summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2015-07-12 10:37:35 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-07-12 10:37:35 -0400
commitb51e5385946d2d0e11268c89bd777191706072fb (patch)
tree17b205ae0814c97363371d71b7ae9424ada8af1d
parentGrsec/PaX: 3.1-{3.2.69,3.14.47,4.0.7}-201507050833 (diff)
downloadhardened-patchset-b51e5385946d2d0e11268c89bd777191706072fb.tar.gz
hardened-patchset-b51e5385946d2d0e11268c89bd777191706072fb.tar.bz2
hardened-patchset-b51e5385946d2d0e11268c89bd777191706072fb.zip
Grsec/PaX: 3.1-{3.2.69,3.14.48,4.0.8}-20150711121120150711
-rw-r--r--3.14.48/0000_README (renamed from 4.0.7/0000_README)10
-rw-r--r--3.14.48/1046_linux-3.14.47.patch (renamed from 3.14.47/1046_linux-3.14.47.patch)0
-rw-r--r--3.14.48/1047_linux-3.14.48.patch1019
-rw-r--r--3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch (renamed from 3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch)242
-rw-r--r--3.14.48/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.47/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.14.48/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.47/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.14.48/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.47/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.14.48/4435_grsec-mute-warnings.patch (renamed from 3.14.47/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.14.48/4440_grsec-remove-protected-paths.patch (renamed from 3.14.47/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.14.48/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.47/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.14.48/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.47/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.14.48/4470_disable-compat_vdso.patch (renamed from 3.14.47/4470_disable-compat_vdso.patch)0
-rw-r--r--3.14.48/4475_emutramp_default_on.patch (renamed from 3.14.47/4475_emutramp_default_on.patch)0
-rw-r--r--3.2.69/0000_README2
-rw-r--r--3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch)29
-rw-r--r--4.0.8/0000_README (renamed from 3.14.47/0000_README)6
-rw-r--r--4.0.8/1007_linux-4.0.8.patch2139
-rw-r--r--4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch (renamed from 4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch)246
-rw-r--r--4.0.8/4425_grsec_remove_EI_PAX.patch (renamed from 4.0.7/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.0.8/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.0.7/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.0.8/4430_grsec-remove-localversion-grsec.patch (renamed from 4.0.7/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.0.8/4435_grsec-mute-warnings.patch (renamed from 4.0.7/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.0.8/4440_grsec-remove-protected-paths.patch (renamed from 4.0.7/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.0.8/4450_grsec-kconfig-default-gids.patch (renamed from 4.0.7/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.0.8/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.0.7/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.0.8/4470_disable-compat_vdso.patch (renamed from 4.0.7/4470_disable-compat_vdso.patch)0
-rw-r--r--4.0.8/4475_emutramp_default_on.patch (renamed from 4.0.7/4475_emutramp_default_on.patch)0
27 files changed, 3429 insertions, 264 deletions
diff --git a/4.0.7/0000_README b/3.14.48/0000_README
index fc634e5..44ff3ab 100644
--- a/4.0.7/0000_README
+++ b/3.14.48/0000_README
@@ -2,7 +2,15 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.0.7-201507050833.patch
+Patch: 1046_linux-3.14.47.patch
+From: http://www.kernel.org
+Desc: Linux 3.14.47
+
+Patch: 1047_linux-3.14.48.patch
+From: http://www.kernel.org
+Desc: Linux 3.14.48
+
+Patch: 4420_grsecurity-3.1-3.14.48-201507111210.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.47/1046_linux-3.14.47.patch b/3.14.48/1046_linux-3.14.47.patch
index 4dc0c5a..4dc0c5a 100644
--- a/3.14.47/1046_linux-3.14.47.patch
+++ b/3.14.48/1046_linux-3.14.47.patch
diff --git a/3.14.48/1047_linux-3.14.48.patch b/3.14.48/1047_linux-3.14.48.patch
new file mode 100644
index 0000000..3a7169d
--- /dev/null
+++ b/3.14.48/1047_linux-3.14.48.patch
@@ -0,0 +1,1019 @@
+diff --git a/Makefile b/Makefile
+index f9041e6..25393e8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 47
++SUBLEVEL = 48
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
+index 9f79231..7d35af3 100644
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -117,13 +117,14 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
+ (__boundary - 1 < (end) - 1)? __boundary: (end); \
+ })
+
++#define kvm_pgd_index(addr) pgd_index(addr)
++
+ static inline bool kvm_page_empty(void *ptr)
+ {
+ struct page *ptr_page = virt_to_page(ptr);
+ return page_count(ptr_page) == 1;
+ }
+
+-
+ #define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
+ #define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
+ #define kvm_pud_table_empty(pudp) (0)
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index 2e74a61..f6a52a2 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -441,6 +441,7 @@ static void update_vttbr(struct kvm *kvm)
+
+ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
+ {
++ struct kvm *kvm = vcpu->kvm;
+ int ret;
+
+ if (likely(vcpu->arch.has_run_once))
+@@ -452,12 +453,20 @@ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
+ * Initialize the VGIC before running a vcpu the first time on
+ * this VM.
+ */
+- if (unlikely(!vgic_initialized(vcpu->kvm))) {
+- ret = kvm_vgic_init(vcpu->kvm);
++ if (unlikely(!vgic_initialized(kvm))) {
++ ret = kvm_vgic_init(kvm);
+ if (ret)
+ return ret;
+ }
+
++ /*
++ * Enable the arch timers only if we have an in-kernel VGIC
++ * and it has been properly initialized, since we cannot handle
++ * interrupts from the virtual timer with a userspace gic.
++ */
++ if (irqchip_in_kernel(kvm) && vgic_initialized(kvm))
++ kvm_timer_enable(kvm);
++
+ return 0;
+ }
+
+diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S
+index 0d68d40..a1467e7 100644
+--- a/arch/arm/kvm/interrupts.S
++++ b/arch/arm/kvm/interrupts.S
+@@ -159,13 +159,9 @@ __kvm_vcpu_return:
+ @ Don't trap coprocessor accesses for host kernel
+ set_hstr vmexit
+ set_hdcr vmexit
+- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore
+
+ #ifdef CONFIG_VFPv3
+- @ Save floating point registers we if let guest use them.
+- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
+- bne after_vfp_restore
+-
+ @ Switch VFP/NEON hardware state to the host's
+ add r7, vcpu, #VCPU_VFP_GUEST
+ store_vfp_state r7
+@@ -177,6 +173,8 @@ after_vfp_restore:
+ @ Restore FPEXC_EN which we clobbered on entry
+ pop {r2}
+ VFPFMXR FPEXC, r2
++#else
++after_vfp_restore:
+ #endif
+
+ @ Reset Hyp-role
+@@ -467,7 +465,7 @@ switch_to_guest_vfp:
+ push {r3-r7}
+
+ @ NEON/VFP used. Turn on VFP access.
+- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11))
+
+ @ Switch VFP/NEON hardware state to the guest's
+ add r7, r0, #VCPU_VFP_HOST
+diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S
+index 76af9302..2973b2d 100644
+--- a/arch/arm/kvm/interrupts_head.S
++++ b/arch/arm/kvm/interrupts_head.S
+@@ -578,8 +578,13 @@ vcpu .req r0 @ vcpu pointer always in r0
+ .endm
+
+ /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return
+- * (hardware reset value is 0). Keep previous value in r2. */
+-.macro set_hcptr operation, mask
++ * (hardware reset value is 0). Keep previous value in r2.
++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if
++ * VFP wasn't already enabled (always executed on vmtrap).
++ * If a label is specified with vmexit, it is branched to if VFP wasn't
++ * enabled.
++ */
++.macro set_hcptr operation, mask, label = none
+ mrc p15, 4, r2, c1, c1, 2
+ ldr r3, =\mask
+ .if \operation == vmentry
+@@ -588,6 +593,17 @@ vcpu .req r0 @ vcpu pointer always in r0
+ bic r3, r2, r3 @ Don't trap defined coproc-accesses
+ .endif
+ mcr p15, 4, r3, c1, c1, 2
++ .if \operation != vmentry
++ .if \operation == vmexit
++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
++ beq 1f
++ .endif
++ isb
++ .if \label != none
++ b \label
++ .endif
++1:
++ .endif
+ .endm
+
+ /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index 524b4b5..c612e37 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -194,7 +194,7 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
+ phys_addr_t addr = start, end = start + size;
+ phys_addr_t next;
+
+- pgd = pgdp + pgd_index(addr);
++ pgd = pgdp + kvm_pgd_index(addr);
+ do {
+ next = kvm_pgd_addr_end(addr, end);
+ if (!pgd_none(*pgd))
+@@ -264,7 +264,7 @@ static void stage2_flush_memslot(struct kvm *kvm,
+ phys_addr_t next;
+ pgd_t *pgd;
+
+- pgd = kvm->arch.pgd + pgd_index(addr);
++ pgd = kvm->arch.pgd + kvm_pgd_index(addr);
+ do {
+ next = kvm_pgd_addr_end(addr, end);
+ stage2_flush_puds(kvm, pgd, addr, next);
+@@ -649,7 +649,7 @@ static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache
+ pud_t *pud;
+ pmd_t *pmd;
+
+- pgd = kvm->arch.pgd + pgd_index(addr);
++ pgd = kvm->arch.pgd + kvm_pgd_index(addr);
+ pud = pud_offset(pgd, addr);
+ if (pud_none(*pud)) {
+ if (!cache)
+diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
+index 681cb90..91f33c2 100644
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -41,6 +41,8 @@ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr);
+ static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu)
+ {
+ vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS;
++ if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features))
++ vcpu->arch.hcr_el2 &= ~HCR_RW;
+ }
+
+ static inline unsigned long *vcpu_pc(const struct kvm_vcpu *vcpu)
+diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
+index 0d51874..15a8a86 100644
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -69,6 +69,8 @@
+ #define PTRS_PER_S2_PGD (1 << (KVM_PHYS_SHIFT - PGDIR_SHIFT))
+ #define S2_PGD_ORDER get_order(PTRS_PER_S2_PGD * sizeof(pgd_t))
+
++#define kvm_pgd_index(addr) (((addr) >> PGDIR_SHIFT) & (PTRS_PER_S2_PGD - 1))
++
+ int create_hyp_mappings(void *from, void *to);
+ int create_hyp_io_mappings(void *from, void *to, phys_addr_t);
+ void free_boot_hyp_pgd(void);
+diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
+index 5dfc8331..3aaf3bc 100644
+--- a/arch/arm64/kvm/hyp.S
++++ b/arch/arm64/kvm/hyp.S
+@@ -629,6 +629,7 @@ ENTRY(__kvm_tlb_flush_vmid_ipa)
+ * Instead, we invalidate Stage-2 for this IPA, and the
+ * whole of Stage-1. Weep...
+ */
++ lsr x1, x1, #12
+ tlbi ipas2e1is, x1
+ /*
+ * We have to ensure completion of the invalidation at Stage-2,
+diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
+index 70a7816..0b43265 100644
+--- a/arch/arm64/kvm/reset.c
++++ b/arch/arm64/kvm/reset.c
+@@ -90,7 +90,6 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
+ if (!cpu_has_32bit_el1())
+ return -EINVAL;
+ cpu_reset = &default_regs_reset32;
+- vcpu->arch.hcr_el2 &= ~HCR_RW;
+ } else {
+ cpu_reset = &default_regs_reset;
+ }
+diff --git a/arch/mips/include/asm/mach-generic/spaces.h b/arch/mips/include/asm/mach-generic/spaces.h
+index 9488fa5..afc96ec 100644
+--- a/arch/mips/include/asm/mach-generic/spaces.h
++++ b/arch/mips/include/asm/mach-generic/spaces.h
+@@ -94,7 +94,11 @@
+ #endif
+
+ #ifndef FIXADDR_TOP
++#ifdef CONFIG_KVM_GUEST
++#define FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000)
++#else
+ #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000)
+ #endif
++#endif
+
+ #endif /* __ASM_MACH_GENERIC_SPACES_H */
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index 38265dc..65dfbd0 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -124,7 +124,16 @@ static inline void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) {}
+
+ static bool regs_use_siar(struct pt_regs *regs)
+ {
+- return !!regs->result;
++ /*
++ * When we take a performance monitor exception the regs are setup
++ * using perf_read_regs() which overloads some fields, in particular
++ * regs->result to tell us whether to use SIAR.
++ *
++ * However if the regs are from another exception, eg. a syscall, then
++ * they have not been setup using perf_read_regs() and so regs->result
++ * is something random.
++ */
++ return ((TRAP(regs) == 0xf00) && regs->result);
+ }
+
+ /*
+diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
+index 27bb554..7ef2862 100644
+--- a/arch/sparc/kernel/ldc.c
++++ b/arch/sparc/kernel/ldc.c
+@@ -2307,7 +2307,7 @@ void *ldc_alloc_exp_dring(struct ldc_channel *lp, unsigned int len,
+ if (len & (8UL - 1))
+ return ERR_PTR(-EINVAL);
+
+- buf = kzalloc(len, GFP_KERNEL);
++ buf = kzalloc(len, GFP_ATOMIC);
+ if (!buf)
+ return ERR_PTR(-ENOMEM);
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 5dab54a..96e743a 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2440,9 +2440,19 @@ config X86_DMA_REMAP
+ depends on STA2X11
+
+ config IOSF_MBI
+- tristate
+- default m
++ tristate "Intel System On Chip IOSF Sideband support"
+ depends on PCI
++ ---help---
++ Enables sideband access to mailbox registers on SoC's. The sideband is
++ available on the following platforms. This list is not meant to be
++ exclusive.
++ - BayTrail
++ - Cherryview
++ - Braswell
++ - Quark
++
++ You should say Y if you are running a kernel on one of these
++ platforms.
+
+ source "net/Kconfig"
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index e9dc029..ac03bd7 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -571,7 +571,7 @@ struct kvm_arch {
+ struct kvm_pic *vpic;
+ struct kvm_ioapic *vioapic;
+ struct kvm_pit *vpit;
+- int vapics_in_nmi_mode;
++ atomic_t vapics_in_nmi_mode;
+ struct mutex apic_map_lock;
+ struct kvm_apic_map *apic_map;
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 298781d..1406ffd 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_work *work)
+ * LVT0 to NMI delivery. Other PIC interrupts are just sent to
+ * VCPU0, and only if its LVT0 is in EXTINT mode.
+ */
+- if (kvm->arch.vapics_in_nmi_mode > 0)
++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0)
+ kvm_for_each_vcpu(i, vcpu, kvm)
+ kvm_apic_nmi_wd_deliver(vcpu);
+ }
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 453e5fb..6456734 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1109,10 +1109,10 @@ static void apic_manage_nmi_watchdog(struct kvm_lapic *apic, u32 lvt0_val)
+ if (!nmi_wd_enabled) {
+ apic_debug("Receive NMI setting on APIC_LVT0 "
+ "for cpu %d\n", apic->vcpu->vcpu_id);
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode++;
++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+ } else if (nmi_wd_enabled)
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode--;
++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+
+ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
+diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
+index 4f25ec0..bf00138 100644
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -84,6 +84,17 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = {
+ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
+ },
+ },
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */
++ {
++ .callback = set_use_crs,
++ .ident = "Foxconn K8M890-8237A",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"),
++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"),
++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
++ },
++ },
+
+ /* Now for the blacklist.. */
+
+@@ -124,8 +135,10 @@ void __init pci_acpi_crs_quirks(void)
+ {
+ int year;
+
+- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008)
+- pci_use_crs = false;
++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) {
++ if (iomem_resource.end <= 0xffffffff)
++ pci_use_crs = false;
++ }
+
+ dmi_check_system(pci_crs_quirks);
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 533a509..fbc693b 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -417,7 +417,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate)
+
+ val |= vid;
+
+- wrmsrl(MSR_IA32_PERF_CTL, val);
++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val);
+ }
+
+ #define BYT_BCLK_FREQS 5
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 5967667..1f35487 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatterlist *sg, int sg_count,
+ sg_count--;
+ link_tbl_ptr--;
+ }
+- be16_add_cpu(&link_tbl_ptr->len, cryptlen);
++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len)
++ + cryptlen);
+
+ /* tag end of link table */
+ link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN;
+@@ -2563,6 +2564,7 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ break;
+ default:
+ dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type);
++ kfree(t_alg);
+ return ERR_PTR(-EINVAL);
+ }
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 9cbef59..9359740 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1922,9 +1922,15 @@ static void free_pt_##LVL (unsigned long __pt) \
+ pt = (u64 *)__pt; \
+ \
+ for (i = 0; i < 512; ++i) { \
++ /* PTE present? */ \
+ if (!IOMMU_PTE_PRESENT(pt[i])) \
+ continue; \
+ \
++ /* Large PTE? */ \
++ if (PM_PTE_LEVEL(pt[i]) == 0 || \
++ PM_PTE_LEVEL(pt[i]) == 7) \
++ continue; \
++ \
+ p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \
+ FN(p); \
+ } \
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 25f7419..62c3fb9 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -765,10 +765,11 @@ static int genphy_config_advert(struct phy_device *phydev)
+ if (phydev->supported & (SUPPORTED_1000baseT_Half |
+ SUPPORTED_1000baseT_Full)) {
+ adv |= ethtool_adv_to_mii_ctrl1000_t(advertise);
+- if (adv != oldadv)
+- changed = 1;
+ }
+
++ if (adv != oldadv)
++ changed = 1;
++
+ err = phy_write(phydev, MII_CTRL1000, adv);
+ if (err < 0)
+ return err;
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 1d7e8a3..aa24f7d 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2905,17 +2905,6 @@ restart:
+ vfsmnt = &mnt->mnt;
+ continue;
+ }
+- /*
+- * Filesystems needing to implement special "root names"
+- * should do so with ->d_dname()
+- */
+- if (IS_ROOT(dentry) &&
+- (dentry->d_name.len != 1 ||
+- dentry->d_name.name[0] != '/')) {
+- WARN(1, "Root dentry has weird name <%.*s>\n",
+- (int) dentry->d_name.len,
+- dentry->d_name.name);
+- }
+ if (!error)
+ error = is_mounted(vfsmnt) ? 1 : 2;
+ break;
+diff --git a/fs/inode.c b/fs/inode.c
+index e846a32..644875b 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1631,8 +1631,8 @@ int file_remove_suid(struct file *file)
+ error = security_inode_killpriv(dentry);
+ if (!error && killsuid)
+ error = __remove_suid(dentry, killsuid);
+- if (!error && (inode->i_sb->s_flags & MS_NOSEC))
+- inode->i_flags |= S_NOSEC;
++ if (!error)
++ inode_has_no_xattr(inode);
+
+ return error;
+ }
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 2faa7ea..fc99d18 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3031,11 +3031,15 @@ bool fs_fully_visible(struct file_system_type *type)
+ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
+ continue;
+
+- /* This mount is not fully visible if there are any child mounts
+- * that cover anything except for empty directories.
