diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2014-01-06 14:01:09 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-01-06 14:01:09 -0500 |
commit | c32f9e1a1e58aa66f4b9928c9526c31c66984958 (patch) | |
tree | 06e7af682b18797dd9afc5b22cc3c338731d75e1 | |
parent | Grsec/PaX: 3.0-3.12.6-201401021726 (diff) | |
download | hardened-patchset-c32f9e1a1e58aa66f4b9928c9526c31c66984958.tar.gz hardened-patchset-c32f9e1a1e58aa66f4b9928c9526c31c66984958.tar.bz2 hardened-patchset-c32f9e1a1e58aa66f4b9928c9526c31c66984958.zip |
Grsec/PaX: 3.0-3.2.54-20140105164920140105
-rw-r--r-- | 3.2.54/0000_README (renamed from 3.2.53/0000_README) | 6 | ||||
-rw-r--r-- | 3.2.54/1021_linux-3.2.22.patch (renamed from 3.2.53/1021_linux-3.2.22.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1022_linux-3.2.23.patch (renamed from 3.2.53/1022_linux-3.2.23.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1023_linux-3.2.24.patch (renamed from 3.2.53/1023_linux-3.2.24.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1024_linux-3.2.25.patch (renamed from 3.2.53/1024_linux-3.2.25.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1025_linux-3.2.26.patch (renamed from 3.2.53/1025_linux-3.2.26.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1026_linux-3.2.27.patch (renamed from 3.2.53/1026_linux-3.2.27.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1027_linux-3.2.28.patch (renamed from 3.2.53/1027_linux-3.2.28.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1028_linux-3.2.29.patch (renamed from 3.2.53/1028_linux-3.2.29.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1029_linux-3.2.30.patch (renamed from 3.2.53/1029_linux-3.2.30.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1030_linux-3.2.31.patch (renamed from 3.2.53/1030_linux-3.2.31.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1031_linux-3.2.32.patch (renamed from 3.2.53/1031_linux-3.2.32.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1032_linux-3.2.33.patch (renamed from 3.2.53/1032_linux-3.2.33.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1033_linux-3.2.34.patch (renamed from 3.2.53/1033_linux-3.2.34.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1034_linux-3.2.35.patch (renamed from 3.2.53/1034_linux-3.2.35.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1035_linux-3.2.36.patch (renamed from 3.2.53/1035_linux-3.2.36.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1036_linux-3.2.37.patch (renamed from 3.2.53/1036_linux-3.2.37.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1037_linux-3.2.38.patch (renamed from 3.2.53/1037_linux-3.2.38.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1038_linux-3.2.39.patch (renamed from 3.2.53/1038_linux-3.2.39.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1039_linux-3.2.40.patch (renamed from 3.2.53/1039_linux-3.2.40.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1040_linux-3.2.41.patch (renamed from 3.2.53/1040_linux-3.2.41.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1041_linux-3.2.42.patch (renamed from 3.2.53/1041_linux-3.2.42.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1042_linux-3.2.43.patch (renamed from 3.2.53/1042_linux-3.2.43.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1043_linux-3.2.44.patch (renamed from 3.2.53/1043_linux-3.2.44.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1044_linux-3.2.45.patch (renamed from 3.2.53/1044_linux-3.2.45.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1045_linux-3.2.46.patch (renamed from 3.2.53/1045_linux-3.2.46.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1046_linux-3.2.47.patch (renamed from 3.2.53/1046_linux-3.2.47.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1047_linux-3.2.48.patch (renamed from 3.2.53/1047_linux-3.2.48.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1048_linux-3.2.49.patch (renamed from 3.2.53/1048_linux-3.2.49.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1049_linux-3.2.50.patch (renamed from 3.2.53/1049_linux-3.2.50.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1050_linux-3.2.51.patch (renamed from 3.2.53/1050_linux-3.2.51.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1051_linux-3.2.52.patch (renamed from 3.2.53/1051_linux-3.2.52.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1052_linux-3.2.53.patch (renamed from 3.2.53/1052_linux-3.2.53.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/1053_linux-3.2.54.patch | 6825 | ||||
-rw-r--r-- | 3.2.54/4420_grsecurity-3.0-3.2.54-201401051649.patch (renamed from 3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch) | 1127 | ||||
-rw-r--r-- | 3.2.54/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.53/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.2.53/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.53/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4435_grsec-mute-warnings.patch (renamed from 3.2.53/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4440_grsec-remove-protected-paths.patch (renamed from 3.2.53/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.53/4450_grsec-kconfig-default-gids.patch) | 12 | ||||
-rw-r--r-- | 3.2.54/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.53/4465_selinux-avc_audit-log-curr_ip.patch) | 2 | ||||
-rw-r--r-- | 3.2.54/4470_disable-compat_vdso.patch (renamed from 3.2.53/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.2.54/4475_emutramp_default_on.patch (renamed from 3.2.53/4475_emutramp_default_on.patch) | 0 |
44 files changed, 7185 insertions, 787 deletions
diff --git a/3.2.53/0000_README b/3.2.54/0000_README index 62ff1d5..ffb2597 100644 --- a/3.2.53/0000_README +++ b/3.2.54/0000_README @@ -130,7 +130,11 @@ Patch: 1052_linux-3.2.53.patch From: http://www.kernel.org Desc: Linux 3.2.53 -Patch: 4420_grsecurity-3.0-3.2.53-201312262018.patch +Patch: 1053_linux-3.2.54.patch +From: http://www.kernel.org +Desc: Linux 3.2.54 + +Patch: 4420_grsecurity-3.0-3.2.54-201401051649.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.53/1021_linux-3.2.22.patch b/3.2.54/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.53/1021_linux-3.2.22.patch +++ b/3.2.54/1021_linux-3.2.22.patch diff --git a/3.2.53/1022_linux-3.2.23.patch b/3.2.54/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.53/1022_linux-3.2.23.patch +++ b/3.2.54/1022_linux-3.2.23.patch diff --git a/3.2.53/1023_linux-3.2.24.patch b/3.2.54/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.53/1023_linux-3.2.24.patch +++ b/3.2.54/1023_linux-3.2.24.patch diff --git a/3.2.53/1024_linux-3.2.25.patch b/3.2.54/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.53/1024_linux-3.2.25.patch +++ b/3.2.54/1024_linux-3.2.25.patch diff --git a/3.2.53/1025_linux-3.2.26.patch b/3.2.54/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.53/1025_linux-3.2.26.patch +++ b/3.2.54/1025_linux-3.2.26.patch diff --git a/3.2.53/1026_linux-3.2.27.patch b/3.2.54/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.53/1026_linux-3.2.27.patch +++ b/3.2.54/1026_linux-3.2.27.patch diff --git a/3.2.53/1027_linux-3.2.28.patch b/3.2.54/1027_linux-3.2.28.patch index 4dbba4b..4dbba4b 100644 --- a/3.2.53/1027_linux-3.2.28.patch +++ b/3.2.54/1027_linux-3.2.28.patch diff --git a/3.2.53/1028_linux-3.2.29.patch b/3.2.54/1028_linux-3.2.29.patch index 3c65179..3c65179 100644 --- a/3.2.53/1028_linux-3.2.29.patch +++ b/3.2.54/1028_linux-3.2.29.patch diff --git a/3.2.53/1029_linux-3.2.30.patch b/3.2.54/1029_linux-3.2.30.patch index 86aea4b..86aea4b 100644 --- a/3.2.53/1029_linux-3.2.30.patch +++ b/3.2.54/1029_linux-3.2.30.patch diff --git a/3.2.53/1030_linux-3.2.31.patch b/3.2.54/1030_linux-3.2.31.patch index c6accf5..c6accf5 100644 --- a/3.2.53/1030_linux-3.2.31.patch +++ b/3.2.54/1030_linux-3.2.31.patch diff --git a/3.2.53/1031_linux-3.2.32.patch b/3.2.54/1031_linux-3.2.32.patch index 247fc0b..247fc0b 100644 --- a/3.2.53/1031_linux-3.2.32.patch +++ b/3.2.54/1031_linux-3.2.32.patch diff --git a/3.2.53/1032_linux-3.2.33.patch b/3.2.54/1032_linux-3.2.33.patch index c32fb75..c32fb75 100644 --- a/3.2.53/1032_linux-3.2.33.patch +++ b/3.2.54/1032_linux-3.2.33.patch diff --git a/3.2.53/1033_linux-3.2.34.patch b/3.2.54/1033_linux-3.2.34.patch index d647b38..d647b38 100644 --- a/3.2.53/1033_linux-3.2.34.patch +++ b/3.2.54/1033_linux-3.2.34.patch diff --git a/3.2.53/1034_linux-3.2.35.patch b/3.2.54/1034_linux-3.2.35.patch index 76a9c19..76a9c19 100644 --- a/3.2.53/1034_linux-3.2.35.patch +++ b/3.2.54/1034_linux-3.2.35.patch diff --git a/3.2.53/1035_linux-3.2.36.patch b/3.2.54/1035_linux-3.2.36.patch index 5d192a3..5d192a3 100644 --- a/3.2.53/1035_linux-3.2.36.patch +++ b/3.2.54/1035_linux-3.2.36.patch diff --git a/3.2.53/1036_linux-3.2.37.patch b/3.2.54/1036_linux-3.2.37.patch index ad13251..ad13251 100644 --- a/3.2.53/1036_linux-3.2.37.patch +++ b/3.2.54/1036_linux-3.2.37.patch diff --git a/3.2.53/1037_linux-3.2.38.patch b/3.2.54/1037_linux-3.2.38.patch index a3c106f..a3c106f 100644 --- a/3.2.53/1037_linux-3.2.38.patch +++ b/3.2.54/1037_linux-3.2.38.patch diff --git a/3.2.53/1038_linux-3.2.39.patch b/3.2.54/1038_linux-3.2.39.patch index 5639e92..5639e92 100644 --- a/3.2.53/1038_linux-3.2.39.patch +++ b/3.2.54/1038_linux-3.2.39.patch diff --git a/3.2.53/1039_linux-3.2.40.patch b/3.2.54/1039_linux-3.2.40.patch index f26b39c..f26b39c 100644 --- a/3.2.53/1039_linux-3.2.40.patch +++ b/3.2.54/1039_linux-3.2.40.patch diff --git a/3.2.53/1040_linux-3.2.41.patch b/3.2.54/1040_linux-3.2.41.patch index 0d27fcb..0d27fcb 100644 --- a/3.2.53/1040_linux-3.2.41.patch +++ b/3.2.54/1040_linux-3.2.41.patch diff --git a/3.2.53/1041_linux-3.2.42.patch b/3.2.54/1041_linux-3.2.42.patch index 77a08ed..77a08ed 100644 --- a/3.2.53/1041_linux-3.2.42.patch +++ b/3.2.54/1041_linux-3.2.42.patch diff --git a/3.2.53/1042_linux-3.2.43.patch b/3.2.54/1042_linux-3.2.43.patch index a3f878b..a3f878b 100644 --- a/3.2.53/1042_linux-3.2.43.patch +++ b/3.2.54/1042_linux-3.2.43.patch diff --git a/3.2.53/1043_linux-3.2.44.patch b/3.2.54/1043_linux-3.2.44.patch index 3d5e6ff..3d5e6ff 100644 --- a/3.2.53/1043_linux-3.2.44.patch +++ b/3.2.54/1043_linux-3.2.44.patch diff --git a/3.2.53/1044_linux-3.2.45.patch b/3.2.54/1044_linux-3.2.45.patch index 44e1767..44e1767 100644 --- a/3.2.53/1044_linux-3.2.45.patch +++ b/3.2.54/1044_linux-3.2.45.patch diff --git a/3.2.53/1045_linux-3.2.46.patch b/3.2.54/1045_linux-3.2.46.patch index bc10efd..bc10efd 100644 --- a/3.2.53/1045_linux-3.2.46.patch +++ b/3.2.54/1045_linux-3.2.46.patch diff --git a/3.2.53/1046_linux-3.2.47.patch b/3.2.54/1046_linux-3.2.47.patch index b74563c..b74563c 100644 --- a/3.2.53/1046_linux-3.2.47.patch +++ b/3.2.54/1046_linux-3.2.47.patch diff --git a/3.2.53/1047_linux-3.2.48.patch b/3.2.54/1047_linux-3.2.48.patch index 6d55b1f..6d55b1f 100644 --- a/3.2.53/1047_linux-3.2.48.patch +++ b/3.2.54/1047_linux-3.2.48.patch diff --git a/3.2.53/1048_linux-3.2.49.patch b/3.2.54/1048_linux-3.2.49.patch index 2dab0cf..2dab0cf 100644 --- a/3.2.53/1048_linux-3.2.49.patch +++ b/3.2.54/1048_linux-3.2.49.patch diff --git a/3.2.53/1049_linux-3.2.50.patch b/3.2.54/1049_linux-3.2.50.patch index 20b3015..20b3015 100644 --- a/3.2.53/1049_linux-3.2.50.patch +++ b/3.2.54/1049_linux-3.2.50.patch diff --git a/3.2.53/1050_linux-3.2.51.patch b/3.2.54/1050_linux-3.2.51.patch index 5d5832b..5d5832b 100644 --- a/3.2.53/1050_linux-3.2.51.patch +++ b/3.2.54/1050_linux-3.2.51.patch diff --git a/3.2.53/1051_linux-3.2.52.patch b/3.2.54/1051_linux-3.2.52.patch index 94b9359..94b9359 100644 --- a/3.2.53/1051_linux-3.2.52.patch +++ b/3.2.54/1051_linux-3.2.52.patch diff --git a/3.2.53/1052_linux-3.2.53.patch b/3.2.54/1052_linux-3.2.53.patch index 986d714..986d714 100644 --- a/3.2.53/1052_linux-3.2.53.patch +++ b/3.2.54/1052_linux-3.2.53.patch diff --git a/3.2.54/1053_linux-3.2.54.patch b/3.2.54/1053_linux-3.2.54.patch new file mode 100644 index 0000000..a907496 --- /dev/null +++ b/3.2.54/1053_linux-3.2.54.patch @@ -0,0 +1,6825 @@ +diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt +index 1f24636..2a68089 100644 +--- a/Documentation/sysctl/kernel.txt ++++ b/Documentation/sysctl/kernel.txt +@@ -283,13 +283,24 @@ Default value is "/sbin/hotplug". + kptr_restrict: + + This toggle indicates whether restrictions are placed on +-exposing kernel addresses via /proc and other interfaces. When +-kptr_restrict is set to (0), there are no restrictions. When +-kptr_restrict is set to (1), the default, kernel pointers +-printed using the %pK format specifier will be replaced with 0's +-unless the user has CAP_SYSLOG. When kptr_restrict is set to +-(2), kernel pointers printed using %pK will be replaced with 0's +-regardless of privileges. ++exposing kernel addresses via /proc and other interfaces. ++ ++When kptr_restrict is set to (0), the default, there are no restrictions. ++ ++When kptr_restrict is set to (1), kernel pointers printed using the %pK ++format specifier will be replaced with 0's unless the user has CAP_SYSLOG ++and effective user and group ids are equal to the real ids. This is ++because %pK checks are done at read() time rather than open() time, so ++if permissions are elevated between the open() and the read() (e.g via ++a setuid binary) then %pK will not leak kernel pointers to unprivileged ++users. Note, this is a temporary solution only. The correct long-term ++solution is to do the permission checks at open() time. Consider removing ++world read permissions from files that use %pK, and using dmesg_restrict ++to protect against uses of %pK in dmesg(8) if leaking kernel pointer ++values to unprivileged users is a concern. ++ ++When kptr_restrict is set to (2), kernel pointers printed using ++%pK will be replaced with 0's regardless of privileges. + + ============================================================== + +diff --git a/Makefile b/Makefile +index 90f57dc..848be26 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 53 ++SUBLEVEL = 54 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h +index 7bb8bf9..b7c5d5d 100644 +--- a/arch/arm/include/asm/assembler.h ++++ b/arch/arm/include/asm/assembler.h +@@ -307,4 +307,12 @@ + .size \name , . - \name + .endm + ++ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req ++#ifndef CONFIG_CPU_USE_DOMAINS ++ adds \tmp, \addr, #\size - 1 ++ sbcccs \tmp, \tmp, \limit ++ bcs \bad ++#endif ++ .endm ++ + #endif /* __ASM_ASSEMBLER_H__ */ +diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h +index b293616..292c3f8 100644 +--- a/arch/arm/include/asm/uaccess.h ++++ b/arch/arm/include/asm/uaccess.h +@@ -101,28 +101,39 @@ extern int __get_user_1(void *); + extern int __get_user_2(void *); + extern int __get_user_4(void *); + +-#define __get_user_x(__r2,__p,__e,__s,__i...) \ ++#define __GUP_CLOBBER_1 "lr", "cc" ++#ifdef CONFIG_CPU_USE_DOMAINS ++#define __GUP_CLOBBER_2 "ip", "lr", "cc" ++#else ++#define __GUP_CLOBBER_2 "lr", "cc" ++#endif ++#define __GUP_CLOBBER_4 "lr", "cc" ++ ++#define __get_user_x(__r2,__p,__e,__l,__s) \ + __asm__ __volatile__ ( \ + __asmeq("%0", "r0") __asmeq("%1", "r2") \ ++ __asmeq("%3", "r1") \ + "bl __get_user_" #__s \ + : "=&r" (__e), "=r" (__r2) \ +- : "0" (__p) \ +- : __i, "cc") ++ : "0" (__p), "r" (__l) \ ++ : __GUP_CLOBBER_##__s) + + #define get_user(x,p) \ + ({ \ ++ unsigned long __limit = current_thread_info()->addr_limit - 1; \ + register const typeof(*(p)) __user *__p asm("r0") = (p);\ + register unsigned long __r2 asm("r2"); \ ++ register unsigned long __l asm("r1") = __limit; \ + register int __e asm("r0"); \ + switch (sizeof(*(__p))) { \ + case 1: \ +- __get_user_x(__r2, __p, __e, 1, "lr"); \ +- break; \ ++ __get_user_x(__r2, __p, __e, __l, 1); \ ++ break; \ + case 2: \ +- __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \ ++ __get_user_x(__r2, __p, __e, __l, 2); \ + break; \ + case 4: \ +- __get_user_x(__r2, __p, __e, 4, "lr"); \ ++ __get_user_x(__r2, __p, __e, __l, 4); \ + break; \ + default: __e = __get_user_bad(); break; \ + } \ +@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int); + extern int __put_user_4(void *, unsigned int); + extern int __put_user_8(void *, unsigned long long); + +-#define __put_user_x(__r2,__p,__e,__s) \ ++#define __put_user_x(__r2,__p,__e,__l,__s) \ + __asm__ __volatile__ ( \ + __asmeq("%0", "r0") __asmeq("%2", "r2") \ ++ __asmeq("%3", "r1") \ + "bl __put_user_" #__s \ + : "=&r" (__e) \ +- : "0" (__p), "r" (__r2) \ ++ : "0" (__p), "r" (__r2), "r" (__l) \ + : "ip", "lr", "cc") + + #define put_user(x,p) \ + ({ \ ++ unsigned long __limit = current_thread_info()->addr_limit - 1; \ + register const typeof(*(p)) __r2 asm("r2") = (x); \ + register const typeof(*(p)) __user *__p asm("r0") = (p);\ ++ register unsigned long __l asm("r1") = __limit; \ + register int __e asm("r0"); \ + switch (sizeof(*(__p))) { \ + case 1: \ +- __put_user_x(__r2, __p, __e, 1); \ ++ __put_user_x(__r2, __p, __e, __l, 1); \ + break; \ + case 2: \ +- __put_user_x(__r2, __p, __e, 2); \ ++ __put_user_x(__r2, __p, __e, __l, 2); \ + break; \ + case 4: \ +- __put_user_x(__r2, __p, __e, 4); \ ++ __put_user_x(__r2, __p, __e, __l, 4); \ + break; \ + case 8: \ +- __put_user_x(__r2, __p, __e, 8); \ ++ __put_user_x(__r2, __p, __e, __l, 8); \ + break; \ + default: __e = __put_user_bad(); break; \ + } \ +diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c +index e68d251..d9e3c61 100644 +--- a/arch/arm/kernel/process.c ++++ b/arch/arm/kernel/process.c +@@ -468,6 +468,7 @@ EXPORT_SYMBOL(kernel_thread); + unsigned long get_wchan(struct task_struct *p) + { + struct stackframe frame; ++ unsigned long stack_page; + int count = 0; + if (!p || p == current || p->state == TASK_RUNNING) + return 0; +@@ -476,9 +477,11 @@ unsigned long get_wchan(struct task_struct *p) + frame.sp = thread_saved_sp(p); + frame.lr = 0; /* recovered from the stack */ + frame.pc = thread_saved_pc(p); ++ stack_page = (unsigned long)task_stack_page(p); + do { +- int ret = unwind_frame(&frame); +- if (ret < 0) ++ if (frame.sp < stack_page || ++ frame.sp >= stack_page + THREAD_SIZE || ++ unwind_frame(&frame) < 0) + return 0; + if (!in_sched_functions(frame.pc)) + return frame.pc; +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index 00f79e5..af4e8c8 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackframe *frame) + high = ALIGN(low, THREAD_SIZE); + + /* check current frame pointer is within bounds */ +- if (fp < (low + 12) || fp + 4 >= high) ++ if (fp < low + 12 || fp > high - 4) + return -EINVAL; + + /* restore the registers from the stack frame */ +diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S +index 1b049cd..4306fbf 100644 +--- a/arch/arm/lib/getuser.S ++++ b/arch/arm/lib/getuser.S +@@ -16,8 +16,9 @@ + * __get_user_X + * + * Inputs: r0 contains the address ++ * r1 contains the address limit, which must be preserved + * Outputs: r0 is the error code +- * r2, r3 contains the zero-extended value ++ * r2 contains the zero-extended value + * lr corrupted + * + * No other registers must be altered. (see <asm/uaccess.h> +@@ -27,33 +28,39 @@ + * Note also that it is intended that __get_user_bad is not global. + */ + #include <linux/linkage.h> ++#include <asm/assembler.h> + #include <asm/errno.h> + #include <asm/domain.h> + + ENTRY(__get_user_1) ++ check_uaccess r0, 1, r1, r2, __get_user_bad + 1: T(ldrb) r2, [r0] + mov r0, #0 + mov pc, lr + ENDPROC(__get_user_1) + + ENTRY(__get_user_2) +-#ifdef CONFIG_THUMB2_KERNEL +-2: T(ldrb) r2, [r0] +-3: T(ldrb) r3, [r0, #1] ++ check_uaccess r0, 2, r1, r2, __get_user_bad ++#ifdef CONFIG_CPU_USE_DOMAINS ++rb .req ip ++2: ldrbt r2, [r0], #1 ++3: ldrbt rb, [r0], #0 + #else +-2: T(ldrb) r2, [r0], #1 +-3: T(ldrb) r3, [r0] ++rb .req r0 ++2: ldrb r2, [r0] ++3: ldrb rb, [r0, #1] + #endif + #ifndef __ARMEB__ +- orr r2, r2, r3, lsl #8 ++ orr r2, r2, rb, lsl #8 + #else +- orr r2, r3, r2, lsl #8 ++ orr r2, rb, r2, lsl #8 + #endif + mov r0, #0 + mov pc, lr + ENDPROC(__get_user_2) + + ENTRY(__get_user_4) ++ check_uaccess r0, 4, r1, r2, __get_user_bad + 4: T(ldr) r2, [r0] + mov r0, #0 + mov pc, lr +diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S +index c023fc1..9a897fa 100644 +--- a/arch/arm/lib/putuser.S ++++ b/arch/arm/lib/putuser.S +@@ -16,6 +16,7 @@ + * __put_user_X + * + * Inputs: r0 contains the address ++ * r1 contains the address limit, which must be preserved + * r2, r3 contains the value + * Outputs: r0 is the error code + * lr corrupted +@@ -27,16 +28,19 @@ + * Note also that it is intended that __put_user_bad is not global. + */ + #include <linux/linkage.h> ++#include <asm/assembler.h> + #include <asm/errno.h> + #include <asm/domain.h> + + ENTRY(__put_user_1) ++ check_uaccess r0, 1, r1, ip, __put_user_bad + 1: T(strb) r2, [r0] + mov r0, #0 + mov pc, lr + ENDPROC(__put_user_1) + + ENTRY(__put_user_2) ++ check_uaccess r0, 2, r1, ip, __put_user_bad + mov ip, r2, lsr #8 + #ifdef CONFIG_THUMB2_KERNEL + #ifndef __ARMEB__ +@@ -60,12 +64,14 @@ ENTRY(__put_user_2) + ENDPROC(__put_user_2) + + ENTRY(__put_user_4) ++ check_uaccess r0, 4, r1, ip, __put_user_bad + 4: T(str) r2, [r0] + mov r0, #0 + mov pc, lr + ENDPROC(__put_user_4) + + ENTRY(__put_user_8) ++ check_uaccess r0, 8, r1, ip, __put_user_bad + #ifdef CONFIG_THUMB2_KERNEL + 5: T(str) r2, [r0] + 6: T(str) r3, [r0, #4] +diff --git a/arch/arm/mach-footbridge/common.c b/arch/arm/mach-footbridge/common.c +index 38a44f9..5b91e45 100644 +--- a/arch/arm/mach-footbridge/common.c ++++ b/arch/arm/mach-footbridge/common.c +@@ -15,6 +15,7 @@ + #include <linux/init.h> + #include <linux/io.h> + #include <linux/spinlock.h> ++#include <video/vga.h> + + #include <asm/pgtable.h> + #include <asm/page.h> +@@ -197,6 +198,8 @@ void __init footbridge_map_io(void) + */ + if (footbridge_cfn_mode()) + iotable_init(ebsa285_host_io_desc, ARRAY_SIZE(ebsa285_host_io_desc)); ++ ++ vga_base = PCIMEM_BASE; + } + + #ifdef CONFIG_FOOTBRIDGE_ADDIN +diff --git a/arch/arm/mach-footbridge/dc21285.c b/arch/arm/mach-footbridge/dc21285.c +index 18c32a5..a8dfa00 100644 +--- a/arch/arm/mach-footbridge/dc21285.c ++++ b/arch/arm/mach-footbridge/dc21285.c +@@ -18,7 +18,6 @@ + #include <linux/irq.h> + #include <linux/io.h> + #include <linux/spinlock.h> +-#include <video/vga.h> + + #include <asm/irq.h> + #include <asm/system.h> +@@ -297,7 +296,6 @@ void __init dc21285_preinit(void) + int cfn_mode; + + pcibios_min_mem = 0x81000000; +- vga_base = PCIMEM_BASE; + + mem_size = (unsigned int)high_memory - PAGE_OFFSET; + for (mem_mask = 0x00100000; mem_mask < 0x10000000; mem_mask <<= 1) +diff --git a/arch/arm/mach-integrator/integrator_cp.c b/arch/arm/mach-integrator/integrator_cp.c +index 5de49c3..892d0d6 100644 +--- a/arch/arm/mach-integrator/integrator_cp.c ++++ b/arch/arm/mach-integrator/integrator_cp.c +@@ -384,7 +384,8 @@ static struct amba_device aaci_device = { + static void cp_clcd_enable(struct clcd_fb *fb) + { + struct fb_var_screeninfo *var = &fb->fb.var; +- u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2; ++ u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2 ++ | CM_CTRL_LCDEN0 | CM_CTRL_LCDEN1; + + if (var->bits_per_pixel <= 8 || + (var->bits_per_pixel == 16 && var->green.length == 5)) +diff --git a/arch/arm/mach-pxa/reset.c b/arch/arm/mach-pxa/reset.c +index 01e9d64..0e25348 100644 +--- a/arch/arm/mach-pxa/reset.c ++++ b/arch/arm/mach-pxa/reset.c +@@ -12,6 +12,7 @@ + + #include <mach/regs-ost.h> + #include <mach/reset.h> ++#include <mach/smemc.h> + + unsigned int reset_status; + EXPORT_SYMBOL(reset_status); +@@ -79,6 +80,12 @@ static void do_hw_reset(void) + OWER = OWER_WME; + OSSR = OSSR_M3; + OSMR3 = OSCR + 368640; /* ... in 100 ms */ ++ /* ++ * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71) ++ * we put SDRAM into self-refresh to prevent that ++ */ ++ while (1) ++ writel_relaxed(MDREFR_SLFRSH, MDREFR); + } + + void arch_reset(char mode, const char *cmd) +@@ -99,4 +106,3 @@ void arch_reset(char mode, const char *cmd) + break; + } + } +- +diff --git a/arch/arm/mach-pxa/tosa.c b/arch/arm/mach-pxa/tosa.c +index 402b0c96..33dd57c 100644 +--- a/arch/arm/mach-pxa/tosa.c ++++ b/arch/arm/mach-pxa/tosa.c +@@ -424,57 +424,57 @@ static struct platform_device tosa_power_device = { + * Tosa Keyboard + */ + static const uint32_t tosakbd_keymap[] = { +- KEY(0, 2, KEY_W), +- KEY(0, 6, KEY_K), +- KEY(0, 7, KEY_BACKSPACE), +- KEY(0, 8, KEY_P), +- KEY(1, 1, KEY_Q), +- KEY(1, 2, KEY_E), +- KEY(1, 3, KEY_T), +- KEY(1, 4, KEY_Y), +- KEY(1, 6, KEY_O), +- KEY(1, 7, KEY_I), +- KEY(1, 8, KEY_COMMA), +- KEY(2, 1, KEY_A), +- KEY(2, 2, KEY_D), +- KEY(2, 3, KEY_G), +- KEY(2, 4, KEY_U), +- KEY(2, 6, KEY_L), +- KEY(2, 7, KEY_ENTER), +- KEY(2, 8, KEY_DOT), +- KEY(3, 1, KEY_Z), +- KEY(3, 2, KEY_C), +- KEY(3, 3, KEY_V), +- KEY(3, 4, KEY_J), +- KEY(3, 5, TOSA_KEY_ADDRESSBOOK), +- KEY(3, 6, TOSA_KEY_CANCEL), +- KEY(3, 7, TOSA_KEY_CENTER), +- KEY(3, 8, TOSA_KEY_OK), +- KEY(3, 9, KEY_LEFTSHIFT), +- KEY(4, 1, KEY_S), +- KEY(4, 2, KEY_R), +- KEY(4, 3, KEY_B), +- KEY(4, 4, KEY_N), +- KEY(4, 5, TOSA_KEY_CALENDAR), +- KEY(4, 6, TOSA_KEY_HOMEPAGE), +- KEY(4, 7, KEY_LEFTCTRL), +- KEY(4, 8, TOSA_KEY_LIGHT), +- KEY(4, 10, KEY_RIGHTSHIFT), +- KEY(5, 1, KEY_TAB), +- KEY(5, 2, KEY_SLASH), +- KEY(5, 3, KEY_H), +- KEY(5, 4, KEY_M), +- KEY(5, 5, TOSA_KEY_MENU), +- KEY(5, 7, KEY_UP), +- KEY(5, 11, TOSA_KEY_FN), +- KEY(6, 1, KEY_X), +- KEY(6, 2, KEY_F), +- KEY(6, 3, KEY_SPACE), +- KEY(6, 4, KEY_APOSTROPHE), +- KEY(6, 5, TOSA_KEY_MAIL), +- KEY(6, 6, KEY_LEFT), +- KEY(6, 7, KEY_DOWN), +- KEY(6, 8, KEY_RIGHT), ++ KEY(0, 1, KEY_W), ++ KEY(0, 5, KEY_K), ++ KEY(0, 6, KEY_BACKSPACE), ++ KEY(0, 7, KEY_P), ++ KEY(1, 0, KEY_Q), ++ KEY(1, 1, KEY_E), ++ KEY(1, 2, KEY_T), ++ KEY(1, 3, KEY_Y), ++ KEY(1, 5, KEY_O), ++ KEY(1, 6, KEY_I), ++ KEY(1, 7, KEY_COMMA), ++ KEY(2, 0, KEY_A), ++ KEY(2, 1, KEY_D), ++ KEY(2, 2, KEY_G), ++ KEY(2, 3, KEY_U), ++ KEY(2, 5, KEY_L), ++ KEY(2, 6, KEY_ENTER), ++ KEY(2, 7, KEY_DOT), ++ KEY(3, 0, KEY_Z), ++ KEY(3, 1, KEY_C), ++ KEY(3, 2, KEY_V), ++ KEY(3, 3, KEY_J), ++ KEY(3, 4, TOSA_KEY_ADDRESSBOOK), ++ KEY(3, 5, TOSA_KEY_CANCEL), ++ KEY(3, 6, TOSA_KEY_CENTER), ++ KEY(3, 7, TOSA_KEY_OK), ++ KEY(3, 8, KEY_LEFTSHIFT), ++ KEY(4, 0, KEY_S), ++ KEY(4, 1, KEY_R), ++ KEY(4, 2, KEY_B), ++ KEY(4, 3, KEY_N), ++ KEY(4, 4, TOSA_KEY_CALENDAR), ++ KEY(4, 5, TOSA_KEY_HOMEPAGE), ++ KEY(4, 6, KEY_LEFTCTRL), ++ KEY(4, 7, TOSA_KEY_LIGHT), ++ KEY(4, 9, KEY_RIGHTSHIFT), ++ KEY(5, 0, KEY_TAB), ++ KEY(5, 1, KEY_SLASH), ++ KEY(5, 2, KEY_H), ++ KEY(5, 3, KEY_M), ++ KEY(5, 4, TOSA_KEY_MENU), ++ KEY(5, 6, KEY_UP), ++ KEY(5, 10, TOSA_KEY_FN), ++ KEY(6, 0, KEY_X), ++ KEY(6, 1, KEY_F), ++ KEY(6, 2, KEY_SPACE), ++ KEY(6, 3, KEY_APOSTROPHE), ++ KEY(6, 4, TOSA_KEY_MAIL), ++ KEY(6, 5, KEY_LEFT), ++ KEY(6, 6, KEY_DOWN), ++ KEY(6, 7, KEY_RIGHT), + }; + + static struct matrix_keymap_data tosakbd_keymap_data = { +diff --git a/arch/arm/mach-sa1100/assabet.c b/arch/arm/mach-sa1100/assabet.c +index 3dd133f..ef8d9d8 100644 +--- a/arch/arm/mach-sa1100/assabet.c ++++ b/arch/arm/mach-sa1100/assabet.c +@@ -411,6 +411,9 @@ static void __init assabet_map_io(void) + * Its called GPCLKR0 in my SA1110 manual. + */ + Ser1SDCR0 |= SDCR0_SUS; ++ MSC1 = (MSC1 & ~0xffff) | ++ MSC_NonBrst | MSC_32BitStMem | ++ MSC_RdAcc(2) | MSC_WrAcc(2) | MSC_Rec(0); + + if (machine_has_neponset()) { + #ifdef CONFIG_ASSABET_NEPONSET +diff --git a/arch/avr32/boot/u-boot/head.S b/arch/avr32/boot/u-boot/head.S +index 4488fa2..2ffc298 100644 +--- a/arch/avr32/boot/u-boot/head.S ++++ b/arch/avr32/boot/u-boot/head.S +@@ -8,6 +8,8 @@ + * published by the Free Software Foundation. + */ + #include <asm/setup.h> ++#include <asm/thread_info.h> ++#include <asm/sysreg.h> + + /* + * The kernel is loaded where we want it to be and all caches +@@ -20,11 +22,6 @@ + .section .init.text,"ax" + .global _start + _start: +- /* Check if the boot loader actually provided a tag table */ +- lddpc r0, magic_number +- cp.w r12, r0 +- brne no_tag_table +- + /* Initialize .bss */ + lddpc r2, bss_start_addr + lddpc r3, end_addr +@@ -34,6 +31,25 @@ _start: + cp r2, r3 + brlo 1b + ++ /* Initialize status register */ ++ lddpc r0, init_sr ++ mtsr SYSREG_SR, r0 ++ ++ /* Set initial stack pointer */ ++ lddpc sp, stack_addr ++ sub sp, -THREAD_SIZE ++ ++#ifdef CONFIG_FRAME_POINTER ++ /* Mark last stack frame */ ++ mov lr, 0 ++ mov r7, 0 ++#endif ++ ++ /* Check if the boot loader actually provided a tag table */ ++ lddpc r0, magic_number ++ cp.w r12, r0 ++ brne no_tag_table ++ + /* + * Save the tag table address for later use. This must be done + * _after_ .bss has been initialized... +@@ -53,8 +69,15 @@ bss_start_addr: + .long __bss_start + end_addr: + .long _end ++init_sr: ++ .long 0x007f0000 /* Supervisor mode, everything masked */ ++stack_addr: ++ .long init_thread_union ++panic_addr: ++ .long panic + + no_tag_table: + sub r12, pc, (. - 2f) +- bral panic ++ /* branch to panic() which can be far away with that construct */ ++ lddpc pc, panic_addr + 2: .asciz "Boot loader didn't provide correct magic number\n" +diff --git a/arch/avr32/kernel/entry-avr32b.S b/arch/avr32/kernel/entry-avr32b.S +index 169268c..a91e898 100644 +--- a/arch/avr32/kernel/entry-avr32b.S ++++ b/arch/avr32/kernel/entry-avr32b.S +@@ -399,9 +399,10 @@ handle_critical: + /* We should never get here... */ + bad_return: + sub r12, pc, (. - 1f) +- bral panic ++ lddpc pc, 2f + .align 2 + 1: .asciz "Return from critical exception!" ++2: .long panic + + .align 1 + do_bus_error_write: +diff --git a/arch/avr32/kernel/head.S b/arch/avr32/kernel/head.S +index 6163bd0..59eae6d 100644 +--- a/arch/avr32/kernel/head.S ++++ b/arch/avr32/kernel/head.S +@@ -10,33 +10,13 @@ + #include <linux/linkage.h> + + #include <asm/page.h> +-#include <asm/thread_info.h> +-#include <asm/sysreg.h> + + .section .init.text,"ax" + .global kernel_entry + kernel_entry: +- /* Initialize status register */ +- lddpc r0, init_sr +- mtsr SYSREG_SR, r0 +- +- /* Set initial stack pointer */ +- lddpc sp, stack_addr +- sub sp, -THREAD_SIZE +- +-#ifdef CONFIG_FRAME_POINTER +- /* Mark last stack frame */ +- mov lr, 0 +- mov r7, 0 +-#endif +- + /* Start the show */ + lddpc pc, kernel_start_addr + + .align 2 +-init_sr: +- .long 0x007f0000 /* Supervisor mode, everything masked */ +-stack_addr: +- .long init_thread_union + kernel_start_addr: + .long start_kernel +diff --git a/arch/cris/include/asm/io.h b/arch/cris/include/asm/io.h +index ac12ae2..db9a16c 100644 +--- a/arch/cris/include/asm/io.h ++++ b/arch/cris/include/asm/io.h +@@ -3,6 +3,7 @@ + + #include <asm/page.h> /* for __va, __pa */ + #include <arch/io.h> ++#include <asm-generic/iomap.h> + #include <linux/kernel.h> + + struct cris_io_operations +diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h +index d9f397f..fba7696 100644 +--- a/arch/ia64/include/asm/processor.h ++++ b/arch/ia64/include/asm/processor.h +@@ -320,7 +320,7 @@ struct thread_struct { + regs->loadrs = 0; \ + regs->r8 = get_dumpable(current->mm); /* set "don't zap registers" flag */ \ + regs->r12 = new_sp - 16; /* allocate 16 byte scratch area */ \ +- if (unlikely(!get_dumpable(current->mm))) { \ ++ if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) { \ + /* \ + * Zap scratch regs to avoid leaking bits between processes with different \ + * uid/privileges. \ +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 836a5a1..fa1e56b 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -445,6 +445,12 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame, + #endif /* CONFIG_ALTIVEC */ + if (copy_fpr_to_user(&frame->mc_fregs, current)) + return 1; ++ ++ /* ++ * Clear the MSR VSX bit to indicate there is no valid state attached ++ * to this context, except in the specific case below where we set it. ++ */ ++ msr &= ~MSR_VSX; + #ifdef CONFIG_VSX + /* + * Copy VSR 0-31 upper half from thread_struct to local +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index a50b5ec..60d1f75 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -116,6 +116,12 @@ static long setup_sigcontext(struct sigcontext __user *sc, struct pt_regs *regs, + flush_fp_to_thread(current); + /* copy fpr regs and fpscr */ + err |= copy_fpr_to_user(&sc->fp_regs, current); ++ ++ /* ++ * Clear the MSR VSX bit to indicate there is no valid state attached ++ * to this context, except in the specific case below where we set it. ++ */ ++ msr &= ~MSR_VSX; + #ifdef CONFIG_VSX + /* + * Copy VSX low doubleword to local buffer for formatting, +diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c +index e74f86e..304680a 100644 +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -235,8 +235,6 @@ static u64 scan_dispatch_log(u64 stop_tb) + if (i == vpa->dtl_idx) + return 0; + while (i < vpa->dtl_idx) { +- if (dtl_consumer) +- dtl_consumer(dtl, i); + dtb = dtl->timebase; + tb_delta = dtl->enqueue_to_dispatch_time + + dtl->ready_to_enqueue_time; +@@ -249,6 +247,8 @@ static u64 scan_dispatch_log(u64 stop_tb) + } + if (dtb > stop_tb) + break; ++ if (dtl_consumer) ++ dtl_consumer(dtl, i); + stolen += tb_delta; + ++i; + ++dtl; +diff --git a/arch/powerpc/kernel/vio.c b/arch/powerpc/kernel/vio.c +index f65af61..dfb1c19 100644 +--- a/arch/powerpc/kernel/vio.c ++++ b/arch/powerpc/kernel/vio.c +@@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + const char *cp; + + dn = dev->of_node; +- if (!dn) +- return -ENODEV; ++ if (!dn) { ++ strcpy(buf, "\n"); ++ return strlen(buf); ++ } + cp = of_get_property(dn, "compatible", NULL); +- if (!cp) +- return -ENODEV; ++ if (!cp) { ++ strcpy(buf, "\n"); ++ return strlen(buf); ++ } + + return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp); + } +diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c +index a9ce135..3ec8b39 100644 +--- a/arch/s390/crypto/aes_s390.c ++++ b/arch/s390/crypto/aes_s390.c +@@ -35,7 +35,6 @@ static u8 *ctrblk; + static char keylen_flag; + + struct s390_aes_ctx { +- u8 iv[AES_BLOCK_SIZE]; + u8 key[AES_MAX_KEY_SIZE]; + long enc; + long dec; +@@ -56,8 +55,7 @@ struct pcc_param { + + struct s390_xts_ctx { + u8 key[32]; +- u8 xts_param[16]; +- struct pcc_param pcc; ++ u8 pcc_key[32]; + long enc; + long dec; + int key_len; +@@ -442,29 +440,35 @@ static int cbc_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, + return aes_set_key(tfm, in_key, key_len); + } + +-static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, void *param, ++static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, + struct blkcipher_walk *walk) + { ++ struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm); + int ret = blkcipher_walk_virt(desc, walk); + unsigned int nbytes = walk->nbytes; ++ struct { ++ u8 iv[AES_BLOCK_SIZE]; ++ u8 key[AES_MAX_KEY_SIZE]; ++ } param; + + if (!nbytes) + goto out; + +- memcpy(param, walk->iv, AES_BLOCK_SIZE); ++ memcpy(param.iv, walk->iv, AES_BLOCK_SIZE); ++ memcpy(param.key, sctx->key, sctx->key_len); + do { + /* only use complete blocks */ + unsigned int n = nbytes & ~(AES_BLOCK_SIZE - 1); + u8 *out = walk->dst.virt.addr; + u8 *in = walk->src.virt.addr; + +- ret = crypt_s390_kmc(func, param, out, in, n); ++ ret = crypt_s390_kmc(func, ¶m, out, in, n); + BUG_ON((ret < 0) || (ret != n)); + + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, walk, nbytes); + } while ((nbytes = walk->nbytes)); +- memcpy(walk->iv, param, AES_BLOCK_SIZE); ++ memcpy(walk->iv, param.iv, AES_BLOCK_SIZE); + + out: + return ret; +@@ -481,7 +485,7 @@ static int cbc_aes_encrypt(struct blkcipher_desc *desc, + return fallback_blk_enc(desc, dst, src, nbytes); + + blkcipher_walk_init(&walk, dst, src, nbytes); +- return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk); ++ return cbc_aes_crypt(desc, sctx->enc, &walk); + } + + static int cbc_aes_decrypt(struct blkcipher_desc *desc, +@@ -495,7 +499,7 @@ static int cbc_aes_decrypt(struct blkcipher_desc *desc, + return fallback_blk_dec(desc, dst, src, nbytes); + + blkcipher_walk_init(&walk, dst, src, nbytes); +- return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk); ++ return cbc_aes_crypt(desc, sctx->dec, &walk); + } + + static struct crypto_alg cbc_aes_alg = { +@@ -587,7 +591,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, + xts_ctx->enc = KM_XTS_128_ENCRYPT; + xts_ctx->dec = KM_XTS_128_DECRYPT; + memcpy(xts_ctx->key + 16, in_key, 16); +- memcpy(xts_ctx->pcc.key + 16, in_key + 16, 16); ++ memcpy(xts_ctx->pcc_key + 16, in_key + 16, 16); + break; + case 48: + xts_ctx->enc = 0; +@@ -598,7 +602,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, + xts_ctx->enc = KM_XTS_256_ENCRYPT; + xts_ctx->dec = KM_XTS_256_DECRYPT; + memcpy(xts_ctx->key, in_key, 32); +- memcpy(xts_ctx->pcc.key, in_key + 32, 32); ++ memcpy(xts_ctx->pcc_key, in_key + 32, 32); + break; + default: + *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; +@@ -617,28 +621,32 @@ static int xts_aes_crypt(struct blkcipher_desc *desc, long func, + unsigned int nbytes = walk->nbytes; + unsigned int n; + u8 *in, *out; +- void *param; ++ struct pcc_param pcc_param; ++ struct { ++ u8 key[32]; ++ u8 init[16]; ++ } xts_param; + + if (!nbytes) + goto out; + +- memset(xts_ctx->pcc.block, 0, sizeof(xts_ctx->pcc.block)); +- memset(xts_ctx->pcc.bit, 0, sizeof(xts_ctx->pcc.bit)); +- memset(xts_ctx->pcc.xts, 0, sizeof(xts_ctx->pcc.xts)); +- memcpy(xts_ctx->pcc.tweak, walk->iv, sizeof(xts_ctx->pcc.tweak)); +- param = xts_ctx->pcc.key + offset; +- ret = crypt_s390_pcc(func, param); ++ memset(pcc_param.block, 0, sizeof(pcc_param.block)); ++ memset(pcc_param.bit, 0, sizeof(pcc_param.bit)); ++ memset(pcc_param.xts, 0, sizeof(pcc_param.xts)); ++ memcpy(pcc_param.tweak, walk->iv, sizeof(pcc_param.tweak)); ++ memcpy(pcc_param.key, xts_ctx->pcc_key, 32); ++ ret = crypt_s390_pcc(func, &pcc_param.key[offset]); + BUG_ON(ret < 0); + +- memcpy(xts_ctx->xts_param, xts_ctx->pcc.xts, 16); +- param = xts_ctx->key + offset; ++ memcpy(xts_param.key, xts_ctx->key, 32); ++ memcpy(xts_param.init, pcc_param.xts, 16); + do { + /* only use complete blocks */ + n = nbytes & ~(AES_BLOCK_SIZE - 1); + out = walk->dst.virt.addr; + in = walk->src.virt.addr; + +- ret = crypt_s390_km(func, param, out, in, n); ++ ret = crypt_s390_km(func, &xts_param.key[offset], out, in, n); + BUG_ON(ret < 0 || ret != n); + + nbytes &= AES_BLOCK_SIZE - 1; +diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c +index 425162e..2f53b89 100644 +--- a/arch/um/os-Linux/start_up.c ++++ b/arch/um/os-Linux/start_up.c +@@ -15,6 +15,8 @@ + #include <sys/mman.h> + #include <sys/stat.h> + #include <sys/wait.h> ++#include <sys/time.h> ++#include <sys/resource.h> + #include <asm/unistd.h> + #include "init.h" + #include "os.h" +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 95365a8..e80542b 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -51,18 +51,18 @@ $(obj)/cpustr.h: $(obj)/mkcpustr FORCE + + # How to compile the 16-bit code. Note we always compile for -march=i386, + # that way we can complain to the user if the CPU is insufficient. +-KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \ ++KBUILD_CFLAGS := $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ \ + -DDISABLE_BRANCH_PROFILING \ + -Wall -Wstrict-prototypes \ + -march=i386 -mregparm=3 \ + -include $(srctree)/$(src)/code16gcc.h \ + -fno-strict-aliasing -fomit-frame-pointer \ ++ -mno-mmx -mno-sse \ + $(call cc-option, -ffreestanding) \ + $(call cc-option, -fno-toplevel-reorder,\ +- $(call cc-option, -fno-unit-at-a-time)) \ ++ $(call cc-option, -fno-unit-at-a-time)) \ + $(call cc-option, -fno-stack-protector) \ + $(call cc-option, -mpreferred-stack-boundary=2) +-KBUILD_CFLAGS += $(call cc-option, -m32) + KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ + GCOV_PROFILE := n + +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 77453c6..cda5cef 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -12,6 +12,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING + cflags-$(CONFIG_X86_32) := -march=i386 + cflags-$(CONFIG_X86_64) := -mcmodel=small + KBUILD_CFLAGS += $(cflags-y) ++KBUILD_CFLAGS += -mno-mmx -mno-sse + KBUILD_CFLAGS += $(call cc-option,-ffreestanding) + KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) + +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index 13ad899..69e231b 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -95,10 +95,10 @@ void native_machine_crash_shutdown(struct pt_regs *regs) + cpu_emergency_vmxoff(); + cpu_emergency_svm_disable(); + +- lapic_shutdown(); + #if