Grsec/PaX: 3.0-{3.2.67,3.14.33,3.18.7}-20150220080720150220

79 files changed, 8383 insertions, 1348 deletions

diff --git a/3.14.31/0000_README b/3.14.33/0000_README
index cd1e617..0785237 100644
--- a/3.14.31/0000_README
+++ b/3.14.33/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.14.31-201502052352.patch
+Patch:	4420_grsecurity-3.0-3.14.33-201502200812.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.31/4420_grsecurity-3.0-3.14.31-201502052352.patch b/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch
index 62bdff1..6f66607 100644
--- a/3.14.31/4420_grsecurity-3.0-3.14.31-201502052352.patch
+++ b/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch
@@ -292,7 +292,7 @@ index 5d91ba1..935a4e7 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 5abf670..9b24a3b 100644
+index b0963ca..76c9099 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3896,7 +3896,7 @@ index 7abde2c..9df495f 100644
  static bool of_init = false;
  
 diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
-index 6eb97b3..e77848e 100644
+index 4370933..e77848e 100644
 --- a/arch/arm/mm/context.c
 +++ b/arch/arm/mm/context.c
 @@ -43,7 +43,7 @@
@@ -3908,40 +3908,7 @@ index 6eb97b3..e77848e 100644
  static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
  
  static DEFINE_PER_CPU(atomic64_t, active_asids);
-@@ -144,21 +144,17 @@ static void flush_context(unsigned int cpu)
- 	/* Update the list of reserved ASIDs and the ASID bitmap. */
- 	bitmap_clear(asid_map, 0, NUM_USER_ASIDS);
- 	for_each_possible_cpu(i) {
--		if (i == cpu) {
--			asid = 0;
--		} else {
--			asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
--			/*
--			 * If this CPU has already been through a
--			 * rollover, but hasn't run another task in
--			 * the meantime, we must preserve its reserved
--			 * ASID, as this is the only trace we have of
--			 * the process it is still running.
--			 */
--			if (asid == 0)
--				asid = per_cpu(reserved_asids, i);
--			__set_bit(asid & ~ASID_MASK, asid_map);
--		}
-+		asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
-+		/*
-+		 * If this CPU has already been through a
-+		 * rollover, but hasn't run another task in
-+		 * the meantime, we must preserve its reserved
-+		 * ASID, as this is the only trace we have of
-+		 * the process it is still running.
-+		 */
-+		if (asid == 0)
-+			asid = per_cpu(reserved_asids, i);
-+		__set_bit(asid & ~ASID_MASK, asid_map);
- 		per_cpu(reserved_asids, i) = asid;
- 	}
- 
-@@ -182,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+@@ -178,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
  {
  	static u32 cur_idx = 1;
  	u64 asid = atomic64_read(&mm->context.id);
@@ -3950,7 +3917,7 @@ index 6eb97b3..e77848e 100644
  
  	if (asid != 0 && is_reserved_asid(asid)) {
  		/*
-@@ -203,7 +199,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+@@ -199,7 +199,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
  		 */
  		asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
  		if (asid == NUM_USER_ASIDS) {
@@ -3959,7 +3926,7 @@ index 6eb97b3..e77848e 100644
  							 &asid_generation);
  			flush_context(cpu);
  			asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
-@@ -234,14 +230,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
+@@ -230,14 +230,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
  	cpu_set_reserved_ttbr0();
  
  	asid = atomic64_read(&mm->context.id);
@@ -12635,7 +12602,7 @@ index 50f8c5e..4f84fff 100644
  	return diff;
  }
 diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index b5bb498..74110e8 100644
+index 67e9f5c..2af15db 100644
 --- a/arch/x86/boot/compressed/Makefile
 +++ b/arch/x86/boot/compressed/Makefile
 @@ -16,6 +16,9 @@ KBUILD_CFLAGS += $(cflags-y)
@@ -28225,7 +28192,7 @@ index e8edcf5..27f9344 100644
  		goto cannot_handle;
  	if ((segoffs >> 16) == BIOSSEG)
 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
-index da6b35a..977e9cf 100644
+index da6b35a..7ef6b87 100644
 --- a/arch/x86/kernel/vmlinux.lds.S
 +++ b/arch/x86/kernel/vmlinux.lds.S
 @@ -26,6 +26,13 @@
@@ -28406,7 +28373,6 @@ index da6b35a..977e9cf 100644
 +	.init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
 +		VMLINUX_SYMBOL(_sinittext) = .;
 +		INIT_TEXT
-+		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(PAGE_SIZE);
 +	} :text.init
  
@@ -28417,6 +28383,7 @@ index da6b35a..977e9cf 100644
 +	 */
 +	.exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
 +		EXIT_TEXT
++		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(16);
 +	} :text.exit
 +	. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
@@ -28834,18 +28801,10 @@ index 9643eda6..c9cb765 100644
  
  	local_irq_disable();
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index de42688..6e3ace5 100644
+index 80c22a3..ec2028e 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
-@@ -441,6 +441,7 @@ struct vcpu_vmx {
- #endif
- 		int           gs_ldt_reload_needed;
- 		int           fs_reload_needed;
-+		unsigned long vmcs_host_cr4;	/* May not match real cr4 */
- 	} host_state;
- 	struct {
- 		int vm86_active;
-@@ -1320,12 +1321,12 @@ static void vmcs_write64(unsigned long field, u64 value)
+@@ -1321,12 +1321,12 @@ static void vmcs_write64(unsigned long field, u64 value)
  #endif
  }
  
@@ -28860,7 +28819,7 @@ index de42688..6e3ace5 100644
  {
  	vmcs_writel(field, vmcs_readl(field) | mask);
  }
-@@ -1585,7 +1586,11 @@ static void reload_tss(void)
+@@ -1586,7 +1586,11 @@ static void reload_tss(void)
  	struct desc_struct *descs;
  
  	descs = (void *)gdt->address;
@@ -28872,7 +28831,7 @@ index de42688..6e3ace5 100644
  	load_TR_desc();
  }
  
-@@ -1809,6 +1814,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+@@ -1810,6 +1814,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
  		vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
  		vmcs_writel(HOST_GDTR_BASE, gdt->address);   /* 22.2.4 */
  
@@ -28883,7 +28842,7 @@ index de42688..6e3ace5 100644
  		rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
  		vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
  		vmx->loaded_vmcs->cpu = cpu;
-@@ -2098,7 +2107,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
+@@ -2099,7 +2107,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
   * reads and returns guest's timestamp counter "register"
   * guest_tsc = host_tsc + tsc_offset    -- 21.3
   */
@@ -28892,7 +28851,7 @@ index de42688..6e3ace5 100644
  {
  	u64 host_tsc, tsc_offset;
  
-@@ -3027,8 +3036,11 @@ static __init int hardware_setup(void)
+@@ -3028,8 +3036,11 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_flexpriority())
  		flexpriority_enabled = 0;
  
@@ -28906,7 +28865,7 @@ index de42688..6e3ace5 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -3039,13 +3051,15 @@ static __init int hardware_setup(void)
+@@ -3040,13 +3051,15 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_apicv())
  		enable_apicv = 0;
  
@@ -28926,26 +28885,18 @@ index de42688..6e3ace5 100644
  
  	if (nested)
  		nested_vmx_setup_ctls_msrs();
-@@ -4165,10 +4179,17 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
- 	u32 low32, high32;
- 	unsigned long tmpl;
- 	struct desc_ptr dt;
-+	unsigned long cr4;
+@@ -4169,7 +4182,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+ 	unsigned long cr4;
  
  	vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS);  /* 22.2.3 */
--	vmcs_writel(HOST_CR4, read_cr4());  /* 22.2.3, 22.2.5 */
++
 +#ifndef CONFIG_PAX_PER_CPU_PGD
  	vmcs_writel(HOST_CR3, read_cr3());  /* 22.2.3  FIXME: shadow tables */
 +#endif
-+
-+	/* Save the most likely value for this task's CR4 in the VMCS. */
-+	cr4 = read_cr4();
-+	vmcs_writel(HOST_CR4, cr4);			/* 22.2.3, 22.2.5 */
-+	vmx->host_state.vmcs_host_cr4 = cr4;
  
- 	vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS);  /* 22.2.4 */
- #ifdef CONFIG_X86_64
-@@ -4190,7 +4211,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+ 	/* Save the most likely value for this task's CR4 in the VMCS. */
+ 	cr4 = read_cr4();
+@@ -4196,7 +4212,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
  	vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
  	vmx->host_idt_base = dt.address;
  
@@ -28954,29 +28905,7 @@ index de42688..6e3ace5 100644
  
  	rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
  	vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -7196,7 +7217,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
- static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_vmx *vmx = to_vmx(vcpu);
--	unsigned long debugctlmsr;
-+	unsigned long debugctlmsr, cr4;
- 
- 	/* Record the guest's net vcpu time for enforced NMI injections. */
- 	if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
-@@ -7217,6 +7238,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
- 	if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
- 		vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
- 
-+	cr4 = read_cr4();
-+	if (unlikely(cr4 != vmx->host_state.vmcs_host_cr4)) {
-+		vmcs_writel(HOST_CR4, cr4);
-+		vmx->host_state.vmcs_host_cr4 = cr4;
-+	}
-+
- 	/* When single-stepping over STI and MOV SS, we must clear the
- 	 * corresponding interruptibility bits in the guest state. Otherwise
- 	 * vmentry fails as it then expects bit 14 (BS) in pending debug
-@@ -7275,6 +7302,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7287,6 +7303,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		"jmp 2f \n\t"
  		"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		"2: "
@@ -28989,7 +28918,7 @@ index de42688..6e3ace5 100644
  		/* Save guest registers, load host registers, keep flags */
  		"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
  		"pop %0 \n\t"
-@@ -7327,6 +7360,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7339,6 +7361,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
  		[wordsize]"i"(sizeof(ulong))
@@ -29001,7 +28930,7 @@ index de42688..6e3ace5 100644
  	      : "cc", "memory"
  #ifdef CONFIG_X86_64
  		, "rax", "rbx", "rdi", "rsi"
-@@ -7340,7 +7378,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7352,7 +7379,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	if (debugctlmsr)
  		update_debugctlmsr(debugctlmsr);
  
@@ -29010,7 +28939,7 @@ index de42688..6e3ace5 100644
  	/*
  	 * The sysexit path does not restore ds/es, so we must set them to
  	 * a reasonable value ourselves.
-@@ -7349,8 +7387,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7361,8 +7388,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	 * may be executed in interrupt context, which saves and restore segments
  	 * around it, nullifying its effect.
  	 */
@@ -33438,7 +33367,7 @@ index 7b179b49..6bd17777 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index 94bd247..7e48391 100644
+index 94bd247..49644a3 100644
 --- a/arch/x86/mm/ioremap.c
 +++ b/arch/x86/mm/ioremap.c
 @@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
@@ -33461,17 +33390,29 @@ index 94bd247..7e48391 100644
  {
  	struct vm_struct *p, *o;
  
-@@ -322,6 +322,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
- 
+@@ -317,23 +317,22 @@ EXPORT_SYMBOL(iounmap);
+  */
+ void *xlate_dev_mem_ptr(unsigned long phys)
+ {
+-	void *addr;
+-	unsigned long start = phys & PAGE_MASK;
+-
  	/* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
- 	if (page_is_ram(start >> PAGE_SHIFT))
+-	if (page_is_ram(start >> PAGE_SHIFT))
++	if (page_is_ram(phys >> PAGE_SHIFT))
 +#ifdef CONFIG_HIGHMEM
-+	if ((start >> PAGE_SHIFT) < max_low_pfn)
++	if ((phys >> PAGE_SHIFT) < max_low_pfn)
 +#endif
  		return __va(phys);
  
- 	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
-@@ -334,6 +337,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+-	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
+-	if (addr)
+-		addr = (void *)((unsigned long)addr | (phys & ~PAGE_MASK));
+-
+-	return addr;
++	return (void __force *)ioremap_cache(phys, PAGE_SIZE);
+ }
+ 
  void unxlate_dev_mem_ptr(unsigned long phys, void *addr)
  {
  	if (page_is_ram(phys >> PAGE_SHIFT))
@@ -33481,7 +33422,7 @@ index 94bd247..7e48391 100644
  		return;
  
  	iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
-@@ -351,7 +357,7 @@ static int __init early_ioremap_debug_setup(char *str)
+@@ -351,7 +350,7 @@ static int __init early_ioremap_debug_setup(char *str)
  early_param("early_ioremap_debug", early_ioremap_debug_setup);
  
  static __initdata int after_paging_init;
@@ -33490,7 +33431,7 @@ index 94bd247..7e48391 100644
  
  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
  {
-@@ -388,8 +394,7 @@ void __init early_ioremap_init(void)
+@@ -388,8 +387,7 @@ void __init early_ioremap_init(void)
  		slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
  
  	pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
@@ -34391,10 +34332,10 @@ index 0149575..f746de8 100644
 +	pax_force_retaddr
  	ret
 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index af2d431..bc63cba 100644
+index af2d431..c405730 100644
 --- a/arch/x86/net/bpf_jit_comp.c
 +++ b/arch/x86/net/bpf_jit_comp.c
-@@ -50,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
+@@ -50,13 +50,102 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
  	return ptr + len;
  }
  
@@ -34422,7 +34363,8 @@ index af2d431..bc63cba 100644
 +	EMIT2(0x81, 0xf1);			\
 +	EMIT((_key) ^ (_off), 4);		\
 +} while (0)
-+
++#define SHORT_JMP_LENGTH 2
++#define NEAR_JMP_LENGTH (5 + 8)
 +#define EMIT1_off32(b1, _off)								\
 +do { 											\
 +	switch (b1) {									\
@@ -34430,13 +34372,21 @@ index af2d431..bc63cba 100644
 +		case 0x2d: /* sub eax, imm32 */						\
 +		case 0x25: /* and eax, imm32 */						\
 +		case 0x0d: /* or eax, imm32 */						\
-+		case 0xb8: /* mov eax, imm32 */						\
 +		case 0x35: /* xor eax, imm32 */						\
 +		case 0x3d: /* cmp eax, imm32 */						\
-+		case 0xa9: /* test eax, imm32 */					\
 +			DILUTE_CONST_SEQUENCE(_off, randkey);				\
 +			EMIT2((b1) - 4, 0xc8); /* convert imm instruction to eax, ecx */\
 +			break;								\
++		case 0xb8: /* mov eax, imm32 */						\
++			DILUTE_CONST_SEQUENCE(_off, randkey);				\
++			/* mov eax, ecx */						\
++			EMIT2(0x89, 0xc8);						\
++			break;								\
++		case 0xa9: /* test eax, imm32 */					\
++			DILUTE_CONST_SEQUENCE(_off, randkey);				\
++			/* test eax, ecx */						\
++			EMIT2(0x85, 0xc8);						\
++			break;								\
 +		case 0xbb: /* mov ebx, imm32 */						\
 +			DILUTE_CONST_SEQUENCE(_off, randkey);				\
 +			/* mov ebx, ecx */						\
@@ -34452,8 +34402,9 @@ index af2d431..bc63cba 100644
 +			EMIT(_off, 4);							\
 +			break;								\
 +		case 0xe9: /* jmp rel imm32 */						\
++			BUG_ON((int)(_off) < 0);					\
 +			EMIT1(b1);							\
-+			EMIT(_off, 4);							\
++			EMIT(_off + 8, 4);						\
 +			/* prevent fall-through, we're not called if off = 0 */		\
 +			EMIT(0xcccccccc, 4);						\
 +			EMIT(0xcccccccc, 4);						\
@@ -34481,11 +34432,21 @@ index af2d431..bc63cba 100644
 +#else
  #define EMIT1_off32(b1, off)	do { EMIT1(b1); EMIT(off, 4);} while (0)
 +#define EMIT2_off32(b1, b2, off) do { EMIT2(b1, b2); EMIT(off, 4);} while (0)
++#define SHORT_JMP_LENGTH 2
++#define NEAR_JMP_LENGTH 5
 +#endif
  