++ /* This mount is not fully visible if there are any
++ * locked child mounts that cover anything except for
++ * empty directories.
+ */
+ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
+ struct inode *inode = child->mnt_mountpoint->d_inode;
++ /* Only worry about locked mounts */
++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED))
++ continue;
+ if (!S_ISDIR(inode->i_mode))
+ goto next;
+ if (inode->i_nlink > 2)
+diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h
+index 6d9aedd..327b155 100644
+--- a/include/kvm/arm_arch_timer.h
++++ b/include/kvm/arm_arch_timer.h
+@@ -60,7 +60,8 @@ struct arch_timer_cpu {
+
+ #ifdef CONFIG_KVM_ARM_TIMER
+ int kvm_timer_hyp_init(void);
+-int kvm_timer_init(struct kvm *kvm);
++void kvm_timer_enable(struct kvm *kvm);
++void kvm_timer_init(struct kvm *kvm);
+ void kvm_timer_vcpu_reset(struct kvm_vcpu *vcpu,
+ const struct kvm_irq_level *irq);
+ void kvm_timer_vcpu_init(struct kvm_vcpu *vcpu);
+@@ -73,11 +74,8 @@ static inline int kvm_timer_hyp_init(void)
+ return 0;
+ };
+
+-static inline int kvm_timer_init(struct kvm *kvm)
+-{
+- return 0;
+-}
+-
++static inline void kvm_timer_enable(struct kvm *kvm) {}
++static inline void kvm_timer_init(struct kvm *kvm) {}
+ static inline void kvm_timer_vcpu_reset(struct kvm_vcpu *vcpu,
+ const struct kvm_irq_level *irq) {}
+ static inline void kvm_timer_vcpu_init(struct kvm_vcpu *vcpu) {}
+diff --git a/include/net/netns/sctp.h b/include/net/netns/sctp.h
+index 3573a81..8ba379f 100644
+--- a/include/net/netns/sctp.h
++++ b/include/net/netns/sctp.h
+@@ -31,6 +31,7 @@ struct netns_sctp {
+ struct list_head addr_waitq;
+ struct timer_list addr_wq_timer;
+ struct list_head auto_asconf_splist;
++ /* Lock that protects both addr_waitq and auto_asconf_splist */
+ spinlock_t addr_wq_lock;
+
+ /* Lock that protects the local_addr_list writers */
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 0dfcc92..2c2d388 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -219,6 +219,10 @@ struct sctp_sock {
+ atomic_t pd_mode;
+ /* Receive to here while partial delivery is in effect. */
+ struct sk_buff_head pd_lobby;
++
++ /* These must be the last fields, as they will skipped on copies,
++ * like on accept and peeloff operations
++ */
+ struct list_head auto_asconf_list;
+ int do_auto_asconf;
+ };
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index a9a4a1b..8d423bc 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -247,9 +247,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
+- spin_lock_bh(&br->lock);
+ br_stp_set_bridge_priority(br, args[1]);
+- spin_unlock_bh(&br->lock);
+ return 0;
+
+ case BRCTL_SET_PORT_PRIORITY:
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index 11a2e6c..7bbc8fe 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1086,6 +1086,9 @@ static void br_multicast_add_router(struct net_bridge *br,
+ struct net_bridge_port *p;
+ struct hlist_node *slot = NULL;
+
++ if (!hlist_unhashed(&port->rlist))
++ return;
++
+ hlist_for_each_entry(p, &br->router_list, rlist) {
+ if ((unsigned long) port >= (unsigned long) p)
+ break;
+@@ -1113,12 +1116,8 @@ static void br_multicast_mark_router(struct net_bridge *br,
+ if (port->multicast_router != 1)
+ return;
+
+- if (!hlist_unhashed(&port->rlist))
+- goto timer;
+-
+ br_multicast_add_router(br, port);
+
+-timer:
+ mod_timer(&port->multicast_router_timer,
+ now + br->multicast_querier_interval);
+ }
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index 189ba1e..9a0005a 100644
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+ return true;
+ }
+
+-/* called under bridge lock */
++/* Acquires and releases bridge lock */
+ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
+ {
+ struct net_bridge_port *p;
+ int wasroot;
+
++ spin_lock_bh(&br->lock);
+ wasroot = br_is_root_bridge(br);
+
+ list_for_each_entry(p, &br->port_list, list) {
+@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
+ br_port_state_selection(br);
+ if (br_is_root_bridge(br) && !wasroot)
+ br_become_root_bridge(br);
++ spin_unlock_bh(&br->lock);
+ }
+
+ /* called under bridge lock */
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 7d95f69..0f062c6 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -976,6 +976,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
+ rc = 0;
+ if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
+ goto out_unlock_bh;
++ if (neigh->dead)
++ goto out_dead;
+
+ if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
+ if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
+@@ -1032,6 +1034,13 @@ out_unlock_bh:
+ write_unlock(&neigh->lock);
+ local_bh_enable();
+ return rc;
++
++out_dead:
++ if (neigh->nud_state & NUD_STALE)
++ goto out_unlock_bh;
++ write_unlock_bh(&neigh->lock);
++ kfree_skb(skb);
++ return 1;
+ }
+ EXPORT_SYMBOL(__neigh_event_send);
+
+@@ -1095,6 +1104,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
+ if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
+ (old & (NUD_NOARP | NUD_PERMANENT)))
+ goto out;
++ if (neigh->dead)
++ goto out;
+
+ if (!(new & NUD_VALID)) {
+ neigh_del_timer(neigh);
+@@ -1244,6 +1255,8 @@ EXPORT_SYMBOL(neigh_update);
+ */
+ void __neigh_set_probe_once(struct neighbour *neigh)
+ {
++ if (neigh->dead)
++ return;
+ neigh->updated = jiffies;
+ if (!(neigh->nud_state & NUD_FAILED))
+ return;
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 69ec61a..8207f8d 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -368,9 +368,11 @@ refill:
+ for (order = NETDEV_FRAG_PAGE_MAX_ORDER; ;) {
+ gfp_t gfp = gfp_mask;
+
+- if (order)
++ if (order) {
+ gfp |= __GFP_COMP | __GFP_NOWARN |
+ __GFP_NOMEMALLOC;
++ gfp &= ~__GFP_WAIT;
++ }
+ nc->frag.page = alloc_pages(gfp, order);
+ if (likely(nc->frag.page))
+ break;
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 650dd58..8ebfa52 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1914,8 +1914,10 @@ bool skb_page_frag_refill(unsigned int sz, struct page_frag *pfrag, gfp_t prio)
+ do {
+ gfp_t gfp = prio;
+
+- if (order)
++ if (order) {
+ gfp |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY;
++ gfp &= ~__GFP_WAIT;
++ }
+ pfrag->page = alloc_pages(gfp, order);
+ if (likely(pfrag->page)) {
+ pfrag->offset = 0;
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 07bd8ed..951fe55 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -228,6 +228,8 @@ int inet_listen(struct socket *sock, int backlog)
+ err = 0;
+ if (err)
+ goto out;
++
++ tcp_fastopen_init_key_once(true);
+ }
+ err = inet_csk_listen_start(sk, backlog);
+ if (err)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 29d240b..dc45221 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2684,10 +2684,13 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+
+ case TCP_FASTOPEN:
+ if (val >= 0 && ((1 << sk->sk_state) & (TCPF_CLOSE |
+- TCPF_LISTEN)))
++ TCPF_LISTEN))) {
++ tcp_fastopen_init_key_once(true);
++
+ err = fastopen_init_queue(sk, val);
+- else
++ } else {
+ err = -EINVAL;
++ }
+ break;
+ case TCP_TIMESTAMP:
+ if (!tp->repair)
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index f195d93..ee6518d 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -84,8 +84,6 @@ void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,
+ __be32 path[4] = { src, dst, 0, 0 };
+ struct tcp_fastopen_context *ctx;
+
+- tcp_fastopen_init_key_once(true);
+-
+ rcu_read_lock();
+ ctx = rcu_dereference(tcp_fastopen_ctx);
+ if (ctx) {
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 48b1817..84a60b8 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1264,16 +1264,6 @@ static void packet_sock_destruct(struct sock *sk)
+ sk_refcnt_debug_dec(sk);
+ }
+
+-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
+-{
+- int x = atomic_read(&f->rr_cur) + 1;
+-
+- if (x >= num)
+- x = 0;
+-
+- return x;
+-}
+-
+ static unsigned int fanout_demux_hash(struct packet_fanout *f,
+ struct sk_buff *skb,
+ unsigned int num)
+@@ -1285,13 +1275,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
+ struct sk_buff *skb,
+ unsigned int num)
+ {
+- int cur, old;
++ unsigned int val = atomic_inc_return(&f->rr_cur);
+
+- cur = atomic_read(&f->rr_cur);
+- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
+- fanout_rr_next(f, num))) != cur)
+- cur = old;
+- return cur;
++ return val % num;
+ }
+
+ static unsigned int fanout_demux_cpu(struct packet_fanout *f,
+@@ -1345,7 +1331,7 @@ static int packet_rcv_fanout(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *pt, struct net_device *orig_dev)
+ {
+ struct packet_fanout *f = pt->af_packet_priv;
+- unsigned int num = f->num_members;
++ unsigned int num = ACCESS_ONCE(f->num_members);
+ struct packet_sock *po;
+ unsigned int idx;
+
+diff --git a/net/sctp/output.c b/net/sctp/output.c
+index 740ca5f..e39e6d5 100644
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -599,7 +599,9 @@ out:
+ return err;
+ no_route:
+ kfree_skb(nskb);
+- IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES);
++
++ if (asoc)
++ IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES);
+
+ /* FIXME: Returning the 'err' will effect all the associations
+ * associated with a socket, although only one of the paths of the
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 604a6ac..f940fdc 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1532,8 +1532,10 @@ static void sctp_close(struct sock *sk, long timeout)
+
+ /* Supposedly, no process has access to the socket, but
+ * the net layers still may.
++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
++ * held and that should be grabbed before socket lock.
+ */
+- local_bh_disable();
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ bh_lock_sock(sk);
+
+ /* Hold the sock, since sk_common_release() will put sock_put()
+@@ -1543,7 +1545,7 @@ static void sctp_close(struct sock *sk, long timeout)
+ sk_common_release(sk);
+
+ bh_unlock_sock(sk);
+- local_bh_enable();
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+
+ sock_put(sk);
+
+@@ -3511,6 +3513,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
+ if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
+ return 0;
+
++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ if (val == 0 && sp->do_auto_asconf) {
+ list_del(&sp->auto_asconf_list);
+ sp->do_auto_asconf = 0;
+@@ -3519,6 +3522,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
+ &sock_net(sk)->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+ }
++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ return 0;
+ }
+
+@@ -4009,18 +4013,28 @@ static int sctp_init_sock(struct sock *sk)
+ local_bh_disable();
+ percpu_counter_inc(&sctp_sockets_allocated);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
++
++ /* Nothing can fail after this block, otherwise
++ * sctp_destroy_sock() will be called without addr_wq_lock held
++ */
+ if (net->sctp.default_auto_asconf) {
++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list,
+ &net->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+- } else
++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
++ } else {
+ sp->do_auto_asconf = 0;
++ }
++
+ local_bh_enable();
+
+ return 0;
+ }
+
+-/* Cleanup any SCTP per socket resources. */
++/* Cleanup any SCTP per socket resources. Must be called with
++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
++ */
+ static void sctp_destroy_sock(struct sock *sk)
+ {
+ struct sctp_sock *sp;
+@@ -6973,6 +6987,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
+ newinet->mc_list = NULL;
+ }
+
++static inline void sctp_copy_descendant(struct sock *sk_to,
++ const struct sock *sk_from)
++{
++ int ancestor_size = sizeof(struct inet_sock) +
++ sizeof(struct sctp_sock) -
++ offsetof(struct sctp_sock, auto_asconf_list);
++
++ if (sk_from->sk_family == PF_INET6)
++ ancestor_size += sizeof(struct ipv6_pinfo);
++
++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
++}
++
+ /* Populate the fields of the newsk from the oldsk and migrate the assoc
+ * and its messages to the newsk.
+ */
+@@ -6987,7 +7014,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
+ struct sk_buff *skb, *tmp;
+ struct sctp_ulpevent *event;
+ struct sctp_bind_hashbucket *head;
+- struct list_head tmplist;
+
+ /* Migrate socket buffer sizes and all the socket level options to the
+ * new socket.
+@@ -6995,12 +7021,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
+ newsk->sk_sndbuf = oldsk->sk_sndbuf;
+ newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
+ /* Brute force copy old sctp opt. */
+- if (oldsp->do_auto_asconf) {
+- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
+- inet_sk_copy_descendant(newsk, oldsk);
+- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
+- } else
+- inet_sk_copy_descendant(newsk, oldsk);
++ sctp_copy_descendant(newsk, oldsk);
+
+ /* Restore the ep value that was overwritten with the above structure
+ * copy.
+diff --git a/virt/kvm/arm/arch_timer.c b/virt/kvm/arm/arch_timer.c
+index 5081e80..c6fe405 100644
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -61,12 +61,14 @@ static void timer_disarm(struct arch_timer_cpu *timer)
+
+ static void kvm_timer_inject_irq(struct kvm_vcpu *vcpu)
+ {
++ int ret;
+ struct arch_timer_cpu *timer = &vcpu->arch.timer_cpu;
+
+ timer->cntv_ctl |= ARCH_TIMER_CTRL_IT_MASK;
+- kvm_vgic_inject_irq(vcpu->kvm, vcpu->vcpu_id,
+- timer->irq->irq,
+- timer->irq->level);
++ ret = kvm_vgic_inject_irq(vcpu->kvm, vcpu->vcpu_id,
++ timer->irq->irq,
++ timer->irq->level);
++ WARN_ON(ret);
+ }
+
+ static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id)
+@@ -307,12 +309,24 @@ void kvm_timer_vcpu_terminate(struct kvm_vcpu *vcpu)
+ timer_disarm(timer);
+ }
+
+-int kvm_timer_init(struct kvm *kvm)
++void kvm_timer_enable(struct kvm *kvm)
+ {
+- if (timecounter && wqueue) {
+- kvm->arch.timer.cntvoff = kvm_phys_timer_read();
++ if (kvm->arch.timer.enabled)
++ return;
++
++ /*
++ * There is a potential race here between VCPUs starting for the first
++ * time, which may be enabling the timer multiple times. That doesn't
++ * hurt though, because we're just setting a variable to the same
++ * variable that it already was. The important thing is that all
++ * VCPUs have the enabled variable set, before entering the guest, if
++ * the arch timers are enabled.
++ */
++ if (timecounter && wqueue)
+ kvm->arch.timer.enabled = 1;
+- }
++}
+
+- return 0;
++void kvm_timer_init(struct kvm *kvm)
++{
++ kvm->arch.timer.cntvoff = kvm_phys_timer_read();
+ }
+diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
+index c324a52..152ec76 100644
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1042,6 +1042,7 @@ static bool vgic_queue_irq(struct kvm_vcpu *vcpu, u8 sgi_source_id, int irq)
+ lr, irq, vgic_cpu->vgic_lr[lr]);
+ BUG_ON(!test_bit(lr, vgic_cpu->lr_used));
+ vgic_cpu->vgic_lr[lr] |= GICH_LR_PENDING_BIT;
++ __clear_bit(lr, (unsigned long *)vgic_cpu->vgic_elrsr);
+ return true;
+ }
+
+@@ -1055,6 +1056,7 @@ static bool vgic_queue_irq(struct kvm_vcpu *vcpu, u8 sgi_source_id, int irq)
+ vgic_cpu->vgic_lr[lr] = MK_LR_PEND(sgi_source_id, irq);
+ vgic_cpu->vgic_irq_lr_map[irq] = lr;
+ set_bit(lr, vgic_cpu->lr_used);
++ __clear_bit(lr, (unsigned long *)vgic_cpu->vgic_elrsr);
+
+ if (!vgic_irq_is_edge(vcpu, irq))
+ vgic_cpu->vgic_lr[lr] |= GICH_LR_EOI;
+@@ -1209,6 +1211,14 @@ static bool vgic_process_maintenance(struct kvm_vcpu *vcpu)
+ if (vgic_cpu->vgic_misr & GICH_MISR_U)
+ vgic_cpu->vgic_hcr &= ~GICH_HCR_UIE;
+
++ /*
++ * In the next iterations of the vcpu loop, if we sync the vgic state
++ * after flushing it, but before entering the guest (this happens for
++ * pending signals and vmid rollovers), then make sure we don't pick
++ * up any old maintenance interrupts here.
++ */
++ memset(vgic_cpu->vgic_eisr, 0, sizeof(vgic_cpu->vgic_eisr[0]) * 2);
++
+ return level_pending;
+ }
+
diff --git a/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch b/3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch
index f646996..8faa105 100644
--- a/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch
+++ b/3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch
@@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index f9041e6..46bcf1d 100644
+index 25393e8..65e3b07 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3307,7 +3307,7 @@ index 7bcee5c..e2f3249 100644
__data_loc = .;
#endif
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index 2e74a61..14d0a66 100644
+index f6a52a2..f662d45 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3346,7 +3346,7 @@ index 2e74a61..14d0a66 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
-@@ -1013,7 +1013,7 @@ static void check_kvm_target_cpu(void *ret)
+@@ -1022,7 +1022,7 @@ static void check_kvm_target_cpu(void *ret)
/**
* Initialize Hyp-mode and memory mappings on all CPUs.