defined(CONFIG_X86_IO_APIC) + disable_IO_APIC(); + #endif ++ lapic_shutdown(); + #ifdef CONFIG_HPET_TIMER + hpet_disable(); + #endif +diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c +index 1ef962b..f9b9eaa 100644 +--- a/arch/x86/kernel/microcode_amd.c ++++ b/arch/x86/kernel/microcode_amd.c +@@ -331,7 +331,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device) + snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); + + if (request_firmware(&fw, (const char *)fw_name, device)) { +- pr_err("failed to load file %s\n", fw_name); ++ pr_debug("failed to load file %s\n", fw_name); + goto out; + } + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index a4e1b4b..f411aca 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -652,6 +652,13 @@ void native_machine_shutdown(void) + + /* The boot cpu is always logical cpu 0 */ + int reboot_cpu_id = 0; ++#endif ++ ++#ifdef CONFIG_X86_IO_APIC ++ disable_IO_APIC(); ++#endif ++ ++#ifdef CONFIG_SMP + + #ifdef CONFIG_X86_32 + /* See if there has been given a command line override */ +@@ -675,10 +682,6 @@ void native_machine_shutdown(void) + + lapic_shutdown(); + +-#ifdef CONFIG_X86_IO_APIC +- disable_IO_APIC(); +-#endif +- + #ifdef CONFIG_HPET_TIMER + hpet_disable(); + #endif +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 54abb40..43e7753 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -537,7 +537,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) + ASSERT(apic != NULL); + + /* if initial count is 0, current count should also be 0 */ +- if (apic_get_reg(apic, APIC_TMICT) == 0) ++ if (apic_get_reg(apic, APIC_TMICT) == 0 || ++ apic->lapic_timer.period == 0) + return 0; + + remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index a18d20d..bee75a6 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -614,11 +614,6 @@ void __init efi_init(void) + + set_bit(EFI_MEMMAP, &x86_efi_facility); + +-#ifdef CONFIG_X86_32 +- x86_platform.get_wallclock = efi_get_time; +- x86_platform.set_wallclock = efi_set_rtc_mmss; +-#endif +- + #if EFI_DEBUG + print_efi_memmap(); + #endif +diff --git a/block/blk-core.c b/block/blk-core.c +index 49d9e91..a219c89 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -483,6 +483,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id) + } + + if (blk_throtl_init(q)) { ++ bdi_destroy(&q->backing_dev_info); + kmem_cache_free(blk_requestq_cachep, q); + return NULL; + } +@@ -2015,6 +2016,7 @@ void blk_start_request(struct request *req) + if (unlikely(blk_bidi_rq(req))) + req->next_rq->resid_len = blk_rq_bytes(req->next_rq); + ++ BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags)); + blk_add_timer(req); + } + EXPORT_SYMBOL(blk_start_request); +diff --git a/block/blk-timeout.c b/block/blk-timeout.c +index 7803548..b1182ea 100644 +--- a/block/blk-timeout.c ++++ b/block/blk-timeout.c +@@ -90,8 +90,8 @@ static void blk_rq_timed_out(struct request *req) + __blk_complete_request(req); + break; + case BLK_EH_RESET_TIMER: +- blk_clear_rq_complete(req); + blk_add_timer(req); ++ blk_clear_rq_complete(req); + break; + case BLK_EH_NOT_HANDLED: + /* +@@ -173,7 +173,6 @@ void blk_add_timer(struct request *req) + return; + + BUG_ON(!list_empty(&req->timeout_list)); +- BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags)); + + /* + * Some LLDs, like scsi, peek at the timeout to prevent a +diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c +index 0262210..8502462 100644 +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -114,6 +114,9 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, + struct hash_ctx *ctx = ask->private; + int err; + ++ if (flags & MSG_SENDPAGE_NOTLAST) ++ flags |= MSG_MORE; ++ + lock_sock(sk); + sg_init_table(ctx->sgl.sg, 1); + sg_set_page(ctx->sgl.sg, page, size, offset); +@@ -161,8 +164,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, + else if (len < ds) + msg->msg_flags |= MSG_TRUNC; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + if (ctx->more) { + ctx->more = 0; +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index a1c4f0a..a19c027 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -378,6 +378,9 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page, + struct skcipher_sg_list *sgl; + int err = -EINVAL; + ++ if (flags & MSG_SENDPAGE_NOTLAST) ++ flags |= MSG_MORE; ++ + lock_sock(sk); + if (!ctx->more && ctx->used) + goto unlock; +@@ -432,7 +435,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, + long copied = 0; + + lock_sock(sk); +- msg->msg_namelen = 0; + for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; + iovlen--, iov++) { + unsigned long seglen = iov->iov_len; +diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c +index ffa0245..6056178 100644 +--- a/crypto/ansi_cprng.c ++++ b/crypto/ansi_cprng.c +@@ -230,11 +230,11 @@ remainder: + */ + if (byte_count < DEFAULT_BLK_SZ) { + empty_rbuf: +- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; +- ctx->rand_data_valid++) { ++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) { + *ptr = ctx->rand_data[ctx->rand_data_valid]; + ptr++; + byte_count--; ++ ctx->rand_data_valid++; + if (byte_count == 0) + goto done; + } +diff --git a/crypto/authenc.c b/crypto/authenc.c +index 5ef7ba6..d21da2f 100644 +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -368,9 +368,10 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req, + if (!err) { + struct crypto_aead *authenc = crypto_aead_reqtfm(areq); + struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc); +- struct ablkcipher_request *abreq = aead_request_ctx(areq); +- u8 *iv = (u8 *)(abreq + 1) + +- crypto_ablkcipher_reqsize(ctx->enc); ++ struct authenc_request_ctx *areq_ctx = aead_request_ctx(areq); ++ struct ablkcipher_request *abreq = (void *)(areq_ctx->tail ++ + ctx->reqoff); ++ u8 *iv = (u8 *)abreq - crypto_ablkcipher_ivsize(ctx->enc); + + err = crypto_authenc_genicv(areq, iv, 0); + } +diff --git a/crypto/ccm.c b/crypto/ccm.c +index c36d654..2002ca7 100644 +--- a/crypto/ccm.c ++++ b/crypto/ccm.c +@@ -271,7 +271,8 @@ static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, + } + + /* compute plaintext into mac */ +- get_data_to_compute(cipher, pctx, plain, cryptlen); ++ if (cryptlen) ++ get_data_to_compute(cipher, pctx, plain, cryptlen); + + out: + return err; +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 0445f52..d29f6d5 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -303,6 +303,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, +@@ -437,6 +441,8 @@ static const struct pci_device_id ahci_pci_tbl[] = { + .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ + { PCI_DEVICE(0x1b4b, 0x91a3), + .driver_data = board_ahci_yes_fbs }, ++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), ++ .driver_data = board_ahci_yes_fbs }, + + /* Promise */ + { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ +diff --git a/drivers/ata/ahci_platform.c b/drivers/ata/ahci_platform.c +index 43b8758..6692108 100644 +--- a/drivers/ata/ahci_platform.c ++++ b/drivers/ata/ahci_platform.c +@@ -204,6 +204,7 @@ static int __devexit ahci_remove(struct platform_device *pdev) + + static const struct of_device_id ahci_of_match[] = { + { .compatible = "calxeda,hb-ahci", }, ++ { .compatible = "ibm,476gtr-ahci", }, + {}, + }; + MODULE_DEVICE_TABLE(of, ahci_of_match); +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index 60def03..de2802c 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1247,9 +1247,11 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, + { + struct ata_port *ap = link->ap; + struct ahci_host_priv *hpriv = ap->host->private_data; ++ struct ahci_port_priv *pp = ap->private_data; + const char *reason = NULL; + unsigned long now, msecs; + struct ata_taskfile tf; ++ bool fbs_disabled = false; + int rc; + + DPRINTK("ENTER\n"); +@@ -1259,6 +1261,16 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, + if (rc && rc != -EOPNOTSUPP) + ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc); + ++ /* ++ * According to AHCI-1.2 9.3.9: if FBS is enable, software shall ++ * clear PxFBS.EN to '0' prior to issuing software reset to devices ++ * that is attached to port multiplier. ++ */ ++ if (!ata_is_host_link(link) && pp->fbs_enabled) { ++ ahci_disable_fbs(ap); ++ fbs_disabled = true; ++ } ++ + ata_tf_init(link->device, &tf); + + /* issue the first D2H Register FIS */ +@@ -1299,6 +1311,10 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, + } else + *class = ahci_dev_classify(ap); + ++ /* re-enable FBS if disabled before */ ++ if (fbs_disabled) ++ ahci_enable_fbs(ap); ++ + DPRINTK("EXIT, class=%u\n", *class); + return 0; + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index d54b7d6..a0a3987 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4067,6 +4067,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 }, + { "QUANTUM DAT DAT72-000", NULL, ATA_HORKAGE_ATAPI_MOD16_DMA }, + { "Slimtype DVD A DS8A8SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, ++ { "Slimtype DVD A DS8A9SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, + + /* Devices we expect to fail diagnostics */ + +diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c +index ce9dc62..c01f040 100644 +--- a/drivers/ata/libata-transport.c ++++ b/drivers/ata/libata-transport.c +@@ -312,25 +312,25 @@ int ata_tport_add(struct device *parent, + /* + * ATA link attributes + */ ++static int noop(int x) { return x; } + +- +-#define ata_link_show_linkspeed(field) \ ++#define ata_link_show_linkspeed(field, format) \ + static ssize_t \ + show_ata_link_##field(struct device *dev, \ + struct device_attribute *attr, char *buf) \ + { \ + struct ata_link *link = transport_class_to_link(dev); \ + \ +- return sprintf(buf,"%s\n", sata_spd_string(fls(link->field))); \ ++ return sprintf(buf, "%s\n", sata_spd_string(format(link->field))); \ + } + +-#define ata_link_linkspeed_attr(field) \ +- ata_link_show_linkspeed(field) \ ++#define ata_link_linkspeed_attr(field, format) \ ++ ata_link_show_linkspeed(field, format) \ + static DEVICE_ATTR(field, S_IRUGO, show_ata_link_##field, NULL) + +-ata_link_linkspeed_attr(hw_sata_spd_limit); +-ata_link_linkspeed_attr(sata_spd_limit); +-ata_link_linkspeed_attr(sata_spd); ++ata_link_linkspeed_attr(hw_sata_spd_limit, fls); ++ata_link_linkspeed_attr(sata_spd_limit, fls); ++ata_link_linkspeed_attr(sata_spd, noop); + + + static DECLARE_TRANSPORT_CLASS(ata_link_class, +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 1c05212..b0e75ce 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -3513,7 +3513,7 @@ init_card(struct atm_dev *dev) + tmp = dev_get_by_name(&init_net, tname); /* jhs: was "tmp = dev_get(tname);" */ + if (tmp) { + memcpy(card->atmdev->esi, tmp->dev_addr, 6); +- ++ dev_put(tmp); + printk("%s: ESI %pM\n", card->name, card->atmdev->esi); + } + /* +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 968a0d4..f35975f 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -547,7 +547,7 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data) + + mutex_lock(&brd_devices_mutex); + brd = brd_init_one(MINOR(dev) >> part_shift); +- kobj = brd ? get_disk(brd->brd_disk) : ERR_PTR(-ENOMEM); ++ kobj = brd ? get_disk(brd->brd_disk) : NULL; + mutex_unlock(&brd_devices_mutex); + + *part = 0; +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index a365562..d659135 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1635,7 +1635,7 @@ static int loop_add(struct loop_device **l, int i) + + lo->lo_queue = blk_alloc_queue(GFP_KERNEL); + if (!lo->lo_queue) +- goto out_free_dev; ++ goto out_free_idr; + + disk = lo->lo_disk = alloc_disk(1 << part_shift); + if (!disk) +@@ -1679,6 +1679,8 @@ static int loop_add(struct loop_device **l, int i) + + out_free_queue: + blk_cleanup_queue(lo->lo_queue); ++out_free_idr: ++ idr_remove(&loop_index_idr, i); + out_free_dev: + kfree(lo); + out: +@@ -1742,7 +1744,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) + if (err < 0) + err = loop_add(&lo, MINOR(dev) >> part_shift); + if (err < 0) +- kobj = ERR_PTR(err); ++ kobj = NULL; + else + kobj = get_disk(lo->lo_disk); + mutex_unlock(&loop_index_mutex); +diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c +index 6e40072..51efcbc 100644 +--- a/drivers/char/i8k.c ++++ b/drivers/char/i8k.c +@@ -664,6 +664,13 @@ static struct dmi_system_id __initdata i8k_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Vostro"), + }, + }, ++ { ++ .ident = "Dell XPS421", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS L421X"), ++ }, ++ }, + { } + }; + +diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c +index 66d5384..094a710 100644 +--- a/drivers/connector/cn_proc.c ++++ b/drivers/connector/cn_proc.c +@@ -31,11 +31,23 @@ + #include <linux/ptrace.h> + #include <linux/atomic.h> + +-#include <asm/unaligned.h> +- + #include <linux/cn_proc.h> + +-#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event)) ++/* ++ * Size of a cn_msg followed by a proc_event structure. Since the ++ * sizeof struct cn_msg is a multiple of 4 bytes, but not 8 bytes, we ++ * add one 4-byte word to the size here, and then start the actual ++ * cn_msg structure 4 bytes into the stack buffer. The result is that ++ * the immediately following proc_event structure is aligned to 8 bytes. ++ */ ++#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event) + 4) ++ ++/* See comment above; we test our assumption about sizeof struct cn_msg here. */ ++static inline struct cn_msg *buffer_to_cn_msg(__u8 *buffer) ++{ ++ BUILD_BUG_ON(sizeof(struct cn_msg) != 20); ++ return (struct cn_msg *)(buffer + 4); ++} + + static atomic_t proc_event_num_listeners = ATOMIC_INIT(0); + static struct cb_id cn_proc_event_id = { CN_IDX_PROC, CN_VAL_PROC }; +@@ -55,19 +67,19 @@ void proc_fork_connector(struct task_struct *task) + { + struct cn_msg *msg; + struct proc_event *ev; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + struct timespec ts; + struct task_struct *parent; + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event*)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_FORK; + rcu_read_lock(); + parent = rcu_dereference(task->real_parent); +@@ -90,17 +102,17 @@ void proc_exec_connector(struct task_struct *task) + struct cn_msg *msg; + struct proc_event *ev; + struct timespec ts; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event*)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_EXEC; + ev->event_data.exec.process_pid = task->pid; + ev->event_data.exec.process_tgid = task->tgid; +@@ -116,14 +128,14 @@ void proc_id_connector(struct task_struct *task, int which_id) + { + struct cn_msg *msg; + struct proc_event *ev; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + struct timespec ts; + const struct cred *cred; + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event*)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + ev->what = which_id; +@@ -144,7 +156,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + rcu_read_unlock(); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ +@@ -158,17 +170,17 @@ void proc_sid_connector(struct task_struct *task) + struct cn_msg *msg; + struct proc_event *ev; + struct timespec ts; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg *)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event *)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_SID; + ev->event_data.sid.process_pid = task->pid; + ev->event_data.sid.process_tgid = task->tgid; +@@ -185,17 +197,17 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + struct cn_msg *msg; + struct proc_event *ev; + struct timespec ts; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg *)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event *)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_PTRACE; + ev->event_data.ptrace.process_pid = task->pid; + ev->event_data.ptrace.process_tgid = task->tgid; +@@ -220,17 +232,17 @@ void proc_comm_connector(struct task_struct *task) + struct cn_msg *msg; + struct proc_event *ev; + struct timespec ts; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg *)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event *)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_COMM; + ev->event_data.comm.process_pid = task->pid; + ev->event_data.comm.process_tgid = task->tgid; +@@ -247,18 +259,18 @@ void proc_exit_connector(struct task_struct *task) + { + struct cn_msg *msg; + struct proc_event *ev; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + struct timespec ts; + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event*)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->what = PROC_EVENT_EXIT; + ev->event_data.exit.process_pid = task->pid; + ev->event_data.exit.process_tgid = task->tgid; +@@ -284,18 +296,18 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + { + struct cn_msg *msg; + struct proc_event *ev; +- __u8 buffer[CN_PROC_MSG_SIZE]; ++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); + struct timespec ts; + + if (atomic_read(&proc_event_num_listeners) < 1) + return; + +- msg = (struct cn_msg*)buffer; ++ msg = buffer_to_cn_msg(buffer); + ev = (struct proc_event*)msg->data; + memset(&ev->event_data, 0, sizeof(ev->event_data)); + msg->seq = rcvd_seq; + ktime_get_ts(&ts); /* get high res monotonic timestamp */ +- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); ++ ev->timestamp_ns = timespec_to_ns(&ts); + ev->cpu = -1; + ev->what = PROC_EVENT_NONE; + ev->event_data.ack.err = err; +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index edcffd6..34be13b 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -69,10 +69,14 @@ static int mpc8572_gpio_get(struct gpio_chip *gc, unsigned int gpio) + u32 val; + struct of_mm_gpio_chip *mm = to_of_mm_gpio_chip(gc); + struct mpc8xxx_gpio_chip *mpc8xxx_gc = to_mpc8xxx_gpio_chip(mm); ++ u32 out_mask, out_shadow; + +- val = in_be32(mm->regs + GPIO_DAT) & ~in_be32(mm->regs + GPIO_DIR); ++ out_mask = in_be32(mm->regs + GPIO_DIR); + +- return (val | mpc8xxx_gc->data) & mpc8xxx_gpio2mask(gpio); ++ val = in_be32(mm->regs + GPIO_DAT) & ~out_mask; ++ out_shadow = mpc8xxx_gc->data & out_mask; ++ ++ return (val | out_shadow) & mpc8xxx_gpio2mask(gpio); + } + + static int mpc8xxx_gpio_get(struct gpio_chip *gc, unsigned int gpio) +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index ee29c1f..6d36695 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -6063,7 +6063,9 @@ static void i9xx_update_cursor(struct drm_crtc *crtc, u32 base) + intel_crtc->cursor_visible = visible; + } + /* and commit changes on next vblank */ ++ POSTING_READ(CURCNTR(pipe)); + I915_WRITE(CURBASE(pipe), base); ++ POSTING_READ(CURBASE(pipe)); + } + + static void ivb_update_cursor(struct drm_crtc *crtc, u32 base) +@@ -6088,7 +6090,9 @@ static void ivb_update_cursor(struct drm_crtc *crtc, u32 base) + intel_crtc->cursor_visible = visible; + } + /* and commit changes on next vblank */ ++ POSTING_READ(CURCNTR_IVB(pipe)); + I915_WRITE(CURBASE_IVB(pipe), base); ++ POSTING_READ(CURBASE_IVB(pipe)); + } + + /* If no-part of the cursor is visible on the framebuffer, then the GPU may hang... */ +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 7ce3fde..bd0b1fc 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -281,7 +281,8 @@ validate_fini_list(struct list_head *list, struct nouveau_fence *fence) + list_for_each_safe(entry, tmp, list) { + nvbo = list_entry(entry, struct nouveau_bo, entry); + +- nouveau_bo_fence(nvbo, fence); ++ if (likely(fence)) ++ nouveau_bo_fence(nvbo, fence); + + if (unlikely(nvbo->validate_mapped)) { + ttm_bo_kunmap(&nvbo->kmap); +diff --git a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c +index daadf21..a9238b0 100644 +--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c +@@ -416,12 +416,40 @@ int radeon_crtc_do_set_base(struct drm_crtc *crtc, + /* Pin framebuffer & get tilling informations */ + obj = radeon_fb->obj; + rbo = gem_to_radeon_bo(obj); ++retry: + r = radeon_bo_reserve(rbo, false); + if (unlikely(r != 0)) + return r; + r = radeon_bo_pin(rbo, RADEON_GEM_DOMAIN_VRAM, &base); + if (unlikely(r != 0)) { + radeon_bo_unreserve(rbo); ++ ++ /* On old GPU like RN50 with little vram pining can fails because ++ * current fb is taking all space needed. So instead of unpining ++ * the old buffer after pining the new one, first unpin old one ++ * and then retry pining new one. ++ * ++ * As only master can set mode only master can pin and it is ++ * unlikely the master client will race with itself especialy ++ * on those old gpu with single crtc. ++ * ++ * We don't shutdown the display controller because new buffer ++ * will end up in same spot. ++ */ ++ if (!atomic && fb && fb != crtc->fb) { ++ struct radeon_bo *old_rbo; ++ unsigned long nsize, osize; ++ ++ old_rbo = gem_to_radeon_bo(to_radeon_framebuffer(fb)->obj); ++ osize = radeon_bo_size(old_rbo); ++ nsize = radeon_bo_size(rbo); ++ if (nsize <= osize && !radeon_bo_reserve(old_rbo, false)) { ++ radeon_bo_unpin(old_rbo); ++ radeon_bo_unreserve(old_rbo); ++ fb = NULL; ++ goto retry; ++ } ++ } + return -EINVAL; + } + radeon_bo_get_tiling_flags(rbo, &tiling_flags, NULL); +diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c +index 0d27bff..22a89cd 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -1101,24 +1101,32 @@ out_unlock: + return ret; + } + +-static int ttm_bo_mem_compat(struct ttm_placement *placement, +- struct ttm_mem_reg *mem) ++static bool ttm_bo_mem_compat(struct ttm_placement *placement, ++ struct ttm_mem_reg *mem, ++ uint32_t *new_flags) + { + int i; + + if (mem->mm_node && placement->lpfn != 0 && + (mem->start < placement->fpfn || + mem->start + mem->num_pages > placement->lpfn)) +- return -1; ++ return false; + + for (i = 0; i < placement->num_placement; i++) { +- if ((placement->placement[i] & mem->placement & +- TTM_PL_MASK_CACHING) && +- (placement->placement[i] & mem->placement & +- TTM_PL_MASK_MEM)) +- return i; ++ *new_flags = placement->placement[i]; ++ if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) && ++ (*new_flags & mem->placement & TTM_PL_MASK_MEM)) ++ return true; ++ } ++ ++ for (i = 0; i < placement->num_busy_placement; i++) { ++ *new_flags = placement->busy_placement[i]; ++ if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) && ++ (*new_flags & mem->placement & TTM_PL_MASK_MEM)) ++ return true; + } +- return -1; ++ ++ return false; + } + + int ttm_bo_validate(struct ttm_buffer_object *bo, +@@ -1127,6 +1135,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, + bool no_wait_gpu) + { + int ret; ++ uint32_t new_flags; + + BUG_ON(!atomic_read(&bo->reserved)); + /* Check that range is valid */ +@@ -1137,8 +1146,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, + /* + * Check whether we need to move buffer. + */ +- ret = ttm_bo_mem_compat(placement, &bo->mem); +- if (ret < 0) { ++ if (!ttm_bo_mem_compat(placement, &bo->mem, &new_flags)) { + ret = ttm_bo_move_buffer(bo, placement, interruptible, no_wait_reserve, no_wait_gpu); + if (ret) + return ret; +@@ -1147,7 +1155,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, + * Use the access and other non-mapping-related flag bits from + * the compatible memory placement flags to the active flags + */ +- ttm_flag_masked(&bo->mem.placement, placement->placement[ret], ++ ttm_flag_masked(&bo->mem.placement, new_flags, + ~TTM_PL_MASK_MEMTYPE); + } + /* +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 13af0f1..a605ba1 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -66,7 +66,7 @@ struct mt_device { + unsigned last_field_index; /* last field index of the report */ + unsigned last_slot_field; /* the last field of a slot */ + int last_mt_collection; /* last known mt-related collection */ +- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ ++ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ + __u8 num_received; /* how many contacts we received */ + __u8 num_expected; /* expected last contact index */ + __u8 maxcontacts; +diff --git a/drivers/hwmon/lm78.c b/drivers/hwmon/lm78.c +index 6df0b46..a42a7b0 100644 +--- a/drivers/hwmon/lm78.c ++++ b/drivers/hwmon/lm78.c +@@ -90,6 +90,8 @@ static inline u8 FAN_TO_REG(long rpm, int div) + { + if (rpm <= 0) + return 255; ++ if (rpm > 1350000) ++ return 1; + return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 615bc4f..6d5ece1 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -268,7 +268,7 @@ static const struct lm90_params lm90_params[] = { + [max6696] = { + .flags = LM90_HAVE_EMERGENCY + | LM90_HAVE_EMERGENCY_ALARM | LM90_HAVE_TEMP3, +- .alert_alarms = 0x187c, ++ .alert_alarms = 0x1c7c, + .max_convrate = 6, + .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL, + }, +@@ -1474,19 +1474,22 @@ static void lm90_alert(struct i2c_client *client, unsigned int flag) + if ((alarms & 0x7f) == 0 && (alarms2 & 0xfe) == 0) { + dev_info(&client->dev, "Everything OK\n"); + } else { +- if (alarms & 0x61) ++ if ((alarms & 0x61) || (alarms2 & 0x80)) + dev_warn(&client->dev, + "temp%d out of range, please check!\n", 1); +- if (alarms & 0x1a) ++ if ((alarms & 0x1a) || (alarms2 & 0x20)) + dev_warn(&client->dev, + "temp%d out of range, please check!\n", 2); + if (alarms & 0x04) + dev_warn(&client->dev, + "temp%d diode open, please check!\n", 2); + +- if (alarms2 & 0x18) ++ if (alarms2 & 0x5a) + dev_warn(&client->dev, + "temp%d out of range, please check!\n", 3); ++ if (alarms2 & 0x04) ++ dev_warn(&client->dev, ++ "temp%d diode open, please check!\n", 3); + + /* Disable ALERT# output, because these chips don't implement + SMBus alert correctly; they should only hold the alert line +diff --git a/drivers/hwmon/sis5595.c b/drivers/hwmon/sis5595.c +index 47d7ce9..5ab6953 100644 +--- a/drivers/hwmon/sis5595.c ++++ b/drivers/hwmon/sis5595.c +@@ -133,6 +133,8 @@ static inline u8 FAN_TO_REG(long rpm, int div) + { + if (rpm <= 0) + return 255; ++ if (rpm > 1350000) ++ return 1; + return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +diff --git a/drivers/hwmon/vt8231.c b/drivers/hwmon/vt8231.c +index db3b2e8..6df67a9 100644 +--- a/drivers/hwmon/vt8231.c ++++ b/drivers/hwmon/vt8231.c +@@ -139,7 +139,7 @@ static const u8 regtempmin[] = { 0x3a, 0x3e, 0x2c, 0x2e, 0x30, 0x32 }; + */ + static inline u8 FAN_TO_REG(long rpm, int div) + { +- if (rpm == 0) ++ if (rpm <= 0 || rpm > 1310720) + return 0; + return SENSORS_LIMIT(1310720 / (rpm * div), 1, 255); + } +diff --git a/drivers/hwmon/w83l786ng.c b/drivers/hwmon/w83l786ng.c +index 0254e18..b9c0a7f 100644 +--- a/drivers/hwmon/w83l786ng.c ++++ b/drivers/hwmon/w83l786ng.c +@@ -447,8 +447,11 @@ store_pwm(struct device *dev, struct device_attribute *attr, + struct w83l786ng_data *data = i2c_get_clientdata(client); + u32 val = SENSORS_LIMIT(simple_strtoul(buf, NULL, 10), 0, 255); + ++ val = DIV_ROUND_CLOSEST(val, 0x11); ++ + mutex_lock(&data->update_lock); +- data->pwm[nr] = val; ++ data->pwm[nr] = val * 0x11; ++ val |= w83l786ng_read_value(client, W83L786NG_REG_PWM[nr]) & 0xf0; + w83l786ng_write_value(client, W83L786NG_REG_PWM[nr], val); + mutex_unlock(&data->update_lock); + return count; +@@ -471,7 +474,7 @@ store_pwm_enable(struct device *dev, struct device_attribute *attr, + mutex_lock(&data->update_lock); + reg = w83l786ng_read_value(client, W83L786NG_REG_FAN_CFG); + data->pwm_enable[nr] = val; +- reg &= ~(0x02 << W83L786NG_PWM_ENABLE_SHIFT[nr]); ++ reg &= ~(0x03 << W83L786NG_PWM_ENABLE_SHIFT[nr]); + reg |= (val - 1) << W83L786NG_PWM_ENABLE_SHIFT[nr]; + w83l786ng_write_value(client, W83L786NG_REG_FAN_CFG, reg); + mutex_unlock(&data->update_lock); +@@ -740,9 +743,10 @@ static struct w83l786ng_data *w83l786ng_update_device(struct device *dev) + ((pwmcfg >> W83L786NG_PWM_MODE_SHIFT[i]) & 1) + ? 0 : 1; + data->pwm_enable[i] = +- ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 2) + 1; +- data->pwm[i] = w83l786ng_read_value(client, +- W83L786NG_REG_PWM[i]); ++ ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 3) + 1; ++ data->pwm[i] = ++ (w83l786ng_read_value(client, W83L786NG_REG_PWM[i]) ++ & 0x0f) * 0x11; + } + + +diff --git a/drivers/infiniband/hw/ipath/ipath_user_sdma.c b/drivers/infiniband/hw/ipath/ipath_user_sdma.c +index f5cb13b..cc04b7b 100644 +--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c ++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c +@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(const struct ipath_devdata *dd, + int j; + int ret; + +- ret = get_user_pages(current, current->mm, addr, +- npages, 0, 1, pages, NULL); +- ++ ret = get_user_pages_fast(addr, npages, 0, pages); + if (ret != npages) { + int i; + +@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_devdata *dd, + while (dim) { + const int mxp = 8; + +- down_write(¤t->mm->mmap_sem); + ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); +- up_write(¤t->mm->mmap_sem); +- + if (ret <= 0) + goto done_unlock; + else { +diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c +index 8244208..573b460 100644 +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -284,8 +284,7 @@ static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, + int j; + int ret; + +- ret = get_user_pages(current, current->mm, addr, +- npages, 0, 1, pages, NULL); ++ ret = get_user_pages_fast(addr, npages, 0, pages); + + if (ret != npages) { + int i; +@@ -830,10 +829,7 @@ int qib_user_sdma_writev(struct qib_ctxtdata *rcd, + while (dim) { + const int mxp = 8; + +- down_write(¤t->mm->mmap_sem); + ret = qib_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); +- up_write(¤t->mm->mmap_sem); +- + if (ret <= 0) + goto done_unlock; + else { +diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c +index 509135f..4df80fb 100644 +--- a/drivers/isdn/isdnloop/isdnloop.c ++++ b/drivers/isdn/isdnloop/isdnloop.c +@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) + spin_unlock_irqrestore(&card->isdnloop_lock, flags); + return -ENOMEM; + } +- for (i = 0; i < 3; i++) +- strcpy(card->s0num[i], sdef.num[i]); ++ for (i = 0; i < 3; i++) { ++ strlcpy(card->s0num[i], sdef.num[i], ++ sizeof(card->s0num[0])); ++ } + break; + case ISDN_PTYPE_1TR6: + if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95", +@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) + spin_unlock_irqrestore(&card->isdnloop_lock, flags); + return -ENOMEM; + } +- strcpy(card->s0num[0], sdef.num[0]); ++ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0])); + card->s0num[1][0] = '\0'; + card->s0num[2][0] = '\0'; + break; +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index 738ea8d..98e8274 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + { + struct sk_buff *skb; + struct sock *sk = sock->sk; +- struct sockaddr_mISDN *maddr; + + int copied, err; + +@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return err; + +- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) { +- msg->msg_namelen = sizeof(struct sockaddr_mISDN); +- maddr = (struct sockaddr_mISDN *)msg->msg_name; ++ if (msg->msg_name) { ++ struct sockaddr_mISDN *maddr = msg->msg_name; ++ + maddr->family = AF_ISDN; + maddr->dev = _pms(sk)->dev->id; + if ((sk->sk_protocol == ISDN_P_LAPD_TE) || +@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + maddr->sapi = _pms(sk)->ch.addr & 0xFF; + maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF; + } +- } else { +- if (msg->msg_namelen) +- printk(KERN_WARNING "%s: too small namelen %d\n", +- __func__, msg->msg_namelen); +- msg->msg_namelen = 0; ++ msg->msg_namelen = sizeof(*maddr); + } + + copied = skb->len + MISDN_HEADER_LEN; +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index a5dfcc0..910d2f8 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1611,6 +1611,11 @@ static int __init dm_bufio_init(void) + { + __u64 mem; + ++ dm_bufio_allocated_kmem_cache = 0; ++ dm_bufio_allocated_get_free_pages = 0; ++ dm_bufio_allocated_vmalloc = 0; ++ dm_bufio_current_allocated = 0; ++ + memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches); + memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names); + +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index 11431ac..3f123f1 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -20,6 +20,7 @@ + struct delay_c { + struct timer_list delay_timer; + struct mutex timer_lock; ++ struct workqueue_struct *kdelayd_wq; + struct work_struct flush_expired_bios; + struct list_head delayed_bios; + atomic_t may_delay; +@@ -45,14 +46,13 @@ struct dm_delay_info { + + static DEFINE_MUTEX(delayed_bios_lock); + +-static struct workqueue_struct *kdelayd_wq; + static struct kmem_cache *delayed_cache; + + static void handle_delayed_timer(unsigned long data) + { + struct delay_c *dc = (struct delay_c *)data; + +- queue_work(kdelayd_wq, &dc->flush_expired_bios); ++ queue_work(dc->kdelayd_wq, &dc->flush_expired_bios); + } + + static void queue_timeout(struct delay_c *dc, unsigned long expires) +@@ -190,6 +190,12 @@ out: + goto bad_dev_write; + } + ++ dc->kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0); ++ if (!dc->kdelayd_wq) { ++ DMERR("Couldn't start kdelayd"); ++ goto bad_queue; ++ } ++ + setup_timer(&dc->delay_timer, handle_delayed_timer, (unsigned long)dc); + + INIT_WORK(&dc->flush_expired_bios, flush_expired_bios); +@@ -202,6 +208,8 @@ out: + ti->private = dc; + return 0; + ++bad_queue: ++ mempool_destroy(dc->delayed_pool); + bad_dev_write: + if (dc->dev_write) + dm_put_device(ti, dc->dev_write); +@@ -216,7 +224,7 @@ static void delay_dtr(struct dm_target *ti) + { + struct delay_c *dc = ti->private; + +- flush_workqueue(kdelayd_wq); ++ destroy_workqueue(dc->kdelayd_wq); + + dm_put_device(ti, dc->dev_read); + +@@ -350,12 +358,6 @@ static int __init dm_delay_init(void) + { + int r = -ENOMEM; + +- kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0); +- if (!kdelayd_wq) { +- DMERR("Couldn't start kdelayd"); +- goto bad_queue; +- } +- + delayed_cache = KMEM_CACHE(dm_delay_info, 0); + if (!delayed_cache) { + DMERR("Couldn't create delayed bio cache."); +@@ -373,8 +375,6 @@ static int __init dm_delay_init(void) + bad_register: + kmem_cache_destroy(delayed_cache); + bad_memcache: +- destroy_workqueue(kdelayd_wq); +-bad_queue: + return r; + } + +@@ -382,7 +382,6 @@ static void __exit dm_delay_exit(void) + { + dm_unregister_target(&delay_target); + kmem_cache_destroy(delayed_cache); +- destroy_workqueue(kdelayd_wq); + } + + /* Module hooks */ +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c +index 7e766f92..84ad530 100644 +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -84,6 +84,7 @@ struct multipath { + unsigned queue_io; /* Must we queue all I/O? */ + unsigned queue_if_no_path; /* Queue I/O if last path fails? */ + unsigned saved_queue_if_no_path;/* Saved state during suspension */ ++ unsigned pg_init_disabled:1; /* pg_init is not currently allowed */ + unsigned pg_init_retries; /* Number of times to retry pg_init */ + unsigned pg_init_count; /* Number of times pg_init called */ + unsigned pg_init_delay_msecs; /* Number of msecs before pg_init retry */ +@@ -473,7 +474,8 @@ static void process_queued_ios(struct work_struct *work) + (!pgpath && !m->queue_if_no_path)) + must_queue = 0; + +- if (m->pg_init_required && !m->pg_init_in_progress && pgpath) ++ if (m->pg_init_required && !m->pg_init_in_progress && pgpath && ++ !m->pg_init_disabled) + __pg_init_all_paths(m); + + out: +@@ -887,10 +889,20 @@ static void multipath_wait_for_pg_init_completion(struct multipath *m) + + static void flush_multipath_work(struct multipath *m) + { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&m->lock, flags); ++ m->pg_init_disabled = 1; ++ spin_unlock_irqrestore(&m->lock, flags); ++ + flush_workqueue(kmpath_handlerd); + multipath_wait_for_pg_init_completion(m); + flush_workqueue(kmultipathd); + flush_work_sync(&m->trigger_event); ++ ++ spin_lock_irqsave(&m->lock, flags); ++ m->pg_init_disabled = 0; ++ spin_unlock_irqrestore(&m->lock, flags); + } + + static void multipath_dtr(struct dm_target *ti) +@@ -1111,7 +1123,7 @@ static int pg_init_limit_reached(struct multipath *m, struct pgpath *pgpath) + + spin_lock_irqsave(&m->lock, flags); + +- if (m->pg_init_count <= m->pg_init_retries) ++ if (m->pg_init_count <= m->pg_init_retries && !m->pg_init_disabled) + m->pg_init_required = 1; + else + limit_reached = 1; +@@ -1621,7 +1633,7 @@ out: + *---------------------------------------------------------------*/ + static struct target_type multipath_target = { + .name = "multipath", +- .version = {1, 3, 1}, ++ .version = {1, 3, 2}, + .module = THIS_MODULE, + .ctr = multipath_ctr, + .dtr = multipath_dtr, +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index 5c30316..fec79e7 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -66,6 +66,18 @@ struct dm_snapshot { + + atomic_t pending_exceptions_count; + ++ /* Protected by "lock" */ ++ sector_t exception_start_sequence; ++ ++ /* Protected by kcopyd single-threaded callback */ ++ sector_t exception_complete_sequence; ++ ++ /* ++ * A list of pending exceptions that completed out of order. ++ * Protected by kcopyd single-threaded callback. ++ */ ++ struct list_head out_of_order_list; ++ + mempool_t *pending_pool; + + struct dm_exception_table pending; +@@ -171,6 +183,14 @@ struct dm_snap_pending_exception { + */ + int started; + ++ /* There was copying error. */ ++ int copy_error; ++ ++ /* A sequence number, it is used for in-order completion. */ ++ sector_t exception_sequence; ++ ++ struct list_head out_of_order_entry; ++ + /* + * For writing a complete chunk, bypassing the copy. + */ +@@ -1090,6 +1110,9 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) + s->valid = 1; + s->active = 0; + atomic_set(&s->pending_exceptions_count, 0); ++ s->exception_start_sequence = 0; ++ s->exception_complete_sequence = 0; ++ INIT_LIST_HEAD(&s->out_of_order_list); + init_rwsem(&s->lock); + INIT_LIST_HEAD(&s->list); + spin_lock_init(&s->pe_lock); +@@ -1448,6 +1471,19 @@ static void commit_callback(void *context, int success) + pending_complete(pe, success); + } + ++static void complete_exception(struct dm_snap_pending_exception *pe) ++{ ++ struct dm_snapshot *s = pe->snap; ++ ++ if (unlikely(pe->copy_error)) ++ pending_complete(pe, 0); ++ ++ else ++ /* Update the metadata if we are persistent */ ++ s->store->type->commit_exception(s->store, &pe->e, ++ commit_callback, pe); ++} ++ + /* + * Called when the copy I/O has finished. kcopyd actually runs + * this code so don't block. +@@ -1457,13 +1493,32 @@ static void copy_callback(int read_err, unsigned long write_err, void *context) + struct dm_snap_pending_exception *pe = context; + struct dm_snapshot *s = pe->snap; + +- if (read_err || write_err) +- pending_complete(pe, 0); ++ pe->copy_error = read_err || write_err; + +- else +- /* Update the metadata if we are persistent */ +- s->store->type->commit_exception(s->store, &pe->e, +- commit_callback, pe); ++ if (pe->exception_sequence == s->exception_complete_sequence) { ++ s->exception_complete_sequence++; ++ complete_exception(pe); ++ ++ while (!list_empty(&s->out_of_order_list)) { ++ pe = list_entry(s->out_of_order_list.next, ++ struct dm_snap_pending_exception, out_of_order_entry); ++ if (pe->exception_sequence != s->exception_complete_sequence) ++ break; ++ s->exception_complete_sequence++; ++ list_del(&pe->out_of_order_entry); ++ complete_exception(pe); ++ } ++ } else { ++ struct list_head *lh; ++ struct dm_snap_pending_exception *pe2; ++ ++ list_for_each_prev(lh, &s->out_of_order_list) { ++ pe2 = list_entry(lh, struct dm_snap_pending_exception, out_of_order_entry); ++ if (pe2->exception_sequence < pe->exception_sequence) ++ break; ++ } ++ list_add(&pe->out_of_order_entry, lh); ++ } + } + + /* +@@ -1558,6 +1613,8 @@ __find_pending_exception(struct dm_snapshot *s, + return NULL; + } + ++ pe->exception_sequence = s->exception_start_sequence++; ++ + dm_insert_exception(&s->pending, &pe->e); + + return pe; +@@ -2200,7 +2257,7 @@ static struct target_type origin_target = { + + static struct target_type snapshot_target = { + .name = "snapshot", +- .version = {1, 10, 1}, ++ .version = {1, 10, 2}, + .module = THIS_MODULE, + .ctr = snapshot_ctr, + .dtr = snapshot_dtr, +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 52848ab..5c52582 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -215,6 +215,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode, + + num_targets = dm_round_up(num_targets, KEYS_PER_NODE); + ++ if (!num_targets) { ++ kfree(t); ++ return -ENOMEM; ++ } ++ + if (alloc_targets(t, num_targets)) { + kfree(t); + t = NULL; +@@ -581,14 +586,28 @@ static int adjoin(struct dm_table *table, struct dm_target *ti) + + /* + * Used to dynamically allocate the arg array. ++ * ++ * We do first allocation with GFP_NOIO because dm-mpath and dm-thin must ++ * process messages even if some device is suspended. These messages have a ++ * small fixed number of arguments. ++ * ++ * On the other hand, dm-switch needs to process bulk data using messages and ++ * excessive use of GFP_NOIO could cause trouble. + */ + static char **realloc_argv(unsigned *array_size, char **old_argv) + { + char **argv; + unsigned new_size; ++ gfp_t gfp; + +- new_size = *array_size ? *array_size * 2 : 64; +- argv = kmalloc(new_size * sizeof(*argv), GFP_KERNEL); ++ if (*array_size) { ++ new_size = *array_size * 2; ++ gfp = GFP_KERNEL; ++ } else { ++ new_size = 8; ++ gfp = GFP_NOIO; ++ } ++ argv = kmalloc(new_size * sizeof(*argv), gfp); + if (argv) { + memcpy(argv, old_argv, *array_size * sizeof(*argv)); + *array_size = new_size; +diff --git a/drivers/media/video/saa7164/saa7164-core.c b/drivers/media/video/saa7164/saa7164-core.c +index 3b7d7b4..8f3c47e 100644 +--- a/drivers/media/video/saa7164/saa7164-core.c ++++ b/drivers/media/video/saa7164/saa7164-core.c +@@ -1386,9 +1386,11 @@ static int __devinit saa7164_initdev(struct pci_dev *pci_dev, + if (fw_debug) { + dev->kthread = kthread_run(saa7164_thread_function, dev, + "saa7164 debug"); +- if (!dev->kthread) ++ if (IS_ERR(dev->kthread)) { ++ dev->kthread = NULL; + printk(KERN_ERR "%s() Failed to create " + "debug kernel thread\n", __func__); ++ } + } + + } /* != BOARD_UNKNOWN */ +diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c +index 00e5fcac8..cbee842 100644 +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -198,6 +198,13 @@ static void enclosure_remove_links(struct enclosure_component *cdev) + { + char name[ENCLOSURE_NAME_SIZE]; + ++ /* ++ * In odd circumstances, like multipath devices, something else may ++ * already have removed the links, so check for this condition first. ++ */ ++ if (!cdev->dev->kobj.sd) ++ return; ++ + enclosure_link_name(cdev, name); + sysfs_remove_link(&cdev->dev->kobj, name); + sysfs_remove_link(&cdev->cdev.kobj, "device"); +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index 74793af..4802f7f 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -634,7 +634,7 @@ static int mmc_blk_cmd_error(struct request *req, const char *name, int error, + * Otherwise we don't understand what happened, so abort. + */ + static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, +- struct mmc_blk_request *brq, int *ecc_err) ++ struct mmc_blk_request *brq, int *ecc_err, int *gen_err) + { + bool prev_cmd_status_valid = true; + u32 status, stop_status = 0; +@@ -665,6 +665,16 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, + (brq->cmd.resp[0] & R1_CARD_ECC_FAILED)) + *ecc_err = 1; + ++ /* Flag General errors */ ++ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) ++ if ((status & R1_ERROR) || ++ (brq->stop.resp[0] & R1_ERROR)) { ++ pr_err("%s: %s: general error sending stop or status command, stop cmd response %#x, card status %#x\n", ++ req->rq_disk->disk_name, __func__, ++ brq->stop.resp[0], status); ++ *gen_err = 1; ++ } ++ + /* + * Check the current card state. If it is in some data transfer + * mode, tell it to stop (and hopefully transition back to TRAN.) +@@ -684,6 +694,13 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, + return ERR_ABORT; + if (stop_status & R1_CARD_ECC_FAILED) + *ecc_err = 1; ++ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) ++ if (stop_status & R1_ERROR) { ++ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n", ++ req->rq_disk->disk_name, __func__, ++ stop_status); ++ *gen_err = 1; ++ } + } + + /* Check for set block count errors */ +@@ -933,7 +950,7 @@ static int mmc_blk_err_check(struct mmc_card *card, + mmc_active); + struct mmc_blk_request *brq = &mq_mrq->brq; + struct request *req = mq_mrq->req; +- int ecc_err = 0; ++ int ecc_err = 0, gen_err = 0; + + /* + * sbc.error indicates a problem with the set block count +@@ -947,7 +964,7 @@ static int mmc_blk_err_check(struct mmc_card *card, + */ + if (brq->sbc.error || brq->cmd.error || brq->stop.error || + brq->data.error) { +- switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err)) { ++ switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err, &gen_err)) { + case ERR_RETRY: + return MMC_BLK_RETRY; + case ERR_ABORT: +@@ -975,6 +992,15 @@ static int mmc_blk_err_check(struct mmc_card *card, + */ + if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) { + u32 status; ++ ++ /* Check stop command response */ ++ if (brq->stop.resp[0] & R1_ERROR) { ++ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n", ++ req->rq_disk->disk_name, __func__, ++ brq->stop.resp[0]); ++ gen_err = 1; ++ } ++ + do { + int err = get_card_status(card, &status, 5); + if (err) { +@@ -982,6 +1008,14 @@ static int mmc_blk_err_check(struct mmc_card *card, + req->rq_disk->disk_name, err); + return MMC_BLK_CMD_ERR; + } ++ ++ if (status & R1_ERROR) { ++ pr_err("%s: %s: general error sending status command, card status %#x\n", ++ req->rq_disk->disk_name, __func__, ++ status); ++ gen_err = 1; ++ } ++ + /* + * Some cards mishandle the status bits, + * so make sure to check both the busy +@@ -991,6 +1025,13 @@ static int mmc_blk_err_check(struct mmc_card *card, + (R1_CURRENT_STATE(status) == R1_STATE_PRG)); + } + ++ /* if general error occurs, retry the write operation. */ ++ if (gen_err) { ++ pr_warning("%s: retrying write for general error\n", ++ req->rq_disk->disk_name); ++ return MMC_BLK_RETRY; ++ } ++ + if (brq->data.error) { + pr_err("%s: error %d transferring data, sector %u, nr %u, cmd response %#x, card status %#x\n", + req->rq_disk->disk_name, brq->data.error, +diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c +index 9f9982f..3d6beb7 100644 +--- a/drivers/mtd/devices/m25p80.c ++++ b/drivers/mtd/devices/m25p80.c +@@ -71,7 +71,7 @@ + + /* Define max times to check status register before we give up. */ + #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */ +-#define MAX_CMD_SIZE 5 ++#define MAX_CMD_SIZE 6 + + #ifdef CONFIG_M25PXX_USE_FAST_READ + #define OPCODE_READ OPCODE_FAST_READ +@@ -874,14 +874,13 @@ static int __devinit m25p_probe(struct spi_device *spi) + } + } + +- flash = kzalloc(sizeof *flash, GFP_KERNEL); ++ flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL); + if (!flash) + return -ENOMEM; +- flash->command = kmalloc(MAX_CMD_SIZE + FAST_READ_DUMMY_BYTE, GFP_KERNEL); +- if (!flash->command) { +- kfree(flash); ++ ++ flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL); ++ if (!flash->command) + return -ENOMEM; +- } + + flash->spi = spi; + mutex_init(&flash->lock); +@@ -978,14 +977,10 @@ static int __devinit m25p_probe(struct spi_device *spi) + static int __devexit m25p_remove(struct spi_device *spi) + { + struct m25p *flash = dev_get_drvdata(&spi->dev); +- int status; + + /* Clean up MTD stuff. */ +- status = mtd_device_unregister(&flash->mtd); +- if (status == 0) { +- kfree(flash->command); +- kfree(flash); +- } ++ mtd_device_unregister(&flash->mtd); ++ + return 0; + } + +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +index f39f83e..d6a7764 100644 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -227,8 +227,6 @@ static void dma_irq_callback(void *param) + struct gpmi_nand_data *this = param; + struct completion *dma_c = &this->dma_done; + +- complete(dma_c); +- + switch (this->dma_type) { + case DMA_FOR_COMMAND: + dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE); +@@ -253,6 +251,8 @@ static void dma_irq_callback(void *param) + default: + pr_err("in wrong DMA operation.\n"); + } ++ ++ complete(dma_c); + } + + int start_dma_without_bch_irq(struct gpmi_nand_data *this, +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c +index daed698..46ed296 100644 +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2895,10 +2895,22 @@ static int nand_flash_detect_onfi(struct mtd_info *mtd, struct nand_chip *chip, + sanitize_string(p->model, sizeof(p->model)); + if (!mtd->name) + mtd->name = p->model; ++ + mtd->writesize = le32_to_cpu(p->byte_per_page); +- mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize; ++ ++ /* ++ * pages_per_block and blocks_per_lun may not be a power-of-2 size ++ * (don't ask me who thought of this...). MTD assumes that these ++ * dimensions will be power-of-2, so just truncate the remaining area. ++ */ ++ mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1); ++ mtd->erasesize *= mtd->writesize; ++ + mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page); +- chip->chipsize = (uint64_t)le32_to_cpu(p->blocks_per_lun) * mtd->erasesize; ++ ++ /* See erasesize comment */ ++ chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1); ++ chip->chipsize *= (uint64_t)mtd->erasesize; + *busw = 0; + if (le16_to_cpu(p->features) & 1) + *busw = NAND_BUSWIDTH_16; +diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c +index 8ed48c2..cf95bd8 100644 +--- a/drivers/net/bonding/bond_sysfs.c ++++ b/drivers/net/bonding/bond_sysfs.c +@@ -534,8 +534,9 @@ static ssize_t bonding_store_arp_interval(struct device *d, + goto out; + } + if (bond->params.mode == BOND_MODE_ALB || +- bond->params.mode == BOND_MODE_TLB) { +- pr_info("%s: ARP monitoring cannot be used with ALB/TLB. Only MII monitoring is supported on %s.\n", ++ bond->params.mode == BOND_MODE_TLB || ++ bond->params.mode == BOND_MODE_8023AD) { ++ pr_info("%s: ARP monitoring cannot be used with ALB/TLB/802.3ad. Only MII monitoring is supported on %s.\n", + bond->dev->name, bond->dev->name); + ret = -EINVAL; + goto out; +@@ -693,6 +694,8 @@ static ssize_t bonding_store_downdelay(struct device *d, + int new_value, ret = count; + struct bonding *bond = to_bond(d); + ++ if (!rtnl_trylock()) ++ return restart_syscall(); + if (!(bond->params.miimon)) { + pr_err("%s: Unable to set down delay as MII monitoring is disabled\n", + bond->dev->name); +@@ -726,6 +729,7 @@ static ssize_t bonding_store_downdelay(struct device *d, + } + + out: ++ rtnl_unlock(); + return ret; + } + static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR, +@@ -748,6 +752,8 @@ static ssize_t bonding_store_updelay(struct device *d, + int new_value, ret = count; + struct bonding *bond = to_bond(d); + ++ if (!rtnl_trylock()) ++ return restart_syscall(); + if (!(bond->params.miimon)) { + pr_err("%s: Unable to set up delay as MII monitoring is disabled\n", + bond->dev->name); +@@ -781,6 +787,7 @@ static ssize_t bonding_store_updelay(struct device *d, + } + + out: ++ rtnl_unlock(); + return ret; + } + static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR, +diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c +index 64647d4..91d1b5a 100644 +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -764,9 +764,6 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota) + msg_ctrl_save = priv->read_reg(priv, + &priv->regs->ifregs[0].msg_cntrl); + +- if (msg_ctrl_save & IF_MCONT_EOB) +- return num_rx_pkts; +- + if (msg_ctrl_save & IF_MCONT_MSGLST) { + c_can_handle_lost_msg_obj(dev, 0, msg_obj); + num_rx_pkts++; +@@ -774,6 +771,9 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota) + continue; + } + ++ if (msg_ctrl_save & IF_MCONT_EOB) ++ return num_rx_pkts; ++ + if (!(msg_ctrl_save & IF_MCONT_NEWDAT)) + continue; + +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 6a1acfe..568b821 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -488,19 +488,19 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) + uint8_t isrc, status; + int n = 0; + +- /* Shared interrupts and IRQ off? */ +- if (priv->read_reg(priv, REG_IER) == IRQ_OFF) +- return IRQ_NONE; +- + if (priv->pre_irq) + priv->pre_irq(priv); + ++ /* Shared interrupts and IRQ off? */ ++ if (priv->read_reg(priv, REG_IER) == IRQ_OFF) ++ goto out; ++ + while ((isrc = priv->read_reg(priv, REG_IR)) && (n < SJA1000_MAX_IRQ)) { +- n++; ++ + status = priv->read_reg(priv, SJA1000_REG_SR); + /* check for absent controller due to hw unplug */ + if (status == 0xFF && sja1000_is_absent(priv)) +- return IRQ_NONE; ++ goto out; + + if (isrc & IRQ_WUI) + dev_warn(dev->dev.parent, "wakeup interrupt\n"); +@@ -519,7 +519,7 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) + status = priv->read_reg(priv, SJA1000_REG_SR); + /* check for absent controller */ + if (status == 0xFF && sja1000_is_absent(priv)) +- return IRQ_NONE; ++ goto out; + } + } + if (isrc & (IRQ_DOI | IRQ_EI | IRQ_BEI | IRQ_EPI | IRQ_ALI)) { +@@ -527,8 +527,9 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) + if (sja1000_err(dev, isrc, status)) + break; + } ++ n++; + } +- ++out: + if (priv->post_irq) + priv->post_irq(priv); + +diff --git a/drivers/net/ethernet/smsc/smc91x.h b/drivers/net/ethernet/smsc/smc91x.h +index 5f53fbb..ff1af41 100644 +--- a/drivers/net/ethernet/smsc/smc91x.h ++++ b/drivers/net/ethernet/smsc/smc91x.h +@@ -46,7 +46,8 @@ + defined(CONFIG_MACH_LITTLETON) ||\ + defined(CONFIG_MACH_ZYLONITE2) ||\ + defined(CONFIG_ARCH_VIPER) ||\ +- defined(CONFIG_MACH_STARGATE2) ++ defined(CONFIG_MACH_STARGATE2) ||\ ++ defined(CONFIG_ARCH_VERSATILE) + + #include <asm/mach-types.h> + +@@ -154,6 +155,8 @@ static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg) + #define SMC_outl(v, a, r) writel(v, (a) + (r)) + #define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) + #define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) ++#define SMC_insw(a, r, p, l) readsw((a) + (r), p, l) ++#define SMC_outsw(a, r, p, l) writesw((a) + (r), p, l) + #define SMC_IRQ_FLAGS (-1) /* from resource */ + + /* We actually can't write halfwords properly if not word aligned */ +@@ -206,23 +209,6 @@ SMC_outw(u16 val, void __iomem *ioaddr, int reg) + #define RPC_LSA_DEFAULT RPC_LED_TX_RX + #define RPC_LSB_DEFAULT RPC_LED_100_10 + +-#elif defined(CONFIG_ARCH_VERSATILE) +- +-#define SMC_CAN_USE_8BIT 1 +-#define SMC_CAN_USE_16BIT 1 +-#define SMC_CAN_USE_32BIT 1 +-#define SMC_NOWAIT 1 +- +-#define SMC_inb(a, r) readb((a) + (r)) +-#define SMC_inw(a, r) readw((a) + (r)) +-#define SMC_inl(a, r) readl((a) + (r)) +-#define SMC_outb(v, a, r) writeb(v, (a) + (r)) +-#define SMC_outw(v, a, r) writew(v, (a) + (r)) +-#define SMC_outl(v, a, r) writel(v, (a) + (r)) +-#define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) +-#define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) +-#define SMC_IRQ_FLAGS (-1) /* from resource */ +- + #elif defined(CONFIG_MN10300) + + /* +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 1161584..2f319d1 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -985,8 +985,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock, + if (error < 0) + goto end; + +- m->msg_namelen = 0; +- + if (skb) { + total_len = min_t(size_t, total_len, skb->len); + error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len); +diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c +index d8d8f0d..35d86fa 100644 +--- a/drivers/net/wireless/libertas/debugfs.c ++++ b/drivers/net/wireless/libertas/debugfs.c +@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + char *p2; + struct debug_data *d = f->private_data; + +- pdata = kmalloc(cnt, GFP_KERNEL); ++ if (cnt == 0) ++ return 0; ++ ++ pdata = kmalloc(cnt + 1, GFP_KERNEL); + if (pdata == NULL) + return 0; + +@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + kfree(pdata); + return 0; + } ++ pdata[cnt] = '\0'; + + p0 = pdata; + for (i = 0; i < num_of_items; i++) { +diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c +index 17f8720..72b253d2 100644 +--- a/drivers/net/wireless/mwifiex/sdio.c ++++ b/drivers/net/wireless/mwifiex/sdio.c +@@ -936,7 +936,10 @@ static int mwifiex_decode_rx_packet(struct mwifiex_adapter *adapter, + struct sk_buff *skb, u32 upld_typ) + { + u8 *cmd_buf; ++ __le16 *curr_ptr = (__le16 *)skb->data; ++ u16 pkt_len = le16_to_cpu(*curr_ptr); + ++ skb_trim(skb, pkt_len); + skb_pull(skb, INTF_HEADER_LEN); + + switch (upld_typ) { +diff --git a/drivers/net/wireless/prism54/islpci_dev.c b/drivers/net/wireless/prism54/islpci_dev.c +index 5d0f615..e2fa538 100644 +--- a/drivers/net/wireless/prism54/islpci_dev.c ++++ b/drivers/net/wireless/prism54/islpci_dev.c +@@ -812,6 +812,10 @@ static const struct net_device_ops islpci_netdev_ops = { + .ndo_validate_addr = eth_validate_addr, + }; + ++static struct device_type wlan_type = { ++ .name = "wlan", ++}; ++ + struct net_device * + islpci_setup(struct pci_dev *pdev) + { +@@ -822,9 +826,8 @@ islpci_setup(struct pci_dev *pdev) + return ndev; + + pci_set_drvdata(pdev, ndev); +-#if defined(SET_NETDEV_DEV) + SET_NETDEV_DEV(ndev, &pdev->dev); +-#endif ++ SET_NETDEV_DEVTYPE(ndev, &wlan_type); + + /* setup the structure members */ + ndev->base_addr = pci_resource_start(pdev, 0); +diff --git a/drivers/net/wireless/rt2x00/rt2400pci.c b/drivers/net/wireless/rt2x00/rt2400pci.c +index 0ea85f4..131b22b 100644 +--- a/drivers/net/wireless/rt2x00/rt2400pci.c ++++ b/drivers/net/wireless/rt2x00/rt2400pci.c +@@ -1253,7 +1253,7 @@ static void rt2400pci_fill_rxdone(struct queue_entry *entry, + */ + rxdesc->timestamp = ((u64)rx_high << 32) | rx_low; + rxdesc->signal = rt2x00_get_field32(word2, RXD_W2_SIGNAL) & ~0x08; +- rxdesc->rssi = rt2x00_get_field32(word2, RXD_W3_RSSI) - ++ rxdesc->rssi = rt2x00_get_field32(word3, RXD_W3_RSSI) - + entry->queue->rt2x00dev->rssi_offset; + rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); + +diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c +index 921da9a..5c38281 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c +@@ -771,6 +771,9 @@ void rt2x00mac_flush(struct ieee80211_hw *hw, bool drop) + struct rt2x00_dev *rt2x00dev = hw->priv; + struct data_queue *queue; + ++ if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) ++ return; ++ + tx_queue_for_each(rt2x00dev, queue) + rt2x00queue_flush_queue(queue, drop); + } +diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c +index b4ce934..a917a22 100644 +--- a/drivers/net/wireless/rtlwifi/base.c ++++ b/drivers/net/wireless/rtlwifi/base.c +@@ -31,6 +31,7 @@ + + #include <linux/ip.h> + #include <linux/module.h> ++#include <linux/udp.h> + #include "wifi.h" + #include "rc.h" + #include "base.h" +@@ -956,60 +957,51 @@ u8 rtl_is_special_data(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) + if (!ieee80211_is_data(fc)) + return false; + ++ ip = (const struct iphdr *)(skb->data + mac_hdr_len + ++ SNAP_SIZE + PROTOC_TYPE_SIZE); ++ ether_type = be16_to_cpup((__be16 *) ++ (skb->data + mac_hdr_len + SNAP_SIZE)); + +- ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len + +- SNAP_SIZE + PROTOC_TYPE_SIZE); +- ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE); +- /* ether_type = ntohs(ether_type); */ +- +- if (ETH_P_IP == ether_type) { +- if (IPPROTO_UDP == ip->protocol) { +- struct udphdr *udp = (struct udphdr *)((u8 *) ip + +- (ip->ihl << 2)); +- if (((((u8 *) udp)[1] == 68) && +- (((u8 *) udp)[3] == 67)) || +- ((((u8 *) udp)[1] == 67) && +- (((u8 *) udp)[3] == 68))) { +- /* +- * 68 : UDP BOOTP client +- * 67 : UDP BOOTP server +- */ +- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), +- DBG_DMESG, ("dhcp %s !!\n", +- (is_tx) ? "Tx" : "Rx")); +- +- if (is_tx) { +- rtl_lps_leave(hw); +- ppsc->last_delaylps_stamp_jiffies = +- jiffies; +- } +- +- return true; +- } +- } +- } else if (ETH_P_ARP == ether_type) { +- if (is_tx) { +- rtl_lps_leave(hw); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } ++ switch (ether_type) { ++ case ETH_P_IP: { ++ struct udphdr *udp; ++ u16 src; ++ u16 dst; + +- return true; +- } else if (ETH_P_PAE == ether_type) { +- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, +- ("802.1X %s EAPOL pkt!!\n", (is_tx) ? "Tx" : "Rx")); ++ if (ip->protocol != IPPROTO_UDP) ++ return false; ++ udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2)); ++ src = be16_to_cpu(udp->source); ++ dst = be16_to_cpu(udp->dest); + +- if (is_tx) { +- rtl_lps_leave(hw); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } ++ /* If this case involves port 68 (UDP BOOTP client) connecting ++ * with port 67 (UDP BOOTP server), then return true so that ++ * the lowest speed is used. ++ */ ++ if (!((src == 68 && dst == 67) || (src == 67 && dst == 68))) ++ return false; + +- return true; +- } else if (ETH_P_IPV6 == ether_type) { +- /* IPv6 */ +- return true; ++ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, ++ ("dhcp %s !!\n", is_tx ? "Tx" : "Rx")); ++ break; + } +- +- return false; ++ case ETH_P_ARP: ++ break; ++ case ETH_P_PAE: ++ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, ++ ("802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx")); ++ break; ++ case ETH_P_IPV6: ++ /* TODO: Is this right? */ ++ return false; ++ default: ++ return false; ++ } ++ if (is_tx) { ++ rtl_lps_leave(hw); ++ ppsc->last_delaylps_stamp_jiffies = jiffies; ++ } ++ return true; + } + + /********************************************************* +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c +index 060a06f..5515215 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c +@@ -782,7 +782,7 @@ static long _rtl92c_signal_scale_mapping(struct ieee80211_hw *hw, + + static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, + struct rtl_stats *pstats, +- struct rx_desc_92c *pdesc, ++ struct rx_desc_92c *p_desc, + struct rx_fwinfo_92c *p_drvinfo, + bool packet_match_bssid, + bool packet_toself, +@@ -797,11 +797,11 @@ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, + u32 rssi, total_rssi = 0; + bool in_powersavemode = false; + bool is_cck_rate; ++ u8 *pdesc = (u8 *)p_desc; + +- is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc); ++ is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc); + pstats->packet_matchbssid = packet_match_bssid; + pstats->packet_toself = packet_toself; +- pstats->is_cck = is_cck_rate; + pstats->packet_beacon = packet_beacon; + pstats->is_cck = is_cck_rate; + pstats->RX_SIGQ[0] = -1; +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c +index a7e1a2c..a6ea2d9 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c +@@ -303,10 +303,10 @@ out: + bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, + struct rtl_stats *stats, + struct ieee80211_rx_status *rx_status, +- u8 *p_desc, struct sk_buff *skb) ++ u8 *pdesc, struct sk_buff *skb) + { + struct rx_fwinfo_92c *p_drvinfo; +- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; ++ struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc; + u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc); + + stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc); +@@ -345,11 +345,11 @@ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, + if (phystatus) { + p_drvinfo = (struct rx_fwinfo_92c *)(skb->data + + stats->rx_bufshift); +- rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc, ++ rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc, + p_drvinfo); + } + /*rx_status->qual = stats->signal; */ +- rx_status->signal = stats->rssi + 10; ++ rx_status->signal = stats->recvsignalpower + 10; + /*rx_status->noise = -stats->noise; */ + return true; + } +diff --git a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c +index 3637c0c..639b57b 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c +@@ -529,7 +529,7 @@ bool rtl92de_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats, + p_drvinfo); + } + /*rx_status->qual = stats->signal; */ +- rx_status->signal = stats->rssi + 10; ++ rx_status->signal = stats->recvsignalpower + 10; + /*rx_status->noise = -stats->noise; */ + return true; + } +diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c +index 0ad50fe..13081d9 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c +@@ -274,7 +274,7 @@ static void _rtl92s_get_txpower_writeval_byregulatory(struct ieee80211_hw *hw, + rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]) { + pwrdiff_limit[i] = +- rtlefuse->pwrgroup_ht20 ++ rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]; + } + } else { +diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c +index fbebe3e..542a871 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c +@@ -582,7 +582,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats, + } + + /*rx_status->qual = stats->signal; */ +- rx_status->signal = stats->rssi + 10; ++ rx_status->signal = stats->recvsignalpower + 10; + /*rx_status->noise = -stats->noise; */ + + return true; +diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h +index 82baaa2..5764ef7 100644 +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -73,11 +73,7 @@ + #define RTL_SLOT_TIME_9 9 + #define RTL_SLOT_TIME_20 20 + +-/*related with tcp/ip. */ +-/*if_ehther.h*/ +-#define ETH_P_PAE 0x888E /*Port Access Entity (IEEE 802.1X) */ +-#define ETH_P_IP 0x0800 /*Internet Protocol packet */ +-#define ETH_P_ARP 0x0806 /*Address Resolution packet */ ++/*related to tcp/ip. */ + #define SNAP_SIZE 6 + #define PROTOC_TYPE_SIZE 2 + +diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c +index e0610bd..7e41b70 100644 +--- a/drivers/pci/pcie/portdrv_pci.c ++++ b/drivers/pci/pcie/portdrv_pci.c +@@ -151,7 +151,6 @@ static int __devinit pcie_portdrv_probe(struct pci_dev *dev, + static void pcie_portdrv_remove(struct pci_dev *dev) + { + pcie_port_device_remove(dev); +- pci_disable_device(dev); + } + + static int error_detected_iter(struct device *device, void *data) +diff --git a/drivers/rtc/rtc-at91rm9200.c b/drivers/rtc/rtc-at91rm9200.c +index e39b77a..15406d5 100644 +--- a/drivers/rtc/rtc-at91rm9200.c ++++ b/drivers/rtc/rtc-at91rm9200.c +@@ -156,6 +156,8 @@ static int at91_rtc_setalarm(struct device *dev, struct rtc_wkalrm *alrm) + + at91_alarm_year = tm.tm_year; + ++ tm.tm_mon = alrm->time.tm_mon; ++ tm.tm_mday = alrm->time.tm_mday; + tm.tm_hour = alrm->time.tm_hour; + tm.tm_min = alrm->time.tm_min; + tm.tm_sec = alrm->time.tm_sec; +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index fff57de..55f6488 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) + struct qeth_cmd_buffer *iob; + struct qeth_ipa_cmd *cmd; + struct qeth_snmp_ureq *ureq; +- int req_len; ++ unsigned int req_len; + struct qeth_arp_query_info qinfo = {0, }; + int rc = 0; + +@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) + /* skip 4 bytes (data_len struct member) to get req_len */ + if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int))) + return -EFAULT; ++ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE - ++ sizeof(struct qeth_ipacmd_hdr) - ++ sizeof(struct qeth_ipacmd_setadpparms_hdr))) ++ return -EINVAL; + ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr)); + if (IS_ERR(ureq)) { + QETH_CARD_TEXT(card, 2, "snmpnome"); +diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c +index 8a0b330..1254431 100644 +--- a/drivers/scsi/aacraid/commctrl.c ++++ b/drivers/scsi/aacraid/commctrl.c +@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) + goto cleanup; + } + +- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { ++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || ++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { + rcode = -EINVAL; + goto cleanup; + } +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 0f48550..5b7e1bf 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -1186,7 +1186,7 @@ static void complete_scsi_command(struct CommandList *cp) + "has check condition: aborted command: " + "ASC: 0x%x, ASCQ: 0x%x\n", + cp, asc, ascq); +- cmd->result = DID_SOFT_ERROR << 16; ++ cmd->result |= DID_SOFT_ERROR << 16; + break; + } + /* Must be some other type of check condition */ +@@ -4465,7 +4465,7 @@ reinit_after_soft_reset: + hpsa_hba_inquiry(h); + hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */ + start_controller_lockup_detector(h); +- return 1; ++ return 0; + + clean4: + hpsa_free_sg_chain_blocks(h); +diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c +index 4868fc9..5e170e3 100644 +--- a/drivers/scsi/libsas/sas_ata.c ++++ b/drivers/scsi/libsas/sas_ata.c +@@ -197,7 +197,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc) + qc->tf.nsect = 0; + } + +- ata_tf_to_fis(&qc->tf, 1, 0, (u8*)&task->ata_task.fis); ++ ata_tf_to_fis(&qc->tf, qc->dev->link->pmp, 1, (u8 *)&task->ata_task.fis); + task->uldd_task = qc; + if (ata_is_atapi(qc->tf.protocol)) { + memcpy(task->ata_task.atapi_packet, qc->cdb, qc->dev->cdb_len); +diff --git a/drivers/staging/tidspbridge/Kconfig b/drivers/staging/tidspbridge/Kconfig +index 93de4f2..b27d9aa 100644 +--- a/drivers/staging/tidspbridge/Kconfig ++++ b/drivers/staging/tidspbridge/Kconfig +@@ -4,7 +4,7 @@ + + menuconfig TIDSPBRIDGE + tristate "DSP Bridge driver" +- depends on ARCH_OMAP3 ++ depends on ARCH_OMAP3 && BROKEN + select OMAP_MBOX_FWK + help + DSP/BIOS Bridge is designed for platforms that contain a GPP and +diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c +index 1fae1e9..fc552d8 100644 +--- a/drivers/staging/zram/zram_sysfs.c ++++ b/drivers/staging/zram/zram_sysfs.c +@@ -95,20 +95,27 @@ static ssize_t reset_store(struct device *dev, + zram = dev_to_zram(dev); + bdev = bdget_disk(zram->disk, 0); + ++ if (!bdev) ++ return -ENOMEM; ++ + /* Do not reset an active device! */ +- if (bdev->bd_holders) +- return -EBUSY; ++ if (bdev->bd_holders) { ++ ret = -EBUSY; ++ goto out; ++ } + + ret = strict_strtoul(buf, 10, &do_reset); + if (ret) +- return ret; ++ goto out; + +- if (!do_reset) +- return -EINVAL; ++ if (!do_reset) { ++ ret = -EINVAL; ++ goto out; ++ } + + /* Make sure all pending I/O is finished */ +- if (bdev) +- fsync_bdev(bdev); ++ fsync_bdev(bdev); ++ bdput(bdev); + + down_write(&zram->init_lock); + if (zram->init_done) +@@ -116,6 +123,10 @@ static ssize_t reset_store(struct device *dev, + up_write(&zram->init_lock); + + return len; ++ ++out: ++ bdput(bdev); ++ return ret; + } + + static ssize_t num_reads_show(struct device *dev, +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c +index 1cd6ce3..59e7378 100644 +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -172,6 +172,7 @@ static int chap_server_compute_md5( + unsigned char client_digest[MD5_SIGNATURE_SIZE]; + unsigned char server_digest[MD5_SIGNATURE_SIZE]; + unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; ++ size_t compare_len; + struct iscsi_chap *chap = (struct iscsi_chap *) conn->auth_protocol; + struct crypto_hash *tfm; + struct hash_desc desc; +@@ -210,7 +211,9 @@ static int chap_server_compute_md5( + goto out; + } + +- if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) { ++ /* Include the terminating NULL in the compare */ ++ compare_len = strlen(auth->userid) + 1; ++ if (strncmp(chap_n, auth->userid, compare_len) != 0) { + pr_err("CHAP_N values do not match!\n"); + goto out; + } +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 7d85f88..3486d12 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -89,7 +89,7 @@ int extract_param( + if (len < 0) + return -1; + +- if (len > max_length) { ++ if (len >= max_length) { + pr_err("Length of input: %d exeeds max_length:" + " %d\n", len, max_length); + return -1; +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 0cdff38..636ee9e 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1448,6 +1448,8 @@ static int acm_reset_resume(struct usb_interface *intf) + + static const struct usb_device_id acm_ids[] = { + /* quirky and broken devices */ ++ { USB_DEVICE(0x17ef, 0x7000), /* Lenovo USB modem */ ++ .driver_info = NO_UNION_NORMAL, },/* has no union descriptor */ + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index a5ea85f..7013165 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -900,6 +900,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_PORT_LINK_STATE); + } ++ if (portchange & USB_PORT_STAT_C_RESET) { ++ need_debounce_delay = true; ++ clear_port_feature(hub->hdev, port1, ++ USB_PORT_FEAT_C_RESET); ++ } + + if ((portchange & USB_PORT_STAT_C_BH_RESET) && + hub_is_superspeed(hub->hdev)) { +@@ -3749,8 +3754,9 @@ static void hub_events(void) + hub->hdev->children[i - 1]; + + dev_dbg(hub_dev, "warm reset port %d\n", i); +- if (!udev || !(portstatus & +- USB_PORT_STAT_CONNECTION)) { ++ if (!udev || ++ !(portstatus & USB_PORT_STAT_CONNECTION) || ++ udev->state == USB_STATE_NOTATTACHED) { + status = hub_port_reset(hub, i, + NULL, HUB_BH_RESET_TIME, + true); +@@ -4018,6 +4024,12 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + } + parent_hub = hdev_to_hub(parent_hdev); + ++ /* Disable USB2 hardware LPM. ++ * It will be re-enabled by the enumeration process. ++ */ ++ if (udev->usb2_hw_lpm_enabled == 1) ++ usb_set_usb2_hardware_lpm(udev, 0); ++ + set_bit(port1, parent_hub->busy_bits); + for (i = 0; i < SET_CONFIG_TRIES; ++i) { + +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c +index c0dcf69..c4134e8 100644 +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -394,6 +394,8 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc, + dep = dwc3_wIndex_to_dep(dwc, ctrl->wIndex); + if (!dep) + return -EINVAL; ++ if (set == 0 && (dep->flags & DWC3_EP_WEDGE)) ++ break; + ret = __dwc3_gadget_ep_set_halt(dep, set); + if (ret) + return -EINVAL; +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 619ee19..5f2e3d0 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -903,9 +903,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) + else + dep->flags |= DWC3_EP_STALL; + } else { +- if (dep->flags & DWC3_EP_WEDGE) +- return 0; +- + ret = dwc3_send_gadget_ep_cmd(dwc, dep->number, + DWC3_DEPCMD_CLEARSTALL, ¶ms); + if (ret) +@@ -913,7 +910,7 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) + value ? "set" : "clear", + dep->name); + else +- dep->flags &= ~DWC3_EP_STALL; ++ dep->flags &= ~(DWC3_EP_STALL | DWC3_EP_WEDGE); + } + + return ret; +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index f71b078..4484ef1 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -585,6 +585,7 @@ static void reset_config(struct usb_composite_dev *cdev) + bitmap_zero(f->endpoints, 32); + } + cdev->config = NULL; ++ cdev->delayed_status = 0; + } + + static int set_config(struct usb_composite_dev *cdev, +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index a3f6fe0..85504bb 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2192,6 +2192,20 @@ static void ftdi_set_termios(struct tty_struct *tty, + termios->c_cflag |= CRTSCTS; + } + ++ /* ++ * All FTDI UART chips are limited to CS7/8. We won't pretend to ++ * support CS5/6 and revert the CSIZE setting instead. ++ */ ++ if ((C_CSIZE(tty) != CS8) && (C_CSIZE(tty) != CS7)) { ++ dev_warn(&port->dev, "requested CSIZE setting not supported\n"); ++ ++ termios->c_cflag &= ~CSIZE; ++ if (old_termios) ++ termios->c_cflag |= old_termios->c_cflag & CSIZE; ++ else ++ termios->c_cflag |= CS8; ++ } ++ + cflag = termios->c_cflag; + + if (!old_termios) +@@ -2228,13 +2242,16 @@ no_skip: + } else { + urb_value |= FTDI_SIO_SET_DATA_PARITY_NONE; + } +- if (cflag & CSIZE) { +- switch (cflag & CSIZE) { +- case CS7: urb_value |= 7; dbg("Setting CS7"); break; +- case CS8: urb_value |= 8; dbg("Setting CS8"); break; +- default: +- dev_err(&port->dev, "CSIZE was set but not CS7-CS8\n"); +- } ++ switch (cflag & CSIZE) { ++ case CS7: ++ urb_value |= 7; ++ dev_dbg(&port->dev, "Setting CS7\n"); ++ break; ++ default: ++ case CS8: ++ urb_value |= 8; ++ dev_dbg(&port->dev, "Setting CS8\n"); ++ break; + } + + /* This is needed by the break command since it uses the same command +diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c +index 9f0b2bf..c0e6486 100644 +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -228,14 +228,7 @@ retry: + return result; + } + +- /* Try sending off another urb, unless in irq context (in which case +- * there will be no free urb). */ +- if (!in_irq()) +- goto retry; +- +- clear_bit_unlock(USB_SERIAL_WRITE_BUSY, &port->flags); +- +- return 0; ++ goto retry; /* try sending off another urb */ + } + + /** +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index 5d2501e..80fc40a 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -1689,7 +1689,11 @@ static int mos7840_tiocmget(struct tty_struct *tty) + return -ENODEV; + + status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr); ++ if (status != 1) ++ return -EIO; + status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr); ++ if (status != 1) ++ return -EIO; + result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0) + | ((mcr & MCR_RTS) ? TIOCM_RTS : 0) + | ((mcr & MCR_LOOPBACK) ? TIOCM_LOOP : 0) +@@ -1983,25 +1987,25 @@ static void mos7840_change_port_settings(struct tty_struct *tty, + iflag = tty->termios->c_iflag; + + /* Change the number of bits */ +- if (cflag & CSIZE) { +- switch (cflag & CSIZE) { +- case CS5: +- lData = LCR_BITS_5; +- break; ++ switch (cflag & CSIZE) { ++ case CS5: ++ lData = LCR_BITS_5; ++ break; + +- case CS6: +- lData = LCR_BITS_6; +- break; ++ case CS6: ++ lData = LCR_BITS_6; ++ break; + +- case CS7: +- lData = LCR_BITS_7; +- break; +- default: +- case CS8: +- lData = LCR_BITS_8; +- break; +- } ++ case CS7: ++ lData = LCR_BITS_7; ++ break; ++ ++ default: ++ case CS8: ++ lData = LCR_BITS_8; ++ break; + } ++ + /* Change the Parity bit */ + if (cflag & PARENB) { + if (cflag & PARODD) { +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index d8ace82..d6d0fb4 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -85,6 +85,7 @@ static void option_instat_callback(struct urb *urb); + #define HUAWEI_PRODUCT_K4505 0x1464 + #define HUAWEI_PRODUCT_K3765 0x1465 + #define HUAWEI_PRODUCT_K4605 0x14C6 ++#define HUAWEI_PRODUCT_E173S6 0x1C07 + + #define QUANTA_VENDOR_ID 0x0408 + #define QUANTA_PRODUCT_Q101 0xEA02 +@@ -586,6 +587,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173S6, 0xff, 0xff, 0xff), ++ .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t) &net_intf2_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) }, +@@ -648,6 +651,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x7A) }, +@@ -702,6 +709,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7A) }, +@@ -756,6 +767,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7A) }, +@@ -810,6 +825,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7A) }, +@@ -864,6 +883,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7A) }, +@@ -918,6 +941,10 @@ static const struct usb_device_id option_ids[] = { + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6D) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6E) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6F) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x72) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x73) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x74) }, ++ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x75) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x78) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x79) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7A) }, +@@ -1391,6 +1418,23 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff), /* ZTE MF91 */ + .