  #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
  #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
-@@ -91,6 +168,24 @@ do {									\
+@@ -73,6 +162,7 @@ static inline bool is_near(int offset)
+ 
+ #define EMIT_JMP(offset)						\
+ do {									\
++        BUG_ON((int)(offset) < 0);					\
+ 	if (offset) {							\
+ 		if (is_near(offset))					\
+ 			EMIT2(0xeb, offset); /* jmp .+off8 */		\
+@@ -91,13 +181,33 @@ do {									\
  #define X86_JBE 0x76
  #define X86_JA  0x77
  
@@ -34509,16 +34470,18 @@ index af2d431..bc63cba 100644
 +
  #define EMIT_COND_JMP(op, offset)				\
  do {								\
++        BUG_ON((int)(offset) < 0);				\
  	if (is_near(offset))					\
-@@ -98,6 +193,7 @@ do {								\
+ 		EMIT2(op, offset); /* jxx .+off8 */		\
  	else {							\
  		EMIT2(0x0f, op + 0x10);				\
- 		EMIT(offset, 4); /* jxx .+off32 */		\
+-		EMIT(offset, 4); /* jxx .+off32 */		\
++		EMIT((offset) + 21, 4); /* jxx .+off32 */		\
 +		APPEND_FLOW_VERIFY();				\
  	}							\
  } while (0)
  
-@@ -145,55 +241,54 @@ static int pkt_type_offset(void)
+@@ -145,55 +255,54 @@ static int pkt_type_offset(void)
  	return -1;
  }
  
@@ -34590,7 +34553,7 @@ index af2d431..bc63cba 100644
  
  	if (!bpf_jit_enable)
  		return;
-@@ -203,10 +298,10 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -203,10 +312,10 @@ void bpf_jit_compile(struct sk_filter *fp)
  		return;
  
  	/* Before first pass, make a rough estimation of addrs[]
@@ -34603,7 +34566,7 @@ index af2d431..bc63cba 100644
  		addrs[i] = proglen;
  	}
  	cleanup_addr = proglen; /* epilogue address */
-@@ -285,6 +380,10 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -285,6 +394,10 @@ void bpf_jit_compile(struct sk_filter *fp)
  		for (i = 0; i < flen; i++) {
  			unsigned int K = filter[i].k;
  
@@ -34614,7 +34577,7 @@ index af2d431..bc63cba 100644
  			switch (filter[i].code) {
  			case BPF_S_ALU_ADD_X: /* A += X; */
  				seen |= SEEN_XREG;
-@@ -317,10 +416,8 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -317,10 +430,8 @@ void bpf_jit_compile(struct sk_filter *fp)
  			case BPF_S_ALU_MUL_K: /* A *= K */
  				if (is_imm8(K))
  					EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
@@ -34627,7 +34590,16 @@ index af2d431..bc63cba 100644
  				break;
  			case BPF_S_ALU_DIV_X: /* A /= X; */
  				seen |= SEEN_XREG;
-@@ -364,7 +461,11 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -333,7 +444,7 @@ void bpf_jit_compile(struct sk_filter *fp)
+ 					EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] -
+ 								(addrs[i] - 4));
+ 				} else {
+-					EMIT_COND_JMP(X86_JNE, 2 + 5);
++					EMIT_COND_JMP(X86_JNE, 2 + NEAR_JMP_LENGTH);
+ 					CLEAR_A();
+ 					EMIT1_off32(0xe9, cleanup_addr - (addrs[i] - 4)); /* jmp .+off32 */
+ 				}
+@@ -364,7 +475,11 @@ void bpf_jit_compile(struct sk_filter *fp)
  					break;
  				}
  				EMIT2(0x31, 0xd2);	/* xor %edx,%edx */
@@ -34639,7 +34611,7 @@ index af2d431..bc63cba 100644
  				EMIT2(0xf7, 0xf1);	/* div %ecx */
  				EMIT2(0x89, 0xd0);	/* mov %edx,%eax */
  				break;
-@@ -372,7 +473,11 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -372,7 +487,11 @@ void bpf_jit_compile(struct sk_filter *fp)
  				if (K == 1)
  					break;
  				EMIT2(0x31, 0xd2);	/* xor %edx,%edx */
@@ -34651,7 +34623,7 @@ index af2d431..bc63cba 100644
  				EMIT2(0xf7, 0xf1);	/* div %ecx */
  				break;
  			case BPF_S_ALU_AND_X:
-@@ -643,8 +748,7 @@ common_load_ind:		seen |= SEEN_DATAREF | SEEN_XREG;
+@@ -643,8 +762,7 @@ common_load_ind:		seen |= SEEN_DATAREF | SEEN_XREG;
  					if (is_imm8(K)) {
  						EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */
  					} else {
@@ -34661,7 +34633,16 @@ index af2d431..bc63cba 100644
  					}
  				} else {
  					EMIT2(0x89,0xde); /* mov %ebx,%esi */
-@@ -734,10 +838,12 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+@@ -717,7 +835,7 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+ 				}
+ 				if (filter[i].jt != 0) {
+ 					if (filter[i].jf && f_offset)
+-						t_offset += is_near(f_offset) ? 2 : 5;
++						t_offset += is_near(f_offset) ? SHORT_JMP_LENGTH : NEAR_JMP_LENGTH;
+ 					EMIT_COND_JMP(t_op, t_offset);
+ 					if (filter[i].jf)
+ 						EMIT_JMP(f_offset);
+@@ -734,10 +852,12 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
  				if (unlikely(proglen + ilen > oldproglen)) {
  					pr_err("bpb_jit_compile fatal error\n");
  					kfree(addrs);
@@ -34675,7 +34656,7 @@ index af2d431..bc63cba 100644
  			}
  			proglen += ilen;
  			addrs[i] = proglen;
-@@ -770,7 +876,6 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+@@ -770,7 +890,6 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
  
  	if (image) {
  		bpf_flush_icache(header, image + proglen);
@@ -34683,7 +34664,7 @@ index af2d431..bc63cba 100644
  		fp->bpf_func = (void *)image;
  	}
  out:
-@@ -782,10 +887,8 @@ static void bpf_jit_free_deferred(struct work_struct *work)
+@@ -782,10 +901,8 @@ static void bpf_jit_free_deferred(struct work_struct *work)
  {
  	struct sk_filter *fp = container_of(work, struct sk_filter, work);
  	unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
@@ -50574,10 +50555,10 @@ index 84419af..268ede8 100644
  					&dev_attr_energy_uj.attr;
  	}
 diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
-index afca1bc..86840b8 100644
+index b798404..cd11618 100644
 --- a/drivers/regulator/core.c
 +++ b/drivers/regulator/core.c
-@@ -3366,7 +3366,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+@@ -3368,7 +3368,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
  {
  	const struct regulation_constraints *constraints = NULL;
  	const struct regulator_init_data *init_data;
@@ -50586,7 +50567,7 @@ index afca1bc..86840b8 100644
  	struct regulator_dev *rdev;
  	struct device *dev;
  	int ret, i;
-@@ -3436,7 +3436,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+@@ -3438,7 +3438,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
  	rdev->dev.of_node = config->of_node;
  	rdev->dev.parent = dev;
  	dev_set_name(&rdev->dev, "regulator.%d",
@@ -52623,7 +52604,7 @@ index 24884ca..26c8220 100644
  	login->tgt_agt = sbp_target_agent_register(login);
  	if (IS_ERR(login->tgt_agt)) {
 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
-index 38b4be2..c68af1c 100644
+index 26ae688..ca12181 100644
 --- a/drivers/target/target_core_device.c
 +++ b/drivers/target/target_core_device.c
 @@ -1526,7 +1526,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
@@ -60031,37 +60012,10 @@ index 5d12d69..161d0ce 100644
  GLOBAL_EXTERN atomic_t smBufAllocCount;
  GLOBAL_EXTERN atomic_t midCount;
 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
-index d375322..2f1ac75 100644
+index 0218a9b..2f1ac75 100644
 --- a/fs/cifs/file.c
 +++ b/fs/cifs/file.c
-@@ -366,6 +366,7 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 	struct cifsLockInfo *li, *tmp;
- 	struct cifs_fid fid;
- 	struct cifs_pending_open open;
-+	bool oplock_break_cancelled;
- 
- 	spin_lock(&cifs_file_list_lock);
- 	if (--cifs_file->count > 0) {
-@@ -397,7 +398,7 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 	}
- 	spin_unlock(&cifs_file_list_lock);
- 
--	cancel_work_sync(&cifs_file->oplock_break);
-+	oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
- 
- 	if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
- 		struct TCP_Server_Info *server = tcon->ses->server;
-@@ -409,6 +410,9 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 		_free_xid(xid);
- 	}
- 
-+	if (oplock_break_cancelled)
-+		cifs_done_oplock_break(cifsi);
-+
- 	cifs_del_pending_open(&open);
- 
- 	/*
-@@ -1900,10 +1904,14 @@ static int cifs_writepages(struct address_space *mapping,
+@@ -1904,10 +1904,14 @@ static int cifs_writepages(struct address_space *mapping,
  		index = mapping->writeback_index; /* Start from prev offset */
  		end = -1;
  	} else {
@@ -60715,7 +60669,7 @@ index a93f7e6..d58bcbe 100644
  		return 0;
  	while (nr) {
 diff --git a/fs/dcache.c b/fs/dcache.c
-index 4366127..581b312 100644
+index 4366127..b8c2cf9 100644
 --- a/fs/dcache.c
 +++ b/fs/dcache.c
 @@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head)
@@ -60850,7 +60804,17 @@ index 4366127..581b312 100644
  	dentry->d_flags = 0;
  	spin_lock_init(&dentry->d_lock);
  	seqcount_init(&dentry->d_seq);
-@@ -2275,7 +2276,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
+@@ -1521,6 +1522,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+ 	dentry->d_sb = sb;
+ 	dentry->d_op = NULL;
+ 	dentry->d_fsdata = NULL;
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	atomic_set(&dentry->chroot_refcnt, 0);
++#endif
+ 	INIT_HLIST_BL_NODE(&dentry->d_hash);
+ 	INIT_LIST_HEAD(&dentry->d_lru);
+ 	INIT_LIST_HEAD(&dentry->d_subdirs);
+@@ -2275,7 +2279,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
  				goto next;
  		}
  
@@ -60859,7 +60823,7 @@ index 4366127..581b312 100644
  		found = dentry;
  		spin_unlock(&dentry->d_lock);
  		break;
-@@ -2374,7 +2375,7 @@ again:
+@@ -2374,7 +2378,7 @@ again:
  	spin_lock(&dentry->d_lock);
  	inode = dentry->d_inode;
  	isdir = S_ISDIR(inode->i_mode);
@@ -60868,7 +60832,7 @@ index 4366127..581b312 100644
  		if (!spin_trylock(&inode->i_lock)) {
  			spin_unlock(&dentry->d_lock);
  			cpu_relax();
-@@ -3318,7 +3319,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3318,7 +3322,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
  
  		if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
  			dentry->d_flags |= DCACHE_GENOCIDE;
@@ -60877,7 +60841,7 @@ index 4366127..581b312 100644
  		}
  	}
  	return D_WALK_CONTINUE;
-@@ -3434,7 +3435,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3434,7 +3438,8 @@ void __init vfs_caches_init(unsigned long mempages)
  	mempages -= reserve;
  
  	names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -62309,7 +62273,7 @@ index 92567d9..fcd8cbf 100644
  
  	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
 diff --git a/fs/fs_struct.c b/fs/fs_struct.c
-index 7dca743..543d620 100644
+index 7dca743..2f2786d 100644
 --- a/fs/fs_struct.c
 +++ b/fs/fs_struct.c
 @@ -4,6 +4,7 @@
@@ -62320,15 +62284,27 @@ index 7dca743..543d620 100644
  #include "internal.h"
  
  /*
-@@ -19,6 +20,7 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
+@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
+ 	struct path old_root;
+ 
+ 	path_get(path);
++	gr_inc_chroot_refcnts(path->dentry, path->mnt);
+ 	spin_lock(&fs->lock);
  	write_seqcount_begin(&fs->seq);
  	old_root = fs->root;
  	fs->root = *path;
 +	gr_set_chroot_entries(current, path);
  	write_seqcount_end(&fs->seq);
  	spin_unlock(&fs->lock);
- 	if (old_root.dentry)
-@@ -67,6 +69,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
+-	if (old_root.dentry)
++	if (old_root.dentry) {
++		gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
+ 		path_put(&old_root);
++	}
+ }
+ 
+ /*
+@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
  			int hits = 0;
  			spin_lock(&fs->lock);
  			write_seqcount_begin(&fs->seq);
@@ -62339,7 +62315,15 @@ index 7dca743..543d620 100644
  			hits += replace_path(&fs->root, old_root, new_root);
  			hits += replace_path(&fs->pwd, old_root, new_root);
  			write_seqcount_end(&fs->seq);
-@@ -99,7 +105,8 @@ void exit_fs(struct task_struct *tsk)
+@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
+ 
+ void free_fs_struct(struct fs_struct *fs)
+ {
++	gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
+ 	path_put(&fs->root);
+ 	path_put(&fs->pwd);
+ 	kmem_cache_free(fs_cachep, fs);
+@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk)
  		task_lock(tsk);
  		spin_lock(&fs->lock);
  		tsk->fs = NULL;
@@ -62349,7 +62333,7 @@ index 7dca743..543d620 100644
  		spin_unlock(&fs->lock);
  		task_unlock(tsk);
  		if (kill)
-@@ -112,7 +119,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
+@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
  	struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
  	/* We don't need to lock fs - think why ;-) */
  	if (fs) {
@@ -62358,7 +62342,7 @@ index 7dca743..543d620 100644
  		fs->in_exec = 0;
  		spin_lock_init(&fs->lock);
  		seqcount_init(&fs->seq);
-@@ -121,6 +128,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
+@@ -121,6 +132,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
  		spin_lock(&old->lock);
  		fs->root = old->root;
  		path_get(&fs->root);
@@ -62368,7 +62352,7 @@ index 7dca743..543d620 100644
  		fs->pwd = old->pwd;
  		path_get(&fs->pwd);
  		spin_unlock(&old->lock);
-@@ -139,8 +149,9 @@ int unshare_fs_struct(void)
+@@ -139,8 +153,9 @@ int unshare_fs_struct(void)
  
  	task_lock(current);
  	spin_lock(&fs->lock);
@@ -62379,7 +62363,7 @@ index 7dca743..543d620 100644
  	spin_unlock(&fs->lock);
  	task_unlock(current);
  