*/
@@ -12396,7 +12396,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 5dab54a..a20467d 100644
+index 96e743a..7f93c3a 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -22,6 +22,7 @@ config X86_64
@@ -17014,7 +17014,7 @@ index 9454c16..e4100e3 100644
#define flush_insn_slot(p) do { } while (0)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index e9dc029..468a823 100644
+index ac03bd7..5ce5402 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -55,6 +55,7 @@
@@ -28852,7 +28852,7 @@ index cf1eeea..cdb8f22 100644
II(Prot | Priv | SrcMem16, em_ltr, ltr),
N, N, N, N,
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 453e5fb..214168f 100644
+index 6456734..b845039 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -55,7 +55,7 @@
@@ -31271,6 +31271,19 @@ index a63efd6..8149fbe 100644
+ pax_force_retaddr
ret
CFI_ENDPROC
+diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
+index ddf9ecb..e342586 100644
+--- a/arch/x86/lib/usercopy.c
++++ b/arch/x86/lib/usercopy.c
+@@ -20,7 +20,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
+ unsigned long ret;
+
+ if (__range_not_ok(from, n, TASK_SIZE))
+- return 0;
++ return n;
+
+ /*
+ * Even though this function is typically called from NMI/IRQ context
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index e2f5e21..4b22130 100644
--- a/arch/x86/lib/usercopy_32.c
@@ -40354,7 +40367,7 @@ index 18d4091..434be15 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 533a509..4e1860b 100644
+index fbc693b..aebb914 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -138,10 +138,10 @@ struct pstate_funcs {
@@ -44614,7 +44627,7 @@ index 92e2243..8fd9092 100644
.ident = "Shift",
.matches = {
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
-index 9cbef59..26db8e4 100644
+index 9359740..9c6ef98 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -878,11 +878,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
@@ -48855,7 +48868,7 @@ index d2bb12b..d6c921e 100644
.priv_size = sizeof(struct nlmon),
.setup = nlmon_setup,
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
-index 25f7419..62ed80a7 100644
+index 62c3fb9..c072533 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -216,7 +216,7 @@ EXPORT_SYMBOL(phy_device_create);
@@ -68108,7 +68121,7 @@ index a93f7e6..d58bcbe 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index 1d7e8a3..f87d4b8 100644
+index aa24f7d..befb5fd 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head)
@@ -68263,7 +68276,7 @@ index 1d7e8a3..f87d4b8 100644
if (!spin_trylock(&inode->i_lock)) {
spin_unlock(&dentry->d_lock);
cpu_relax();
-@@ -3319,7 +3322,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3308,7 +3311,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
dentry->d_flags |= DCACHE_GENOCIDE;
@@ -68272,7 +68285,7 @@ index 1d7e8a3..f87d4b8 100644
}
}
return D_WALK_CONTINUE;
-@@ -3435,7 +3438,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3424,7 +3427,8 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -71378,7 +71391,7 @@ index a4a8ed5..9e017c0 100644
static int can_do_hugetlb_shm(void)
{
diff --git a/fs/inode.c b/fs/inode.c
-index e846a32..bb06bd0 100644
+index 644875b..eb40077 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -839,16 +839,20 @@ unsigned int get_next_ino(void)
@@ -72302,7 +72315,7 @@ index ccb8000..ac58c5a 100644
out:
return len;
diff --git a/fs/namespace.c b/fs/namespace.c
-index 2faa7ea..66bad91 100644
+index fc99d18..917cffe 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1373,6 +1373,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -72420,7 +72433,7 @@ index 2faa7ea..66bad91 100644
get_fs_root(current->fs, &root);
old_mp = lock_mount(&old);
error = PTR_ERR(old_mp);
-@@ -3082,7 +3106,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
+@@ -3086,7 +3110,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
return -EPERM;
@@ -95570,10 +95583,10 @@ index 72a31db..aaa63d9 100644
/* Get the size of a DATA chunk payload. */
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
-index 0dfcc92..7967849 100644
+index 2c2d388..491dadc 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
-@@ -507,7 +507,7 @@ struct sctp_pf {
+@@ -511,7 +511,7 @@ struct sctp_pf {
struct sctp_association *asoc);
void (*addr_v4map) (struct sctp_sock *, union sctp_addr *);
struct sctp_af *af;
@@ -97202,9 +97215,18 @@ index b45b2da..159e8c4 100644
s.version = AUDIT_VERSION_LATEST;
s.backlog_wait_time = audit_backlog_wait_time;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 619b58d..e58d957 100644
+index 619b58d..7ec5814 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
+@@ -1035,7 +1035,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
+ * for strings that are too long, we should not have created
+ * any.
+ */
+- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
++ if (unlikely(len > MAX_ARG_STRLEN - 1)) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ return -1;
@@ -1954,7 +1954,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
}
@@ -110138,6 +110160,26 @@ index 19311aa..339d794 100644
err = stp_proto_register(&br_stp_proto);
if (err < 0) {
pr_err("bridge: can't register sap for STP\n");
+diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
+index b7b1914..13421bf 100644
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -370,6 +370,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br,
+ if (!p || p->br != br || p->state == BR_STATE_DISABLED)
+ return -EINVAL;
+
++ memset(&ip, 0, sizeof(ip));
+ ip.proto = entry->addr.proto;
+ if (ip.proto == htons(ETH_P_IP))
+ ip.u.ip4 = entry->addr.u.ip4;
+@@ -416,6 +417,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
+ if (!netif_running(br->dev) || br->multicast_disabled)
+ return -EINVAL;
+
++ memset(&ip, 0, sizeof(ip));
+ ip.proto = entry->addr.proto;
+ if (ip.proto == htons(ETH_P_IP)) {
+ if (timer_pending(&br->ip4_querier.timer))
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index e8844d9..df3afa0 100644
--- a/net/bridge/br_netlink.c
@@ -110735,51 +110777,10 @@ index 26dc006..89e838e 100644
m->msg_iov = iov;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
-index 7d95f69..1d316b1 100644
+index 0f062c6..1d316b1 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
-@@ -976,6 +976,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
- rc = 0;
- if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
- goto out_unlock_bh;
-+ if (neigh->dead)
-+ goto out_dead;
-
- if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
- if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
-@@ -1032,6 +1034,13 @@ out_unlock_bh:
- write_unlock(&neigh->lock);
- local_bh_enable();
- return rc;
-+
-+out_dead:
-+ if (neigh->nud_state & NUD_STALE)
-+ goto out_unlock_bh;
-+ write_unlock_bh(&neigh->lock);
-+ kfree_skb(skb);
-+ return 1;
- }
- EXPORT_SYMBOL(__neigh_event_send);
-
-@@ -1095,6 +1104,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
- if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
- (old & (NUD_NOARP | NUD_PERMANENT)))
- goto out;
-+ if (neigh->dead)
-+ goto out;
-
- if (!(new & NUD_VALID)) {
- neigh_del_timer(neigh);
-@@ -1244,6 +1255,8 @@ EXPORT_SYMBOL(neigh_update);
- */
- void __neigh_set_probe_once(struct neighbour *neigh)
- {
-+ if (neigh->dead)
-+ return;
- neigh->updated = jiffies;
- if (!(neigh->nud_state & NUD_FAILED))
- return;
-@@ -2824,7 +2837,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
+@@ -2837,7 +2837,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
int size, ret;
@@ -110788,7 +110789,7 @@ index 7d95f69..1d316b1 100644
tmp.extra1 = &zero;
tmp.extra2 = &unres_qlen_max;
-@@ -2886,7 +2899,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
+@@ -2899,7 +2899,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
void __user *buffer,
size_t *lenp, loff_t *ppos)
{
@@ -110797,7 +110798,7 @@ index 7d95f69..1d316b1 100644
int ret;
tmp.extra1 = &zero;
-@@ -3058,11 +3071,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
+@@ -3071,11 +3071,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
memset(&t->neigh_vars[NEIGH_VAR_GC_INTERVAL], 0,
sizeof(t->neigh_vars[NEIGH_VAR_GC_INTERVAL]));
} else {
@@ -111051,10 +111052,10 @@ index b442e7e..6f5b5a2 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 69ec61a..61843ef 100644
+index 8207f8d..2cd4778 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
-@@ -378,18 +378,29 @@ refill:
+@@ -380,18 +380,29 @@ refill:
goto end;
}
nc->frag.size = PAGE_SIZE << order;
@@ -111091,7 +111092,7 @@ index 69ec61a..61843ef 100644
}
data = page_address(nc->frag.page) + nc->frag.offset;
-@@ -2022,7 +2033,7 @@ EXPORT_SYMBOL(__skb_checksum);
+@@ -2024,7 +2035,7 @@ EXPORT_SYMBOL(__skb_checksum);
__wsum skb_checksum(const struct sk_buff *skb, int offset,
int len, __wsum csum)
{
@@ -111100,7 +111101,7 @@ index 69ec61a..61843ef 100644
.update = csum_partial_ext,
.combine = csum_block_add_ext,
};
-@@ -3243,13 +3254,15 @@ void __init skb_init(void)
+@@ -3245,13 +3256,15 @@ void __init skb_init(void)
skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
sizeof(struct sk_buff),
0,
@@ -111119,7 +111120,7 @@ index 69ec61a..61843ef 100644
}
diff --git a/net/core/sock.c b/net/core/sock.c
-index 650dd58..25162a5 100644
+index 8ebfa52..2e53485 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -442,7 +442,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -111215,7 +111216,7 @@ index 650dd58..25162a5 100644
kfree(mem);
atomic_sub(size, &sk->sk_omem_alloc);
}
-@@ -2394,7 +2396,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+@@ -2396,7 +2398,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
*/
smp_wmb();
atomic_set(&sk->sk_refcnt, 1);
@@ -111224,7 +111225,7 @@ index 650dd58..25162a5 100644
}
EXPORT_SYMBOL(sock_init_data);
-@@ -2522,6 +2524,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
+@@ -2524,6 +2526,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
int level, int type)
{
@@ -111232,7 +111233,7 @@ index 650dd58..25162a5 100644
struct sock_exterr_skb *serr;
struct sk_buff *skb, *skb2;
int copied, err;
-@@ -2543,7 +2546,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
+@@ -2545,7 +2548,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
sock_recv_timestamp(msg, sk, skb);
serr = SKB_EXT_ERR(skb);
@@ -111464,10 +111465,10 @@ index 8edfea5..a17998f 100644
.priv_size = sizeof(struct lowpan_dev_info),
.setup = lowpan_setup,
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index 07bd8ed..c574801 100644
+index 951fe55..d7c1ddd 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
-@@ -1706,13 +1706,9 @@ static int __init inet_init(void)
+@@ -1708,13 +1708,9 @@ static int __init inet_init(void)
BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb));
@@ -111482,7 +111483,7 @@ index 07bd8ed..c574801 100644
rc = proto_register(&udp_prot, 1);
if (rc)
-@@ -1819,8 +1815,6 @@ out_unregister_udp_proto:
+@@ -1821,8 +1817,6 @@ out_unregister_udp_proto:
proto_unregister(&udp_prot);
out_unregister_tcp_proto:
proto_unregister(&tcp_prot);
@@ -114879,43 +114880,10 @@ index 270b77d..0a9d0981 100644
/* Queue all of the segments. */
skb = segs;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 48b1817..3b2192f 100644
+index 84a60b8..3c94b0f 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1264,16 +1264,6 @@ static void packet_sock_destruct(struct sock *sk)
- sk_refcnt_debug_dec(sk);
- }
-
--static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
--{
-- int x = atomic_read(&f->rr_cur) + 1;
--
-- if (x >= num)
-- x = 0;
--
-- return x;
--}
--
- static unsigned int fanout_demux_hash(struct packet_fanout *f,
- struct sk_buff *skb,
- unsigned int num)
-@@ -1285,13 +1275,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
- struct sk_buff *skb,
- unsigned int num)
- {
-- int cur, old;
-+ unsigned int val = atomic_inc_return(&f->rr_cur);
-
-- cur = atomic_read(&f->rr_cur);
-- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
-- fanout_rr_next(f, num))) != cur)
-- cur = old;
-- return cur;
-+ return val % num;
- }
-
- static unsigned int fanout_demux_cpu(struct packet_fanout *f,
-@@ -1846,7 +1832,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1832,7 +1832,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
@@ -114924,7 +114892,7 @@ index 48b1817..3b2192f 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1855,7 +1841,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1841,7 +1841,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_drops++;
@@ -114933,7 +114901,7 @@ index 48b1817..3b2192f 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3462,7 +3448,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3448,7 +3448,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -114942,7 +114910,7 @@ index 48b1817..3b2192f 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3508,7 +3494,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3494,7 +3494,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -115755,10 +115723,10 @@ index fef2acd..c705c4f 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 604a6ac..990354d 100644
+index f940fdc..45a387b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -1605,6 +1605,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+@@ -1607,6 +1607,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
sctp_scope_t scope;
long timeo;
__u16 sinfo_flags = 0;
@@ -115766,7 +115734,7 @@ index 604a6ac..990354d 100644
struct sctp_datamsg *datamsg;
int msg_flags = msg->msg_flags;
-@@ -1924,6 +1925,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+@@ -1926,6 +1927,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
if (err < 0)
goto out_free;
@@ -115774,7 +115742,7 @@ index 604a6ac..990354d 100644
pr_debug("%s: we associated primitively\n", __func__);
}
-@@ -1961,6 +1963,11 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+@@ -1963,6 +1965,11 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
sctp_datamsg_put(datamsg);
err = msg_len;
@@ -115786,7 +115754,7 @@ index 604a6ac..990354d 100644
/* If we are already past ASSOCIATE, the lower
* layers are responsible for association cleanup.
*/
-@@ -2175,11 +2182,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
+@@ -2177,11 +2184,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
{
struct sctp_association *asoc;
struct sctp_ulpevent *event;
@@ -115801,7 +115769,7 @@ index 604a6ac..990354d 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4259,13 +4268,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4273,13 +4282,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -115819,7 +115787,7 @@ index 604a6ac..990354d 100644
return -EFAULT;
return 0;
}
-@@ -4283,6 +4295,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4297,6 +4309,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -115828,7 +115796,7 @@ index 604a6ac..990354d 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4291,7 +4305,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4305,7 +4319,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -115838,7 +115806,7 @@ index 604a6ac..990354d 100644
return -EFAULT;
return 0;
}
-@@ -4666,12 +4681,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4680,12 +4695,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -115855,7 +115823,7 @@ index 604a6ac..990354d 100644
return -EFAULT;
return 0;
}
-@@ -4712,6 +4730,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4726,6 +4744,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -116536,6 +116504,18 @@ index e7000be..e3b0ba7 100644
uid_eq(root_uid, current_euid())) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 0ed0eaa..830e40b 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1681,6 +1681,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags)
+ res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1);
+ if (res)
+ goto exit;
++ security_sk_clone(sock->sk, new_sock->sk);
+
+ new_sk = new_sock->sk;
+ new_tsock = tipc_sk(new_sk);
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 6424372..afd36e9 100644
--- a/net/tipc/subscr.c
@@ -119028,7 +119008,7 @@ index fc3e662..7844c60 100644
lock = &avc_cache.slots_lock[hvalue];
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 47b5c69..4fc9b7f 100644
+index 47b5c69..2434bd2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,8 +95,6 @@
@@ -119040,7 +119020,17 @@ index 47b5c69..4fc9b7f 100644
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
-@@ -5759,7 +5757,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
+@@ -3192,7 +3190,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
+ int rc = 0;
+
+ if (default_noexec &&
+- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
++ (!shared && (prot & PROT_WRITE)))) {
+ /*
+ * We are making executable an anonymous mapping or a
+ * private file mapping that will also be writable.
+@@ -5759,7 +5758,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -119049,7 +119039,7 @@ index 47b5c69..4fc9b7f 100644
.name = "selinux",
.ptrace_access_check = selinux_ptrace_access_check,
-@@ -6112,6 +6110,9 @@ static void selinux_nf_ip_exit(void)
+@@ -6112,6 +6111,9 @@ static void selinux_nf_ip_exit(void)
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
@@ -119059,7 +119049,7 @@ index 47b5c69..4fc9b7f 100644
int selinux_disable(void)
{
if (ss_initialized) {
-@@ -6129,7 +6130,9 @@ int selinux_disable(void)
+@@ -6129,7 +6131,9 @@ int selinux_disable(void)
selinux_disabled = 1;
selinux_enabled = 0;
diff --git a/3.14.47/4425_grsec_remove_EI_PAX.patch b/3.14.48/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/3.14.47/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.48/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.47/4427_force_XATTR_PAX_tmpfs.patch b/3.14.48/4427_force_XATTR_PAX_tmpfs.patch
index 4c236cc..4c236cc 100644
--- a/3.14.47/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.48/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.47/4430_grsec-remove-localversion-grsec.patch b/3.14.48/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.47/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.48/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.47/4435_grsec-mute-warnings.patch b/3.14.48/4435_grsec-mute-warnings.patch
index 2c2d463..2c2d463 100644
--- a/3.14.47/4435_grsec-mute-warnings.patch
+++ b/3.14.48/4435_grsec-mute-warnings.patch
diff --git a/3.14.47/4440_grsec-remove-protected-paths.patch b/3.14.48/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.47/4440_grsec-remove-protected-paths.patch
+++ b/3.14.48/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.47/4450_grsec-kconfig-default-gids.patch b/3.14.48/4450_grsec-kconfig-default-gids.patch
index b96defc..b96defc 100644
--- a/3.14.47/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.48/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.47/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.48/4465_selinux-avc_audit-log-curr_ip.patch
index bba906e..bba906e 100644
--- a/3.14.47/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.48/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.47/4470_disable-compat_vdso.patch b/3.14.48/4470_disable-compat_vdso.patch
index 3b3953b..3b3953b 100644
--- a/3.14.47/4470_disable-compat_vdso.patch
+++ b/3.14.48/4470_disable-compat_vdso.patch
diff --git a/3.14.47/4475_emutramp_default_on.patch b/3.14.48/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/3.14.47/4475_emutramp_default_on.patch
+++ b/3.14.48/4475_emutramp_default_on.patch
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index 6773701..0df9a58 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201507050830.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201507111207.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch
index 57ddd0b..d2caf34 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch
@@ -89437,7 +89437,7 @@ index e14bc74..bdf7f6c 100644
if (!ab)
return;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index d1d2843..08ff2b8 100644
+index d1d2843..4408c0d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
@@ -89448,6 +89448,15 @@ index d1d2843..08ff2b8 100644
#include "audit.h"
+@@ -1062,7 +1063,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
+ * for strings that are too long, we should not have created
+ * any.
+ */
+- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
++ if (unlikely(len > MAX_ARG_STRLEN - 1)) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ return -1;
@@ -1177,8 +1178,8 @@ static void audit_log_execve_info(struct audit_context *context,
struct audit_buffer **ab,
struct audit_aux_data_execve *axi)
@@ -114693,7 +114702,7 @@ index dca1c22..4fa4591 100644
lock = &avc_cache.slots_lock[hvalue];
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 0cd7097a..3af4da9 100644
+index 0cd7097a..56b85a0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,8 +95,6 @@
@@ -114729,7 +114738,17 @@ index 0cd7097a..3af4da9 100644
new_tsec->sid = old_tsec->sid;
if (new_tsec->sid == old_tsec->sid) {
-@@ -5572,7 +5578,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
+@@ -3049,7 +3055,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
+ int rc = 0;
+
+ if (default_noexec &&
+- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file->f_path.dentry->d_inode) ||
++ (!shared && (prot & PROT_WRITE)))) {
+ /*
+ * We are making executable an anonymous mapping or a
+ * private file mapping that will also be writable.