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1545, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1546, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1547, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1565, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1566, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1567, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1589, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1590, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1591, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1592, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1594, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1596, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1598, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1600, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, + 0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_k3765_z_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) }, +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 317e503..e3936c1 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -290,24 +290,21 @@ static void pl2303_set_termios(struct tty_struct *tty, + dbg("0xa1:0x21:0:0 %d - %x %x %x %x %x %x %x", i, + buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6]); + +- if (cflag & CSIZE) { +- switch (cflag & CSIZE) { +- case CS5: +- buf[6] = 5; +- break; +- case CS6: +- buf[6] = 6; +- break; +- case CS7: +- buf[6] = 7; +- break; +- default: +- case CS8: +- buf[6] = 8; +- break; +- } +- dbg("%s - data bits = %d", __func__, buf[6]); ++ switch (C_CSIZE(tty)) { ++ case CS5: ++ buf[6] = 5; ++ break; ++ case CS6: ++ buf[6] = 6; ++ break; ++ case CS7: ++ buf[6] = 7; ++ break; ++ default: ++ case CS8: ++ buf[6] = 8; + } ++ dev_dbg(&port->dev, "data bits = %d\n", buf[6]); + + /* For reference buf[0]:buf[3] baud rate value */ + /* NOTE: Only the values defined in baud_sup are supported ! +diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c +index f3179b0..2f67b99 100644 +--- a/drivers/usb/serial/spcp8x5.c ++++ b/drivers/usb/serial/spcp8x5.c +@@ -394,22 +394,20 @@ static void spcp8x5_set_termios(struct tty_struct *tty, + } + + /* Set Data Length : 00:5bit, 01:6bit, 10:7bit, 11:8bit */ +- if (cflag & CSIZE) { +- switch (cflag & CSIZE) { +- case CS5: +- buf[1] |= SET_UART_FORMAT_SIZE_5; +- break; +- case CS6: +- buf[1] |= SET_UART_FORMAT_SIZE_6; +- break; +- case CS7: +- buf[1] |= SET_UART_FORMAT_SIZE_7; +- break; +- default: +- case CS8: +- buf[1] |= SET_UART_FORMAT_SIZE_8; +- break; +- } ++ switch (cflag & CSIZE) { ++ case CS5: ++ buf[1] |= SET_UART_FORMAT_SIZE_5; ++ break; ++ case CS6: ++ buf[1] |= SET_UART_FORMAT_SIZE_6; ++ break; ++ case CS7: ++ buf[1] |= SET_UART_FORMAT_SIZE_7; ++ break; ++ default: ++ case CS8: ++ buf[1] |= SET_UART_FORMAT_SIZE_8; ++ break; + } + + /* Set Stop bit2 : 0:1bit 1:2bit */ +diff --git a/drivers/usb/wusbcore/wa-rpipe.c b/drivers/usb/wusbcore/wa-rpipe.c +index f0d546c..ca1031b 100644 +--- a/drivers/usb/wusbcore/wa-rpipe.c ++++ b/drivers/usb/wusbcore/wa-rpipe.c +@@ -332,7 +332,10 @@ static int rpipe_aim(struct wa_rpipe *rpipe, struct wahc *wa, + /* FIXME: compute so seg_size > ep->maxpktsize */ + rpipe->descr.wBlocks = cpu_to_le16(16); /* given */ + /* ep0 maxpktsize is 0x200 (WUSB1.0[4.8.1]) */ +- rpipe->descr.wMaxPacketSize = cpu_to_le16(ep->desc.wMaxPacketSize); ++ if (usb_endpoint_xfer_isoc(&ep->desc)) ++ rpipe->descr.wMaxPacketSize = epcd->wOverTheAirPacketSize; ++ else ++ rpipe->descr.wMaxPacketSize = ep->desc.wMaxPacketSize; + rpipe->descr.bHSHubAddress = 0; /* reserved: zero */ + rpipe->descr.bHSHubPort = wusb_port_no_to_idx(urb->dev->portnum); + /* FIXME: use maximum speed as supported or recommended by device */ +diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c +index 57c01ab..5f6df6e 100644 +--- a/drivers/usb/wusbcore/wa-xfer.c ++++ b/drivers/usb/wusbcore/wa-xfer.c +@@ -90,7 +90,8 @@ + #include "wusbhc.h" + + enum { +- WA_SEGS_MAX = 255, ++ /* [WUSB] section 8.3.3 allocates 7 bits for the segment index. */ ++ WA_SEGS_MAX = 128, + }; + + enum wa_seg_status { +@@ -444,7 +445,7 @@ static ssize_t __wa_xfer_setup_sizes(struct wa_xfer *xfer, + xfer->seg_size = (xfer->seg_size / maxpktsize) * maxpktsize; + xfer->segs = (urb->transfer_buffer_length + xfer->seg_size - 1) + / xfer->seg_size; +- if (xfer->segs >= WA_SEGS_MAX) { ++ if (xfer->segs > WA_SEGS_MAX) { + dev_err(dev, "BUG? ops, number of segments %d bigger than %d\n", + (int)(urb->transfer_buffer_length / xfer->seg_size), + WA_SEGS_MAX); +diff --git a/drivers/video/backlight/atmel-pwm-bl.c b/drivers/video/backlight/atmel-pwm-bl.c +index 0443a4f..dab3a0c 100644 +--- a/drivers/video/backlight/atmel-pwm-bl.c ++++ b/drivers/video/backlight/atmel-pwm-bl.c +@@ -70,7 +70,7 @@ static int atmel_pwm_bl_set_intensity(struct backlight_device *bd) + static int atmel_pwm_bl_get_intensity(struct backlight_device *bd) + { + struct atmel_pwm_bl *pwmbl = bl_get_data(bd); +- u8 intensity; ++ u32 intensity; + + if (pwmbl->pdata->pwm_active_low) { + intensity = pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY) - +@@ -80,7 +80,7 @@ static int atmel_pwm_bl_get_intensity(struct backlight_device *bd) + pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY); + } + +- return intensity; ++ return intensity & 0xffff; + } + + static int atmel_pwm_bl_init_pwm(struct atmel_pwm_bl *pwmbl) +@@ -211,7 +211,8 @@ static int __exit atmel_pwm_bl_remove(struct platform_device *pdev) + struct atmel_pwm_bl *pwmbl = platform_get_drvdata(pdev); + + if (pwmbl->gpio_on != -1) { +- gpio_set_value(pwmbl->gpio_on, 0); ++ gpio_set_value(pwmbl->gpio_on, ++ 0 ^ pwmbl->pdata->on_active_low); + gpio_free(pwmbl->gpio_on); + } + pwm_channel_disable(&pwmbl->pwmc); +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index c858a29..969f74f 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -3437,11 +3437,13 @@ static __u16 ACL_to_cifs_posix(char *parm_data, const char *pACL, + return 0; + } + cifs_acl->version = cpu_to_le16(1); +- if (acl_type == ACL_TYPE_ACCESS) ++ if (acl_type == ACL_TYPE_ACCESS) { + cifs_acl->access_entry_count = cpu_to_le16(count); +- else if (acl_type == ACL_TYPE_DEFAULT) ++ cifs_acl->default_entry_count = __constant_cpu_to_le16(0xFFFF); ++ } else if (acl_type == ACL_TYPE_DEFAULT) { + cifs_acl->default_entry_count = cpu_to_le16(count); +- else { ++ cifs_acl->access_entry_count = __constant_cpu_to_le16(0xFFFF); ++ } else { + cFYI(1, "unknown ACL type %d", acl_type); + return 0; + } +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 9a37a9b..5ef72c8 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -56,10 +56,19 @@ static void configfs_d_iput(struct dentry * dentry, + struct configfs_dirent *sd = dentry->d_fsdata; + + if (sd) { +- BUG_ON(sd->s_dentry != dentry); + /* Coordinate with configfs_readdir */ + spin_lock(&configfs_dirent_lock); +- sd->s_dentry = NULL; ++ /* Coordinate with configfs_attach_attr where will increase ++ * sd->s_count and update sd->s_dentry to new allocated one. ++ * Only set sd->dentry to null when this dentry is the only ++ * sd owner. ++ * If not do so, configfs_d_iput may run just after ++ * configfs_attach_attr and set sd->s_dentry to null ++ * even it's still in use. ++ */ ++ if (atomic_read(&sd->s_count) <= 2) ++ sd->s_dentry = NULL; ++ + spin_unlock(&configfs_dirent_lock); + configfs_put(sd); + } +@@ -436,8 +445,11 @@ static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * den + struct configfs_attribute * attr = sd->s_element; + int error; + ++ spin_lock(&configfs_dirent_lock); + dentry->d_fsdata = configfs_get(sd); + sd->s_dentry = dentry; ++ spin_unlock(&configfs_dirent_lock); ++ + error = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG, + configfs_init_file); + if (error) { +diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c +index d5d5297..2a95047 100644 +--- a/fs/devpts/inode.c ++++ b/fs/devpts/inode.c +@@ -413,6 +413,7 @@ static void devpts_kill_sb(struct super_block *sb) + { + struct pts_fs_info *fsi = DEVPTS_SB(sb); + ++ ida_destroy(&fsi->allocated_ptys); + kfree(fsi); + kill_litter_super(sb); + } +diff --git a/fs/exec.c b/fs/exec.c +index a2d0e51..78199eb 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -2032,6 +2032,12 @@ static int __get_dumpable(unsigned long mm_flags) + return (ret >= 2) ? 2 : ret; + } + ++/* ++ * This returns the actual value of the suid_dumpable flag. For things ++ * that are using this for checking for privilege transitions, it must ++ * test against SUID_DUMP_USER rather than treating it as a boolean ++ * value. ++ */ + int get_dumpable(struct mm_struct *mm) + { + return __get_dumpable(mm->flags); +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index b4e9f3f..05617bd 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1271,6 +1271,7 @@ retry: + new_extra_isize = s_min_extra_isize; + kfree(is); is = NULL; + kfree(bs); bs = NULL; ++ brelse(bh); + goto retry; + } + error = -1; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5639efd..3d02931 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3764,8 +3764,7 @@ nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server, + dprintk("%s ERROR %d, Reset session\n", __func__, + task->tk_status); + nfs4_schedule_session_recovery(clp->cl_session); +- task->tk_status = 0; +- return -EAGAIN; ++ goto wait_on_recovery; + #endif /* CONFIG_NFS_V4_1 */ + case -NFS4ERR_DELAY: + nfs_inc_server_stats(server, NFSIOS_DELAY); +@@ -3887,11 +3886,17 @@ static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata) + return; + + switch (task->tk_status) { +- case -NFS4ERR_STALE_STATEID: +- case -NFS4ERR_EXPIRED: + case 0: + renew_lease(data->res.server, data->timestamp); + break; ++ case -NFS4ERR_ADMIN_REVOKED: ++ case -NFS4ERR_DELEG_REVOKED: ++ case -NFS4ERR_BAD_STATEID: ++ case -NFS4ERR_OLD_STATEID: ++ case -NFS4ERR_STALE_STATEID: ++ case -NFS4ERR_EXPIRED: ++ task->tk_status = 0; ++ break; + default: + if (nfs4_async_handle_error(task, data->res.server, NULL) == + -EAGAIN) { +@@ -4052,6 +4057,7 @@ static int _nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock + status = 0; + } + request->fl_ops->fl_release_private(request); ++ request->fl_ops = NULL; + out: + return status; + } +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 99625b8..ade5316 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -177,8 +177,8 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes) + */ + memcpy(p, argp->p, avail); + /* step to next page */ +- argp->pagelist++; + argp->p = page_address(argp->pagelist[0]); ++ argp->pagelist++; + if (argp->pagelen < PAGE_SIZE) { + argp->end = argp->p + (argp->pagelen>>2); + argp->pagelen = 0; +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index 61b697e..6a66fc0 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -297,41 +297,12 @@ commit_metadata(struct svc_fh *fhp) + } + + /* +- * Set various file attributes. +- * N.B. After this call fhp needs an fh_put ++ * Go over the attributes and take care of the small differences between ++ * NFS semantics and what Linux expects. + */ +-__be32 +-nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, +- int check_guard, time_t guardtime) ++static void ++nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap) + { +- struct dentry *dentry; +- struct inode *inode; +- int accmode = NFSD_MAY_SATTR; +- int ftype = 0; +- __be32 err; +- int host_err; +- int size_change = 0; +- +- if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) +- accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; +- if (iap->ia_valid & ATTR_SIZE) +- ftype = S_IFREG; +- +- /* Get inode */ +- err = fh_verify(rqstp, fhp, ftype, accmode); +- if (err) +- goto out; +- +- dentry = fhp->fh_dentry; +- inode = dentry->d_inode; +- +- /* Ignore any mode updates on symlinks */ +- if (S_ISLNK(inode->i_mode)) +- iap->ia_valid &= ~ATTR_MODE; +- +- if (!iap->ia_valid) +- goto out; +- + /* + * NFSv2 does not differentiate between "set-[ac]time-to-now" + * which only requires access, and "set-[ac]time-to-X" which +@@ -341,8 +312,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, + * convert to "set to now" instead of "set to explicit time" + * + * We only call inode_change_ok as the last test as technically +- * it is not an interface that we should be using. It is only +- * valid if the filesystem does not define it's own i_op->setattr. ++ * it is not an interface that we should be using. + */ + #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET) + #define MAX_TOUCH_TIME_ERROR (30*60) +@@ -368,30 +338,6 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, + iap->ia_valid &= ~BOTH_TIME_SET; + } + } +- +- /* +- * The size case is special. +- * It changes the file as well as the attributes. +- */ +- if (iap->ia_valid & ATTR_SIZE) { +- if (iap->ia_size < inode->i_size) { +- err = nfsd_permission(rqstp, fhp->fh_export, dentry, +- NFSD_MAY_TRUNC|NFSD_MAY_OWNER_OVERRIDE); +- if (err) +- goto out; +- } +- +- host_err = get_write_access(inode); +- if (host_err) +- goto out_nfserr; +- +- size_change = 1; +- host_err = locks_verify_truncate(inode, NULL, iap->ia_size); +- if (host_err) { +- put_write_access(inode); +- goto out_nfserr; +- } +- } + + /* sanitize the mode change */ + if (iap->ia_valid & ATTR_MODE) { +@@ -414,32 +360,111 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, + iap->ia_valid |= (ATTR_KILL_SUID | ATTR_KILL_SGID); + } + } ++} + +- /* Change the attributes. */ ++static __be32 ++nfsd_get_write_access(struct svc_rqst *rqstp, struct svc_fh *fhp, ++ struct iattr *iap) ++{ ++ struct inode *inode = fhp->fh_dentry->d_inode; ++ int host_err; + +- iap->ia_valid |= ATTR_CTIME; ++ if (iap->ia_size < inode->i_size) { ++ __be32 err; + +- err = nfserr_notsync; +- if (!check_guard || guardtime == inode->i_ctime.tv_sec) { +- host_err = nfsd_break_lease(inode); +- if (host_err) +- goto out_nfserr; +- fh_lock(fhp); ++ err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry, ++ NFSD_MAY_TRUNC | NFSD_MAY_OWNER_OVERRIDE); ++ if (err) ++ return err; ++ } + +- host_err = notify_change(dentry, iap); +- err = nfserrno(host_err); +- fh_unlock(fhp); ++ host_err = get_write_access(inode); ++ if (host_err) ++ goto out_nfserrno; ++ ++ host_err = locks_verify_truncate(inode, NULL, iap->ia_size); ++ if (host_err) ++ goto out_put_write_access; ++ return 0; ++ ++out_put_write_access: ++ put_write_access(inode); ++out_nfserrno: ++ return nfserrno(host_err); ++} ++ ++/* ++ * Set various file attributes. After this call fhp needs an fh_put. ++ */ ++__be32 ++nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, ++ int check_guard, time_t guardtime) ++{ ++ struct dentry *dentry; ++ struct inode *inode; ++ int accmode = NFSD_MAY_SATTR; ++ int ftype = 0; ++ __be32 err; ++ int host_err; ++ int size_change = 0; ++ ++ if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) ++ accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; ++ if (iap->ia_valid & ATTR_SIZE) ++ ftype = S_IFREG; ++ ++ /* Get inode */ ++ err = fh_verify(rqstp, fhp, ftype, accmode); ++ if (err) ++ goto out; ++ ++ dentry = fhp->fh_dentry; ++ inode = dentry->d_inode; ++ ++ /* Ignore any mode updates on symlinks */ ++ if (S_ISLNK(inode->i_mode)) ++ iap->ia_valid &= ~ATTR_MODE; ++ ++ if (!iap->ia_valid) ++ goto out; ++ ++ nfsd_sanitize_attrs(inode, iap); ++ ++ /* ++ * The size case is special, it changes the file in addition to the ++ * attributes. ++ */ ++ if (iap->ia_valid & ATTR_SIZE) { ++ err = nfsd_get_write_access(rqstp, fhp, iap); ++ if (err) ++ goto out; ++ size_change = 1; + } ++ ++ iap->ia_valid |= ATTR_CTIME; ++ ++ if (check_guard && guardtime != inode->i_ctime.tv_sec) { ++ err = nfserr_notsync; ++ goto out_put_write_access; ++ } ++ ++ host_err = nfsd_break_lease(inode); ++ if (host_err) ++ goto out_put_write_access_nfserror; ++ ++ fh_lock(fhp); ++ host_err = notify_change(dentry, iap); ++ fh_unlock(fhp); ++ ++out_put_write_access_nfserror: ++ err = nfserrno(host_err); ++out_put_write_access: + if (size_change) + put_write_access(inode); + if (!err) + commit_metadata(fhp); + out: + return err; +- +-out_nfserr: +- err = nfserrno(host_err); +- goto out; + } + + #if defined(CONFIG_NFSD_V2_ACL) || \ +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index d99a905..eb519de 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -404,7 +404,8 @@ xfs_attrlist_by_handle( + return -XFS_ERROR(EPERM); + if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* +diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c +index 54e623b..0d685b3 100644 +--- a/fs/xfs/xfs_ioctl32.c ++++ b/fs/xfs/xfs_ioctl32.c +@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle( + if (copy_from_user(&al_hreq, arg, + sizeof(compat_xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* +diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h +index 4fd95a3..0532279 100644 +--- a/include/crypto/scatterwalk.h ++++ b/include/crypto/scatterwalk.h +@@ -58,6 +58,7 @@ static inline void scatterwalk_sg_chain(struct scatterlist *sg1, int num, + { + sg_set_page(&sg1[num - 1], (void *)sg2, 0, 0); + sg1[num - 1].page_link &= ~0x02; ++ sg1[num - 1].page_link |= 0x01; + } + + static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg) +@@ -65,7 +66,7 @@ static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg) + if (sg_is_last(sg)) + return NULL; + +- return (++sg)->length ? sg : (void *)sg_page(sg); ++ return (++sg)->length ? sg : sg_chain_ptr(sg); + } + + static inline void scatterwalk_crypto_chain(struct scatterlist *head, +diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h +index acd8d4b..d337419 100644 +--- a/include/linux/binfmts.h ++++ b/include/linux/binfmts.h +@@ -112,9 +112,6 @@ extern void setup_new_exec(struct linux_binprm * bprm); + extern void would_dump(struct linux_binprm *, struct file *); + + extern int suid_dumpable; +-#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ +-#define SUID_DUMP_USER 1 /* Dump as user of process */ +-#define SUID_DUMP_ROOT 2 /* Dump as root */ + + /* Stack area protections */ + #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h +index d8e636e..cba9593 100644 +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -27,5 +27,3 @@ + #define __must_be_array(a) 0 + + #endif +- +-#define uninitialized_var(x) x +diff --git a/include/linux/msg.h b/include/linux/msg.h +index 56abf155..70fc369 100644 +--- a/include/linux/msg.h ++++ b/include/linux/msg.h +@@ -76,9 +76,9 @@ struct msginfo { + + /* one msg_msg structure for each message */ + struct msg_msg { +- struct list_head m_list; +- long m_type; +- int m_ts; /* message text size */ ++ struct list_head m_list; ++ long m_type; ++ size_t m_ts; /* message text size */ + struct msg_msgseg* next; + void *security; + /* the actual message follows immediately */ +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h +index daad4e6..3887901 100644 +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -361,7 +361,7 @@ static inline map_word map_word_load_partial(struct map_info *map, map_word orig + bitpos = (map_bankwidth(map)-1-i)*8; + #endif + orig.x[0] &= ~(0xff << bitpos); +- orig.x[0] |= buf[i-start] << bitpos; ++ orig.x[0] |= (unsigned long)buf[i-start] << bitpos; + } + } + return orig; +@@ -380,7 +380,7 @@ static inline map_word map_word_ff(struct map_info *map) + + if (map_bankwidth(map) < MAP_FF_LIMIT) { + int bw = 8 * map_bankwidth(map); +- r.x[0] = (1 << bw) - 1; ++ r.x[0] = (1UL << bw) - 1; + } else { + for (i=0; i<map_words(map); i++) + r.x[i] = ~0UL; +diff --git a/include/linux/net.h b/include/linux/net.h +index b7ca08e..bd4f6c7 100644 +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -197,6 +197,14 @@ struct proto_ops { + #endif + int (*sendmsg) (struct kiocb *iocb, struct socket *sock, + struct msghdr *m, size_t total_len); ++ /* Notes for implementing recvmsg: ++ * =============================== ++ * msg->msg_namelen should get updated by the recvmsg handlers ++ * iff msg_name != NULL. It is by default 0 to prevent ++ * returning uninitialized memory to user space. The recvfrom ++ * handlers can assume that msg.msg_name is either NULL or has ++ * a minimum size of sizeof(struct sockaddr_storage). ++ */ + int (*recvmsg) (struct kiocb *iocb, struct socket *sock, + struct msghdr *m, size_t total_len, + int flags); +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 3db3da1..d93f417 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -1579,6 +1579,7 @@ + #define PCI_SUBDEVICE_ID_KEYSPAN_SX2 0x5334 + + #define PCI_VENDOR_ID_MARVELL 0x11ab ++#define PCI_VENDOR_ID_MARVELL_EXT 0x1b4b + #define PCI_DEVICE_ID_MARVELL_GT64111 0x4146 + #define PCI_DEVICE_ID_MARVELL_GT64260 0x6430 + #define PCI_DEVICE_ID_MARVELL_MV64360 0x6460 +diff --git a/include/linux/random.h b/include/linux/random.h +index 7e77cee..f5e1311 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -89,9 +89,9 @@ static inline void prandom32_seed(struct rnd_state *state, u64 seed) + { + u32 i = (seed >> 32) ^ (seed << 10) ^ seed; + +- state->s1 = __seed(i, 1); +- state->s2 = __seed(i, 7); +- state->s3 = __seed(i, 15); ++ state->s1 = __seed(i, 2); ++ state->s2 = __seed(i, 8); ++ state->s3 = __seed(i, 16); + } + + #ifdef CONFIG_ARCH_RANDOM +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 8204898..312d047 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -403,6 +403,10 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} + extern void set_dumpable(struct mm_struct *mm, int value); + extern int get_dumpable(struct mm_struct *mm); + ++#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ ++#define SUID_DUMP_USER 1 /* Dump as user of process */ ++#define SUID_DUMP_ROOT 2 /* Dump as root */ ++ + /* mm flags */ + /* dumpable bits */ + #define MMF_DUMPABLE 0 /* core dump is permitted */ +diff --git a/include/net/ip.h b/include/net/ip.h +index 06aed72..b935e6c 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -466,7 +466,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level, + int optname, char __user *optval, int __user *optlen); + extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *)); + +-extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len); ++extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); + extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, + __be16 port, u32 info, u8 *payload); + extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport, +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 4d549cf..0580673 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -602,8 +602,10 @@ extern int compat_ipv6_getsockopt(struct sock *sk, + extern int ip6_datagram_connect(struct sock *sk, + struct sockaddr *addr, int addr_len); + +-extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len); +-extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len); ++extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len); ++extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len); + extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, + u32 info, u8 *payload); + extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); +diff --git a/include/sound/memalloc.h b/include/sound/memalloc.h +index c425062..ab240bb 100644 +--- a/include/sound/memalloc.h ++++ b/include/sound/memalloc.h +@@ -101,7 +101,7 @@ static inline unsigned int snd_sgbuf_aligned_pages(size_t size) + static inline dma_addr_t snd_sgbuf_get_addr(struct snd_sg_buf *sgbuf, size_t offset) + { + dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr; +- addr &= PAGE_MASK; ++ addr &= ~((dma_addr_t)PAGE_SIZE - 1); + return addr + offset % PAGE_SIZE; + } + +diff --git a/include/trace/ftrace.h b/include/trace/ftrace.h +index 7697249..763bf05 100644 +--- a/include/trace/ftrace.h ++++ b/include/trace/ftrace.h +@@ -379,7 +379,8 @@ ftrace_define_fields_##call(struct ftrace_event_call *event_call) \ + __data_size += (len) * sizeof(type); + + #undef __string +-#define __string(item, src) __dynamic_array(char, item, strlen(src) + 1) ++#define __string(item, src) __dynamic_array(char, item, \ ++ strlen((src) ? (const char *)(src) : "(null)") + 1) + + #undef DECLARE_EVENT_CLASS + #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \ +@@ -504,7 +505,7 @@ static inline notrace int ftrace_get_offsets_##call( \ + + #undef __assign_str + #define __assign_str(dst, src) \ +- strcpy(__get_str(dst), src); ++ strcpy(__get_str(dst), (src) ? (const char *)(src) : "(null)"); + + #undef TP_fast_assign + #define TP_fast_assign(args...) args +diff --git a/ipc/msgutil.c b/ipc/msgutil.c +index 5652101..fc6fded 100644 +--- a/ipc/msgutil.c ++++ b/ipc/msgutil.c +@@ -37,15 +37,15 @@ struct msg_msgseg { + /* the next part of the message follows immediately */ + }; + +-#define DATALEN_MSG (PAGE_SIZE-sizeof(struct msg_msg)) +-#define DATALEN_SEG (PAGE_SIZE-sizeof(struct msg_msgseg)) ++#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) ++#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) + +-struct msg_msg *load_msg(const void __user *src, int len) ++struct msg_msg *load_msg(const void __user *src, size_t len) + { + struct msg_msg *msg; + struct msg_msgseg **pseg; + int err; +- int alen; ++ size_t alen; + + alen = len; + if (alen > DATALEN_MSG) +@@ -99,9 +99,9 @@ out_err: + return ERR_PTR(err); + } + +-int store_msg(void __user *dest, struct msg_msg *msg, int len) ++int store_msg(void __user *dest, struct msg_msg *msg, size_t len) + { +- int alen; ++ size_t alen; + struct msg_msgseg *seg; + + alen = len; +diff --git a/ipc/util.h b/ipc/util.h +index 6f5c20b..0bfc934 100644 +--- a/ipc/util.h ++++ b/ipc/util.h +@@ -138,8 +138,8 @@ int ipc_parse_version (int *cmd); + #endif + + extern void free_msg(struct msg_msg *msg); +-extern struct msg_msg *load_msg(const void __user *src, int len); +-extern int store_msg(void __user *dest, struct msg_msg *msg, int len); ++extern struct msg_msg *load_msg(const void __user *src, size_t len); ++extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len); + + extern void recompute_msgmni(struct ipc_namespace *); + +diff --git a/kernel/audit.c b/kernel/audit.c +index d4bc594..e14bc74 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, + char *ctx = NULL; + u32 len; + +- if (!audit_enabled) { ++ if (!audit_enabled && msg_type != AUDIT_USER_AVC) { + *ab = NULL; + return rc; + } +@@ -684,6 +684,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + switch (msg_type) { + case AUDIT_GET: ++ status_set.mask = 0; + status_set.enabled = audit_enabled; + status_set.failure = audit_failure; + status_set.pid = audit_pid; +@@ -695,7 +696,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + &status_set, sizeof(status_set)); + break; + case AUDIT_SET: +- if (nlh->nlmsg_len < sizeof(struct audit_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_status)) + return -EINVAL; + status_get = (struct audit_status *)data; + if (status_get->mask & AUDIT_STATUS_ENABLED) { +@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + struct task_struct *tsk; + unsigned long flags; + +- if (nlh->nlmsg_len < sizeof(struct audit_tty_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_tty_status)) + return -EINVAL; + s = data; + if (s->enabled != 0 && s->enabled != 1) +diff --git a/kernel/cpuset.c b/kernel/cpuset.c +index 835eee6..57eb98d 100644 +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -983,8 +983,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk, + need_loop = task_has_mempolicy(tsk) || + !nodes_intersects(*newmems, tsk->mems_allowed); + +- if (need_loop) ++ if (need_loop) { ++ local_irq_disable(); + write_seqcount_begin(&tsk->mems_allowed_seq); ++ } + + nodes_or(tsk->mems_allowed, tsk->mems_allowed, *newmems); + mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP1); +@@ -992,8 +994,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk, + mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP2); + tsk->mems_allowed = *newmems; + +- if (need_loop) ++ if (need_loop) { + write_seqcount_end(&tsk->mems_allowed_seq); ++ local_irq_enable(); ++ } + + task_unlock(tsk); + } +diff --git a/kernel/futex.c b/kernel/futex.c +index 1d0538e..8888815 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -285,7 +285,7 @@ again: + put_page(page); + /* serialize against __split_huge_page_splitting() */ + local_irq_disable(); +- if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) { ++ if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) { + page_head = compound_head(page); + /* + * page_head is valid pointer but we must pin +diff --git a/kernel/irq/pm.c b/kernel/irq/pm.c +index 15e53b1..dcd3f97 100644 +--- a/kernel/irq/pm.c ++++ b/kernel/irq/pm.c +@@ -50,7 +50,7 @@ static void resume_irqs(bool want_early) + bool is_early = desc->action && + desc->action->flags & IRQF_EARLY_RESUME; + +- if (is_early != want_early) ++ if (!is_early && want_early) + continue; + + raw_spin_lock_irqsave(&desc->lock, flags); +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index cbe2c14..380291e 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -1390,7 +1390,11 @@ int hibernate_preallocate_memory(void) + * highmem and non-highmem zones separately. + */ + pages_highmem = preallocate_image_highmem(highmem / 2); +- alloc = (count - max_size) - pages_highmem; ++ alloc = count - max_size; ++ if (alloc > pages_highmem) ++ alloc -= pages_highmem; ++ else ++ alloc = 0; + pages = preallocate_image_memory(alloc, avail_normal); + if (pages < alloc) { + /* We have exhausted non-highmem pages, try highmem. */ +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 67fedad..f79803a 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -246,7 +246,8 @@ ok: + smp_rmb(); + if (task->mm) + dumpable = get_dumpable(task->mm); +- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE)) ++ if (dumpable != SUID_DUMP_USER && ++ !task_ns_capable(task, CAP_SYS_PTRACE)) + return -EPERM; + + return security_ptrace_access_check(task, mode); +diff --git a/kernel/sched_debug.c b/kernel/sched_debug.c +index a6710a1..f4010e2 100644 +--- a/kernel/sched_debug.c ++++ b/kernel/sched_debug.c +@@ -213,6 +213,14 @@ void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq) + SEQ_printf(m, " .%-30s: %d\n", "load_tg", + atomic_read(&cfs_rq->tg->load_weight)); + #endif ++#ifdef CONFIG_CFS_BANDWIDTH ++ SEQ_printf(m, " .%-30s: %d\n", "tg->cfs_bandwidth.timer_active", ++ cfs_rq->tg->cfs_bandwidth.timer_active); ++ SEQ_printf(m, " .%-30s: %d\n", "throttled", ++ cfs_rq->throttled); ++ SEQ_printf(m, " .%-30s: %d\n", "throttle_count", ++ cfs_rq->throttle_count); ++#endif + + print_cfs_group_stats(m, cpu, cfs_rq->tg); + #endif +diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c +index c261da7..5b9e456 100644 +--- a/kernel/sched_fair.c ++++ b/kernel/sched_fair.c +@@ -1527,6 +1527,8 @@ static void throttle_cfs_rq(struct cfs_rq *cfs_rq) + cfs_rq->throttled_timestamp = rq->clock; + raw_spin_lock(&cfs_b->lock); + list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); ++ if (!cfs_b->timer_active) ++ __start_cfs_bandwidth(cfs_b); + raw_spin_unlock(&cfs_b->lock); + } + +diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c +index 8a46f5d..0907e43 100644 +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -468,7 +468,7 @@ static int alarm_clock_getres(const clockid_t which_clock, struct timespec *tp) + clockid_t baseid = alarm_bases[clock2alarm(which_clock)].base_clockid; + + if (!alarmtimer_get_rtcdev()) +- return -ENOTSUPP; ++ return -EINVAL; + + return hrtimer_get_res(baseid, tp); + } +@@ -485,7 +485,7 @@ static int alarm_clock_get(clockid_t which_clock, struct timespec *tp) + struct alarm_base *base = &alarm_bases[clock2alarm(which_clock)]; + + if (!alarmtimer_get_rtcdev()) +- return -ENOTSUPP; ++ return -EINVAL; + + *tp = ktime_to_timespec(base->gettime()); + return 0; +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 226776b..d40d7f6 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -259,9 +259,6 @@ static int remove_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops) + + static int __register_ftrace_function(struct ftrace_ops *ops) + { +- if (ftrace_disabled) +- return -ENODEV; +- + if (FTRACE_WARN_ON(ops == &global_ops)) + return -EINVAL; + +@@ -290,9 +287,6 @@ static int __unregister_ftrace_function(struct ftrace_ops *ops) + { + int ret; + +- if (ftrace_disabled) +- return -ENODEV; +- + if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED))) + return -EBUSY; + +@@ -1017,6 +1011,11 @@ static struct ftrace_page *ftrace_pages; + + static struct dyn_ftrace *ftrace_free_records; + ++static bool ftrace_hash_empty(struct ftrace_hash *hash) ++{ ++ return !hash || !hash->count; ++} ++ + static struct ftrace_func_entry * + ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip) + { +@@ -1025,7 +1024,7 @@ ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip) + struct hlist_head *hhd; + struct hlist_node *n; + +- if (!hash->count) ++ if (ftrace_hash_empty(hash)) + return NULL; + + if (hash->size_bits > 0) +@@ -1169,7 +1168,7 @@ alloc_and_copy_ftrace_hash(int size_bits, struct ftrace_hash *hash) + return NULL; + + /* Empty hash? */ +- if (!hash || !hash->count) ++ if (ftrace_hash_empty(hash)) + return new_hash; + + size = 1 << hash->size_bits; +@@ -1294,9 +1293,9 @@ ftrace_ops_test(struct ftrace_ops *ops, unsigned long ip) + filter_hash = rcu_dereference_raw(ops->filter_hash); + notrace_hash = rcu_dereference_raw(ops->notrace_hash); + +- if ((!filter_hash || !filter_hash->count || ++ if ((ftrace_hash_empty(filter_hash) || + ftrace_lookup_ip(filter_hash, ip)) && +- (!notrace_hash || !notrace_hash->count || ++ (ftrace_hash_empty(notrace_hash) || + !ftrace_lookup_ip(notrace_hash, ip))) + ret = 1; + else +@@ -1348,7 +1347,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, + if (filter_hash) { + hash = ops->filter_hash; + other_hash = ops->notrace_hash; +- if (!hash || !hash->count) ++ if (ftrace_hash_empty(hash)) + all = 1; + } else { + inc = !inc; +@@ -1358,7 +1357,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, + * If the notrace hash has no items, + * then there's nothing to do. + */ +- if (hash && !hash->count) ++ if (ftrace_hash_empty(hash)) + return; + } + +@@ -1375,8 +1374,8 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, + if (!other_hash || !ftrace_lookup_ip(other_hash, rec->ip)) + match = 1; + } else { +- in_hash = hash && !!ftrace_lookup_ip(hash, rec->ip); +- in_other_hash = other_hash && !!ftrace_lookup_ip(other_hash, rec->ip); ++ in_hash = !!ftrace_lookup_ip(hash, rec->ip); ++ in_other_hash = !!ftrace_lookup_ip(other_hash, rec->ip); + + /* + * +@@ -1384,7 +1383,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, + if (filter_hash && in_hash && !in_other_hash) + match = 1; + else if (!filter_hash && in_hash && +- (in_other_hash || !other_hash->count)) ++ (in_other_hash || ftrace_hash_empty(other_hash))) + match = 1; + } + if (!match) +@@ -1698,10 +1697,15 @@ static void ftrace_startup_enable(int command) + static int ftrace_startup(struct ftrace_ops *ops, int command) + { + bool hash_enable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) + return -ENODEV; + ++ ret = __register_ftrace_function(ops); ++ if (ret) ++ return ret; ++ + ftrace_start_up++; + command |= FTRACE_UPDATE_CALLS; + +@@ -1723,12 +1727,17 @@ static int ftrace_startup(struct ftrace_ops *ops, int command) + return 0; + } + +-static void ftrace_shutdown(struct ftrace_ops *ops, int command) ++static int ftrace_shutdown(struct ftrace_ops *ops, int command) + { + bool hash_disable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) +- return; ++ return -ENODEV; ++ ++ ret = __unregister_ftrace_function(ops); ++ if (ret) ++ return ret; + + ftrace_start_up--; + /* +@@ -1763,9 +1772,10 @@ static void ftrace_shutdown(struct ftrace_ops *ops, int command) + } + + if (!command || !ftrace_enabled) +- return; ++ return 0; + + ftrace_run_update_code(command); ++ return 0; + } + + static void ftrace_startup_sysctl(void) +@@ -1794,12 +1804,57 @@ static cycle_t ftrace_update_time; + static unsigned long ftrace_update_cnt; + unsigned long ftrace_update_tot_cnt; + +-static int ops_traces_mod(struct ftrace_ops *ops) ++static inline int ops_traces_mod(struct ftrace_ops *ops) + { +- struct ftrace_hash *hash; ++ /* ++ * Filter_hash being empty will default to trace module. ++ * But notrace hash requires a test of individual module functions. ++ */ ++ return ftrace_hash_empty(ops->filter_hash) && ++ ftrace_hash_empty(ops->notrace_hash); ++} + +- hash = ops->filter_hash; +- return !!(!hash || !hash->count); ++/* ++ * Check if the current ops references the record. ++ * ++ * If the ops traces all functions, then it was already accounted for. ++ * If the ops does not trace the current record function, skip it. ++ * If the ops ignores the function via notrace filter, skip it. ++ */ ++static inline bool ++ops_references_rec(struct ftrace_ops *ops, struct dyn_ftrace *rec) ++{ ++ /* If ops isn't enabled, ignore it */ ++ if (!(ops->flags & FTRACE_OPS_FL_ENABLED)) ++ return 0; ++ ++ /* If ops traces all mods, we already accounted for it */ ++ if (ops_traces_mod(ops)) ++ return 0; ++ ++ /* The function must be in the filter */ ++ if (!ftrace_hash_empty(ops->filter_hash) && ++ !ftrace_lookup_ip(ops->filter_hash, rec->ip)) ++ return 0; ++ ++ /* If in notrace hash, we ignore it too */ ++ if (ftrace_lookup_ip(ops->notrace_hash, rec->ip)) ++ return 0; ++ ++ return 1; ++} ++ ++static int referenced_filters(struct dyn_ftrace *rec) ++{ ++ struct ftrace_ops *ops; ++ int cnt = 0; ++ ++ for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) { ++ if (ops_references_rec(ops, rec)) ++ cnt++; ++ } ++ ++ return cnt; + } + + static int ftrace_update_code(struct module *mod) +@@ -1807,6 +1862,7 @@ static int ftrace_update_code(struct module *mod) + struct dyn_ftrace *p; + cycle_t start, stop; + unsigned long ref = 0; ++ bool test = false; + + /* + * When adding a module, we need to check if tracers are +@@ -1819,9 +1875,12 @@ static int ftrace_update_code(struct module *mod) + + for (ops = ftrace_ops_list; + ops != &ftrace_list_end; ops = ops->next) { +- if (ops->flags & FTRACE_OPS_FL_ENABLED && +- ops_traces_mod(ops)) +- ref++; ++ if (ops->flags & FTRACE_OPS_FL_ENABLED) { ++ if (ops_traces_mod(ops)) ++ ref++; ++ else ++ test = true; ++ } + } + } + +@@ -1829,6 +1888,7 @@ static int ftrace_update_code(struct module *mod) + ftrace_update_cnt = 0; + + while (ftrace_new_addrs) { ++ int cnt = ref; + + /* If something went wrong, bail without enabling anything */ + if (unlikely(ftrace_disabled)) +@@ -1836,7 +1896,9 @@ static int ftrace_update_code(struct module *mod) + + p = ftrace_new_addrs; + ftrace_new_addrs = p->newlist; +- p->flags = ref; ++ if (test) ++ cnt += referenced_filters(p); ++ p->flags = cnt; + + /* + * Do the initial record conversion from mcount jump +@@ -1859,7 +1921,7 @@ static int ftrace_update_code(struct module *mod) + * conversion puts the module to the correct state, thus + * passing the ftrace_make_call check. + */ +- if (ftrace_start_up && ref) { ++ if (ftrace_start_up && cnt) { + int failed = __ftrace_replace_code(p, 1); + if (failed) { + ftrace_bug(failed, p->ip); +@@ -2112,7 +2174,8 @@ static void *t_start(struct seq_file *m, loff_t *pos) + * off, we can short cut and just print out that all + * functions are enabled. + */ +- if (iter->flags & FTRACE_ITER_FILTER && !ops->filter_hash->count) { ++ if (iter->flags & FTRACE_ITER_FILTER && ++ ftrace_hash_empty(ops->filter_hash)) { + if (*pos > 0) + return t_hash_start(m, pos); + iter->flags |= FTRACE_ITER_PRINTALL; +@@ -2564,16 +2627,13 @@ static void __enable_ftrace_function_probe(void) + if (i == FTRACE_FUNC_HASHSIZE) + return; + +- ret = __register_ftrace_function(&trace_probe_ops); +- if (!ret) +- ret = ftrace_startup(&trace_probe_ops, 0); ++ ret = ftrace_startup(&trace_probe_ops, 0); + + ftrace_probe_registered = 1; + } + + static void __disable_ftrace_function_probe(void) + { +- int ret; + int i; + + if (!ftrace_probe_registered) +@@ -2586,9 +2646,7 @@ static void __disable_ftrace_function_probe(void) + } + + /* no more funcs left */ +- ret = __unregister_ftrace_function(&trace_probe_ops); +- if (!ret) +- ftrace_shutdown(&trace_probe_ops, 0); ++ ftrace_shutdown(&trace_probe_ops, 0); + + ftrace_probe_registered = 0; + } +@@ -3561,12 +3619,15 @@ device_initcall(ftrace_nodyn_init); + static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; } + static inline void ftrace_startup_enable(int command) { } + /* Keep as macros so we do not need to define the commands */ +-# define ftrace_startup(ops, command) \ +- ({ \ +- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ +- 0; \ ++# define ftrace_startup(ops, command) \ ++ ({ \ ++ int ___ret = __register_ftrace_function(ops); \ ++ if (!