-@@ -153,13 +164,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
+@@ -153,13 +168,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
  
  int current_umask(void)
  {
@@ -64185,7 +64169,7 @@ index b29e42f..5ea7fdf 100644
  #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
  
 diff --git a/fs/namei.c b/fs/namei.c
-index 0dd72c8..34dd17d 100644
+index 0dd72c8..b058c6d 100644
 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -64752,10 +64736,18 @@ index 0dd72c8..34dd17d 100644
  	done_path_create(&new_path, new_dentry);
  	if (delegated_inode) {
  		error = break_deleg_wait(&delegated_inode);
-@@ -4239,6 +4433,12 @@ retry_deleg:
+@@ -4239,6 +4433,20 @@ retry_deleg:
  	if (new_dentry == trap)
  		goto exit5;
  
++	if (gr_bad_chroot_rename(old_dentry, oldnd.path.mnt, new_dentry, newnd.path.mnt)) {
++		/* use EXDEV error to cause 'mv' to switch to an alternative
++		 * method for usability
++		 */
++		error = -EXDEV;
++		goto exit5;
++	}
++
 +	error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
 +				     old_dentry, old_dir->d_inode, oldnd.path.mnt,
 +				     to);
@@ -64765,7 +64757,7 @@ index 0dd72c8..34dd17d 100644
  	error = security_path_rename(&oldnd.path, old_dentry,
  				     &newnd.path, new_dentry);
  	if (error)
-@@ -4246,6 +4446,9 @@ retry_deleg:
+@@ -4246,6 +4454,9 @@ retry_deleg:
  	error = vfs_rename(old_dir->d_inode, old_dentry,
  				   new_dir->d_inode, new_dentry,
  				   &delegated_inode);
@@ -64775,7 +64767,7 @@ index 0dd72c8..34dd17d 100644
  exit5:
  	dput(new_dentry);
  exit4:
-@@ -4282,6 +4485,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4282,6 +4493,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
  
  int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
  {
@@ -64784,7 +64776,7 @@ index 0dd72c8..34dd17d 100644
  	int len;
  
  	len = PTR_ERR(link);
-@@ -4291,7 +4496,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4291,7 +4504,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
  	len = strlen(link);
  	if (len > (unsigned) buflen)
  		len = buflen;
@@ -69182,10 +69174,10 @@ index f9bb590..af3c389 100644
  
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..cdaa3ef
+index 0000000..49e1a77
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1168 @@
+@@ -0,0 +1,1184 @@
 +#
 +# grecurity configuration
 +#
@@ -69828,6 +69820,22 @@ index 0000000..cdaa3ef
 +	  sysctl option is enabled, a sysctl option with name
 +	  "chroot_deny_sysctl" is created.
 +
++config GRKERNSEC_CHROOT_RENAME
++	bool "Deny bad renames"
++	default y if GRKERNSEC_CONFIG_AUTO
++	depends on GRKERNSEC_CHROOT
++	help
++	  If you say Y here, an attacker in a chroot will not be able to
++	  abuse the ability to create double chroots to break out of the
++	  chroot by exploiting a race condition between a rename of a directory
++	  within a chroot against an open of a symlink with relative path
++	  components.  This feature will likewise prevent an accomplice outside
++	  a chroot from enabling a user inside the chroot to break out and make
++	  use of their credentials on the global filesystem.  Enabling this
++	  feature is essential to prevent root users from breaking out of a
++	  chroot. If the sysctl option is enabled, a sysctl option with name
++	  "chroot_deny_bad_rename" is created.
++
 +config GRKERNSEC_CHROOT_CAPS
 +	bool "Capability restrictions"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -76941,10 +76949,10 @@ index 0000000..bc0be01
 +}
 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
 new file mode 100644
-index 0000000..baa635c
+index 0000000..2a43673
 --- /dev/null
 +++ b/grsecurity/grsec_chroot.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,469 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -76960,6 +76968,88 @@ index 0000000..baa635c
 +int gr_init_ran;
 +#endif
 +
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *tmpd = dentry;
++
++	read_seqlock_excl(&mount_lock);
++	write_seqlock(&rename_lock);
++
++	while (tmpd != mnt->mnt_root) {
++		atomic_inc(&tmpd->chroot_refcnt);
++		tmpd = tmpd->d_parent;
++	}
++	atomic_inc(&tmpd->chroot_refcnt);
++
++	write_sequnlock(&rename_lock);
++	read_sequnlock_excl(&mount_lock);
++#endif
++}
++
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *tmpd = dentry;
++
++	read_seqlock_excl(&mount_lock);
++	write_seqlock(&rename_lock);
++
++	while (tmpd != mnt->mnt_root) {
++		atomic_dec(&tmpd->chroot_refcnt);
++		tmpd = tmpd->d_parent;
++	}
++	atomic_dec(&tmpd->chroot_refcnt);
++
++	write_sequnlock(&rename_lock);
++	read_sequnlock_excl(&mount_lock);
++#endif
++}
++
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++static struct dentry *get_closest_chroot(struct dentry *dentry)
++{
++	write_seqlock(&rename_lock);
++	do {
++		if (atomic_read(&dentry->chroot_refcnt)) {
++			write_sequnlock(&rename_lock);
++			return dentry;
++		}
++		dentry = dentry->d_parent;
++	} while (!IS_ROOT(dentry));
++	write_sequnlock(&rename_lock);
++	return NULL;
++}
++#endif
++
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
++			 struct dentry *newdentry, struct vfsmount *newmnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *chroot;
++
++	if (unlikely(!grsec_enable_chroot_rename))
++		return 0;
++
++	if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid())))
++		return 0;
++
++	chroot = get_closest_chroot(olddentry);
++
++	if (chroot == NULL)
++		return 0;
++
++	if (is_subdir(newdentry, chroot))
++		return 0;
++
++	gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
++
++	return 1;
++#else
++	return 0;
++#endif
++}
++
 +void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
 +{
 +#ifdef CONFIG_GRKERNSEC
@@ -78032,10 +78122,10 @@ index 0000000..8ca18bf
 +}
 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
 new file mode 100644
-index 0000000..b7cb191
+index 0000000..4ed9e7d
 --- /dev/null
 +++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,290 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -78078,6 +78168,7 @@ index 0000000..b7cb191
 +int grsec_enable_chroot_nice;
 +int grsec_enable_chroot_execlog;
 +int grsec_enable_chroot_caps;
++int grsec_enable_chroot_rename;
 +int grsec_enable_chroot_sysctl;
 +int grsec_enable_chroot_unix;
 +int grsec_enable_tpe;
@@ -78289,6 +78380,9 @@ index 0000000..b7cb191
 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
 +	grsec_enable_chroot_caps = 1;
 +#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	grsec_enable_chroot_rename = 1;
++#endif
 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
 +	grsec_enable_chroot_sysctl = 1;
 +#endif
@@ -79519,10 +79613,10 @@ index 0000000..e3650b6
 +}
 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
 new file mode 100644
-index 0000000..8159888
+index 0000000..cce889e
 --- /dev/null
 +++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,479 @@
+@@ -0,0 +1,488 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -79792,6 +79886,15 @@ index 0000000..8159888
 +		.proc_handler	= &proc_dointvec,
 +	},
 +#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	{
++		.procname	= "chroot_deny_bad_rename",
++		.data		= &grsec_enable_chroot_rename,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= &proc_dointvec,
++	},
++#endif
 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
 +	{
 +		.procname	= "chroot_deny_sysctl",
@@ -81319,6 +81422,39 @@ index 2507fd2..55203f8 100644
  /*
   * Mark a position in code as unreachable.  This can be used to
   * suppress control flow warnings after asm blocks that transfer
+diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
+index cdd1cc2..59dc542 100644
+--- a/include/linux/compiler-gcc5.h
++++ b/include/linux/compiler-gcc5.h
+@@ -28,6 +28,28 @@
+ # define __compiletime_error(message) __attribute__((error(message)))
+ #endif /* __CHECKER__ */
+ 
++#define __alloc_size(...)	__attribute((alloc_size(__VA_ARGS__)))
++#define __bos(ptr, arg)		__builtin_object_size((ptr), (arg))
++#define __bos0(ptr)		__bos((ptr), 0)
++#define __bos1(ptr)		__bos((ptr), 1)
++
++#ifdef CONSTIFY_PLUGIN
++#error not yet
++#define __no_const __attribute__((no_const))
++#define __do_const __attribute__((do_const))
++#endif
++
++#ifdef SIZE_OVERFLOW_PLUGIN
++#error not yet
++#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
++#endif
++
++#ifdef LATENT_ENTROPY_PLUGIN
++#error not yet
++#define __latent_entropy __attribute__((latent_entropy))
++#endif
++
+ /*
+  * Mark a position in code as unreachable.  This can be used to
+  * suppress control flow warnings after asm blocks that transfer
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
 index 2472740..4857634 100644
 --- a/include/linux/compiler.h
@@ -81675,10 +81811,20 @@ index 653589e..4ef254a 100644
  	return c | 0x20;
  }
 diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 3b50cac..71a4cec 100644
+index 3b50cac..a3b0c8a 100644
 --- a/include/linux/dcache.h
 +++ b/include/linux/dcache.h
-@@ -133,7 +133,7 @@ struct dentry {
+@@ -123,6 +123,9 @@ struct dentry {
+ 	unsigned long d_time;		/* used by d_revalidate */
+ 	void *d_fsdata;			/* fs-specific data */
+ 
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	atomic_t chroot_refcnt;		/* tracks use of directory in chroot */
++#endif
+ 	struct list_head d_lru;		/* LRU list */
+ 	/*
+ 	 * d_child and d_rcu can share memory
+@@ -133,7 +136,7 @@ struct dentry {
  	} d_u;
  	struct list_head d_subdirs;	/* our children */
  	struct hlist_node d_alias;	/* inode alias list */
@@ -82802,10 +82948,10 @@ index 0000000..be66033
 +#endif
 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
 new file mode 100644
-index 0000000..d25522e
+index 0000000..fb1de5d
 --- /dev/null
 +++ b/include/linux/grinternal.h
-@@ -0,0 +1,229 @@
+@@ -0,0 +1,230 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
 +
@@ -82865,6 +83011,7 @@ index 0000000..d25522e
 +extern int grsec_enable_chroot_nice;
 +extern int grsec_enable_chroot_execlog;
 +extern int grsec_enable_chroot_caps;
++extern int grsec_enable_chroot_rename;
 +extern int grsec_enable_chroot_sysctl;
 +extern int grsec_enable_chroot_unix;
 +extern int grsec_enable_symlinkown;
@@ -83037,10 +83184,10 @@ index 0000000..d25522e
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b02ba9d
+index 0000000..26ef560
 --- /dev/null
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,118 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -83084,6 +83231,7 @@ index 0000000..b02ba9d
 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
++#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
@@ -83160,10 +83308,10 @@ index 0000000..b02ba9d
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..acda855
+index 0000000..40e9e6a
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,259 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -83387,14 +83535,19 @@ index 0000000..acda855
 +
 +#ifdef CONFIG_GRKERNSEC_RESLOG
 +extern void gr_log_resource(const struct task_struct *task, const int res,
-+				   const unsigned long wanted, const int gt);
++				const unsigned long wanted, const int gt);
 +#else
 +static inline void gr_log_resource(const struct task_struct *task, const int res,
-+				   const unsigned long wanted, const int gt)
++				const unsigned long wanted, const int gt)
 +{
 +}
 +#endif
 +
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
++			 struct dentry *newdentry, struct vfsmount *newmnt);
++
 +#ifdef CONFIG_GRKERNSEC
 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
 +void gr_handle_vm86(void);
@@ -93826,10 +93979,10 @@ index 52f881d..1e9f941 100644
  	set_fs(seg);
  	if (ret >= 0 && uoss_ptr)  {
 diff --git a/kernel/smpboot.c b/kernel/smpboot.c
-index eb89e18..a4e6792 100644
+index 60d35ac5..59d289f 100644
 --- a/kernel/smpboot.c
 +++ b/kernel/smpboot.c
-@@ -288,7 +288,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
+@@ -289,7 +289,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
  		}
  		smpboot_unpark_thread(plug_thread, cpu);
  	}
@@ -93837,8 +93990,8 @@ index eb89e18..a4e6792 100644
 +	pax_list_add(&plug_thread->list, &hotplug_threads);
  out:
  	mutex_unlock(&smpboot_threads_lock);
- 	return ret;
-@@ -305,7 +305,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
+ 	put_online_cpus();
+@@ -307,7 +307,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
  {
  	get_online_cpus();
  	mutex_lock(&smpboot_threads_lock);
@@ -95205,10 +95358,10 @@ index c9b6f01..37781d9 100644
  	.thread_should_run	= watchdog_should_run,
  	.thread_fn		= watchdog,
 diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index b4defde..f092808 100644
+index f6f31d8..bbe30db 100644
 --- a/kernel/workqueue.c
 +++ b/kernel/workqueue.c
-@@ -4703,7 +4703,7 @@ static void rebind_workers(struct worker_pool *pool)
+@@ -4687,7 +4687,7 @@ static void rebind_workers(struct worker_pool *pool)
  		WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
  		worker_flags |= WORKER_REBOUND;
  		worker_flags &= ~WORKER_UNBOUND;
@@ -97576,7 +97729,7 @@ index b1eb536..091d154 100644
  	    capable(CAP_IPC_LOCK))
  		ret = do_mlockall(flags);
 diff --git a/mm/mmap.c b/mm/mmap.c
-index 085bcd8..cb98f9f 100644
+index 085bcd8..916b1d4 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -37,6 +37,7 @@
@@ -97641,6 +97794,24 @@ index 085bcd8..cb98f9f 100644
  /*
   * Make sure vm_committed_as in one cacheline and not cacheline shared with
   * other variables. It can be updated by several CPUs frequently.
+@@ -129,7 +150,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed, reserve;
++	long free, allowed, reserve;
+ 
+ 	vm_acct_memory(pages);
+ 
+@@ -193,7 +214,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 	 */
+ 	if (mm) {
+ 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
+-		allowed -= min(mm->total_vm / 32, reserve);
++		allowed -= min_t(long, mm->total_vm / 32, reserve);
+ 	}
+ 
+ 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)
 @@ -247,6 +268,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
  	struct vm_area_struct *next = vma->vm_next;
  