+@@ -5572,7 +5579,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -114738,7 +114757,7 @@ index 0cd7097a..3af4da9 100644
.name = "selinux",
.ptrace_access_check = selinux_ptrace_access_check,
-@@ -5918,6 +5924,9 @@ static void selinux_nf_ip_exit(void)
+@@ -5918,6 +5925,9 @@ static void selinux_nf_ip_exit(void)
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
@@ -114748,7 +114767,7 @@ index 0cd7097a..3af4da9 100644
int selinux_disable(void)
{
if (ss_initialized) {
-@@ -5935,7 +5944,9 @@ int selinux_disable(void)
+@@ -5935,7 +5945,9 @@ int selinux_disable(void)
selinux_disabled = 1;
selinux_enabled = 0;
diff --git a/3.14.47/0000_README b/4.0.8/0000_README
index b3b9e28..919b754 100644
--- a/3.14.47/0000_README
+++ b/4.0.8/0000_README
@@ -2,11 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1046_linux-3.14.47.patch
+Patch: 1007_linux-4.0.8.patch
From: http://www.kernel.org
-Desc: Linux 3.14.47
+Desc: Linux 4.0.8
-Patch: 4420_grsecurity-3.1-3.14.47-201507050832.patch
+Patch: 4420_grsecurity-3.1-4.0.8-201507111211.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.8/1007_linux-4.0.8.patch b/4.0.8/1007_linux-4.0.8.patch
new file mode 100644
index 0000000..609598e
--- /dev/null
+++ b/4.0.8/1007_linux-4.0.8.patch
@@ -0,0 +1,2139 @@
+diff --git a/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt b/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt
+index 750d577..f5a8ca2 100644
+--- a/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt
++++ b/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt
+@@ -1,7 +1,7 @@
+ * Marvell Armada 370 / Armada XP Ethernet Controller (NETA)
+
+ Required properties:
+-- compatible: should be "marvell,armada-370-neta".
++- compatible: "marvell,armada-370-neta" or "marvell,armada-xp-neta".
+ - reg: address and length of the register set for the device.
+ - interrupts: interrupt for the device
+ - phy: See ethernet.txt file in the same directory.
+diff --git a/Makefile b/Makefile
+index bd76a8e..0e315d6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 0
+-SUBLEVEL = 7
++SUBLEVEL = 8
+ EXTRAVERSION =
+ NAME = Hurr durr I'ma sheep
+
+diff --git a/arch/arm/boot/dts/armada-370-xp.dtsi b/arch/arm/boot/dts/armada-370-xp.dtsi
+index 8a322ad..a038c20 100644
+--- a/arch/arm/boot/dts/armada-370-xp.dtsi
++++ b/arch/arm/boot/dts/armada-370-xp.dtsi
+@@ -265,7 +265,6 @@
+ };
+
+ eth0: ethernet@70000 {
+- compatible = "marvell,armada-370-neta";
+ reg = <0x70000 0x4000>;
+ interrupts = <8>;
+ clocks = <&gateclk 4>;
+@@ -281,7 +280,6 @@
+ };
+
+ eth1: ethernet@74000 {
+- compatible = "marvell,armada-370-neta";
+ reg = <0x74000 0x4000>;
+ interrupts = <10>;
+ clocks = <&gateclk 3>;
+diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi
+index 27397f1..3773025 100644
+--- a/arch/arm/boot/dts/armada-370.dtsi
++++ b/arch/arm/boot/dts/armada-370.dtsi
+@@ -306,6 +306,14 @@
+ dmacap,memset;
+ };
+ };
++
++ ethernet@70000 {
++ compatible = "marvell,armada-370-neta";
++ };
++
++ ethernet@74000 {
++ compatible = "marvell,armada-370-neta";
++ };
+ };
+ };
+ };
+diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+index 4a7cbed..1676d30 100644
+--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi
++++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+@@ -319,7 +319,7 @@
+ };
+
+ eth3: ethernet@34000 {
+- compatible = "marvell,armada-370-neta";
++ compatible = "marvell,armada-xp-neta";
+ reg = <0x34000 0x4000>;
+ interrupts = <14>;
+ clocks = <&gateclk 1>;
+diff --git a/arch/arm/boot/dts/armada-xp-mv78460.dtsi b/arch/arm/boot/dts/armada-xp-mv78460.dtsi
+index 36ce63a..d41fe88 100644
+--- a/arch/arm/boot/dts/armada-xp-mv78460.dtsi
++++ b/arch/arm/boot/dts/armada-xp-mv78460.dtsi
+@@ -357,7 +357,7 @@
+ };
+
+ eth3: ethernet@34000 {
+- compatible = "marvell,armada-370-neta";
++ compatible = "marvell,armada-xp-neta";
+ reg = <0x34000 0x4000>;
+ interrupts = <14>;
+ clocks = <&gateclk 1>;
+diff --git a/arch/arm/boot/dts/armada-xp.dtsi b/arch/arm/boot/dts/armada-xp.dtsi
+index 8291723..9ce7d5f 100644
+--- a/arch/arm/boot/dts/armada-xp.dtsi
++++ b/arch/arm/boot/dts/armada-xp.dtsi
+@@ -175,7 +175,7 @@
+ };
+
+ eth2: ethernet@30000 {
+- compatible = "marvell,armada-370-neta";
++ compatible = "marvell,armada-xp-neta";
+ reg = <0x30000 0x4000>;
+ interrupts = <12>;
+ clocks = <&gateclk 2>;
+@@ -218,6 +218,14 @@
+ };
+ };
+
++ ethernet@70000 {
++ compatible = "marvell,armada-xp-neta";
++ };
++
++ ethernet@74000 {
++ compatible = "marvell,armada-xp-neta";
++ };
++
+ xor@f0900 {
+ compatible = "marvell,orion-xor";
+ reg = <0xF0900 0x100
+diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S
+index 79caf79..f7db3a5 100644
+--- a/arch/arm/kvm/interrupts.S
++++ b/arch/arm/kvm/interrupts.S
+@@ -170,13 +170,9 @@ __kvm_vcpu_return:
+ @ Don't trap coprocessor accesses for host kernel
+ set_hstr vmexit
+ set_hdcr vmexit
+- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore
+
+ #ifdef CONFIG_VFPv3
+- @ Save floating point registers we if let guest use them.
+- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
+- bne after_vfp_restore
+-
+ @ Switch VFP/NEON hardware state to the host's
+ add r7, vcpu, #VCPU_VFP_GUEST
+ store_vfp_state r7
+@@ -188,6 +184,8 @@ after_vfp_restore:
+ @ Restore FPEXC_EN which we clobbered on entry
+ pop {r2}
+ VFPFMXR FPEXC, r2
++#else
++after_vfp_restore:
+ #endif
+
+ @ Reset Hyp-role
+@@ -483,7 +481,7 @@ switch_to_guest_vfp:
+ push {r3-r7}
+
+ @ NEON/VFP used. Turn on VFP access.
+- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11))
+
+ @ Switch VFP/NEON hardware state to the guest's
+ add r7, r0, #VCPU_VFP_HOST
+diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S
+index 14d4883..f6f1481 100644
+--- a/arch/arm/kvm/interrupts_head.S
++++ b/arch/arm/kvm/interrupts_head.S
+@@ -599,8 +599,13 @@ ARM_BE8(rev r6, r6 )
+ .endm
+
+ /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return
+- * (hardware reset value is 0). Keep previous value in r2. */
+-.macro set_hcptr operation, mask
++ * (hardware reset value is 0). Keep previous value in r2.
++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if
++ * VFP wasn't already enabled (always executed on vmtrap).
++ * If a label is specified with vmexit, it is branched to if VFP wasn't
++ * enabled.
++ */
++.macro set_hcptr operation, mask, label = none
+ mrc p15, 4, r2, c1, c1, 2
+ ldr r3, =\mask
+ .if \operation == vmentry
+@@ -609,6 +614,17 @@ ARM_BE8(rev r6, r6 )
+ bic r3, r2, r3 @ Don't trap defined coproc-accesses
+ .endif
+ mcr p15, 4, r3, c1, c1, 2
++ .if \operation != vmentry
++ .if \operation == vmexit
++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
++ beq 1f
++ .endif
++ isb
++ .if \label != none
++ b \label
++ .endif
++1:
++ .endif
+ .endm
+
+ /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return
+diff --git a/arch/arm/kvm/psci.c b/arch/arm/kvm/psci.c
+index 02fa8ef..531e922 100644
+--- a/arch/arm/kvm/psci.c
++++ b/arch/arm/kvm/psci.c
+@@ -230,10 +230,6 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
+ case PSCI_0_2_FN64_AFFINITY_INFO:
+ val = kvm_psci_vcpu_affinity_info(vcpu);
+ break;
+- case PSCI_0_2_FN_MIGRATE:
+- case PSCI_0_2_FN64_MIGRATE:
+- val = PSCI_RET_NOT_SUPPORTED;
+- break;
+ case PSCI_0_2_FN_MIGRATE_INFO_TYPE:
+ /*
+ * Trusted OS is MP hence does not require migration
+@@ -242,10 +238,6 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
+ */
+ val = PSCI_0_2_TOS_MP;
+ break;
+- case PSCI_0_2_FN_MIGRATE_INFO_UP_CPU:
+- case PSCI_0_2_FN64_MIGRATE_INFO_UP_CPU:
+- val = PSCI_RET_NOT_SUPPORTED;
+- break;
+ case PSCI_0_2_FN_SYSTEM_OFF:
+ kvm_psci_system_off(vcpu);
+ /*
+@@ -271,7 +263,8 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
+ ret = 0;
+ break;
+ default:
+- return -EINVAL;
++ val = PSCI_RET_NOT_SUPPORTED;
++ break;
+ }
+
+ *vcpu_reg(vcpu, 0) = val;
+@@ -291,12 +284,9 @@ static int kvm_psci_0_1_call(struct kvm_vcpu *vcpu)
+ case KVM_PSCI_FN_CPU_ON:
+ val = kvm_psci_vcpu_on(vcpu);
+ break;
+- case KVM_PSCI_FN_CPU_SUSPEND:
+- case KVM_PSCI_FN_MIGRATE:
++ default:
+ val = PSCI_RET_NOT_SUPPORTED;
+ break;
+- default:
+- return -EINVAL;
+ }
+
+ *vcpu_reg(vcpu, 0) = val;
+diff --git a/arch/arm/mach-imx/clk-imx6q.c b/arch/arm/mach-imx/clk-imx6q.c
+index d04a430..3a3f88c 100644
+--- a/arch/arm/mach-imx/clk-imx6q.c
++++ b/arch/arm/mach-imx/clk-imx6q.c
+@@ -439,7 +439,7 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node)
+ clk[IMX6QDL_CLK_GPMI_IO] = imx_clk_gate2("gpmi_io", "enfc", base + 0x78, 28);
+ clk[IMX6QDL_CLK_GPMI_APB] = imx_clk_gate2("gpmi_apb", "usdhc3", base + 0x78, 30);
+ clk[IMX6QDL_CLK_ROM] = imx_clk_gate2("rom", "ahb", base + 0x7c, 0);
+- clk[IMX6QDL_CLK_SATA] = imx_clk_gate2("sata", "ipg", base + 0x7c, 4);
++ clk[IMX6QDL_CLK_SATA] = imx_clk_gate2("sata", "ahb", base + 0x7c, 4);
+ clk[IMX6QDL_CLK_SDMA] = imx_clk_gate2("sdma", "ahb", base + 0x7c, 6);
+ clk[IMX6QDL_CLK_SPBA] = imx_clk_gate2("spba", "ipg", base + 0x7c, 12);
+ clk[IMX6QDL_CLK_SPDIF] = imx_clk_gate2("spdif", "spdif_podf", base + 0x7c, 14);
+diff --git a/arch/arm/mach-mvebu/pm-board.c b/arch/arm/mach-mvebu/pm-board.c
+index 6dfd4ab..301ab38 100644
+--- a/arch/arm/mach-mvebu/pm-board.c
++++ b/arch/arm/mach-mvebu/pm-board.c
+@@ -43,6 +43,9 @@ static void mvebu_armada_xp_gp_pm_enter(void __iomem *sdram_reg, u32 srcmd)
+ for (i = 0; i < ARMADA_XP_GP_PIC_NR_GPIOS; i++)
+ ackcmd |= BIT(pic_raw_gpios[i]);
+
++ srcmd = cpu_to_le32(srcmd);
++ ackcmd = cpu_to_le32(ackcmd);
++
+ /*
+ * Wait a while, the PIC needs quite a bit of time between the
+ * two GPIO commands.
+diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
+index 4f25a7c..a351eff 100644
+--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
+@@ -35,6 +35,7 @@
+ #include "iomap.h"
+ #include "irq.h"
+ #include "pm.h"
++#include "reset.h"
+ #include "sleep.h"
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -71,15 +72,13 @@ static struct cpuidle_driver tegra_idle_driver = {
+
+ #ifdef CONFIG_PM_SLEEP
+ #ifdef CONFIG_SMP
+-static void __iomem *pmc = IO_ADDRESS(TEGRA_PMC_BASE);
+-
+ static int tegra20_reset_sleeping_cpu_1(void)
+ {
+ int ret = 0;
+
+ tegra_pen_lock();
+
+- if (readl(pmc + PMC_SCRATCH41) == CPU_RESETTABLE)
++ if (readb(tegra20_cpu1_resettable_status) == CPU_RESETTABLE)
+ tegra20_cpu_shutdown(1);
+ else
+ ret = -EINVAL;
+diff --git a/arch/arm/mach-tegra/reset-handler.S b/arch/arm/mach-tegra/reset-handler.S
+index 71be4af..e3070fd 100644
+--- a/arch/arm/mach-tegra/reset-handler.S
++++ b/arch/arm/mach-tegra/reset-handler.S
+@@ -169,10 +169,10 @@ after_errata:
+ cmp r6, #TEGRA20
+ bne 1f
+ /* If not CPU0, don't let CPU0 reset CPU1 now that CPU1 is coming up. */
+- mov32 r5, TEGRA_PMC_BASE
+- mov r0, #0
++ mov32 r5, TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET
++ mov r0, #CPU_NOT_RESETTABLE
+ cmp r10, #0
+- strne r0, [r5, #PMC_SCRATCH41]
++ strneb r0, [r5, #__tegra20_cpu1_resettable_status_offset]
+ 1:
+ #endif
+
+@@ -281,6 +281,10 @@ __tegra_cpu_reset_handler_data:
+ .rept TEGRA_RESET_DATA_SIZE
+ .long 0
+ .endr
++ .globl __tegra20_cpu1_resettable_status_offset
++ .equ __tegra20_cpu1_resettable_status_offset, \
++ . - __tegra_cpu_reset_handler_start
++ .byte 0
+ .align L1_CACHE_SHIFT
+
+ ENTRY(__tegra_cpu_reset_handler_end)
+diff --git a/arch/arm/mach-tegra/reset.h b/arch/arm/mach-tegra/reset.h
+index 76a9343..29c3dec 100644
+--- a/arch/arm/mach-tegra/reset.h
++++ b/arch/arm/mach-tegra/reset.h
+@@ -35,6 +35,7 @@ extern unsigned long __tegra_cpu_reset_handler_data[TEGRA_RESET_DATA_SIZE];
+
+ void __tegra_cpu_reset_handler_start(void);
+ void __tegra_cpu_reset_handler(void);
++void __tegra20_cpu1_resettable_status_offset(void);
+ void __tegra_cpu_reset_handler_end(void);
+ void tegra_secondary_startup(void);
+
+@@ -47,6 +48,9 @@ void tegra_secondary_startup(void);
+ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \
+ ((u32)&__tegra_cpu_reset_handler_data[TEGRA_RESET_MASK_LP2] - \
+ (u32)__tegra_cpu_reset_handler_start)))
++#define tegra20_cpu1_resettable_status \
++ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \
++ (u32)__tegra20_cpu1_resettable_status_offset))
+ #endif
+
+ #define tegra_cpu_reset_handler_offset \
+diff --git a/arch/arm/mach-tegra/sleep-tegra20.S b/arch/arm/mach-tegra/sleep-tegra20.S
+index be4bc5f..e6b684e 100644
+--- a/arch/arm/mach-tegra/sleep-tegra20.S
++++ b/arch/arm/mach-tegra/sleep-tegra20.S
+@@ -97,9 +97,10 @@ ENDPROC(tegra20_hotplug_shutdown)
+ ENTRY(tegra20_cpu_shutdown)
+ cmp r0, #0
+ reteq lr @ must not be called for CPU 0
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_RESETTABLE
+- str r12, [r1]
++ strb r12, [r1, r2]
+
+ cpu_to_halt_reg r1, r0
+ ldr r3, =TEGRA_FLOW_CTRL_VIRT
+@@ -182,38 +183,41 @@ ENDPROC(tegra_pen_unlock)
+ /*
+ * tegra20_cpu_clear_resettable(void)
+ *
+- * Called to clear the "resettable soon" flag in PMC_SCRATCH41 when
++ * Called to clear the "resettable soon" flag in IRAM variable when
+ * it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_clear_resettable)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_NOT_RESETTABLE
+- str r12, [r1]
++ strb r12, [r1, r2]
+ ret lr
+ ENDPROC(tegra20_cpu_clear_resettable)
+
+ /*
+ * tegra20_cpu_set_resettable_soon(void)
+ *
+- * Called to set the "resettable soon" flag in PMC_SCRATCH41 when
++ * Called to set the "resettable soon" flag in IRAM variable when
+ * it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_set_resettable_soon)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_RESETTABLE_SOON
+- str r12, [r1]
++ strb r12, [r1, r2]
+ ret lr
+ ENDPROC(tegra20_cpu_set_resettable_soon)
+
+ /*
+ * tegra20_cpu_is_resettable_soon(void)
+ *
+- * Returns true if the "resettable soon" flag in PMC_SCRATCH41 has been
++ * Returns true if the "resettable soon" flag in IRAM variable has been
+ * set because it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_is_resettable_soon)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
+- ldr r12, [r1]
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
++ ldrb r12, [r1, r2]
+ cmp r12, #CPU_RESETTABLE_SOON
+ moveq r0, #1
+ movne r0, #0
+@@ -256,9 +260,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish)
+ mov r0, #TEGRA_FLUSH_CACHE_LOUIS
+ bl tegra_disable_clean_inv_dcache
+
+- mov32 r0, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r4, =__tegra20_cpu1_resettable_status_offset
+ mov r3, #CPU_RESETTABLE
+- str r3, [r0]
++ strb r3, [r0, r4]
+
+ bl tegra_cpu_do_idle
+
+@@ -274,10 +279,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish)
+
+ bl tegra_pen_lock
+
+- mov32 r3, TEGRA_PMC_VIRT
+- add r0, r3, #PMC_SCRATCH41
++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r4, =__tegra20_cpu1_resettable_status_offset
+ mov r3, #CPU_NOT_RESETTABLE
+- str r3, [r0]
++ strb r3, [r0, r4]
+
+ bl tegra_pen_unlock
+
+diff --git a/arch/arm/mach-tegra/sleep.h b/arch/arm/mach-tegra/sleep.h
+index 92d46ec..0d59360 100644
+--- a/arch/arm/mach-tegra/sleep.h
++++ b/arch/arm/mach-tegra/sleep.h
+@@ -18,6 +18,7 @@
+ #define __MACH_TEGRA_SLEEP_H
+
+ #include "iomap.h"
++#include "irammap.h"
+
+ #define TEGRA_ARM_PERIF_VIRT (TEGRA_ARM_PERIF_BASE - IO_CPU_PHYS \
+ + IO_CPU_VIRT)
+@@ -29,6 +30,9 @@
+ + IO_APB_VIRT)
+ #define TEGRA_PMC_VIRT (TEGRA_PMC_BASE - IO_APB_PHYS + IO_APB_VIRT)
+
++#define TEGRA_IRAM_RESET_BASE_VIRT (IO_IRAM_VIRT + \
++ TEGRA_IRAM_RESET_HANDLER_OFFSET)
++
+ /* PMC_SCRATCH37-39 and 41 are used for tegra_pen_lock and idle */
+ #define PMC_SCRATCH37 0x130
+ #define PMC_SCRATCH38 0x134
+diff --git a/arch/mips/include/asm/mach-generic/spaces.h b/arch/mips/include/asm/mach-generic/spaces.h
+index 9488fa5..afc96ec 100644
+--- a/arch/mips/include/asm/mach-generic/spaces.h
++++ b/arch/mips/include/asm/mach-generic/spaces.h
+@@ -94,7 +94,11 @@
+ #endif
+
+ #ifndef FIXADDR_TOP
++#ifdef CONFIG_KVM_GUEST
++#define FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000)
++#else
+ #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000)
+ #endif
++#endif
+
+ #endif /* __ASM_MACH_GENERIC_SPACES_H */
+diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
+index f5e7dda..adf3886 100644
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -785,7 +785,7 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log)
+
+ /* If nothing is dirty, don't bother messing with page tables. */
+ if (is_dirty) {
+- memslot = &kvm->memslots->memslots[log->slot];
++ memslot = id_to_memslot(kvm->memslots, log->slot);
+
+ ga = memslot->base_gfn << PAGE_SHIFT;
+ ga_end = ga + (memslot->npages << PAGE_SHIFT);
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index 7c4f669..3cb25fd 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -131,7 +131,16 @@ static void pmao_restore_workaround(bool ebb) { }
+
+ static bool regs_use_siar(struct pt_regs *regs)
+ {
+- return !!regs->result;
++ /*
++ * When we take a performance monitor exception the regs are setup
++ * using perf_read_regs() which overloads some fields, in particular
++ * regs->result to tell us whether to use SIAR.
