820_EXT node of + * linked list of struct setup_data, which is parsed here. 
+ */ +-void __init parse_e820_ext(struct setup_data *sdata) ++void __init parse_e820_ext(u64 phys_addr, u32 data_len) + { + int entries; + struct e820entry *extmap; ++ struct setup_data *sdata; + ++ sdata = early_memremap(phys_addr, data_len); + entries = sdata->len / sizeof(struct e820entry); + extmap = (struct e820entry *)(sdata->data); + __append_e820_map(extmap, entries); + sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); ++ early_iounmap(sdata, data_len); + printk(KERN_INFO "e820: extended physical RAM map:\n"); + e820_print_map("extended"); + } +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index f8ec578..234e1e3 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -426,25 +426,23 @@ static void __init reserve_initrd(void) + static void __init parse_setup_data(void) + { + struct setup_data *data; +- u64 pa_data; ++ u64 pa_data, pa_next; + + pa_data = boot_params.hdr.setup_data; + while (pa_data) { +- u32 data_len, map_len; ++ u32 data_len, map_len, data_type; + + map_len = max(PAGE_SIZE - (pa_data & ~PAGE_MASK), + (u64)sizeof(struct setup_data)); + data = early_memremap(pa_data, map_len); + data_len = data->len + sizeof(struct setup_data); +- if (data_len > map_len) { +- early_iounmap(data, map_len); +- data = early_memremap(pa_data, data_len); +- map_len = data_len; +- } ++ data_type = data->type; ++ pa_next = data->next; ++ early_iounmap(data, map_len); + +- switch (data->type) { ++ switch (data_type) { + case SETUP_E820_EXT: +- parse_e820_ext(data); ++ parse_e820_ext(pa_data, data_len); + break; + case SETUP_DTB: + add_dtb(pa_data); +@@ -452,8 +450,7 @@ static void __init parse_setup_data(void) + default: + break; + } +- pa_data = data->next; +- early_iounmap(data, map_len); ++ pa_data = pa_next; + } + } + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 0d91fe5..92e6c67 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1462,12 +1462,11 @@ struct ctl_table 
random_table[] = { + + static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned; + +-static int __init random_int_secret_init(void) ++int random_int_secret_init(void) + { + get_random_bytes(random_int_secret, sizeof(random_int_secret)); + return 0; + } +-late_initcall(random_int_secret_init); + + /* + * Get a random word for internal kernel use only. Similar to urandom but +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 342f1f3..c42d31c 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -3791,6 +3791,9 @@ + #define GEN7_SQ_CHICKEN_MBCUNIT_CONFIG 0x9030 + #define GEN7_SQ_CHICKEN_MBCUNIT_SQINTMOB (1<<11) + ++#define HSW_SCRATCH1 0xb038 ++#define HSW_SCRATCH1_L3_DATA_ATOMICS_DISABLE (1<<27) ++ + #define HSW_FUSE_STRAP 0x42014 + #define HSW_CDCLK_LIMIT (1 << 24) + +@@ -4624,6 +4627,9 @@ + #define GEN7_ROW_CHICKEN2_GT2 0xf4f4 + #define DOP_CLOCK_GATING_DISABLE (1<<0) + ++#define HSW_ROW_CHICKEN3 0xe49c ++#define HSW_ROW_CHICKEN3_L3_GLOBAL_ATOMICS_DISABLE (1 << 6) ++ + #define G4X_AUD_VID_DID (dev_priv->info->display_mmio_offset + 0x62020) + #define INTEL_AUDIO_DEVCL 0x808629FB + #define INTEL_AUDIO_DEVBLC 0x80862801 +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 7fc8a76..90a7c17 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -3890,8 +3890,6 @@ static void intel_connector_check_state(struct intel_connector *connector) + * consider. */ + void intel_connector_dpms(struct drm_connector *connector, int mode) + { +- struct intel_encoder *encoder = intel_attached_encoder(connector); +- + /* All the simple cases only support two dpms states. 
*/ + if (mode != DRM_MODE_DPMS_ON) + mode = DRM_MODE_DPMS_OFF; +@@ -3902,10 +3900,8 @@ void intel_connector_dpms(struct drm_connector *connector, int mode) + connector->dpms = mode; + + /* Only need to change hw state when actually enabled */ +- if (encoder->base.crtc) +- intel_encoder_dpms(encoder, mode); +- else +- WARN_ON(encoder->connectors_active != false); ++ if (connector->encoder) ++ intel_encoder_dpms(to_intel_encoder(connector->encoder), mode); + + intel_modeset_check_state(connector->dev); + } +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index b0e4a0b..cad0482 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -3603,8 +3603,6 @@ static void valleyview_enable_rps(struct drm_device *dev) + dev_priv->rps.rpe_delay), + dev_priv->rps.rpe_delay); + +- INIT_DELAYED_WORK(&dev_priv->rps.vlv_work, vlv_rps_timer_work); +- + valleyview_set_rps(dev_priv->dev, dev_priv->rps.rpe_delay); + + /* requires MSI enabled */ +@@ -4699,6 +4697,11 @@ static void haswell_init_clock_gating(struct drm_device *dev) + I915_WRITE(GEN7_L3_CHICKEN_MODE_REGISTER, + GEN7_WA_L3_CHICKEN_MODE); + ++ /* L3 caching of data atomics doesn't work -- disable it. 
*/ ++ I915_WRITE(HSW_SCRATCH1, HSW_SCRATCH1_L3_DATA_ATOMICS_DISABLE); ++ I915_WRITE(HSW_ROW_CHICKEN3, ++ _MASKED_BIT_ENABLE(HSW_ROW_CHICKEN3_L3_GLOBAL_ATOMICS_DISABLE)); ++ + /* This is required by WaCatErrorRejectionIssue:hsw */ + I915_WRITE(GEN7_SQ_CHICKEN_MBCUNIT_CONFIG, + I915_READ(GEN7_SQ_CHICKEN_MBCUNIT_CONFIG) | +@@ -5562,6 +5565,8 @@ void intel_pm_init(struct drm_device *dev) + + INIT_DELAYED_WORK(&dev_priv->rps.delayed_resume_work, + intel_gen6_powersave_work); ++ ++ INIT_DELAYED_WORK(&dev_priv->rps.vlv_work, vlv_rps_timer_work); + } + + int sandybridge_pcode_read(struct drm_i915_private *dev_priv, u8 mbox, u32 *val) +diff --git a/drivers/gpu/drm/radeon/btc_dpm.c b/drivers/gpu/drm/radeon/btc_dpm.c +index 084e694..639b9aa 100644 +--- a/drivers/gpu/drm/radeon/btc_dpm.c ++++ b/drivers/gpu/drm/radeon/btc_dpm.c +@@ -1913,7 +1913,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev, + } + j++; + +- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + tmp = RREG32(MC_PMG_CMD_MRS); +@@ -1928,7 +1928,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev, + } + j++; + +- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + break; + case MC_SEQ_RESERVE_M >> 2: +@@ -1942,7 +1942,7 @@ static int btc_set_mc_special_registers(struct radeon_device *rdev, + } + j++; + +- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + break; + default: +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 94dab1e..8307883 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -3126,7 +3126,7 @@ static void evergreen_gpu_init(struct radeon_device *rdev) + rdev->config.evergreen.sx_max_export_size = 256; + rdev->config.evergreen.sx_max_export_pos_size = 64; + 
rdev->config.evergreen.sx_max_export_smx_size = 192; +- rdev->config.evergreen.max_hw_contexts = 8; ++ rdev->config.evergreen.max_hw_contexts = 4; + rdev->config.evergreen.sq_num_cf_insts = 2; + + rdev->config.evergreen.sc_prim_fifo_size = 0x40; +diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h +index 20fd17c..6be00c9 100644 +--- a/drivers/gpu/drm/radeon/evergreend.h ++++ b/drivers/gpu/drm/radeon/evergreend.h +@@ -1494,7 +1494,7 @@ + * 6. COMMAND [29:22] | BYTE_COUNT [20:0] + */ + # define PACKET3_CP_DMA_DST_SEL(x) ((x) << 20) +- /* 0 - SRC_ADDR ++ /* 0 - DST_ADDR + * 1 - GDS + */ + # define PACKET3_CP_DMA_ENGINE(x) ((x) << 27) +@@ -1509,7 +1509,7 @@ + # define PACKET3_CP_DMA_CP_SYNC (1 << 31) + /* COMMAND */ + # define PACKET3_CP_DMA_DIS_WC (1 << 21) +-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23) ++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22) + /* 0 - none + * 1 - 8 in 16 + * 2 - 8 in 32 +diff --git a/drivers/gpu/drm/radeon/r600d.h b/drivers/gpu/drm/radeon/r600d.h +index 7c78083..d079cb1 100644 +--- a/drivers/gpu/drm/radeon/r600d.h ++++ b/drivers/gpu/drm/radeon/r600d.h +@@ -1487,7 +1487,7 @@ + */ + # define PACKET3_CP_DMA_CP_SYNC (1 << 31) + /* COMMAND */ +-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23) ++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22) + /* 0 - none + * 1 - 8 in 16 + * 2 - 8 in 32 +diff --git a/drivers/gpu/drm/radeon/radeon_test.c b/drivers/gpu/drm/radeon/radeon_test.c +index f4d6bce..12e8099 100644 +--- a/drivers/gpu/drm/radeon/radeon_test.c ++++ b/drivers/gpu/drm/radeon/radeon_test.c +@@ -36,8 +36,8 @@ static void radeon_do_test_moves(struct radeon_device *rdev, int flag) + struct radeon_bo *vram_obj = NULL; + struct radeon_bo **gtt_obj = NULL; + uint64_t gtt_addr, vram_addr; +- unsigned i, n, size; +- int r, ring; ++ unsigned n, size; ++ int i, r, ring; + + switch (flag) { + case RADEON_TEST_COPY_DMA: +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c 
+index 1cfba39..1c23b61 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -5174,7 +5174,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +@@ -5184,7 +5184,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] = + (table->mc_reg_table_entry[k].mc_data[i] & 0xffff0000) >> 16; + j++; +- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + } + break; +@@ -5197,7 +5197,7 @@ static int si_set_mc_special_registers(struct radeon_device *rdev, + (temp_reg & 0xffff0000) | + (table->mc_reg_table_entry[k].mc_data[i] & 0x0000ffff); + j++; +- if (j > SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMC_SISLANDS_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + break; + default: +diff --git a/drivers/gpu/drm/radeon/sid.h b/drivers/gpu/drm/radeon/sid.h +index 2010d6b..a75d25a 100644 +--- a/drivers/gpu/drm/radeon/sid.h ++++ b/drivers/gpu/drm/radeon/sid.h +@@ -1490,7 +1490,7 @@ + * 6. 
COMMAND [30:21] | BYTE_COUNT [20:0] + */ + # define PACKET3_CP_DMA_DST_SEL(x) ((x) << 20) +- /* 0 - SRC_ADDR ++ /* 0 - DST_ADDR + * 1 - GDS + */ + # define PACKET3_CP_DMA_ENGINE(x) ((x) << 27) +@@ -1505,7 +1505,7 @@ + # define PACKET3_CP_DMA_CP_SYNC (1 << 31) + /* COMMAND */ + # define PACKET3_CP_DMA_DIS_WC (1 << 21) +-# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 23) ++# define PACKET3_CP_DMA_CMD_SRC_SWAP(x) ((x) << 22) + /* 0 - none + * 1 - 8 in 16 + * 2 - 8 in 32 +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c +index 98814d1..3288f13 100644 +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -230,6 +230,7 @@ static int send_argument(const char *key) + + static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len) + { ++ u8 status, data = 0; + int i; + + if (send_command(cmd) || send_argument(key)) { +@@ -237,6 +238,7 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len) + return -EIO; + } + ++ /* This has no effect on newer (2012) SMCs */ + if (send_byte(len, APPLESMC_DATA_PORT)) { + pr_warn("%.4s: read len fail\n", key); + return -EIO; +@@ -250,6 +252,17 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len) + buffer[i] = inb(APPLESMC_DATA_PORT); + } + ++ /* Read the data port until bit0 is cleared */ ++ for (i = 0; i < 16; i++) { ++ udelay(APPLESMC_MIN_WAIT); ++ status = inb(APPLESMC_CMD_PORT); ++ if (!(status & 0x01)) ++ break; ++ data = inb(APPLESMC_DATA_PORT); ++ } ++ if (i) ++ pr_warn("flushed %d bytes, last value is: %d\n", i, data); ++ + return 0; + } + +diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c +index 142b694d..e6b8dcd 100644 +--- a/drivers/i2c/busses/i2c-omap.c ++++ b/drivers/i2c/busses/i2c-omap.c +@@ -944,6 +944,9 @@ omap_i2c_isr_thread(int this_irq, void *dev_id) + /* + * ProDB0017052: Clear ARDY bit twice + */ ++ if (stat & OMAP_I2C_STAT_ARDY) ++ omap_i2c_ack_stat(dev, OMAP_I2C_STAT_ARDY); ++ + if (stat & (OMAP_I2C_STAT_ARDY | OMAP_I2C_STAT_NACK | + 
OMAP_I2C_STAT_AL)) { + omap_i2c_ack_stat(dev, (OMAP_I2C_STAT_RRDY | +diff --git a/drivers/watchdog/kempld_wdt.c b/drivers/watchdog/kempld_wdt.c +index 491419e..5c3d4df 100644 +--- a/drivers/watchdog/kempld_wdt.c ++++ b/drivers/watchdog/kempld_wdt.c +@@ -35,7 +35,7 @@ + #define KEMPLD_WDT_STAGE_TIMEOUT(x) (0x1b + (x) * 4) + #define KEMPLD_WDT_STAGE_CFG(x) (0x18 + (x)) + #define STAGE_CFG_GET_PRESCALER(x) (((x) & 0x30) >> 4) +-#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x30) << 4) ++#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x3) << 4) + #define STAGE_CFG_PRESCALER_MASK 0x30 + #define STAGE_CFG_ACTION_MASK 0x7 + #define STAGE_CFG_ASSERT (1 << 3) +diff --git a/drivers/watchdog/ts72xx_wdt.c b/drivers/watchdog/ts72xx_wdt.c +index 4da59b4..381999c 100644 +--- a/drivers/watchdog/ts72xx_wdt.c ++++ b/drivers/watchdog/ts72xx_wdt.c +@@ -310,7 +310,8 @@ static long ts72xx_wdt_ioctl(struct file *file, unsigned int cmd, + + case WDIOC_GETSTATUS: + case WDIOC_GETBOOTSTATUS: +- return put_user(0, p); ++ error = put_user(0, p); ++ break; + + case WDIOC_KEEPALIVE: + ts72xx_wdt_kick(wdt); +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index d3280b2..8220491 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -8036,7 +8036,7 @@ static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry, + + + /* check for collisions, even if the name isn't there */ +- ret = btrfs_check_dir_item_collision(root, new_dir->i_ino, ++ ret = btrfs_check_dir_item_collision(dest, new_dir->i_ino, + new_dentry->d_name.name, + new_dentry->d_name.len); + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index c081e34..03e9beb 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1350,6 +1350,8 @@ retry: + s_min_extra_isize) { + tried_min_extra_isize++; + new_extra_isize = s_min_extra_isize; ++ kfree(is); is = NULL; ++ kfree(bs); bs = NULL; + goto retry; + } + error = -1; +diff --git a/fs/statfs.c b/fs/statfs.c +index c219e733..083dc0a 100644 +--- a/fs/statfs.c ++++ b/fs/statfs.c +@@ 
-94,7 +94,7 @@ retry: + + int fd_statfs(int fd, struct kstatfs *st) + { +- struct fd f = fdget(fd); ++ struct fd f = fdget_raw(fd); + int error = -EBADF; + if (f.file) { + error = vfs_statfs(&f.file->f_path, st); +diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h +index 842de22..ded4299 100644 +--- a/include/linux/compiler-gcc4.h ++++ b/include/linux/compiler-gcc4.h +@@ -65,6 +65,21 @@ + #define __visible __attribute__((externally_visible)) + #endif + ++/* ++ * GCC 'asm goto' miscompiles certain code sequences: ++ * ++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 ++ * ++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. ++ * Fixed in GCC 4.8.2 and later versions. ++ * ++ * (asm goto is automatically volatile - the naming reflects this.) ++ */ ++#if GCC_VERSION <= 40801 ++# define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ++#else ++# define asm_volatile_goto(x...) do { asm goto(x); } while (0) ++#endif + + #ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP + #if GCC_VERSION >= 40400 +diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h +index c4d870b..19c19a5 100644 +--- a/include/linux/ipc_namespace.h ++++ b/include/linux/ipc_namespace.h +@@ -22,7 +22,7 @@ struct ipc_ids { + int in_use; + unsigned short seq; + unsigned short seq_max; +- struct rw_semaphore rw_mutex; ++ struct rw_semaphore rwsem; + struct idr ipcs_idr; + int next_id; + }; +diff --git a/include/linux/random.h b/include/linux/random.h +index 3b9377d..6312dd9 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -17,6 +17,7 @@ extern void add_interrupt_randomness(int irq, int irq_flags); + extern void get_random_bytes(void *buf, int nbytes); + extern void get_random_bytes_arch(void *buf, int nbytes); + void generate_random_uuid(unsigned char uuid_out[16]); ++extern int random_int_secret_init(void); + + #ifndef MODULE + extern const struct file_operations random_fops, urandom_fops; +diff --git 
a/init/main.c b/init/main.c +index d03d2ec..586cd33 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -75,6 +75,7 @@ + #include <linux/blkdev.h> + #include <linux/elevator.h> + #include <linux/sched_clock.h> ++#include <linux/random.h> + + #include <asm/io.h> + #include <asm/bugs.h> +@@ -778,6 +779,7 @@ static void __init do_basic_setup(void) + do_ctors(); + usermodehelper_enable(); + do_initcalls(); ++ random_int_secret_init(); + } + + static void __init do_pre_smp_initcalls(void) +diff --git a/ipc/msg.c b/ipc/msg.c +index a877c16..558aa91 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -70,8 +70,6 @@ struct msg_sender { + + #define msg_ids(ns) ((ns)->ids[IPC_MSG_IDS]) + +-#define msg_unlock(msq) ipc_unlock(&(msq)->q_perm) +- + static void freeque(struct ipc_namespace *, struct kern_ipc_perm *); + static int newque(struct ipc_namespace *, struct ipc_params *); + #ifdef CONFIG_PROC_FS +@@ -181,7 +179,7 @@ static void msg_rcu_free(struct rcu_head *head) + * @ns: namespace + * @params: ptr to the structure that contains the key and msgflg + * +- * Called with msg_ids.rw_mutex held (writer) ++ * Called with msg_ids.rwsem held (writer) + */ + static int newque(struct ipc_namespace *ns, struct ipc_params *params) + { +@@ -267,8 +265,8 @@ static void expunge_all(struct msg_queue *msq, int res) + * removes the message queue from message queue ID IDR, and cleans up all the + * messages associated with this queue. + * +- * msg_ids.rw_mutex (writer) and the spinlock for this message queue are held +- * before freeque() is called. msg_ids.rw_mutex remains locked on exit. ++ * msg_ids.rwsem (writer) and the spinlock for this message queue are held ++ * before freeque() is called. msg_ids.rwsem remains locked on exit. 
+ */ + static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) + { +@@ -278,7 +276,8 @@ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) + expunge_all(msq, -EIDRM); + ss_wakeup(&msq->q_senders, 1); + msg_rmid(ns, msq); +- msg_unlock(msq); ++ ipc_unlock_object(&msq->q_perm); ++ rcu_read_unlock(); + + list_for_each_entry_safe(msg, t, &msq->q_messages, m_list) { + atomic_dec(&ns->msg_hdrs); +@@ -289,7 +288,7 @@ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) + } + + /* +- * Called with msg_ids.rw_mutex and ipcp locked. ++ * Called with msg_ids.rwsem and ipcp locked. + */ + static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) + { +@@ -393,9 +392,9 @@ copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version) + } + + /* +- * This function handles some msgctl commands which require the rw_mutex ++ * This function handles some msgctl commands which require the rwsem + * to be held in write mode. +- * NOTE: no locks must be held, the rw_mutex is taken inside this function. ++ * NOTE: no locks must be held, the rwsem is taken inside this function. 
+ */ + static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd, + struct msqid_ds __user *buf, int version) +@@ -410,7 +409,7 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd, + return -EFAULT; + } + +- down_write(&msg_ids(ns).rw_mutex); ++ down_write(&msg_ids(ns).rwsem); + rcu_read_lock(); + + ipcp = ipcctl_pre_down_nolock(ns, &msg_ids(ns), msqid, cmd, +@@ -466,7 +465,7 @@ out_unlock0: + out_unlock1: + rcu_read_unlock(); + out_up: +- up_write(&msg_ids(ns).rw_mutex); ++ up_write(&msg_ids(ns).rwsem); + return err; + } + +@@ -501,7 +500,7 @@ static int msgctl_nolock(struct ipc_namespace *ns, int msqid, + msginfo.msgmnb = ns->msg_ctlmnb; + msginfo.msgssz = MSGSSZ; + msginfo.msgseg = MSGSEG; +- down_read(&msg_ids(ns).rw_mutex); ++ down_read(&msg_ids(ns).rwsem); + if (cmd == MSG_INFO) { + msginfo.msgpool = msg_ids(ns).in_use; + msginfo.msgmap = atomic_read(&ns->msg_hdrs); +@@ -512,7 +511,7 @@ static int msgctl_nolock(struct ipc_namespace *ns, int msqid, + msginfo.msgtql = MSGTQL; + } + max_id = ipc_get_maxid(&msg_ids(ns)); +- up_read(&msg_ids(ns).rw_mutex); ++ up_read(&msg_ids(ns).rwsem); + if (copy_to_user(buf, &msginfo, sizeof(struct msginfo))) + return -EFAULT; + return (max_id < 0) ? 
0 : max_id; +diff --git a/ipc/namespace.c b/ipc/namespace.c +index 7ee61bf..aba9a58 100644 +--- a/ipc/namespace.c ++++ b/ipc/namespace.c +@@ -81,7 +81,7 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, + int next_id; + int total, in_use; + +- down_write(&ids->rw_mutex); ++ down_write(&ids->rwsem); + + in_use = ids->in_use; + +@@ -89,11 +89,12 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, + perm = idr_find(&ids->ipcs_idr, next_id); + if (perm == NULL) + continue; +- ipc_lock_by_ptr(perm); ++ rcu_read_lock(); ++ ipc_lock_object(perm); + free(ns, perm); + total++; + } +- up_write(&ids->rw_mutex); ++ up_write(&ids->rwsem); + } + + static void free_ipc_ns(struct ipc_namespace *ns) +diff --git a/ipc/sem.c b/ipc/sem.c +index 87614511..8e2bf30 100644 +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -248,12 +248,20 @@ static void merge_queues(struct sem_array *sma) + * Caller must own sem_perm.lock. + * New simple ops cannot start, because simple ops first check + * that sem_perm.lock is free. ++ * that a) sem_perm.lock is free and b) complex_count is 0. + */ + static void sem_wait_array(struct sem_array *sma) + { + int i; + struct sem *sem; + ++ if (sma->complex_count) { ++ /* The thread that increased sma->complex_count waited on ++ * all sem->lock locks. Thus we don't need to wait again. ++ */ ++ return; ++ } ++ + for (i = 0; i < sma->sem_nsems; i++) { + sem = sma->sem_base + i; + spin_unlock_wait(&sem->lock); +@@ -365,7 +373,7 @@ static inline void sem_unlock(struct sem_array *sma, int locknum) + } + + /* +- * sem_lock_(check_) routines are called in the paths where the rw_mutex ++ * sem_lock_(check_) routines are called in the paths where the rwsem + * is not held. + * + * The caller holds the RCU read lock. 
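Review bot: The comment above sem_wait_array() in the `@@ -248,12 +248,20 @@` hunk now carries both the old line `that sem_perm.lock is free.` and the new `that a) sem_perm.lock is free and b) complex_count is 0.`; the old line should have been removed in the same hunk, otherwise the text reads as two contradictory sentences. The new early return when `sma->complex_count` is non-zero is only sound because the caller owns sem_perm.lock, as the first comment line states, since that is what keeps complex_count from dropping to zero underneath the check. I would repeat the precondition next to the return: `/* Valid only with sem_perm.lock held: complex_count cannot change under us. */`.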
+@@ -464,7 +472,7 @@ static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) + * @ns: namespace + * @params: ptr to the structure that contains key, semflg and nsems + * +- * Called with sem_ids.rw_mutex held (as a writer) ++ * Called with sem_ids.rwsem held (as a writer) + */ + + static int newary(struct ipc_namespace *ns, struct ipc_params *params) +@@ -529,7 +537,7 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params) + + + /* +- * Called with sem_ids.rw_mutex and ipcp locked. ++ * Called with sem_ids.rwsem and ipcp locked. + */ + static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg) + { +@@ -540,7 +548,7 @@ static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg) + } + + /* +- * Called with sem_ids.rw_mutex and ipcp locked. ++ * Called with sem_ids.rwsem and ipcp locked. + */ + static inline int sem_more_checks(struct kern_ipc_perm *ipcp, + struct ipc_params *params) +@@ -910,6 +918,24 @@ again: + } + + /** ++ * set_semotime(sma, sops) - set sem_otime ++ * @sma: semaphore array ++ * @sops: operations that modified the array, may be NULL ++ * ++ * sem_otime is replicated to avoid cache line trashing. ++ * This function sets one instance to the current time. 
++ */ ++static void set_semotime(struct sem_array *sma, struct sembuf *sops) ++{ ++ if (sops == NULL) { ++ sma->sem_base[0].sem_otime = get_seconds(); ++ } else { ++ sma->sem_base[sops[0].sem_num].sem_otime = ++ get_seconds(); ++ } ++} ++ ++/** + * do_smart_update(sma, sops, nsops, otime, pt) - optimized update_queue + * @sma: semaphore array + * @sops: operations that were performed +@@ -959,17 +985,10 @@ static void do_smart_update(struct sem_array *sma, struct sembuf *sops, int nsop + } + } + } +- if (otime) { +- if (sops == NULL) { +- sma->sem_base[0].sem_otime = get_seconds(); +- } else { +- sma->sem_base[sops[0].sem_num].sem_otime = +- get_seconds(); +- } +- } ++ if (otime) ++ set_semotime(sma, sops); + } + +- + /* The following counts are associated to each semaphore: + * semncnt number of tasks waiting on semval being nonzero + * semzcnt number of tasks waiting on semval being zero +@@ -1031,8 +1050,8 @@ static int count_semzcnt (struct sem_array * sma, ushort semnum) + return semzcnt; + } + +-/* Free a semaphore set. freeary() is called with sem_ids.rw_mutex locked +- * as a writer and the spinlock for this semaphore set hold. sem_ids.rw_mutex ++/* Free a semaphore set. freeary() is called with sem_ids.rwsem locked ++ * as a writer and the spinlock for this semaphore set hold. sem_ids.rwsem + * remains locked on exit. 
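Review bot: set_semotime() indexes `sma->sem_base[sops[0].sem_num]` with no bounds check, so it depends entirely on every caller having validated sem_num against sem_nsems before the operation; that validation is not part of this hunk (it presumably happens earlier in semtimedop()), so the kernel-doc should state the precondition rather than leave it implicit. I would extend the parameter line to `@sops: operations that modified the array, may be NULL; sops[0].sem_num must already be checked against sem_nsems`. Both callers in this patch, do_smart_update() and the new semtimedop() path, presumably reach it with the array locked, and saying so in the comment would keep future callers honest.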
+ */ + static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) +@@ -1152,7 +1171,7 @@ static int semctl_nolock(struct ipc_namespace *ns, int semid, + seminfo.semmnu = SEMMNU; + seminfo.semmap = SEMMAP; + seminfo.semume = SEMUME; +- down_read(&sem_ids(ns).rw_mutex); ++ down_read(&sem_ids(ns).rwsem); + if (cmd == SEM_INFO) { + seminfo.semusz = sem_ids(ns).in_use; + seminfo.semaem = ns->used_sems; +@@ -1161,7 +1180,7 @@ static int semctl_nolock(struct ipc_namespace *ns, int semid, + seminfo.semaem = SEMAEM; + } + max_id = ipc_get_maxid(&sem_ids(ns)); +- up_read(&sem_ids(ns).rw_mutex); ++ up_read(&sem_ids(ns).rwsem); + if (copy_to_user(p, &seminfo, sizeof(struct seminfo))) + return -EFAULT; + return (max_id < 0) ? 0: max_id; +@@ -1467,9 +1486,9 @@ copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version) + } + + /* +- * This function handles some semctl commands which require the rw_mutex ++ * This function handles some semctl commands which require the rwsem + * to be held in write mode. +- * NOTE: no locks must be held, the rw_mutex is taken inside this function. ++ * NOTE: no locks must be held, the rwsem is taken inside this function. 
+ */ + static int semctl_down(struct ipc_namespace *ns, int semid, + int cmd, int version, void __user *p) +@@ -1484,7 +1503,7 @@ static int semctl_down(struct ipc_namespace *ns, int semid, + return -EFAULT; + } + +- down_write(&sem_ids(ns).rw_mutex); ++ down_write(&sem_ids(ns).rwsem); + rcu_read_lock(); + + ipcp = ipcctl_pre_down_nolock(ns, &sem_ids(ns), semid, cmd, +@@ -1523,7 +1542,7 @@ out_unlock0: + out_unlock1: + rcu_read_unlock(); + out_up: +- up_write(&sem_ids(ns).rw_mutex); ++ up_write(&sem_ids(ns).rwsem); + return err; + } + +@@ -1831,12 +1850,17 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, + + error = perform_atomic_semop(sma, sops, nsops, un, + task_tgid_vnr(current)); +- if (error <= 0) { +- if (alter && error == 0) ++ if (error == 0) { ++ /* If the operation was successful, then do ++ * the required updates. ++ */ ++ if (alter) + do_smart_update(sma, sops, nsops, 1, &tasks); +- +- goto out_unlock_free; ++ else ++ set_semotime(sma, sops); + } ++ if (error <= 0) ++ goto out_unlock_free; + + /* We need to sleep on this operation, so we put the current + * task into the pending queue and go to sleep. +@@ -2095,6 +2119,14 @@ static int sysvipc_sem_proc_show(struct seq_file *s, void *it) + struct sem_array *sma = it; + time_t sem_otime; + ++ /* ++ * The proc interface isn't aware of sem_lock(), it calls ++ * ipc_lock_object() directly (in sysvipc_find_ipc). ++ * In order to stay compatible with sem_lock(), we must wait until ++ * all simple semop() calls have left their critical regions. ++ */ ++ sem_wait_array(sma); ++ + sem_otime = get_semotime(sma); + + return seq_printf(s, +diff --git a/ipc/shm.c b/ipc/shm.c +index 2d6833d..d697396 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -19,6 +19,9 @@ + * namespaces support + * OpenVZ, SWsoft Inc. + * Pavel Emelianov <xemul@openvz.org> ++ * ++ * Better ipc lock (kern_ipc_perm.lock) handling ++ * Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013. 
+ */ + + #include <linux/slab.h> +@@ -80,8 +83,8 @@ void shm_init_ns(struct ipc_namespace *ns) + } + + /* +- * Called with shm_ids.rw_mutex (writer) and the shp structure locked. +- * Only shm_ids.rw_mutex remains locked on exit. ++ * Called with shm_ids.rwsem (writer) and the shp structure locked. ++ * Only shm_ids.rwsem remains locked on exit. + */ + static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) + { +@@ -124,8 +127,28 @@ void __init shm_init (void) + IPC_SHM_IDS, sysvipc_shm_proc_show); + } + ++static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id) ++{ ++ struct kern_ipc_perm *ipcp = ipc_obtain_object(&shm_ids(ns), id); ++ ++ if (IS_ERR(ipcp)) ++ return ERR_CAST(ipcp); ++ ++ return container_of(ipcp, struct shmid_kernel, shm_perm); ++} ++ ++static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id) ++{ ++ struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id); ++ ++ if (IS_ERR(ipcp)) ++ return ERR_CAST(ipcp); ++ ++ return container_of(ipcp, struct shmid_kernel, shm_perm); ++} ++ + /* +- * shm_lock_(check_) routines are called in the paths where the rw_mutex ++ * shm_lock_(check_) routines are called in the paths where the rwsem + * is not necessarily held. 
+ */ + static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id) +@@ -144,17 +167,6 @@ static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp) + ipc_lock_object(&ipcp->shm_perm); + } + +-static inline struct shmid_kernel *shm_lock_check(struct ipc_namespace *ns, +- int id) +-{ +- struct kern_ipc_perm *ipcp = ipc_lock_check(&shm_ids(ns), id); +- +- if (IS_ERR(ipcp)) +- return (struct shmid_kernel *)ipcp; +- +- return container_of(ipcp, struct shmid_kernel, shm_perm); +-} +- + static void shm_rcu_free(struct rcu_head *head) + { + struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu); +@@ -191,7 +203,7 @@ static void shm_open(struct vm_area_struct *vma) + * @ns: namespace + * @shp: struct to free + * +- * It has to be called with shp and shm_ids.rw_mutex (writer) locked, ++ * It has to be called with shp and shm_ids.rwsem (writer) locked, + * but returns with shp unlocked and freed. + */ + static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) +@@ -238,7 +250,7 @@ static void shm_close(struct vm_area_struct *vma) + struct shmid_kernel *shp; + struct ipc_namespace *ns = sfd->ns; + +- down_write(&shm_ids(ns).rw_mutex); ++ down_write(&shm_ids(ns).rwsem); + /* remove from the list of attaches of the shm segment */ + shp = shm_lock(ns, sfd->id); + BUG_ON(IS_ERR(shp)); +@@ -249,10 +261,10 @@ static void shm_close(struct vm_area_struct *vma) + shm_destroy(ns, shp); + else + shm_unlock(shp); +- up_write(&shm_ids(ns).rw_mutex); ++ up_write(&shm_ids(ns).rwsem); + } + +-/* Called with ns->shm_ids(ns).rw_mutex locked */ ++/* Called with ns->shm_ids(ns).rwsem locked */ + static int shm_try_destroy_current(int id, void *p, void *data) + { + struct ipc_namespace *ns = data; +@@ -283,7 +295,7 @@ static int shm_try_destroy_current(int id, void *p, void *data) + return 0; + } + +-/* Called with ns->shm_ids(ns).rw_mutex locked */ ++/* Called with ns->shm_ids(ns).rwsem locked */ + static int shm_try_destroy_orphaned(int id, void *p, 
void *data) + { + struct ipc_namespace *ns = data; +@@ -294,7 +306,7 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) + * We want to destroy segments without users and with already + * exit'ed originating process. + * +- * As shp->* are changed under rw_mutex, it's safe to skip shp locking. ++ * As shp->* are changed under rwsem, it's safe to skip shp locking. + */ + if (shp->shm_creator != NULL) + return 0; +@@ -308,10 +320,10 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) + + void shm_destroy_orphaned(struct ipc_namespace *ns) + { +- down_write(&shm_ids(ns).rw_mutex); ++ down_write(&shm_ids(ns).rwsem); + if (shm_ids(ns).in_use) + idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); +- up_write(&shm_ids(ns).rw_mutex); ++ up_write(&shm_ids(ns).rwsem); + } + + +@@ -323,10 +335,10 @@ void exit_shm(struct task_struct *task) + return; + + /* Destroy all already created segments, but not mapped yet */ +- down_write(&shm_ids(ns).rw_mutex); ++ down_write(&shm_ids(ns).rwsem); + if (shm_ids(ns).in_use) + idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_current, ns); +- up_write(&shm_ids(ns).rw_mutex); ++ up_write(&shm_ids(ns).rwsem); + } + + static int shm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -460,7 +472,7 @@ static const struct vm_operations_struct shm_vm_ops = { + * @ns: namespace + * @params: ptr to the structure that contains key, size and shmflg + * +- * Called with shm_ids.rw_mutex held as a writer. ++ * Called with shm_ids.rwsem held as a writer. + */ + + static int newseg(struct ipc_namespace *ns, struct ipc_params *params) +@@ -567,7 +579,7 @@ no_file: + } + + /* +- * Called with shm_ids.rw_mutex and ipcp locked. ++ * Called with shm_ids.rwsem and ipcp locked. 
+ */ + static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg) + { +@@ -578,7 +590,7 @@ static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg) + } + + /* +- * Called with shm_ids.rw_mutex and ipcp locked. ++ * Called with shm_ids.rwsem and ipcp locked. + */ + static inline int shm_more_checks(struct kern_ipc_perm *ipcp, + struct ipc_params *params) +@@ -691,7 +703,7 @@ static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminf + + /* + * Calculate and add used RSS and swap pages of a shm. +- * Called with shm_ids.rw_mutex held as a reader ++ * Called with shm_ids.rwsem held as a reader + */ + static void shm_add_rss_swap(struct shmid_kernel *shp, + unsigned long *rss_add, unsigned long *swp_add) +@@ -718,7 +730,7 @@ static void shm_add_rss_swap(struct shmid_kernel *shp, + } + + /* +- * Called with shm_ids.rw_mutex held as a reader ++ * Called with shm_ids.rwsem held as a reader + */ + static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss, + unsigned long *swp) +@@ -747,9 +759,9 @@ static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss, + } + + /* +- * This function handles some shmctl commands which require the rw_mutex ++ * This function handles some shmctl commands which require the rwsem + * to be held in write mode. +- * NOTE: no locks must be held, the rw_mutex is taken inside this function. ++ * NOTE: no locks must be held, the rwsem is taken inside this function. 
+ */ + static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, + struct shmid_ds __user *buf, int version) +@@ -764,14 +776,13 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, + return -EFAULT; + } + +- down_write(&shm_ids(ns).rw_mutex); ++ down_write(&shm_ids(ns).rwsem); + rcu_read_lock(); + +- ipcp = ipcctl_pre_down(ns, &shm_ids(ns), shmid, cmd, +- &shmid64.shm_perm, 0); ++ ipcp = ipcctl_pre_down_nolock(ns, &shm_ids(ns), shmid, cmd, ++ &shmid64.shm_perm, 0); + if (IS_ERR(ipcp)) { + err = PTR_ERR(ipcp); +- /* the ipc lock is not held upon failure */ + goto out_unlock1; + } + +@@ -779,14 +790,16 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, + + err = security_shm_shmctl(shp, cmd); + if (err) +- goto out_unlock0; ++ goto out_unlock1; + + switch (cmd) { + case IPC_RMID: ++ ipc_lock_object(&shp->shm_perm); + /* do_shm_rmid unlocks the ipc object and rcu */ + do_shm_rmid(ns, ipcp); + goto out_up; + case IPC_SET: ++ ipc_lock_object(&shp->shm_perm); + err = ipc_update_perm(&shmid64.shm_perm, ipcp); + if (err) + goto out_unlock0; +@@ -794,6 +807,7 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, + break; + default: + err = -EINVAL; ++ goto out_unlock1; + } + + out_unlock0: +@@ -801,33 +815,28 @@ out_unlock0: + out_unlock1: + rcu_read_unlock(); + out_up: +- up_write(&shm_ids(ns).rw_mutex); ++ up_write(&shm_ids(ns).rwsem); + return err; + } + +-SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) ++static int shmctl_nolock(struct ipc_namespace *ns, int shmid, ++ int cmd, int version, void __user *buf) + { ++ int err; + struct shmid_kernel *shp; +- int err, version; +- struct ipc_namespace *ns; + +- if (cmd < 0 || shmid < 0) { +- err = -EINVAL; +- goto out; ++ /* preliminary security checks for *_INFO */ ++ if (cmd == IPC_INFO || cmd == SHM_INFO) { ++ err = security_shm_shmctl(NULL, cmd); ++ if (err) ++ return err; + } + +- version = ipc_parse_version(&cmd); +- ns = 
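Review bot: In the `@@ -779,14 +790,16 @@` hunk shmctl_down() now runs the ipcctl_pre_down_nolock() permission check and the security_shm_shmctl() hook with only RCU held and takes shm_perm.lock afterwards, so there is a window between the check and the lock; it is closed only because the function holds shm_ids.rwsem for writing, which excludes the IPC_SET and IPC_RMID paths that could change uid or mode or remove the object in the meantime. That reasoning is not written anywhere in the hunk and is easy to break by a future caller that does the same checks without the rwsem. I would add above the `switch (cmd)`: `/* Checks above ran without shm_perm.lock; safe only because we hold shm_ids.rwsem as writer, which serialises IPC_SET/IPC_RMID. */`.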
current->nsproxy->ipc_ns; +- +- switch (cmd) { /* replace with proc interface ? */ ++ switch (cmd) { + case IPC_INFO: + { + struct shminfo64 shminfo; + +- err = security_shm_shmctl(NULL, cmd); +- if (err) +- return err; +- + memset(&shminfo, 0, sizeof(shminfo)); + shminfo.shmmni = shminfo.shmseg = ns->shm_ctlmni; + shminfo.shmmax = ns->shm_ctlmax; +@@ -837,9 +846,9 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) + if(copy_shminfo_to_user (buf, &shminfo, version)) + return -EFAULT; + +- down_read(&shm_ids(ns).rw_mutex); ++ down_read(&shm_ids(ns).rwsem); + err = ipc_get_maxid(&shm_ids(ns)); +- up_read(&shm_ids(ns).rw_mutex); ++ up_read(&shm_ids(ns).rwsem); + + if(err<0) + err = 0; +@@ -849,19 +858,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) + { + struct shm_info shm_info; + +- err = security_shm_shmctl(NULL, cmd); +- if (err) +- return err; +- + memset(&shm_info, 0, sizeof(shm_info)); +- down_read(&shm_ids(ns).rw_mutex); ++ down_read(&shm_ids(ns).rwsem); + shm_info.used_ids = shm_ids(ns).in_use; + shm_get_stat (ns, &shm_info.shm_rss, &shm_info.shm_swp); + shm_info.shm_tot = ns->shm_tot; + shm_info.swap_attempts = 0; + shm_info.swap_successes = 0; + err = ipc_get_maxid(&shm_ids(ns)); +- up_read(&shm_ids(ns).rw_mutex); ++ up_read(&shm_ids(ns).rwsem); + if (copy_to_user(buf, &shm_info, sizeof(shm_info))) { + err = -EFAULT; + goto out; +@@ -876,27 +881,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) + struct shmid64_ds tbuf; + int result; + ++ rcu_read_lock(); + if (cmd == SHM_STAT) { +- shp = shm_lock(ns, shmid); ++ shp = shm_obtain_object(ns, shmid); + if (IS_ERR(shp)) { + err = PTR_ERR(shp); +- goto out; ++ goto out_unlock; + } + result = shp->shm_perm.id; + } else { +- shp = shm_lock_check(ns, shmid); ++ shp = shm_obtain_object_check(ns, shmid); + if (IS_ERR(shp)) { + err = PTR_ERR(shp); +- goto out; ++ goto out_unlock; + } + result = 0; + } ++ + err = -EACCES; + 
if (ipcperms(ns, &shp->shm_perm, S_IRUGO)) + goto out_unlock; ++ + err = security_shm_shmctl(shp, cmd); + if (err) + goto out_unlock; ++ + memset(&tbuf, 0, sizeof(tbuf)); + kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm); + tbuf.shm_segsz = shp->shm_segsz; +@@ -906,43 +915,76 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) + tbuf.shm_cpid = shp->shm_cprid; + tbuf.shm_lpid = shp->shm_lprid; + tbuf.shm_nattch = shp->shm_nattch; +- shm_unlock(shp); +- if(copy_shmid_to_user (buf, &tbuf, version)) ++ rcu_read_unlock(); ++ ++ if (copy_shmid_to_user(buf, &tbuf, version)) + err = -EFAULT; + else + err = result; + goto out; + } ++ default: ++ return -EINVAL; ++ } ++ ++out_unlock: ++ rcu_read_unlock(); ++out: ++ return err; ++} ++ ++SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) ++{ ++ struct shmid_kernel *shp; ++ int err, version; ++ struct ipc_namespace *ns; ++ ++ if (cmd < 0 || shmid < 0) ++ return -EINVAL; ++ ++ version = ipc_parse_version(&cmd); ++ ns = current->nsproxy->ipc_ns; ++ ++ switch (cmd) { ++ case IPC_INFO: ++ case SHM_INFO: ++ case SHM_STAT: ++ case IPC_STAT: ++ return shmctl_nolock(ns, shmid, cmd, version, buf); ++ case IPC_RMID: ++ case IPC_SET: ++ return shmctl_down(ns, shmid, cmd, buf, version); + case SHM_LOCK: + case SHM_UNLOCK: + { + struct file *shm_file; + +- shp = shm_lock_check(ns, shmid); ++ rcu_read_lock(); ++ shp = shm_obtain_object_check(ns, shmid); + if (IS_ERR(shp)) { + err = PTR_ERR(shp); +- goto out; ++ goto out_unlock1; + } + + audit_ipc_obj(&(shp->shm_perm)); ++ err = security_shm_shmctl(shp, cmd); ++ if (err) ++ goto out_unlock1; + ++ ipc_lock_object(&shp->shm_perm); + if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) { + kuid_t euid = current_euid(); + err = -EPERM; + if (!uid_eq(euid, shp->shm_perm.uid) && + !uid_eq(euid, shp->shm_perm.cuid)) +- goto out_unlock; ++ goto out_unlock0; + if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) +- goto out_unlock; ++ goto out_unlock0; + } 
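Review bot: In the `@@ -876,27 +881,31 @@` hunk the IPC_STAT/SHM_STAT path now copies shm_segsz, the timestamps, shm_cpid/shm_lpid and shm_nattch out of `shp` under rcu_read_lock() alone, without shm_perm.lock, so those fields can be observed while do_shmat() or shm_close() update them under the lock, and shm_nattch in particular may be momentarily off by one. That is presumably an accepted trade-off for a stat call, but nothing in the hunk signals that the missing lock is intentional. I would add before the memset: `/* Lockless snapshot: fields may be racy vs. attach/detach, acceptable for *_STAT. */`. The ipcperms() and security hook also run without the object lock here, and unlike shmctl_down() there is no rwsem protecting them, so a concurrent IPC_SET can change the mode between the check and the copy; for a read-only stat this is benign but worth a word.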
+ +- err = security_shm_shmctl(shp, cmd); +- if (err) +- goto out_unlock; +- + shm_file = shp->shm_file; + if (is_file_hugepages(shm_file)) +- goto out_unlock; ++ goto out_unlock0; + + if (cmd == SHM_LOCK) { + struct user_struct *user = current_user(); +@@ -951,32 +993,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) + shp->shm_perm.mode |= SHM_LOCKED; + shp->mlock_user = user; + } +- goto out_unlock; ++ goto out_unlock0; + } + + /* SHM_UNLOCK */ + if (!(shp->shm_perm.mode & SHM_LOCKED)) +- goto out_unlock; ++ goto out_unlock0; + shmem_lock(shm_file, 0, shp->mlock_user); + shp->shm_perm.mode &= ~SHM_LOCKED; + shp->mlock_user = NULL; + get_file(shm_file); +- shm_unlock(shp); ++ ipc_unlock_object(&shp->shm_perm); ++ rcu_read_unlock(); + shmem_unlock_mapping(shm_file->f_mapping); ++ + fput(shm_file); +- goto out; +- } +- case IPC_RMID: +- case IPC_SET: +- err = shmctl_down(ns, shmid, cmd, buf, version); + return err; ++ } + default: + return -EINVAL; + } + +-out_unlock: +- shm_unlock(shp); +-out: ++out_unlock0: ++ ipc_unlock_object(&shp->shm_perm); ++out_unlock1: ++ rcu_read_unlock(); + return err; + } + +@@ -1044,10 +1085,11 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, + * additional creator id... 
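Review bot: In the SHM_LOCK/SHM_UNLOCK branch of the `@@ -906,43 +915,76 @@` hunk, shm_obtain_object_check() finds the segment under RCU and ipc_lock_object() is taken only after the audit, security and capability checks, but nothing re-validates the object once the lock is held; an IPC_RMID that ran under the lock during that window has already removed the segment, and the code goes on to call shmem_lock() on `shp->shm_file` of a segment being torn down. The old shm_lock_check() did the lookup and the lock atomically, so this window is new with this change. I would add right after `ipc_lock_object(&shp->shm_perm);`: `if (shp->shm_perm.deleted) { err = -EIDRM; goto out_unlock0; }`, assuming `deleted` is the flag ipc_rmid() sets, which is not visible in this hunk. The branch continues into the next hunk.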
+ */ + ns = current->nsproxy->ipc_ns; +- shp = shm_lock_check(ns, shmid); ++ rcu_read_lock(); ++ shp = shm_obtain_object_check(ns, shmid); + if (IS_ERR(shp)) { + err = PTR_ERR(shp); +- goto out; ++ goto out_unlock; + } + + err = -EACCES; +@@ -1058,24 +1100,31 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, + if (err) + goto out_unlock; + ++ ipc_lock_object(&shp->shm_perm); + path = shp->shm_file->f_path; + path_get(&path); + shp->shm_nattch++; + size = i_size_read(path.dentry->d_inode); +- shm_unlock(shp); ++ ipc_unlock_object(&shp->shm_perm); ++ rcu_read_unlock(); + + err = -ENOMEM; + sfd = kzalloc(sizeof(*sfd), GFP_KERNEL); +- if (!sfd) +- goto out_put_dentry; ++ if (!sfd) { ++ path_put(&path); ++ goto out_nattch; ++ } + + file = alloc_file(&path, f_mode, + is_file_hugepages(shp->shm_file) ? + &shm_file_operations_huge : + &shm_file_operations); + err = PTR_ERR(file); +- if (IS_ERR(file)) +- goto out_free; ++ if (IS_ERR(file)) { ++ kfree(sfd); ++ path_put(&path); ++ goto out_nattch; ++ } + + file->private_data = sfd; + file->f_mapping = shp->shm_file->f_mapping; +@@ -1101,7 +1150,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, + addr > current->mm->start_stack - size - PAGE_SIZE * 5) + goto invalid; + } +- ++ + addr = do_mmap_pgoff(file, addr, size, prot, flags, 0, &populate); + *raddr = addr; + err = 0; +@@ -1116,7 +1165,7 @@ out_fput: + fput(file); + + out_nattch: +- down_write(&shm_ids(ns).rw_mutex); ++ down_write(&shm_ids(ns).rwsem); + shp = shm_lock(ns, shmid); + BUG_ON(IS_ERR(shp)); + shp->shm_nattch--; +@@ -1124,20 +1173,13 @@ out_nattch: + shm_destroy(ns, shp); + else + shm_unlock(shp); +- up_write(&shm_ids(ns).rw_mutex); +- +-out: ++ up_write(&shm_ids(ns).rwsem); + return err; + + out_unlock: +- shm_unlock(shp); +- goto out; +- +-out_free: +- kfree(sfd); +-out_put_dentry: +- path_put(&path); +- goto out_nattch; ++ rcu_read_unlock(); ++out: ++ return err; + } + + SYSCALL_DEFINE3(shmat, int, shmid, 
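Review bot: In the do_shmat() hunk `@@ -1058,24 +1100,31 @@` the segment is located lockless via shm_obtain_object_check(), the permission and security checks run under RCU, and only then is ipc_lock_object() taken before `path = shp->shm_file->f_path; path_get(&path); shp->shm_nattch++;`, with no check that the segment survived the window. If shm_destroy() (not shown here) ran in between and released its reference to shm_file as part of teardown, this dereferences a struct file the segment no longer owns; the RCU grace period keeps `shp` itself readable but does not protect the file it points to. I would guard the access: `ipc_lock_object(&shp->shm_perm); if (shp->shm_perm.deleted) { ipc_unlock_object(&shp->shm_perm); err = -EIDRM; goto out_unlock; }`, assuming `deleted` is the flag ipc_rmid() sets. The out_nattch accounting later in the hunk is unaffected because it re-looks the segment up under shm_lock() with the rwsem held.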
char __user *, shmaddr, int, shmflg) +@@ -1242,8 +1284,7 @@ SYSCALL_DEFINE1(shmdt, char __user *, shmaddr) + #else /* CONFIG_MMU */ + /* under NOMMU conditions, the exact address to be destroyed must be + * given */ +- retval = -EINVAL; +- if (vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) { ++ if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) { + do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start); + retval = 0; + } +diff --git a/ipc/util.c b/ipc/util.c +index 0c6566b..fdb8ae7 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -15,6 +15,14 @@ + * Jun 2006 - namespaces ssupport + * OpenVZ, SWsoft Inc. + * Pavel Emelianov <xemul@openvz.org> ++ * ++ * General sysv ipc locking scheme: ++ * when doing ipc id lookups, take the ids->rwsem ++ * rcu_read_lock() ++ * obtain the ipc object (kern_ipc_perm) ++ * perform security, capabilities, auditing and permission checks, etc. ++ * acquire the ipc lock (kern_ipc_perm.lock) throught ipc_lock_object() ++ * perform data updates (ie: SET, RMID, LOCK/UNLOCK commands) + */ + + #include <linux/mm.h> +@@ -119,7 +127,7 @@ __initcall(ipc_init); + + void ipc_init_ids(struct ipc_ids *ids) + { +- init_rwsem(&ids->rw_mutex); ++ init_rwsem(&ids->rwsem); + + ids->in_use = 0; + ids->seq = 0; +@@ -174,7 +182,7 @@ void __init ipc_init_proc_interface(const char *path, const char *header, + * @ids: Identifier set + * @key: The key to find + * +- * Requires ipc_ids.rw_mutex locked. ++ * Requires ipc_ids.rwsem locked. + * Returns the LOCKED pointer to the ipc structure if found or NULL + * if not. 
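Review bot: The NOMMU branch of shmdt() in the `@@ -1242,8 +1284,7 @@` hunk drops the `retval = -EINVAL;` assignment while adding the `vma &&` guard, so the -EINVAL result for a non-matching or missing vma now depends on retval having been initialised to -EINVAL earlier in the function, which is outside this hunk. If that initialisation is in place the change is fine; if not, a NULL vma returns whatever retval held before. A one-line comment on the new condition, `/* retval is -EINVAL unless a matching vma is found */`, would make the dependency explicit. The enclosing shmdt() starts before this hunk.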
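Review bot: The locking-scheme comment added to ipc/util.c in the `@@ -15,6 +15,14 @@` hunk has two typos, `throught` for `through` and `ie:` for `i.e.`, and its first step, `when doing ipc id lookups, take the ids->rwsem`, does not describe the lockless paths introduced by the same series: shmctl_nolock() and do_shmat() in this patch look the object up under rcu_read_lock() alone and never take the rwsem. I would reword that step to `take ids->rwsem only for operations that add or remove ids (get/RMID) or change permissions (SET); plain lookups use rcu_read_lock()` so the comment states the rule the code actually follows.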
+ * If key is found ipc points to the owning ipc structure +@@ -197,7 +205,8 @@ static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key) + continue; + } + +- ipc_lock_by_ptr(ipc); ++ rcu_read_lock(); ++ ipc_lock_object(ipc); + return ipc; + } + +@@ -208,7 +217,7 @@ static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key) + * ipc_get_maxid - get the last assigned id + * @ids: IPC identifier set + * +- * Called with ipc_ids.rw_mutex held. ++ * Called with ipc_ids.rwsem held. + */ + + int ipc_get_maxid(struct ipc_ids *ids) +@@ -246,7 +255,7 @@ int ipc_get_maxid(struct ipc_ids *ids) + * is returned. The 'new' entry is returned in a locked state on success. + * On failure the entry is not locked and a negative err-code is returned. + * +- * Called with writer ipc_ids.rw_mutex held. ++ * Called with writer ipc_ids.rwsem held. + */ + int ipc_addid(struct ipc_ids* ids, struct kern_ipc_perm* new, int size) + { +@@ -312,9 +321,9 @@ static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids, + { + int err; + +- down_write(&ids->rw_mutex); ++ down_write(&ids->rwsem); + err = ops->getnew(ns, params); +- up_write(&ids->rw_mutex); ++ up_write(&ids->rwsem); + return err; + } + +@@ -331,7 +340,7 @@ static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids, + * + * On success, the IPC id is returned. + * +- * It is called with ipc_ids.rw_mutex and ipcp->lock held. ++ * It is called with ipc_ids.rwsem and ipcp->lock held. 
+ */ + static int ipc_check_perms(struct ipc_namespace *ns, + struct kern_ipc_perm *ipcp, +@@ -376,7 +385,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids, + * Take the lock as a writer since we are potentially going to add + * a new entry + read locks are not "upgradable" + */ +- down_write(&ids->rw_mutex); ++ down_write(&ids->rwsem); + ipcp = ipc_findkey(ids, params->key); + if (ipcp == NULL) { + /* key not used */ +@@ -402,7 +411,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids, + } + ipc_unlock(ipcp); + } +- up_write(&ids->rw_mutex); ++ up_write(&ids->rwsem); + + return err; + } +@@ -413,7 +422,7 @@ static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids, + * @ids: IPC identifier set + * @ipcp: ipc perm structure containing the identifier to remove + * +- * ipc_ids.rw_mutex (as a writer) and the spinlock for this ID are held ++ * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held + * before this function is called, and remain locked on the exit. 
+ */ + +@@ -613,7 +622,7 @@ struct kern_ipc_perm *ipc_obtain_object(struct ipc_ids *ids, int id) + } + + /** +- * ipc_lock - Lock an ipc structure without rw_mutex held ++ * ipc_lock - Lock an ipc structure without rwsem held + * @ids: IPC identifier set + * @id: ipc id to look for + * +@@ -669,22 +678,6 @@ out: + return out; + } + +-struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id) +-{ +- struct kern_ipc_perm *out; +- +- out = ipc_lock(ids, id); +- if (IS_ERR(out)) +- return out; +- +- if (ipc_checkid(out, id)) { +- ipc_unlock(out); +- return ERR_PTR(-EIDRM); +- } +- +- return out; +-} +- + /** + * ipcget - Common sys_*get() code + * @ns : namsepace +@@ -725,7 +718,7 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out) + } + + /** +- * ipcctl_pre_down - retrieve an ipc and check permissions for some IPC_XXX cmd ++ * ipcctl_pre_down_nolock - retrieve an ipc and check permissions for some IPC_XXX cmd + * @ns: the ipc namespace + * @ids: the table of ids where to look for the ipc + * @id: the id of the ipc to retrieve +@@ -738,29 +731,13 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out) + * It must be called without any lock held and + * - retrieves the ipc with the given id in the given table. + * - performs some audit and permission check, depending on the given cmd +- * - returns the ipc with the ipc lock held in case of success +- * or an err-code without any lock held otherwise. ++ * - returns a pointer to the ipc object or otherwise, the corresponding error. + * +- * Call holding the both the rw_mutex and the rcu read lock. ++ * Call holding the both the rwsem and the rcu read lock. 
+ */ +-struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns, +- struct ipc_ids *ids, int id, int cmd, +- struct ipc64_perm *perm, int extra_perm) +-{ +- struct kern_ipc_perm *ipcp; +- +- ipcp = ipcctl_pre_down_nolock(ns, ids, id, cmd, perm, extra_perm); +- if (IS_ERR(ipcp)) +- goto out; +- +- spin_lock(&ipcp->lock); +-out: +- return ipcp; +-} +- + struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns, +- struct ipc_ids *ids, int id, int cmd, +- struct ipc64_perm *perm, int extra_perm) ++ struct ipc_ids *ids, int id, int cmd, ++ struct ipc64_perm *perm, int extra_perm) + { + kuid_t euid; + int err = -EPERM; +@@ -838,7 +815,8 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, + ipc = idr_find(&ids->ipcs_idr, pos); + if (ipc != NULL) { + *new_pos = pos + 1; +- ipc_lock_by_ptr(ipc); ++ rcu_read_lock(); ++ ipc_lock_object(ipc); + return ipc; + } + } +@@ -876,7 +854,7 @@ static void *sysvipc_proc_start(struct seq_file *s, loff_t *pos) + * Take the lock - this will be released by the corresponding + * call to stop(). 
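Review bot: The kernel-doc kept for ipcctl_pre_down_nolock() in the `@@ -738,29 +731,13 @@` hunk contradicts itself: it still says `It must be called without any lock held` while the line below says `Call holding the both the rwsem and the rcu read lock.`, and the callers in this patch (msgctl_down, semctl_down, shmctl_down) do call it with both held. The first sentence should go, and since the function no longer returns the object locked, the doc should also say that the caller must take ipc_lock_object() itself before modifying the object. I would replace the two lines with `Call holding the rwsem (as writer) and the rcu read lock; the returned object is not locked.`.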
+ */ +- down_read(&ids->rw_mutex); ++ down_read(&ids->rwsem); + + /* pos < 0 is invalid */ + if (*pos < 0) +@@ -903,7 +881,7 @@ static void sysvipc_proc_stop(struct seq_file *s, void *it) + + ids = &iter->ns->ids[iface->ids]; + /* Release the lock we took in start() */ +- up_read(&ids->rw_mutex); ++ up_read(&ids->rwsem); + } + + static int sysvipc_proc_show(struct seq_file *s, void *it) +diff --git a/ipc/util.h b/ipc/util.h +index 25299e7..f2f5036 100644 +--- a/ipc/util.h ++++ b/ipc/util.h +@@ -101,10 +101,10 @@ void __init ipc_init_proc_interface(const char *path, const char *header, + #define ipcid_to_idx(id) ((id) % SEQ_MULTIPLIER) + #define ipcid_to_seqx(id) ((id) / SEQ_MULTIPLIER) + +-/* must be called with ids->rw_mutex acquired for writing */ ++/* must be called with ids->rwsem acquired for writing */ + int ipc_addid(struct ipc_ids *, struct kern_ipc_perm *, int); + +-/* must be called with ids->rw_mutex acquired for reading */ ++/* must be called with ids->rwsem acquired for reading */ + int ipc_get_maxid(struct ipc_ids *); + + /* must be called with both locks acquired. */ +@@ -139,9 +139,6 @@ int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out); + struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns, + struct ipc_ids *ids, int id, int cmd, + struct ipc64_perm *perm, int extra_perm); +-struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns, +- struct ipc_ids *ids, int id, int cmd, +- struct ipc64_perm *perm, int extra_perm); + + #ifndef CONFIG_ARCH_WANT_IPC_PARSE_VERSION + /* On IA-64, we always use the "64-bit version" of the IPC structures. 
*/ +@@ -182,19 +179,12 @@ static inline void ipc_assert_locked_object(struct kern_ipc_perm *perm) + assert_spin_locked(&perm->lock); + } + +-static inline void ipc_lock_by_ptr(struct kern_ipc_perm *perm) +-{ +- rcu_read_lock(); +- ipc_lock_object(perm); +-} +- + static inline void ipc_unlock(struct kern_ipc_perm *perm) + { + ipc_unlock_object(perm); + rcu_read_unlock(); + } + +-struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id); + struct kern_ipc_perm *ipc_obtain_object_check(struct ipc_ids *ids, int id); + int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids, + struct ipc_ops *ops, struct ipc_params *params); +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 45850f6..4865756 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -930,6 +930,14 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, + } + + /* ++ * always configure channel mapping, it may have been changed by the ++ * user in the meantime ++ */ ++ hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca, ++ channels, per_pin->chmap, ++ per_pin->chmap_set); ++ ++ /* + * sizeof(ai) is used instead of sizeof(*hdmi_ai) or + * sizeof(*dp_ai) to avoid partial match/update problems when + * the user switches between HDMI/DP monitors. 
+@@ -940,20 +948,10 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, + "pin=%d channels=%d\n", + pin_nid, + channels); +- hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca, +- channels, per_pin->chmap, +- per_pin->chmap_set); + hdmi_stop_infoframe_trans(codec, pin_nid); + hdmi_fill_audio_infoframe(codec, pin_nid, + ai.bytes, sizeof(ai)); + hdmi_start_infoframe_trans(codec, pin_nid); +- } else { +- /* For non-pcm audio switch, setup new channel mapping +- * accordingly */ +- if (per_pin->non_pcm != non_pcm) +- hdmi_setup_channel_mapping(codec, pin_nid, non_pcm, ca, +- channels, per_pin->chmap, +- per_pin->chmap_set); + } + + per_pin->non_pcm = non_pcm; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 389db4c..1383f38 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3308,6 +3308,15 @@ static void alc269_fixup_limit_int_mic_boost(struct hda_codec *codec, + } + } + ++static void alc290_fixup_mono_speakers(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ /* Remove DAC node 0x03, as it seems to be ++ giving mono output */ ++ snd_hda_override_wcaps(codec, 0x03, 0); ++} ++ + enum { + ALC269_FIXUP_SONY_VAIO, + ALC275_FIXUP_SONY_VAIO_GPIO2, +@@ -3331,9 +3340,12 @@ enum { + ALC269_FIXUP_HP_GPIO_LED, + ALC269_FIXUP_INV_DMIC, + ALC269_FIXUP_LENOVO_DOCK, ++ ALC286_FIXUP_SONY_MIC_NO_PRESENCE, + ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT, + ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, ++ ALC269_FIXUP_DELL3_MIC_NO_PRESENCE, ++ ALC290_FIXUP_MONO_SPEAKERS, + ALC269_FIXUP_HEADSET_MODE, + ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, + ALC269_FIXUP_ASUS_X101_FUNC, +@@ -3521,6 +3533,15 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC + }, ++ [ALC269_FIXUP_DELL3_MIC_NO_PRESENCE] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct 
hda_pintbl[]) { ++ { 0x1a, 0x01a1913c }, /* use as headset mic, without its own jack detect */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC ++ }, + [ALC269_FIXUP_HEADSET_MODE] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_headset_mode, +@@ -3529,6 +3550,13 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_headset_mode_no_hp_mic, + }, ++ [ALC286_FIXUP_SONY_MIC_NO_PRESENCE] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */ ++ { } ++ }, ++ }, + [ALC269_FIXUP_ASUS_X101_FUNC] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_x101_headset_mic, +@@ -3595,6 +3623,12 @@ static const struct hda_fixup alc269_fixups[] = { + { } + }, + }, ++ [ALC290_FIXUP_MONO_SPEAKERS] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc290_fixup_mono_speakers, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_DELL3_MIC_NO_PRESENCE, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -3631,6 +3665,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x0608, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x0609, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x0613, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_MONO_SPEAKERS), + SND_PCI_QUIRK(0x1028, 0x15cc, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x15cd, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +@@ -3651,6 +3686,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x8516, "ASUS 
X101CH", ALC269_FIXUP_ASUS_X101), ++ SND_PCI_QUIRK(0x104d, 0x90b6, "Sony VAIO Pro 13", ALC286_FIXUP_SONY_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x104d, 0x9073, "Sony VAIO", ALC275_FIXUP_SONY_VAIO_GPIO2), + SND_PCI_QUIRK(0x104d, 0x907b, "Sony VAIO", ALC275_FIXUP_SONY_HWEQ), + SND_PCI_QUIRK(0x104d, 0x9084, "Sony VAIO", ALC275_FIXUP_SONY_HWEQ), +@@ -4345,6 +4381,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), ++ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4), + SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT), + SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2), + SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD), +diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c +index 63fb521..6234a51 100644 +--- a/sound/usb/usx2y/usbusx2yaudio.c ++++ b/sound/usb/usx2y/usbusx2yaudio.c +@@ -299,19 +299,6 @@ static void usX2Y_error_urb_status(struct usX2Ydev *usX2Y, + usX2Y_clients_stop(usX2Y); + } + +-static void usX2Y_error_sequence(struct usX2Ydev *usX2Y, +- struct snd_usX2Y_substream *subs, struct urb *urb) +-{ +- snd_printk(KERN_ERR +-"Sequence Error!(hcd_frame=%i ep=%i%s;wait=%i,frame=%i).\n" +-"Most probably some urb of usb-frame %i is still missing.\n" +-"Cause could be too long delays in usb-hcd interrupt handling.\n", +- usb_get_current_frame_number(usX2Y->dev), +- subs->endpoint, usb_pipein(urb->pipe) ? 
"in" : "out", +- usX2Y->wait_iso_frame, urb->start_frame, usX2Y->wait_iso_frame); +- usX2Y_clients_stop(usX2Y); +-} +- + static void i_usX2Y_urb_complete(struct urb *urb) + { + struct snd_usX2Y_substream *subs = urb->context; +@@ -328,12 +315,9 @@ static void i_usX2Y_urb_complete(struct urb *urb) + usX2Y_error_urb_status(usX2Y, subs, urb); + return; + } +- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF))) +- subs->completed_urb = urb; +- else { +- usX2Y_error_sequence(usX2Y, subs, urb); +- return; +- } ++ ++ subs->completed_urb = urb; ++ + { + struct snd_usX2Y_substream *capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE], + *playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK]; +diff --git a/sound/usb/usx2y/usx2yhwdeppcm.c b/sound/usb/usx2y/usx2yhwdeppcm.c +index f2a1acd..814d0e8 100644 +--- a/sound/usb/usx2y/usx2yhwdeppcm.c ++++ b/sound/usb/usx2y/usx2yhwdeppcm.c +@@ -244,13 +244,8 @@ static void i_usX2Y_usbpcm_urb_complete(struct urb *urb) + usX2Y_error_urb_status(usX2Y, subs, urb); + return; + } +- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF))) +- subs->completed_urb = urb; +- else { +- usX2Y_error_sequence(usX2Y, subs, urb); +- return; +- } + ++ subs->completed_urb = urb; + capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE]; + capsubs2 = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE + 2]; + playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK]; diff --git a/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch index bfc60cf..46b1e15 100644 --- a/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch +++ b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310191259.patch @@ -281,7 +281,7 @@ index 7f9d4f5..6d1afd6 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 4f91b99..cb9dcfc 100644 +index e87ba83..ee3c7b7 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -2091,6 +2091,30 @@ index a8cae71c..65dd797 100644 /* * set platform specific SMP operations +diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h +index f1d96d4..73ddd72 100644 +--- a/arch/arm/include/asm/syscall.h ++++ b/arch/arm/include/asm/syscall.h +@@ -57,6 +57,9 @@ static inline void syscall_get_arguments(struct task_struct *task, + unsigned int i, unsigned int n, + unsigned long *args) + { ++ if (n == 0) ++ return; ++ + if (i + n > SYSCALL_MAX_ARGS) { + unsigned long *args_bad = args + SYSCALL_MAX_ARGS - i; + unsigned int n_bad = n + i - SYSCALL_MAX_ARGS; +@@ -81,6 +84,9 @@ static inline void syscall_set_arguments(struct task_struct *task, + unsigned int i, unsigned int n, + const unsigned long *args) + { ++ if (n == 0) ++ return; ++ + if (i + n > SYSCALL_MAX_ARGS) { + pr_warning("%s called with max args %d, handling only %d\n", + __func__, i + n, SYSCALL_MAX_ARGS); diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h index 2b8114f..8fe9bcf 100644 --- a/arch/arm/include/asm/thread_info.h @@ -7254,7 +7278,7 @@ index 5dfd248..64914ac 100644 return addr; } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index 04e47c6..7a8faf6 100644 +index b3f87a3..5d5d03d 100644 --- a/arch/parisc/kernel/traps.c +++ b/arch/parisc/kernel/traps.c @@ -727,9 +727,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) 
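Review bot: The new `if (n == 0) return;` added to both syscall_get_arguments and syscall_set_arguments carries no comment, so a later reader sees an odd-looking special case with no stated reason; the rest of each body, including whatever makes n == 0 hazardous, lies outside the hunk. Presumably the guard exists because the i == 0 path further down copies ORIG_r0 and then decrements n, which for an unsigned n == 0 wraps into a huge memcpy length — if that is the case, say so at the guard: `/* n == 0: nothing to copy; bail before the i == 0 path decrements n and wraps the memcpy length */`. The same comment belongs on the syscall_set_arguments copy of the check.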
@@ -9442,24 +9466,6 @@ index d432fb2..6056af1 100644 extra-y := head_$(BITS).o -diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c -index 62d6b15..9231031 100644 ---- a/arch/sparc/kernel/ds.c -+++ b/arch/sparc/kernel/ds.c -@@ -849,10 +849,9 @@ void ldom_reboot(const char *boot_command) - if (boot_command && strlen(boot_command)) { - unsigned long len; - -- strcpy(full_boot_str, "boot "); -- strlcpy(full_boot_str + strlen("boot "), boot_command, -- sizeof(full_boot_str + strlen("boot "))); -- len = strlen(full_boot_str); -+ len = snprintf(full_boot_str, sizeof(full_boot_str), "boot %s", boot_command); -+ if (len >= sizeof(full_boot_str)) -+ len = sizeof(full_boot_str) - 1; - - if (reboot_data_supported) { - unsigned long ra = kimage_addr_to_ra(full_boot_str); diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c index fdd819d..5af08c8 100644 --- a/arch/sparc/kernel/process_32.c @@ -9820,7 +9826,7 @@ index 51561b8..8256764 100644 } } diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S -index 22a1098..6255eb9 100644 +index 73ec8a7..4611979 100644 --- a/arch/sparc/kernel/syscalls.S +++ b/arch/sparc/kernel/syscalls.S @@ -52,7 +52,7 @@ sys32_rt_sigreturn: @@ -9834,13 +9840,13 @@ index 22a1098..6255eb9 100644 call syscall_trace_leave @@ -184,7 +184,7 @@ linux_sparc_syscall32: - srl %i5, 0, %o5 ! IEU1 + srl %i3, 0, %o3 ! IEU0 srl %i2, 0, %o2 ! IEU0 Group - andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 + andcc %l0, _TIF_WORK_SYSCALL, %g0 bne,pn %icc, linux_syscall_trace32 ! CTI mov %i0, %l5 ! IEU1 - call %l7 ! CTI Group brk forced + 5: call %l7 ! CTI Group brk forced @@ -207,7 +207,7 @@ linux_sparc_syscall: mov %i3, %o3 ! IEU1 @@ -10323,10 +10329,10 @@ index 85c233d..68500e0 100644 cmp %g1, %g7 bne,pn %xcc, BACKOFF_LABEL(2f, 1b) diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c -index 0c4e35e..745d3e4 100644 +index 323335b..ed85ea2 100644 
--- a/arch/sparc/lib/ksyms.c +++ b/arch/sparc/lib/ksyms.c -@@ -109,12 +109,18 @@ EXPORT_SYMBOL(__downgrade_write); +@@ -100,12 +100,18 @@ EXPORT_SYMBOL(__clear_user); /* Atomic counter implementation. */ EXPORT_SYMBOL(atomic_add); @@ -14874,7 +14880,7 @@ index 59c6c40..5e0b22c 100644 struct compat_timespec { compat_time_t tv_sec; diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index 47538a6..44902d1 100644 +index 7290585..717e89e 100644 --- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h @@ -203,7 +203,7 @@ @@ -20503,10 +20509,10 @@ index addb207..99635fa 100644 +EXPORT_SYMBOL(pax_check_alloca); +#endif diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c -index d32abea..74daf4f 100644 +index 174da5f..5e55606 100644 --- a/arch/x86/kernel/e820.c +++ b/arch/x86/kernel/e820.c -@@ -800,8 +800,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void) +@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void) static void early_panic(char *msg) { @@ -24912,7 +24918,7 @@ index 2cb9470..ff1fd80 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index 563ed91..b9c3313 100644 +index 5f4ad27..9d96c99 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -68,6 +68,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d) @@ -24958,7 +24964,7 @@ index 563ed91..b9c3313 100644 "rm" (real_mode_header->machine_real_restart_asm), "a" (type)); #else -@@ -442,7 +469,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) +@@ -458,7 +485,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) * try to force a triple fault and then cycle between hitting the keyboard * controller and doing that */ @@ -24967,7 +24973,7 @@ index 563ed91..b9c3313 100644 { int i; int attempt = 0; -@@ -551,13 +578,13 @@ void native_machine_shutdown(void) +@@ -567,13 +594,13 @@ void native_machine_shutdown(void) #endif } 
@@ -24983,7 +24989,7 @@ index 563ed91..b9c3313 100644 { pr_notice("machine restart\n"); -@@ -566,7 +593,7 @@ static void native_machine_restart(char *__unused) +@@ -582,7 +609,7 @@ static void native_machine_restart(char *__unused) __machine_emergency_restart(0); } @@ -24992,7 +24998,7 @@ index 563ed91..b9c3313 100644 { /* Stop other cpus and apics */ machine_shutdown(); -@@ -576,7 +603,7 @@ static void native_machine_halt(void) +@@ -592,7 +619,7 @@ static void native_machine_halt(void) stop_this_cpu(NULL); } @@ -25001,7 +25007,7 @@ index 563ed91..b9c3313 100644 { if (pm_power_off) { if (!reboot_force) -@@ -585,9 +612,10 @@ static void native_machine_power_off(void) +@@ -601,9 +628,10 @@ static void native_machine_power_off(void) } /* A fallback in case there is no PM info available */ tboot_shutdown(TB_SHUTDOWN_HALT); @@ -25057,7 +25063,7 @@ index 3fd2c69..16ef367 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index f8ec578..0cc110a 100644 +index 234e1e3..1246d05 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -110,6 +110,7 @@ @@ -25122,16 +25128,16 @@ index f8ec578..0cc110a 100644 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */ int bootloader_type, bootloader_version; -@@ -444,7 +483,7 @@ static void __init parse_setup_data(void) +@@ -442,7 +481,7 @@ static void __init parse_setup_data(void) - switch (data->type) { + switch (data_type) { case SETUP_E820_EXT: -- parse_e820_ext(data); -+ parse_e820_ext((struct setup_data __force_kernel *)data); +- parse_e820_ext(pa_data, data_len); ++ parse_e820_ext((struct setup_data __force_kernel *)pa_data, data_len); break; case SETUP_DTB: add_dtb(pa_data); -@@ -771,7 +810,7 @@ static void __init trim_bios_range(void) +@@ -768,7 +807,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ 
@@ -25140,7 +25146,7 @@ index f8ec578..0cc110a 100644 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } -@@ -779,7 +818,7 @@ static void __init trim_bios_range(void) +@@ -776,7 +815,7 @@ static void __init trim_bios_range(void) /* called before trim_bios_range() to spare extra sanitize */ static void __init e820_add_kernel_range(void) { @@ -25149,7 +25155,7 @@ index f8ec578..0cc110a 100644 u64 size = __pa_symbol(_end) - start; /* -@@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void) +@@ -838,8 +877,12 @@ static void __init trim_low_memory_range(void) void __init setup_arch(char **cmdline_p) { @@ -25162,7 +25168,7 @@ index f8ec578..0cc110a 100644 early_reserve_initrd(); -@@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p) +@@ -931,14 +974,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -35953,18 +35959,10 @@ index e8d11b6..7b1b36f 100644 } EXPORT_SYMBOL_GPL(unregister_syscore_ops); diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index 62b6c2c..002d10f 100644 +index 90a4e6b..002d10f 100644 --- a/drivers/block/cciss.c +++ b/drivers/block/cciss.c -@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, - int err; - u32 cp; - -+ memset(&arg64, 0, sizeof(arg64)); - err = 0; - err |= - copy_from_user(&arg64.LUN_info, &arg32->LUN_info, -@@ -3010,7 +3011,7 @@ static void start_io(ctlr_info_t *h) +@@ -3011,7 +3011,7 @@ static void start_io(ctlr_info_t *h) while (!list_empty(&h->reqQ)) { c = list_entry(h->reqQ.next, CommandList_struct, list); /* can't do anything if fifo is full */ @@ -35973,7 +35971,7 @@ index 62b6c2c..002d10f 100644 dev_warn(&h->pdev->dev, "fifo full\n"); break; } -@@ -3020,7 +3021,7 @@ static void start_io(ctlr_info_t *h) +@@ -3021,7 +3021,7 @@ static void start_io(ctlr_info_t *h) h->Qdepth--; /* Tell the controller execute command */ 
@@ -35982,7 +35980,7 @@ index 62b6c2c..002d10f 100644 /* Put job onto the completed Q */ addQ(&h->cmpQ, c); -@@ -3446,17 +3447,17 @@ startio: +@@ -3447,17 +3447,17 @@ startio: static inline unsigned long get_next_completion(ctlr_info_t *h) { @@ -36003,7 +36001,7 @@ index 62b6c2c..002d10f 100644 (h->interrupts_enabled == 0)); } -@@ -3489,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h) +@@ -3490,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h) u32 a; if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant))) @@ -36012,7 +36010,7 @@ index 62b6c2c..002d10f 100644 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) { a = *(h->reply_pool_head); /* Next cmd in ring buffer */ -@@ -4046,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h) +@@ -4047,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h) trans_support & CFGTBL_Trans_use_short_tags); /* Change the access methods to the performant access methods */ @@ -36021,7 +36019,7 @@ index 62b6c2c..002d10f 100644 h->transMethod = CFGTBL_Trans_Performant; return; -@@ -4319,7 +4320,7 @@ static int cciss_pci_init(ctlr_info_t *h) +@@ -4320,7 +4320,7 @@ static int cciss_pci_init(ctlr_info_t *h) if (prod_index < 0) return -ENODEV; h->product_name = products[prod_index].product_name; @@ -36030,7 +36028,7 @@ index 62b6c2c..002d10f 100644 if (cciss_board_disabled(h)) { dev_warn(&h->pdev->dev, "controller appears to be disabled\n"); -@@ -5051,7 +5052,7 @@ reinit_after_soft_reset: +@@ -5052,7 +5052,7 @@ reinit_after_soft_reset: } /* make sure the board interrupts are off */ @@ -36039,7 +36037,7 @@ index 62b6c2c..002d10f 100644 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx); if (rc) goto clean2; -@@ -5101,7 +5102,7 @@ reinit_after_soft_reset: +@@ -5102,7 +5102,7 @@ reinit_after_soft_reset: * fake ones to scoop up any residual completions. */ spin_lock_irqsave(&h->lock, flags); 
@@ -36048,7 +36046,7 @@ index 62b6c2c..002d10f 100644 spin_unlock_irqrestore(&h->lock, flags); free_irq(h->intr[h->intr_mode], h); rc = cciss_request_irq(h, cciss_msix_discard_completions, -@@ -5121,9 +5122,9 @@ reinit_after_soft_reset: +@@ -5122,9 +5122,9 @@ reinit_after_soft_reset: dev_info(&h->pdev->dev, "Board READY.\n"); dev_info(&h->pdev->dev, "Waiting for stale completions to drain.\n"); @@ -36060,7 +36058,7 @@ index 62b6c2c..002d10f 100644 rc = controller_reset_failed(h->cfgtable); if (rc) -@@ -5146,7 +5147,7 @@ reinit_after_soft_reset: +@@ -5147,7 +5147,7 @@ reinit_after_soft_reset: cciss_scsi_setup(h); /* Turn the interrupts on so we can service requests */ @@ -36069,7 +36067,7 @@ index 62b6c2c..002d10f 100644 /* Get the firmware version */ inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL); -@@ -5218,7 +5219,7 @@ static void cciss_shutdown(struct pci_dev *pdev) +@@ -5219,7 +5219,7 @@ static void cciss_shutdown(struct pci_dev *pdev) kfree(flush_buf); if (return_code != IO_OK) dev_warn(&h->pdev->dev, "Error flushing cache\n"); @@ -36092,7 +36090,7 @@ index 7fda30e..eb5dfe0 100644 /* queue and queue Info */ struct list_head reqQ; diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c -index 639d26b..fd6ad1f 100644 +index 2b94403..fd6ad1f 100644 --- a/drivers/block/cpqarray.c +++ b/drivers/block/cpqarray.c @@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev) @@ -36167,15 +36165,7 @@ index 639d26b..fd6ad1f 100644 a1 = a; a &= ~3; if ((c = h->cmpQ) == NULL) { -@@ -1193,6 +1193,7 @@ out_passthru: - ida_pci_info_struct pciinfo; - - if (!arg) return -EINVAL; -+ memset(&pciinfo, 0, sizeof(pciinfo)); - pciinfo.bus = host->pci_dev->bus->number; - pciinfo.dev_fn = host->pci_dev->devfn; - pciinfo.board_id = host->board_id; -@@ -1447,11 +1448,11 @@ static int sendcmd( +@@ -1448,11 +1448,11 @@ static int sendcmd( /* * Disable interrupt */ 
@@ -36189,7 +36179,7 @@ index 639d26b..fd6ad1f 100644 if (temp != 0) { break; } -@@ -1464,7 +1465,7 @@ DBG( +@@ -1465,7 +1465,7 @@ DBG( /* * Send the cmd */ @@ -36198,7 +36188,7 @@ index 639d26b..fd6ad1f 100644 complete = pollcomplete(ctlr); pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, -@@ -1547,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host) +@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host) * we check the new geometry. Then turn interrupts back on when * we're done. */ @@ -36210,7 +36200,7 @@ index 639d26b..fd6ad1f 100644 for(i=0; i<NWD; i++) { struct gendisk *disk = ida_gendisk[ctlr][i]; -@@ -1589,7 +1590,7 @@ static int pollcomplete(int ctlr) +@@ -1590,7 +1590,7 @@ static int pollcomplete(int ctlr) /* Wait (up to 2 seconds) for a command to complete */ for (i = 200000; i > 0; i--) { @@ -36917,7 +36907,7 @@ index 5c5cc00..ac9edb7 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 0d91fe5..f8e37b0 100644 +index 92e6c67..c640ec3 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -272,8 +272,13 @@ 
@@ -37151,6 +37141,180 @@ index 5bb848c..f1d4fc9 100644 .recalc_rate = socfpga_clk_recalc_rate, .get_parent = socfpga_clk_get_parent, .set_parent = socfpga_clk_set_parent, +diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c +index 08ae128..c73fc2b 100644 +--- a/drivers/connector/cn_proc.c ++++ b/drivers/connector/cn_proc.c +@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + /* If cn_netlink_send() failed, the data is not sent */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } +@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + ev->what = which_id; + ev->event_data.id.process_pid = task->pid; + ev->event_data.id.process_tgid = task->tgid; +@@ -145,6 
+150,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_struct 
*task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + msg->seq = rcvd_seq; + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 
rcvd_ack + 1; + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c +index 6ecfa75..0daa11e 100644 +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) + static void cn_rx_skb(struct sk_buff *__skb) + { + struct nlmsghdr *nlh; +- int err; + struct sk_buff *skb; ++ int len, err; + + skb = skb_get(__skb); + + if (skb->len >= NLMSG_HDRLEN) { + nlh = nlmsg_hdr(skb); ++ len = nlmsg_len(nlh); + +- if (nlh->nlmsg_len < sizeof(struct cn_msg) || ++ if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { ++ len > CONNECTOR_MAX_MSG_SIZE) { + kfree_skb(skb); + return; + } diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c index 3926402..37b580d 100644 --- a/drivers/cpufreq/acpi-cpufreq.c @@ -38534,7 +38698,7 @@ index 46d46ba..6e49848 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index bedf15a..d02d1e6 100644 +index 90a7c17..ecedc6a 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -9424,13 +9424,13 @@ struct intel_quirk { @@ -38921,7 +39085,7 @@ index af85299..ed9ac8d 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 63398ae..669e045 100644 +index d15f27e..ef11ffc 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -1105,7 +1105,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) @@ -39410,10 +39574,10 @@ index 5360e5a..c2c0d26 100644 err = drm_debugfs_create_files(dc->debugfs_files, ARRAY_SIZE(debugfs_files), 
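Review bot: The reworked length check in cn_rx_skb only establishes that the netlink payload holds a `struct cn_msg` header and fits inside the skb; it never compares the connector-level `msg->len` carried in that header against `len`, so unless cn_call_callback (outside the hunk) or every registered callback bounds `msg->len` itself, a crafted message can still make a callback read `msg->len` bytes past the received data. Since `len >= sizeof(struct cn_msg)` is already guaranteed at that point, a cheap guard right after the existing test would be `if (((struct cn_msg *)nlmsg_data(nlh))->len > len - sizeof(struct cn_msg)) { kfree_skb(skb); return; }`. cn_rx_skb's body continues past the hunk, so verify the check is not already made there before adding it.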
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index ee75486..65621fd 100644 +index 9f60d63..c89e0b7 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -2351,7 +2351,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); +@@ -2370,7 +2370,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); int hid_add_device(struct hid_device *hdev) { @@ -39422,7 +39586,7 @@ index ee75486..65621fd 100644 int ret; if (WARN_ON(hdev->status & HID_STAT_ADDED)) -@@ -2385,7 +2385,7 @@ int hid_add_device(struct hid_device *hdev) +@@ -2404,7 +2404,7 @@ int hid_add_device(struct hid_device *hdev) /* XXX hack, any other cleaner solution after the driver core * is converted to allow more than 20 bytes as the device name? */ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, @@ -39445,7 +39609,7 @@ index c13fb5b..55a3802 100644 *off += size; diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c -index fc307e0..2b255e8 100644 +index 145a4cb..2353a3e 100644 --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -47,7 +47,7 @@ struct uhid_device { @@ -39641,10 +39805,10 @@ index 6351aba..dc4aaf4 100644 int res = 0; diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c -index 62c2e32..8f2859a 100644 +index 3288f13..71cfb4e 100644 --- a/drivers/hwmon/applesmc.c +++ b/drivers/hwmon/applesmc.c -@@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num) +@@ -1106,7 +1106,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num) { struct applesmc_node_group *grp; struct applesmc_dev_attr *node; @@ -42096,7 +42260,7 @@ index 60bce43..9b997d0 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 9e39d2b..fb879a7 100644 +index 995e1fc..2468cec 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -178,9 +178,9 @@ struct mapped_device { 
@@ -42131,7 +42295,7 @@ index 9e39d2b..fb879a7 100644 wake_up(&md->eventq); } -@@ -2716,18 +2716,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2727,18 +2727,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -43686,10 +43850,10 @@ index f9d5615..99dd95f 100644 struct sm_sysfs_attribute *vendor_attribute; diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index e48cb33..72e73fc 100644 +index 5e31046..82f8ddc 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c -@@ -4832,7 +4832,7 @@ static unsigned int bond_get_num_tx_queues(void) +@@ -4839,7 +4839,7 @@ static unsigned int bond_get_num_tx_queues(void) return tx_queues; } @@ -43698,7 +43862,7 @@ index e48cb33..72e73fc 100644 .kind = "bond", .priv_size = sizeof(struct bonding), .setup = bond_setup, -@@ -4957,8 +4957,8 @@ static void __exit bonding_exit(void) +@@ -4964,8 +4964,8 @@ static void __exit bonding_exit(void) bond_destroy_debugfs(); @@ -43961,7 +44125,7 @@ index 599d1fd..59868fe 100644 default: dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n"); diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 85e5c97..76f97ec 100644 +index 7ba68e0..618c73d 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -759,22 +759,22 @@ struct rtl8169_private { @@ -44177,38 +44341,10 @@ index bff7e0b..7315137 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 71af122..b3c20f3 100644 +index 68b9aa3..b3c20f3 100644 --- a/drivers/net/tun.c 
+++ b/drivers/net/tun.c -@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - INIT_LIST_HEAD(&tun->disabled); - err = tun_attach(tun, file); - if (err < 0) -- goto err_free_dev; -+ goto err_free_flow; - - err = register_netdevice(tun->dev); - if (err < 0) -- goto err_free_dev; -+ goto err_detach; - - if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || - device_create_file(&tun->dev->dev, &dev_attr_owner) || -@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - strcpy(ifr->ifr_name, tun->dev->name); - return 0; - -- err_free_dev: -+err_detach: -+ tun_detach_all(dev); -+err_free_flow: -+ tun_flow_uninit(tun); -+ security_tun_dev_free_security(tun->security); -+err_free_dev: - free_netdev(dev); - return err; - } -@@ -1869,7 +1874,7 @@ unlock: +@@ -1874,7 +1874,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -44217,7 +44353,7 @@ index 71af122..b3c20f3 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1881,6 +1886,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1886,6 +1886,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -44341,10 +44477,10 @@ index a79e9d3..78cd4fa 100644 /* we will have to manufacture ethernet headers, prepare template */ diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index 767f7af..8162b9d 100644 +index 8a05d77..ba8b9c5 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -1868,7 +1868,7 @@ nla_put_failure: +@@ -1870,7 +1870,7 @@ nla_put_failure: return -EMSGSIZE; } 
@@ -44353,6 +44489,18 @@ index 767f7af..8162b9d 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index 3f0c4f2..bcfff0d 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port, + } + + i = port->index; ++ memset(&sync, 0, sizeof(sync)); + sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed); + /* Lucky card and linux use same encoding here */ + sync.clock_type = FST_RDB(card, portConfig[i].internalClock) == diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c index 0b60295..b8bfa5b 100644 --- a/drivers/net/wimax/i2400m/rx.c @@ -52050,7 +52198,7 @@ index 89dec7f..361b0d75 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 100edcc..244db37 100644 +index 4c94a79..f428019 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -34,6 +34,7 @@ @@ -52778,7 +52926,7 @@ index 100edcc..244db37 100644 set_fs(old_fs); fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); } -@@ -2017,14 +2474,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -2023,14 +2480,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -52795,7 +52943,7 @@ index 100edcc..244db37 100644 return size; } -@@ -2117,7 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2123,7 +2580,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); 
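Review bot: The new `memset(&sync, 0, sizeof(sync));` in fst_get_iface has no comment saying why it is there, and the reason is not visible in the hunk: the fields of `sync` that are never assigned, and the point where the struct is handed to user space, both lie outside it. I would put `/* zero unassigned fields and padding before sync is copied out to user space */` above the memset so a later cleanup does not move the call below the first field assignment; the "copied out" part is presumably why the line was added and should be confirmed against the rest of the function. fst_get_iface's body starts before the hunk and continues after it.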
@@ -52804,7 +52952,7 @@ index 100edcc..244db37 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -2131,10 +2588,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2137,10 +2594,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -52817,7 +52965,7 @@ index 100edcc..244db37 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -2148,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2154,7 +2613,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -52826,7 +52974,7 @@ index 100edcc..244db37 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2159,6 +2618,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2165,6 +2624,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -52834,7 +52982,7 @@ index 100edcc..244db37 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2183,7 +2643,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2189,7 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -52843,7 +52991,7 @@ index 100edcc..244db37 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2192,6 +2652,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2198,6 +2658,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); 
@@ -52851,7 +52999,7 @@ index 100edcc..244db37 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2209,6 +2670,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2215,6 +2676,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -52859,7 +53007,7 @@ index 100edcc..244db37 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2229,6 +2691,167 @@ out: +@@ -2235,6 +2697,167 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -53064,7 +53212,7 @@ index d50bbe5..af3b649 100644 goto err; } diff --git a/fs/bio.c b/fs/bio.c -index c5eae72..599e3cf 100644 +index 5e7507d..418c639 100644 --- a/fs/bio.c +++ b/fs/bio.c @@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q, @@ -53222,10 +53370,32 @@ index 8eb6191..eda91e2 100644 wake_up(&root->fs_info->transaction_wait); wake_up(&root->fs_info->transaction_blocked_wait); diff --git a/fs/buffer.c b/fs/buffer.c -index 4d74335..b0df7f9 100644 +index 4d74335..7bd000a 100644 --- a/fs/buffer.c 
+++ b/fs/buffer.c -@@ -3416,7 +3416,7 @@ void __init buffer_init(void) +@@ -1005,9 +1005,19 @@ grow_dev_page(struct block_device *bdev, sector_t block, + struct buffer_head *bh; + sector_t end_block; + int ret = 0; /* Will call free_more_memory() */ ++ gfp_t gfp_mask; + +- page = find_or_create_page(inode->i_mapping, index, +- (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE); ++ gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS; ++ gfp_mask |= __GFP_MOVABLE; ++ /* ++ * XXX: __getblk_slow() can not really deal with failure and ++ * will endlessly loop on improvised global reclaim. Prefer ++ * looping in the allocator rather than here, at least that ++ * code knows what it's doing. ++ */ ++ gfp_mask |= __GFP_NOFAIL; ++ ++ page = find_or_create_page(inode->i_mapping, index, gfp_mask); + if (!page) + return ret; + +@@ -3416,7 +3426,7 @@ void __init buffer_init(void) bh_cachep = kmem_cache_create("buffer_head", sizeof(struct buffer_head), 0, (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC| @@ -53468,10 +53638,37 @@ index f3ac415..3d2420c 100644 server->ops->print_stats(m, tcon); } diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c -index 85ea98d..b3ed4d6 100644 +index 85ea98d..1eee040 100644 --- a/fs/cifs/cifsfs.c 
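Review bot: Once `gfp_mask |= __GFP_NOFAIL;` is in place, the `if (!page) return ret;` branch in grow_dev_page can no longer be taken by the allocator's contract, yet the initialisation `int ret = 0; /* Will call free_more_memory() */` still describes that fallback as if it ran. I would reword it to `int ret = 0; /* only returned if find_or_create_page() fails, which __GFP_NOFAIL rules out */` so the reader does not go looking for a reclaim path that no longer exists; whether the check itself can be dropped depends on how `ret` is used further down, which is outside the hunk. The added XXX comment explains the NOFAIL choice well and could mention in one clause that the caller-side failure handling below is now dead. grow_dev_page starts before the hunk and continues after it.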
+++ b/fs/cifs/cifsfs.c -@@ -1037,7 +1037,7 @@ cifs_init_request_bufs(void) +@@ -120,14 +120,16 @@ cifs_read_super(struct super_block *sb) + { + struct inode *inode; + struct cifs_sb_info *cifs_sb; ++ struct cifs_tcon *tcon; + int rc = 0; + + cifs_sb = CIFS_SB(sb); ++ tcon = cifs_sb_master_tcon(cifs_sb); + + if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIXACL) + sb->s_flags |= MS_POSIXACL; + +- if (cifs_sb_master_tcon(cifs_sb)->ses->capabilities & CAP_LARGE_FILES) ++ if (tcon->ses->capabilities & tcon->ses->server->vals->cap_large_files) + sb->s_maxbytes = MAX_LFS_FILESIZE; + else + sb->s_maxbytes = MAX_NON_LFS; +@@ -147,7 +149,7 @@ cifs_read_super(struct super_block *sb) + goto out_no_root; + } + +- if (cifs_sb_master_tcon(cifs_sb)->nocase) ++ if (tcon->nocase) + sb->s_d_op = &cifs_ci_dentry_ops; + else + sb->s_d_op = &cifs_dentry_ops; +@@ -1037,7 +1039,7 @@ cifs_init_request_bufs(void) */ cifs_req_cachep = kmem_cache_create("cifs_request", CIFSMaxBufSize + max_hdr_size, 0, @@ -53480,7 +53677,7 @@ index 85ea98d..b3ed4d6 100644 if (cifs_req_cachep == NULL) return -ENOMEM; -@@ -1064,7 +1064,7 @@ cifs_init_request_bufs(void) +@@ -1064,7 +1066,7 @@ cifs_init_request_bufs(void) efficient to alloc 1 per page off the slab compared to 17K (5page) alloc of large cifs buffers even when page debugging is on */ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq", @@ -53489,7 +53686,7 @@ index 85ea98d..b3ed4d6 100644 NULL); if (cifs_sm_req_cachep == NULL) { mempool_destroy(cifs_req_poolp); -@@ -1149,8 +1149,8 @@ init_cifs(void) +@@ -1149,8 +1151,8 @@ init_cifs(void) atomic_set(&bufAllocCount, 0); atomic_set(&smBufAllocCount, 0); #ifdef CONFIG_CIFS_STATS2 
@@ -53619,6 +53816,21 @@ index f7d4b22..1254377 100644 #endif /* CONFIG_CIFS_STATS2 */ } +diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c +index af847e1..651a527 100644 +--- a/fs/cifs/netmisc.c ++++ b/fs/cifs/netmisc.c +@@ -780,7 +780,9 @@ static const struct { + ERRDOS, ERRnoaccess, 0xc0000290}, { + ERRDOS, ERRbadfunc, 0xc000029c}, { + ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, { +- ERRDOS, ERRinvlevel, 0x007c0001}, }; ++ ERRDOS, ERRinvlevel, 0x007c0001}, { ++ 0, 0, 0 } ++}; + + /***************************************************************************** + Print an error message from the status code diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c index 6094397..51e576f 100644 --- a/fs/cifs/smb1ops.c @@ -55079,6 +55291,31 @@ index 22548f5..41521d8 100644 return 0; } return 1; +diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c +index 1194b1f..f8cde46 100644 +--- a/fs/ext3/namei.c ++++ b/fs/ext3/namei.c +@@ -1783,7 +1783,7 @@ retry: + d_tmpfile(dentry, inode); + err = ext3_orphan_add(handle, inode); + if (err) +- goto err_drop_inode; ++ goto err_unlock_inode; + mark_inode_dirty(inode); + unlock_new_inode(inode); + } +@@ -1791,10 +1791,9 @@ retry: + if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries)) + goto retry; + return err; +-err_drop_inode: ++err_unlock_inode: + ext3_journal_stop(handle); + unlock_new_inode(inode); +- iput(inode); + return err; + } + diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c index ddd715e..c772f88 100644 --- a/fs/ext4/balloc.c 
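Review bot: The all-zero terminator `{ 0, 0, 0 }` appended to the ntstatus-to-DOS table carries no comment tying it to the code that walks the table, so an entry added after it later would be silently unreachable. I would write it as `{ 0, 0, 0 } /* sentinel: keep last, the lookup stops at the first zero entry */` and confirm that the lookup (outside this hunk) really stops on a zero entry rather than iterating with ARRAY_SIZE; if it uses ARRAY_SIZE, the new entry changes what a lookup returns instead of terminating it. The table's definition starts before the hunk.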
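Review bot: The relabelled `err_unlock_inode:` path in the ext3 tmpfile function now stops the journal handle and unlocks the new inode but no longer drops the inode reference, and nothing in the hunk records who owns that reference from here on. Since `d_tmpfile(dentry, inode);` is the visible reason the iput went away, I would add `/* d_tmpfile() already attached the inode to the dentry; its reference is released with the dentry, so no iput() here */` above `ext3_journal_stop(handle);` — confirm against d_tmpfile's semantics in this tree. The identical fs/ext4/namei.c hunk later in this diff needs the same comment at its `err_unlock_inode:` label. Both functions start before their hunks.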
@@ -55258,6 +55495,31 @@ index 214461e..3614c89 100644 __ext4_warning(sb, function, line, "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 35f55a0..b53cbc6 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2319,7 +2319,7 @@ retry: + d_tmpfile(dentry, inode); + err = ext4_orphan_add(handle, inode); + if (err) +- goto err_drop_inode; ++ goto err_unlock_inode; + mark_inode_dirty(inode); + unlock_new_inode(inode); + } +@@ -2328,10 +2328,9 @@ retry: + if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries)) + goto retry; + return err; +-err_drop_inode: ++err_unlock_inode: + ext4_journal_stop(handle); + unlock_new_inode(inode); +- iput(inode); + return err; + } + diff --git a/fs/ext4/super.c b/fs/ext4/super.c index b59373b..f41c2b5 100644 --- a/fs/ext4/super.c @@ -72080,7 +72342,7 @@ index ec1aee4..1077986 100644 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t); /* diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h -index 842de22..7f3a41f 100644 +index ded4299..da50e3b 100644 --- a/include/linux/compiler-gcc4.h +++ b/include/linux/compiler-gcc4.h @@ -39,9 +39,29 @@ @@ -75638,7 +75900,7 @@ index 34a1e10..03a6d03 100644 struct proc_ns { void *ns; diff --git a/include/linux/random.h b/include/linux/random.h -index 3b9377d..e418336 100644 +index 6312dd9..2561947 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -10,9 +10,19 @@ @@ -75663,7 +75925,7 @@ index 3b9377d..e418336 100644 extern void get_random_bytes(void *buf, int nbytes); extern void get_random_bytes_arch(void *buf, int nbytes); -@@ -32,6 +42,11 @@ void prandom_seed(u32 seed); +@@ -33,6 +43,11 @@ void prandom_seed(u32 seed); u32 prandom_u32_state(struct rnd_state *); void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes); 
@@ -77143,6 +77405,18 @@ index fdbafc6..49dfe4f 100644 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int); +diff --git a/include/linux/yam.h b/include/linux/yam.h +index 7fe2822..512cdc2 100644 +--- a/include/linux/yam.h ++++ b/include/linux/yam.h +@@ -77,6 +77,6 @@ struct yamdrv_ioctl_cfg { + + struct yamdrv_ioctl_mcs { + int cmd; +- int bitrate; ++ unsigned int bitrate; + unsigned char bits[YAM_FPGA_SIZE]; + }; diff --git a/include/linux/zlib.h b/include/linux/zlib.h index 9c5a6b4..09c9438 100644 --- a/include/linux/zlib.h @@ -77329,7 +77603,7 @@ index 53f464d..0bd0b49 100644 #endif /* _NET_INETPEER_H */ diff --git a/include/net/ip.h b/include/net/ip.h -index a68f838..74518ab 100644 +index edfa591..a643b82 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -202,7 +202,7 @@ extern struct local_ports { @@ -78702,10 +78976,10 @@ index a67ef9d..2d17ed9 100644 #ifdef CONFIG_BLK_DEV_RAM int fd; diff --git a/init/main.c b/init/main.c -index d03d2ec..9fc4737 100644 +index 586cd33..f1af30f 100644 --- a/init/main.c +++ b/init/main.c -@@ -101,6 +101,8 @@ static inline void mark_rodata_ro(void) { } +@@ -102,6 +102,8 @@ static inline void mark_rodata_ro(void) { } extern void tc_init(void); #endif @@ -78714,7 +78988,7 @@ index d03d2ec..9fc4737 100644 /* * Debug helper: via this flag we know that we are in 'early bootup code' * where only the boot processor is running with IRQ disabled. This means -@@ -154,6 +156,74 @@ static int __init set_reset_devices(char *str) +@@ -155,6 +157,74 @@ static int __init set_reset_devices(char *str) __setup("reset_devices", set_reset_devices); 
@@ -78789,7 +79063,7 @@ index d03d2ec..9fc4737 100644 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; static const char *panic_later, *panic_param; -@@ -679,25 +749,24 @@ int __init_or_module do_one_initcall(initcall_t fn) +@@ -680,25 +750,24 @@ int __init_or_module do_one_initcall(initcall_t fn) { int count = preempt_count(); int ret; @@ -78820,7 +79094,7 @@ index d03d2ec..9fc4737 100644 return ret; } -@@ -803,8 +872,8 @@ static int run_init_process(const char *init_filename) +@@ -805,8 +874,8 @@ static int run_init_process(const char *init_filename) { argv_init[0] = init_filename; return do_execve(init_filename, @@ -78831,7 +79105,7 @@ index d03d2ec..9fc4737 100644 } static noinline void __init kernel_init_freeable(void); -@@ -881,7 +950,7 @@ static noinline void __init kernel_init_freeable(void) +@@ -883,7 +952,7 @@ static noinline void __init kernel_init_freeable(void) do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ @@ -78840,7 +79114,7 @@ index d03d2ec..9fc4737 100644 pr_err("Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -894,11 +963,13 @@ static noinline void __init kernel_init_freeable(void) +@@ -896,11 +965,13 @@ static noinline void __init kernel_init_freeable(void) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; @@ -78930,10 +79204,10 @@ index ae1996d..a35f2cc 100644 if (u->mq_bytes + mq_bytes < u->mq_bytes || u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) { diff --git a/ipc/msg.c b/ipc/msg.c -index b65fdf1..89ec2b1 100644 +index 558aa91..359e718 100644 --- a/ipc/msg.c +++ b/ipc/msg.c -@@ -291,18 +291,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) +@@ -297,18 +297,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) return security_msg_queue_associate(msq, msgflg); } 
@@ -78959,10 +79233,10 @@ index b65fdf1..89ec2b1 100644 msg_params.flg = msgflg; diff --git a/ipc/sem.c b/ipc/sem.c -index 4108889..511ada1 100644 +index 8e2bf30..a711151 100644 --- a/ipc/sem.c +++ b/ipc/sem.c -@@ -517,10 +517,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp, +@@ -562,10 +562,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp, return 0; } @@ -78979,7 +79253,7 @@ index 4108889..511ada1 100644 struct ipc_params sem_params; ns = current->nsproxy->ipc_ns; -@@ -528,10 +533,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) +@@ -573,10 +578,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) if (nsems < 0 || nsems > ns->sc_semmsl) return -EINVAL; @@ -78991,10 +79265,10 @@ index 4108889..511ada1 100644 sem_params.flg = semflg; sem_params.u.nsems = nsems; diff --git a/ipc/shm.c b/ipc/shm.c -index c6b4ad5..3ec3254 100644 +index d697396..40e887d 100644 --- a/ipc/shm.c +++ b/ipc/shm.c -@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp); +@@ -72,6 +72,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp); static int sysvipc_shm_proc_show(struct seq_file *s, void *it); #endif @@ -79009,7 +79283,7 @@ index c6b4ad5..3ec3254 100644 void shm_init_ns(struct ipc_namespace *ns) { ns->shm_ctlmax = SHMMAX; -@@ -531,6 +539,14 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) +@@ -551,6 +559,14 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) shp->shm_lprid = 0; shp->shm_atim = shp->shm_dtim = 0; shp->shm_ctim = get_seconds(); @@ -79024,7 +79298,7 @@ index c6b4ad5..3ec3254 100644 shp->shm_segsz = size; shp->shm_nattch = 0; shp->shm_file = file; -@@ -585,18 +601,19 @@ static inline int shm_more_checks(struct kern_ipc_perm *ipcp, +@@ -604,18 +620,19 @@ static inline int shm_more_checks(struct kern_ipc_perm *ipcp, return 0; } 
@@ -79049,7 +79323,7 @@ index c6b4ad5..3ec3254 100644 shm_params.key = key; shm_params.flg = shmflg; shm_params.u.size = size; -@@ -1028,6 +1045,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, +@@ -1076,6 +1093,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, f_mode = FMODE_READ | FMODE_WRITE; } if (shmflg & SHM_EXEC) { @@ -79062,7 +79336,7 @@ index c6b4ad5..3ec3254 100644 prot |= PROT_EXEC; acc_mode |= S_IXUGO; } -@@ -1051,9 +1074,21 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, +@@ -1100,10 +1123,22 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, if (err) goto out_unlock; @@ -79075,6 +79349,7 @@ index c6b4ad5..3ec3254 100644 + } +#endif + + ipc_lock_object(&shp->shm_perm); path = shp->shm_file->f_path; path_get(&path); shp->shm_nattch++; @@ -79082,8 +79357,8 @@ index c6b4ad5..3ec3254 100644 + shp->shm_lapid = current->pid; +#endif size = i_size_read(path.dentry->d_inode); - shm_unlock(shp); - + ipc_unlock_object(&shp->shm_perm); + rcu_read_unlock(); diff --git a/kernel/acct.c b/kernel/acct.c index 8d6e145..33e0b1e 100644 --- a/kernel/acct.c @@ -79098,7 +79373,7 @@ index 8d6e145..33e0b1e 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index 7b0e23a..861041e 100644 +index 7b0e23a..5b27ab9 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -118,7 +118,7 @@ u32 audit_sig_sid = 0; 
@@ -79128,7 +79403,13 @@ index 7b0e23a..861041e 100644 audit_rate_limit, audit_backlog_limit); audit_panic(message); -@@ -664,7 +664,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) +@@ -659,18 +659,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + switch (msg_type) { + case AUDIT_GET: ++ status_set.mask = 0; + status_set.enabled = audit_enabled; + status_set.failure = audit_failure; status_set.pid = audit_pid; status_set.rate_limit = audit_rate_limit; status_set.backlog_limit = audit_backlog_limit; @@ -79137,6 +79418,22 @@ index 7b0e23a..861041e 100644 status_set.backlog = skb_queue_len(&audit_skb_queue); audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, &status_set, sizeof(status_set)); + break; + case AUDIT_SET: +- if (nlh->nlmsg_len < sizeof(struct audit_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_status)) + return -EINVAL; + status_get = (struct audit_status *)data; + if (status_get->mask & AUDIT_STATUS_ENABLED) { +@@ -832,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len)); ++ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + if ((s.enabled != 0 && s.enabled != 1) || + (s.log_passwd != 0 && s.log_passwd != 1)) + return -EINVAL; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..3ec9369 100644 --- a/kernel/auditsc.c @@ -80548,7 +80845,7 @@ index 59f7b55..4022f65 100644 /* Don't allow clients that don't understand the native diff --git a/kernel/kmod.c b/kernel/kmod.c -index fb32636..2fe8775 100644 +index b086006..a27913b 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -75,7 +75,7 @@ static void free_modprobe_argv(struct subprocess_info *info) 
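Review bot: Zeroing only `status_set.mask = 0;` in the AUDIT_GET branch leaves the reply clean only as long as every other member of `struct audit_status` keeps being assigned by hand, which the following lines do today but nothing enforces; replacing that line with `memset(&status_set, 0, sizeof(status_set));` also covers padding and any member added later before the struct is sent to user space. In the next hunk, the new `if (nlmsg_len(nlh) < sizeof(struct audit_status))` in AUDIT_SET compares the `int` returned by nlmsg_len() with a `size_t`, so a negative length would convert to a large value and pass; that is presumably ruled out because the caller validates the header first, but `if (nlmsg_len(nlh) < (int)sizeof(struct audit_status))` keeps the comparison signed, as the connector hunk earlier in this diff does. audit_receive_msg starts before the hunk and continues after it.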
@@ -80685,7 +80982,7 @@ index fb32636..2fe8775 100644 /* * If ret is 0, either ____call_usermodehelper failed and the -@@ -646,7 +699,7 @@ EXPORT_SYMBOL(call_usermodehelper); +@@ -650,7 +703,7 @@ EXPORT_SYMBOL(call_usermodehelper); static int proc_cap_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -83407,7 +83704,7 @@ index eb89e18..a4e6792 100644 mutex_unlock(&smpboot_threads_lock); put_online_cpus(); diff --git a/kernel/softirq.c b/kernel/softirq.c -index be3d351..e57af82 100644 +index adf6c00..5d89b73 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c @@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; @@ -83433,7 +83730,7 @@ index be3d351..e57af82 100644 trace_softirq_exit(vec_nr); if (unlikely(prev_count != preempt_count())) { printk(KERN_ERR "huh, entered softirq %u %s %p" -@@ -403,7 +403,7 @@ void __raise_softirq_irqoff(unsigned int nr) +@@ -412,7 +412,7 @@ void __raise_softirq_irqoff(unsigned int nr) or_softirq_pending(1UL << nr); } @@ -83442,7 +83739,7 @@ index be3d351..e57af82 100644 { softirq_vec[nr].action = action; } -@@ -459,7 +459,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) +@@ -468,7 +468,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) EXPORT_SYMBOL(__tasklet_hi_schedule_first); @@ -83451,7 +83748,7 @@ index be3d351..e57af82 100644 { struct tasklet_struct *list; -@@ -494,7 +494,7 @@ static void tasklet_action(struct softirq_action *a) +@@ -503,7 +503,7 @@ static void tasklet_action(struct softirq_action *a) } } @@ -83460,7 +83757,7 @@ index be3d351..e57af82 100644 { struct tasklet_struct *list; -@@ -849,7 +849,7 @@ static struct notifier_block cpu_nfb = { +@@ -858,7 +858,7 @@ static struct notifier_block cpu_nfb = { .notifier_call = cpu_callback }; @@ -85421,7 +85718,7 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 8028dcc..9a2dbe7 100644 +index 6509d27..dbec5b8 100644 --- a/mm/Kconfig 
+++ b/mm/Kconfig @@ -317,10 +317,10 @@ config KSM @@ -85850,6 +86147,19 @@ index 7055883..aafb1ed 100644 error = 0; if (end == start) return error; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index aa44621..99011b3 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2772,6 +2772,8 @@ done: + return 0; + nomem: + *ptr = NULL; ++ if (gfp_mask & __GFP_NOFAIL) ++ return 0; + return -ENOMEM; + bypass: + *ptr = root_mem_cgroup; diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 2c13aa7..64cbc3f 100644 --- a/mm/memory-failure.c @@ -86743,7 +87053,7 @@ index 4baf12e..5497066 100644 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); diff --git a/mm/migrate.c b/mm/migrate.c -index 6f0c244..6d1ae32 100644 +index 25ca7ca..abe1836 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1399,8 +1399,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, @@ -90254,6 +90564,19 @@ index 2fb2d88..8c06e40 100644 struct vlan_net *vn; vn = net_generic(net, vlan_net_id); +diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c +index 3091297..c7e634a 100644 +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -171,7 +171,7 @@ static size_t vlan_get_size(const struct net_device *dev) + + return nla_total_size(2) + /* IFLA_VLAN_PROTOCOL */ + nla_total_size(2) + /* IFLA_VLAN_ID */ +- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */ ++ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */ + vlan_qos_map_size(vlan->nr_ingress_mappings) + + vlan_qos_map_size(vlan->nr_egress_mappings); + } diff --git a/net/9p/mod.c b/net/9p/mod.c index 6ab36ae..6f1841b 100644 --- a/net/9p/mod.c @@ -90442,10 +90765,10 @@ index c478e6b..469fd2f 100644 hard_iface->net_dev->name); diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c -index 0f04e1c..9c0ac11 100644 +index 33b6144..3212ac5 100644 --- a/net/batman-adv/soft-interface.c 
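Review bot: The new `if (gfp_mask & __GFP_NOFAIL) return 0;` at `nomem:` reports success right after `*ptr = NULL;`, so any caller that checks only the return value now has to cope with a NULL memcg, and nothing in the hunk states that contract. I would add `/* __GFP_NOFAIL chargers may not fail: report success and hand back a NULL memcg, which the caller must tolerate */` above the check, and confirm that each caller reachable with __GFP_NOFAIL (outside this hunk) tests `*ptr` before dereferencing it. The enclosing function starts before the hunk.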
+++ b/net/batman-adv/soft-interface.c -@@ -260,7 +260,7 @@ static int batadv_interface_tx(struct sk_buff *skb, +@@ -261,7 +261,7 @@ static int batadv_interface_tx(struct sk_buff *skb, primary_if->net_dev->dev_addr, ETH_ALEN); /* set broadcast sequence number */ @@ -90454,7 +90777,7 @@ index 0f04e1c..9c0ac11 100644 bcast_packet->seqno = htonl(seqno); batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay); -@@ -479,7 +479,7 @@ static int batadv_softif_init_late(struct net_device *dev) +@@ -481,7 +481,7 @@ static int batadv_softif_init_late(struct net_device *dev) atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN); atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE); 
@@ -90649,6 +90972,46 @@ index b6e44ad..5b0d514 100644 spin_unlock_irqrestore(&dev->port.lock, flags); if (dev->tty_dev->parent) device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST); +diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c +index 5180938..7c470c3 100644 +--- a/net/bridge/netfilter/ebt_ulog.c ++++ b/net/bridge/netfilter/ebt_ulog.c +@@ -181,6 +181,7 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, + ub->qlen++; + + pm = nlmsg_data(nlh); ++ memset(pm, 0, sizeof(*pm)); + + /* Fill in the ulog data */ + pm->version = EBT_ULOG_VERSION; +@@ -193,8 +194,6 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, + pm->hook = hooknr; + if (uloginfo->prefix != NULL) + strcpy(pm->prefix, uloginfo->prefix); +- else +- *(pm->prefix) = '\0'; + + if (in) { + strcpy(pm->physindev, in->name); +@@ -204,16 +203,14 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, + strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name); + else + strcpy(pm->indev, in->name); +- } else +- pm->indev[0] = pm->physindev[0] = '\0'; ++ } + + if (out) { + /* If out exists, then out is a bridge port */ + strcpy(pm->physoutdev, out->name); + /* rcu_read_lock()ed by nf_hook_slow */ + strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name); +- } else +- pm->outdev[0] = pm->physoutdev[0] = '\0'; ++ } + + if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0) + BUG(); diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index ac78024..161a80c 100644 --- a/net/bridge/netfilter/ebtables.c @@ -90681,7 +91044,7 @@ index ac78024..161a80c 100644 break; } diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c -index 2bd4b58..0dc30a1 100644 +index 0f45522..dab651f 100644 --- a/net/caif/cfctrl.c +++ b/net/caif/cfctrl.c @@ -10,6 +10,7 @@ @@ -91182,7 +91545,7 @@ index f9765203..9feaef8 100644 return error; } 
diff --git a/net/core/netpoll.c b/net/core/netpoll.c -index 2c637e9..68c9087 100644 +index fc75c9e..8c8e9be 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -428,7 +428,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len) @@ -91571,10 +91934,10 @@ index 3b9d5f2..d7015c6 100644 *hc06_ptr = tmp; hc06_ptr += 4; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index b4d0be2..443d0f0 100644 +index dd6b523..dfe558f 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c -@@ -1689,13 +1689,9 @@ static int __init inet_init(void) +@@ -1687,13 +1687,9 @@ static int __init inet_init(void) BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb)); @@ -91589,7 +91952,7 @@ index b4d0be2..443d0f0 100644 rc = proto_register(&udp_prot, 1); if (rc) -@@ -1804,8 +1800,6 @@ out_unregister_udp_proto: +@@ -1802,8 +1798,6 @@ out_unregister_udp_proto: proto_unregister(&udp_prot); out_unregister_tcp_proto: proto_unregister(&tcp_prot); @@ -91753,7 +92116,7 @@ index 7bd8983..3abdcf6 100644 inet_twsk_deschedule(tw, death_row); while (twrefcnt) { diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c -index 000e3d2..5472da3 100644 +index 33d5537..da337a4 100644 --- a/net/ipv4/inetpeer.c +++ b/net/ipv4/inetpeer.c @@ -503,8 +503,8 @@ relookup: 
@@ -92045,6 +92408,41 @@ index d23118d..6ad7277 100644 break; case IPT_SO_GET_ENTRIES: +diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c +index cbc2215..9cb993c 100644 +--- a/net/ipv4/netfilter/ipt_ULOG.c ++++ b/net/ipv4/netfilter/ipt_ULOG.c +@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net, + ub->qlen++; + + pm = nlmsg_data(nlh); ++ memset(pm, 0, sizeof(*pm)); + + /* We might not have a timestamp, get one */ + if (skb->tstamp.tv64 == 0) +@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net, + } + else if (loginfo->prefix[0] != '\0') + strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); +- else +- *(pm->prefix) = '\0'; + + if (in && in->hard_header_len > 0 && + skb->mac_header != skb->network_header && +@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net, + + if (in) + strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); +- else +- pm->indev_name[0] = '\0'; + + if (out) + strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); +- else +- pm->outdev_name[0] = '\0'; + + /* copy_len <= skb->len, so can't fail. */ + if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index 746427c..80eab72 100644 --- a/net/ipv4/ping.c @@ -92113,7 +92511,7 @@ index 746427c..80eab72 100644 static int ping_v4_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 61e60d6..d6996cd 100644 +index 6fb2337..9cd6b20 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -309,7 +309,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb) 
@@ -92489,6 +92887,40 @@ index ab1c086..2a8d76b 100644 } else if (fastopen) { /* received a valid RST pkt */ reqsk_fastopen_remove(sk, req, true); tcp_reset(sk); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 170737a..75cbd26 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -982,6 +982,9 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb) + static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb, + unsigned int mss_now) + { ++ /* Make sure we own this skb before messing gso_size/gso_segs */ ++ WARN_ON_ONCE(skb_cloned(skb)); ++ + if (skb->len <= mss_now || !sk_can_gso(sk) || + skb->ip_summed == CHECKSUM_NONE) { + /* Avoid the costly divide in the normal +@@ -1063,9 +1066,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, + if (nsize < 0) + nsize = 0; + +- if (skb_cloned(skb) && +- skb_is_nonlinear(skb) && +- pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) ++ if (skb_unclone(skb, GFP_ATOMIC)) + return -ENOMEM; + + /* Get a new skb... force flag on. */ +@@ -2334,6 +2335,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) + int oldpcount = tcp_skb_pcount(skb); + + if (unlikely(oldpcount > 1)) { ++ if (skb_unclone(skb, GFP_ATOMIC)) ++ return -ENOMEM; + tcp_init_tso_segs(sk, skb, cur_mss); + tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb)); + } diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c index d4943f6..e7a74a5 100644 --- a/net/ipv4/tcp_probe.c @@ -92703,7 +93135,7 @@ index 9a459be..c7bc04c 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 498ea99..42501bc 100644 +index 0f99f7b..9375cf5 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -618,7 +618,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, 
@@ -92715,7 +93147,7 @@ index 498ea99..42501bc 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -2381,7 +2381,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) +@@ -2408,7 +2408,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) p.iph.ihl = 5; p.iph.protocol = IPPROTO_IPV6; p.iph.ttl = 64; @@ -92724,7 +93156,7 @@ index 498ea99..42501bc 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -4030,7 +4030,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, +@@ -4057,7 +4057,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, s_ip_idx = ip_idx = cb->args[2]; rcu_read_lock(); @@ -92733,7 +93165,7 @@ index 498ea99..42501bc 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; -@@ -4651,7 +4651,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) +@@ -4678,7 +4678,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) dst_free(&ifp->rt->dst); break; } @@ -92742,7 +93174,7 @@ index 498ea99..42501bc 100644 } static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) -@@ -4671,7 +4671,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, +@@ -4698,7 +4698,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -92751,7 +93183,7 @@ index 498ea99..42501bc 100644 int ret; /* -@@ -4756,7 +4756,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, +@@ -4783,7 +4783,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -92785,7 +93217,7 @@ index 7cfc8d2..c5394b6 100644 table = kmemdup(ipv6_icmp_table_template, sizeof(ipv6_icmp_table_template), diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 90747f1..76fbb5d 100644 +index 8bc717b..76fbb5d 100644 
--- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -74,7 +74,7 @@ struct ip6gre_net { @@ -92797,24 +93229,6 @@ index 90747f1..76fbb5d 100644 static int ip6gre_tunnel_init(struct net_device *dev); static void ip6gre_tunnel_setup(struct net_device *dev); static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t); -@@ -620,7 +620,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb, - struct ip6_tnl *tunnel = netdev_priv(dev); - struct net_device *tdev; /* Device to other host */ - struct ipv6hdr *ipv6h; /* Our new IP header */ -- unsigned int max_headroom; /* The extra header space needed */ -+ unsigned int max_headroom = 0; /* The extra header space needed */ - int gre_hlen; - struct ipv6_tel_txoption opt; - int mtu; -@@ -693,7 +693,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb, - tunnel->err_count = 0; - } - -- max_headroom = LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len; -+ max_headroom += LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len; - - if (skb_headroom(skb) < max_headroom || skb_shared(skb) || - (skb_cloned(skb) && !skb_clone_writable(skb, 0))) { @@ -1288,7 +1288,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) } 
@@ -92842,98 +93256,8 @@ index 90747f1..76fbb5d 100644 .kind = "ip6gretap", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index e7ceb6c..44df1c9 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1040,6 +1040,8 @@ static inline int ip6_ufo_append_data(struct sock *sk, - * udp datagram - */ - if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) { -+ struct frag_hdr fhdr; -+ - skb = sock_alloc_send_skb(sk, - hh_len + fragheaderlen + transhdrlen + 20, - (flags & MSG_DONTWAIT), &err); -@@ -1061,12 +1063,6 @@ static inline int ip6_ufo_append_data(struct sock *sk, - skb->protocol = htons(ETH_P_IPV6); - skb->ip_summed = CHECKSUM_PARTIAL; - skb->csum = 0; -- } -- -- err = skb_append_datato_frags(sk,skb, getfrag, from, -- (length - transhdrlen)); -- if (!err) { -- struct frag_hdr fhdr; - - /* Specify the length of each IPv6 datagram fragment. - * It has to be a multiple of 8. -@@ -1077,15 +1073,10 @@ static inline int ip6_ufo_append_data(struct sock *sk, - ipv6_select_ident(&fhdr, rt); - skb_shinfo(skb)->ip6_frag_id = fhdr.identification; - __skb_queue_tail(&sk->sk_write_queue, skb); -- -- return 0; - } -- /* There is not enough support do UPD LSO, -- * so follow normal path -- */ -- kfree_skb(skb); - -- return err; -+ return skb_append_datato_frags(sk, skb, getfrag, from, -+ (length - transhdrlen)); - } - - static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src, -@@ -1252,27 +1243,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - * --yoshfuji - */ - -+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP || -+ sk->sk_protocol == IPPROTO_RAW)) { -+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -+ return -EMSGSIZE; -+ } -+ -+ skb = skb_peek_tail(&sk->sk_write_queue); - cork->length += length; -- if (length > mtu) { -- int proto = sk->sk_protocol; -- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){ -- 
ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -- return -EMSGSIZE; -- } -- -- if (proto == IPPROTO_UDP && -- (rt->dst.dev->features & NETIF_F_UFO)) { -- -- err = ip6_ufo_append_data(sk, getfrag, from, length, -- hh_len, fragheaderlen, -- transhdrlen, mtu, flags, rt); -- if (err) -- goto error; -- return 0; -- } -+ if (((length > mtu) || -+ (skb && skb_is_gso(skb))) && -+ (sk->sk_protocol == IPPROTO_UDP) && -+ (rt->dst.dev->features & NETIF_F_UFO)) { -+ err = ip6_ufo_append_data(sk, getfrag, from, length, -+ hh_len, fragheaderlen, -+ transhdrlen, mtu, flags, rt); -+ if (err) -+ goto error; -+ return 0; - } - -- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) -+ if (!skb) - goto alloc_new_skb; - - while (length > 0) { diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index 46ba243..576f50e 100644 +index cf5d490..30946f0 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -88,7 +88,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2) @@ -93284,7 +93608,7 @@ index 8d9a93ed..cd89616 100644 table = kmemdup(ipv6_route_table_template, sizeof(ipv6_route_table_template), diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 21b25dd..9a43e37 100644 +index 86f639b..71e355e 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev); @@ -93296,7 +93620,7 @@ index 21b25dd..9a43e37 100644 static int sit_net_id __read_mostly; struct sit_net { -@@ -1547,7 +1547,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = { +@@ -1601,7 +1601,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = { #endif }; @@ -93597,10 +93921,20 @@ index cd5b8ec..f205e6b 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index ab8bd2c..cd2d641 100644 +index ab8bd2c..3a3eb81 100644 --- a/net/key/af_key.c 
+++ b/net/key/af_key.c -@@ -3048,10 +3048,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc +@@ -1098,7 +1098,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + + x->id.proto = proto; + x->id.spi = sa->sadb_sa_spi; +- x->props.replay_window = sa->sadb_sa_replay; ++ x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay, ++ (sizeof(x->replay.bitmap) * 8)); + if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN) + x->props.flags |= XFRM_STATE_NOECN; + if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP) +@@ -3048,10 +3049,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc static u32 get_acqseq(void) { u32 res; 
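Review bot: The new clamp in pfkey_msg2xfrm_state silently bounds `x->props.replay_window` to `sizeof(x->replay.bitmap) * 8` rather than rejecting an oversized `sadb_sa_replay`, and nothing at the assignment records that this clamp is now the only thing bounding bitmap indexing; the same clamp is added to copy_from_user_state in xfrm_user.c further down, while xfrm_replay.c drops the `min_t` it used to apply at the check site. Suggest the same one-line comment at both assignments, e.g. `/* bound to the bitmap size here; xfrm_replay_check no longer clamps */`, so a future configuration path cannot silently skip it. Whether a window larger than the bitmap should be an error instead of a clamp is a policy choice the change does not state; if clamping is intended, the comment should say so. pfkey_msg2xfrm_state starts and ends outside the hunk.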
@@ -93613,6 +93947,93 @@ index ab8bd2c..cd2d641 100644 } while (!res); return res; } +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index feae495..aedaa2c 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -496,6 +496,7 @@ out: + static inline int l2tp_verify_udp_checksum(struct sock *sk, + struct sk_buff *skb) + { ++ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data; + struct udphdr *uh = udp_hdr(skb); + u16 ulen = ntohs(uh->len); + __wsum psum; +@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk, + return 0; + + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) { ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) { + if (!uh->check) { + LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); + return 1; +@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, + /* Queue the packet to IP for output */ + skb->local_df = 1; + #if IS_ENABLED(CONFIG_IPV6) +- if (skb->sk->sk_family == PF_INET6) ++ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped) + error = inet6_csk_xmit(skb, NULL); + else + #endif +@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len + + /* Calculate UDP checksum if configured to do so */ + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) + l2tp_xmit_ipv6_csum(sk, skb, udp_len); + else + #endif +@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + if (cfg != NULL) + tunnel->debug = cfg->debug; + ++#if IS_ENABLED(CONFIG_IPV6) ++ if (sk->sk_family == PF_INET6) { ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (ipv6_addr_v4mapped(&np->saddr) && ++ ipv6_addr_v4mapped(&np->daddr)) { ++ struct inet_sock *inet = inet_sk(sk); ++ ++ tunnel->v4mapped = true; ++ inet->inet_saddr = np->saddr.s6_addr32[3]; ++ inet->inet_rcv_saddr = 
np->rcv_saddr.s6_addr32[3]; ++ inet->inet_daddr = np->daddr.s6_addr32[3]; ++ } else { ++ tunnel->v4mapped = false; ++ } ++ } ++#endif ++ + /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ + tunnel->encap = encap; + if (encap == L2TP_ENCAPTYPE_UDP) { +@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; + udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy; + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) + udpv6_encap_enable(); + else + #endif +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h +index 66a559b..6f251cb 100644 +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -194,6 +194,9 @@ struct l2tp_tunnel { + struct sock *sock; /* Parent socket */ + int fd; /* Parent fd, if tunnel socket + * was created by userspace */ ++#if IS_ENABLED(CONFIG_IPV6) ++ bool v4mapped; ++#endif + + struct work_struct del_work; + diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 43dd752..63a23bc 100644 --- a/net/mac80211/cfg.c @@ -94059,7 +94480,7 @@ index f448471..995f131 100644 cp->old_state = cp->state; /* diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c -index b75ff64..0c51bbe 100644 +index c47444e..b0961c6 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c @@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, @@ -95021,98 +95442,10 @@ index f226709..0e735a8 100644 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index 09ffcc9..3eff2c2 100644 +index 547a461e..ea606e3 100644 --- a/net/sctp/ipv6.c 
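Review bot: In l2tp_verify_udp_checksum the new `tunnel` local is declared unconditionally but is only read inside the `#if IS_ENABLED(CONFIG_IPV6)` block, so builds without IPv6 presumably get an unused-variable warning; declaring it inside that block avoids this. The cast `(struct l2tp_tunnel *)sk->sk_user_data` also has no NULL check — it is safe if every caller only reaches this function after the tunnel has been resolved from the socket, but the hunk does not show that, so a comment such as `/* sk_user_data is the owning tunnel, set before encap_rcv is installed */` would pin the assumption. The new `bool v4mapped` in l2tp_core.h lacks the per-field comment its neighbours carry, e.g. `bool v4mapped; /* IPv6 socket bound to IPv4-mapped addresses; take the IPv4 xmit/checksum paths */`. l2tp_verify_udp_checksum and l2tp_tunnel_create both continue outside the hunk.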
+++ b/net/sctp/ipv6.c -@@ -210,44 +210,23 @@ out: - in6_dev_put(idev); - } - --/* Based on tcp_v6_xmit() in tcp_ipv6.c. */ - static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) - { - struct sock *sk = skb->sk; - struct ipv6_pinfo *np = inet6_sk(sk); -- struct flowi6 fl6; -- -- memset(&fl6, 0, sizeof(fl6)); -- -- fl6.flowi6_proto = sk->sk_protocol; -- -- /* Fill in the dest address from the route entry passed with the skb -- * and the source address from the transport. -- */ -- fl6.daddr = transport->ipaddr.v6.sin6_addr; -- fl6.saddr = transport->saddr.v6.sin6_addr; -- -- fl6.flowlabel = np->flow_label; -- IP6_ECN_flow_xmit(sk, fl6.flowlabel); -- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL) -- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id; -- else -- fl6.flowi6_oif = sk->sk_bound_dev_if; -- -- if (np->opt && np->opt->srcrt) { -- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; -- fl6.daddr = *rt0->addr; -- } -+ struct flowi6 *fl6 = &transport->fl.u.ip6; - - pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb, -- skb->len, &fl6.saddr, &fl6.daddr); -+ skb->len, &fl6->saddr, &fl6->daddr); - -- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ IP6_ECN_flow_xmit(sk, fl6->flowlabel); - - if (!(transport->param_flags & SPP_PMTUD_ENABLE)) - skb->local_df = 1; - -- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); -+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ -+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass); - } - - /* Returns the dst cache entry for the given source and destination ip -@@ -260,10 +239,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - struct dst_entry *dst = NULL; - struct flowi6 *fl6 = &fl->u.ip6; - struct sctp_bind_addr *bp; -+ struct ipv6_pinfo *np = inet6_sk(sk); - struct sctp_sockaddr_entry *laddr; - union sctp_addr *baddr = NULL; - union sctp_addr *daddr = &t->ipaddr; - union sctp_addr dst_saddr; -+ struct in6_addr *final_p, 
final; - __u8 matchlen = 0; - __u8 bmatchlen; - sctp_scope_t scope; -@@ -287,7 +268,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - pr_debug("src=%pI6 - ", &fl6->saddr); - } - -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - if (!asoc || saddr) - goto out; - -@@ -339,10 +321,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - } - } - rcu_read_unlock(); -+ - if (baddr) { - fl6->saddr = baddr->v6.sin6_addr; - fl6->fl6_sport = baddr->v6.sin6_port; -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - } - - out: -@@ -984,7 +968,7 @@ static const struct inet6_protocol sctpv6_protocol = { +@@ -968,7 +968,7 @@ static const struct inet6_protocol sctpv6_protocol = { .flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL, }; @@ -95121,7 +95454,7 @@ index 09ffcc9..3eff2c2 100644 .sa_family = AF_INET6, .sctp_xmit = sctp_v6_xmit, .setsockopt = ipv6_setsockopt, -@@ -1016,7 +1000,7 @@ static struct sctp_af sctp_af_inet6 = { +@@ -1000,7 +1000,7 @@ static struct sctp_af sctp_af_inet6 = { #endif }; @@ -95130,7 +95463,7 @@ index 09ffcc9..3eff2c2 100644 .event_msgname = sctp_inet6_event_msgname, .skb_msgname = sctp_inet6_skb_msgname, .af_supported = sctp_inet6_af_supported, -@@ -1041,7 +1025,7 @@ void sctp_v6_pf_init(void) +@@ -1025,7 +1025,7 @@ void sctp_v6_pf_init(void) void sctp_v6_pf_exit(void) { @@ -95210,10 +95543,10 @@ index 9da6885..7571898 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index c6670d2..6313e65 100644 +index cf6c6b0..b978b65 100644 --- a/net/sctp/socket.c 
+++ b/net/sctp/socket.c -@@ -2156,11 +2156,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -2159,11 +2159,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; @@ -95228,7 +95561,7 @@ index c6670d2..6313e65 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4216,13 +4218,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4219,13 +4221,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -95246,7 +95579,7 @@ index c6670d2..6313e65 100644 return -EFAULT; return 0; } -@@ -4240,6 +4245,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4243,6 +4248,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -95255,7 +95588,7 @@ index c6670d2..6313e65 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4248,7 +4255,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4251,7 +4258,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -95265,7 +95598,7 @@ index c6670d2..6313e65 100644 return -EFAULT; return 0; } -@@ -4620,12 +4628,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4623,12 +4631,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { 
@@ -95282,7 +95615,7 @@ index c6670d2..6313e65 100644 return -EFAULT; return 0; } -@@ -4666,6 +4677,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4669,6 +4680,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -95291,15 +95624,6 @@ index c6670d2..6313e65 100644 if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; -@@ -6182,7 +6195,7 @@ unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait) - /* Is there any exceptional events? */ - if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) - mask |= POLLERR | -- sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; -+ (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); - if (sk->sk_shutdown & RCV_SHUTDOWN) - mask |= POLLRDHUP | POLLIN | POLLRDNORM; - if (sk->sk_shutdown == SHUTDOWN_MASK) diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 9a5c4c9..46e4b29 100644 --- a/net/sctp/sysctl.c @@ -95854,7 +96178,7 @@ index 62e4f9b..dd3f2d7 100644 /* See if we can opportunistically reap SQ WR to make room */ sq_cq_reap(xprt); diff --git a/net/sysctl_net.c b/net/sysctl_net.c -index 9bc6db0..47ac8c0 100644 +index e7000be..e3b0ba7 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ctl_table_header *head, @@ -95863,7 +96187,7 @@ index 9bc6db0..47ac8c0 100644 /* Allow network administrator to have same access as root. */ - if (ns_capable(net->user_ns, CAP_NET_ADMIN) || + if (ns_capable_nolog(net->user_ns, CAP_NET_ADMIN) || - uid_eq(root_uid, current_uid())) { + uid_eq(root_uid, current_euid())) { int mode = (table->mode >> 6) & 7; return (mode << 6) | (mode << 3) | mode; diff --git a/net/tipc/link.c b/net/tipc/link.c 
@@ -95992,6 +96316,18 @@ index c4ce243..2be7c59 100644 seq_putc(seq, '\n'); } +diff --git a/net/unix/diag.c b/net/unix/diag.c +index d591091..86fa0f3 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + rep->udiag_family = AF_UNIX; + rep->udiag_type = sk->sk_type; + rep->udiag_state = sk->sk_state; ++ rep->pad = 0; + rep->udiag_ino = sk_ino; + sock_diag_save_cookie(sk, rep->udiag_cookie); + diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c index b3d5150..ff3a837 100644 --- a/net/unix/sysctl_net_unix.c @@ -96043,19 +96379,43 @@ index c8717c1..08539f5 100644 iwp->length += essid_compat; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index f77c371..e412fa6 100644 +index f77c371..b0cb010 100644 --- a/net/xfrm/xfrm_policy.c 
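Review bot: `rep->pad = 0` in sk_diag_fill fixes one uninitialised field by name, which holds only as long as struct unix_diag_msg has no other bytes the surrounding stores leave untouched; zeroing the whole reply once would not need revisiting when the struct grows. If the per-field style is kept, the write to an otherwise unused field needs a reason beside it: `rep->pad = 0; /* never leak uninitialised skb memory to userspace */`. sk_diag_fill continues outside the hunk.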
+++ b/net/xfrm/xfrm_policy.c -@@ -332,7 +332,7 @@ static void xfrm_policy_kill(struct xfrm_policy *policy) +@@ -332,9 +332,10 @@ static void xfrm_policy_kill(struct xfrm_policy *policy) { policy->walk.dead = 1; - atomic_inc(&policy->genid); + atomic_inc_unchecked(&policy->genid); - del_timer(&policy->polq.hold_timer); +- del_timer(&policy->polq.hold_timer); ++ if (del_timer(&policy->polq.hold_timer)) ++ xfrm_pol_put(policy); xfrm_queue_purge(&policy->polq.hold_queue); -@@ -657,7 +657,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) + + if (del_timer(&policy->timer)) +@@ -589,7 +590,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old, + + spin_lock_bh(&pq->hold_queue.lock); + skb_queue_splice_init(&pq->hold_queue, &list); +- del_timer(&pq->hold_timer); ++ if (del_timer(&pq->hold_timer)) ++ xfrm_pol_put(old); + spin_unlock_bh(&pq->hold_queue.lock); + + if (skb_queue_empty(&list)) +@@ -600,7 +602,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old, + spin_lock_bh(&pq->hold_queue.lock); + skb_queue_splice(&list, &pq->hold_queue); + pq->timeout = XFRM_QUEUE_TMO_MIN; +- mod_timer(&pq->hold_timer, jiffies); ++ if (!mod_timer(&pq->hold_timer, jiffies)) ++ xfrm_pol_hold(new); + spin_unlock_bh(&pq->hold_queue.lock); + } + +@@ -657,7 +660,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) hlist_add_head(&policy->bydst, chain); xfrm_pol_hold(policy); net->xfrm.policy_count[dir]++; @@ -96064,7 +96424,7 @@ index f77c371..e412fa6 100644 rt_genid_bump(net); if (delpol) { xfrm_policy_requeue(delpol, policy); -@@ -1627,7 +1627,7 @@ free_dst: +@@ -1627,7 +1630,7 @@ free_dst: goto out; } @@ -96073,7 +96433,7 @@ index f77c371..e412fa6 100644 xfrm_dst_alloc_copy(void **target, const void *src, int size) { if (!*target) { -@@ -1639,7 +1639,7 @@ xfrm_dst_alloc_copy(void **target, const void *src, int size) +@@ -1639,7 +1642,7 @@ xfrm_dst_alloc_copy(void **target, const void *src, int size) return 0; } 
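Review bot: The pairing in xfrm_policy_kill and xfrm_policy_requeue of `del_timer()` returning true with `xfrm_pol_put()`, and `mod_timer()` returning false with `xfrm_pol_hold()`, encodes an invariant — an armed hold_timer owns one reference on its policy — that is written down nowhere, and the same pattern recurs in xfrm_policy_queue_process and xdst_queue_output later in this file section. A comment at the first site, e.g. `/* an armed hold_timer owns one policy ref: whoever disarms it drops the ref, whoever arms it takes one */`, lets the later sites be checked against a stated rule instead of inferred from the return-value conventions of the timer API. xfrm_policy_kill and xfrm_policy_requeue both start and end outside the hunk.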
@@ -96082,7 +96442,7 @@ index f77c371..e412fa6 100644 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel) { #ifdef CONFIG_XFRM_SUB_POLICY -@@ -1651,7 +1651,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel) +@@ -1651,7 +1654,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel) #endif } @@ -96091,7 +96451,7 @@ index f77c371..e412fa6 100644 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl) { #ifdef CONFIG_XFRM_SUB_POLICY -@@ -1745,7 +1745,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, +@@ -1745,7 +1748,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, xdst->num_pols = num_pols; memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols); 
@@ -96100,7 +96460,69 @@ index f77c371..e412fa6 100644 return xdst; } -@@ -2557,11 +2557,12 @@ void xfrm_garbage_collect(struct net *net) +@@ -1763,6 +1766,10 @@ static void xfrm_policy_queue_process(unsigned long arg) + + spin_lock(&pq->hold_queue.lock); + skb = skb_peek(&pq->hold_queue); ++ if (!skb) { ++ spin_unlock(&pq->hold_queue.lock); ++ goto out; ++ } + dst = skb_dst(skb); + sk = skb->sk; + xfrm_decode_session(skb, &fl, dst->ops->family); +@@ -1781,8 +1788,9 @@ static void xfrm_policy_queue_process(unsigned long arg) + goto purge_queue; + + pq->timeout = pq->timeout << 1; +- mod_timer(&pq->hold_timer, jiffies + pq->timeout); +- return; ++ if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout)) ++ xfrm_pol_hold(pol); ++ goto out; + } + + dst_release(dst); +@@ -1813,11 +1821,14 @@ static void xfrm_policy_queue_process(unsigned long arg) + err = dst_output(skb); + } + ++out: ++ xfrm_pol_put(pol); + return; + + purge_queue: + pq->timeout = 0; + xfrm_queue_purge(&pq->hold_queue); ++ xfrm_pol_put(pol); + } + + static int xdst_queue_output(struct sk_buff *skb) +@@ -1825,7 +1836,8 @@ static int xdst_queue_output(struct sk_buff *skb) + unsigned long sched_next; + struct dst_entry *dst = skb_dst(skb); + struct xfrm_dst *xdst = (struct xfrm_dst *) dst; +- struct xfrm_policy_queue *pq = &xdst->pols[0]->polq; ++ struct xfrm_policy *pol = xdst->pols[0]; ++ struct xfrm_policy_queue *pq = &pol->polq; + + if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) { + kfree_skb(skb); +@@ -1844,10 +1856,12 @@ static int xdst_queue_output(struct sk_buff *skb) + if (del_timer(&pq->hold_timer)) { + if (time_before(pq->hold_timer.expires, sched_next)) + sched_next = pq->hold_timer.expires; ++ xfrm_pol_put(pol); + } + + __skb_queue_tail(&pq->hold_queue, skb); +- mod_timer(&pq->hold_timer, sched_next); ++ if (!mod_timer(&pq->hold_timer, sched_next)) ++ xfrm_pol_hold(pol); + + spin_unlock_bh(&pq->hold_queue.lock); + +@@ -2557,11 +2571,12 @@ void xfrm_garbage_collect(struct net *net) } 
EXPORT_SYMBOL(xfrm_garbage_collect); @@ -96114,7 +96536,7 @@ index f77c371..e412fa6 100644 static void xfrm_init_pmtu(struct dst_entry *dst) { -@@ -2611,7 +2612,7 @@ static int xfrm_bundle_ok(struct xfrm_dst *first) +@@ -2611,7 +2626,7 @@ static int xfrm_bundle_ok(struct xfrm_dst *first) if (xdst->xfrm_genid != dst->xfrm->genid) return 0; if (xdst->num_pols > 0 && @@ -96123,7 +96545,7 @@ index f77c371..e412fa6 100644 return 0; mtu = dst_mtu(dst->child); -@@ -2699,8 +2700,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) +@@ -2699,8 +2714,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) dst_ops->link_failure = xfrm_link_failure; if (likely(dst_ops->neigh_lookup == NULL)) dst_ops->neigh_lookup = xfrm_neigh_lookup; @@ -96132,7 +96554,7 @@ index f77c371..e412fa6 100644 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo); } spin_unlock(&xfrm_policy_afinfo_lock); -@@ -2754,7 +2753,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) +@@ -2754,7 +2767,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) dst_ops->check = NULL; dst_ops->negative_advice = NULL; dst_ops->link_failure = NULL; @@ -96140,7 +96562,7 @@ index f77c371..e412fa6 100644 } return err; } -@@ -3137,7 +3135,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol, +@@ -3137,7 +3149,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol, sizeof(pol->xfrm_vec[i].saddr)); pol->xfrm_vec[i].encap_family = mp->new_family; /* flush bundles */ 
@@ -96149,6 +96571,96 @@ index f77c371..e412fa6 100644 } } +diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c +index 8dafe6d3..dab57da 100644 +--- a/net/xfrm/xfrm_replay.c ++++ b/net/xfrm/xfrm_replay.c +@@ -61,9 +61,9 @@ static void xfrm_replay_notify(struct xfrm_state *x, int event) + + switch (event) { + case XFRM_REPLAY_UPDATE: +- if (x->replay_maxdiff && +- (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && +- (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { ++ if (!x->replay_maxdiff || ++ ((x->replay.seq - x->preplay.seq < x->replay_maxdiff) && ++ (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))) { + if (x->xflags & XFRM_TIME_DEFER) + event = XFRM_REPLAY_TIMEOUT; + else +@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x, + return 0; + + diff = x->replay.seq - seq; +- if (diff >= min_t(unsigned int, x->props.replay_window, +- sizeof(x->replay.bitmap) * 8)) { ++ if (diff >= x->props.replay_window) { + x->stats.replay_window++; + goto err; + } +@@ -302,9 +301,10 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event) + + switch (event) { + case XFRM_REPLAY_UPDATE: +- if (x->replay_maxdiff && +- (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) && +- (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) { ++ if (!x->replay_maxdiff || ++ ((replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) && ++ (replay_esn->oseq - preplay_esn->oseq ++ < x->replay_maxdiff))) { + if (x->xflags & XFRM_TIME_DEFER) + event = XFRM_REPLAY_TIMEOUT; + else +@@ -353,28 +353,30 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event) + + switch (event) { + case XFRM_REPLAY_UPDATE: +- if (!x->replay_maxdiff) +- break; +- +- if (replay_esn->seq_hi == preplay_esn->seq_hi) +- seq_diff = replay_esn->seq - preplay_esn->seq; +- else +- seq_diff = ~preplay_esn->seq + replay_esn->seq + 1; +- +- if (replay_esn->oseq_hi == preplay_esn->oseq_hi) +- oseq_diff = replay_esn->oseq - preplay_esn->oseq; +- else 
+- oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1; +- +- if (seq_diff < x->replay_maxdiff && +- oseq_diff < x->replay_maxdiff) { ++ if (x->replay_maxdiff) { ++ if (replay_esn->seq_hi == preplay_esn->seq_hi) ++ seq_diff = replay_esn->seq - preplay_esn->seq; ++ else ++ seq_diff = ~preplay_esn->seq + replay_esn->seq ++ + 1; + +- if (x->xflags & XFRM_TIME_DEFER) +- event = XFRM_REPLAY_TIMEOUT; ++ if (replay_esn->oseq_hi == preplay_esn->oseq_hi) ++ oseq_diff = replay_esn->oseq ++ - preplay_esn->oseq; + else +- return; ++ oseq_diff = ~preplay_esn->oseq ++ + replay_esn->oseq + 1; ++ ++ if (seq_diff >= x->replay_maxdiff || ++ oseq_diff >= x->replay_maxdiff) ++ break; + } + ++ if (x->xflags & XFRM_TIME_DEFER) ++ event = XFRM_REPLAY_TIMEOUT; ++ else ++ return; ++ + break; + + case XFRM_REPLAY_TIMEOUT: diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 54c0acd..56814bd 100644 --- a/net/xfrm/xfrm_state.c @@ -96271,10 +96783,20 @@ index 05a6e3d..6716ec9 100644 __xfrm_sysctl_init(net); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index 3f565e4..4b26cee 100644 +index 3f565e4..f964d4c 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c -@@ -1856,7 +1856,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info * + memcpy(&x->sel, &p->sel, sizeof(x->sel)); + memcpy(&x->lft, &p->lft, sizeof(x->lft)); + x->props.mode = p->mode; +- x->props.replay_window = p->replay_window; ++ x->props.replay_window = min_t(unsigned int, p->replay_window, ++ sizeof(x->replay.bitmap) * 8); + x->props.reqid = p->reqid; + x->props.family = p->family; + memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); +@@ -1856,7 +1857,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, if (x->km.state != XFRM_STATE_VALID) goto out; 
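Review bot: xfrm_replay_check now compares `diff` against `x->props.replay_window` with no local bound, so the bitmap-size guard that used to live here depends on every writer of replay_window clamping it (af_key.c and xfrm_user.c in this same change). A comment at the check, e.g. `/* replay_window is clamped to the bitmap size when the state is configured (af_key, xfrm_user) */`, records that cross-file dependency for anyone adding another configuration path. The reworked XFRM_REPLAY_UPDATE branch in xfrm_replay_notify_esn now reaches the XFRM_TIME_DEFER test when `replay_maxdiff` is zero, which aligns it with the other two notify variants, but nothing in the hunk says that is the intent; a one-line comment above the `if (x->replay_maxdiff)` would help. All three functions start and end outside the hunk.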
diff --git a/3.11.3/4425_grsec_remove_EI_PAX.patch b/3.11.6/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.11.3/4425_grsec_remove_EI_PAX.patch +++ b/3.11.6/4425_grsec_remove_EI_PAX.patch diff --git a/3.11.3/4427_force_XATTR_PAX_tmpfs.patch b/3.11.6/4427_force_XATTR_PAX_tmpfs.patch index 23e60cd..23e60cd 100644 --- a/3.11.3/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.11.6/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.11.3/4430_grsec-remove-localversion-grsec.patch b/3.11.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.11.3/4430_grsec-remove-localversion-grsec.patch +++ b/3.11.6/4430_grsec-remove-localversion-grsec.patch diff --git a/3.11.3/4435_grsec-mute-warnings.patch b/3.11.6/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.11.3/4435_grsec-mute-warnings.patch +++ b/3.11.6/4435_grsec-mute-warnings.patch diff --git a/3.11.3/4440_grsec-remove-protected-paths.patch b/3.11.6/4440_grsec-remove-protected-paths.patch index 05710b1..05710b1 100644 --- a/3.11.3/4440_grsec-remove-protected-paths.patch +++ b/3.11.6/4440_grsec-remove-protected-paths.patch diff --git a/3.11.3/4450_grsec-kconfig-default-gids.patch b/3.11.6/4450_grsec-kconfig-default-gids.patch index 8c7b0b2..8c7b0b2 100644 --- a/3.11.3/4450_grsec-kconfig-default-gids.patch +++ b/3.11.6/4450_grsec-kconfig-default-gids.patch diff --git a/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.11.6/4465_selinux-avc_audit-log-curr_ip.patch index fea3943..fea3943 100644 --- a/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.11.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.11.3/4470_disable-compat_vdso.patch b/3.11.6/4470_disable-compat_vdso.patch index 4572f4f..4572f4f 100644 --- a/3.11.3/4470_disable-compat_vdso.patch +++ b/3.11.6/4470_disable-compat_vdso.patch diff --git a/3.11.3/4475_emutramp_default_on.patch b/3.11.6/4475_emutramp_default_on.patch index cfde6f8..cfde6f8 100644 --- a/3.11.3/4475_emutramp_default_on.patch 
+++ b/3.11.6/4475_emutramp_default_on.patch diff --git a/3.2.51/0000_README b/3.2.51/0000_README index e87b456..7299d26 100644 --- a/3.2.51/0000_README +++ b/3.2.51/0000_README @@ -122,7 +122,7 @@ Patch: 1050_linux-3.2.51.patch From: http://www.kernel.org Desc: Linux 3.2.51 -Patch: 4420_grsecurity-2.9.1-3.2.51-201309281102.patch +Patch: 4420_grsecurity-2.9.1-3.2.51-201310191257.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch index 79a6bf4..4e9a590 100644 --- a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch +++ b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310191257.patch 
@@ -33208,6 +33208,184 @@ index c68b8ad..ef7a702 100644 } static ssize_t port_fops_write(struct file *filp, const char __user *ubuf, +diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c +index 46bbf43..9954dff 100644 +--- a/drivers/connector/cn_proc.c ++++ b/drivers/connector/cn_proc.c +@@ -62,8 +62,9 @@ void proc_fork_connector(struct task_struct *task) + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; +- ev = (struct proc_event*)msg->data; ++ msg = (struct cn_msg *)buffer; ++ ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -79,6 +80,7 @@ void proc_fork_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + /* If cn_netlink_send() failed, the data is not sent */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } +@@ -93,8 +95,9 @@ void proc_exec_connector(struct task_struct *task) + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; +- ev = (struct proc_event*)msg->data; ++ msg = (struct cn_msg *)buffer; ++ ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -105,6 +108,7 @@ void proc_exec_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -119,8 +123,9 @@ void proc_id_connector(struct task_struct *task, int which_id) + if 
(atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; +- ev = (struct proc_event*)msg->data; ++ msg = (struct cn_msg *)buffer; ++ ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + ev->what = which_id; + ev->event_data.id.process_pid = task->pid; + ev->event_data.id.process_tgid = task->tgid; +@@ -144,6 +149,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -159,6 +165,7 @@ void proc_sid_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -169,6 +176,7 @@ void proc_sid_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -184,6 +192,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -202,6 +211,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -217,6 +227,7 @@ void 
proc_comm_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -228,6 +239,7 @@ void proc_comm_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -241,8 +253,9 @@ void proc_exit_connector(struct task_struct *task) + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; +- ev = (struct proc_event*)msg->data; ++ msg = (struct cn_msg *)buffer; ++ ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -255,6 +268,7 @@ void proc_exit_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -276,8 +290,9 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; +- ev = (struct proc_event*)msg->data; ++ msg = (struct cn_msg *)buffer; ++ ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + msg->seq = rcvd_seq; + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -287,6 +302,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + memcpy(&msg->id, &cn_proc_event_id, 
sizeof(msg->id)); + msg->ack = rcvd_ack + 1; + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c +index dde6a0f..ea6efe8 100644 +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) + static void cn_rx_skb(struct sk_buff *__skb) + { + struct nlmsghdr *nlh; +- int err; + struct sk_buff *skb; ++ int len, err; + + skb = skb_get(__skb); + + if (skb->len >= NLMSG_SPACE(0)) { + nlh = nlmsg_hdr(skb); ++ len = nlmsg_len(nlh); + +- if (nlh->nlmsg_len < sizeof(struct cn_msg) || ++ if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { ++ len > CONNECTOR_MAX_MSG_SIZE) { + kfree_skb(skb); + return; + } diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c index 56c6c6b..99056e6 100644 --- a/drivers/cpufreq/acpi-cpufreq.c @@ -41209,6 +41387,18 @@ index e662cbc..8d4a102 100644 return -EINVAL; } +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index ebb9f24..7a4c491 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port, + } + + i = port->index; ++ memset(&sync, 0, sizeof(sync)); + sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed); + /* Lucky card and linux use same encoding here */ + sync.clock_type = FST_RDB(card, portConfig[i].internalClock) == diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 4045e5a..506f1cf 100644 --- a/drivers/net/wireless/at76c50x-usb.c 
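Review bot: The added `memset(&ev->event_data, 0, sizeof(ev->event_data))` in each cn_proc connector zeroes only the event-data union, so every field outside it (`ev->what`, `ev->cpu`, `ev->timestamp_ns`, and the `cn_msg` header) still relies on being assigned individually — which is why `msg->flags = 0` had to be added alongside it, and any padding between those header fields would remain unzeroed if the struct carries some. Nothing in the hunk explains that split; a comment above the memset such as `/* callers fill only one union member; zero the rest so stale stack data is not sent to listeners */` would keep a future field addition from reintroducing the leak. The declaration of `buffer` and the full bodies of these functions lie outside the hunk, so whether the buffer itself is zero-initialised cannot be confirmed from here. The connector.c change in the same hunk correctly casts `sizeof(struct cn_msg)` to int so a negative `nlmsg_len()` cannot slip past the length check.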
@@ -52710,6 +52900,19 @@ index 84f84bf..a8770cd 100644 static int __init ext4_init_feat_adverts(void) { +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index d5498b2..b4e9f3f 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1269,6 +1269,8 @@ retry: + s_min_extra_isize) { + tried_min_extra_isize++; + new_extra_isize = s_min_extra_isize; ++ kfree(is); is = NULL; ++ kfree(bs); bs = NULL; + goto retry; + } + error = -1; diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c index 216b419..350a088 100644 --- a/fs/fat/namei_msdos.c @@ -75781,6 +75984,18 @@ index e5d1220..5a87d07 100644 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int); +diff --git a/include/linux/yam.h b/include/linux/yam.h +index 7fe2822..512cdc2 100644 +--- a/include/linux/yam.h ++++ b/include/linux/yam.h +@@ -77,6 +77,6 @@ struct yamdrv_ioctl_cfg { + + struct yamdrv_ioctl_mcs { + int cmd; +- int bitrate; ++ unsigned int bitrate; + unsigned char bits[YAM_FPGA_SIZE]; + }; diff --git a/include/linux/zlib.h b/include/linux/zlib.h index 9c5a6b4..09c9438 100644 --- a/include/linux/zlib.h @@ -77423,7 +77638,7 @@ index fa7eb3d..7faf116 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index d4bc594..cf6b5d7 100644 +index d4bc594..efa193f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -115,7 +115,7 @@ u32 audit_sig_sid = 0; 
@@ -77453,7 +77668,13 @@ index d4bc594..cf6b5d7 100644 audit_rate_limit, audit_backlog_limit); audit_panic(message); -@@ -689,7 +689,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) +@@ -684,18 +684,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + switch (msg_type) { + case AUDIT_GET: ++ status_set.mask = 0; + status_set.enabled = audit_enabled; + status_set.failure = audit_failure; status_set.pid = audit_pid; status_set.rate_limit = audit_rate_limit; status_set.backlog_limit = audit_backlog_limit; @@ -77462,7 +77683,23 @@ index d4bc594..cf6b5d7 100644 status_set.backlog = skb_queue_len(&audit_skb_queue); audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, &status_set, sizeof(status_set)); -@@ -1260,12 +1260,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, + break; + case AUDIT_SET: +- if (nlh->nlmsg_len < sizeof(struct audit_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_status)) + return -EINVAL; + status_get = (struct audit_status *)data; + if (status_get->mask & AUDIT_STATUS_ENABLED) { +@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + struct task_struct *tsk; + unsigned long flags; + +- if (nlh->nlmsg_len < sizeof(struct audit_tty_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_tty_status)) + return -EINVAL; + s = data; + if (s->enabled != 0 && s->enabled != 1) +@@ -1260,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); if (!avail) 
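Review bot: `if (nlmsg_len(nlh) < sizeof(struct audit_status))` compares an `int` with a `size_t`, so a negative `nlmsg_len()` (header shorter than `NLMSG_HDRLEN`) would be promoted to a large unsigned value and pass the check; the connector.c change earlier in this patch casts the `sizeof` to `int` for exactly this reason, and the `audit_tty_status` check at line 900 has the same shape. This is only safe if the caller has already validated the netlink header length (presumably `nlmsg_ok` in the receive path, which is outside the hunk); if that cannot be relied on, `if (nlmsg_len(nlh) < (int)sizeof(struct audit_status))` and the matching cast in the second check close it. The body of `audit_receive_msg` extends outside the hunk on both sides.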
@@ -89439,6 +89676,46 @@ index b81500c..92fc8ec 100644 return 0; /* Okay, we found ICMPv6 header */ +diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c +index 5449294..c1d8d99 100644 +--- a/net/bridge/netfilter/ebt_ulog.c ++++ b/net/bridge/netfilter/ebt_ulog.c +@@ -158,6 +158,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb, + ub->qlen++; + + pm = NLMSG_DATA(nlh); ++ memset(pm, 0, sizeof(*pm)); + + /* Fill in the ulog data */ + pm->version = EBT_ULOG_VERSION; +@@ -170,8 +171,6 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb, + pm->hook = hooknr; + if (uloginfo->prefix != NULL) + strcpy(pm->prefix, uloginfo->prefix); +- else +- *(pm->prefix) = '\0'; + + if (in) { + strcpy(pm->physindev, in->name); +@@ -181,16 +180,14 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb, + strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name); + else + strcpy(pm->indev, in->name); +- } else +- pm->indev[0] = pm->physindev[0] = '\0'; ++ } + + if (out) { + /* If out exists, then out is a bridge port */ + strcpy(pm->physoutdev, out->name); + /* rcu_read_lock()ed by nf_hook_slow */ + strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name); +- } else +- pm->outdev[0] = pm->physoutdev[0] = '\0'; ++ } + + if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0) + BUG(); diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5864cc4..6ddb362 100644 --- a/net/bridge/netfilter/ebtables.c 
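Review bot: The new `memset(pm, 0, sizeof(*pm))` is what makes removing the per-field `else` branches below it safe, but nothing in the hunk records that dependency, so a later edit restoring a field or moving the memset could silently reintroduce uninitialised bytes in the message handed to userspace. Suggest `/* zero the whole record: replaces the per-field '\0' else-branches and also clears padding that would otherwise be copied out */` above the memset. The same applies to the ipt_ULOG hunk that follows, where the memset also does not NUL-terminate the `strncpy`'d prefix/device names if a source fills its full `sizeof` — fine if those sources are themselves bounded, which the hunk does not show. The rest of `ebt_ulog_packet` lies outside the hunk.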
@@ -91221,6 +91498,41 @@ index 24e556e..f6918b4 100644 break; case IPT_SO_GET_ENTRIES: +diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c +index b550815..c3b44d5 100644 +--- a/net/ipv4/netfilter/ipt_ULOG.c ++++ b/net/ipv4/netfilter/ipt_ULOG.c +@@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int hooknum, + ub->qlen++; + + pm = NLMSG_DATA(nlh); ++ memset(pm, 0, sizeof(*pm)); + + /* We might not have a timestamp, get one */ + if (skb->tstamp.tv64 == 0) +@@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int hooknum, + strncpy(pm->prefix, prefix, sizeof(pm->prefix)); + else if (loginfo->prefix[0] != '\0') + strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); +- else +- *(pm->prefix) = '\0'; + + if (in && in->hard_header_len > 0 && + skb->mac_header != skb->network_header && +@@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int hooknum, + + if (in) + strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); +- else +- pm->indev_name[0] = '\0'; + + if (out) + strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); +- else +- pm->outdev_name[0] = '\0'; + + /* copy_len <= skb->len, so can't fail. */ + if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index 294a380..885a292 100644 --- a/net/ipv4/ping.c @@ -91546,10 +91858,22 @@ index 739b073..7ac6591 100644 hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table); if (hdr == NULL) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 872b41d..54a02f1 100644 +index 872b41d..bb914c3 100644 --- a/net/ipv4/tcp_input.c 
+++ b/net/ipv4/tcp_input.c -@@ -4736,7 +4736,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -1469,7 +1469,10 @@ static int tcp_shifted_skb(struct sock *sk, struct sk_buff *skb, + tp->lost_cnt_hint -= tcp_skb_pcount(prev); + } + +- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags; ++ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags; ++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) ++ TCP_SKB_CB(prev)->end_seq++; ++ + if (skb == tcp_highest_sack(sk)) + tcp_advance_highest_sack(sk, skb); + +@@ -4736,7 +4739,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -91558,7 +91882,7 @@ index 872b41d..54a02f1 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5551,6 +5551,9 @@ slow_path: +@@ -5551,6 +5554,9 @@ slow_path: if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb)) goto csum_error; @@ -91568,7 +91892,7 @@ index 872b41d..54a02f1 100644 /* * Standard slow path. */ -@@ -5559,8 +5562,7 @@ slow_path: +@@ -5559,8 +5565,7 @@ slow_path: return 0; step5: @@ -91578,7 +91902,7 @@ index 872b41d..54a02f1 100644 goto discard; tcp_rcv_rtt_measure_ts(sk, skb); -@@ -5791,6 +5793,7 @@ discard: +@@ -5791,6 +5796,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -91586,7 +91910,7 @@ index 872b41d..54a02f1 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5839,6 +5842,7 @@ discard: +@@ -5839,6 +5845,7 @@ discard: goto discard; #endif } @@ -91594,7 +91918,7 @@ index 872b41d..54a02f1 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5882,7 +5886,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5882,7 +5889,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { 
@@ -91603,7 +91927,7 @@ index 872b41d..54a02f1 100644 goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1; -@@ -5921,11 +5925,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5921,11 +5928,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, return 0; } @@ -91619,7 +91943,7 @@ index 872b41d..54a02f1 100644 int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH | FLAG_UPDATE_TS_RECENT) > 0; -@@ -6031,8 +6038,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -6031,8 +6041,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, } break; } @@ -92774,10 +93098,20 @@ index 403be43..87f09da 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index 8dbdb8e..c765b51 100644 +index 8dbdb8e..50f4169 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c -@@ -1924,6 +1924,9 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) +@@ -1097,7 +1097,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + + x->id.proto = proto; + x->id.spi = sa->sadb_sa_spi; +- x->props.replay_window = sa->sadb_sa_replay; ++ x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay, ++ (sizeof(x->replay.bitmap) * 8)); + if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN) + x->props.flags |= XFRM_STATE_NOECN; + if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP) +@@ -1924,6 +1925,9 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) int len = pol->sadb_x_policy_len*8 - sizeof(struct sadb_x_policy); struct sadb_x_ipsecrequest *rq = (void*)(pol+1); @@ -92787,7 +93121,7 @@ index 8dbdb8e..c765b51 100644 while (len >= sizeof(struct sadb_x_ipsecrequest)) { if ((err = parse_ipsecrequest(xp, rq)) < 0) return err; -@@ -3020,10 +3023,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc +@@ -3020,10 +3024,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc static u32 get_acqseq(void) { u32 res; 
@@ -96068,6 +96402,20 @@ index 113d20e..2bb5a4e 100644 } } +diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c +index 3efb07d..2576ee4 100644 +--- a/net/xfrm/xfrm_replay.c ++++ b/net/xfrm/xfrm_replay.c +@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x, + return 0; + + diff = x->replay.seq - seq; +- if (diff >= min_t(unsigned int, x->props.replay_window, +- sizeof(x->replay.bitmap) * 8)) { ++ if (diff >= x->props.replay_window) { + x->stats.replay_window++; + goto err; + } diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 9414b9c..2477932 100644 --- a/net/xfrm/xfrm_state.c @@ -96199,10 +96547,20 @@ index 05640bc..b67eaaa 100644 __xfrm_sysctl_init(net); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index ede01a8..d7fdd07 100644 +index ede01a8..756e6bd 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c -@@ -1816,7 +1816,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info * + memcpy(&x->sel, &p->sel, sizeof(x->sel)); + memcpy(&x->lft, &p->lft, sizeof(x->lft)); + x->props.mode = p->mode; +- x->props.replay_window = p->replay_window; ++ x->props.replay_window = min_t(unsigned int, p->replay_window, ++ sizeof(x->replay.bitmap) * 8); + x->props.reqid = p->reqid; + x->props.family = p->family; + memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); +@@ -1816,7 +1817,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, if (x->km.state != XFRM_STATE_VALID) goto out; |
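Review bot: Dropping the `min_t()` in `xfrm_replay_check` makes the bitmap index bound depend entirely on every producer clamping `props.replay_window`; this hunk clamps it in `copy_from_user_state` and the af_key hunk earlier in the patch does the same in `pfkey_msg2xfrm_state`, but any other path that assigns `replay_window` and is not touched here would now let `diff` index past `x->replay.bitmap`. A comment where the check was simplified, `/* replay_window is clamped to the bitmap size at every producer (xfrm_user, af_key) */`, records that invariant for whoever adds the next producer. The surrounding bodies of `xfrm_replay_check` and `copy_from_user_state` extend outside the hunk.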