@@ -99169,7 +99340,7 @@ index 05f1180..c3cde48 100644
  out:
  	if (ret & ~PAGE_MASK)
 diff --git a/mm/nommu.c b/mm/nommu.c
-index 3ee4f74..9f4fdd8 100644
+index 3ee4f74..d79b8e2 100644
 --- a/mm/nommu.c
 +++ b/mm/nommu.c
 @@ -66,7 +66,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
@@ -99204,6 +99375,24 @@ index 3ee4f74..9f4fdd8 100644
  	*region = *vma->vm_region;
  	new->vm_region = region;
  
+@@ -1905,7 +1896,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed, reserve;
++	long free, allowed, reserve;
+ 
+ 	vm_acct_memory(pages);
+ 
+@@ -1969,7 +1960,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 	 */
+ 	if (mm) {
+ 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
+-		allowed -= min(mm->total_vm / 32, reserve);
++		allowed -= min_t(long, mm->total_vm / 32, reserve);
+ 	}
+ 
+ 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)
 @@ -2001,8 +1992,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr,
  }
  EXPORT_SYMBOL(generic_file_remap_pages);
@@ -104411,7 +104600,7 @@ index e1a6393..f634ce5 100644
  	return -ENOMEM;
  }
 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 3f0ec06..5aad945 100644
+index 3f0ec06..230c2c5 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -170,7 +170,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -104484,7 +104673,29 @@ index 3f0ec06..5aad945 100644
  	for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
  		idx = 0;
  		head = &net->dev_index_head[h];
-@@ -4741,11 +4748,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4512,6 +4519,21 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
+ 	return 0;
+ }
+ 
++static const struct nla_policy inet6_af_policy[IFLA_INET6_MAX + 1] = {
++	[IFLA_INET6_TOKEN]		= { .len = sizeof(struct in6_addr) },
++};
++
++static int inet6_validate_link_af(const struct net_device *dev,
++				  const struct nlattr *nla)
++{
++	struct nlattr *tb[IFLA_INET6_MAX + 1];
++
++	if (dev && !__in6_dev_get(dev))
++		return -EAFNOSUPPORT;
++
++	return nla_parse_nested(tb, IFLA_INET6_MAX, nla, inet6_af_policy);
++}
++
+ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
+ {
+ 	int err = -EINVAL;
+@@ -4741,11 +4763,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
  
  			rt = rt6_lookup(dev_net(dev), &ifp->peer_addr, NULL,
  					dev->ifindex, 1);
@@ -104498,7 +104709,7 @@ index 3f0ec06..5aad945 100644
  		}
  		dst_hold(&ifp->rt->dst);
  
-@@ -4753,7 +4757,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4753,7 +4772,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
  			dst_free(&ifp->rt->dst);
  		break;
  	}
@@ -104507,7 +104718,7 @@ index 3f0ec06..5aad945 100644
  	rt_genid_bump_ipv6(net);
  }
  
-@@ -4774,7 +4778,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+@@ -4774,7 +4793,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
  	int *valp = ctl->data;
  	int val = *valp;
  	loff_t pos = *ppos;
@@ -104516,7 +104727,7 @@ index 3f0ec06..5aad945 100644
  	int ret;
  
  	/*
-@@ -4859,7 +4863,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
+@@ -4859,7 +4878,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
  	int *valp = ctl->data;
  	int val = *valp;
  	loff_t pos = *ppos;
@@ -104525,6 +104736,14 @@ index 3f0ec06..5aad945 100644
  	int ret;
  
  	/*
+@@ -5299,6 +5318,7 @@ static struct rtnl_af_ops inet6_ops = {
+ 	.family		  = AF_INET6,
+ 	.fill_link_af	  = inet6_fill_link_af,
+ 	.get_link_af_size = inet6_get_link_af_size,
++	.validate_link_af = inet6_validate_link_af,
+ 	.set_link_af	  = inet6_set_link_af,
+ };
+ 
 diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
 index d935889..2f64330 100644
 --- a/net/ipv6/af_inet6.c
@@ -108507,14 +108726,14 @@ index 078fe1d..fbdb363 100644
  		fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? %#x\n",
 diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh
 new file mode 100644
-index 0000000..42018ed
+index 0000000..822fa9e
 --- /dev/null
 +++ b/scripts/gcc-plugin.sh
 @@ -0,0 +1,51 @@
 +#!/bin/sh
 +srctree=$(dirname "$0")
 +gccplugins_dir=$($3 -print-file-name=plugin)
-+plugincc=$($1 -E - -o /dev/null -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($1 -E - -o /dev/null -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +#if BUILDING_GCC_VERSION >= 4008 || defined(ENABLE_BUILD_WITH_CXX)
 +#warning $2 CXX
@@ -108545,7 +108764,7 @@ index 0000000..42018ed
 +esac
 +
 +# we need a c++ compiler that supports the designated initializer GNU extension
-+plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +class test {
 +public:
@@ -110233,6 +110452,18 @@ index cee72ce..e46074a 100644
  err:
  	if (iov != iovstack)
  		kfree(iov);
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 3814119..2e8ebaa 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -432,6 +432,7 @@ link_check_failed:
+ 
+ link_prealloc_failed:
+ 	mutex_unlock(&user->cons_lock);
++	key_put(key);
+ 	kleave(" = %d [prelink]", ret);
+ 	return ret;
+ 
 diff --git a/security/min_addr.c b/security/min_addr.c
 index f728728..6457a0c 100644
 --- a/security/min_addr.c
diff --git a/3.14.31/4425_grsec_remove_EI_PAX.patch b/3.14.33/4425_grsec_remove_EI_PAX.patch
index 86e242a..86e242a 100644
--- a/3.14.31/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.33/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.31/4427_force_XATTR_PAX_tmpfs.patch b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch
index aa540ad..aa540ad 100644
--- a/3.14.31/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.31/4430_grsec-remove-localversion-grsec.patch b/3.14.33/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.31/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.33/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.31/4435_grsec-mute-warnings.patch b/3.14.33/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.31/4435_grsec-mute-warnings.patch
+++ b/3.14.33/4435_grsec-mute-warnings.patch
diff --git a/3.14.31/4440_grsec-remove-protected-paths.patch b/3.14.33/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.31/4440_grsec-remove-protected-paths.patch
+++ b/3.14.33/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.31/4450_grsec-kconfig-default-gids.patch b/3.14.33/4450_grsec-kconfig-default-gids.patch
index 722821b..722821b 100644
--- a/3.14.31/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.33/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.31/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch
index f92c155..f92c155 100644
--- a/3.14.31/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.31/4470_disable-compat_vdso.patch b/3.14.33/4470_disable-compat_vdso.patch
index cc7c122..cc7c122 100644
--- a/3.14.31/4470_disable-compat_vdso.patch
+++ b/3.14.33/4470_disable-compat_vdso.patch
diff --git a/3.14.31/4475_emutramp_default_on.patch b/3.14.33/4475_emutramp_default_on.patch
index ad4967a..ad4967a 100644
--- a/3.14.31/4475_emutramp_default_on.patch
+++ b/3.14.33/4475_emutramp_default_on.patch
diff --git a/3.18.5/0000_README b/3.18.7/0000_README
index b1f502a..ee63631 100644
--- a/3.18.5/0000_README
+++ b/3.18.7/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.18.5-201502052352.patch
+Patch:	4420_grsecurity-3.0-3.18.7-201502200813.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.18.5/4420_grsecurity-3.0-3.18.5-201502052352.patch b/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch
index ad22521..544940a 100644
--- a/3.18.5/4420_grsecurity-3.0-3.18.5-201502052352.patch
+++ b/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch
@@ -370,7 +370,7 @@ index f4c71d4..66811b1 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 6276fca..e21ed81 100644
+index 0efae22..380e711 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -781,7 +781,7 @@ index f9c732e..78fbb0f 100644
  	return addr;
  }
 diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
-index 98838a0..b304fb4 100644
+index 9d0ac09..479a962 100644
 --- a/arch/alpha/mm/fault.c
 +++ b/arch/alpha/mm/fault.c
 @@ -53,6 +53,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
@@ -3525,7 +3525,7 @@ index 7f352de..6dc0929 100644
  
  static int keystone_platform_notifier(struct notifier_block *nb,
 diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
-index 1163a3e..424adbf 100644
+index 2ffccd4..69ffe115 100644
 --- a/arch/arm/mach-mvebu/coherency.c
 +++ b/arch/arm/mach-mvebu/coherency.c
 @@ -316,7 +316,7 @@ static void __init armada_370_coherency_init(struct device_node *np)
@@ -3894,7 +3894,7 @@ index 5e65ca8..879e7b3 100644
  #define CACHE_LINE_SIZE		32
  
 diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
-index 6eb97b3..e77848e 100644
+index 4370933..e77848e 100644
 --- a/arch/arm/mm/context.c
 +++ b/arch/arm/mm/context.c
 @@ -43,7 +43,7 @@
@@ -3906,40 +3906,7 @@ index 6eb97b3..e77848e 100644
  static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
  
  static DEFINE_PER_CPU(atomic64_t, active_asids);
-@@ -144,21 +144,17 @@ static void flush_context(unsigned int cpu)
- 	/* Update the list of reserved ASIDs and the ASID bitmap. */
- 	bitmap_clear(asid_map, 0, NUM_USER_ASIDS);
- 	for_each_possible_cpu(i) {
--		if (i == cpu) {
--			asid = 0;
--		} else {
--			asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
--			/*
--			 * If this CPU has already been through a
--			 * rollover, but hasn't run another task in
--			 * the meantime, we must preserve its reserved
--			 * ASID, as this is the only trace we have of
--			 * the process it is still running.
--			 */
--			if (asid == 0)
--				asid = per_cpu(reserved_asids, i);
--			__set_bit(asid & ~ASID_MASK, asid_map);
--		}
-+		asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
-+		/*
-+		 * If this CPU has already been through a
-+		 * rollover, but hasn't run another task in
-+		 * the meantime, we must preserve its reserved
-+		 * ASID, as this is the only trace we have of
-+		 * the process it is still running.
-+		 */
-+		if (asid == 0)
-+			asid = per_cpu(reserved_asids, i);
-+		__set_bit(asid & ~ASID_MASK, asid_map);
- 		per_cpu(reserved_asids, i) = asid;
- 	}
- 
-@@ -182,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+@@ -178,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
  {
  	static u32 cur_idx = 1;
  	u64 asid = atomic64_read(&mm->context.id);
@@ -3948,7 +3915,7 @@ index 6eb97b3..e77848e 100644
  
  	if (asid != 0 && is_reserved_asid(asid)) {
  		/*
-@@ -203,7 +199,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+@@ -199,7 +199,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
  		 */
  		asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
  		if (asid == NUM_USER_ASIDS) {
@@ -3957,7 +3924,7 @@ index 6eb97b3..e77848e 100644
  							 &asid_generation);
  			flush_context(cpu);
  			asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
-@@ -234,14 +230,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
+@@ -230,14 +230,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
  	cpu_set_reserved_ttbr0();
  
  	asid = atomic64_read(&mm->context.id);
@@ -4947,7 +4914,7 @@ index 479330b..53717a8 100644
  
  #endif /* __ASM_AVR32_KMAP_TYPES_H */
 diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
-index 0eca933..eb78c7b 100644
+index d223a8b..69c5210 100644
 --- a/arch/avr32/mm/fault.c
 +++ b/arch/avr32/mm/fault.c
 @@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
@@ -4974,7 +4941,7 @@ index 0eca933..eb78c7b 100644
  /*
   * This routine handles page faults. It determines the address and the
   * problem, and then passes it off to one of the appropriate routines.
-@@ -176,6 +193,16 @@ bad_area:
+@@ -178,6 +195,16 @@ bad_area:
  	up_read(&mm->mmap_sem);
  
  	if (user_mode(regs)) {
@@ -5534,7 +5501,7 @@ index 84f8a52..7c76178 100644
  	 * ensure percpu data fits
  	 * into percpu page size
 diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
-index 7225dad..2a7c8256 100644
+index ba5ba7a..36e9d3a 100644
 --- a/arch/ia64/mm/fault.c
 +++ b/arch/ia64/mm/fault.c
 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
@@ -6878,7 +6845,7 @@ index 2242bdd..b284048 100644
  	}
  	/* Arrange for an interrupt in a short while */
 diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
-index 22b19c2..c5cc8c4 100644
+index d255a2a..916271c 100644
 --- a/arch/mips/kernel/traps.c
 +++ b/arch/mips/kernel/traps.c
 @@ -688,7 +688,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
@@ -6915,7 +6882,7 @@ index e3b21e5..ea5ff7c 100644
  	if (kvm_mips_callbacks) {
  		kvm_err("kvm: module already exists\n");
 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
-index becc42b..9e43d4b 100644
+index 70ab5d6..62940fe 100644
 --- a/arch/mips/mm/fault.c
 +++ b/arch/mips/mm/fault.c
 @@ -28,6 +28,23 @@
@@ -6942,7 +6909,7 @@ index becc42b..9e43d4b 100644
  /*
   * This routine handles page faults.  It determines the address,
   * and the problem, and then passes it off to one of the appropriate
-@@ -199,6 +216,14 @@ bad_area:
+@@ -201,6 +218,14 @@ bad_area:
  bad_area_nosemaphore:
  	/* User mode accesses just cause a SIGSEGV */
  	if (user_mode(regs)) {
@@ -7568,7 +7535,7 @@ index 47ee620..1107387 100644
  				fault_space = regs->iasq[0];
  
 diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
-index 3ca9c11..d163ef7 100644
+index e5120e6..8ddb5cc 100644
 --- a/arch/parisc/mm/fault.c
 +++ b/arch/parisc/mm/fault.c
 @@ -15,6 +15,7 @@
@@ -9269,7 +9236,7 @@ index 5eea6f3..5d10396 100644
  EXPORT_SYMBOL(copy_in_user);
  
 diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
-index 08d659a..ab329f4 100644
+index f06b56b..ffb2fb4 100644
 --- a/arch/powerpc/mm/fault.c
 +++ b/arch/powerpc/mm/fault.c
 @@ -33,6 +33,10 @@
@@ -9344,7 +9311,7 @@ index 08d659a..ab329f4 100644
  			goto bad_area;
  #endif /* CONFIG_PPC_STD_MMU */
  