___ret) \ ++ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ ++ ___ret; \ + }) +-# define ftrace_shutdown(ops, command) do { } while (0) ++# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops) ++ + # define ftrace_startup_sysctl() do { } while (0) + # define ftrace_shutdown_sysctl() do { } while (0) + +@@ -3906,15 +3967,8 @@ int register_ftrace_function(struct ftrace_ops *ops) + + mutex_lock(&ftrace_lock); + +- if (unlikely(ftrace_disabled)) +- goto out_unlock; +- +- ret = __register_ftrace_function(ops); +- if (!ret) +- ret = ftrace_startup(ops, 0); +- ++ ret = ftrace_startup(ops, 0); + +- out_unlock: + mutex_unlock(&ftrace_lock); + return ret; + } +@@ -3931,9 +3985,7 @@ int unregister_ftrace_function(struct ftrace_ops *ops) + int ret; + + mutex_lock(&ftrace_lock); +- ret = __unregister_ftrace_function(ops); +- if (!ret) +- ftrace_shutdown(ops, 0); ++ ret = ftrace_shutdown(ops, 0); + mutex_unlock(&ftrace_lock); + + return ret; +@@ -4127,6 +4179,12 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, + return NOTIFY_DONE; + } + ++/* Just a place holder for function graph */ ++static struct ftrace_ops fgraph_ops __read_mostly = { ++ .func = ftrace_stub, ++ .flags = FTRACE_OPS_FL_GLOBAL, ++}; ++ + int register_ftrace_graph(trace_func_graph_ret_t retfunc, + trace_func_graph_ent_t entryfunc) + { +@@ -4153,7 +4211,7 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, + ftrace_graph_return = retfunc; + ftrace_graph_entry = entryfunc; + +- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET); ++ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET); + + out: + mutex_unlock(&ftrace_lock); +@@ -4170,7 +4228,7 @@ void unregister_ftrace_graph(void) + ftrace_graph_active--; + ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub; + ftrace_graph_entry = ftrace_graph_entry_stub; +- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET); ++ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET); + unregister_pm_notifier(&ftrace_suspend_notifier); + unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL); + +diff --git a/lib/random32.c b/lib/random32.c +index fc3545a..1f44bdc 100644 +--- a/lib/random32.c ++++ b/lib/random32.c +@@ -92,7 +92,7 @@ void srandom32(u32 entropy) + */ + for_each_possible_cpu (i) { + struct rnd_state *state = &per_cpu(net_rand_state, i); +- state->s1 = __seed(state->s1 ^ entropy, 1); ++ state->s1 = __seed(state->s1 ^ entropy, 2); + } + } + EXPORT_SYMBOL(srandom32); +@@ -109,9 +109,9 @@ static int __init random32_init(void) + struct rnd_state *state = &per_cpu(net_rand_state,i); + + #define LCG(x) ((x) * 69069) /* super-duper LCG */ +- state->s1 = __seed(LCG(i + jiffies), 1); +- state->s2 = __seed(LCG(state->s1), 7); +- state->s3 = __seed(LCG(state->s2), 15); ++ state->s1 = __seed(LCG(i + jiffies), 2); ++ state->s2 = __seed(LCG(state->s1), 8); ++ state->s3 = __seed(LCG(state->s2), 16); + + /* "warm it up" */ + prandom32(state); +@@ -138,9 +138,9 @@ static int __init random32_reseed(void) + u32 seeds[3]; + + get_random_bytes(&seeds, sizeof(seeds)); +- state->s1 = __seed(seeds[0], 1); +- state->s2 = __seed(seeds[1], 7); +- state->s3 = __seed(seeds[2], 15); ++ state->s1 = __seed(seeds[0], 2); ++ state->s2 = __seed(seeds[1], 8); ++ state->s3 = __seed(seeds[2], 16); + + /* mix it in */ + prandom32(state); +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index d74c317..ae02e42 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -25,6 +25,7 @@ + #include <linux/kallsyms.h> + #include <linux/uaccess.h> + #include <linux/ioport.h> ++#include <linux/cred.h> + #include <net/addrconf.h> + + #include <asm/page.h> /* for PAGE_SIZE */ +@@ -892,10 +893,35 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, + spec.field_width = 2 * sizeof(void *); + return string(buf, end, "pK-error", spec); + } +- if (!((kptr_restrict == 0) || +- (kptr_restrict == 1 && +- has_capability_noaudit(current, CAP_SYSLOG)))) ++ ++ switch (kptr_restrict) { ++ case 0: ++ /* Always print %pK values */ ++ break; ++ case 1: { ++ /* ++ * Only print the real pointer value if the current ++ * process has CAP_SYSLOG and is running with the ++ * same credentials it started with. This is because ++ * access to files is checked at open() time, but %pK ++ * checks permission at read() time. We don't want to ++ * leak pointer values if a binary opens a file using ++ * %pK and then elevates privileges before reading it. ++ */ ++ const struct cred *cred = current_cred(); ++ ++ if (!has_capability_noaudit(current, CAP_SYSLOG) || ++ cred->euid != cred->uid || ++ cred->egid != cred->gid) ++ ptr = NULL; ++ break; ++ } ++ case 2: ++ default: ++ /* Always print 0's for %pK */ + ptr = NULL; ++ break; ++ } + break; + } + spec.flags |= SMALL; +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index bfa9ab93..334d4cd 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1740,7 +1740,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr + size_t size, int flags) + { + struct sock *sk = sock->sk; +- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name; + struct ddpehdr *ddp; + int copied = 0; + int offset = 0; +@@ -1769,14 +1768,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr + } + err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied); + +- if (!err) { +- if (sat) { +- sat->sat_family = AF_APPLETALK; +- sat->sat_port = ddp->deh_sport; +- sat->sat_addr.s_node = ddp->deh_snode; +- sat->sat_addr.s_net = ddp->deh_snet; +- } +- msg->msg_namelen = sizeof(*sat); ++ if (!err && msg->msg_name) { ++ struct sockaddr_at *sat = msg->msg_name; ++ sat->sat_family = AF_APPLETALK; ++ sat->sat_port = ddp->deh_sport; ++ sat->sat_addr.s_node = ddp->deh_snode; ++ sat->sat_addr.s_net = ddp->deh_snet; ++ msg->msg_namelen = sizeof(*sat); + } + + skb_free_datagram(sk, skb); /* Free the datagram. */ +diff --git a/net/atm/common.c b/net/atm/common.c +index 43b6bfe..0ca06e8 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -500,8 +500,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + struct sk_buff *skb; + int copied, error = -EINVAL; + +- msg->msg_namelen = 0; +- + if (sock->state != SS_CONNECTED) + return -ENOTCONN; + if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */ +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 86ac37f..7b8db0e 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1635,11 +1635,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, + + skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); + +- if (msg->msg_namelen != 0) { +- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name; ++ if (msg->msg_name) { + ax25_digi digi; + ax25_address src; + const unsigned char *mac = skb_mac_header(skb); ++ struct sockaddr_ax25 *sax = msg->msg_name; + + memset(sax, 0, sizeof(struct full_sockaddr_ax25)); + ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index 838f113..0938f6b 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -245,8 +245,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags & (MSG_OOB)) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) { + if (sk->sk_shutdown & RCV_SHUTDOWN) +@@ -311,8 +309,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags & MSG_OOB) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + BT_DBG("sk %p size %zu", sk, size); + + lock_sock(sk); +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 8361ee4..bb78c75 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -448,8 +448,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return err; + +- msg->msg_namelen = 0; +- + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 82ce164..14c4864 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -627,7 +627,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { + rfcomm_dlc_accept(d); +- msg->msg_namelen = 0; + return 0; + } + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index f3f75ad..56693c3 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -170,6 +170,8 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) + del_nbp(p); + } + ++ br_fdb_delete_by_port(br, NULL, 1); ++ + del_timer_sync(&br->gc_timer); + + br_sysfs_delbr(br->dev); +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 53a8e37..7fac75f 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -320,8 +320,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, + if (m->msg_flags&MSG_OOB) + goto read_error; + +- m->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags, 0 , &ret); + if (!skb) + goto read_error; +@@ -395,8 +393,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags&MSG_OOB) + goto out; + +- msg->msg_namelen = 0; +- + /* + * Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg +diff --git a/net/compat.c b/net/compat.c +index 3139ef2..41724c9 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) +- return -EINVAL; ++ kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_name = compat_ptr(tmp1); + kmsg->msg_iov = compat_ptr(tmp2); + kmsg->msg_control = compat_ptr(tmp3); +@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, + if (err < 0) + return err; + } +- kern_msg->msg_name = kern_address; ++ if (kern_msg->msg_name) ++ kern_msg->msg_name = kern_address; + } else + kern_msg->msg_name = NULL; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 8e455b8..7bcf37d 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2609,6 +2609,8 @@ ip: + goto done; + + ip = (const struct iphdr *) (skb->data + nhoff); ++ if (ip->ihl < 5) ++ goto done; + if (ip_is_fragment(ip)) + ip_proto = 0; + else +@@ -4515,7 +4517,7 @@ static void dev_change_rx_flags(struct net_device *dev, int flags) + { + const struct net_device_ops *ops = dev->netdev_ops; + +- if ((dev->flags & IFF_UP) && ops->ndo_change_rx_flags) ++ if (ops->ndo_change_rx_flags) + ops->ndo_change_rx_flags(dev, flags); + } + +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index c02e63c..c0c21b1 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -443,7 +443,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) + if (frh->action && (frh->action != rule->action)) + continue; + +- if (frh->table && (frh_get_table(frh, tb) != rule->table)) ++ if (frh_get_table(frh, tb) && ++ (frh_get_table(frh, tb) != rule->table)) + continue; + + if (tb[FRA_PRIORITY] && +diff --git a/net/core/iovec.c b/net/core/iovec.c +index c40f27e..139ef93 100644 +--- a/net/core/iovec.c ++++ b/net/core/iovec.c +@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, + if (err < 0) + return err; + } +- m->msg_name = address; ++ if (m->msg_name) ++ m->msg_name = address; + } else { + m->msg_name = NULL; + } +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 2ef7da0..80aeac9 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -2524,6 +2524,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, + if (x) { + int ret; + __u8 *eth; ++ struct iphdr *iph; ++ + nhead = x->props.header_len - skb_headroom(skb); + if (nhead > 0) { + ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC); +@@ -2545,6 +2547,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, + eth = (__u8 *) skb_push(skb, ETH_HLEN); + memcpy(eth, pkt_dev->hh, 12); + *(u16 *) ð[12] = protocol; ++ ++ /* Update IPv4 header len as well as checksum value */ ++ iph = ip_hdr(skb); ++ iph->tot_len = htons(skb->len - ETH_HLEN); ++ ip_send_check(iph); + } + } + return 1; +diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c +index 19d6aef..5d42df2 100644 +--- a/net/ieee802154/6lowpan.c ++++ b/net/ieee802154/6lowpan.c +@@ -563,7 +563,7 @@ lowpan_process_data(struct sk_buff *skb) + * Traffic class carried in-line + * ECN + DSCP (1 byte), Flow Label is elided + */ +- case 1: /* 10b */ ++ case 2: /* 10b */ + if (!skb->len) + goto drop; + tmp = lowpan_fetch_skb_u8(skb); +@@ -576,7 +576,7 @@ lowpan_process_data(struct sk_buff *skb) + * Flow Label carried in-line + * ECN + 2-bit Pad + Flow Label (3 bytes), DSCP is elided + */ +- case 2: /* 01b */ ++ case 1: /* 01b */ + if (!skb->len) + goto drop; + tmp = lowpan_fetch_skb_u8(skb); +diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c +index 424fafb..ec07510 100644 +--- a/net/ipv4/datagram.c ++++ b/net/ipv4/datagram.c +@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + if (IS_ERR(rt)) { + err = PTR_ERR(rt); + if (err == -ENETUNREACH) +- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); ++ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); + goto out; + } + +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 3b36002..542a9c1 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -374,7 +374,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf + /* + * Handle MSG_ERRQUEUE + */ +-int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) ++int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { + struct sock_exterr_skb *serr; + struct sk_buff *skb, *skb2; +@@ -411,6 +411,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) + serr->addr_offset); + sin->sin_port = serr->port; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 294a380..00975b6 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -567,7 +567,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + err = PTR_ERR(rt); + rt = NULL; + if (err == -ENETUNREACH) +- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); ++ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); + goto out; + } + +@@ -623,7 +623,6 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + size_t len, int noblock, int flags, int *addr_len) + { + struct inet_sock *isk = inet_sk(sk); +- struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; + struct sk_buff *skb; + int copied, err; + +@@ -632,11 +631,8 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*sin); +- + if (flags & MSG_ERRQUEUE) +- return ip_recv_error(sk, msg, len); ++ return ip_recv_error(sk, msg, len, addr_len); + + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) +@@ -656,11 +652,14 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + sock_recv_timestamp(msg, sk, skb); + + /* Copy the address. */ +- if (sin) { ++ if (msg->msg_name) { ++ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; ++ + sin->sin_family = AF_INET; + sin->sin_port = 0 /* skb->h.uh->source */; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (isk->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 2815014..cfded93 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -686,11 +686,8 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*sin); +- + if (flags & MSG_ERRQUEUE) { +- err = ip_recv_error(sk, msg, len); ++ err = ip_recv_error(sk, msg, len, addr_len); + goto out; + } + +@@ -716,6 +713,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + sin->sin_port = 0; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a97c9ad..92d7138 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -182,7 +182,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + if (IS_ERR(rt)) { + err = PTR_ERR(rt); + if (err == -ENETUNREACH) +- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); ++ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); + return err; + } + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 5decc93..8c2e259 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -937,7 +937,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + err = PTR_ERR(rt); + rt = NULL; + if (err == -ENETUNREACH) +- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); ++ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); + goto out; + } + +@@ -1036,6 +1036,9 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset, + struct udp_sock *up = udp_sk(sk); + int ret; + ++ if (flags & MSG_SENDPAGE_NOTLAST) ++ flags |= MSG_MORE; ++ + if (!up->pending) { + struct msghdr msg = { .msg_flags = flags|MSG_MORE }; + +@@ -1171,14 +1174,8 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + int is_udplite = IS_UDPLITE(sk); + bool slow; + +- /* +- * Check any passed addresses +- */ +- if (addr_len) +- *addr_len = sizeof(*sin); +- + if (flags & MSG_ERRQUEUE) +- return ip_recv_error(sk, msg, len); ++ return ip_recv_error(sk, msg, len, addr_len); + + try_again: + skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), +@@ -1231,6 +1228,7 @@ try_again: + sin->sin_port = udp_hdr(skb)->source; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index e248069..3c7c948 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -315,7 +315,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) + /* + * Handle MSG_ERRQUEUE + */ +-int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) ++int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct sock_exterr_skb *serr; +@@ -366,6 +366,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) + ipv6_addr_set_v4mapped(*(__be32 *)(nh + serr->addr_offset), + &sin->sin6_addr); + } ++ *addr_len = sizeof(*sin); + } + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); +@@ -374,6 +375,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) + if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { + sin->sin6_family = AF_INET6; + sin->sin6_flowinfo = 0; ++ sin->sin6_port = 0; + sin->sin6_scope_id = 0; + if (skb->protocol == htons(ETH_P_IPV6)) { + ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr); +@@ -418,7 +420,8 @@ out: + /* + * Handle IPV6_RECVPATHMTU + */ +-int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) ++int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct sk_buff *skb; +@@ -452,6 +455,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) + sin->sin6_port = 0; + sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id; + ipv6_addr_copy(&sin->sin6_addr, &mtu_info.ip6m_addr.sin6_addr); ++ *addr_len = sizeof(*sin); + } + + put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info); +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 97675bf..d3fde7e 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -144,8 +144,8 @@ static int ip6_finish_output2(struct sk_buff *skb) + return res; + } + rcu_read_unlock(); +- IP6_INC_STATS_BH(dev_net(dst->dev), +- ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); ++ IP6_INC_STATS(dev_net(dst->dev), ++ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); + kfree_skb(skb); + return -EINVAL; + } +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 6e6c2c4..9ecbc84 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -456,14 +456,11 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, + if (flags & MSG_OOB) + return -EOPNOTSUPP; + +- if (addr_len) +- *addr_len=sizeof(*sin6); +- + if (flags & MSG_ERRQUEUE) +- return ipv6_recv_error(sk, msg, len); ++ return ipv6_recv_error(sk, msg, len, addr_len); + + if (np->rxpmtu && np->rxopt.bits.rxpmtu) +- return ipv6_recv_rxpmtu(sk, msg, len); ++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); + + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) +@@ -498,6 +495,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, + sin6->sin6_scope_id = 0; + if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL) + sin6->sin6_scope_id = IP6CB(skb)->iif; ++ *addr_len = sizeof(*sin6); + } + + sock_recv_ts_and_drops(msg, sk, skb); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index bc9103d..1768238 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -592,8 +592,11 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len, + prefix = &prefix_buf; + } + +- rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, gwaddr, +- dev->ifindex); ++ if (rinfo->prefix_len == 0) ++ rt = rt6_get_dflt_router(gwaddr, dev); ++ else ++ rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, ++ gwaddr, dev->ifindex); + + if (rt && !lifetime) { + ip6_del_rt(rt); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index f9e496b..f8bec1e 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -347,14 +347,11 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, + int is_udp4; + bool slow; + +- if (addr_len) +- *addr_len=sizeof(struct sockaddr_in6); +- + if (flags & MSG_ERRQUEUE) +- return ipv6_recv_error(sk, msg, len); ++ return ipv6_recv_error(sk, msg, len, addr_len); + + if (np->rxpmtu && np->rxopt.bits.rxpmtu) +- return ipv6_recv_rxpmtu(sk, msg, len); ++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); + + try_again: + skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), +@@ -423,7 +420,7 @@ try_again: + if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL) + sin6->sin6_scope_id = IP6CB(skb)->iif; + } +- ++ *addr_len = sizeof(*sin6); + } + if (is_udp4) { + if (inet->cmsg_flags) +diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c +index 9680226..8c06a50 100644 +--- a/net/ipx/af_ipx.c ++++ b/net/ipx/af_ipx.c +@@ -1835,8 +1835,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, + if (skb->tstamp.tv64) + sk->sk_stamp = skb->tstamp; + +- msg->msg_namelen = sizeof(*sipx); +- + if (sipx) { + sipx->sipx_family = AF_IPX; + sipx->sipx_port = ipx->ipx_source.sock; +@@ -1844,6 +1842,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, + sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net; + sipx->sipx_type = ipx->ipx_type; + sipx->sipx_zero = 0; ++ msg->msg_namelen = sizeof(*sipx); + } + rc = copied; + +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index 91821e9..f5d011a 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1386,8 +1386,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, + + IRDA_DEBUG(4, "%s()\n", __func__); + +- msg->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); + if (!skb) +@@ -1452,8 +1450,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock, + target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); + timeo = sock_rcvtimeo(sk, noblock); + +- msg->msg_namelen = 0; +- + do { + int chunk; + struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue); +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index e836140..cf98d62 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1356,8 +1356,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + int blen; + int err = 0; + +- msg->msg_namelen = 0; +- + if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) && + skb_queue_empty(&iucv->backlog_skb_q) && + skb_queue_empty(&sk->sk_receive_queue) && +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 8dbdb8e..dc8d7ef 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3595,7 +3595,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb, + if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT)) + goto out; + +- msg->msg_namelen = 0; + skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err); + if (skb == NULL) + goto out; +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 6c7e609..334a93d 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -568,9 +568,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*sin); +- + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) + goto out; +@@ -593,6 +590,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + sin->sin_port = 0; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 8570079..969cd3e 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -200,8 +200,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock, + if (sk->sk_state & PPPOX_BOUND) + goto end; + +- msg->msg_namelen = 0; +- + err = 0; + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index e5565c7..99a60d5 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, + int target; /* Read at least this many bytes */ + long timeo; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + copied = -ENOTCONN; + if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index db01d02..71d8564 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -764,7 +764,8 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx) + u16 sc; + int tid; + +- if (!ieee80211_is_data_qos(hdr->frame_control)) ++ if (!ieee80211_is_data_qos(hdr->frame_control) || ++ is_multicast_ether_addr(hdr->addr1)) + goto dont_reorder; + + /* +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 3d1d55d..2369e96 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1445,8 +1445,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, + } + #endif + +- msg->msg_namelen = 0; +- + copied = data_skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 3df7c5a..b4d889b 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1182,10 +1182,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, + sax->sax25_family = AF_NETROM; + skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, + AX25_ADDR_LEN); ++ msg->msg_namelen = sizeof(*sax); + } + +- msg->msg_namelen = sizeof(*sax); +- + skb_free_datagram(sk, skb); + + release_sock(sk); +diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c +index 7a167fc..0d570d3 100644 +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -248,8 +248,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return rc; + +- msg->msg_namelen = 0; +- + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index a2ac2c3..4f19bf2 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -295,6 +295,7 @@ struct packet_sock { + unsigned int tp_reserve; + unsigned int tp_loss:1; + unsigned int tp_tstamp; ++ struct net_device __rcu *cached_dev; + struct packet_type prot_hook ____cacheline_aligned_in_smp; + }; + +@@ -350,11 +351,15 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po); + static void register_prot_hook(struct sock *sk) + { + struct packet_sock *po = pkt_sk(sk); ++ + if (!po->running) { +- if (po->fanout) ++ if (po->fanout) { + __fanout_link(sk, po); +- else ++ } else { + dev_add_pack(&po->prot_hook); ++ rcu_assign_pointer(po->cached_dev, po->prot_hook.dev); ++ } ++ + sock_hold(sk); + po->running = 1; + } +@@ -372,10 +377,13 @@ static void __unregister_prot_hook(struct sock *sk, bool sync) + struct packet_sock *po = pkt_sk(sk); + + po->running = 0; +- if (po->fanout) ++ if (po->fanout) { + __fanout_unlink(sk, po); +- else ++ } else { + __dev_remove_pack(&po->prot_hook); ++ RCU_INIT_POINTER(po->cached_dev, NULL); ++ } ++ + __sock_put(sk); + + if (sync) { +@@ -497,9 +505,9 @@ static void prb_shutdown_retire_blk_timer(struct packet_sock *po, + + pkc = tx_ring ? &po->tx_ring.prb_bdqc : &po->rx_ring.prb_bdqc; + +- spin_lock(&rb_queue->lock); ++ spin_lock_bh(&rb_queue->lock); + pkc->delete_blk_timer = 1; +- spin_unlock(&rb_queue->lock); ++ spin_unlock_bh(&rb_queue->lock); + + prb_del_retire_blk_timer(pkc); + } +@@ -2032,12 +2040,24 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + return tp_len; + } + ++static struct net_device *packet_cached_dev_get(struct packet_sock *po) ++{ ++ struct net_device *dev; ++ ++ rcu_read_lock(); ++ dev = rcu_dereference(po->cached_dev); ++ if (dev) ++ dev_hold(dev); ++ rcu_read_unlock(); ++ ++ return dev; ++} ++ + static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + { + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- bool need_rls_dev = false; + int err, reserve = 0; + void *ph; + struct sockaddr_ll *saddr = (struct sockaddr_ll *)msg->msg_name; +@@ -2050,7 +2070,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + + err = -EBUSY; + if (saddr == NULL) { +- dev = po->prot_hook.dev; ++ dev = packet_cached_dev_get(po); + proto = po->num; + addr = NULL; + } else { +@@ -2064,19 +2084,17 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); +- need_rls_dev = true; + } + + err = -ENXIO; + if (unlikely(dev == NULL)) + goto out; +- +- reserve = dev->hard_header_len; +- + err = -ENETDOWN; + if (unlikely(!(dev->flags & IFF_UP))) + goto out_put; + ++ reserve = dev->hard_header_len; ++ + size_max = po->tx_ring.frame_size + - (po->tp_hdrlen - sizeof(struct sockaddr_ll)); + +@@ -2152,8 +2170,7 @@ out_status: + __packet_set_status(po, ph, status); + kfree_skb(skb); + out_put: +- if (need_rls_dev) +- dev_put(dev); ++ dev_put(dev); + out: + mutex_unlock(&po->pg_vec_lock); + return err; +@@ -2191,7 +2208,6 @@ static int packet_snd(struct socket *sock, + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- bool need_rls_dev = false; + unsigned char *addr; + int err, reserve = 0; + struct virtio_net_hdr vnet_hdr = { 0 }; +@@ -2205,7 +2221,7 @@ static int packet_snd(struct socket *sock, + */ + + if (saddr == NULL) { +- dev = po->prot_hook.dev; ++ dev = packet_cached_dev_get(po); + proto = po->num; + addr = NULL; + } else { +@@ -2217,19 +2233,17 @@ static int packet_snd(struct socket *sock, + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); +- need_rls_dev = true; + } + + err = -ENXIO; +- if (dev == NULL) ++ if (unlikely(dev == NULL)) + goto out_unlock; +- if (sock->type == SOCK_RAW) +- reserve = dev->hard_header_len; +- + err = -ENETDOWN; +- if (!(dev->flags & IFF_UP)) ++ if (unlikely(!(dev->flags & IFF_UP))) + goto out_unlock; + ++ if (sock->type == SOCK_RAW) ++ reserve = dev->hard_header_len; + if (po->has_vnet_hdr) { + vnet_hdr_len = sizeof(vnet_hdr); + +@@ -2350,15 +2364,14 @@ static int packet_snd(struct socket *sock, + if (err > 0 && (err = net_xmit_errno(err)) != 0) + goto out_unlock; + +- if (need_rls_dev) +- dev_put(dev); ++ dev_put(dev); + + return len; + + out_free: + kfree_skb(skb); + out_unlock: +- if (dev && need_rls_dev) ++ if (dev) + dev_put(dev); + out: + return err; +@@ -2575,6 +2588,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + po = pkt_sk(sk); + sk->sk_family = PF_PACKET; + po->num = proto; ++ RCU_INIT_POINTER(po->cached_dev, NULL); + + sk->sk_destruct = packet_sock_destruct; + sk_refcnt_debug_inc(sk); +@@ -2663,7 +2677,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + struct sock *sk = sock->sk; + struct sk_buff *skb; + int copied, err; +- struct sockaddr_ll *sll; + int vnet_hdr_len = 0; + + err = -EINVAL; +@@ -2746,22 +2759,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + goto out_free; + } + +- /* +- * If the address length field is there to be filled in, we fill +- * it in now. ++ /* You lose any data beyond the buffer you gave. If it worries ++ * a user program they can ask the device for its MTU ++ * anyway. + */ +- +- sll = &PACKET_SKB_CB(skb)->sa.ll; +- if (sock->type == SOCK_PACKET) +- msg->msg_namelen = sizeof(struct sockaddr_pkt); +- else +- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr); +- +- /* +- * You lose any data beyond the buffer you gave. If it worries a +- * user program they can ask the device for its MTU anyway. +- */ +- + copied = skb->len; + if (copied > len) { + copied = len; +@@ -2774,9 +2775,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + + sock_recv_ts_and_drops(msg, sk, skb); + +- if (msg->msg_name) ++ if (msg->msg_name) { ++ /* If the address length field is there to be filled ++ * in, we fill it in now. ++ */ ++ if (sock->type == SOCK_PACKET) { ++ msg->msg_namelen = sizeof(struct sockaddr_pkt); ++ } else { ++ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; ++ msg->msg_namelen = sll->sll_halen + ++ offsetof(struct sockaddr_ll, sll_addr); ++ } + memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, + msg->msg_namelen); ++ } + + if (pkt_sk(sk)->auxdata) { + struct tpacket_auxdata aux; +diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c +index bf35b4e..b25f2d3 100644 +--- a/net/phonet/datagram.c ++++ b/net/phonet/datagram.c +@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, + MSG_CMSG_COMPAT)) + goto out_nofree; + +- if (addr_len) +- *addr_len = sizeof(sa); +- + skb = skb_recv_datagram(sk, flags, noblock, &rval); + if (skb == NULL) + goto out_nofree; +@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, + + rval = (flags & MSG_TRUNC) ? skb->len : copylen; + +- if (msg->msg_name != NULL) +- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); ++ if (msg->msg_name != NULL) { ++ memcpy(msg->msg_name, &sa, sizeof(sa)); ++ *addr_len = sizeof(sa); ++ } + + out: + skb_free_datagram(sk, skb); +diff --git a/net/rds/recv.c b/net/rds/recv.c +index fc57d31..96a1239 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + + rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); + +- msg->msg_namelen = 0; +- + if (msg_flags & MSG_OOB) + goto out; + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 1f96fb9..bf76dec7 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1221,7 +1221,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, + { + struct sock *sk = sock->sk; + struct rose_sock *rose = rose_sk(sk); +- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name; + size_t copied; + unsigned char *asmptr; + struct sk_buff *skb; +@@ -1257,8 +1256,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, + + skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); + +- if (srose != NULL) { +- memset(srose, 0, msg->msg_namelen); ++ if (msg->msg_name) { ++ struct sockaddr_rose *srose; ++ ++ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); ++ srose = msg->msg_name; + srose->srose_family = AF_ROSE; + srose->srose_addr = rose->dest_addr; + srose->srose_call = rose->dest_call; +diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c +index 4b48687..898492a 100644 +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, + + /* copy the peer address and timestamp */ + if (!continue_call) { +- if (msg->msg_name && msg->msg_namelen > 0) ++ if (msg->msg_name) { ++ size_t len = ++ sizeof(call->conn->trans->peer->srx); + memcpy(msg->msg_name, +- &call->conn->trans->peer->srx, +- sizeof(call->conn->trans->peer->srx)); ++ &call->conn->trans->peer->srx, len); ++ msg->msg_namelen = len; ++ } + sock_recv_ts_and_drops(msg, &rx->sk, skb); + } + +diff --git a/net/socket.c b/net/socket.c +index bf7adaa..d4faade 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -215,12 +215,13 @@ static int move_addr_to_user(struct sockaddr *kaddr, int klen, + int err; + int len; + ++ BUG_ON(klen > sizeof(struct sockaddr_storage)); + err = get_user(len, ulen); + if (err) + return err; + if (len > klen) + len = klen; +- if (len < 0 || len > sizeof(struct sockaddr_storage)) ++ if (len < 0) + return -EINVAL; + if (len) { + if (audit_sockaddr(klen, kaddr)) +@@ -1752,8 +1753,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + msg.msg_iov = &iov; + iov.iov_len = size; + iov.iov_base = ubuf; +- msg.msg_name = (struct sockaddr *)&address; +- msg.msg_namelen = sizeof(address); ++ /* Save some cycles and don't copy the address if not needed */ ++ msg.msg_name = addr ? (struct sockaddr *)&address : NULL; ++ /* We assume all kernel code knows the size of sockaddr_storage */ ++ msg.msg_namelen = 0; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, size, flags); +@@ -1882,7 +1885,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, + if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) + return -EFAULT; + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) +- return -EINVAL; ++ kmsg->msg_namelen = sizeof(struct sockaddr_storage); + return 0; + } + +@@ -2142,18 +2145,16 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + goto out; + } + +- /* +- * Save the user-mode address (verify_iovec will change the +- * kernel msghdr to use the kernel address space) ++ /* Save the user-mode address (verify_iovec will change the ++ * kernel msghdr to use the kernel address space) + */ +- + uaddr = (__force void __user *)msg_sys->msg_name; + uaddr_len = COMPAT_NAMELEN(msg); +- if (MSG_CMSG_COMPAT & flags) { ++ if (MSG_CMSG_COMPAT & flags) + err = verify_compat_iovec(msg_sys, iov, + (struct sockaddr *)&addr, + VERIFY_WRITE); +- } else ++ else + err = verify_iovec(msg_sys, iov, + (struct sockaddr *)&addr, + VERIFY_WRITE); +@@ -2164,6 +2165,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + cmsg_ptr = (unsigned long)msg_sys->msg_control; + msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT); + ++ /* We assume all kernel code knows the size of sockaddr_storage */ ++ msg_sys->msg_namelen = 0; ++ + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 65fe23b..bfb78fa 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -390,8 +390,10 @@ static int xs_send_kvec(struct socket *sock, struct sockaddr *addr, int addrlen, + return kernel_sendmsg(sock, &msg, NULL, 0, 0); + } + +-static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more) ++static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more, bool zerocopy) + { ++ ssize_t (*do_sendpage)(struct socket *sock, struct page *page, ++ int offset, size_t size, int flags); + struct page **ppage; + unsigned int remainder; + int err, sent = 0; +@@ -400,6 +402,9 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i + base += xdr->page_base; + ppage = xdr->pages + (base >> PAGE_SHIFT); + base &= ~PAGE_MASK; ++ do_sendpage = sock->ops->sendpage; ++ if (!zerocopy) ++ do_sendpage = sock_no_sendpage; + for(;;) { + unsigned int len = min_t(unsigned int, PAGE_SIZE - base, remainder); + int flags = XS_SENDMSG_FLAGS; +@@ -407,7 +412,7 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i + remainder -= len; + if (remainder != 0 || more) + flags |= MSG_MORE; +- err = sock->ops->sendpage(sock, *ppage, base, len, flags); ++ err = do_sendpage(sock, *ppage, base, len, flags); + if (remainder == 0 || err != len) + break; + sent += err; +@@ -428,9 +433,10 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i + * @addrlen: UDP only -- length of destination address + * @xdr: buffer containing this request + * @base: starting position in the buffer ++ * @zerocopy: true if it is safe to use sendpage() + * + */ +-static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base) ++static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base, bool zerocopy) + { + unsigned int remainder = xdr->len - base; + int err, sent = 0; +@@ -458,7 +464,7 @@ static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, + if (base < xdr->page_len) { + unsigned int len = xdr->page_len - base; + remainder -= len; +- err = xs_send_pagedata(sock, xdr, base, remainder != 0); ++ err = xs_send_pagedata(sock, xdr, base, remainder != 0, zerocopy); + if (remainder == 0 || err != len) + goto out; + sent += err; +@@ -561,7 +567,7 @@ static int xs_local_send_request(struct rpc_task *task) + req->rq_svec->iov_base, req->rq_svec->iov_len); + + status = xs_sendpages(transport->sock, NULL, 0, +- xdr, req->rq_bytes_sent); ++ xdr, req->rq_bytes_sent, true); + dprintk("RPC: %s(%u) = %d\n", + __func__, xdr->len - req->rq_bytes_sent, status); + if (likely(status >= 0)) { +@@ -617,7 +623,7 @@ static int xs_udp_send_request(struct rpc_task *task) + status = xs_sendpages(transport->sock, + xs_addr(xprt), + xprt->addrlen, xdr, +- req->rq_bytes_sent); ++ req->rq_bytes_sent, true); + + dprintk("RPC: xs_udp_send_request(%u) = %d\n", + xdr->len - req->rq_bytes_sent, status); +@@ -688,6 +694,7 @@ static int xs_tcp_send_request(struct rpc_task *task) + struct rpc_xprt *xprt = req->rq_xprt; + struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt); + struct xdr_buf *xdr = &req->rq_snd_buf; ++ bool zerocopy = true; + int status; + + xs_encode_stream_record_marker(&req->rq_snd_buf); +@@ -695,13 +702,20 @@ static int xs_tcp_send_request(struct rpc_task *task) + xs_pktdump("packet data:", + req->rq_svec->iov_base, + req->rq_svec->iov_len); ++ /* Don't use zero copy if this is a resend. If the RPC call ++ * completes while the socket holds a reference to the pages, ++ * then we may end up resending corrupted data. ++ */ ++ if (task->tk_flags & RPC_TASK_SENT) ++ zerocopy = false; + + /* Continue transmitting the packet/record. We must be careful + * to cope with writespace callbacks arriving _after_ we have + * called sendmsg(). */ + while (1) { + status = xs_sendpages(transport->sock, +- NULL, 0, xdr, req->rq_bytes_sent); ++ NULL, 0, xdr, req->rq_bytes_sent, ++ zerocopy); + + dprintk("RPC: xs_tcp_send_request(%u) = %d\n", + xdr->len - req->rq_bytes_sent, status); +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index fdf34af..058941e 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -949,9 +949,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock, + goto exit; + } + +- /* will be updated in set_orig_addr() if needed */ +- m->msg_namelen = 0; +- + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + restart: + +@@ -1078,9 +1075,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock, + goto exit; + } + +- /* will be updated in set_orig_addr() if needed */ +- m->msg_namelen = 0; +- + target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + restart: +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 5122b22..9338ccc 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1744,7 +1744,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk) + { + struct unix_sock *u = unix_sk(sk); + +- msg->msg_namelen = 0; + if (u->addr) { + msg->msg_namelen = u->addr->len; + memcpy(msg->msg_name, u->addr->name, u->addr->len); +@@ -1767,8 +1766,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags&MSG_OOB) + goto out; + +- msg->msg_namelen = 0; +- + err = mutex_lock_interruptible(&u->readlock); + if (err) { + err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); +@@ -1902,8 +1899,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); + timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); + +- msg->msg_namelen = 0; +- + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index dc24ba9..07b9973 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1343,10 +1343,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, + if (sx25) { + sx25->sx25_family = AF_X25; + sx25->sx25_addr = x25->dest_addr; ++ msg->msg_namelen = sizeof(*sx25); + } + +- msg->msg_namelen = sizeof(struct