++ *
++ * However if the regs are from another exception, eg. a syscall, then
++ * they have not been setup using perf_read_regs() and so regs->result
++ * is something random.
++ */
++ return ((TRAP(regs) == 0xf00) && regs->result);
+ }
+
+ /*
+diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c
+index 9f73c80..49b7445 100644
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -415,7 +415,7 @@ static void *nt_s390_vx_low(void *ptr, __vector128 *vx_regs)
+ ptr += len;
+ /* Copy lower halves of SIMD registers 0-15 */
+ for (i = 0; i < 16; i++) {
+- memcpy(ptr, &vx_regs[i], 8);
++ memcpy(ptr, &vx_regs[i].u[2], 8);
+ ptr += 8;
+ }
+ return ptr;
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index e7bc2fd..b2b7ddf 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1037,7 +1037,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq)
+ if (sclp_has_sigpif())
+ return __inject_extcall_sigpif(vcpu, src_id);
+
+- if (!test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs))
++ if (test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs))
+ return -EBUSY;
+ *extcall = irq->u.extcall;
+ atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags);
+diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
+index 274a9f5..591f119f 100644
+--- a/arch/sparc/kernel/ldc.c
++++ b/arch/sparc/kernel/ldc.c
+@@ -2313,7 +2313,7 @@ void *ldc_alloc_exp_dring(struct ldc_channel *lp, unsigned int len,
+ if (len & (8UL - 1))
+ return ERR_PTR(-EINVAL);
+
+- buf = kzalloc(len, GFP_KERNEL);
++ buf = kzalloc(len, GFP_ATOMIC);
+ if (!buf)
+ return ERR_PTR(-ENOMEM);
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index b7d31ca..570c71d 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -177,7 +177,7 @@ config SBUS
+
+ config NEED_DMA_MAP_STATE
+ def_bool y
+- depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG
++ depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG || SWIOTLB
+
+ config NEED_SG_DMA_LENGTH
+ def_bool y
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 1c0fb57..e02589d 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -583,7 +583,7 @@ struct kvm_arch {
+ struct kvm_pic *vpic;
+ struct kvm_ioapic *vioapic;
+ struct kvm_pit *vpit;
+- int vapics_in_nmi_mode;
++ atomic_t vapics_in_nmi_mode;
+ struct mutex apic_map_lock;
+ struct kvm_apic_map *apic_map;
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 298781d..1406ffd 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_work *work)
+ * LVT0 to NMI delivery. Other PIC interrupts are just sent to
+ * VCPU0, and only if its LVT0 is in EXTINT mode.
+ */
+- if (kvm->arch.vapics_in_nmi_mode > 0)
++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0)
+ kvm_for_each_vcpu(i, vcpu, kvm)
+ kvm_apic_nmi_wd_deliver(vcpu);
+ }
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 3cb2b58..8ee4aa7 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1224,10 +1224,10 @@ static void apic_manage_nmi_watchdog(struct kvm_lapic *apic, u32 lvt0_val)
+ if (!nmi_wd_enabled) {
+ apic_debug("Receive NMI setting on APIC_LVT0 "
+ "for cpu %d\n", apic->vcpu->vcpu_id);
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode++;
++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+ } else if (nmi_wd_enabled)
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode--;
++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+
+ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
+@@ -1784,6 +1784,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
+ apic_update_ppr(apic);
+ hrtimer_cancel(&apic->lapic_timer.timer);
+ apic_update_lvtt(apic);
++ apic_manage_nmi_watchdog(apic, kvm_apic_get_reg(apic, APIC_LVT0));
+ update_divide_count(apic);
+ start_apic_timer(apic);
+ apic->irr_pending = true;
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index a4e62fc..1b32e29 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -511,8 +511,10 @@ static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- if (svm->vmcb->control.next_rip != 0)
++ if (svm->vmcb->control.next_rip != 0) {
++ WARN_ON(!static_cpu_has(X86_FEATURE_NRIPS));
+ svm->next_rip = svm->vmcb->control.next_rip;
++ }
+
+ if (!svm->next_rip) {
+ if (emulate_instruction(vcpu, EMULTYPE_SKIP) !=
+@@ -4310,7 +4312,9 @@ static int svm_check_intercept(struct kvm_vcpu *vcpu,
+ break;
+ }
+
+- vmcb->control.next_rip = info->next_rip;
++ /* TODO: Advertise NRIPS to guest hypervisor unconditionally */
++ if (static_cpu_has(X86_FEATURE_NRIPS))
++ vmcb->control.next_rip = info->next_rip;
+ vmcb->control.exit_code = icpt_info.exit_code;
+ vmexit = nested_svm_exit_handled(svm);
+
+diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
+index d939633..b33615f 100644
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -81,6 +81,17 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = {
+ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
+ },
+ },
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */
++ {
++ .callback = set_use_crs,
++ .ident = "Foxconn K8M890-8237A",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"),
++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"),
++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
++ },
++ },
+
+ /* Now for the blacklist.. */
+
+@@ -121,8 +132,10 @@ void __init pci_acpi_crs_quirks(void)
+ {
+ int year;
+
+- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008)
+- pci_use_crs = false;
++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) {
++ if (iomem_resource.end <= 0xffffffff)
++ pci_use_crs = false;
++ }
+
+ dmi_check_system(pci_crs_quirks);
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 872c577..2c867a6 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -534,7 +534,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate)
+
+ val |= vid;
+
+- wrmsrl(MSR_IA32_PERF_CTL, val);
++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val);
+ }
+
+ #define BYT_BCLK_FREQS 5
+diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
+index 5937207..3442764 100644
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -60,6 +60,8 @@ static int nap_loop(struct cpuidle_device *dev,
+ return index;
+ }
+
++/* Register for fastsleep only in oneshot mode of broadcast */
++#ifdef CONFIG_TICK_ONESHOT
+ static int fastsleep_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+@@ -83,7 +85,7 @@ static int fastsleep_loop(struct cpuidle_device *dev,
+
+ return index;
+ }
+-
++#endif
+ /*
+ * States for dedicated partition case.
+ */
+@@ -209,7 +211,14 @@ static int powernv_add_idle_states(void)
+ powernv_states[nr_idle_states].flags = 0;
+ powernv_states[nr_idle_states].target_residency = 100;
+ powernv_states[nr_idle_states].enter = &nap_loop;
+- } else if (flags[i] & OPAL_PM_SLEEP_ENABLED ||
++ }
++
++ /*
++ * All cpuidle states with CPUIDLE_FLAG_TIMER_STOP set must come
++ * within this config dependency check.
++ */
++#ifdef CONFIG_TICK_ONESHOT
++ if (flags[i] & OPAL_PM_SLEEP_ENABLED ||
+ flags[i] & OPAL_PM_SLEEP_ENABLED_ER1) {
+ /* Add FASTSLEEP state */
+ strcpy(powernv_states[nr_idle_states].name, "FastSleep");
+@@ -218,7 +227,7 @@ static int powernv_add_idle_states(void)
+ powernv_states[nr_idle_states].target_residency = 300000;
+ powernv_states[nr_idle_states].enter = &fastsleep_loop;
+ }
+-
++#endif
+ powernv_states[nr_idle_states].exit_latency =
+ ((unsigned int)latency_ns[i]) / 1000;
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index ebbae8d..9f7333a 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatterlist *sg, int sg_count,
+ sg_count--;
+ link_tbl_ptr--;
+ }
+- be16_add_cpu(&link_tbl_ptr->len, cryptlen);
++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len)
++ + cryptlen);
+
+ /* tag end of link table */
+ link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN;
+@@ -2563,6 +2564,7 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ break;
+ default:
+ dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type);
++ kfree(t_alg);
+ return ERR_PTR(-EINVAL);
+ }
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 48882c1..13cfbf4 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1870,9 +1870,15 @@ static void free_pt_##LVL (unsigned long __pt) \
+ pt = (u64 *)__pt; \
+ \
+ for (i = 0; i < 512; ++i) { \
++ /* PTE present? */ \
+ if (!IOMMU_PTE_PRESENT(pt[i])) \
+ continue; \
+ \
++ /* Large PTE? */ \
++ if (PM_PTE_LEVEL(pt[i]) == 0 || \
++ PM_PTE_LEVEL(pt[i]) == 7) \
++ continue; \
++ \
+ p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \
+ FN(p); \
+ } \
+diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
+index bd6252b..2d1b203 100644
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -1533,7 +1533,7 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu)
+ return -ENODEV;
+ }
+
+- if ((id & ID0_S1TS) && ((smmu->version == 1) || (id & ID0_ATOSNS))) {
++ if ((id & ID0_S1TS) && ((smmu->version == 1) || !(id & ID0_ATOSNS))) {
+ smmu->features |= ARM_SMMU_FEAT_TRANS_OPS;
+ dev_notice(smmu->dev, "\taddress translation ops\n");
+ }
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index 0ad412a..d3a7bff 100644
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -846,7 +846,7 @@ static void sdhci_prepare_data(struct sdhci_host *host, struct mmc_command *cmd)
+ int sg_cnt;
+
+ sg_cnt = sdhci_pre_dma_transfer(host, data, NULL);
+- if (sg_cnt == 0) {
++ if (sg_cnt <= 0) {
+ /*
+ * This only happens when someone fed
+ * us an invalid request.
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
+index d81fc6b..5c92fb7 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
+@@ -263,7 +263,7 @@ static int xgbe_alloc_pages(struct xgbe_prv_data *pdata,
+ int ret;
+
+ /* Try to obtain pages, decreasing order if necessary */
+- gfp |= __GFP_COLD | __GFP_COMP;
++ gfp |= __GFP_COLD | __GFP_COMP | __GFP_NOWARN;
+ while (order >= 0) {
+ pages = alloc_pages(gfp, order);
+ if (pages)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 1ec635f..196474f 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -9323,7 +9323,8 @@ unload_error:
+ * function stop ramrod is sent, since as part of this ramrod FW access
+ * PTP registers.
+ */
+- bnx2x_stop_ptp(bp);
++ if (bp->flags & PTP_SUPPORTED)
++ bnx2x_stop_ptp(bp);
+
+ /* Disable HW interrupts, NAPI */
+ bnx2x_netif_stop(bp, 1);
+diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
+index d20fc8e..c365765 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -540,8 +540,8 @@ static int igb_ptp_feature_enable_i210(struct ptp_clock_info *ptp,
+ igb->perout[i].start.tv_nsec = rq->perout.start.nsec;
+ igb->perout[i].period.tv_sec = ts.tv_sec;
+ igb->perout[i].period.tv_nsec = ts.tv_nsec;
+- wr32(trgttiml, rq->perout.start.sec);
+- wr32(trgttimh, rq->perout.start.nsec);
++ wr32(trgttimh, rq->perout.start.sec);
++ wr32(trgttiml, rq->perout.start.nsec);
+ tsauxc |= tsauxc_mask;
+ tsim |= tsim_mask;
+ } else {
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 2db6532..87c7f52c 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -304,6 +304,7 @@ struct mvneta_port {
+ unsigned int link;
+ unsigned int duplex;
+ unsigned int speed;
++ unsigned int tx_csum_limit;
+ };
+
+ /* The mvneta_tx_desc and mvneta_rx_desc structures describe the
+@@ -2441,8 +2442,10 @@ static int mvneta_change_mtu(struct net_device *dev, int mtu)
+
+ dev->mtu = mtu;
+
+- if (!netif_running(dev))
++ if (!netif_running(dev)) {
++ netdev_update_features(dev);
+ return 0;
++ }
+
+ /* The interface is running, so we have to force a
+ * reallocation of the queues
+@@ -2471,9 +2474,26 @@ static int mvneta_change_mtu(struct net_device *dev, int mtu)
+ mvneta_start_dev(pp);
+ mvneta_port_up(pp);
+
++ netdev_update_features(dev);
++
+ return 0;
+ }
+
++static netdev_features_t mvneta_fix_features(struct net_device *dev,
++ netdev_features_t features)
++{
++ struct mvneta_port *pp = netdev_priv(dev);
++
++ if (pp->tx_csum_limit && dev->mtu > pp->tx_csum_limit) {
++ features &= ~(NETIF_F_IP_CSUM | NETIF_F_TSO);
++ netdev_info(dev,
++ "Disable IP checksum for MTU greater than %dB\n",
++ pp->tx_csum_limit);
++ }
++
++ return features;
++}
++
+ /* Get mac address */
+ static void mvneta_get_mac_addr(struct mvneta_port *pp, unsigned char *addr)
+ {
+@@ -2785,6 +2805,7 @@ static const struct net_device_ops mvneta_netdev_ops = {
+ .ndo_set_rx_mode = mvneta_set_rx_mode,
+ .ndo_set_mac_address = mvneta_set_mac_addr,
+ .ndo_change_mtu = mvneta_change_mtu,
++ .ndo_fix_features = mvneta_fix_features,
+ .ndo_get_stats64 = mvneta_get_stats64,
+ .ndo_do_ioctl = mvneta_ioctl,
+ };
+@@ -3023,6 +3044,9 @@ static int mvneta_probe(struct platform_device *pdev)
+ }
+ }
+
++ if (of_device_is_compatible(dn, "marvell,armada-370-neta"))
++ pp->tx_csum_limit = 1600;
++
+ pp->tx_ring_size = MVNETA_MAX_TXD;
+ pp->rx_ring_size = MVNETA_MAX_RXD;
+
+@@ -3095,6 +3119,7 @@ static int mvneta_remove(struct platform_device *pdev)
+
+ static const struct of_device_id mvneta_match[] = {
+ { .compatible = "marvell,armada-370-neta" },
++ { .compatible = "marvell,armada-xp-neta" },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, mvneta_match);
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+index 2f1324b..f30c322 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -1971,10 +1971,6 @@ void mlx4_en_free_resources(struct mlx4_en_priv *priv)
+ mlx4_en_destroy_cq(priv, &priv->rx_cq[i]);
+ }
+
+- if (priv->base_tx_qpn) {
+- mlx4_qp_release_range(priv->mdev->dev, priv->base_tx_qpn, priv->tx_ring_num);
+- priv->base_tx_qpn = 0;
+- }
+ }
+
+ int mlx4_en_alloc_resources(struct mlx4_en_priv *priv)
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+index 05ec5e1..3478c87 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -723,7 +723,7 @@ static int get_fixed_ipv6_csum(__wsum hw_checksum, struct sk_buff *skb,
+ }
+ #endif
+ static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va,
+- int hwtstamp_rx_filter)
++ netdev_features_t dev_features)
+ {
+ __wsum hw_checksum = 0;
+
+@@ -731,14 +731,8 @@ static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va,
+
+ hw_checksum = csum_unfold((__force __sum16)cqe->checksum);
+
+- if (((struct ethhdr *)va)->h_proto == htons(ETH_P_8021Q) &&
+- hwtstamp_rx_filter != HWTSTAMP_FILTER_NONE) {
+- /* next protocol non IPv4 or IPv6 */
+- if (((struct vlan_hdr *)hdr)->h_vlan_encapsulated_proto
+- != htons(ETH_P_IP) &&
+- ((struct vlan_hdr *)hdr)->h_vlan_encapsulated_proto
+- != htons(ETH_P_IPV6))
+- return -1;
++ if (cqe->vlan_my_qpn & cpu_to_be32(MLX4_CQE_VLAN_PRESENT_MASK) &&
++ !(dev_features & NETIF_F_HW_VLAN_CTAG_RX)) {
+ hw_checksum = get_fixed_vlan_csum(hw_checksum, hdr);
+ hdr += sizeof(struct vlan_hdr);
+ }
+@@ -901,7 +895,8 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud
+
+ if (ip_summed == CHECKSUM_COMPLETE) {
+ void *va = skb_frag_address(skb_shinfo(gro_skb)->frags);
+- if (check_csum(cqe, gro_skb, va, ring->hwtstamp_rx_filter)) {
++ if (check_csum(cqe, gro_skb, va,
++ dev->features)) {
+ ip_summed = CHECKSUM_NONE;
+ ring->csum_none++;
+ ring->csum_complete--;
+@@ -956,7 +951,7 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud
+ }
+
+ if (ip_summed == CHECKSUM_COMPLETE) {
+- if (check_csum(cqe, skb, skb->data, ring->hwtstamp_rx_filter)) {
++ if (check_csum(cqe, skb, skb->data, dev->features)) {
+ ip_summed = CHECKSUM_NONE;
+ ring->csum_complete--;
+ ring->csum_none++;
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+index 8c234ec..35dd887 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -66,6 +66,7 @@ int mlx4_en_create_tx_ring(struct mlx4_en_priv *priv,
+ ring->size = size;
+ ring->size_mask = size - 1;
+ ring->stride = stride;
++ ring->full_size = ring->size - HEADROOM - MAX_DESC_TXBBS;
+
+ tmp = size * sizeof(struct mlx4_en_tx_info);
+ ring->tx_info = kmalloc_node(tmp, GFP_KERNEL | __GFP_NOWARN, node);
+@@ -180,6 +181,7 @@ void mlx4_en_destroy_tx_ring(struct mlx4_en_priv *priv,
+ mlx4_bf_free(mdev->dev, &ring->bf);
+ mlx4_qp_remove(mdev->dev, &ring->qp);
+ mlx4_qp_free(mdev->dev, &ring->qp);
++ mlx4_qp_release_range(priv->mdev->dev, ring->qpn, 1);
+ mlx4_en_unmap_buffer(&ring->wqres.buf);
+ mlx4_free_hwq_res(mdev->dev, &ring->wqres, ring->buf_size);
+ kfree(ring->bounce_buf);
+@@ -231,6 +233,11 @@ void mlx4_en_deactivate_tx_ring(struct mlx4_en_priv *priv,
+ MLX4_QP_STATE_RST, NULL, 0, 0, &ring->qp);
+ }
+
++static inline bool mlx4_en_is_tx_ring_full(struct mlx4_en_tx_ring *ring)
++{
++ return ring->prod - ring->cons > ring->full_size;
++}
++
+ static void mlx4_en_stamp_wqe(struct mlx4_en_priv *priv,
+ struct mlx4_en_tx_ring *ring, int index,
+ u8 owner)
+@@ -473,11 +480,10 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
+
+ netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
+
+- /*
+- * Wakeup Tx queue if this stopped, and at least 1 packet
+- * was completed
++ /* Wakeup Tx queue if this stopped, and ring is not full.