-@@ -495,6 +526,23 @@ bad_area:
+@@ -497,6 +528,23 @@ bad_area:
  bad_area_nosemaphore:
  	/* User mode accesses cause a SIGSEGV */
  	if (user_mode(regs)) {
@@ -11384,7 +11351,7 @@ index 30c3ecc..736f015 100644
  obj-$(CONFIG_SPARC64)   += ultra.o tlb.o tsb.o gup.o
  obj-y                   += fault_$(BITS).o
 diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
-index 908e8c1..1524793 100644
+index 70d8171..274c6c0 100644
 --- a/arch/sparc/mm/fault_32.c
 +++ b/arch/sparc/mm/fault_32.c
 @@ -21,6 +21,9 @@
@@ -11701,7 +11668,7 @@ index 908e8c1..1524793 100644
  		if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
  			goto bad_area;
 diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
-index 18fcd71..e4fe821 100644
+index 4798232..f76e3aa 100644
 --- a/arch/sparc/mm/fault_64.c
 +++ b/arch/sparc/mm/fault_64.c
 @@ -22,6 +22,9 @@
@@ -12803,7 +12770,7 @@ index bd49ec6..94c7f58 100644
  }
  
 diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index 45abc36..97bea2d 100644
+index 6a1a845..0ad2dae 100644
 --- a/arch/x86/boot/compressed/Makefile
 +++ b/arch/x86/boot/compressed/Makefile
 @@ -16,6 +16,9 @@ KBUILD_CFLAGS += $(cflags-y)
@@ -20528,7 +20495,7 @@ index e45e4da..44e8572 100644
  extern struct x86_init_ops x86_init;
  extern struct x86_cpuinit_ops x86_cpuinit;
 diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h
-index c949923..c22bfa4 100644
+index f58ef6c..a2abc78 100644
 --- a/arch/x86/include/asm/xen/page.h
 +++ b/arch/x86/include/asm/xen/page.h
 @@ -63,7 +63,7 @@ extern int m2p_remove_override(struct page *page,
@@ -21666,7 +21633,7 @@ index 7dc5564..1273569 100644
  	wmb();
  
 diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
-index 15c2909..2cef20c 100644
+index 36a8361..e7058c2 100644
 --- a/arch/x86/kernel/cpu/microcode/core.c
 +++ b/arch/x86/kernel/cpu/microcode/core.c
 @@ -518,7 +518,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu)
@@ -21778,7 +21745,7 @@ index 639d128..e92d7e5 100644
  
  	while (amd_iommu_v2_event_descs[i].attr.attr.name)
 diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
-index 944bf01..4a4392f 100644
+index 498b6d9..4126515 100644
 --- a/arch/x86/kernel/cpu/perf_event_intel.c
 +++ b/arch/x86/kernel/cpu/perf_event_intel.c
 @@ -2353,10 +2353,10 @@ __init int intel_pmu_init(void)
@@ -21796,7 +21763,7 @@ index 944bf01..4a4392f 100644
  
  	intel_ds_init();
 diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
-index d64f275..26522ff 100644
+index 8c25674..30aa32e 100644
 --- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
 +++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
 @@ -449,7 +449,7 @@ static struct attribute *rapl_events_hsw_attr[] = {
@@ -28204,7 +28171,7 @@ index e8edcf5..27f9344 100644
  		goto cannot_handle;
  	if ((segoffs >> 16) == BIOSSEG)
 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
-index 49edf2d..c0d1362 100644
+index 49edf2d..df596b1 100644
 --- a/arch/x86/kernel/vmlinux.lds.S
 +++ b/arch/x86/kernel/vmlinux.lds.S
 @@ -26,6 +26,13 @@
@@ -28385,7 +28352,6 @@ index 49edf2d..c0d1362 100644
 +	.init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
 +		VMLINUX_SYMBOL(_sinittext) = .;
 +		INIT_TEXT
-+		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(PAGE_SIZE);
 +	} :text.init
  
@@ -28396,6 +28362,7 @@ index 49edf2d..c0d1362 100644
 +	 */
 +	.exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
 +		EXIT_TEXT
++		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(16);
 +	} :text.exit
 +	. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
@@ -31745,7 +31712,7 @@ index 903ec1e..c4166b2 100644
  }
  
 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index d973e61..fb868e9 100644
+index 4d8ee82..ffc1011 100644
 --- a/arch/x86/mm/fault.c
 +++ b/arch/x86/mm/fault.c
 @@ -13,12 +13,19 @@
@@ -32001,7 +31968,7 @@ index d973e61..fb868e9 100644
  		/* Kernel addresses are always protection faults: */
  		if (address >= TASK_SIZE)
  			error_code |= PF_PROT;
-@@ -867,7 +979,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
+@@ -864,7 +976,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
  	if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
  		printk(KERN_ERR
  	"MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
@@ -32010,7 +31977,7 @@ index d973e61..fb868e9 100644
  		code = BUS_MCEERR_AR;
  	}
  #endif
-@@ -921,6 +1033,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
+@@ -916,6 +1028,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
  	return 1;
  }
  
@@ -32110,7 +32077,7 @@ index d973e61..fb868e9 100644
  /*
   * Handle a spurious fault caused by a stale TLB entry.
   *
-@@ -1006,6 +1211,9 @@ int show_unhandled_signals = 1;
+@@ -1001,6 +1206,9 @@ int show_unhandled_signals = 1;
  static inline int
  access_error(unsigned long error_code, struct vm_area_struct *vma)
  {
@@ -32120,7 +32087,7 @@ index d973e61..fb868e9 100644
  	if (error_code & PF_WRITE) {
  		/* write, present and write, not present: */
  		if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -1040,7 +1248,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
+@@ -1035,7 +1243,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
  	if (error_code & PF_USER)
  		return false;
  
@@ -32129,7 +32096,7 @@ index d973e61..fb868e9 100644
  		return false;
  
  	return true;
-@@ -1068,6 +1276,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
+@@ -1063,6 +1271,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
  	tsk = current;
  	mm = tsk->mm;
  
@@ -32152,7 +32119,7 @@ index d973e61..fb868e9 100644
  	/*
  	 * Detect and handle instructions that would cause a page fault for
  	 * both a tracked kernel page and a userspace page.
-@@ -1145,7 +1369,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
+@@ -1140,7 +1364,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
  	 * User-mode registers count as a user access even for any
  	 * potential system fault or CPU buglet:
  	 */
@@ -32161,7 +32128,7 @@ index d973e61..fb868e9 100644
  		local_irq_enable();
  		error_code |= PF_USER;
  		flags |= FAULT_FLAG_USER;
-@@ -1192,6 +1416,11 @@ retry:
+@@ -1187,6 +1411,11 @@ retry:
  		might_sleep();
  	}
  
@@ -32173,7 +32140,7 @@ index d973e61..fb868e9 100644
  	vma = find_vma(mm, address);
  	if (unlikely(!vma)) {
  		bad_area(regs, error_code, address);
-@@ -1203,18 +1432,24 @@ retry:
+@@ -1198,18 +1427,24 @@ retry:
  		bad_area(regs, error_code, address);
  		return;
  	}
@@ -32209,7 +32176,7 @@ index d973e61..fb868e9 100644
  	if (unlikely(expand_stack(vma, address))) {
  		bad_area(regs, error_code, address);
  		return;
-@@ -1331,3 +1566,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1327,3 +1562,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
  }
  NOKPROBE_SYMBOL(trace_do_page_fault);
  #endif /* CONFIG_TRACING */
@@ -33259,7 +33226,7 @@ index 7b179b49..6bd17777 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index af78e50..0790b03 100644
+index af78e50..4f1fe56 100644
 --- a/arch/x86/mm/ioremap.c
 +++ b/arch/x86/mm/ioremap.c
 @@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
@@ -33282,17 +33249,29 @@ index af78e50..0790b03 100644
  {
  	struct vm_struct *p, *o;
  
-@@ -334,6 +334,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
- 
+@@ -329,30 +329,29 @@ EXPORT_SYMBOL(iounmap);
+  */
+ void *xlate_dev_mem_ptr(unsigned long phys)
+ {
+-	void *addr;
+-	unsigned long start = phys & PAGE_MASK;
+-
  	/* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
- 	if (page_is_ram(start >> PAGE_SHIFT))
+-	if (page_is_ram(start >> PAGE_SHIFT))
++	if (page_is_ram(phys >> PAGE_SHIFT))
 +#ifdef CONFIG_HIGHMEM
-+	if ((start >> PAGE_SHIFT) < max_low_pfn)
++	if ((phys >> PAGE_SHIFT) < max_low_pfn)
 +#endif
  		return __va(phys);
  
- 	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
-@@ -346,13 +349,16 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+-	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
+-	if (addr)
+-		addr = (void *)((unsigned long)addr | (phys & ~PAGE_MASK));
+-
+-	return addr;
++	return (void __force *)ioremap_cache(phys, PAGE_SIZE);
+ }
+ 
  void unxlate_dev_mem_ptr(unsigned long phys, void *addr)
  {
  	if (page_is_ram(phys >> PAGE_SHIFT))
@@ -33310,7 +33289,7 @@ index af78e50..0790b03 100644
  
  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
  {
-@@ -388,8 +394,7 @@ void __init early_ioremap_init(void)
+@@ -388,8 +387,7 @@ void __init early_ioremap_init(void)
  	early_ioremap_setup();
  
  	pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
@@ -38706,7 +38685,7 @@ index 5c4e1f6..0ea58f9 100644
  	new_smi->interrupt_disabled = true;
  	atomic_set(&new_smi->stop_operation, 0);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 524b707..29d07c1 100644
+index 524b707..62a3d70 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -18,6 +18,7 @@
@@ -38754,15 +38733,17 @@ index 524b707..29d07c1 100644
  #else
  static inline int range_is_allowed(unsigned long pfn, unsigned long size)
  {
-@@ -122,6 +136,7 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+@@ -121,7 +135,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+ #endif
  
  	while (count > 0) {
- 		unsigned long remaining;
+-		unsigned long remaining;
++		unsigned long remaining = 0;
 +		char *temp;
  
  		sz = size_inside_page(p, count);
  
-@@ -137,7 +152,23 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+@@ -137,7 +152,24 @@ static ssize_t read_mem(struct file *file, char __user *buf,
  		if (!ptr)
  			return -EFAULT;
  
@@ -38773,12 +38754,13 @@ index 524b707..29d07c1 100644
 +			unxlate_dev_mem_ptr(p, ptr);
 +			return -ENOMEM;
 +		}
-+		memcpy(temp, ptr, sz);
++		remaining = probe_kernel_read(temp, ptr, sz);
 +#else
 +		temp = ptr;
 +#endif
 +
-+		remaining = copy_to_user(buf, temp, sz);
++		if (!remaining)
++			remaining = copy_to_user(buf, temp, sz);
 +
 +#ifdef CONFIG_PAX_USERCOPY
 +		kfree(temp);
@@ -38787,7 +38769,7 @@ index 524b707..29d07c1 100644
  		unxlate_dev_mem_ptr(p, ptr);
  		if (remaining)
  			return -EFAULT;
-@@ -369,9 +400,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -369,9 +401,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  			 size_t count, loff_t *ppos)
  {
  	unsigned long p = *ppos;
@@ -38798,7 +38780,7 @@ index 524b707..29d07c1 100644
  
  	read = 0;
  	if (p < (unsigned long) high_memory) {
-@@ -393,6 +423,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -393,6 +424,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  		}
  #endif
  		while (low_count > 0) {
@@ -38807,7 +38789,7 @@ index 524b707..29d07c1 100644
  			sz = size_inside_page(p, low_count);
  
  			/*
-@@ -402,7 +434,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -402,7 +435,23 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  			 */
  			kbuf = xlate_dev_kmem_ptr((char *)p);
  
@@ -38816,12 +38798,13 @@ index 524b707..29d07c1 100644
 +			temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
 +			if (!temp)
 +				return -ENOMEM;
-+			memcpy(temp, kbuf, sz);
++			err = probe_kernel_read(temp, kbuf, sz);
 +#else
 +			temp = kbuf;
 +#endif
 +
-+			err = copy_to_user(buf, temp, sz);
++			if (!err)
++				err = copy_to_user(buf, temp, sz);
 +
 +#ifdef CONFIG_PAX_USERCOPY
 +			kfree(temp);
@@ -38831,7 +38814,7 @@ index 524b707..29d07c1 100644
  				return -EFAULT;
  			buf += sz;
  			p += sz;
-@@ -797,6 +844,9 @@ static const struct memdev {
+@@ -797,6 +846,9 @@ static const struct memdev {
  #ifdef CONFIG_PRINTK
  	[11] = { "kmsg", 0644, &kmsg_fops, NULL },
  #endif
@@ -38841,7 +38824,7 @@ index 524b707..29d07c1 100644
  };
  
  static int memory_open(struct inode *inode, struct file *filp)
-@@ -868,7 +918,7 @@ static int __init chr_dev_init(void)
+@@ -868,7 +920,7 @@ static int __init chr_dev_init(void)
  			continue;
  
  		device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
@@ -38936,7 +38919,7 @@ index 0ea9986..e7b07e4 100644
  
  	if (cmd != SIOCWANDEV)
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 04645c0..560e350 100644
+index 04645c0..6416f00 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
 @@ -289,9 +289,6 @@
@@ -38962,6 +38945,30 @@ index 04645c0..560e350 100644
  
  static struct entropy_store input_pool = {
  	.poolinfo = &poolinfo_table[0],
+@@ -569,19 +566,19 @@ static void fast_mix(struct fast_pool *f)
+ 	__u32 c = f->pool[2],	d = f->pool[3];
+ 
+ 	a += b;			c += d;
+-	b = rol32(a, 6);	d = rol32(c, 27);
++	b = rol32(b, 6);	d = rol32(d, 27);
+ 	d ^= a;			b ^= c;
+ 
+ 	a += b;			c += d;
+-	b = rol32(a, 16);	d = rol32(c, 14);
++	b = rol32(b, 16);	d = rol32(d, 14);
+ 	d ^= a;			b ^= c;
+ 
+ 	a += b;			c += d;
+-	b = rol32(a, 6);	d = rol32(c, 27);
++	b = rol32(b, 6);	d = rol32(d, 27);
+ 	d ^= a;			b ^= c;
+ 
+ 	a += b;			c += d;
+-	b = rol32(a, 16);	d = rol32(c, 14);
++	b = rol32(b, 16);	d = rol32(d, 14);
+ 	d ^= a;			b ^= c;
+ 
+ 	f->pool[0] = a;  f->pool[1] = b;
 @@ -635,7 +632,7 @@ retry:
  		/* The +2 corresponds to the /4 in the denominator */
  