sockaddr_x25); +- + x25_check_rbuf(sk); + rc = copied; + out_free_dgram: +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 1126c10..5898f34 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -53,6 +53,7 @@ + #include <net/icmp.h> + #include <net/ip.h> /* for local_port_range[] */ + #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ ++#include <net/inet_connection_sock.h> + #include <net/net_namespace.h> + #include <net/netlabel.h> + #include <linux/uaccess.h> +@@ -3704,6 +3705,30 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) + return 0; + } + ++/** ++ * selinux_conn_sid - Determine the child socket label for a connection ++ * @sk_sid: the parent socket's SID ++ * @skb_sid: the packet's SID ++ * @conn_sid: the resulting connection SID ++ * ++ * If @skb_sid is valid then the user:role:type information from @sk_sid is ++ * combined with the MLS information from @skb_sid in order to create ++ * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy ++ * of @sk_sid. Returns zero on success, negative values on failure. ++ * ++ */ ++static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) ++{ ++ int err = 0; ++ ++ if (skb_sid != SECSID_NULL) ++ err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); ++ else ++ *conn_sid = sk_sid; ++ ++ return err; ++} ++ + /* socket security operations */ + + static int socket_sockcreate_sid(const struct task_security_struct *tsec, +@@ -4295,7 +4320,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, + struct sk_security_struct *sksec = sk->sk_security; + int err; + u16 family = sk->sk_family; +- u32 newsid; ++ u32 connsid; + u32 peersid; + + /* handle mapped IPv4 packets arriving via IPv6 sockets */ +@@ -4305,16 +4330,11 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, + err = selinux_skb_peerlbl_sid(skb, family, &peersid); + if (err) + return err; +- if (peersid == SECSID_NULL) { +- req->secid = sksec->sid; +- req->peer_secid = SECSID_NULL; +- } else { +- err = security_sid_mls_copy(sksec->sid, peersid, &newsid); +- if (err) +- return err; +- req->secid = newsid; +- req->peer_secid = peersid; +- } ++ err = selinux_conn_sid(sksec->sid, peersid, &connsid); ++ if (err) ++ return err; ++ req->secid = connsid; ++ req->peer_secid = peersid; + + return selinux_netlbl_inet_conn_request(req, family); + } +@@ -4542,6 +4562,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum, + static unsigned int selinux_ip_output(struct sk_buff *skb, + u16 family) + { ++ struct sock *sk; + u32 sid; + + if (!netlbl_enabled()) +@@ -4550,8 +4571,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, + /* we do this in the LOCAL_OUT path and not the POST_ROUTING path + * because we want to make sure we apply the necessary labeling + * before IPsec is applied so we can leverage AH protection */ +- if (skb->sk) { +- struct sk_security_struct *sksec = skb->sk->sk_security; ++ sk = skb->sk; ++ if (sk) { ++ struct sk_security_struct *sksec; ++ ++ if (sk->sk_state == TCP_LISTEN) ++ /* if the socket is the listening state then this ++ * packet is a SYN-ACK packet which means it needs to ++ * be labeled based on the connection/request_sock and ++ * not the parent socket. unfortunately, we can't ++ * lookup the request_sock yet as it isn't queued on ++ * the parent socket until after the SYN-ACK is sent. ++ * the "solution" is to simply pass the packet as-is ++ * as any IP option based labeling should be copied ++ * from the initial connection request (in the IP ++ * layer). it is far from ideal, but until we get a ++ * security label in the packet itself this is the ++ * best we can do. */ ++ return NF_ACCEPT; ++ ++ /* standard practice, label using the parent socket */ ++ sksec = sk->sk_security; + sid = sksec->sid; + } else + sid = SECINITSID_KERNEL; +@@ -4633,12 +4673,12 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, + if (!secmark_active && !peerlbl_active) + return NF_ACCEPT; + +- /* if the packet is being forwarded then get the peer label from the +- * packet itself; otherwise check to see if it is from a local +- * application or the kernel, if from an application get the peer label +- * from the sending socket, otherwise use the kernel's sid */ + sk = skb->sk; + if (sk == NULL) { ++ /* Without an associated socket the packet is either coming ++ * from the kernel or it is being forwarded; check the packet ++ * to determine which and if the packet is being forwarded ++ * query the packet directly to determine the security label. */ + if (skb->skb_iif) { + secmark_perm = PACKET__FORWARD_OUT; + if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) +@@ -4647,7 +4687,26 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, + secmark_perm = PACKET__SEND; + peer_sid = SECINITSID_KERNEL; + } ++ } else if (sk->sk_state == TCP_LISTEN) { ++ /* Locally generated packet but the associated socket is in the ++ * listening state which means this is a SYN-ACK packet. In ++ * this particular case the correct security label is assigned ++ * to the connection/request_sock but unfortunately we can't ++ * query the request_sock as it isn't queued on the parent ++ * socket until after the SYN-ACK packet is sent; the only ++ * viable choice is to regenerate the label like we do in ++ * selinux_inet_conn_request(). See also selinux_ip_output() ++ * for similar problems. */ ++ u32 skb_sid; ++ struct sk_security_struct *sksec = sk->sk_security; ++ if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) ++ return NF_DROP; ++ if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) ++ return NF_DROP; ++ secmark_perm = PACKET__SEND; + } else { ++ /* Locally generated packet, fetch the security label from the ++ * associated socket. */ + struct sk_security_struct *sksec = sk->sk_security; + peer_sid = sksec->sid; + secmark_perm = PACKET__SEND; +diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c +index da4b8b2..6235d05 100644 +--- a/security/selinux/netlabel.c ++++ b/security/selinux/netlabel.c +@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) + sksec->nlbl_state != NLBL_CONNLABELED) + return 0; + +- local_bh_disable(); +- bh_lock_sock_nested(sk); ++ lock_sock(sk); + + /* connected sockets are allowed to disconnect when the address family + * is set to AF_UNSPEC, if that is what is happening we want to reset +@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) + sksec->nlbl_state = NLBL_CONNLABELED; + + socket_connect_return: +- bh_unlock_sock(sk); +- local_bh_enable(); ++ release_sock(sk); + return rc; + } +diff --git a/sound/drivers/pcsp/pcsp.c b/sound/drivers/pcsp/pcsp.c +index 946a0cb..e6ad8d4 100644 +--- a/sound/drivers/pcsp/pcsp.c ++++ b/sound/drivers/pcsp/pcsp.c +@@ -187,8 +187,8 @@ static int __devinit pcsp_probe(struct platform_device *dev) + static int __devexit pcsp_remove(struct platform_device *dev) + { + struct snd_pcsp *chip = platform_get_drvdata(dev); +- alsa_card_pcsp_exit(chip); + pcspkr_input_remove(chip->input_dev); ++ alsa_card_pcsp_exit(chip); + platform_set_drvdata(dev, NULL); + return 0; + } +diff --git a/sound/isa/msnd/msnd_pinnacle.c b/sound/isa/msnd/msnd_pinnacle.c +index 0961e2c..a9cc687 100644 +--- a/sound/isa/msnd/msnd_pinnacle.c ++++ b/sound/isa/msnd/msnd_pinnacle.c +@@ -73,9 +73,11 @@ + #ifdef MSND_CLASSIC + # include "msnd_classic.h" + # define LOGNAME "msnd_classic" ++# define DEV_NAME "msnd-classic" + #else + # include "msnd_pinnacle.h" + # define LOGNAME "snd_msnd_pinnacle" ++# define DEV_NAME "msnd-pinnacle" + #endif + + static void __devinit set_default_audio_parameters(struct snd_msnd *chip) +@@ -1068,8 +1070,6 @@ static int __devexit snd_msnd_isa_remove(struct device *pdev, unsigned int dev) + return 0; + } + +-#define DEV_NAME "msnd-pinnacle" +- + static struct isa_driver snd_msnd_driver = { + .match = snd_msnd_isa_match, + .probe = snd_msnd_isa_probe, +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 984b5b1..843d9f3 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -4610,6 +4610,8 @@ static const struct hda_codec_preset snd_hda_preset_conexant[] = { + .patch = patch_conexant_auto }, + { .id = 0x14f15115, .name = "CX20757", + .patch = patch_conexant_auto }, ++ { .id = 0x14f151d7, .name = "CX20952", ++ .patch = patch_conexant_auto }, + {} /* terminator */ + }; + +@@ -4636,6 +4638,7 @@ MODULE_ALIAS("snd-hda-codec-id:14f15111"); + MODULE_ALIAS("snd-hda-codec-id:14f15113"); + MODULE_ALIAS("snd-hda-codec-id:14f15114"); + MODULE_ALIAS("snd-hda-codec-id:14f15115"); ++MODULE_ALIAS("snd-hda-codec-id:14f151d7"); + + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Conexant HD-audio codec"); +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 92c913d..1f78ca6 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5943,6 +5943,7 @@ static int patch_alc662(struct hda_codec *codec) + case 0x10ec0272: + case 0x10ec0663: + case 0x10ec0665: ++ case 0x10ec0668: + set_beep_amp(spec, 0x0b, 0x04, HDA_INPUT); + break; + case 0x10ec0273: +@@ -6019,6 +6020,7 @@ static int patch_alc680(struct hda_codec *codec) + */ + static const struct hda_codec_preset snd_hda_preset_realtek[] = { + { .id = 0x10ec0221, .name = "ALC221", .patch = patch_alc269 }, ++ { .id = 0x10ec0231, .name = "ALC231", .patch = patch_alc269 }, + { .id = 0x10ec0260, .name = "ALC260", .patch = patch_alc260 }, + { .id = 0x10ec0262, .name = "ALC262", .patch = patch_alc262 }, + { .id = 0x10ec0267, .name = "ALC267", .patch = patch_alc268 }, +diff --git a/sound/soc/codecs/ak4642.c b/sound/soc/codecs/ak4642.c +index 1c4999d..f2dac5c 100644 +--- a/sound/soc/codecs/ak4642.c ++++ b/sound/soc/codecs/ak4642.c +@@ -214,7 +214,7 @@ static int ak4642_dai_startup(struct snd_pcm_substream *substream, + * This operation came from example code of + * "ASAHI KASEI AK4642" (japanese) manual p94. + */ +- snd_soc_write(codec, SG_SL1, PMMP | MGAIN0); ++ snd_soc_update_bits(codec, SG_SL1, PMMP | MGAIN0, PMMP | MGAIN0); + snd_soc_write(codec, TIMER, ZTM(0x3) | WTM(0x3)); + snd_soc_write(codec, ALC_CTL1, ALC | LMTH0); + snd_soc_update_bits(codec, PW_MGMT1, PMVCM | PMADL, +diff --git a/sound/soc/codecs/wm8731.c b/sound/soc/codecs/wm8731.c +index a7c9ae1..6cfd4f7 100644 +--- a/sound/soc/codecs/wm8731.c ++++ b/sound/soc/codecs/wm8731.c +@@ -392,10 +392,10 @@ static int wm8731_set_dai_fmt(struct snd_soc_dai *codec_dai, + iface |= 0x0001; + break; + case SND_SOC_DAIFMT_DSP_A: +- iface |= 0x0003; ++ iface |= 0x0013; + break; + case SND_SOC_DAIFMT_DSP_B: +- iface |= 0x0013; ++ iface |= 0x0003; + break; + default: + return -EINVAL; +diff --git a/sound/soc/codecs/wm8990.c b/sound/soc/codecs/wm8990.c +index d29a962..cfa5bea 100644 +--- a/sound/soc/codecs/wm8990.c ++++ b/sound/soc/codecs/wm8990.c +@@ -1266,6 +1266,8 @@ static int wm8990_set_bias_level(struct snd_soc_codec *codec, + + /* disable POBCTRL, SOFT_ST and BUFDCOPEN */ + snd_soc_write(codec, WM8990_ANTIPOP2, 0x0); ++ ++ codec->cache_sync = 1; + break; + } + +diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c +index c7dca7b..46a2816 100644 +--- a/sound/usb/6fire/chip.c ++++ b/sound/usb/6fire/chip.c +@@ -102,7 +102,7 @@ static int __devinit usb6fire_chip_probe(struct usb_interface *intf, + usb_set_intfdata(intf, chips[i]); + mutex_unlock(®ister_mutex); + return 0; +- } else if (regidx < 0) ++ } else if (!devices[i] && regidx < 0) + regidx = i; + } + if (regidx < 0) { +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index 533db33..5dbb35d 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -101,6 +101,10 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) + while ((gfn << PAGE_SHIFT) & (page_size - 1)) + page_size >>= 1; + ++ /* Make sure hva is aligned to the page size we want to map */ ++ while (gfn_to_hva_memslot(slot, gfn) & (page_size - 1)) ++ page_size >>= 1; ++ + /* + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 8bf05f0..d83aa5e 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -774,7 +774,7 @@ skip_lpage: + new.userspace_addr = mem->userspace_addr; + #endif /* not defined CONFIG_S390 */ + +- if (!npages) { ++ if (!npages || base_gfn != old.base_gfn) { + r = -ENOMEM; + slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); + if (!slots) +@@ -788,8 +788,10 @@ skip_lpage: + old_memslots = kvm->memslots; + rcu_assign_pointer(kvm->memslots, slots); + synchronize_srcu_expedited(&kvm->srcu); +- /* From this point no new shadow pages pointing to a deleted +- * memslot will be created. ++ /* slot was deleted or moved, clear iommu mapping */ ++ kvm_iommu_unmap_pages(kvm, &old); ++ /* From this point no new shadow pages pointing to a deleted, ++ * or moved, memslot will be created. + * + * validation of sp->gfn happens in: + * - gfn_to_hva (kvm_read_guest, gfn_to_pfn) +@@ -803,14 +805,6 @@ skip_lpage: + if (r) + goto out_free; + +- /* map/unmap the pages in iommu page table */ +- if (npages) { +- r = kvm_iommu_map_pages(kvm, &new); +- if (r) +- goto out_free; +- } else +- kvm_iommu_unmap_pages(kvm, &old); +- + r = -ENOMEM; + slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); + if (!slots) +@@ -820,6 +814,13 @@ skip_lpage: + slots->nmemslots = mem->slot + 1; + slots->generation++; + ++ /* map new memory slot into the iommu */ ++ if (npages) { ++ r = kvm_iommu_map_pages(kvm, &new); ++ if (r) ++ goto out_slots; ++ } ++ + /* actual memory is freed via old in kvm_free_physmem_slot below */ + if (!npages) { + new.rmap = NULL; +@@ -847,6 +848,8 @@ skip_lpage: + + return 0; + ++out_slots: ++ kfree(slots); + out_free: + kvm_free_physmem_slot(&new, &old); + out: +@@ -1683,6 +1686,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + int r; + struct kvm_vcpu *vcpu, *v; + ++ if (id >= KVM_MAX_VCPUS) ++ return -EINVAL; ++ + vcpu = kvm_arch_vcpu_create(kvm, id); + if (IS_ERR(vcpu)) + return PTR_ERR(vcpu); diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201401051649.patch index 02cb583..3e204e8 100644 --- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch +++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201401051649.patch @@ -270,7 +270,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 90f57dc..1082409 100644 +index 848be26..3deab0e 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -850,7 +850,7 @@ index fadd5f8..904e73a 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h -index 7bb8bf9..4b0c4ed 100644 +index b7c5d5d..4b0c4ed 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -231,7 +231,7 @@ @@ -871,19 +871,6 @@ index 7bb8bf9..4b0c4ed 100644 .rept \rept 9999: .if \inc == 1 -@@ -307,4 +307,12 @@ - .size \name , . - \name - .endm - -+ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req -+#ifndef CONFIG_CPU_USE_DOMAINS -+ adds \tmp, \addr, #\size - 1 -+ sbcccs \tmp, \tmp, \limit -+ bcs \bad -+#endif -+ .endm -+ - #endif /* __ASM_ASSEMBLER_H__ */ diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h index 86976d0..269b872 100644 --- a/arch/arm/include/asm/atomic.h @@ -1748,98 +1735,10 @@ index 7b5cc8d..5d70d88 100644 /* * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index b293616..47aa55e 100644 +index 292c3f8..47aa55e 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h -@@ -101,28 +101,39 @@ extern int __get_user_1(void *); - extern int __get_user_2(void *); - extern int __get_user_4(void *); - --#define __get_user_x(__r2,__p,__e,__s,__i...) \ -+#define __GUP_CLOBBER_1 "lr", "cc" -+#ifdef CONFIG_CPU_USE_DOMAINS -+#define __GUP_CLOBBER_2 "ip", "lr", "cc" -+#else -+#define __GUP_CLOBBER_2 "lr", "cc" -+#endif -+#define __GUP_CLOBBER_4 "lr", "cc" -+ -+#define __get_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%1", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __get_user_" #__s \ - : "=&r" (__e), "=r" (__r2) \ -- : "0" (__p) \ -- : __i, "cc") -+ : "0" (__p), "r" (__l) \ -+ : __GUP_CLOBBER_##__s) - - #define get_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ - register unsigned long __r2 asm("r2"); \ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __get_user_x(__r2, __p, __e, 1, "lr"); \ -- break; \ -+ __get_user_x(__r2, __p, __e, __l, 1); \ -+ break; \ - case 2: \ -- __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __get_user_x(__r2, __p, __e, 4, "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 4); \ - break; \ - default: __e = __get_user_bad(); break; \ - } \ -@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int); - extern int __put_user_4(void *, unsigned int); - extern int __put_user_8(void *, unsigned long long); - --#define __put_user_x(__r2,__p,__e,__s) \ -+#define __put_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%2", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __put_user_" #__s \ - : "=&r" (__e) \ -- : "0" (__p), "r" (__r2) \ -+ : "0" (__p), "r" (__r2), "r" (__l) \ - : "ip", "lr", "cc") - - #define put_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __r2 asm("r2") = (x); \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __put_user_x(__r2, __p, __e, 1); \ -+ __put_user_x(__r2, __p, __e, __l, 1); \ - break; \ - case 2: \ -- __put_user_x(__r2, __p, __e, 2); \ -+ __put_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __put_user_x(__r2, __p, __e, 4); \ -+ __put_user_x(__r2, __p, __e, __l, 4); \ - break; \ - case 8: \ -- __put_user_x(__r2, __p, __e, 8); \ -+ __put_user_x(__r2, __p, __e, __l, 8); \ - break; \ - default: __e = __put_user_bad(); break; \ - } \ -@@ -227,7 +241,7 @@ do { \ +@@ -241,7 +241,7 @@ do { \ #define __get_user_asm_byte(x,addr,err) \ __asm__ __volatile__( \ @@ -1848,7 +1747,7 @@ index b293616..47aa55e 100644 "2:\n" \ " .pushsection .fixup,\"ax\"\n" \ " .align 2\n" \ -@@ -263,7 +277,7 @@ do { \ +@@ -277,7 +277,7 @@ do { \ #define __get_user_asm_word(x,addr,err) \ __asm__ __volatile__( \ @@ -1857,7 +1756,7 @@ index b293616..47aa55e 100644 "2:\n" \ " .pushsection .fixup,\"ax\"\n" \ " .align 2\n" \ -@@ -308,7 +322,7 @@ do { \ +@@ -322,7 +322,7 @@ do { \ #define __put_user_asm_byte(x,__pu_addr,err) \ __asm__ __volatile__( \ @@ -1866,7 +1765,7 @@ index b293616..47aa55e 100644 "2:\n" \ " .pushsection .fixup,\"ax\"\n" \ " .align 2\n" \ -@@ -341,7 +355,7 @@ do { \ +@@ -355,7 +355,7 @@ do { \ #define __put_user_asm_word(x,__pu_addr,err) \ __asm__ __volatile__( \ @@ -1875,7 +1774,7 @@ index b293616..47aa55e 100644 "2:\n" \ " .pushsection .fixup,\"ax\"\n" \ " .align 2\n" \ -@@ -366,10 +380,10 @@ do { \ +@@ -380,10 +380,10 @@ do { \ #define __put_user_asm_dword(x,__pu_addr,err) \ __asm__ __volatile__( \ @@ -1890,7 +1789,7 @@ index b293616..47aa55e 100644 "3:\n" \ " .pushsection .fixup,\"ax\"\n" \ " .align 2\n" \ -@@ -387,8 +401,21 @@ do { \ +@@ -401,8 +401,21 @@ do { \ #ifdef CONFIG_MMU @@ -1914,7 +1813,7 @@ index b293616..47aa55e 100644 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n); extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n); extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n); -@@ -403,6 +430,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n); +@@ -417,6 +430,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n); static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { @@ -1924,7 +1823,7 @@ index b293616..47aa55e 100644 if (access_ok(VERIFY_READ, from, n)) n = __copy_from_user(to, from, n); else /* security hole - plug it */ -@@ -412,6 +442,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u +@@ -426,6 +442,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -2013,7 +1912,7 @@ index 1e9be5d..4e0f470 100644 GFP_KERNEL, PAGE_KERNEL_EXEC, -1, __builtin_return_address(0)); diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index e68d251..c5bac2c 100644 +index d9e3c61..9cf9513 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -28,7 +28,6 @@ @@ -2061,7 +1960,7 @@ index e68d251..c5bac2c 100644 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" "sp : %08lx ip : %08lx fp : %08lx\n", regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, -@@ -486,12 +486,6 @@ unsigned long get_wchan(struct task_struct *p) +@@ -489,12 +489,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } @@ -2219,100 +2118,41 @@ index d066df6..df28194 100644 .pushsection .fixup,"ax" diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S -index 1b049cd..9b06bb4 100644 +index 4306fbf..9b06bb4 100644 --- a/arch/arm/lib/getuser.S +++ b/arch/arm/lib/getuser.S -@@ -16,8 +16,9 @@ - * __get_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * Outputs: r0 is the error code -- * r2, r3 contains the zero-extended value -+ * r2 contains the zero-extended value - * lr corrupted - * - * No other registers must be altered. (see <asm/uaccess.h> -@@ -27,34 +28,40 @@ - * Note also that it is intended that __get_user_bad is not global. - */ - #include <linux/linkage.h> -+#include <asm/assembler.h> - #include <asm/errno.h> - #include <asm/domain.h> +@@ -34,7 +34,7 @@ ENTRY(__get_user_1) + check_uaccess r0, 1, r1, r2, __get_user_bad -1: T(ldrb) r2, [r0] -+ check_uaccess r0, 1, r1, r2, __get_user_bad +1: TUSER(ldrb) r2, [r0] mov r0, #0 mov pc, lr ENDPROC(__get_user_1) - - ENTRY(__get_user_2) --#ifdef CONFIG_THUMB2_KERNEL --2: T(ldrb) r2, [r0] --3: T(ldrb) r3, [r0, #1] -+ check_uaccess r0, 2, r1, r2, __get_user_bad -+#ifdef CONFIG_CPU_USE_DOMAINS -+rb .req ip -+2: ldrbt r2, [r0], #1 -+3: ldrbt rb, [r0], #0 - #else --2: T(ldrb) r2, [r0], #1 --3: T(ldrb) r3, [r0] -+rb .req r0 -+2: ldrb r2, [r0] -+3: ldrb rb, [r0, #1] - #endif - #ifndef __ARMEB__ -- orr r2, r2, r3, lsl #8 -+ orr r2, r2, rb, lsl #8 - #else -- orr r2, r3, r2, lsl #8 -+ orr r2, rb, r2, lsl #8 - #endif - mov r0, #0 - mov pc, lr - ENDPROC(__get_user_2) +@@ -61,7 +61,7 @@ ENDPROC(__get_user_2) ENTRY(__get_user_4) + check_uaccess r0, 4, r1, r2, __get_user_bad -4: T(ldr) r2, [r0] -+ check_uaccess r0, 4, r1, r2, __get_user_bad +4: TUSER(ldr) r2, [r0] mov r0, #0 mov pc, lr ENDPROC(__get_user_4) diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S -index c023fc1..3d73dcb 100644 +index 9a897fa..3d73dcb 100644 --- a/arch/arm/lib/putuser.S +++ b/arch/arm/lib/putuser.S -@@ -16,6 +16,7 @@ - * __put_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * r2, r3 contains the value - * Outputs: r0 is the error code - * lr corrupted -@@ -27,32 +28,35 @@ - * Note also that it is intended that __put_user_bad is not global. - */ - #include <linux/linkage.h> -+#include <asm/assembler.h> - #include <asm/errno.h> - #include <asm/domain.h> +@@ -34,7 +34,7 @@ ENTRY(__put_user_1) + check_uaccess r0, 1, r1, ip, __put_user_bad -1: T(strb) r2, [r0] -+ check_uaccess r0, 1, r1, ip, __put_user_bad +1: TUSER(strb) r2, [r0] mov r0, #0 mov pc, lr ENDPROC(__put_user_1) - - ENTRY(__put_user_2) -+ check_uaccess r0, 2, r1, ip, __put_user_bad +@@ -44,19 +44,19 @@ ENTRY(__put_user_2) mov ip, r2, lsr #8 #ifdef CONFIG_THUMB2_KERNEL #ifndef __ARMEB__ @@ -2340,19 +2180,18 @@ index c023fc1..3d73dcb 100644 #endif #endif /* CONFIG_THUMB2_KERNEL */ mov r0, #0 -@@ -60,18 +64,20 @@ ENTRY(__put_user_2) - ENDPROC(__put_user_2) +@@ -65,7 +65,7 @@ ENDPROC(__put_user_2) ENTRY(__put_user_4) + check_uaccess r0, 4, r1, ip, __put_user_bad -4: T(str) r2, [r0] -+ check_uaccess r0, 4, r1, ip, __put_user_bad +4: TUSER(str) r2, [r0] mov r0, #0 mov pc, lr ENDPROC(__put_user_4) - +@@ -73,11 +73,11 @@ ENDPROC(__put_user_4) ENTRY(__put_user_8) -+ check_uaccess r0, 8, r1, ip, __put_user_bad + check_uaccess r0, 8, r1, ip, __put_user_bad #ifdef CONFIG_THUMB2_KERNEL -5: T(str) r2, [r0] -6: T(str) r3, [r0, #4] @@ -3286,15 +3125,15 @@ index 1a97af3..7529d31 100644 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX) #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX) diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h -index d9f397f..70d477b 100644 +index fba7696..a7650fd 100644 --- a/arch/ia64/include/asm/processor.h +++ b/arch/ia64/include/asm/processor.h @@ -320,7 +320,7 @@ struct thread_struct { regs->loadrs = 0; \ regs->r8 = get_dumpable(current->mm); /* set "don't zap registers" flag */ \ regs->r12 = new_sp - 16; /* allocate 16 byte scratch area */ \ -- if (unlikely(!get_dumpable(current->mm))) { \ -+ if (unlikely(get_dumpable(current->mm) != SUID_DUMPABLE_ENABLED)) { \ +- if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) { \ ++ if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) { \ /* \ * Zap scratch regs to avoid leaking bits between processes with different \ * uid/privileges. \ @@ -5644,10 +5483,10 @@ index 5de73db..a05f61c 100644 audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS, regs->result); diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 836a5a1..27289a3 100644 +index fa1e56b..e8ef867 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c -@@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, +@@ -865,7 +865,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -5657,10 +5496,10 @@ index 836a5a1..27289a3 100644 goto badframe; regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp; diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index a50b5ec..547078a 100644 +index 60d1f75..2c29348 100644 --- a/arch/powerpc/kernel/signal_64.c +++ b/arch/powerpc/kernel/signal_64.c -@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, +@@ -435,7 +435,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, current->thread.fpscr.val = 0; /* Set up to return from userspace. */ @@ -9753,13 +9592,13 @@ index 03dbc7f5b..e1aa479 100644 +archprepare: + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD))) diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 95365a8..88aadd2 100644 +index e80542b..c5099c3 100644 --- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile -@@ -63,6 +63,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \ +@@ -63,6 +63,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ \ + $(call cc-option, -fno-unit-at-a-time)) \ $(call cc-option, -fno-stack-protector) \ $(call cc-option, -mpreferred-stack-boundary=2) - KBUILD_CFLAGS += $(call cc-option, -m32) +ifdef CONSTIFY_PLUGIN +KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify +endif @@ -9811,11 +9650,11 @@ index c7093bd..d4247ffe0 100644 return diff; } diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index 77453c6..6235831 100644 +index cda5cef..c1f26aa 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile -@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small - KBUILD_CFLAGS += $(cflags-y) +@@ -15,6 +15,9 @@ KBUILD_CFLAGS += $(cflags-y) + KBUILD_CFLAGS += -mno-mmx -mno-sse KBUILD_CFLAGS += $(call cc-option,-ffreestanding) KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) +ifdef CONSTIFY_PLUGIN @@ -17367,7 +17206,7 @@ index 212a6a4..322f5d9 100644 .notifier_call = cpuid_class_cpu_callback, }; diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c -index 13ad899..f642b9a 100644 +index 69e231b..8b4e1c6 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -36,10 +36,8 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs) @@ -22157,7 +21996,7 @@ index 42eb330..139955c 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index a4e1b4b..0460044 100644 +index f411aca..bd2aa3b 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -35,7 +35,7 @@ void (*pm_power_off)(void); @@ -22251,7 +22090,7 @@ index a4e1b4b..0460044 100644 { int i; int attempt = 0; -@@ -688,13 +720,13 @@ void native_machine_shutdown(void) +@@ -691,13 +723,13 @@ void native_machine_shutdown(void) #endif } @@ -22267,7 +22106,7 @@ index a4e1b4b..0460044 100644 { printk("machine restart\n"); -@@ -703,7 +735,7 @@ static void native_machine_restart(char *__unused) +@@ -706,7 +738,7 @@ static void native_machine_restart(char *__unused) __machine_emergency_restart(0); } @@ -22276,7 +22115,7 @@ index a4e1b4b..0460044 100644 { /* stop other cpus and apics */ machine_shutdown(); -@@ -714,7 +746,7 @@ static void native_machine_halt(void) +@@ -717,7 +749,7 @@ static void native_machine_halt(void) stop_this_cpu(NULL); } @@ -22285,7 +22124,7 @@ index a4e1b4b..0460044 100644 { if (pm_power_off) { if (!reboot_force) -@@ -723,9 +755,10 @@ static void native_machine_power_off(void) +@@ -726,9 +758,10 @@ static void native_machine_power_off(void) } /* a fallback in case there is no PM info available */ tboot_shutdown(TB_SHUTDOWN_HALT); @@ -23880,7 +23719,7 @@ index f5302da..6ee193e 100644 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 54abb40..fbcaf81 100644 +index 43e7753..873f4440 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -53,7 +53,7 @@ @@ -23892,15 +23731,6 @@ index 54abb40..fbcaf81 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ -@@ -537,7 +537,7 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) - ASSERT(apic != NULL); - - /* if initial count is 0, current count should also be 0 */ -- if (apic_get_reg(apic, APIC_TMICT) == 0) -+ if (apic_get_reg(apic, APIC_TMICT) == 0 || apic->lapic_timer.period == 0) - return 0; - - remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index f1b36cf..af8a124 100644 --- a/arch/x86/kvm/mmu.c @@ -31852,7 +31682,7 @@ index 240a244..bc6239e 100644 static void delete_gpe_attr_array(void) { diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index 60def03..dcbb9ac 100644 +index de2802c..2260da9 100644 --- a/drivers/ata/libahci.c +++ b/drivers/ata/libahci.c @@ -1211,7 +1211,7 @@ int ahci_kick_engine(struct ata_port *ap) @@ -31865,10 +31695,10 @@ index 60def03..dcbb9ac 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index d54b7d6..33e80e0 100644 +index a0a3987..d029614 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c -@@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) +@@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) struct ata_port *ap; unsigned int tag; @@ -31877,7 +31707,7 @@ index d54b7d6..33e80e0 100644 ap = qc->ap; qc->flags = 0; -@@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) +@@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) struct ata_port *ap; struct ata_link *link; @@ -31886,7 +31716,7 @@ index d54b7d6..33e80e0 100644 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); ap = qc->ap; link = qc->dev->link; -@@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) return; spin_lock(&lock); @@ -31894,7 +31724,7 @@ index d54b7d6..33e80e0 100644 for (cur = ops->inherits; cur; cur = cur->inherits) { void **inherit = (void **)cur; -@@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) if (IS_ERR(*pp)) *pp = NULL; @@ -32289,7 +32119,7 @@ index b812103..e391a49 100644 // free the skb hrz_kfree_skb (skb); diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c -index 1c05212..c28e200 100644 +index b0e75ce..035bf7e 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc) @@ -33600,7 +33430,7 @@ index 13cbdd3..d374957 100644 static struct asender_cmd *get_asender_cmd(int cmd) { diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index a365562..933bbbd 100644 +index d659135..45fe633 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -227,7 +227,7 @@ static int __do_lo_send_write(struct file *file, @@ -37061,7 +36891,7 @@ index 93e74fb..4a1182d 100644 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index ee29c1f..07609a4 100644 +index 6d36695..4a3e870 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -2215,7 +2215,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) @@ -37073,7 +36903,7 @@ index ee29c1f..07609a4 100644 /* Big Hammer, we also need to ensure that any pending * MI_WAIT_FOR_EVENT inside a user batch buffer on the -@@ -6987,8 +6987,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, +@@ -6991,8 +6991,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, obj = work->old_fb_obj; @@ -37083,7 +36913,7 @@ index ee29c1f..07609a4 100644 wake_up(&dev_priv->pending_flip_queue); schedule_work(&work->work); -@@ -7197,7 +7196,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev, +@@ -7201,7 +7200,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev, OUT_RING(fb->pitch | obj->tiling_mode); OUT_RING(obj->gtt_offset); @@ -37098,7 +36928,7 @@ index ee29c1f..07609a4 100644 pipesrc = I915_READ(PIPESRC(intel_crtc->pipe)) & 0x0fff0fff; OUT_RING(pf | pipesrc); -@@ -7329,7 +7334,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, +@@ -7333,7 +7338,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, /* Block clients from rendering to the new back buffer until * the flip occurs and the object is no longer visible. */ @@ -37107,7 +36937,7 @@ index ee29c1f..07609a4 100644 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); if (ret) -@@ -7343,7 +7348,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, +@@ -7347,7 +7352,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, return 0; cleanup_pending: @@ -37116,7 +36946,7 @@ index ee29c1f..07609a4 100644 crtc->fb = old_fb; drm_gem_object_unreference(&work->old_fb_obj->base); drm_gem_object_unreference(&obj->base); -@@ -7478,11 +7483,15 @@ static void intel_crtc_init(struct drm_device *dev, int pipe) +@@ -7482,11 +7487,15 @@ static void intel_crtc_init(struct drm_device *dev, int pipe) if (HAS_PCH_SPLIT(dev)) { if (pipe == 2 && IS_IVYBRIDGE(dev)) intel_crtc->no_pll = true; @@ -37136,7 +36966,7 @@ index ee29c1f..07609a4 100644 } drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs); -@@ -8858,7 +8867,7 @@ struct intel_quirk { +@@ -8862,7 +8871,7 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -37328,10 +37158,10 @@ index 2f6daae..c9d7b9e 100644 } diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index 7ce3fde..cb3ea04 100644 +index bd0b1fc..c082986 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c -@@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, +@@ -315,7 +315,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, int trycnt = 0; int ret, i; @@ -38208,7 +38038,7 @@ index 9ac4389..5c05af3 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index 13af0f1..dc797c9 100644 +index a605ba1..fb91952 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -195,6 +195,9 @@ static void mt_feature_mapping(struct hid_device *hdev, @@ -40345,28 +40175,6 @@ index 1f355bb..43f1fea 100644 return -EFAULT; } else memcpy(msg, buf, count); -diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c -index 509135f..c8645eb 100644 ---- a/drivers/isdn/isdnloop/isdnloop.c -+++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1084,7 +1084,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) - return -ENOMEM; - } - for (i = 0; i < 3; i++) -- strcpy(card->s0num[i], sdef.num[i]); -+ strlcpy(card->s0num[i], sdef.num[i], sizeof(card->s0num[0])); - break; - case ISDN_PTYPE_1TR6: - if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95", -@@ -1097,7 +1097,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) - spin_unlock_irqrestore(&card->isdnloop_lock, flags); - return -ENOMEM; - } -- strcpy(card->s0num[0], sdef.num[0]); -+ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0])); - card->s0num[1][0] = '\0'; - card->s0num[2][0] = '\0'; - break; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index 4d395de..c504763 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -40728,10 +40536,10 @@ index cbd41d2..1717044 100644 schedule_work(&sc->trigger_event); } diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c -index 52848ab..b8a17d4 100644 +index 5c52582..91793db 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c -@@ -323,7 +323,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev) +@@ -328,7 +328,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev) static int open_dev(struct dm_dev_internal *d, dev_t dev, struct mapped_device *md) { @@ -40740,7 +40548,7 @@ index 52848ab..b8a17d4 100644 struct block_device *bdev; int r; -@@ -391,7 +391,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev, +@@ -396,7 +396,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev, if (!dev_size) return 0; @@ -42364,10 +42172,10 @@ index 1bf36ac..55c534e 100644 #ifdef CONFIG_NET_POLL_CONTROLLER /* diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c -index 8ed48c2..ae2cb9a 100644 +index cf95bd8d..f61f675 100644 --- a/drivers/net/bonding/bond_sysfs.c +++ b/drivers/net/bonding/bond_sysfs.c -@@ -1056,7 +1056,7 @@ static ssize_t bonding_store_primary(struct device *d, +@@ -1063,7 +1063,7 @@ static ssize_t bonding_store_primary(struct device *d, goto out; } @@ -42376,7 +42184,7 @@ index 8ed48c2..ae2cb9a 100644 /* check to see if we are clearing primary */ if (!strlen(ifname) || buf[0] == '\n') { -@@ -1229,7 +1229,7 @@ static ssize_t bonding_store_active_slave(struct device *d, +@@ -1236,7 +1236,7 @@ static ssize_t bonding_store_active_slave(struct device *d, goto out; } @@ -43966,30 +43774,6 @@ index 75da4bc..7737dff 100644 int csr; memset(buf, 0, sizeof(buf)); -diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c -index d8d8f0d..35d86fa 100644 ---- a/drivers/net/wireless/libertas/debugfs.c -+++ b/drivers/net/wireless/libertas/debugfs.c -@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - char *p2; - struct debug_data *d = f->private_data; - -- pdata = kmalloc(cnt, GFP_KERNEL); -+ if (cnt == 0) -+ return 0; -+ -+ pdata = kmalloc(cnt + 1, GFP_KERNEL); - if (pdata == NULL) - return 0; - -@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - kfree(pdata); - return 0; - } -+ pdata[cnt] = '\0'; - - p0 = pdata; - for (i = 0; i < num_of_items; i++) { diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 523ad55..f8c5dc5 100644 --- a/drivers/net/wireless/mac80211_hwsim.c @@ -45084,44 +44868,6 @@ index 2836538..30edf9d 100644 ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr); if (ret) { -diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c -index fff57de..55f6488 100644 ---- a/drivers/s390/net/qeth_core_main.c -+++ b/drivers/s390/net/qeth_core_main.c -@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) - struct qeth_cmd_buffer *iob; - struct qeth_ipa_cmd *cmd; - struct qeth_snmp_ureq *ureq; -- int req_len; -+ unsigned int req_len; - struct qeth_arp_query_info qinfo = {0, }; - int rc = 0; - -@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) - /* skip 4 bytes (data_len struct member) to get req_len */ - if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int))) - return -EFAULT; -+ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE - -+ sizeof(struct qeth_ipacmd_hdr) - -+ sizeof(struct qeth_ipacmd_setadpparms_hdr))) -+ return -EINVAL; - ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr)); - if (IS_ERR(ureq)) { - QETH_CARD_TEXT(card, 2, "snmpnome"); -diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c -index 8a0b330..1254431 100644 ---- a/drivers/scsi/aacraid/commctrl.c -+++ b/drivers/scsi/aacraid/commctrl.c -@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) - goto cleanup; - } - -- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { -+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || -+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { - rcode = -EINVAL; - goto cleanup; - } diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c index 2e658d2..46f4afb 100644 --- a/drivers/scsi/aacraid/linit.c @@ -45282,7 +45028,7 @@ index ee77a58..af9d518 100644 /* These three are default values which can be overridden */ diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c -index 0f48550..e3fb2d8 100644 +index 5b7e1bf..6e5521a 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -523,7 +523,7 @@ static inline u32 next_command(struct ctlr_info *h) @@ -45547,7 +45293,7 @@ index 9de9db2..1e09660 100644 fc_frame_free(fp); } diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c -index 4868fc9..7f2e028 100644 +index 5e170e3..1e87efc 100644 --- a/drivers/scsi/libsas/sas_ata.c +++ b/drivers/scsi/libsas/sas_ata.c @@ -368,7 +368,7 @@ static struct ata_port_operations sas_sata_ops = { @@ -47725,7 +47471,7 @@ index 032e5a6..bc422e4 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index a5ea85f..6530989 100644 +index 7013165..608be1a 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -25,6 +25,7 @@ @@ -47736,7 +47482,7 @@ index a5ea85f..6530989 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -3405,6 +3406,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, +@@ -3410,6 +3411,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, return; } @@ -47983,10 +47729,10 @@ index d6bea3e..60b250e 100644 /** diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c -index 57c01ab..8a05959 100644 +index 5f6df6e..0a16602 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c -@@ -296,7 +296,7 @@ out: +@@ -297,7 +297,7 @@ out: */ static void wa_xfer_id_init(struct wa_xfer *xfer) { @@ -53541,27 +53287,6 @@ index 7b68088..17a275b 100644 #endif GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c -index c858a29..969f74f 100644 ---- a/fs/cifs/cifssmb.c -+++ b/fs/cifs/cifssmb.c -@@ -3437,11 +3437,13 @@ static __u16 ACL_to_cifs_posix(char *parm_data, const char *pACL, - return 0; - } - cifs_acl->version = cpu_to_le16(1); -- if (acl_type == ACL_TYPE_ACCESS) -+ if (acl_type == ACL_TYPE_ACCESS) { - cifs_acl->access_entry_count = cpu_to_le16(count); -- else if (acl_type == ACL_TYPE_DEFAULT) -+ cifs_acl->default_entry_count = __constant_cpu_to_le16(0xFFFF); -+ } else if (acl_type == ACL_TYPE_DEFAULT) { - cifs_acl->default_entry_count = cpu_to_le16(count); -- else { -+ cifs_acl->access_entry_count = __constant_cpu_to_le16(0xFFFF); -+ } else { - cFYI(1, "unknown ACL type %d", acl_type); - return 0; - } diff --git a/fs/cifs/file.c b/fs/cifs/file.c index c55808e..c1814ab 100644 --- a/fs/cifs/file.c @@ -53885,10 +53610,10 @@ index f854cf9..d513829 100644 return 1; if (a < b) diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c -index 9a37a9b..80968f3 100644 +index 5ef72c8..0c72810 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c -@@ -1047,10 +1047,11 @@ static int configfs_dump(struct configfs_dirent *sd, int level) +@@ -1059,10 +1059,11 @@ static int configfs_dump(struct configfs_dirent *sd, int level) static int configfs_depend_prep(struct dentry *origin, struct config_item *target) { @@ -53902,7 +53627,7 @@ index 9a37a9b..80968f3 100644 if (sd->s_element == target) /* Boo-yah */ goto out; -@@ -1575,7 +1576,8 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir +@@ -1587,7 +1588,8 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir } for (p=q->next; p!