+ */
+- if (netif_tx_queue_stopped(ring->tx_queue) && txbbs_skipped > 0) {
++ if (netif_tx_queue_stopped(ring->tx_queue) &&
++ !mlx4_en_is_tx_ring_full(ring)) {
+ netif_tx_wake_queue(ring->tx_queue);
+ ring->wake_queue++;
+ }
+@@ -921,8 +927,7 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev)
+ skb_tx_timestamp(skb);
+
+ /* Check available TXBBs And 2K spare for prefetch */
+- stop_queue = (int)(ring->prod - ring_cons) >
+- ring->size - HEADROOM - MAX_DESC_TXBBS;
++ stop_queue = mlx4_en_is_tx_ring_full(ring);
+ if (unlikely(stop_queue)) {
+ netif_tx_stop_queue(ring->tx_queue);
+ ring->queue_stopped++;
+@@ -991,8 +996,7 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev)
+ smp_rmb();
+
+ ring_cons = ACCESS_ONCE(ring->cons);
+- if (unlikely(((int)(ring->prod - ring_cons)) <=
+- ring->size - HEADROOM - MAX_DESC_TXBBS)) {
++ if (unlikely(!mlx4_en_is_tx_ring_full(ring))) {
+ netif_tx_wake_queue(ring->tx_queue);
+ ring->wake_queue++;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx4/intf.c b/drivers/net/ethernet/mellanox/mlx4/intf.c
+index 6fce587..0d80aed 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/intf.c
++++ b/drivers/net/ethernet/mellanox/mlx4/intf.c
+@@ -93,8 +93,14 @@ int mlx4_register_interface(struct mlx4_interface *intf)
+ mutex_lock(&intf_mutex);
+
+ list_add_tail(&intf->list, &intf_list);
+- list_for_each_entry(priv, &dev_list, dev_list)
++ list_for_each_entry(priv, &dev_list, dev_list) {
++ if (mlx4_is_mfunc(&priv->dev) && (intf->flags & MLX4_INTFF_BONDING)) {
++ mlx4_dbg(&priv->dev,
++ "SRIOV, disabling HA mode for intf proto %d\n", intf->protocol);
++ intf->flags &= ~MLX4_INTFF_BONDING;
++ }
+ mlx4_add_device(intf, priv);
++ }
+
+ mutex_unlock(&intf_mutex);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+index 8687c8d..0bf0fdd 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+@@ -280,6 +280,7 @@ struct mlx4_en_tx_ring {
+ u32 size; /* number of TXBBs */
+ u32 size_mask;
+ u16 stride;
++ u32 full_size;
+ u16 cqn; /* index of port CQ associated with this ring */
+ u32 buf_size;
+ __be32 doorbell_qpn;
+@@ -601,7 +602,6 @@ struct mlx4_en_priv {
+ int vids[128];
+ bool wol;
+ struct device *ddev;
+- int base_tx_qpn;
+ struct hlist_head mac_hash[MLX4_EN_MAC_HASH_SIZE];
+ struct hwtstamp_config hwtstamp_config;
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index bdfe51f..d551df6 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -796,10 +796,11 @@ static int genphy_config_advert(struct phy_device *phydev)
+ if (phydev->supported & (SUPPORTED_1000baseT_Half |
+ SUPPORTED_1000baseT_Full)) {
+ adv |= ethtool_adv_to_mii_ctrl1000_t(advertise);
+- if (adv != oldadv)
+- changed = 1;
+ }
+
++ if (adv != oldadv)
++ changed = 1;
++
+ err = phy_write(phydev, MII_CTRL1000, adv);
+ if (err < 0)
+ return err;
+diff --git a/drivers/s390/kvm/virtio_ccw.c b/drivers/s390/kvm/virtio_ccw.c
+index 71d7802..5717117 100644
+--- a/drivers/s390/kvm/virtio_ccw.c
++++ b/drivers/s390/kvm/virtio_ccw.c
+@@ -65,6 +65,7 @@ struct virtio_ccw_device {
+ bool is_thinint;
+ bool going_away;
+ bool device_lost;
++ unsigned int config_ready;
+ void *airq_info;
+ };
+
+@@ -833,8 +834,11 @@ static void virtio_ccw_get_config(struct virtio_device *vdev,
+ if (ret)
+ goto out_free;
+
+- memcpy(vcdev->config, config_area, sizeof(vcdev->config));
+- memcpy(buf, &vcdev->config[offset], len);
++ memcpy(vcdev->config, config_area, offset + len);
++ if (buf)
++ memcpy(buf, &vcdev->config[offset], len);
++ if (vcdev->config_ready < offset + len)
++ vcdev->config_ready = offset + len;
+
+ out_free:
+ kfree(config_area);
+@@ -857,6 +861,9 @@ static void virtio_ccw_set_config(struct virtio_device *vdev,
+ if (!config_area)
+ goto out_free;
+
++ /* Make sure we don't overwrite fields. */
++ if (vcdev->config_ready < offset)
++ virtio_ccw_get_config(vdev, 0, NULL, offset);
+ memcpy(&vcdev->config[offset], buf, len);
+ /* Write the config area to the host. */
+ memcpy(config_area, vcdev->config, sizeof(vcdev->config));
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 175c995..ce3b407 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -845,7 +845,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ ret = ep->status;
+ if (io_data->read && ret > 0) {
+ ret = copy_to_iter(data, ret, &io_data->data);
+- if (unlikely(iov_iter_count(&io_data->data)))
++ if (!ret)
+ ret = -EFAULT;
+ }
+ }
+@@ -3433,6 +3433,7 @@ done:
+ static void ffs_closed(struct ffs_data *ffs)
+ {
+ struct ffs_dev *ffs_obj;
++ struct f_fs_opts *opts;
+
+ ENTER();
+ ffs_dev_lock();
+@@ -3446,8 +3447,13 @@ static void ffs_closed(struct ffs_data *ffs)
+ if (ffs_obj->ffs_closed_callback)
+ ffs_obj->ffs_closed_callback(ffs);
+
+- if (!ffs_obj->opts || ffs_obj->opts->no_configfs
+- || !ffs_obj->opts->func_inst.group.cg_item.ci_parent)
++ if (ffs_obj->opts)
++ opts = ffs_obj->opts;
++ else
++ goto done;
++
++ if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
++ || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
+ goto done;
+
+ unregister_gadget_item(ffs_obj->opts->
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 922f23e..b05c557 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2896,17 +2896,6 @@ restart:
+ vfsmnt = &mnt->mnt;
+ continue;
+ }
+- /*
+- * Filesystems needing to implement special "root names"
+- * should do so with ->d_dname()
+- */
+- if (IS_ROOT(dentry) &&
+- (dentry->d_name.len != 1 ||
+- dentry->d_name.name[0] != '/')) {
+- WARN(1, "Root dentry has weird name <%.*s>\n",
+- (int) dentry->d_name.len,
+- dentry->d_name.name);
+- }
+ if (!error)
+ error = is_mounted(vfsmnt) ? 1 : 2;
+ break;
+diff --git a/fs/inode.c b/fs/inode.c
+index f00b16f..c60671d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1693,8 +1693,8 @@ int file_remove_suid(struct file *file)
+ error = security_inode_killpriv(dentry);
+ if (!error && killsuid)
+ error = __remove_suid(dentry, killsuid);
+- if (!error && (inode->i_sb->s_flags & MS_NOSEC))
+- inode->i_flags |= S_NOSEC;
++ if (!error)
++ inode_has_no_xattr(inode);
+
+ return error;
+ }
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 13b0f7b..f07c769 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3187,11 +3187,15 @@ bool fs_fully_visible(struct file_system_type *type)
+ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
+ continue;
+
+- /* This mount is not fully visible if there are any child mounts
+- * that cover anything except for empty directories.
++ /* This mount is not fully visible if there are any
++ * locked child mounts that cover anything except for
++ * empty directories.
+ */
+ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
+ struct inode *inode = child->mnt_mountpoint->d_inode;
++ /* Only worry about locked mounts */
++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED))
++ continue;
+ if (!S_ISDIR(inode->i_mode))
+ goto next;
+ if (inode->i_nlink > 2)
+diff --git a/fs/ufs/balloc.c b/fs/ufs/balloc.c
+index 2c10360..a7106ed 100644
+--- a/fs/ufs/balloc.c
++++ b/fs/ufs/balloc.c
+@@ -51,8 +51,8 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count)
+
+ if (ufs_fragnum(fragment) + count > uspi->s_fpg)
+ ufs_error (sb, "ufs_free_fragments", "internal error");
+-
+- lock_ufs(sb);
++
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ cgno = ufs_dtog(uspi, fragment);
+ bit = ufs_dtogd(uspi, fragment);
+@@ -115,13 +115,13 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count)
+ if (sb->s_flags & MS_SYNCHRONOUS)
+ ubh_sync_block(UCPI_UBH(ucpi));
+ ufs_mark_sb_dirty(sb);
+-
+- unlock_ufs(sb);
++
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ return;
+
+ failed:
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return;
+ }
+@@ -151,7 +151,7 @@ void ufs_free_blocks(struct inode *inode, u64 fragment, unsigned count)
+ goto failed;
+ }
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ do_more:
+ overflow = 0;
+@@ -211,12 +211,12 @@ do_more:
+ }
+
+ ufs_mark_sb_dirty(sb);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ return;
+
+ failed_unlock:
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ failed:
+ UFSD("EXIT (FAILED)\n");
+ return;
+@@ -357,7 +357,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ usb1 = ubh_get_usb_first(uspi);
+ *err = -ENOSPC;
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+ tmp = ufs_data_ptr_to_cpu(sb, p);
+
+ if (count + ufs_fragnum(fragment) > uspi->s_fpb) {
+@@ -378,19 +378,19 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ "fragment %llu, tmp %llu\n",
+ (unsigned long long)fragment,
+ (unsigned long long)tmp);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return INVBLOCK;
+ }
+ if (fragment < UFS_I(inode)->i_lastfrag) {
+ UFSD("EXIT (ALREADY ALLOCATED)\n");
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return 0;
+ }
+ }
+ else {
+ if (tmp) {
+ UFSD("EXIT (ALREADY ALLOCATED)\n");
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return 0;
+ }
+ }
+@@ -399,7 +399,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ * There is not enough space for user on the device
+ */
+ if (!capable(CAP_SYS_RESOURCE) && ufs_freespace(uspi, UFS_MINFREE) <= 0) {
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return 0;
+ }
+@@ -424,7 +424,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ ufs_clear_frags(inode, result + oldcount,
+ newcount - oldcount, locked_page != NULL);
+ }
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT, result %llu\n", (unsigned long long)result);
+ return result;
+ }
+@@ -439,7 +439,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ fragment + count);
+ ufs_clear_frags(inode, result + oldcount, newcount - oldcount,
+ locked_page != NULL);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT, result %llu\n", (unsigned long long)result);
+ return result;
+ }
+@@ -477,7 +477,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ *err = 0;
+ UFS_I(inode)->i_lastfrag = max(UFS_I(inode)->i_lastfrag,
+ fragment + count);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ if (newcount < request)
+ ufs_free_fragments (inode, result + newcount, request - newcount);
+ ufs_free_fragments (inode, tmp, oldcount);
+@@ -485,7 +485,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment,
+ return result;
+ }
+
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return 0;
+ }
+diff --git a/fs/ufs/ialloc.c b/fs/ufs/ialloc.c
+index 7caa016..fd0203c 100644
+--- a/fs/ufs/ialloc.c
++++ b/fs/ufs/ialloc.c
+@@ -69,11 +69,11 @@ void ufs_free_inode (struct inode * inode)
+
+ ino = inode->i_ino;
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ if (!((ino > 1) && (ino < (uspi->s_ncg * uspi->s_ipg )))) {
+ ufs_warning(sb, "ufs_free_inode", "reserved inode or nonexistent inode %u\n", ino);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return;
+ }
+
+@@ -81,7 +81,7 @@ void ufs_free_inode (struct inode * inode)
+ bit = ufs_inotocgoff (ino);
+ ucpi = ufs_load_cylinder (sb, cg);
+ if (!ucpi) {
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return;
+ }
+ ucg = ubh_get_ucg(UCPI_UBH(ucpi));
+@@ -115,7 +115,7 @@ void ufs_free_inode (struct inode * inode)
+ ubh_sync_block(UCPI_UBH(ucpi));
+
+ ufs_mark_sb_dirty(sb);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ }
+
+@@ -193,7 +193,7 @@ struct inode *ufs_new_inode(struct inode *dir, umode_t mode)
+ sbi = UFS_SB(sb);
+ uspi = sbi->s_uspi;
+
+- lock_ufs(sb);
++ mutex_lock(&sbi->s_lock);
+
+ /*
+ * Try to place the inode in its parent directory
+@@ -331,21 +331,21 @@ cg_found:
+ sync_dirty_buffer(bh);
+ brelse(bh);
+ }
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+
+ UFSD("allocating inode %lu\n", inode->i_ino);
+ UFSD("EXIT\n");
+ return inode;
+
+ fail_remove_inode:
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+ clear_nlink(inode);
+ unlock_new_inode(inode);
+ iput(inode);
+ UFSD("EXIT (FAILED): err %d\n", err);
+ return ERR_PTR(err);
+ failed:
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+ make_bad_inode(inode);
+ iput (inode);
+ UFSD("EXIT (FAILED): err %d\n", err);
+diff --git a/fs/ufs/inode.c b/fs/ufs/inode.c
+index be7d42c..2d93ab0 100644
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -902,6 +902,9 @@ void ufs_evict_inode(struct inode * inode)
+ invalidate_inode_buffers(inode);
+ clear_inode(inode);
+
+- if (want_delete)
++ if (want_delete) {
++ lock_ufs(inode->i_sb);
+ ufs_free_inode(inode);
++ unlock_ufs(inode->i_sb);
++ }
+ }
+diff --git a/fs/ufs/namei.c b/fs/ufs/namei.c
+index fd65deb..e8ee298 100644
+--- a/fs/ufs/namei.c
++++ b/fs/ufs/namei.c
+@@ -128,12 +128,12 @@ static int ufs_symlink (struct inode * dir, struct dentry * dentry,
+ if (l > sb->s_blocksize)
+ goto out_notlocked;
+
++ lock_ufs(dir->i_sb);
+ inode = ufs_new_inode(dir, S_IFLNK | S_IRWXUGO);
+ err = PTR_ERR(inode);
+ if (IS_ERR(inode))
+- goto out_notlocked;
++ goto out;
+
+- lock_ufs(dir->i_sb);
+ if (l > UFS_SB(sb)->s_uspi->s_maxsymlinklen) {
+ /* slow symlink */
+ inode->i_op = &ufs_symlink_inode_operations;
+@@ -174,7 +174,12 @@ static int ufs_link (struct dentry * old_dentry, struct inode * dir,
+ inode_inc_link_count(inode);
+ ihold(inode);
+
+- error = ufs_add_nondir(dentry, inode);
++ error = ufs_add_link(dentry, inode);
++ if (error) {
++ inode_dec_link_count(inode);
++ iput(inode);
++ } else
++ d_instantiate(dentry, inode);
+ unlock_ufs(dir->i_sb);
+ return error;
+ }
+@@ -184,9 +189,13 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
+ struct inode * inode;
+ int err;
+
++ lock_ufs(dir->i_sb);
++ inode_inc_link_count(dir);
++
+ inode = ufs_new_inode(dir, S_IFDIR|mode);
++ err = PTR_ERR(inode);
+ if (IS_ERR(inode))
+- return PTR_ERR(inode);
++ goto out_dir;
+
+ inode->i_op = &ufs_dir_inode_operations;
+ inode->i_fop = &ufs_dir_operations;
+@@ -194,9 +203,6 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
+
+ inode_inc_link_count(inode);
+
+- lock_ufs(dir->i_sb);
+- inode_inc_link_count(dir);
+-
+ err = ufs_make_empty(inode, dir);
+ if (err)
+ goto out_fail;
+@@ -206,6 +212,7 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
+ goto out_fail;
+ unlock_ufs(dir->i_sb);
+
++ unlock_new_inode(inode);
+ d_instantiate(dentry, inode);
+ out:
+ return err;
+@@ -215,6 +222,7 @@ out_fail:
+ inode_dec_link_count(inode);
+ unlock_new_inode(inode);
+ iput (inode);
++out_dir:
+ inode_dec_link_count(dir);
+ unlock_ufs(dir->i_sb);
+ goto out;
+diff --git a/fs/ufs/super.c b/fs/ufs/super.c
+index 8092d37..eb16791 100644
+--- a/fs/ufs/super.c
++++ b/fs/ufs/super.c
+@@ -694,6 +694,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait)
+ unsigned flags;
+
+ lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ UFSD("ENTER\n");
+
+@@ -711,6 +712,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait)
+ ufs_put_cstotal(sb);
+
+ UFSD("EXIT\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+
+ return 0;
+@@ -799,6 +801,7 @@ static int ufs_fill_super(struct super_block *sb, void *data, int silent)
+ UFSD("flag %u\n", (int)(sb->s_flags & MS_RDONLY));
+
+ mutex_init(&sbi->mutex);
++ mutex_init(&sbi->s_lock);
+ spin_lock_init(&sbi->work_lock);
+ INIT_DELAYED_WORK(&sbi->sync_work, delayed_sync_fs);
+ /*
+@@ -1277,6 +1280,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+
+ sync_filesystem(sb);
+ lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+ uspi = UFS_SB(sb)->s_uspi;
+ flags = UFS_SB(sb)->s_flags;
+ usb1 = ubh_get_usb_first(uspi);
+@@ -1290,6 +1294,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+ new_mount_opt = 0;
+ ufs_set_opt (new_mount_opt, ONERROR_LOCK);
+ if (!ufs_parse_options (data, &new_mount_opt)) {
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+@@ -1297,12 +1302,14 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+ new_mount_opt |= ufstype;
+ } else if ((new_mount_opt & UFS_MOUNT_UFSTYPE) != ufstype) {
+ pr_err("ufstype can't be changed during remount\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+
+ if ((*mount_flags & MS_RDONLY) == (sb->s_flags & MS_RDONLY)) {
+ UFS_SB(sb)->s_mount_opt = new_mount_opt;