@@ -40253,10 +40260,10 @@ index bc3da32..7289357 100644
  	}
  	mutex_unlock(&drm_global_mutex);
 diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
-index ef757f7..98f720c 100644
+index e9a2827..5df4716 100644
 --- a/drivers/gpu/drm/drm_fb_helper.c
 +++ b/drivers/gpu/drm/drm_fb_helper.c
-@@ -741,7 +741,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info)
+@@ -771,7 +771,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info)
  	int i, j, rc = 0;
  	int start;
  
@@ -40267,7 +40274,7 @@ index ef757f7..98f720c 100644
  	if (!drm_fb_helper_is_bound(fb_helper)) {
  		drm_modeset_unlock_all(dev);
  		return -EBUSY;
-@@ -915,7 +917,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var,
+@@ -945,7 +947,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var,
  	int ret = 0;
  	int i;
  
@@ -41168,10 +41175,10 @@ index 4a85bb6..aaea819 100644
  	if (regcomp
  	    (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index 995a8b1..b7cb898 100644
+index bdf263a..0305446 100644
 --- a/drivers/gpu/drm/radeon/radeon_device.c
 +++ b/drivers/gpu/drm/radeon/radeon_device.c
-@@ -1214,7 +1214,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
+@@ -1216,7 +1216,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
  	 * locking inversion with the driver load path. And the access here is
  	 * completely racy anyway. So don't bother with locking for now.
  	 */
@@ -41652,10 +41659,10 @@ index 1319433..a993b0c 100644
  	case VIA_IRQ_ABSOLUTE:
  		break;
 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-index 4ee799b..69fc0d1 100644
+index d26a6da..5fa41ed 100644
 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-@@ -446,7 +446,7 @@ struct vmw_private {
+@@ -447,7 +447,7 @@ struct vmw_private {
  	 * Fencing and IRQs.
  	 */
  
@@ -41663,12 +41670,12 @@ index 4ee799b..69fc0d1 100644
 +	atomic_unchecked_t marker_seq;
  	wait_queue_head_t fence_queue;
  	wait_queue_head_t fifo_queue;
- 	int fence_queue_waiters; /* Protected by hw_mutex */
+ 	spinlock_t waiter_lock;
 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
-index 09e10ae..cb76c60 100644
+index 39f2b03..d1b0a64 100644
 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
-@@ -154,7 +154,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
+@@ -152,7 +152,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
  		 (unsigned int) min,
  		 (unsigned int) fifo->capabilities);
  
@@ -41677,7 +41684,7 @@ index 09e10ae..cb76c60 100644
  	iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE);
  	vmw_marker_queue_init(&fifo->marker_queue);
  	return vmw_fifo_send_fence(dev_priv, &dummy);
-@@ -378,7 +378,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
+@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
  				if (reserveable)
  					iowrite32(bytes, fifo_mem +
  						  SVGA_FIFO_RESERVED);
@@ -41686,7 +41693,7 @@ index 09e10ae..cb76c60 100644
  			} else {
  				need_bounce = true;
  			}
-@@ -498,7 +498,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
+@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
  
  	fm = vmw_fifo_reserve(dev_priv, bytes);
  	if (unlikely(fm == NULL)) {
@@ -41695,7 +41702,7 @@ index 09e10ae..cb76c60 100644
  		ret = -ENOMEM;
  		(void)vmw_fallback_wait(dev_priv, false, true, *seqno,
  					false, 3*HZ);
-@@ -506,7 +506,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
+@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
  	}
  
  	do {
@@ -41724,7 +41731,7 @@ index 170b61b..fec7348 100644
 +	.debug = vmw_gmrid_man_debug
  };
 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-index 37881ec..319065d 100644
+index 69c8ce2..cacb0ab 100644
 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
 @@ -235,7 +235,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
@@ -41746,10 +41753,10 @@ index 37881ec..319065d 100644
  	if (unlikely(num_clips == 0))
  		return 0;
 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
-index 0c42376..6febe77 100644
+index 9fe9827..0aa2fc0 100644
 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
-@@ -107,7 +107,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
+@@ -102,7 +102,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
  	 * emitted. Then the fence is stale and signaled.
  	 */
  
@@ -41758,7 +41765,7 @@ index 0c42376..6febe77 100644
  	       > VMW_FENCE_WRAP);
  
  	return ret;
-@@ -138,7 +138,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
+@@ -133,7 +133,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
  
  	if (fifo_idle)
  		down_read(&fifo_state->rwsem);
@@ -44925,7 +44932,7 @@ index 32e282f..5cec803 100644
  
  			rdev_dec_pending(rdev, mddev);
 diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index c1b0d52..07a0a5d 100644
+index b98765f..09e86d5 100644
 --- a/drivers/md/raid5.c
 +++ b/drivers/md/raid5.c
 @@ -1730,6 +1730,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash)
@@ -50765,10 +50772,10 @@ index 302e626..12579af 100644
  		da->attr.name = info->pin_config[i].name;
  		da->attr.mode = 0644;
 diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
-index cd87c0c..715ecbe 100644
+index fc6fb54..b8c794ba 100644
 --- a/drivers/regulator/core.c
 +++ b/drivers/regulator/core.c
-@@ -3567,7 +3567,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+@@ -3569,7 +3569,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
  {
  	const struct regulation_constraints *constraints = NULL;
  	const struct regulator_init_data *init_data;
@@ -50777,7 +50784,7 @@ index cd87c0c..715ecbe 100644
  	struct regulator_dev *rdev;
  	struct device *dev;
  	int ret, i;
-@@ -3641,7 +3641,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+@@ -3643,7 +3643,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
  	rdev->dev.class = &regulator_class;
  	rdev->dev.parent = dev;
  	dev_set_name(&rdev->dev, "regulator.%d",
@@ -50823,15 +50830,16 @@ index dbedf17..18ff6b7 100644
  
  	if (pdata) {
 diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
-index 793b662..85f74cd 100644
+index 793b662..01c20fc 100644
 --- a/drivers/regulator/mc13892-regulator.c
 +++ b/drivers/regulator/mc13892-regulator.c
 @@ -584,10 +584,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
  	mc13xxx_unlock(mc13892);
  
  	/* update mc13892_vcam ops */
+-	memcpy(&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
 +	pax_open_kernel();
- 	memcpy(&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
++	memcpy((void *)&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
  						sizeof(struct regulator_ops));
 -	mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
 -	mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
@@ -52058,24 +52066,10 @@ index ae45bd9..c32a586 100644
  
  	transport_setup_device(&rport->dev);
 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index cfba74c..4cdf6a1 100644
+index dd8c8d6..4cdf6a1 100644
 --- a/drivers/scsi/sd.c
 +++ b/drivers/scsi/sd.c
-@@ -2818,9 +2818,11 @@ static int sd_revalidate_disk(struct gendisk *disk)
- 	 */
- 	sd_set_flush_flag(sdkp);
- 
--	max_xfer = min_not_zero(queue_max_hw_sectors(sdkp->disk->queue),
--				sdkp->max_xfer_blocks);
-+	max_xfer = sdkp->max_xfer_blocks;
- 	max_xfer <<= ilog2(sdp->sector_size) - 9;
-+
-+	max_xfer = min_not_zero(queue_max_hw_sectors(sdkp->disk->queue),
-+				max_xfer);
- 	blk_queue_max_hw_sectors(sdkp->disk->queue, max_xfer);
- 	set_capacity(disk, sdkp->capacity);
- 	sd_config_write_same(sdkp);
-@@ -3022,7 +3024,7 @@ static int sd_probe(struct device *dev)
+@@ -3024,7 +3024,7 @@ static int sd_probe(struct device *dev)
  	sdkp->disk = gd;
  	sdkp->index = index;
  	atomic_set(&sdkp->openers, 0);
@@ -60073,37 +60067,10 @@ index 02a33e5..3a28b5a 100644
  GLOBAL_EXTERN atomic_t smBufAllocCount;
  GLOBAL_EXTERN atomic_t midCount;
 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
-index 3e4d00a..4132187 100644
+index 9a7b6947..4132187 100644
 --- a/fs/cifs/file.c
 +++ b/fs/cifs/file.c
-@@ -366,6 +366,7 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 	struct cifsLockInfo *li, *tmp;
- 	struct cifs_fid fid;
- 	struct cifs_pending_open open;
-+	bool oplock_break_cancelled;
- 
- 	spin_lock(&cifs_file_list_lock);
- 	if (--cifs_file->count > 0) {
-@@ -397,7 +398,7 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 	}
- 	spin_unlock(&cifs_file_list_lock);
- 
--	cancel_work_sync(&cifs_file->oplock_break);
-+	oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
- 
- 	if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
- 		struct TCP_Server_Info *server = tcon->ses->server;
-@@ -409,6 +410,9 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- 		_free_xid(xid);
- 	}
- 
-+	if (oplock_break_cancelled)
-+		cifs_done_oplock_break(cifsi);
-+
- 	cifs_del_pending_open(&open);
- 
- 	/*
-@@ -2056,10 +2060,14 @@ static int cifs_writepages(struct address_space *mapping,
+@@ -2060,10 +2060,14 @@ static int cifs_writepages(struct address_space *mapping,
  		index = mapping->writeback_index; /* Start from prev offset */
  		end = -1;
  	} else {
@@ -62280,7 +62247,7 @@ index 5797d45..7d7d79a 100644
  
  	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
 diff --git a/fs/fs_struct.c b/fs/fs_struct.c
-index 7dca743..f5e007d 100644
+index 7dca743..2f2786d 100644
 --- a/fs/fs_struct.c
 +++ b/fs/fs_struct.c
 @@ -4,6 +4,7 @@
@@ -62305,7 +62272,7 @@ index 7dca743..f5e007d 100644
  	spin_unlock(&fs->lock);
 -	if (old_root.dentry)
 +	if (old_root.dentry) {
-+		gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt);
++		gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
  		path_put(&old_root);
 +	}
  }
@@ -80575,6 +80542,39 @@ index d1a5582..4424efa 100644
  /*
   * Mark a position in code as unreachable.  This can be used to
   * suppress control flow warnings after asm blocks that transfer
+diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
+index c8c5659..d09f2ad 100644
+--- a/include/linux/compiler-gcc5.h
++++ b/include/linux/compiler-gcc5.h
+@@ -28,6 +28,28 @@
+ # define __compiletime_error(message) __attribute__((error(message)))
+ #endif /* __CHECKER__ */
+ 
++#define __alloc_size(...)	__attribute((alloc_size(__VA_ARGS__)))
++#define __bos(ptr, arg)		__builtin_object_size((ptr), (arg))
++#define __bos0(ptr)		__bos((ptr), 0)
++#define __bos1(ptr)		__bos((ptr), 1)
++
++#ifdef CONSTIFY_PLUGIN
++#error not yet
++#define __no_const __attribute__((no_const))
++#define __do_const __attribute__((do_const))
++#endif
++
++#ifdef SIZE_OVERFLOW_PLUGIN
++#error not yet
++#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
++#endif
++
++#ifdef LATENT_ENTROPY_PLUGIN
++#error not yet
++#define __latent_entropy __attribute__((latent_entropy))
++#endif
++
+ /*
+  * Mark a position in code as unreachable.  This can be used to
+  * suppress control flow warnings after asm blocks that transfer
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
 index d5ad7b1..3b74638 100644
 --- a/include/linux/compiler.h
@@ -83355,7 +83355,7 @@ index 37e4404..26ebbd0 100644
  	MLX4_MFUNC_EQ_NUM	= 4,
  	MLX4_MFUNC_MAX_EQES     = 8,
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 5ab2da9..5f0b3df 100644
+index 86a977b..8122960 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -128,6 +128,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -83389,7 +83389,7 @@ index 5ab2da9..5f0b3df 100644
  
  struct mmu_gather;
  struct inode;
-@@ -1165,8 +1171,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
+@@ -1167,8 +1173,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
  	unsigned long *pfn);
  int follow_phys(struct vm_area_struct *vma, unsigned long address,
  		unsigned int flags, unsigned long *prot, resource_size_t *phys);
@@ -83400,7 +83400,7 @@ index 5ab2da9..5f0b3df 100644
  
  static inline void unmap_shared_mapping_range(struct address_space *mapping,
  		loff_t const holebegin, loff_t const holelen)
-@@ -1206,9 +1212,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
+@@ -1208,9 +1214,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
  }
  #endif
  
@@ -83413,7 +83413,7 @@ index 5ab2da9..5f0b3df 100644
  
  long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  		      unsigned long start, unsigned long nr_pages,
-@@ -1240,34 +1246,6 @@ int set_page_dirty_lock(struct page *page);
+@@ -1242,34 +1248,6 @@ int set_page_dirty_lock(struct page *page);
  int clear_page_dirty_for_io(struct page *page);
  int get_cmdline(struct task_struct *task, char *buffer, int buflen);
  
@@ -83448,7 +83448,7 @@ index 5ab2da9..5f0b3df 100644
  extern struct task_struct *task_of_stack(struct task_struct *task,
  				struct vm_area_struct *vma, bool in_group);
  
-@@ -1385,8 +1363,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
+@@ -1387,8 +1365,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
  {
  	return 0;
  }
@@ -83464,7 +83464,7 @@ index 5ab2da9..5f0b3df 100644
  #endif
  
  #ifdef __PAGETABLE_PMD_FOLDED
-@@ -1395,8 +1380,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
+@@ -1397,8 +1382,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
  {
  	return 0;
  }
@@ -83480,7 +83480,7 @@ index 5ab2da9..5f0b3df 100644
  #endif
  
  int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
-@@ -1414,11 +1406,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
+@@ -1416,11 +1408,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
  		NULL: pud_offset(pgd, address);
  }
  
@@ -83504,7 +83504,7 @@ index 5ab2da9..5f0b3df 100644
  #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
  
  #if USE_SPLIT_PTE_PTLOCKS
-@@ -1801,12 +1805,23 @@ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
+@@ -1803,12 +1807,23 @@ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
  	bool *need_rmap_locks);
  extern void exit_mmap(struct mm_struct *);
  
@@ -83528,7 +83528,7 @@ index 5ab2da9..5f0b3df 100644
  	if (rlim < RLIM_INFINITY) {
  		if (((new - start) + (end_data - start_data)) > rlim)
  			return -ENOSPC;
-@@ -1831,7 +1846,7 @@ extern int install_special_mapping(struct mm_struct *mm,
+@@ -1833,7 +1848,7 @@ extern int install_special_mapping(struct mm_struct *mm,
  				   unsigned long addr, unsigned long len,
  				   unsigned long flags, struct page **pages);
  