= &parent_sd->s_children; p=p->next) { struct configfs_dirent *next; @@ -53912,7 +53637,7 @@ index 9a37a9b..80968f3 100644 int len; struct inode *inode = NULL; -@@ -1585,7 +1587,12 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir +@@ -1597,7 +1599,12 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir continue; name = configfs_get_name(next); @@ -54132,7 +53857,7 @@ index 451b9b8..12e5a03 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index a2d0e51..64ad6ea 100644 +index 78199eb..e6c84a8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,35 @@ @@ -55067,8 +54792,8 @@ index a2d0e51..64ad6ea 100644 + return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret; } - int get_dumpable(struct mm_struct *mm) -@@ -2044,17 +2513,17 @@ static void wait_for_dump_helpers(struct file *file) + /* +@@ -2050,17 +2519,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -55091,7 +54816,7 @@ index a2d0e51..64ad6ea 100644 pipe_unlock(pipe); } -@@ -2115,7 +2584,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2121,7 +2590,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; @@ -55101,7 +54826,7 @@ index a2d0e51..64ad6ea 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2130,6 +2600,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2136,6 +2606,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -55111,7 +54836,7 @@ index a2d0e51..64ad6ea 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2140,14 +2613,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2146,14 +2619,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) if (!cred) goto fail; /* @@ -55132,7 +54857,7 @@ index a2d0e51..64ad6ea 100644 } retval = coredump_wait(exit_code, &core_state); -@@ -2197,7 +2672,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2203,7 +2678,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -55141,7 +54866,7 @@ index a2d0e51..64ad6ea 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2224,9 +2699,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2230,9 +2705,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -55161,7 +54886,7 @@ index a2d0e51..64ad6ea 100644 cprm.file = filp_open(cn.corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); -@@ -2267,7 +2752,7 @@ close_fail: +@@ -2273,7 +2758,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -55170,7 +54895,7 @@ index a2d0e51..64ad6ea 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2286,7 +2771,7 @@ fail: +@@ -2292,7 +2777,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -55547,7 +55272,7 @@ index 84f84bf..a8770cd 100644 static int __init ext4_init_feat_adverts(void) { diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index b4e9f3f..14a9eca 100644 +index 05617bd..aac23ad 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -328,7 +328,7 @@ static int @@ -58477,7 +58202,7 @@ index b78b5b6..c64d84f 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 5639efd..4531174 100644 +index 3d02931..e2b575a 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) @@ -58531,7 +58256,7 @@ index e065497..258fa11 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 99625b8..7e04dea 100644 +index ade5316..f1a6152 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1445,7 +1445,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -58598,10 +58323,10 @@ index c45a2ea..1a6bd66 100644 #ifdef CONFIG_PROC_FS static int create_proc_exports_entry(void) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 61b697e..eb6503c 100644 +index 6a66fc0..cfdadae 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c -@@ -923,7 +923,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -948,7 +948,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, } else { oldfs = get_fs(); set_fs(KERNEL_DS); @@ -58610,7 +58335,7 @@ index 61b697e..eb6503c 100644 set_fs(oldfs); } -@@ -1027,7 +1027,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -1052,7 +1052,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, /* Write the data. */ oldfs = get_fs(); set_fs(KERNEL_DS); @@ -58619,7 +58344,7 @@ index 61b697e..eb6503c 100644 set_fs(oldfs); if (host_err < 0) goto out_nfserr; -@@ -1568,7 +1568,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) +@@ -1593,7 +1593,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) */ oldfs = get_fs(); set_fs(KERNEL_DS); @@ -61824,7 +61549,7 @@ index 79d05e8..e3e5861 100644 *offset = off & 0x7fffffff; return 0; diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index d99a905..a7569b5 100644 +index eb519de..a7569b5 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -128,7 +128,7 @@ xfs_find_handle( @@ -61836,30 +61561,6 @@ index d99a905..a7569b5 100644 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32))) goto out_put; -@@ -404,7 +404,8 @@ xfs_attrlist_by_handle( - return -XFS_ERROR(EPERM); - if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* -diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c -index 54e623b..0d685b3 100644 ---- a/fs/xfs/xfs_ioctl32.c -+++ b/fs/xfs/xfs_ioctl32.c -@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle( - if (copy_from_user(&al_hreq, arg, - sizeof(compat_xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c index bd2fb43..86fd3e8d 100644 --- a/fs/xfs/xfs_iops.c @@ -73726,7 +73427,7 @@ index 2f81c6f..225b4e4 100644 #define audit_get_loginuid(t) (-1) #define audit_get_sessionid(t) (-1) diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index acd8d4b..c87c74b 100644 +index d337419..c87c74b 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -18,7 +18,7 @@ struct pt_regs; @@ -73758,16 +73459,6 @@ index acd8d4b..c87c74b 100644 extern int __register_binfmt(struct linux_binfmt *fmt, int insert); -@@ -112,9 +115,6 @@ extern void setup_new_exec(struct linux_binprm * bprm); - extern void would_dump(struct linux_binprm *, struct file *); - - extern int suid_dumpable; --#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ --#define SUID_DUMP_USER 1 /* Dump as user of process */ --#define SUID_DUMP_ROOT 2 /* Dump as root */ - - /* Stack area protections */ - #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ diff --git a/include/linux/bitops.h b/include/linux/bitops.h index fc8a3ff..ad5938b 100644 --- a/include/linux/bitops.h @@ -77283,10 +76974,10 @@ index ffc0213..2c1f2cb 100644 return nd->saved_names[nd->depth]; } diff --git a/include/linux/net.h b/include/linux/net.h -index b7ca08e..c8350cb 100644 +index bd4f6c7..e9b8bb8 100644 --- a/include/linux/net.h +++ b/include/linux/net.h -@@ -216,7 +216,7 @@ struct net_proto_family { +@@ -224,7 +224,7 @@ struct net_proto_family { int (*create)(struct net *net, struct socket *sock, int protocol, int kern); struct module *owner; @@ -77745,7 +77436,7 @@ index 800f113..13b3715 100644 } diff --git a/include/linux/random.h b/include/linux/random.h -index 7e77cee..d51eec7 100644 +index f5e1311..d51eec7 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -41,19 +41,27 @@ struct rand_pool_info { @@ -77824,9 +77515,9 @@ index 7e77cee..d51eec7 100644 { u32 i = (seed >> 32) ^ (seed << 10) ^ seed; -- state->s1 = __seed(i, 1); -- state->s2 = __seed(i, 7); -- state->s3 = __seed(i, 15); +- state->s1 = __seed(i, 2); +- state->s2 = __seed(i, 8); +- state->s3 = __seed(i, 16); + state->s1 = __seed(i, 2U); + state->s2 = __seed(i, 8U); + state->s3 = __seed(i, 16U); @@ -78015,7 +77706,7 @@ index 2148b12..519b820 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, diff --git a/include/linux/sched.h b/include/linux/sched.h -index 8204898..d17b99e 100644 +index 312d047..dbf4637 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -78068,10 +77759,10 @@ index 8204898..d17b99e 100644 +#define SUID_DUMPABLE_ENABLED 1 +#define SUID_DUMPABLE_SAFE 2 + - /* mm flags */ - /* dumpable bits */ - #define MMF_DUMPABLE 0 /* core dump is permitted */ -@@ -630,6 +649,17 @@ struct signal_struct { + #define SUID_DUMP_DISABLE 0 /* No setuid dumping */ + #define SUID_DUMP_USER 1 /* Dump as user of process */ + #define SUID_DUMP_ROOT 2 /* Dump as root */ +@@ -634,6 +653,17 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif @@ -78089,7 +77780,7 @@ index 8204898..d17b99e 100644 #ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; -@@ -711,6 +741,14 @@ struct user_struct { +@@ -715,6 +745,14 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif @@ -78104,7 +77795,7 @@ index 8204898..d17b99e 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; uid_t uid; -@@ -1125,7 +1163,7 @@ struct sched_class { +@@ -1129,7 +1167,7 @@ struct sched_class { #ifdef CONFIG_FAIR_GROUP_SCHED void (*task_move_group) (struct task_struct *p, int on_rq); #endif @@ -78113,7 +77804,7 @@ index 8204898..d17b99e 100644 struct load_weight { unsigned long weight, inv_weight; -@@ -1301,6 +1339,8 @@ struct task_struct { +@@ -1305,6 +1343,8 @@ struct task_struct { * execve */ unsigned in_iowait:1; @@ -78122,7 +77813,7 @@ index 8204898..d17b99e 100644 /* Revert to default priority/policy when forking */ unsigned sched_reset_on_fork:1; -@@ -1341,8 +1381,8 @@ struct task_struct { +@@ -1345,8 +1385,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ @@ -78133,7 +77824,7 @@ index 8204898..d17b99e 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1358,13 +1398,6 @@ struct task_struct { +@@ -1362,13 +1402,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -78147,7 +77838,7 @@ index 8204898..d17b99e 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1381,8 +1414,16 @@ struct task_struct { +@@ -1385,8 +1418,16 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -78164,7 +77855,7 @@ index 8204898..d17b99e 100644 /* open file information */ struct files_struct *files; /* namespaces */ -@@ -1405,7 +1446,7 @@ struct task_struct { +@@ -1409,7 +1450,7 @@ struct task_struct { uid_t loginuid; unsigned int sessionid; #endif @@ -78173,7 +77864,7 @@ index 8204898..d17b99e 100644 /* Thread group tracking */ u32 parent_exec_id; -@@ -1429,6 +1470,11 @@ struct task_struct { +@@ -1433,6 +1474,11 @@ struct task_struct { struct rt_mutex_waiter *pi_blocked_on; #endif @@ -78185,7 +77876,7 @@ index 8204898..d17b99e 100644 #ifdef CONFIG_DEBUG_MUTEXES /* mutex deadlock detection */ struct mutex_waiter *blocked_on; -@@ -1544,6 +1590,30 @@ struct task_struct { +@@ -1548,6 +1594,30 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; @@ -78216,7 +77907,7 @@ index 8204898..d17b99e 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack */ int curr_ret_stack; -@@ -1578,6 +1648,52 @@ struct task_struct { +@@ -1582,6 +1652,52 @@ struct task_struct { #endif }; @@ -78269,7 +77960,7 @@ index 8204898..d17b99e 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2093,7 +2209,9 @@ void yield(void); +@@ -2097,7 +2213,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -78279,7 +77970,7 @@ index 8204898..d17b99e 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2126,6 +2244,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2130,6 +2248,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -78287,7 +77978,7 @@ index 8204898..d17b99e 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2247,6 +2366,12 @@ static inline void mmdrop(struct mm_struct * mm) +@@ -2251,6 +2370,12 @@ static inline void mmdrop(struct mm_struct * mm) extern void mmput(struct mm_struct *); /* Grab a reference to a task's mm, if it is not already going away */ extern struct mm_struct *get_task_mm(struct task_struct *task); @@ -78300,7 +77991,7 @@ index 8204898..d17b99e 100644 /* Remove the current tasks stale references to the old mm_struct */ extern void mm_release(struct task_struct *, struct mm_struct *); /* Allocate a new mm structure and copy contents from tsk->mm */ -@@ -2263,9 +2388,8 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2267,9 +2392,8 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -78311,7 +78002,7 @@ index 8204898..d17b99e 100644 extern int allow_signal(int); extern int disallow_signal(int); -@@ -2428,9 +2552,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2432,9 +2556,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -79789,7 +79480,7 @@ index 34b06da..03b1d34 100644 #endif /* _NET_INETPEER_H */ diff --git a/include/net/ip.h b/include/net/ip.h -index 06aed72..54fbf5b 100644 +index b935e6c..511250f 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -214,7 +214,7 @@ extern struct local_ports { @@ -81590,7 +81281,7 @@ index fa7eb3d..7faf116 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index d4bc594..b26065d 100644 +index e14bc74..bdf7f6c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -115,7 +115,7 @@ u32 audit_sig_sid = 0; @@ -81620,13 +81311,7 @@ index d4bc594..b26065d 100644 audit_rate_limit, audit_backlog_limit); audit_panic(message); -@@ -684,18 +684,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - - switch (msg_type) { - case AUDIT_GET: -+ status_set.mask = 0; - status_set.enabled = audit_enabled; - status_set.failure = audit_failure; +@@ -690,7 +690,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) status_set.pid = audit_pid; status_set.rate_limit = audit_rate_limit; status_set.backlog_limit = audit_backlog_limit; @@ -81635,23 +81320,7 @@ index d4bc594..b26065d 100644 status_set.backlog = skb_queue_len(&audit_skb_queue); audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, &status_set, sizeof(status_set)); - break; - case AUDIT_SET: -- if (nlh->nlmsg_len < sizeof(struct audit_status)) -+ if (nlmsg_len(nlh) < sizeof(struct audit_status)) - return -EINVAL; - status_get = (struct audit_status *)data; - if (status_get->mask & AUDIT_STATUS_ENABLED) { -@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - struct task_struct *tsk; - unsigned long flags; - -- if (nlh->nlmsg_len < sizeof(struct audit_tty_status)) -+ if (nlmsg_len(nlh) < sizeof(struct audit_tty_status)) - return -EINVAL; - s = data; - if (s->enabled != 0 && s->enabled != 1) -@@ -1260,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, +@@ -1261,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); if (!avail) @@ -81667,7 +81336,7 @@ index d4bc594..b26065d 100644 out: return; } -@@ -1306,7 +1308,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, +@@ -1307,7 +1308,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, int i, avail, new_len; unsigned char *ptr; struct sk_buff *skb; @@ -82962,7 +82631,7 @@ index ce0c182..c6ec99a 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 1d0538e..9a6f6fb 100644 +index 8888815..9a6f6fb 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -82985,15 +82654,6 @@ index 1d0538e..9a6f6fb 100644 /* * The futex address must be "naturally" aligned. */ -@@ -285,7 +291,7 @@ again: - put_page(page); - /* serialize against __split_huge_page_splitting() */ - local_irq_disable(); -- if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) { -+ if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) { - page_head = compound_head(page); - /* - * page_head is valid pointer but we must pin @@ -438,7 +444,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr, static int get_futex_value_locked(u32 *dest, u32 __user *from) @@ -84999,7 +84659,7 @@ index 76b8e77..a2930e8 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 67fedad..8a94754 100644 +index f79803a..0dcc1be 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state) @@ -85022,18 +84682,17 @@ index 67fedad..8a94754 100644 goto ok; rcu_read_unlock(); return -EPERM; -@@ -246,7 +248,9 @@ ok: - smp_rmb(); +@@ -247,7 +249,8 @@ ok: if (task->mm) dumpable = get_dumpable(task->mm); -- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE)) -+ if (dumpable != SUID_DUMPABLE_ENABLED && + if (dumpable != SUID_DUMP_USER && +- !task_ns_capable(task, CAP_SYS_PTRACE)) + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) || + (log && !task_ns_capable(task, CAP_SYS_PTRACE)))) return -EPERM; return security_ptrace_access_check(task, mode); -@@ -256,7 +260,21 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) +@@ -257,7 +260,21 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) { int err; task_lock(task); @@ -85056,7 +84715,7 @@ index 67fedad..8a94754 100644 task_unlock(task); return !err; } -@@ -301,7 +319,7 @@ static int ptrace_attach(struct task_struct *task, long request, +@@ -302,7 +319,7 @@ static int ptrace_attach(struct task_struct *task, long request, goto out; task_lock(task); @@ -85065,7 +84724,7 @@ index 67fedad..8a94754 100644 task_unlock(task); if (retval) goto unlock_creds; -@@ -316,7 +334,7 @@ static int ptrace_attach(struct task_struct *task, long request, +@@ -317,7 +334,7 @@ static int ptrace_attach(struct task_struct *task, long request, task->ptrace = PT_PTRACED; if (seize) task->ptrace |= PT_SEIZED; @@ -85074,7 +84733,7 @@ index 67fedad..8a94754 100644 task->ptrace |= PT_PTRACE_CAP; __ptrace_link(task, current); -@@ -522,7 +540,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst +@@ -523,7 +540,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst break; return -EIO; } @@ -85083,7 +84742,7 @@ index 67fedad..8a94754 100644 return -EFAULT; copied += retval; src += retval; -@@ -582,6 +600,9 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data) +@@ -583,6 +600,9 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data) if (data & PTRACE_O_TRACEEXIT) child->ptrace |= PT_TRACE_EXIT; @@ -85093,7 +84752,7 @@ index 67fedad..8a94754 100644 return (data & ~PTRACE_O_MASK) ? -EINVAL : 0; } -@@ -719,7 +740,7 @@ int ptrace_request(struct task_struct *child, long request, +@@ -720,7 +740,7 @@ int ptrace_request(struct task_struct *child, long request, bool seized = child->ptrace & PT_SEIZED; int ret = -EIO; siginfo_t siginfo, *si; @@ -85102,7 +84761,7 @@ index 67fedad..8a94754 100644 unsigned long __user *datalp = datavp; unsigned long flags; -@@ -921,14 +942,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, +@@ -922,14 +942,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, goto out; } @@ -85125,7 +84784,7 @@ index 67fedad..8a94754 100644 goto out_put_task_struct; } -@@ -956,7 +984,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, +@@ -957,7 +984,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -85134,7 +84793,7 @@ index 67fedad..8a94754 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, -@@ -1050,7 +1078,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -1051,7 +1078,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, @@ -85143,7 +84802,7 @@ index 67fedad..8a94754 100644 { struct task_struct *child; long ret; -@@ -1066,14 +1094,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +@@ -1067,14 +1094,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } @@ -85882,10 +85541,10 @@ index f280df1..da1281d 100644 #ifdef CONFIG_RT_GROUP_SCHED /* diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c -index c261da7..4e5221ad 100644 +index 5b9e456..03c74cd 100644 --- a/kernel/sched_fair.c +++ b/kernel/sched_fair.c -@@ -4801,7 +4801,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { } +@@ -4803,7 +4803,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { } * run_rebalance_domains is triggered when needed from the scheduler tick. * Also triggered for nohz idle balancing (with nohz_balancing_kick set). */ @@ -87361,7 +87020,7 @@ index 73e416d..cfc6f69 100644 sys_tz = *tz; update_vsyscall_tz(); diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index 8a46f5d..bbe6f9c 100644 +index 0907e43..56a6a92 100644 --- a/kernel/time/alarmtimer.c +++ b/kernel/time/alarmtimer.c @@ -773,7 +773,7 @@ static int __init alarmtimer_init(void) @@ -87588,10 +87247,10 @@ index 16fc34a..efd8bb8 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 226776b..175300f 100644 +index d40d7f6..b4e9662 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c -@@ -1599,12 +1599,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) +@@ -1598,12 +1598,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) if (unlikely(ftrace_disabled)) return 0; @@ -87611,7 +87270,7 @@ index 226776b..175300f 100644 } /* -@@ -2607,7 +2612,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp) +@@ -2665,7 +2670,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp) int register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops, @@ -87620,7 +87279,7 @@ index 226776b..175300f 100644 { struct ftrace_func_probe *entry; struct ftrace_page *pg; -@@ -3982,8 +3987,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, +@@ -4034,8 +4039,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, #ifdef CONFIG_FUNCTION_GRAPH_TRACER static int ftrace_graph_active; @@ -87629,7 +87288,7 @@ index 226776b..175300f 100644 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; -@@ -4127,6 +4130,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, +@@ -4179,6 +4182,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, return NOTIFY_DONE; } @@ -87637,10 +87296,10 @@ index 226776b..175300f 100644 + .notifier_call = ftrace_suspend_notifier_call +}; + - int register_ftrace_graph(trace_func_graph_ret_t retfunc, - trace_func_graph_ent_t entryfunc) - { -@@ -4140,7 +4147,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, + /* Just a place holder for function graph */ + static struct ftrace_ops fgraph_ops __read_mostly = { + .func = ftrace_stub, +@@ -4198,7 +4205,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, goto out; } @@ -88781,7 +88440,7 @@ index d9df745..e73c2fe 100644 static inline void *ptr_to_indirect(void *ptr) { diff --git a/lib/random32.c b/lib/random32.c -index fc3545a..1e5b2df 100644 +index 1f44bdc..1e5b2df 100644 --- a/lib/random32.c +++ b/lib/random32.c @@ -2,19 +2,19 @@ @@ -88983,7 +88642,7 @@ index fc3545a..1e5b2df 100644 */ for_each_possible_cpu (i) { struct rnd_state *state = &per_cpu(net_rand_state, i); -- state->s1 = __seed(state->s1 ^ entropy, 1); +- state->s1 = __seed(state->s1 ^ entropy, 2); + + state->s1 = __seed(state->s1 ^ entropy, 2U); + prandom_warmup(state); @@ -89010,9 +88669,9 @@ index fc3545a..1e5b2df 100644 struct rnd_state *state = &per_cpu(net_rand_state,i); -#define LCG(x) ((x) * 69069) /* super-duper LCG */ -- state->s1 = __seed(LCG(i + jiffies), 1); -- state->s2 = __seed(LCG(state->s1), 7); -- state->s3 = __seed(LCG(state->s2), 15); +- state->s1 = __seed(LCG(i + jiffies), 2); +- state->s2 = __seed(LCG(state->s1), 8); +- state->s3 = __seed(LCG(state->s2), 16); - - /* "warm it up" */ - prandom32(state); @@ -89078,9 +88737,9 @@ index fc3545a..1e5b2df 100644 + u32 seeds[4]; get_random_bytes(&seeds, sizeof(seeds)); -- state->s1 = __seed(seeds[0], 1); -- state->s2 = __seed(seeds[1], 7); -- state->s3 = __seed(seeds[2], 15); +- state->s1 = __seed(seeds[0], 2); +- state->s2 = __seed(seeds[1], 8); +- state->s3 = __seed(seeds[2], 16); + state->s1 = __seed(seeds[0], 2U); + state->s2 = __seed(seeds[1], 8U); + state->s3 = __seed(seeds[2], 16U); @@ -89270,7 +88929,7 @@ index fc3545a..1e5b2df 100644 +} +#endif diff --git a/lib/vsprintf.c b/lib/vsprintf.c -index d74c317..1170419 100644 +index ae02e42..4ffc938 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -16,6 +16,9 @@ @@ -89283,7 +88942,7 @@ index d74c317..1170419 100644 #include <stdarg.h> #include <linux/module.h> #include <linux/types.h> -@@ -413,7 +416,7 @@ char *symbol_string(char *buf, char *end, void *ptr, +@@ -414,7 +417,7 @@ char *symbol_string(char *buf, char *end, void *ptr, char sym[KSYM_SYMBOL_LEN]; if (ext == 'B') sprint_backtrace(sym, value); @@ -89292,7 +88951,7 @@ index d74c317..1170419 100644 sprint_symbol(sym, value); else kallsyms_lookup(value, NULL, NULL, NULL, sym); -@@ -777,7 +780,11 @@ char *uuid_string(char *buf, char *end, const u8 *addr, +@@ -778,7 +781,11 @@ char *uuid_string(char *buf, char *end, const u8 *addr, return string(buf, end, uuid, spec); } @@ -89304,7 +88963,7 @@ index d74c317..1170419 100644 /* * Show a '%p' thing. A kernel extension is that the '%p' is followed -@@ -791,6 +798,8 @@ int kptr_restrict __read_mostly; +@@ -792,6 +799,8 @@ int kptr_restrict __read_mostly; * - 'S' For symbolic direct pointers with offset * - 's' For symbolic direct pointers without offset * - 'B' For backtraced symbolic direct pointers with offset @@ -89313,7 +88972,7 @@ index d74c317..1170419 100644 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref] * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201] * - 'M' For a 6-byte MAC address, it prints the address in the -@@ -835,12 +844,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, +@@ -836,12 +845,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, { if (!ptr && *fmt != 'K') { /* @@ -89328,7 +88987,7 @@ index d74c317..1170419 100644 } switch (*fmt) { -@@ -850,6 +859,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, +@@ -851,6 +860,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, /* Fallthrough */ case 'S': case 's': @@ -89342,7 +89001,7 @@ index d74c317..1170419 100644 case 'B': return symbol_string(buf, end, ptr, spec, *fmt); case 'R': -@@ -878,9 +894,17 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, +@@ -879,9 +895,17 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, case 'U': return uuid_string(buf, end, ptr, spec, fmt); case 'V': @@ -89363,8 +89022,8 @@ index d74c317..1170419 100644 case 'K': /* * %pK cannot be used in IRQ context because its test -@@ -898,6 +922,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, - ptr = NULL; +@@ -924,6 +948,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, + } break; } + @@ -89385,7 +89044,7 @@ index d74c317..1170419 100644 spec.flags |= SMALL; if (spec.field_width == -1) { spec.field_width = 2 * sizeof(void *); -@@ -1609,11 +1648,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) +@@ -1635,11 +1674,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) typeof(type) value; \ if (sizeof(type) == 8) { \ args = PTR_ALIGN(args, sizeof(u32)); \ @@ -89400,7 +89059,7 @@ index d74c317..1170419 100644 } \ args += sizeof(type); \ value; \ -@@ -1676,7 +1715,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) +@@ -1702,7 +1741,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) case FORMAT_TYPE_STR: { const char *str_arg = args; args += strlen(str_arg) + 1; @@ -94865,10 +94524,10 @@ index aa12649..a22d595 100644 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); } diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index 8361ee4..a4f0f18 100644 +index bb78c75..a48650e 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c -@@ -607,7 +607,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char +@@ -605,7 +605,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char uf.event_mask[1] = *((u32 *) f->event_mask + 1); } @@ -94963,10 +94622,10 @@ index 158887a..1b70c49 100644 err = -EFAULT; break; diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 82ce164..00bd057 100644 +index 14c4864..77ff888 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c -@@ -685,7 +685,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c +@@ -684,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c struct sock *sk = sock->sk; struct bt_security sec; int err = 0; @@ -94975,7 +94634,7 @@ index 82ce164..00bd057 100644 u32 opt; BT_DBG("sk %p", sk); -@@ -707,7 +707,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c +@@ -706,7 +706,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c sec.level = BT_SECURITY_LOW; @@ -95069,7 +94728,7 @@ index 5864cc4..6ddb362 100644 break; } diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 53a8e37..45c033e 100644 +index 7fac75f..5d8351b 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -48,19 +48,20 @@ static struct dentry *debugfsdir; @@ -95174,7 +94833,7 @@ index 53a8e37..45c033e 100644 set_rx_flow_on(cf_sk); caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ); } -@@ -856,7 +857,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, +@@ -852,7 +853,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, /*ifindex = id of the interface.*/ cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if; @@ -95183,7 +94842,7 @@ index 53a8e37..45c033e 100644 cf_sk->layer.receive = caif_sktrecv_cb; err = caif_connect_client(sock_net(sk), &cf_sk->conn_req, -@@ -945,7 +946,7 @@ static int caif_release(struct socket *sock) +@@ -941,7 +942,7 @@ static int caif_release(struct socket *sock) spin_unlock_bh(&sk->sk_receive_queue.lock); sock->sk = NULL; @@ -95192,7 +94851,7 @@ index 53a8e37..45c033e 100644 WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir)); if (cf_sk->debugfs_socket_dir != NULL) -@@ -1124,7 +1125,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, +@@ -1120,7 +1121,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, cf_sk->conn_req.protocol = protocol; /* Increase the number of sockets created. */ dbfs_atomic_inc(&cnt.caif_nr_socks); @@ -95363,18 +95022,16 @@ index f78f898..d7aa843 100644 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { diff --git a/net/compat.c b/net/compat.c -index 3139ef2..2717671 100644 +index 41724c9..630f046 100644 --- a/net/compat.c +++ b/net/compat.c -@@ -72,10 +72,10 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - __get_user(kmsg->msg_flags, &umsg->msg_flags)) +@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) return -EFAULT; if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; + kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1); + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2); + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3); @@ -95390,7 +95047,7 @@ index 3139ef2..2717671 100644 kern_msg->msg_namelen, kern_address); if (err < 0) -@@ -98,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, kern_msg->msg_name = NULL; tot_len = iov_from_user_compat_to_kern(kern_iov, @@ -95399,7 +95056,7 @@ index 3139ef2..2717671 100644 kern_msg->msg_iovlen); if (tot_len >= 0) kern_msg->msg_iov = kern_iov; -@@ -118,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -95423,7 +95080,7 @@ index 3139ef2..2717671 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -223,7 +223,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -224,7 +224,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat { struct compat_timeval ctv; struct compat_timespec cts[3]; @@ -95432,7 +95089,7 @@ index 3139ef2..2717671 100644 struct compat_cmsghdr cmhdr; int cmlen; -@@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -276,7 +276,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -95441,7 +95098,7 @@ index 3139ef2..2717671 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -328,14 +328,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) +@@ -329,14 +329,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) __scm_destroy(scm); } @@ -95456,7 +95113,7 @@ index 3139ef2..2717671 100644 static int do_set_attach_filter(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen) { -@@ -372,7 +364,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -373,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -95465,7 +95122,7 @@ index 3139ef2..2717671 100644 set_fs(old_fs); return err; -@@ -433,7 +425,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -434,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -95474,7 +95131,7 @@ index 3139ef2..2717671 100644 set_fs(old_fs); if (!err) { -@@ -568,7 +560,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -569,7 +561,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -95483,7 +95140,7 @@ index 3139ef2..2717671 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -589,7 +581,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -590,7 +582,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { @@ -95492,7 +95149,7 @@ index 3139ef2..2717671 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -610,7 +602,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -611,7 +603,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -95501,7 +95158,7 @@ index 3139ef2..2717671 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -648,7 +640,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -649,7 +641,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -95510,7 +95167,7 @@ index 3139ef2..2717671 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -801,7 +793,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -802,7 +794,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -95533,7 +95190,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 8e455b8..4ebd90f 100644 +index 7bcf37d..15d6bb8 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name) @@ -95578,7 +95235,7 @@ index 8e455b8..4ebd90f 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -2967,7 +2971,7 @@ enqueue: +@@ -2969,7 +2973,7 @@ enqueue: local_irq_restore(flags); @@ -95587,7 +95244,7 @@ index 8e455b8..4ebd90f 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3041,7 +3045,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3043,7 +3047,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -95596,7 +95253,7 @@ index 8e455b8..4ebd90f 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3340,7 +3344,7 @@ ncls: +@@ -3342,7 +3346,7 @@ ncls: if (pt_prev) { ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { @@ -95605,7 +95262,7 @@ index 8e455b8..4ebd90f 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -3905,7 +3909,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -3907,7 +3911,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -95614,7 +95271,7 @@ index 8e455b8..4ebd90f 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -4375,8 +4379,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -4377,8 +4381,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); @@ -95628,7 +95285,7 @@ index 8e455b8..4ebd90f 100644 } return 0; -@@ -4438,7 +4447,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) +@@ -4440,7 +4449,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) proc_net_remove(net, "dev"); } @@ -95637,7 +95294,7 @@ index 8e455b8..4ebd90f 100644 .init = dev_proc_net_init, .exit = dev_proc_net_exit, }; -@@ -5933,7 +5942,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5935,7 +5944,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -95646,7 +95303,7 @@ index 8e455b8..4ebd90f 100644 return storage; } EXPORT_SYMBOL(dev_get_stats); -@@ -6512,7 +6521,7 @@ static void __net_exit netdev_exit(struct net *net) +@@ -6514,7 +6523,7 @@ static void __net_exit netdev_exit(struct net *net) kfree(net->dev_index_head); } @@ -95655,7 +95312,7 @@ index 8e455b8..4ebd90f 100644 .init = netdev_init, .exit = netdev_exit, }; -@@ -6574,7 +6583,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) +@@ -6576,7 +6585,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) rtnl_unlock(); } @@ -95784,7 +95441,7 @@ index e318c7e..168b1d0 100644 fle->object = flo; else diff --git a/net/core/iovec.c b/net/core/iovec.c -index c40f27e..7f49254 100644 +index 139ef93..7afaa2f 100644 --- a/net/core/iovec.c +++ b/net/core/iovec.c @@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, @@ -95796,7 +95453,7 @@ index c40f27e..7f49254 100644 err = move_addr_to_kernel(namep, m->msg_namelen, address); if (err < 0) -@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, +@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, } size = m->msg_iovlen * sizeof(struct iovec); @@ -96215,7 +95872,7 @@ index 39a2d29..f39c0fe 100644 Econet is a fairly old and slow networking protocol mainly used by Acorn computers to access file and print servers. It uses native diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c -index 19d6aef..4f610f4 100644 +index 5d42df2..10638af 100644 --- a/net/ieee802154/6lowpan.c +++ b/net/ieee802154/6lowpan.c @@ -329,7 +329,7 @@ static int lowpan_header_create(struct sk_buff *skb, @@ -96325,19 +95982,6 @@ index 59a7041..060976d 100644 memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process); -diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c -index 424fafb..ec07510 100644 ---- a/net/ipv4/datagram.c -+++ b/net/ipv4/datagram.c -@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (IS_ERR(rt)) { - err = PTR_ERR(rt); - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); - goto out; - } - diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index e41c40f..fbed7a7 100644 --- a/net/ipv4/devinet.c @@ -96715,10 +96359,10 @@ index 5f28fab..ebd7a97 100644 .maxtype = IFLA_GRE_MAX, .policy = ipgre_policy, diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 3b36002..27e6634 100644 +index 542a9c1..5b792eb 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1120,7 +1120,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1121,7 +1121,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -96728,7 +96372,7 @@ index 3b36002..27e6634 100644 return -EFAULT; return 0; } -@@ -1248,7 +1249,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1249,7 +1250,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -96917,10 +96561,10 @@ index b550815..c3b44d5 100644 /* copy_len <= skb->len, so can't fail. */ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 294a380..885a292 100644 +index 00975b6..e922b06 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c -@@ -836,7 +836,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, +@@ -835,7 +835,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -96943,7 +96587,7 @@ index f7fdbe9..63740b7 100644 .exit = ip_proc_exit_net, }; diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 2815014..1d39ae6 100644 +index cfded93..7b72cc0 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -305,7 +305,7 @@ static int raw_rcv_skb(struct sock * sk, struct sk_buff * skb) @@ -96955,7 +96599,7 @@ index 2815014..1d39ae6 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -740,16 +740,20 @@ static int raw_init(struct sock *sk) +@@ -738,16 +738,20 @@ static int raw_init(struct sock *sk) static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen) { @@ -96977,7 +96621,7 @@ index 2815014..1d39ae6 100644 if (get_user(len, optlen)) goto out; -@@ -759,8 +763,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o +@@ -757,8 +761,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o if (len > sizeof(struct icmp_filter)) len = sizeof(struct icmp_filter); ret = -EFAULT; @@ -96988,7 +96632,7 @@ index 2815014..1d39ae6 100644 goto out; ret = 0; out: return ret; -@@ -988,7 +992,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) +@@ -986,7 +990,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -97003,7 +96647,7 @@ index 2815014..1d39ae6 100644 } static int raw_seq_show(struct seq_file *seq, void *v) -@@ -1051,7 +1061,7 @@ static __net_exit void raw_exit_net(struct net *net) +@@ -1049,7 +1059,7 @@ static __net_exit void raw_exit_net(struct net *net) proc_net_remove(net, "raw"); } @@ -97325,7 +96969,7 @@ index c1ed01e..bb914c3 100644 /* step 6: check the URG bit */ tcp_urg(sk, skb, th); diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a97c9ad..640d986 100644 +index 