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return 0;
+ }
+@@ -1326,6 +1333,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+ */
+ #ifndef CONFIG_UFS_FS_WRITE
+ pr_err("ufs was compiled with read-only support, can't be mounted as read-write\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ #else
+@@ -1335,11 +1343,13 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+ ufstype != UFS_MOUNT_UFSTYPE_SUNx86 &&
+ ufstype != UFS_MOUNT_UFSTYPE_UFS2) {
+ pr_err("this ufstype is read-only supported\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+ if (!ufs_read_cylinder_structures(sb)) {
+ pr_err("failed during remounting\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EPERM;
+ }
+@@ -1347,6 +1357,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data)
+ #endif
+ }
+ UFS_SB(sb)->s_mount_opt = new_mount_opt;
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return 0;
+ }
+diff --git a/fs/ufs/ufs.h b/fs/ufs/ufs.h
+index 2a07396..cf6368d 100644
+--- a/fs/ufs/ufs.h
++++ b/fs/ufs/ufs.h
+@@ -30,6 +30,7 @@ struct ufs_sb_info {
+ int work_queued; /* non-zero if the delayed work is queued */
+ struct delayed_work sync_work; /* FS sync delayed work */
+ spinlock_t work_lock; /* protects sync_work and work_queued */
++ struct mutex s_lock;
+ };
+
+ struct ufs_inode_info {
+diff --git a/include/net/netns/sctp.h b/include/net/netns/sctp.h
+index 3573a81..8ba379f 100644
+--- a/include/net/netns/sctp.h
++++ b/include/net/netns/sctp.h
+@@ -31,6 +31,7 @@ struct netns_sctp {
+ struct list_head addr_waitq;
+ struct timer_list addr_wq_timer;
+ struct list_head auto_asconf_splist;
++ /* Lock that protects both addr_waitq and auto_asconf_splist */
+ spinlock_t addr_wq_lock;
+
+ /* Lock that protects the local_addr_list writers */
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 2bb2fcf..495c87e 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -223,6 +223,10 @@ struct sctp_sock {
+ atomic_t pd_mode;
+ /* Receive to here while partial delivery is in effect. */
+ struct sk_buff_head pd_lobby;
++
++ /* These must be the last fields, as they will skipped on copies,
++ * like on accept and peeloff operations
++ */
+ struct list_head auto_asconf_list;
+ int do_auto_asconf;
+ };
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index a9a4a1b..8d423bc 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -247,9 +247,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
+- spin_lock_bh(&br->lock);
+ br_stp_set_bridge_priority(br, args[1]);
+- spin_unlock_bh(&br->lock);
+ return 0;
+
+ case BRCTL_SET_PORT_PRIORITY:
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index b0aee78..c08f510 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1166,6 +1166,9 @@ static void br_multicast_add_router(struct net_bridge *br,
+ struct net_bridge_port *p;
+ struct hlist_node *slot = NULL;
+
++ if (!hlist_unhashed(&port->rlist))
++ return;
++
+ hlist_for_each_entry(p, &br->router_list, rlist) {
+ if ((unsigned long) port >= (unsigned long) p)
+ break;
+@@ -1193,12 +1196,8 @@ static void br_multicast_mark_router(struct net_bridge *br,
+ if (port->multicast_router != 1)
+ return;
+
+- if (!hlist_unhashed(&port->rlist))
+- goto timer;
+-
+ br_multicast_add_router(br, port);
+
+-timer:
+ mod_timer(&port->multicast_router_timer,
+ now + br->multicast_querier_interval);
+ }
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index 4114687..7832d07 100644
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+ return true;
+ }
+
+-/* called under bridge lock */
++/* Acquires and releases bridge lock */
+ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
+ {
+ struct net_bridge_port *p;
+ int wasroot;
+
++ spin_lock_bh(&br->lock);
+ wasroot = br_is_root_bridge(br);
+
+ list_for_each_entry(p, &br->port_list, list) {
+@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
+ br_port_state_selection(br);
+ if (br_is_root_bridge(br) && !wasroot)
+ br_become_root_bridge(br);
++ spin_unlock_bh(&br->lock);
+ }
+
+ /* called under bridge lock */
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 70fe9e1..d0e5d66 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -971,6 +971,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
+ rc = 0;
+ if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
+ goto out_unlock_bh;
++ if (neigh->dead)
++ goto out_dead;
+
+ if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
+ if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
+@@ -1027,6 +1029,13 @@ out_unlock_bh:
+ write_unlock(&neigh->lock);
+ local_bh_enable();
+ return rc;
++
++out_dead:
++ if (neigh->nud_state & NUD_STALE)
++ goto out_unlock_bh;
++ write_unlock_bh(&neigh->lock);
++ kfree_skb(skb);
++ return 1;
+ }
+ EXPORT_SYMBOL(__neigh_event_send);
+
+@@ -1090,6 +1099,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
+ if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
+ (old & (NUD_NOARP | NUD_PERMANENT)))
+ goto out;
++ if (neigh->dead)
++ goto out;
+
+ if (!(new & NUD_VALID)) {
+ neigh_del_timer(neigh);
+@@ -1239,6 +1250,8 @@ EXPORT_SYMBOL(neigh_update);
+ */
+ void __neigh_set_probe_once(struct neighbour *neigh)
+ {
++ if (neigh->dead)
++ return;
+ neigh->updated = jiffies;
+ if (!(neigh->nud_state & NUD_FAILED))
+ return;
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e9f9a15..1e3abb8 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4443,7 +4443,7 @@ struct sk_buff *alloc_skb_with_frags(unsigned long header_len,
+
+ while (order) {
+ if (npages >= 1 << order) {
+- page = alloc_pages(gfp_mask |
++ page = alloc_pages((gfp_mask & ~__GFP_WAIT) |
+ __GFP_COMP |
+ __GFP_NOWARN |
+ __GFP_NORETRY,
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 71e3e5f..c77d5d2 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1895,7 +1895,7 @@ bool skb_page_frag_refill(unsigned int sz, struct page_frag *pfrag, gfp_t gfp)
+
+ pfrag->offset = 0;
+ if (SKB_FRAG_PAGE_ORDER) {
+- pfrag->page = alloc_pages(gfp | __GFP_COMP |
++ pfrag->page = alloc_pages((gfp & ~__GFP_WAIT) | __GFP_COMP |
+ __GFP_NOWARN | __GFP_NORETRY,
+ SKB_FRAG_PAGE_ORDER);
+ if (likely(pfrag->page)) {
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index d2e49ba..61edc49 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -228,6 +228,8 @@ int inet_listen(struct socket *sock, int backlog)
+ err = 0;
+ if (err)
+ goto out;
++
++ tcp_fastopen_init_key_once(true);
+ }
+ err = inet_csk_listen_start(sk, backlog);
+ if (err)
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 5cd9927..d9e8ff3 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -432,6 +432,15 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
+ kfree_skb(skb);
+ }
+
++/* For some errors we have valid addr_offset even with zero payload and
++ * zero port. Also, addr_offset should be supported if port is set.
++ */
++static inline bool ipv4_datagram_support_addr(struct sock_exterr_skb *serr)
++{
++ return serr->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
++ serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL || serr->port;
++}
++
+ /* IPv4 supports cmsg on all imcp errors and some timestamps
+ *
+ * Timestamp code paths do not initialize the fields expected by cmsg:
+@@ -498,7 +507,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ serr = SKB_EXT_ERR(skb);
+
+- if (sin && serr->port) {
++ if (sin && ipv4_datagram_support_addr(serr)) {
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = *(__be32 *)(skb_network_header(skb) +
+ serr->addr_offset);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 995a225..d03a344 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2541,10 +2541,13 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+
+ case TCP_FASTOPEN:
+ if (val >= 0 && ((1 << sk->sk_state) & (TCPF_CLOSE |
+- TCPF_LISTEN)))
++ TCPF_LISTEN))) {
++ tcp_fastopen_init_key_once(true);
++
+ err = fastopen_init_queue(sk, val);
+- else
++ } else {
+ err = -EINVAL;
++ }
+ break;
+ case TCP_TIMESTAMP:
+ if (!tp->repair)
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index ea82fd4..9c37181 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -78,8 +78,6 @@ static bool __tcp_fastopen_cookie_gen(const void *path,
+ struct tcp_fastopen_context *ctx;
+ bool ok = false;
+
+- tcp_fastopen_init_key_once(true);
+-
+ rcu_read_lock();
+ ctx = rcu_dereference(tcp_fastopen_ctx);
+ if (ctx) {
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index ace8dac..d174b91 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -325,6 +325,16 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
+ kfree_skb(skb);
+ }
+
++/* For some errors we have valid addr_offset even with zero payload and
++ * zero port. Also, addr_offset should be supported if port is set.
++ */
++static inline bool ipv6_datagram_support_addr(struct sock_exterr_skb *serr)
++{
++ return serr->ee.ee_origin == SO_EE_ORIGIN_ICMP6 ||
++ serr->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
++ serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL || serr->port;
++}
++
+ /* IPv6 supports cmsg on all origins aside from SO_EE_ORIGIN_LOCAL.
+ *
+ * At one point, excluding local errors was a quick test to identify icmp/icmp6
+@@ -389,7 +399,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ serr = SKB_EXT_ERR(skb);
+
+- if (sin && serr->port) {
++ if (sin && ipv6_datagram_support_addr(serr)) {
+ const unsigned char *nh = skb_network_header(skb);
+ sin->sin6_family = AF_INET6;
+ sin->sin6_flowinfo = 0;
+diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
+index 46214f2..2c75361 100644
+--- a/net/netfilter/nft_rbtree.c
++++ b/net/netfilter/nft_rbtree.c
+@@ -37,10 +37,11 @@ static bool nft_rbtree_lookup(const struct nft_set *set,
+ {
+ const struct nft_rbtree *priv = nft_set_priv(set);
+ const struct nft_rbtree_elem *rbe, *interval = NULL;
+- const struct rb_node *parent = priv->root.rb_node;
++ const struct rb_node *parent;
+ int d;
+
+ spin_lock_bh(&nft_rbtree_lock);
++ parent = priv->root.rb_node;
+ while (parent != NULL) {
+ rbe = rb_entry(parent, struct nft_rbtree_elem, node);
+
+@@ -158,7 +159,6 @@ static int nft_rbtree_get(const struct nft_set *set, struct nft_set_elem *elem)
+ struct nft_rbtree_elem *rbe;
+ int d;
+
+- spin_lock_bh(&nft_rbtree_lock);
+ while (parent != NULL) {
+ rbe = rb_entry(parent, struct nft_rbtree_elem, node);
+
+@@ -173,11 +173,9 @@ static int nft_rbtree_get(const struct nft_set *set, struct nft_set_elem *elem)
+ !(rbe->flags & NFT_SET_ELEM_INTERVAL_END))
+ nft_data_copy(&elem->data, rbe->data);
+ elem->flags = rbe->flags;
+- spin_unlock_bh(&nft_rbtree_lock);
+ return 0;
+ }
+ }
+- spin_unlock_bh(&nft_rbtree_lock);
+ return -ENOENT;
+ }
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index f8db706..bfe5c69 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct sock *sk)
+ sk_refcnt_debug_dec(sk);
+ }
+
+-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
+-{
+- int x = atomic_read(&f->rr_cur) + 1;
+-
+- if (x >= num)
+- x = 0;
+-
+- return x;
+-}
+-
+ static unsigned int fanout_demux_hash(struct packet_fanout *f,
+ struct sk_buff *skb,
+ unsigned int num)
+@@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
+ struct sk_buff *skb,
+ unsigned int num)
+ {
+- int cur, old;
++ unsigned int val = atomic_inc_return(&f->rr_cur);
+
+- cur = atomic_read(&f->rr_cur);
+- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
+- fanout_rr_next(f, num))) != cur)
+- cur = old;
+- return cur;
++ return val % num;
+ }
+
+ static unsigned int fanout_demux_cpu(struct packet_fanout *f,
+@@ -1347,7 +1333,7 @@ static int packet_rcv_fanout(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *pt, struct net_device *orig_dev)
+ {
+ struct packet_fanout *f = pt->af_packet_priv;
+- unsigned int num = f->num_members;
++ unsigned int num = READ_ONCE(f->num_members);
+ struct packet_sock *po;
+ unsigned int idx;
+
+diff --git a/net/sctp/output.c b/net/sctp/output.c
+index fc5e45b..abe7c2d 100644
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -599,7 +599,9 @@ out:
+ return err;
+ no_route:
+ kfree_skb(nskb);
+- IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES);
++
++ if (asoc)
++ IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES);
+
+ /* FIXME: Returning the 'err' will effect all the associations
+ * associated with a socket, although only one of the paths of the
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index aafe94b..4e56571 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk, long timeout)
+
+ /* Supposedly, no process has access to the socket, but
+ * the net layers still may.
++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
++ * held and that should be grabbed before socket lock.
+ */
+- local_bh_disable();
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ bh_lock_sock(sk);
+
+ /* Hold the sock, since sk_common_release() will put sock_put()
+@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk, long timeout)
+ sk_common_release(sk);
+
+ bh_unlock_sock(sk);
+- local_bh_enable();
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+
+ sock_put(sk);
+
+@@ -3587,6 +3589,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
+ if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
+ return 0;
+
++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ if (val == 0 && sp->do_auto_asconf) {
+ list_del(&sp->auto_asconf_list);
+ sp->do_auto_asconf = 0;
+@@ -3595,6 +3598,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
+ &sock_net(sk)->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+ }
++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ return 0;
+ }
+
+@@ -4128,18 +4132,28 @@ static int sctp_init_sock(struct sock *sk)
+ local_bh_disable();
+ percpu_counter_inc(&sctp_sockets_allocated);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
++
++ /* Nothing can fail after this block, otherwise
++ * sctp_destroy_sock() will be called without addr_wq_lock held
++ */
+ if (net->sctp.default_auto_asconf) {
++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list,
+ &net->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+- } else
++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
++ } else {
+ sp->do_auto_asconf = 0;
++ }
++
+ local_bh_enable();
+
+ return 0;
+ }
+
+-/* Cleanup any SCTP per socket resources. */
++/* Cleanup any SCTP per socket resources. Must be called with
++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
++ */
+ static void sctp_destroy_sock(struct sock *sk)
+ {
+ struct sctp_sock *sp;
+@@ -7202,6 +7216,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
+ newinet->mc_list = NULL;
+ }
+
++static inline void sctp_copy_descendant(struct sock *sk_to,
++ const struct sock *sk_from)
++{
++ int ancestor_size = sizeof(struct inet_sock) +
++ sizeof(struct sctp_sock) -
++ offsetof(struct sctp_sock, auto_asconf_list);
++
++ if (sk_from->sk_family == PF_INET6)
++ ancestor_size += sizeof(struct ipv6_pinfo);
++
++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
++}
++
+ /* Populate the fields of the newsk from the oldsk and migrate the assoc
+ * and its messages to the newsk.
+ */
+@@ -7216,7 +7243,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
+ struct sk_buff *skb, *tmp;
+ struct sctp_ulpevent *event;
+ struct sctp_bind_hashbucket *head;
+- struct list_head tmplist;
+
+ /* Migrate socket buffer sizes and all the socket level options to the
+ * new socket.
+@@ -7224,12 +7250,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
+ newsk->sk_sndbuf = oldsk->sk_sndbuf;
+ newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
+ /* Brute force copy old sctp opt. */
+- if (oldsp->do_auto_asconf) {
+- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
+- inet_sk_copy_descendant(newsk, oldsk);
+- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
+- } else
+- inet_sk_copy_descendant(newsk, oldsk);
++ sctp_copy_descendant(newsk, oldsk);
+
+ /* Restore the ep value that was overwritten with the above structure
+ * copy.