@@ -83537,7 +83537,7 @@ index 5ab2da9..5f0b3df 100644
  
  extern unsigned long mmap_region(struct file *file, unsigned long addr,
  	unsigned long len, vm_flags_t vm_flags, unsigned long pgoff);
-@@ -1839,6 +1854,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1841,6 +1856,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	unsigned long len, unsigned long prot, unsigned long flags,
  	unsigned long pgoff, unsigned long *populate);
  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
@@ -83545,7 +83545,7 @@ index 5ab2da9..5f0b3df 100644
  
  #ifdef CONFIG_MMU
  extern int __mm_populate(unsigned long addr, unsigned long len,
-@@ -1867,10 +1883,11 @@ struct vm_unmapped_area_info {
+@@ -1869,10 +1885,11 @@ struct vm_unmapped_area_info {
  	unsigned long high_limit;
  	unsigned long align_mask;
  	unsigned long align_offset;
@@ -83559,7 +83559,7 @@ index 5ab2da9..5f0b3df 100644
  
  /*
   * Search for an unmapped address range.
-@@ -1882,7 +1899,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
+@@ -1884,7 +1901,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
   * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
   */
  static inline unsigned long
@@ -83568,7 +83568,7 @@ index 5ab2da9..5f0b3df 100644
  {
  	if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN))
  		return unmapped_area(info);
-@@ -1944,6 +1961,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
+@@ -1946,6 +1963,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
  					     struct vm_area_struct **pprev);
  
@@ -83579,7 +83579,7 @@ index 5ab2da9..5f0b3df 100644
  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
     NULL if none.  Assume start_addr < end_addr. */
  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
-@@ -1973,10 +1994,10 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
+@@ -1975,10 +1996,10 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
  }
  
  #ifdef CONFIG_MMU
@@ -83592,7 +83592,7 @@ index 5ab2da9..5f0b3df 100644
  {
  	return __pgprot(0);
  }
-@@ -2038,6 +2059,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+@@ -2040,6 +2061,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
  static inline void vm_stat_account(struct mm_struct *mm,
  			unsigned long flags, struct file *file, long pages)
  {
@@ -83604,7 +83604,7 @@ index 5ab2da9..5f0b3df 100644
  	mm->total_vm += pages;
  }
  #endif /* CONFIG_PROC_FS */
-@@ -2126,7 +2152,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -2128,7 +2154,7 @@ extern int unpoison_memory(unsigned long pfn);
  extern int sysctl_memory_failure_early_kill;
  extern int sysctl_memory_failure_recovery;
  extern void shake_page(struct page *p, int access);
@@ -83613,7 +83613,7 @@ index 5ab2da9..5f0b3df 100644
  extern int soft_offline_page(struct page *page, int flags);
  
  #if defined(CONFIG_TRANSPARENT_HUGEPAGE) || defined(CONFIG_HUGETLBFS)
-@@ -2161,5 +2187,11 @@ void __init setup_nr_node_ids(void);
+@@ -2163,5 +2189,11 @@ void __init setup_nr_node_ids(void);
  static inline void setup_nr_node_ids(void) {}
  #endif
  
@@ -84527,7 +84527,7 @@ index 34a1e10..70f6bde 100644
  struct proc_ns {
  	void *ns;
 diff --git a/include/linux/quota.h b/include/linux/quota.h
-index 80d345a..9e89a9a 100644
+index 224fb81..9d85c41 100644
 --- a/include/linux/quota.h
 +++ b/include/linux/quota.h
 @@ -70,7 +70,7 @@ struct kqid {			/* Type in which we store the quota identifier */
@@ -92932,6 +92932,21 @@ index 2df8ef0..aae070f 100644
  
  static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
  {
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 4ef9687..4f44028 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -629,7 +629,9 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
+ 
+ 	switch (action) {
+ 	case SECCOMP_RET_ERRNO:
+-		/* Set the low-order 16-bits as a errno. */
++		/* Set low-order bits as an errno, capped at MAX_ERRNO. */
++		if (data > MAX_ERRNO)
++			data = MAX_ERRNO;
+ 		syscall_set_return_value(current, task_pt_regs(current),
+ 					 -data, 0);
+ 		goto skip;
 diff --git a/kernel/signal.c b/kernel/signal.c
 index 8f0876f..1153a5a 100644
 --- a/kernel/signal.c
@@ -93071,10 +93086,10 @@ index 8f0876f..1153a5a 100644
  	set_fs(seg);
  	if (ret >= 0 && uoss_ptr)  {
 diff --git a/kernel/smpboot.c b/kernel/smpboot.c
-index eb89e18..a4e6792 100644
+index 60d35ac5..59d289f 100644
 --- a/kernel/smpboot.c
 +++ b/kernel/smpboot.c
-@@ -288,7 +288,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
+@@ -289,7 +289,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
  		}
  		smpboot_unpark_thread(plug_thread, cpu);
  	}
@@ -93082,8 +93097,8 @@ index eb89e18..a4e6792 100644
 +	pax_list_add(&plug_thread->list, &hotplug_threads);
  out:
  	mutex_unlock(&smpboot_threads_lock);
- 	return ret;
-@@ -305,7 +305,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
+ 	put_online_cpus();
+@@ -307,7 +307,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
  {
  	get_online_cpus();
  	mutex_lock(&smpboot_threads_lock);
@@ -93617,7 +93632,7 @@ index a7077d3..dd48a49 100644
  		.clock_get	= alarm_clock_get,
  		.timer_create	= alarm_timer_create,
 diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
-index 37e50aa..57a9501 100644
+index d8c724c..6b331a4 100644
 --- a/kernel/time/hrtimer.c
 +++ b/kernel/time/hrtimer.c
 @@ -1399,7 +1399,7 @@ void hrtimer_peek_ahead_timers(void)
@@ -95568,7 +95583,7 @@ index 72b8fa3..c5b39f1 100644
  	 * Make sure the vma is shared, that it supports prefaulting,
  	 * and that the remapped range is valid and fully within
 diff --git a/mm/gup.c b/mm/gup.c
-index cd62c8c..3bb2053 100644
+index a0d57ec..79d469ce 100644
 --- a/mm/gup.c
 +++ b/mm/gup.c
 @@ -274,11 +274,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
@@ -96090,7 +96105,7 @@ index 8639f6b..b623882a 100644
  	}
  	unset_migratetype_isolate(page, MIGRATE_MOVABLE);
 diff --git a/mm/memory.c b/mm/memory.c
-index 7f86cf6..0600e22 100644
+index d442584..0600e22 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -415,6 +415,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -96492,7 +96507,7 @@ index 7f86cf6..0600e22 100644
 -
 -	/* Check if we need to add a guard page to the stack */
 -	if (check_stack_guard_page(vma, address) < 0)
--		return VM_FAULT_SIGBUS;
+-		return VM_FAULT_SIGSEGV;
 -
 -	/* Use the zero-page for reads */
  	if (!(flags & FAULT_FLAG_WRITE)) {
@@ -96913,7 +96928,7 @@ index 73cf098..ab547c7 100644
  	    capable(CAP_IPC_LOCK))
  		ret = do_mlockall(flags);
 diff --git a/mm/mmap.c b/mm/mmap.c
-index 1620adb..348da48 100644
+index 1620adb..6b35ac8 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -41,6 +41,7 @@
@@ -96978,6 +96993,24 @@ index 1620adb..348da48 100644
  /*
   * Make sure vm_committed_as in one cacheline and not cacheline shared with
   * other variables. It can be updated by several CPUs frequently.
+@@ -152,7 +173,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed, reserve;
++	long free, allowed, reserve;
+ 
+ 	VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) <
+ 			-(s64)vm_committed_as_batch * num_online_cpus(),
+@@ -220,7 +241,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 	 */
+ 	if (mm) {
+ 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
+-		allowed -= min(mm->total_vm / 32, reserve);
++		allowed -= min_t(long, mm->total_vm / 32, reserve);
+ 	}
+ 
+ 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)
 @@ -274,6 +295,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
  	struct vm_area_struct *next = vma->vm_next;
  
@@ -98505,7 +98538,7 @@ index b147f66..98a695ab 100644
  out:
  	if (ret & ~PAGE_MASK)
 diff --git a/mm/nommu.c b/mm/nommu.c
-index bd1808e..b63d87c 100644
+index bd1808e..22cbc6a 100644
 --- a/mm/nommu.c
 +++ b/mm/nommu.c
 @@ -70,7 +70,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
@@ -98540,6 +98573,24 @@ index bd1808e..b63d87c 100644
  	*region = *vma->vm_region;
  	new->vm_region = region;
  
+@@ -1905,7 +1896,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed, reserve;
++	long free, allowed, reserve;
+ 
+ 	vm_acct_memory(pages);
+ 
+@@ -1969,7 +1960,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 	 */
+ 	if (mm) {
+ 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
+-		allowed -= min(mm->total_vm / 32, reserve);
++		allowed -= min_t(long, mm->total_vm / 32, reserve);
+ 	}
+ 
+ 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)
 @@ -2002,8 +1993,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr,
  }
  EXPORT_SYMBOL(generic_file_remap_pages);
@@ -98876,7 +98927,7 @@ index 3e4c721..a5e3e39 100644
  
  /*
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 185836b..d7255a1 100644
+index 0b4ba55..bcef4ae 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
 @@ -33,7 +33,7 @@
@@ -103628,7 +103679,7 @@ index 6156f68..d6ab46d 100644
  	return -ENOMEM;
  }
 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 0169ccf..50d7b04 100644
+index 0169ccf..6f14338 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -171,7 +171,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -103701,7 +103752,30 @@ index 0169ccf..50d7b04 100644
  	for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
  		idx = 0;
  		head = &net->dev_index_head[h];
-@@ -4788,7 +4795,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4536,6 +4543,22 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
+ 	return 0;
+ }
+ 
++static const struct nla_policy inet6_af_policy[IFLA_INET6_MAX + 1] = {
++	[IFLA_INET6_ADDR_GEN_MODE]	= { .type = NLA_U8 },
++	[IFLA_INET6_TOKEN]		= { .len = sizeof(struct in6_addr) },
++};
++
++static int inet6_validate_link_af(const struct net_device *dev,
++				  const struct nlattr *nla)
++{
++	struct nlattr *tb[IFLA_INET6_MAX + 1];
++
++	if (dev && !__in6_dev_get(dev))
++		return -EAFNOSUPPORT;
++
++	return nla_parse_nested(tb, IFLA_INET6_MAX, nla, inet6_af_policy);
++}
++
+ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
+ {
+ 	int err = -EINVAL;
+@@ -4788,7 +4811,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
  		rt_genid_bump_ipv6(net);
  		break;
  	}
@@ -103710,7 +103784,7 @@ index 0169ccf..50d7b04 100644
  }
  
  static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
-@@ -4808,7 +4815,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+@@ -4808,7 +4831,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
  	int *valp = ctl->data;
  	int val = *valp;
  	loff_t pos = *ppos;
@@ -103719,7 +103793,7 @@ index 0169ccf..50d7b04 100644
  	int ret;
  
  	/*
-@@ -4893,7 +4900,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
+@@ -4893,7 +4916,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
  	int *valp = ctl->data;
  	int val = *valp;
  	loff_t pos = *ppos;
@@ -103728,6 +103802,14 @@ index 0169ccf..50d7b04 100644
  	int ret;
  
  	/*
+@@ -5351,6 +5374,7 @@ static struct rtnl_af_ops inet6_ops = {
+ 	.family		  = AF_INET6,
+ 	.fill_link_af	  = inet6_fill_link_af,
+ 	.get_link_af_size = inet6_get_link_af_size,
++	.validate_link_af = inet6_validate_link_af,
+ 	.set_link_af	  = inet6_set_link_af,
+ };
+ 
 diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
 index e8c4400..a4cd5da 100644
 --- a/net/ipv6/af_inet6.c
@@ -104862,7 +104944,7 @@ index 0de7c93..884b2ca 100644
  		/*
  		 * Goal:
 diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
-index 4c5192e..04cc0d8 100644
+index 4a95fe3..0bfd713 100644
 --- a/net/mac80211/pm.c
 +++ b/net/mac80211/pm.c
 @@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
@@ -104883,7 +104965,7 @@ index 4c5192e..04cc0d8 100644
  	if (local->wowlan) {
  		int err = drv_suspend(local, wowlan);
  		if (err < 0) {
-@@ -125,7 +125,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
+@@ -126,7 +126,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
  	WARN_ON(!list_empty(&local->chanctx_list));
  