92d7138..df6f00f 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly; @@ -97514,7 +97158,7 @@ index 2e0f0af..e2948bf 100644 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 5decc93..79830d4 100644 +index 8c2e259..076bc5b 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -86,6 +86,7 @@ @@ -97565,7 +97209,7 @@ index 5decc93..79830d4 100644 daddr = inet->inet_daddr; dport = inet->inet_dport; /* Open fast path for connected socket. -@@ -1100,7 +1117,7 @@ static unsigned int first_packet_length(struct sock *sk) +@@ -1103,7 +1120,7 @@ static unsigned int first_packet_length(struct sock *sk) udp_lib_checksum_complete(skb)) { UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, IS_UDPLITE(sk)); @@ -97574,7 +97218,7 @@ index 5decc93..79830d4 100644 __skb_unlink(skb, rcvq); __skb_queue_tail(&list_kill, skb); } -@@ -1186,6 +1203,10 @@ try_again: +@@ -1183,6 +1200,10 @@ try_again: if (!skb) goto out; @@ -97585,7 +97229,7 @@ index 5decc93..79830d4 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1488,7 +1509,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -1486,7 +1507,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) drop: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); @@ -97594,7 +97238,7 @@ index 5decc93..79830d4 100644 kfree_skb(skb); return -1; } -@@ -1507,7 +1528,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -1505,7 +1526,7 @@ static void flush_stack(struct sock **stack, unsigned int count, skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); if (!skb1) { @@ -97603,7 +97247,7 @@ index 5decc93..79830d4 100644 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, -@@ -1676,6 +1697,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1674,6 +1695,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -97613,7 +97257,7 @@ index 5decc93..79830d4 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -2099,8 +2123,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -2097,8 +2121,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -97730,7 +97374,7 @@ index 1567fb1..29af910 100644 dst = NULL; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 97675bf..7dc5e62 100644 +index d3fde7e..f526e49 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -600,8 +600,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) @@ -97825,7 +97469,7 @@ index 94874b0..a47969c 100644 case IP6T_SO_GET_ENTRIES: diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 6e6c2c4..c97891e 100644 +index 9ecbc84..7dd6ff7 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -109,7 +109,7 @@ found: @@ -97864,7 +97508,7 @@ index 6e6c2c4..c97891e 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -600,7 +600,7 @@ out: +@@ -598,7 +598,7 @@ out: return err; } @@ -97873,7 +97517,7 @@ index 6e6c2c4..c97891e 100644 struct flowi6 *fl6, struct dst_entry **dstp, unsigned int flags) { -@@ -908,12 +908,15 @@ do_confirm: +@@ -906,12 +906,15 @@ do_confirm: static int rawv6_seticmpfilter(struct sock *sk, int level, int optname, char __user *optval, int optlen) { @@ -97890,7 +97534,7 @@ index 6e6c2c4..c97891e 100644 return 0; default: return -ENOPROTOOPT; -@@ -926,6 +929,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname, +@@ -924,6 +927,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen) { int len; @@ -97898,7 +97542,7 @@ index 6e6c2c4..c97891e 100644 switch (optname) { case ICMPV6_FILTER: -@@ -937,7 +941,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname, +@@ -935,7 +939,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname, len = sizeof(struct icmp6_filter); if (put_user(len, optlen)) return -EFAULT; @@ -97908,7 +97552,7 @@ index 6e6c2c4..c97891e 100644 return -EFAULT; return 0; default: -@@ -1244,7 +1249,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) +@@ -1242,7 +1247,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -97965,10 +97609,10 @@ index eba5deb..61e026f 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index bc9103d..48a383f 100644 +index 1768238..b28b21a 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2809,7 +2809,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -2812,7 +2812,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -98094,7 +97738,7 @@ index c69358c..d1e5855 100644 static int tcp6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index f9e496b..729da61 100644 +index f8bec1e..8628321 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -50,6 +50,10 @@ @@ -98108,7 +97752,7 @@ index f9e496b..729da61 100644 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2) { const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr; -@@ -549,7 +553,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) +@@ -546,7 +550,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) return 0; drop: @@ -98117,7 +97761,7 @@ index f9e496b..729da61 100644 drop_no_sk_drops_inc: UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); kfree_skb(skb); -@@ -625,7 +629,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -622,7 +626,7 @@ static void flush_stack(struct sock **stack, unsigned int count, continue; } drop: @@ -98126,7 +97770,7 @@ index f9e496b..729da61 100644 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP6_INC_STATS_BH(sock_net(sk), -@@ -780,6 +784,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -777,6 +781,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -98136,7 +97780,7 @@ index f9e496b..729da61 100644 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); kfree_skb(skb); -@@ -796,7 +803,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -793,7 +800,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, if (!sock_owned_by_user(sk)) udpv6_queue_rcv_skb(sk, skb); else if (sk_add_backlog(sk, skb)) { @@ -98145,7 +97789,7 @@ index f9e496b..729da61 100644 bh_unlock_sock(sk); sock_put(sk); goto discard; -@@ -1412,8 +1419,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket +@@ -1409,8 +1416,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -98349,7 +97993,7 @@ index 32e3bb0..a4e5eb8 100644 } diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index e836140..f8ec098 100644 +index cf98d62..7bf2972 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -786,10 +786,10 @@ static int iucv_sock_autobind(struct sock *sk) @@ -98379,7 +98023,7 @@ index 403be43..87f09da 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index 8dbdb8e..50f4169 100644 +index dc8d7ef..9d37285 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1097,7 +1097,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, @@ -99326,7 +98970,7 @@ index 4fe4fb4..87a89e5 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 3d1d55d..1ee2a18 100644 +index 2369e96..3c3f7de 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -753,7 +753,7 @@ static void netlink_overrun(struct sock *sk) @@ -99338,7 +98982,7 @@ index 3d1d55d..1ee2a18 100644 } static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid) -@@ -2013,7 +2013,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) +@@ -2011,7 +2011,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb, atomic_read(&s->sk_refcnt), @@ -99347,7 +98991,7 @@ index 3d1d55d..1ee2a18 100644 sock_i_ino(s) ); -@@ -2120,7 +2120,7 @@ static void __init netlink_add_usersock_entry(void) +@@ -2118,7 +2118,7 @@ static void __init netlink_add_usersock_entry(void) netlink_table_ungrab(); } @@ -99399,7 +99043,7 @@ index 874f8ff..339bb58 100644 } } diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c -index 3df7c5a..8f324b0 100644 +index b4d889b..bb33240 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -839,6 +839,7 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr, @@ -99419,10 +99063,10 @@ index 3df7c5a..8f324b0 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index a2ac2c3..070be35 100644 +index 4f19bf2..5770069 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c -@@ -1670,7 +1670,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1678,7 +1678,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_packets++; @@ -99431,7 +99075,7 @@ index a2ac2c3..070be35 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1679,7 +1679,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1687,7 +1687,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_drops++; @@ -99440,7 +99084,7 @@ index a2ac2c3..070be35 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -2609,6 +2609,7 @@ out: +@@ -2623,6 +2623,7 @@ out: static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) { @@ -99448,7 +99092,7 @@ index a2ac2c3..070be35 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2630,8 +2631,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) +@@ -2644,8 +2645,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -99459,7 +99103,7 @@ index a2ac2c3..070be35 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -3261,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3273,7 +3275,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -99468,7 +99112,7 @@ index a2ac2c3..070be35 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3311,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3323,7 +3325,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, if (put_user(len, optlen)) return -EFAULT; @@ -100256,7 +99900,7 @@ index 8da4481..d02565e 100644 + (rtt >> sctp_rto_alpha); } else { diff --git a/net/socket.c b/net/socket.c -index bf7adaa..997cbc7 100644 +index d4faade..2492841 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -100285,7 +99929,7 @@ index bf7adaa..997cbc7 100644 /* * Statistics counters of the socket lists -@@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type, +@@ -322,7 +325,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type, &sockfs_dentry_operations, SOCKFS_MAGIC); } @@ -100294,7 +99938,7 @@ index bf7adaa..997cbc7 100644 static struct file_system_type sock_fs_type = { .name = "sockfs", -@@ -1187,6 +1190,8 @@ int __sock_create(struct net *net, int family, int type, int protocol, +@@ -1188,6 +1191,8 @@ int __sock_create(struct net *net, int family, int type, int protocol, return -EAFNOSUPPORT; if (type < 0 || type >= SOCK_MAX) return -EINVAL; @@ -100303,7 +99947,7 @@ index bf7adaa..997cbc7 100644 /* Compatibility. -@@ -1207,6 +1212,20 @@ int __sock_create(struct net *net, int family, int type, int protocol, +@@ -1208,6 +1213,20 @@ int __sock_create(struct net *net, int family, int type, int protocol, if (err) return err; @@ -100324,7 +99968,7 @@ index bf7adaa..997cbc7 100644 /* * Allocate the socket and allow the family to set things up. if * the protocol is 0, the family is instructed to select an appropriate -@@ -1431,6 +1450,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen) +@@ -1432,6 +1451,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen) if (sock) { err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address); if (err >= 0) { @@ -100339,7 +99983,7 @@ index bf7adaa..997cbc7 100644 err = security_socket_bind(sock, (struct sockaddr *)&address, addrlen); -@@ -1439,6 +1466,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen) +@@ -1440,6 +1467,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen) (struct sockaddr *) &address, addrlen); } @@ -100347,7 +99991,7 @@ index bf7adaa..997cbc7 100644 fput_light(sock->file, fput_needed); } return err; -@@ -1462,10 +1490,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog) +@@ -1463,10 +1491,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog) if ((unsigned)backlog > somaxconn) backlog = somaxconn; @@ -100368,7 +100012,7 @@ index bf7adaa..997cbc7 100644 fput_light(sock->file, fput_needed); } return err; -@@ -1509,6 +1547,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr, +@@ -1510,6 +1548,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr, newsock->type = sock->type; newsock->ops = sock->ops; @@ -100387,7 +100031,7 @@ index bf7adaa..997cbc7 100644 /* * We don't need try_module_get here, as the listening socket (sock) * has the protocol module (sock->ops->owner) held. -@@ -1547,6 +1597,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr, +@@ -1548,6 +1598,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr, fd_install(newfd, newfile); err = newfd; @@ -100396,7 +100040,7 @@ index bf7adaa..997cbc7 100644 out_put: fput_light(sock->file, fput_needed); out: -@@ -1579,6 +1631,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, +@@ -1580,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, int, addrlen) { struct socket *sock; @@ -100404,7 +100048,7 @@ index bf7adaa..997cbc7 100644 struct sockaddr_storage address; int err, fput_needed; -@@ -1589,6 +1642,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, +@@ -1590,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, if (err < 0) goto out_put; @@ -100422,7 +100066,7 @@ index bf7adaa..997cbc7 100644 err = security_socket_connect(sock, (struct sockaddr *)&address, addrlen); if (err) -@@ -1670,6 +1734,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, +@@ -1671,6 +1735,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, * the protocol. */ @@ -100431,7 +100075,7 @@ index bf7adaa..997cbc7 100644 SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned, flags, struct sockaddr __user *, addr, int, addr_len) -@@ -1736,7 +1802,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, +@@ -1737,7 +1803,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, struct socket *sock; struct iovec iov; struct msghdr msg; @@ -100440,16 +100084,7 @@ index bf7adaa..997cbc7 100644 int err, err2; int fput_needed; -@@ -1882,7 +1948,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, - if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - return 0; - } - -@@ -1963,7 +2029,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -1966,7 +2032,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -100458,7 +100093,7 @@ index bf7adaa..997cbc7 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2114,7 +2180,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2117,7 +2183,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, iov_size, total_len, len; /* kernel mode address */ @@ -100467,16 +100102,17 @@ index bf7adaa..997cbc7 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2147,7 +2213,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - * kernel msghdr to use the kernel address space) +@@ -2148,7 +2214,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + /* Save the user-mode address (verify_iovec will change the + * kernel msghdr to use the kernel address space) */ - - uaddr = (__force void __user *)msg_sys->msg_name; ++ + uaddr = (void __force_user *)msg_sys->msg_name; uaddr_len = COMPAT_NAMELEN(msg); - if (MSG_CMSG_COMPAT & flags) { + if (MSG_CMSG_COMPAT & flags) err = verify_compat_iovec(msg_sys, iov, -@@ -2788,7 +2854,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2792,7 +2859,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) } ifr = compat_alloc_user_space(buf_size); @@ -100485,7 +100121,7 @@ index bf7adaa..997cbc7 100644 if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ)) return -EFAULT; -@@ -2812,12 +2878,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2816,12 +2883,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) offsetof(struct ethtool_rxnfc, fs.ring_cookie)); if (copy_in_user(rxnfc, compat_rxnfc, @@ -100502,7 +100138,7 @@ index bf7adaa..997cbc7 100644 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2829,12 +2895,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2833,12 +2900,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) if (convert_out) { if (copy_in_user(compat_rxnfc, rxnfc, @@ -100519,7 +100155,7 @@ index bf7adaa..997cbc7 100644 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2904,7 +2970,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2908,7 +2975,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -100528,7 +100164,7 @@ index bf7adaa..997cbc7 100644 set_fs(old_fs); return err; -@@ -3013,7 +3079,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3017,7 +3084,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -100537,7 +100173,7 @@ index bf7adaa..997cbc7 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3118,7 +3184,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3122,7 +3189,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -100546,7 +100182,7 @@ index bf7adaa..997cbc7 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3358,8 +3424,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3362,8 +3429,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -100557,7 +100193,7 @@ index bf7adaa..997cbc7 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3379,7 +3445,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3383,7 +3450,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -101372,7 +101008,7 @@ index 1983717..4d6102c 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5122b22..25b11eb 100644 +index 9338ccc..9bc732b 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -766,6 +766,12 @@ static struct sock *unix_find_other(struct net *net, @@ -101421,7 +101057,7 @@ index 5122b22..25b11eb 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; -@@ -2270,9 +2290,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2265,9 +2285,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -101436,7 +101072,7 @@ index 5122b22..25b11eb 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2299,8 +2323,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2294,8 +2318,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) } for ( ; i < len; i++) seq_putc(seq, u->addr->name->sun_path[i]); @@ -104640,10 +104276,10 @@ index dca1c22..4fa4591 100644 lock = &avc_cache.slots_lock[hvalue]; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 1126c10..3bd5447 100644 +index 5898f34..f44199b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -94,8 +94,6 @@ +@@ -95,8 +95,6 @@ #define NUM_SEL_MNT_OPTS 5 @@ -104652,7 +104288,7 @@ index 1126c10..3bd5447 100644 /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); -@@ -2000,6 +1998,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) +@@ -2001,6 +1999,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) new_tsec->sid = old_tsec->exec_sid; /* Reset exec SID on execve. */ new_tsec->exec_sid = 0; @@ -104666,7 +104302,7 @@ index 1126c10..3bd5447 100644 } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid, -@@ -2012,7 +2017,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) +@@ -2013,7 +2018,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) COMMON_AUDIT_DATA_INIT(&ad, PATH); ad.u.path = bprm->file->f_path; @@ -104676,7 +104312,7 @@ index 1126c10..3bd5447 100644 new_tsec->sid = old_tsec->sid; if (new_tsec->sid == old_tsec->sid) { -@@ -4156,8 +4162,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -4181,8 +4187,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) } err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad); @@ -104688,7 +104324,7 @@ index 1126c10..3bd5447 100644 } if (secmark_active) { -@@ -5313,11 +5321,11 @@ static int selinux_setprocattr(struct task_struct *p, +@@ -5372,11 +5380,11 @@ static int selinux_setprocattr(struct task_struct *p, /* Check for ptracing, and update the task SID if ok. Otherwise, leave SID unchanged and fail. */ ptsid = 0; @@ -104702,7 +104338,7 @@ index 1126c10..3bd5447 100644 if (tracer) { error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, -@@ -5449,7 +5457,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) +@@ -5508,7 +5516,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif @@ -104711,7 +104347,7 @@ index 1126c10..3bd5447 100644 .name = "selinux", .ptrace_access_check = selinux_ptrace_access_check, -@@ -5795,6 +5803,9 @@ static void selinux_nf_ip_exit(void) +@@ -5854,6 +5862,9 @@ static void selinux_nf_ip_exit(void) #ifdef CONFIG_SECURITY_SELINUX_DISABLE static int selinux_disabled; @@ -104721,7 +104357,7 @@ index 1126c10..3bd5447 100644 int selinux_disable(void) { if (ss_initialized) { -@@ -5812,7 +5823,9 @@ int selinux_disable(void) +@@ -5871,7 +5882,9 @@ int selinux_disable(void) selinux_disabled = 1; selinux_enabled = 0; @@ -107395,10 +107031,10 @@ index 0000000..679b9ef +} diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data new file mode 100644 -index 0000000..c4e61fd +index 0000000..2d131cc --- /dev/null +++ b/tools/gcc/size_overflow_hash.data -@@ -0,0 +1,5995 @@ +@@ -0,0 +1,5998 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -108022,8 +107658,8 @@ index 0000000..c4e61fd +send_mpa_reject_7135 send_mpa_reject 3 7135 NULL +ipv6_recv_rxpmtu_7142 ipv6_recv_rxpmtu 3 7142 NULL +ocfs2_get_left_path_7159 ocfs2_get_left_path 0 7159 NULL -+utf16_strsize_7203 utf16_strsize 0 7203 NULL nohasharray -+__alloc_objio_seg_7203 __alloc_objio_seg 1 7203 &utf16_strsize_7203 ++__alloc_objio_seg_7203 __alloc_objio_seg 1 7203 NULL nohasharray ++utf16_strsize_7203 utf16_strsize 0 7203 &__alloc_objio_seg_7203 +sys32_ipc_7238 sys32_ipc 3 7238 NULL +hdlc_loop_7255 hdlc_loop 0 7255 NULL +snd_mask_refine_7267 snd_mask_refine 0 7267 NULL @@ -108189,8 +107825,8 @@ index 0000000..c4e61fd +usb_allocate_stream_buffers_8964 usb_allocate_stream_buffers 3 8964 NULL +qib_qsfp_dump_8966 qib_qsfp_dump 0-3 8966 NULL +venus_mkdir_8967 venus_mkdir 4 8967 NULL -+seq_open_net_8968 seq_open_net 4 8968 NULL nohasharray -+vol_cdev_read_8968 vol_cdev_read 3 8968 &seq_open_net_8968 ++vol_cdev_read_8968 vol_cdev_read 3 8968 NULL nohasharray ++seq_open_net_8968 seq_open_net 4 8968 &vol_cdev_read_8968 +bio_integrity_get_tag_8974 bio_integrity_get_tag 3 8974 NULL +btrfs_alloc_free_block_8986 btrfs_alloc_free_block 8 8986 NULL +get_pipes_9008 get_pipes 0 9008 NULL @@ -108342,8 +107978,8 @@ index 0000000..c4e61fd +do_compat_pselect_10398 do_compat_pselect 1 10398 NULL +event_phy_transmit_error_read_10471 event_phy_transmit_error_read 3 10471 NULL +qib_alloc_fast_reg_page_list_10507 qib_alloc_fast_reg_page_list 2 10507 NULL -+rbd_get_segment_10511 rbd_get_segment 0-3-4 10511 NULL nohasharray -+sel_write_disable_10511 sel_write_disable 3 10511 &rbd_get_segment_10511 ++sel_write_disable_10511 sel_write_disable 3 10511 NULL nohasharray ++rbd_get_segment_10511 rbd_get_segment 0-3-4 10511 &sel_write_disable_10511 +osd_req_write_sg_kern_10514 osd_req_write_sg_kern 5 10514 NULL +rds_message_alloc_10517 rds_message_alloc 1 10517 NULL +snd_pcm_hw_params_user_10520 snd_pcm_hw_params_user 0 10520 NULL @@ -108738,8 +108374,8 @@ index 0000000..c4e61fd +cmd_complete_14502 cmd_complete 5 14502 NULL +ocfs2_debug_read_14507 ocfs2_debug_read 3 14507 NULL +prepare_data_14536 prepare_data 3 14536 NULL nohasharray -+dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 &prepare_data_14536 nohasharray -+ep0_write_14536 ep0_write 3 14536 &dataflash_read_user_otp_14536 ++ep0_write_14536 ep0_write 3 14536 &prepare_data_14536 nohasharray ++dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 &ep0_write_14536 +register_trace_sched_switch_14545 register_trace_sched_switch 0 14545 NULL +l2cap_send_cmd_14548 l2cap_send_cmd 4 14548 NULL +picolcd_debug_eeprom_read_14549 picolcd_debug_eeprom_read 3 14549 NULL @@ -108765,8 +108401,8 @@ index 0000000..c4e61fd +ext4_kvmalloc_14796 ext4_kvmalloc 1 14796 NULL +__kfifo_in_14797 __kfifo_in 3-0 14797 NULL +nfs_parse_server_name_14800 nfs_parse_server_name 2 14800 NULL -+hpet_readl_14801 hpet_readl 0 14801 NULL nohasharray -+snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 &hpet_readl_14801 ++snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 NULL nohasharray ++hpet_readl_14801 hpet_readl 0 14801 &snd_als300_gcr_read_14801 +__i2400ms_rx_get_size_14826 __i2400ms_rx_get_size 0 14826 NULL +do_tune_cpucache_14828 do_tune_cpucache 2 14828 NULL +__mutex_fastpath_lock_retval_14844 __mutex_fastpath_lock_retval 0 14844 NULL @@ -109538,8 +109174,8 @@ index 0000000..c4e61fd +pipe_iov_copy_from_user_23102 pipe_iov_copy_from_user 3 23102 NULL +dgram_recvmsg_23104 dgram_recvmsg 4 23104 NULL +ip_recv_error_23109 ip_recv_error 3 23109 NULL -+mwl8k_cmd_set_beacon_23110 mwl8k_cmd_set_beacon 4 23110 NULL nohasharray -+msix_setup_entries_23110 msix_setup_entries 0 23110 &mwl8k_cmd_set_beacon_23110 ++msix_setup_entries_23110 msix_setup_entries 0 23110 NULL nohasharray ++mwl8k_cmd_set_beacon_23110 mwl8k_cmd_set_beacon 4 23110 &msix_setup_entries_23110 +nl80211_send_rx_auth_23111 nl80211_send_rx_auth 4 23111 NULL +__clear_user_23118 __clear_user 0-2 23118 NULL +iwl_legacy_dbgfs_interrupt_write_23122 iwl_legacy_dbgfs_interrupt_write 3 23122 NULL nohasharray @@ -109956,9 +109592,9 @@ index 0000000..c4e61fd +cxio_hal_pblpool_alloc_27714 cxio_hal_pblpool_alloc 2 27714 NULL +evm_write_key_27715 evm_write_key 3 27715 NULL +ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol_27722 ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol 3 27722 NULL -+reg_w_buf_27724 reg_w_buf 3 27724 NULL nohasharray -+pstore_write_27724 pstore_write 3 27724 ®_w_buf_27724 nohasharray -+iwl_dbgfs_traffic_log_write_27724 iwl_dbgfs_traffic_log_write 3 27724 &pstore_write_27724 ++pstore_write_27724 pstore_write 3 27724 NULL nohasharray ++iwl_dbgfs_traffic_log_write_27724 iwl_dbgfs_traffic_log_write 3 27724 &pstore_write_27724 nohasharray ++reg_w_buf_27724 reg_w_buf 3 27724 &iwl_dbgfs_traffic_log_write_27724 +xfs_dir2_block_sfsize_27727 xfs_dir2_block_sfsize 0 27727 NULL +kcalloc_27770 kcalloc 2-1 27770 NULL +ttm_object_file_init_27804 ttm_object_file_init 2 27804 NULL @@ -110075,8 +109711,8 @@ index 0000000..c4e61fd +hci_sock_setsockopt_28993 hci_sock_setsockopt 5 28993 NULL +bin_uuid_28999 bin_uuid 3 28999 NULL +sys_fcntl64_29031 sys_fcntl64 3 29031 NULL -+ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 NULL nohasharray -+rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 &ProcessGetHostMibs_29049 ++rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 NULL nohasharray ++ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 &rxrpc_sendmsg_29049 +tso_fragment_29050 tso_fragment 3 29050 NULL +split_bvec_29058 split_bvec 5 29058 NULL +iso_packets_buffer_init_29061 iso_packets_buffer_init 3-4 29061 NULL @@ -110155,7 +109791,8 @@ index 0000000..c4e61fd +pin_code_reply_29893 pin_code_reply 4 29893 NULL +write_file_queue_29922 write_file_queue 3 29922 NULL +ext4_xattr_set_acl_29930 ext4_xattr_set_acl 4 29930 NULL -+__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL ++__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL nohasharray ++ipv6_recv_error_29947 ipv6_recv_error 3 29947 &__btrfs_getxattr_29947 +xfrm_count_auth_supported_29957 xfrm_count_auth_supported 0 29957 NULL +irias_add_octseq_attrib_29983 irias_add_octseq_attrib 4 29983 NULL +arch_setup_dmar_msi_29992 arch_setup_dmar_msi 1-0 29992 NULL @@ -110889,8 +110526,8 @@ index 0000000..c4e61fd +snd_pcm_playback_rewind_38249 snd_pcm_playback_rewind 0-2 38249 NULL +ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 NULL nohasharray +mthca_alloc_icm_table_38268 mthca_alloc_icm_table 3-4 38268 &ieee80211_if_read_auto_open_plinks_38268 -+xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 NULL nohasharray -+xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 &xfs_bmdr_to_bmbt_38275 ++xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 NULL nohasharray ++xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 &xfs_bmbt_to_bmdr_38275 +zd_mac_rx_38296 zd_mac_rx 3 38296 NULL +isr_rx_headers_read_38325 isr_rx_headers_read 3 38325 NULL +ida_simple_get_38326 ida_simple_get 2 38326 NULL @@ -111387,8 +111024,8 @@ index 0000000..c4e61fd +msi_capability_init_43423 msi_capability_init 0 43423 &__alloc_bootmem_low_43423 +usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL +ocfs2_rotate_tree_left_43442 ocfs2_rotate_tree_left 0 43442 NULL -+usemap_size_43443 usemap_size 0-2-1 43443 NULL nohasharray -+usb_string_43443 usb_string 0 43443 &usemap_size_43443 ++usb_string_43443 usb_string 0 43443 NULL nohasharray ++usemap_size_43443 usemap_size 0-2-1 43443 &usb_string_43443 +__data_list_add_eb_43472 __data_list_add_eb 0 43472 NULL +alloc_new_reservation_43480 alloc_new_reservation 4-0-2 43480 NULL +nf_nat_ftp_fmt_cmd_43495 nf_nat_ftp_fmt_cmd 0 43495 NULL @@ -111605,6 +111242,7 @@ index 0000000..c4e61fd +pcpu_alloc_alloc_info_45813 pcpu_alloc_alloc_info 1-2 45813 NULL +fm_v4l2_init_video_device_45821 fm_v4l2_init_video_device 2 45821 NULL +r600_texture_size_45823 r600_texture_size 6-5-4 45823 NULL ++ipv6_recv_rxpmtu_45830 ipv6_recv_rxpmtu 3 45830 NULL +amthi_read_45831 amthi_read 4 45831 NULL +audit_make_reply_45835 audit_make_reply 7 45835 NULL +__ip_select_ident_45851 __ip_select_ident 3 45851 NULL @@ -111793,8 +111431,8 @@ index 0000000..c4e61fd +iwl_dbgfs_ucode_tracing_read_47983 iwl_dbgfs_ucode_tracing_read 3 47983 NULL nohasharray +mempool_resize_47983 mempool_resize 2 47983 &iwl_dbgfs_ucode_tracing_read_47983 +pnpacpi_parse_allocated_irqresource_47986 pnpacpi_parse_allocated_irqresource 2 47986 NULL -+dbg_port_buf_47990 dbg_port_buf 2 47990 NULL nohasharray -+mgmt_pending_add_47990 mgmt_pending_add 5 47990 &dbg_port_buf_47990 ++mgmt_pending_add_47990 mgmt_pending_add 5 47990 NULL nohasharray ++dbg_port_buf_47990 dbg_port_buf 2 47990 &mgmt_pending_add_47990 +ib_umad_write_47993 ib_umad_write 3 47993 NULL +ocfs2_find_refcount_split_pos_48001 ocfs2_find_refcount_split_pos 0 48001 NULL +ffs_epfile_write_48014 ffs_epfile_write 3 48014 NULL @@ -111839,8 +111477,8 @@ index 0000000..c4e61fd +r8712_usbctrl_vendorreq_48489 r8712_usbctrl_vendorreq 6 48489 NULL +send_control_msg_48498 send_control_msg 6 48498 NULL +mlx4_en_create_tx_ring_48501 mlx4_en_create_tx_ring 4 48501 NULL -+iwl_legacy_dbgfs_status_read_48508 iwl_legacy_dbgfs_status_read 3 48508 NULL nohasharray -+diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 &iwl_legacy_dbgfs_status_read_48508 ++diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 NULL nohasharray ++iwl_legacy_dbgfs_status_read_48508 iwl_legacy_dbgfs_status_read 3 48508 &diva_os_copy_to_user_48508 +phantom_get_free_48514 phantom_get_free 0 48514 NULL +ubi_dbg_check_write_48525 ubi_dbg_check_write 0 48525 NULL +wiimote_hid_send_48528 wiimote_hid_send 3 48528 NULL @@ -112399,8 +112037,8 @@ index 0000000..c4e61fd +pn_raw_send_54330 pn_raw_send 2 54330 NULL +br_fdb_fillbuf_54339 br_fdb_fillbuf 0 54339 NULL +__alloc_dev_table_54343 __alloc_dev_table 2 54343 NULL -+__get_free_pages_54352 __get_free_pages 0 54352 NULL nohasharray -+_osd_realloc_seg_54352 _osd_realloc_seg 3 54352 &__get_free_pages_54352 ++_osd_realloc_seg_54352 _osd_realloc_seg 3 54352 NULL nohasharray ++__get_free_pages_54352 __get_free_pages 0 54352 &_osd_realloc_seg_54352 +tcf_hash_create_54360 tcf_hash_create 4 54360 NULL +read_file_credit_dist_stats_54367 read_file_credit_dist_stats 3 54367 NULL +vfs_readlink_54368 vfs_readlink 3 54368 NULL @@ -112628,8 +112266,8 @@ index 0000000..c4e61fd +pvr2_debugifc_print_status_56890 pvr2_debugifc_print_status 3 56890 NULL +__bitmap_clear_bits_56912 __bitmap_clear_bits 3 56912 NULL +__kfifo_out_56927 __kfifo_out 0-3 56927 NULL -+CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 NULL nohasharray -+journal_init_revoke_56933 journal_init_revoke 2 56933 &CopyBufferToControlPacket_56933 ++journal_init_revoke_56933 journal_init_revoke 2 56933 NULL nohasharray ++CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 &journal_init_revoke_56933 +diva_get_driver_info_56967 diva_get_driver_info 0 56967 NULL +vlsi_alloc_ring_57003 vlsi_alloc_ring 3-4 57003 NULL +btrfs_super_csum_size_57004 btrfs_super_csum_size 0 57004 NULL @@ -112723,8 +112361,8 @@ index 0000000..c4e61fd +tt_response_fill_table_57902 tt_response_fill_table 1 57902 NULL +xt_alloc_table_info_57903 xt_alloc_table_info 1 57903 NULL +emi26_writememory_57908 emi26_writememory 4 57908 NULL -+iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 NULL nohasharray -+atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 &iio_read_first_n_kfifo_57910 ++atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 NULL nohasharray ++iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 &atomic_add_return_unchecked_57910 +__snd_gf1_look16_57925 __snd_gf1_look16 0 57925 NULL +sel_read_handle_unknown_57933 sel_read_handle_unknown 3 57933 NULL +xfs_mru_cache_create_57943 xfs_mru_cache_create 3 57943 NULL @@ -112917,8 +112555,8 @@ index 0000000..c4e61fd +sys_sched_getaffinity_60033 sys_sched_getaffinity 2 60033 NULL +bio_integrity_hw_sectors_60039 bio_integrity_hw_sectors 0-2 60039 NULL +do_ip6t_set_ctl_60040 do_ip6t_set_ctl 4 60040 NULL -+pin_2_irq_60050 pin_2_irq 0-3 60050 NULL nohasharray -+vcs_size_60050 vcs_size 0 60050 &pin_2_irq_60050 ++vcs_size_60050 vcs_size 0 60050 NULL nohasharray ++pin_2_irq_60050 pin_2_irq 0-3 60050 &vcs_size_60050 +load_module_60056 load_module 2 60056 NULL nohasharray +gru_alloc_gts_60056 gru_alloc_gts 3-2 60056 &load_module_60056 +compat_writev_60063 compat_writev 3 60063 NULL @@ -113098,6 +112736,7 @@ index 0000000..c4e61fd +pcpu_alloc_bootmem_62074 pcpu_alloc_bootmem 2 62074 NULL +get_domain_for_dev_62099 get_domain_for_dev 2 62099 NULL +jffs2_security_setxattr_62107 jffs2_security_setxattr 4 62107 NULL ++ip_recv_error_62117 ip_recv_error 3 62117 NULL +generic_block_fiemap_62122 generic_block_fiemap 4 62122 NULL +llc_ui_header_len_62131 llc_ui_header_len 0 62131 NULL +qib_diag_write_62133 qib_diag_write 3 62133 NULL nohasharray @@ -117973,7 +117612,7 @@ index 547628e..74de9f2 100644 + #endif diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 8bf05f0..e097f17 100644 +index d83aa5e..e097f17 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,12 +75,17 @@ LIST_HEAD(vm_list); @@ -118005,67 +117644,7 @@ index 8bf05f0..e097f17 100644 (void __user *)(unsigned long)mem->userspace_addr, mem->memory_size))) goto out; -@@ -774,7 +779,7 @@ skip_lpage: - new.userspace_addr = mem->userspace_addr; - #endif /* not defined CONFIG_S390 */ - -- if (!npages) { -+ if (!npages || base_gfn != old.base_gfn) { - r = -ENOMEM; - slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); - if (!slots) -@@ -788,8 +793,10 @@ skip_lpage: - old_memslots = kvm->memslots; - rcu_assign_pointer(kvm->memslots, slots); - synchronize_srcu_expedited(&kvm->srcu); -- /* From this point no new shadow pages pointing to a deleted -- * memslot will be created. -+ /* slot was deleted or moved, clear iommu mapping */ -+ kvm_iommu_unmap_pages(kvm, &old); -+ /* From this point no new shadow pages pointing to a deleted, -+ * or moved, memslot will be created. - * - * validation of sp->gfn happens in: - * - gfn_to_hva (kvm_read_guest, gfn_to_pfn) -@@ -803,14 +810,6 @@ skip_lpage: - if (r) - goto out_free; - -- /* map/unmap the pages in iommu page table */ -- if (npages) { -- r = kvm_iommu_map_pages(kvm, &new); -- if (r) -- goto out_free; -- } else -- kvm_iommu_unmap_pages(kvm, &old); -- - r = -ENOMEM; - slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); - if (!slots) -@@ -820,6 +819,13 @@ skip_lpage: - slots->nmemslots = mem->slot + 1; - slots->generation++; - -+ /* map new memory slot into the iommu */ -+ if (npages) { -+ r = kvm_iommu_map_pages(kvm, &new); -+ if (r) -+ goto out_slots; -+ } -+ - /* actual memory is freed via old in kvm_free_physmem_slot below */ - if (!npages) { - new.rmap = NULL; -@@ -847,6 +853,8 @@ skip_lpage: - - return 0; - -+out_slots: -+ kfree(slots); - out_free: - kvm_free_physmem_slot(&new, &old); - out: -@@ -1657,7 +1665,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp) +@@ -1660,7 +1665,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp) return 0; } @@ -118074,17 +117653,7 @@ index 8bf05f0..e097f17 100644 .release = kvm_vcpu_release, .unlocked_ioctl = kvm_vcpu_ioctl, #ifdef CONFIG_COMPAT -@@ -1683,6 +1691,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) - int r; - struct kvm_vcpu *vcpu, *v; - -+ if (id >= KVM_MAX_VCPUS) -+ return -EINVAL; -+ - vcpu = kvm_arch_vcpu_create(kvm, id); - if (IS_ERR(vcpu)) - return PTR_ERR(vcpu); -@@ -2177,7 +2188,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) +@@ -2183,7 +2188,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) return 0; } @@ -118093,7 +117662,7 @@ index 8bf05f0..e097f17 100644 .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, #ifdef CONFIG_COMPAT -@@ -2275,7 +2286,7 @@ out: +@@ -2281,7 +2286,7 @@ out: return r; } @@ -118102,7 +117671,7 @@ index 8bf05f0..e097f17 100644 .unlocked_ioctl = kvm_dev_ioctl, .compat_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, -@@ -2301,7 +2312,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2307,7 +2312,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -118111,7 +117680,7 @@ index 8bf05f0..e097f17 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2355,10 +2366,10 @@ static int hardware_enable_all(void) +@@ -2361,10 +2366,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -118124,7 +117693,7 @@ index 8bf05f0..e097f17 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -2709,7 +2720,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2715,7 +2720,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -118133,7 +117702,7 @@ index 8bf05f0..e097f17 100644 struct module *module) { int r; -@@ -2772,7 +2783,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2778,7 +2783,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -118142,7 +117711,7 @@ index 8bf05f0..e097f17 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -2782,9 +2793,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2788,9 +2793,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; @@ -118154,7 +117723,7 @@ index 8bf05f0..e097f17 100644 r = misc_register(&kvm_dev); if (r) { -@@ -2794,9 +2807,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2800,9 +2807,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, register_syscore_ops(&kvm_syscore_ops); diff --git a/3.2.53/4425_grsec_remove_EI_PAX.patch b/3.2.54/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.2.53/4425_grsec_remove_EI_PAX.patch +++ b/3.2.54/4425_grsec_remove_EI_PAX.patch diff --git a/3.2.53/4427_force_XATTR_PAX_tmpfs.patch b/3.2.54/4427_force_XATTR_PAX_tmpfs.patch index 8c7a533..8c7a533 100644 --- a/3.2.53/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.2.54/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.2.53/4430_grsec-remove-localversion-grsec.patch b/3.2.54/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.53/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.54/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.53/4435_grsec-mute-warnings.patch b/3.2.54/4435_grsec-mute-warnings.patch index f099757..f099757 100644 --- a/3.2.53/4435_grsec-mute-warnings.patch +++ b/3.2.54/4435_grsec-mute-warnings.patch diff --git a/3.2.53/4440_grsec-remove-protected-paths.patch b/3.2.54/4440_grsec-remove-protected-paths.patch index 05710b1..05710b1 100644 --- a/3.2.53/4440_grsec-remove-protected-paths.patch +++ b/3.2.54/4440_grsec-remove-protected-paths.patch diff --git a/3.2.53/4450_grsec-kconfig-default-gids.patch b/3.2.54/4450_grsec-kconfig-default-gids.patch index 8c7b0b2..55a02aa 100644 --- a/3.2.53/4450_grsec-kconfig-default-gids.patch +++ b/3.2.54/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -612,7 +612,7 @@ +@@ -617,7 +617,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -821,7 +821,7 @@ +@@ -826,7 +826,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -830,7 +830,7 @@ +@@ -835,7 +835,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -923,7 +923,7 @@ +@@ -928,7 +928,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -944,7 +944,7 @@ +@@ -949,7 +949,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -962,7 +962,7 @@ +@@ -967,7 +967,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.2.53/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.54/4465_selinux-avc_audit-log-curr_ip.patch index 687ae4c..a946b66 100644 --- a/3.2.53/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.54/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1057,6 +1057,27 @@ +@@ -1062,6 +1062,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.2.53/4470_disable-compat_vdso.patch b/3.2.54/4470_disable-compat_vdso.patch index 6905571..6905571 100644 --- a/3.2.53/4470_disable-compat_vdso.patch +++ b/3.2.54/4470_disable-compat_vdso.patch diff --git a/3.2.53/4475_emutramp_default_on.patch b/3.2.54/4475_emutramp_default_on.patch index cfde6f8..cfde6f8 100644 --- a/3.2.53/4475_emutramp_default_on.patch +++ b/3.2.54/4475_emutramp_default_on.patch |