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 4d1a541..2588e08 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -404,6 +404,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
+ return sbsec->behavior == SECURITY_FS_USE_XATTR ||
+ sbsec->behavior == SECURITY_FS_USE_TRANS ||
+ sbsec->behavior == SECURITY_FS_USE_TASK ||
++ sbsec->behavior == SECURITY_FS_USE_NATIVE ||
+ /* Special handling. Genfs but also in-core setxattr handler */
+ !strcmp(sb->s_type->name, "sysfs") ||
+ !strcmp(sb->s_type->name, "pstore") ||
diff --git a/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch b/4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch
index c471dac..c0c4b69 100644
--- a/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch
+++ b/4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch
@@ -373,7 +373,7 @@ index 4d68ec8..9546b75 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index bd76a8e..ed02758 100644
+index 0e315d6..68f608f 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3662,10 +3662,10 @@ index ff0a68c..b312aa0 100644
sizeof(struct omap_wd_timer_platform_data));
WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
-index 4f25a7c..a81be85 100644
+index a351eff..87baad9 100644
--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
+++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
-@@ -179,7 +179,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
+@@ -178,7 +178,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
bool entered_lp2 = false;
if (tegra_pending_sgi())
@@ -6890,7 +6890,7 @@ index 33984c0..666a96d 100644
info.si_code = FPE_INTOVF;
info.si_signo = SIGFPE;
diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
-index f5e7dda..47198ec 100644
+index adf3886..ce8f002 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -816,7 +816,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
@@ -12512,7 +12512,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index b7d31ca..9481ec5 100644
+index 570c71d..992da93 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -132,7 +132,7 @@ config X86
@@ -28771,7 +28771,7 @@ index 106c015..2db7161 100644
0, 0, 0, /* CR3 checked later */
CR4_RESERVED_BITS,
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 3cb2b58..83c8e31 100644
+index 8ee4aa7..40c3d4c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -56,7 +56,7 @@
@@ -28810,10 +28810,10 @@ index 6e6d115..43fecbf 100644
goto error;
walker->ptep_user[walker->level - 1] = ptep_user;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index a4e62fc..fbbad55 100644
+index 1b32e29..076a16d 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -3568,7 +3568,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -3570,7 +3570,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
int cpu = raw_smp_processor_id();
struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
@@ -28825,7 +28825,7 @@ index a4e62fc..fbbad55 100644
load_TR_desc();
}
-@@ -3964,6 +3968,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -3966,6 +3970,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif
#endif
@@ -31146,6 +31146,19 @@ index b30b5eb..2b57052 100644
ret
CFI_ENDPROC
_ASM_NOKPROBE(restore)
+diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
+index ddf9ecb..e342586 100644
+--- a/arch/x86/lib/usercopy.c
++++ b/arch/x86/lib/usercopy.c
+@@ -20,7 +20,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
+ unsigned long ret;
+
+ if (__range_not_ok(from, n, TASK_SIZE))
+- return 0;
++ return n;
+
+ /*
+ * Even though this function is typically called from NMI/IRQ context
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index e2f5e21..4b22130 100644
--- a/arch/x86/lib/usercopy_32.c
@@ -39905,7 +39918,7 @@ index ad3f38f..8f086cd 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 872c577..5fb3c20 100644
+index 2c867a6..2d7d333 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -133,10 +133,10 @@ struct pstate_funcs {
@@ -44236,7 +44249,7 @@ index 92e2243..8fd9092 100644
.ident = "Shift",
.matches = {
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
-index 48882c1..93e0987 100644
+index 13cfbf4..b5184d9 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -823,11 +823,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
@@ -44264,7 +44277,7 @@ index 48882c1..93e0987 100644
CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
}
diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
-index bd6252b..0716605 100644
+index 2d1b203..b9f8e18 100644
--- a/drivers/iommu/arm-smmu.c
+++ b/drivers/iommu/arm-smmu.c
@@ -331,7 +331,7 @@ enum arm_smmu_domain_stage {
@@ -48264,7 +48277,7 @@ index 8a50b01..39c1ad0 100644
return 0;
}
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
-index d81fc6b..6f8ab25 100644
+index 5c92fb7..e0757dc 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
@@ -347,7 +347,7 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata,
@@ -49091,10 +49104,10 @@ index 79c00f5..8da39f6 100644
/* need lock to prevent incorrect read while modifying cyclecounter */
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
-index 8c234ec..757331f 100644
+index 35dd887..38b3476 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
-@@ -468,8 +468,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
+@@ -475,8 +475,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
wmb();
/* we want to dirty this cache line once */
@@ -49412,7 +49425,7 @@ index 34924df..a747360 100644
.priv_size = sizeof(struct nlmon),
.setup = nlmon_setup,
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
-index bdfe51f..e7845c7 100644
+index d551df6..fa4c2df 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -218,7 +218,7 @@ EXPORT_SYMBOL(phy_device_create);
@@ -68477,7 +68490,7 @@ index bbbe139..b76fae5 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index 922f23e..05e38ae 100644
+index b05c557..4bcc589 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -511,7 +511,7 @@ static void __dentry_kill(struct dentry *dentry)
@@ -68670,7 +68683,7 @@ index 922f23e..05e38ae 100644
if (!spin_trylock(&inode->i_lock)) {
spin_unlock(&dentry->d_lock);
cpu_relax();
-@@ -3311,7 +3314,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3300,7 +3303,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
dentry->d_flags |= DCACHE_GENOCIDE;
@@ -68679,7 +68692,7 @@ index 922f23e..05e38ae 100644
}
}
return D_WALK_CONTINUE;
-@@ -3427,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3416,7 +3419,8 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -71849,7 +71862,7 @@ index c274aca..772fa5e 100644
static int can_do_hugetlb_shm(void)
{
diff --git a/fs/inode.c b/fs/inode.c
-index f00b16f..b653fea 100644
+index c60671d..9c2eb5f 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -830,16 +830,20 @@ unsigned int get_next_ino(void)
@@ -72713,7 +72726,7 @@ index 50a8583..44c470a 100644
out:
return len;
diff --git a/fs/namespace.c b/fs/namespace.c
-index 13b0f7b..1ee96e7 100644
+index f07c769..9246b81 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1480,6 +1480,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -72832,7 +72845,7 @@ index 13b0f7b..1ee96e7 100644
get_fs_root(current->fs, &root);
old_mp = lock_mount(&old);
error = PTR_ERR(old_mp);
-@@ -3238,7 +3262,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
+@@ -3242,7 +3266,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
return -EPERM;
@@ -95313,10 +95326,10 @@ index 487ef34..d457f98 100644
/* Get the size of a DATA chunk payload. */
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
-index 2bb2fcf..d17c291 100644
+index 495c87e..5b327ff 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
-@@ -509,7 +509,7 @@ struct sctp_pf {
+@@ -513,7 +513,7 @@ struct sctp_pf {
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
struct sctp_af *af;
@@ -96784,9 +96797,18 @@ index 72ab759..757deba 100644
s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
s.backlog_wait_time = audit_backlog_wait_time;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index dc4ae70..2a2bddc 100644
+index dc4ae70..14681ff 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
+@@ -1023,7 +1023,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
+ * for strings that are too long, we should not have created
+ * any.
+ */
+- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
++ if (unlikely(len > MAX_ARG_STRLEN - 1)) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ return -1;
@@ -1955,7 +1955,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
}
@@ -110068,6 +110090,26 @@ index 8e385a0..a5bdd8e 100644
tty_port_close(&dev->port, tty, filp);
}
+diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
+index 4096089..c602d26 100644
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -371,6 +371,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br,
+ if (!p || p->br != br || p->state == BR_STATE_DISABLED)
+ return -EINVAL;
+
++ memset(&ip, 0, sizeof(ip));
+ ip.proto = entry->addr.proto;
+ if (ip.proto == htons(ETH_P_IP))
+ ip.u.ip4 = entry->addr.u.ip4;
+@@ -417,6 +418,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
+ if (!netif_running(br->dev) || br->multicast_disabled)
+ return -EINVAL;
+
++ memset(&ip, 0, sizeof(ip));
+ ip.proto = entry->addr.proto;
+ if (ip.proto == htons(ETH_P_IP)) {
+ if (timer_pending(&br->ip4_other_query.timer))
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 4fbcea0..69a6786 100644
--- a/net/bridge/br_netlink.c
@@ -110545,51 +110587,10 @@ index 1033725..340f65d 100644
fle->object = flo;
else
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
-index 70fe9e1..c55e69d 100644
+index d0e5d66..c55e69d 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
-@@ -971,6 +971,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
- rc = 0;
- if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
- goto out_unlock_bh;
-+ if (neigh->dead)
-+ goto out_dead;
-
- if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
- if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
-@@ -1027,6 +1029,13 @@ out_unlock_bh:
- write_unlock(&neigh->lock);
- local_bh_enable();
- return rc;
-+
-+out_dead:
-+ if (neigh->nud_state & NUD_STALE)
-+ goto out_unlock_bh;
-+ write_unlock_bh(&neigh->lock);
-+ kfree_skb(skb);
-+ return 1;
- }
- EXPORT_SYMBOL(__neigh_event_send);
-
-@@ -1090,6 +1099,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
- if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
- (old & (NUD_NOARP | NUD_PERMANENT)))
- goto out;
-+ if (neigh->dead)
-+ goto out;
-
- if (!(new & NUD_VALID)) {
- neigh_del_timer(neigh);
-@@ -1239,6 +1250,8 @@ EXPORT_SYMBOL(neigh_update);
- */
- void __neigh_set_probe_once(struct neighbour *neigh)
- {
-+ if (neigh->dead)
-+ return;
- neigh->updated = jiffies;
- if (!(neigh->nud_state & NUD_FAILED))
- return;
-@@ -2806,7 +2819,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
+@@ -2819,7 +2819,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
int size, ret;
@@ -110598,7 +110599,7 @@ index 70fe9e1..c55e69d 100644
tmp.extra1 = &zero;
tmp.extra2 = &unres_qlen_max;
-@@ -2868,7 +2881,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
+@@ -2881,7 +2881,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
void __user *buffer,
size_t *lenp, loff_t *ppos)
{
@@ -110835,7 +110836,7 @@ index 3b6899b..cf36238 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index e9f9a15..6eb024e 100644
+index 1e3abb8..d751ebd 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2139,7 +2139,7 @@ EXPORT_SYMBOL(__skb_checksum);
@@ -110865,7 +110866,7 @@ index e9f9a15..6eb024e 100644
}
diff --git a/net/core/sock.c b/net/core/sock.c
-index 71e3e5f..ab90920 100644
+index c77d5d2..c1d6a84 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -443,7 +443,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -111263,10 +111264,10 @@ index f46e4d1..30231f1 100644
return -ENOMEM;
}
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index d2e49ba..f78e8aa 100644
+index 61edc49..99991a4 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
-@@ -1390,7 +1390,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+@@ -1392,7 +1392,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
return ip_recv_error(sk, msg, len, addr_len);
#if IS_ENABLED(CONFIG_IPV6)
if (sk->sk_family == AF_INET6)
@@ -111577,10 +111578,10 @@ index 3d4da2c..40f9c29 100644
ICMP_PROT_UNREACH, 0);
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 5cd9927..8610b9f 100644
+index d9e8ff3..a70a150 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
-@@ -1254,7 +1254,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1263,7 +1263,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
len = min_t(unsigned int, len, opt->optlen);
if (put_user(len, optlen))
return -EFAULT;
@@ -111590,7 +111591,7 @@ index 5cd9927..8610b9f 100644
return -EFAULT;
return 0;
}
-@@ -1388,7 +1389,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1397,7 +1398,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
if (sk->sk_type != SOCK_STREAM)
return -ENOPROTOOPT;
@@ -112110,7 +112111,7 @@ index d151539..5f5e247 100644
goto err_reg;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 995a225..e1e9183 100644
+index d03a344..f3bbb71 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -520,8 +520,10 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
@@ -112632,10 +112633,10 @@ index e8c4400..a4cd5da 100644
err = ipv6_init_mibs(net);
if (err)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index ace8dac..bd6942d 100644
+index d174b91..34801a1 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
-@@ -957,5 +957,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
+@@ -967,5 +967,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
0,
sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -114418,7 +114419,7 @@ index bc85331..0d3dce0 100644
/**
* struct vport_portids - array of netlink portids of a vport.
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index f8db706..0e29f8f 100644
+index bfe5c69..24c3a37 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -269,7 +269,7 @@ static int packet_direct_xmit(struct sk_buff *skb)
@@ -114430,40 +114431,7 @@ index f8db706..0e29f8f 100644
kfree_skb(skb);
return NET_XMIT_DROP;
}
-@@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct sock *sk)
- sk_refcnt_debug_dec(sk);
- }
-
--static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
--{
-- int x = atomic_read(&f->rr_cur) + 1;
--
-- if (x >= num)
-- x = 0;
--
-- return x;
--}
--
- static unsigned int fanout_demux_hash(struct packet_fanout *f,
- struct sk_buff *skb,
- unsigned int num)
-@@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
- struct sk_buff *skb,
- unsigned int num)
- {
-- int cur, old;
-+ unsigned int val = atomic_inc_return(&f->rr_cur);
-
-- cur = atomic_read(&f->rr_cur);
-- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
-- fanout_rr_next(f, num))) != cur)
-- cur = old;
-- return cur;
-+ return val % num;
- }
-
- static unsigned int fanout_demux_cpu(struct packet_fanout *f,
-@@ -1847,7 +1833,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1833,7 +1833,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
@@ -114472,7 +114440,7 @@ index f8db706..0e29f8f 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk);
-@@ -1856,7 +1842,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1842,7 +1842,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_drops++;
@@ -114481,7 +114449,7 @@ index f8db706..0e29f8f 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3499,7 +3485,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3485,7 +3485,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -114490,7 +114458,7 @@ index f8db706..0e29f8f 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3545,7 +3531,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3531,7 +3531,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -115196,10 +115164,10 @@ index fef2acd..c705c4f 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index aafe94b..40b016f 100644
+index 4e56571..f5cf113 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -2205,11 +2205,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
+@@ -2207,11 +2207,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
{
struct sctp_association *asoc;
struct sctp_ulpevent *event;
@@ -115214,7 +115182,7 @@ index aafe94b..40b016f 100644
if (sctp_sk(sk)->subscribe.sctp_data_io_event)
pr_warn_ratelimited(DEPRECATED "%s (pid %d) "
-@@ -4378,13 +4380,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4392,13 +4394,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -115232,7 +115200,7 @@ index aafe94b..40b016f 100644
return -EFAULT;
return 0;
}
-@@ -4402,6 +4407,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4416,6 +4421,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -115241,7 +115209,7 @@ index aafe94b..40b016f 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4410,7 +4417,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4424,7 +4431,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -115251,7 +115219,7 @@ index aafe94b..40b016f 100644
return -EFAULT;
return 0;
}
-@@ -4784,12 +4792,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4798,12 +4806,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -115268,7 +115236,7 @@ index aafe94b..40b016f 100644
return -EFAULT;
return 0;
}
-@@ -4830,6 +4841,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4844,6 +4855,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
->addr_to_user(sp, &temp);
if (space_left < addrlen)
return -ENOMEM;
@@ -115967,6 +115935,18 @@ index ce9121e..fd1fcce 100644
err = __tipc_nl_compat_dumpit(&dump, msg, args);
kfree_skb(args);
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index b4d4467..afb49d4 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2071,6 +2071,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags)
+ res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1);
+ if (res)
+ goto exit;
++ security_sk_clone(sock->sk, new_sock->sk);
+
+ new_sk = new_sock->sk;
+ new_tsock = tipc_sk(new_sk);
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 72c339e..a93593a 100644
--- a/net/tipc/subscr.c
@@ -118425,10 +118405,20 @@ index afcc0ae..71f0525 100644
lock = &avc_cache.slots_lock[hvalue];
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 4d1a541..4d87c9b 100644
+index 2588e08..271f042 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
-@@ -5862,7 +5862,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
+@@ -3295,7 +3295,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
+ int rc = 0;
+
+ if (default_noexec &&
+- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
++ (!shared && (prot & PROT_WRITE)))) {
+ /*
+ * We are making executable an anonymous mapping or a
+ * private file mapping that will also be writable.
+@@ -5863,7 +5864,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -118438,7 +118428,7 @@ index 4d1a541..4d87c9b 100644
.name = "selinux",
.binder_set_context_mgr = selinux_binder_set_context_mgr,
-@@ -6208,6 +6209,9 @@ static void selinux_nf_ip_exit(void)
+@@ -6209,6 +6211,9 @@ static void selinux_nf_ip_exit(void)
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
@@ -118448,7 +118438,7 @@ index 4d1a541..4d87c9b 100644
int selinux_disable(void)
{
if (ss_initialized) {
-@@ -6225,7 +6229,9 @@ int selinux_disable(void)
+@@ -6226,7 +6231,9 @@ int selinux_disable(void)
selinux_disabled = 1;
selinux_enabled = 0;
diff --git a/4.0.7/4425_grsec_remove_EI_PAX.patch b/4.0.8/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/4.0.7/4425_grsec_remove_EI_PAX.patch
+++ b/4.0.8/4425_grsec_remove_EI_PAX.patch
diff --git a/4.0.7/4427_force_XATTR_PAX_tmpfs.patch b/4.0.8/4427_force_XATTR_PAX_tmpfs.patch
index a789f0b..a789f0b 100644
--- a/4.0.7/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.0.8/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.0.7/4430_grsec-remove-localversion-grsec.patch b/4.0.8/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.0.7/4430_grsec-remove-localversion-grsec.patch
+++ b/4.0.8/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.0.7/4435_grsec-mute-warnings.patch b/4.0.8/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.0.7/4435_grsec-mute-warnings.patch
+++ b/4.0.8/4435_grsec-mute-warnings.patch
diff --git a/4.0.7/4440_grsec-remove-protected-paths.patch b/4.0.8/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.0.7/4440_grsec-remove-protected-paths.patch
+++ b/4.0.8/4440_grsec-remove-protected-paths.patch
diff --git a/4.0.7/4450_grsec-kconfig-default-gids.patch b/4.0.8/4450_grsec-kconfig-default-gids.patch
index 61d903e..61d903e 100644
--- a/4.0.7/4450_grsec-kconfig-default-gids.patch
+++ b/4.0.8/4450_grsec-kconfig-default-gids.patch
diff --git a/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch b/4.0.8/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.0.8/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.0.7/4470_disable-compat_vdso.patch b/4.0.8/4470_disable-compat_vdso.patch
index 7aefa02..7aefa02 100644
--- a/4.0.7/4470_disable-compat_vdso.patch
+++ b/4.0.8/4470_disable-compat_vdso.patch
diff --git a/4.0.7/4475_emutramp_default_on.patch b/4.0.8/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/4.0.7/4475_emutramp_default_on.patch
+++ b/4.0.8/4475_emutramp_default_on.patch