  	/* stop hardware - this must stop RX */
@@ -107731,14 +107813,14 @@ index b304068..462d24e 100644
  		fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? %#x\n",
 diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh
 new file mode 100644
-index 0000000..42018ed
+index 0000000..822fa9e
 --- /dev/null
 +++ b/scripts/gcc-plugin.sh
 @@ -0,0 +1,51 @@
 +#!/bin/sh
 +srctree=$(dirname "$0")
 +gccplugins_dir=$($3 -print-file-name=plugin)
-+plugincc=$($1 -E - -o /dev/null -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($1 -E - -o /dev/null -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +#if BUILDING_GCC_VERSION >= 4008 || defined(ENABLE_BUILD_WITH_CXX)
 +#warning $2 CXX
@@ -107769,7 +107851,7 @@ index 0000000..42018ed
 +esac
 +
 +# we need a c++ compiler that supports the designated initializer GNU extension
-+plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +class test {
 +public:
@@ -109436,6 +109518,18 @@ index 4743d71..170a185 100644
  err:
  	if (iov != iovstack)
  		kfree(iov);
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 0c7aea4..486ef6f 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -414,6 +414,7 @@ link_check_failed:
+ 
+ link_prealloc_failed:
+ 	mutex_unlock(&user->cons_lock);
++	key_put(key);
+ 	kleave(" = %d [prelink]", ret);
+ 	return ret;
+ 
 diff --git a/security/min_addr.c b/security/min_addr.c
 index f728728..6457a0c 100644
 --- a/security/min_addr.c
@@ -110936,10 +111030,10 @@ index 0000000..54461af
 +}
 diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
 new file mode 100644
-index 0000000..82bc5a8
+index 0000000..3b5af59
 --- /dev/null
 +++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,557 @@
+@@ -0,0 +1,558 @@
 +/*
 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
 + * Copyright 2011-2014 by PaX Team <pageexec@freemail.hu>
@@ -111373,7 +111467,8 @@ index 0000000..82bc5a8
 +#if BUILDING_GCC_VERSION >= 4008
 +		.optinfo_flags		= OPTGROUP_NONE,
 +#endif
-+#if BUILDING_GCC_VERSION >= 4009
++#if BUILDING_GCC_VERSION >= 5000
++#elif BUILDING_GCC_VERSION >= 4009
 +		.has_gate		= false,
 +		.has_execute		= true,
 +#else
@@ -111481,8 +111576,8 @@ index 0000000..82bc5a8
 +		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
-+	if (strcmp(lang_hooks.name, "GNU C")) {
-+		inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
++	if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) {
++		inform(UNKNOWN_LOCATION, G_("%s supports C only, not %s"), plugin_name, lang_hooks.name);
 +		constify = false;
 +	}
 +
diff --git a/3.18.5/4425_grsec_remove_EI_PAX.patch b/3.18.7/4425_grsec_remove_EI_PAX.patch
index 86e242a..86e242a 100644
--- a/3.18.5/4425_grsec_remove_EI_PAX.patch
+++ b/3.18.7/4425_grsec_remove_EI_PAX.patch
diff --git a/3.18.5/4427_force_XATTR_PAX_tmpfs.patch b/3.18.7/4427_force_XATTR_PAX_tmpfs.patch
index 22c9273..22c9273 100644
--- a/3.18.5/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.18.7/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.18.5/4430_grsec-remove-localversion-grsec.patch b/3.18.7/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.18.5/4430_grsec-remove-localversion-grsec.patch
+++ b/3.18.7/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.18.5/4435_grsec-mute-warnings.patch b/3.18.7/4435_grsec-mute-warnings.patch
index 0585e08..0585e08 100644
--- a/3.18.5/4435_grsec-mute-warnings.patch
+++ b/3.18.7/4435_grsec-mute-warnings.patch
diff --git a/3.18.5/4440_grsec-remove-protected-paths.patch b/3.18.7/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.18.5/4440_grsec-remove-protected-paths.patch
+++ b/3.18.7/4440_grsec-remove-protected-paths.patch
diff --git a/3.18.5/4450_grsec-kconfig-default-gids.patch b/3.18.7/4450_grsec-kconfig-default-gids.patch
index 5c025da..5c025da 100644
--- a/3.18.5/4450_grsec-kconfig-default-gids.patch
+++ b/3.18.7/4450_grsec-kconfig-default-gids.patch
diff --git a/3.18.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.7/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/3.18.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.18.7/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.18.5/4470_disable-compat_vdso.patch b/3.18.7/4470_disable-compat_vdso.patch
index df785ab..df785ab 100644
--- a/3.18.5/4470_disable-compat_vdso.patch
+++ b/3.18.7/4470_disable-compat_vdso.patch
diff --git a/3.18.5/4475_emutramp_default_on.patch b/3.18.7/4475_emutramp_default_on.patch
index ad4967a..ad4967a 100644
--- a/3.18.5/4475_emutramp_default_on.patch
+++ b/3.18.7/4475_emutramp_default_on.patch
diff --git a/3.2.66/0000_README b/3.2.67/0000_README
index 3806e75..deb8dff 100644
--- a/3.2.66/0000_README
+++ b/3.2.67/0000_README
@@ -182,7 +182,11 @@ Patch:	1065_linux-3.2.66.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.66
 
-Patch:	4420_grsecurity-3.0-3.2.66-201502052350.patch
+Patch:	1066_linux-3.2.67.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.67
+
+Patch:	4420_grsecurity-3.0-3.2.67-201502200807.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.66/1021_linux-3.2.22.patch b/3.2.67/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.66/1021_linux-3.2.22.patch
+++ b/3.2.67/1021_linux-3.2.22.patch
diff --git a/3.2.66/1022_linux-3.2.23.patch b/3.2.67/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.66/1022_linux-3.2.23.patch
+++ b/3.2.67/1022_linux-3.2.23.patch
diff --git a/3.2.66/1023_linux-3.2.24.patch b/3.2.67/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.66/1023_linux-3.2.24.patch
+++ b/3.2.67/1023_linux-3.2.24.patch
diff --git a/3.2.66/1024_linux-3.2.25.patch b/3.2.67/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.66/1024_linux-3.2.25.patch
+++ b/3.2.67/1024_linux-3.2.25.patch
diff --git a/3.2.66/1025_linux-3.2.26.patch b/3.2.67/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.66/1025_linux-3.2.26.patch
+++ b/3.2.67/1025_linux-3.2.26.patch
diff --git a/3.2.66/1026_linux-3.2.27.patch b/3.2.67/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.66/1026_linux-3.2.27.patch
+++ b/3.2.67/1026_linux-3.2.27.patch
diff --git a/3.2.66/1027_linux-3.2.28.patch b/3.2.67/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.66/1027_linux-3.2.28.patch
+++ b/3.2.67/1027_linux-3.2.28.patch
diff --git a/3.2.66/1028_linux-3.2.29.patch b/3.2.67/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.66/1028_linux-3.2.29.patch
+++ b/3.2.67/1028_linux-3.2.29.patch
diff --git a/3.2.66/1029_linux-3.2.30.patch b/3.2.67/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.66/1029_linux-3.2.30.patch
+++ b/3.2.67/1029_linux-3.2.30.patch
diff --git a/3.2.66/1030_linux-3.2.31.patch b/3.2.67/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.66/1030_linux-3.2.31.patch
+++ b/3.2.67/1030_linux-3.2.31.patch
diff --git a/3.2.66/1031_linux-3.2.32.patch b/3.2.67/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.66/1031_linux-3.2.32.patch
+++ b/3.2.67/1031_linux-3.2.32.patch
diff --git a/3.2.66/1032_linux-3.2.33.patch b/3.2.67/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.66/1032_linux-3.2.33.patch
+++ b/3.2.67/1032_linux-3.2.33.patch
diff --git a/3.2.66/1033_linux-3.2.34.patch b/3.2.67/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.66/1033_linux-3.2.34.patch
+++ b/3.2.67/1033_linux-3.2.34.patch
diff --git a/3.2.66/1034_linux-3.2.35.patch b/3.2.67/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.66/1034_linux-3.2.35.patch
+++ b/3.2.67/1034_linux-3.2.35.patch
diff --git a/3.2.66/1035_linux-3.2.36.patch b/3.2.67/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.66/1035_linux-3.2.36.patch
+++ b/3.2.67/1035_linux-3.2.36.patch
diff --git a/3.2.66/1036_linux-3.2.37.patch b/3.2.67/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.66/1036_linux-3.2.37.patch
+++ b/3.2.67/1036_linux-3.2.37.patch
diff --git a/3.2.66/1037_linux-3.2.38.patch b/3.2.67/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.66/1037_linux-3.2.38.patch
+++ b/3.2.67/1037_linux-3.2.38.patch
diff --git a/3.2.66/1038_linux-3.2.39.patch b/3.2.67/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.66/1038_linux-3.2.39.patch
+++ b/3.2.67/1038_linux-3.2.39.patch
diff --git a/3.2.66/1039_linux-3.2.40.patch b/3.2.67/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.66/1039_linux-3.2.40.patch
+++ b/3.2.67/1039_linux-3.2.40.patch
diff --git a/3.2.66/1040_linux-3.2.41.patch b/3.2.67/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.66/1040_linux-3.2.41.patch
+++ b/3.2.67/1040_linux-3.2.41.patch
diff --git a/3.2.66/1041_linux-3.2.42.patch b/3.2.67/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.66/1041_linux-3.2.42.patch
+++ b/3.2.67/1041_linux-3.2.42.patch
diff --git a/3.2.66/1042_linux-3.2.43.patch b/3.2.67/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.66/1042_linux-3.2.43.patch
+++ b/3.2.67/1042_linux-3.2.43.patch
diff --git a/3.2.66/1043_linux-3.2.44.patch b/3.2.67/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.66/1043_linux-3.2.44.patch
+++ b/3.2.67/1043_linux-3.2.44.patch
diff --git a/3.2.66/1044_linux-3.2.45.patch b/3.2.67/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.66/1044_linux-3.2.45.patch
+++ b/3.2.67/1044_linux-3.2.45.patch
diff --git a/3.2.66/1045_linux-3.2.46.patch b/3.2.67/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.66/1045_linux-3.2.46.patch
+++ b/3.2.67/1045_linux-3.2.46.patch
diff --git a/3.2.66/1046_linux-3.2.47.patch b/3.2.67/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.66/1046_linux-3.2.47.patch
+++ b/3.2.67/1046_linux-3.2.47.patch
diff --git a/3.2.66/1047_linux-3.2.48.patch b/3.2.67/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.66/1047_linux-3.2.48.patch
+++ b/3.2.67/1047_linux-3.2.48.patch
diff --git a/3.2.66/1048_linux-3.2.49.patch b/3.2.67/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.66/1048_linux-3.2.49.patch
+++ b/3.2.67/1048_linux-3.2.49.patch
diff --git a/3.2.66/1049_linux-3.2.50.patch b/3.2.67/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.66/1049_linux-3.2.50.patch
+++ b/3.2.67/1049_linux-3.2.50.patch
diff --git a/3.2.66/1050_linux-3.2.51.patch b/3.2.67/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.66/1050_linux-3.2.51.patch
+++ b/3.2.67/1050_linux-3.2.51.patch
diff --git a/3.2.66/1051_linux-3.2.52.patch b/3.2.67/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.66/1051_linux-3.2.52.patch
+++ b/3.2.67/1051_linux-3.2.52.patch
diff --git a/3.2.66/1052_linux-3.2.53.patch b/3.2.67/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.66/1052_linux-3.2.53.patch
+++ b/3.2.67/1052_linux-3.2.53.patch
diff --git a/3.2.66/1053_linux-3.2.54.patch b/3.2.67/1053_linux-3.2.54.patch
index a907496..a907496 100644
--- a/3.2.66/1053_linux-3.2.54.patch
+++ b/3.2.67/1053_linux-3.2.54.patch
diff --git a/3.2.66/1054_linux-3.2.55.patch b/3.2.67/1054_linux-3.2.55.patch
index 6071ff5..6071ff5 100644
--- a/3.2.66/1054_linux-3.2.55.patch
+++ b/3.2.67/1054_linux-3.2.55.patch
diff --git a/3.2.66/1055_linux-3.2.56.patch b/3.2.67/1055_linux-3.2.56.patch
index 2e8239c..2e8239c 100644
--- a/3.2.66/1055_linux-3.2.56.patch
+++ b/3.2.67/1055_linux-3.2.56.patch
diff --git a/3.2.66/1056_linux-3.2.57.patch b/3.2.67/1056_linux-3.2.57.patch
index 7b8f174..7b8f174 100644
--- a/3.2.66/1056_linux-3.2.57.patch
+++ b/3.2.67/1056_linux-3.2.57.patch
diff --git a/3.2.66/1057_linux-3.2.58.patch b/3.2.67/1057_linux-3.2.58.patch
index db5723a..db5723a 100644
--- a/3.2.66/1057_linux-3.2.58.patch
+++ b/3.2.67/1057_linux-3.2.58.patch
diff --git a/3.2.66/1058_linux-3.2.59.patch b/3.2.67/1058_linux-3.2.59.patch
index cd59fe9..cd59fe9 100644
--- a/3.2.66/1058_linux-3.2.59.patch
+++ b/3.2.67/1058_linux-3.2.59.patch
diff --git a/3.2.66/1059_linux-3.2.60.patch b/3.2.67/1059_linux-3.2.60.patch
index c5a9389..c5a9389 100644
--- a/3.2.66/1059_linux-3.2.60.patch
+++ b/3.2.67/1059_linux-3.2.60.patch
diff --git a/3.2.66/1060_linux-3.2.61.patch b/3.2.67/1060_linux-3.2.61.patch
index a1bf580..a1bf580 100644
--- a/3.2.66/1060_linux-3.2.61.patch
+++ b/3.2.67/1060_linux-3.2.61.patch
diff --git a/3.2.66/1061_linux-3.2.62.patch b/3.2.67/1061_linux-3.2.62.patch
index 34217f0..34217f0 100644
--- a/3.2.66/1061_linux-3.2.62.patch
+++ b/3.2.67/1061_linux-3.2.62.patch
diff --git a/3.2.66/1062_linux-3.2.63.patch b/3.2.67/1062_linux-3.2.63.patch
index f7c7415..f7c7415 100644
--- a/3.2.66/1062_linux-3.2.63.patch
+++ b/3.2.67/1062_linux-3.2.63.patch
diff --git a/3.2.66/1063_linux-3.2.64.patch b/3.2.67/1063_linux-3.2.64.patch
index 862b4f0..862b4f0 100644
--- a/3.2.66/1063_linux-3.2.64.patch
+++ b/3.2.67/1063_linux-3.2.64.patch
diff --git a/3.2.66/1064_linux-3.2.65.patch b/3.2.67/1064_linux-3.2.65.patch
index c3ae4fa..c3ae4fa 100644
--- a/3.2.66/1064_linux-3.2.65.patch
+++ b/3.2.67/1064_linux-3.2.65.patch
diff --git a/3.2.66/1065_linux-3.2.66.patch b/3.2.67/1065_linux-3.2.66.patch
index 73fa646..73fa646 100644
--- a/3.2.66/1065_linux-3.2.66.patch
+++ b/3.2.67/1065_linux-3.2.66.patch
diff --git a/3.2.67/1066_linux-3.2.67.patch b/3.2.67/1066_linux-3.2.67.patch
new file mode 100644
index 0000000..c0a9278
--- /dev/null
+++ b/3.2.67/1066_linux-3.2.67.patch
@@ -0,0 +1,6792 @@
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 1b196ea..f0001eb 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -940,6 +940,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 	i8042.notimeout	[HW] Ignore timeout condition signalled by conroller
+ 	i8042.reset	[HW] Reset the controller during init and cleanup
+ 	i8042.unlock	[HW] Unlock (ignore) the keylock
++	i8042.kbdreset  [HW] Reset device connected to KBD port
+ 
+ 	i810=		[HW,DRM]
+ 
+diff --git a/Makefile b/Makefile
+index f08f8bf..70769fb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 66
++SUBLEVEL = 67
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
+index fadd5f8..e576b91 100644
+--- a/arch/alpha/mm/fault.c
++++ b/arch/alpha/mm/fault.c
+@@ -150,6 +150,8 @@ do_page_fault(unsigned long address, unsigned long mmcsr,
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/arm/mach-omap2/omap_l3_noc.c b/arch/arm/mach-omap2/omap_l3_noc.c
+index d15225f..5b9631f 100644
+--- a/arch/arm/mach-omap2/omap_l3_noc.c
++++ b/arch/arm/mach-omap2/omap_l3_noc.c
+@@ -121,11 +121,15 @@ static irqreturn_t l3_interrupt_handler(int irq, void *_l3)
+ 				/* Nothing to be handled here as of now */
+ 				break;
+ 			}
+-		/* Error found so break the for loop */
+-		break;
++			/* Error found so break the for loop */
++			return IRQ_HANDLED;
+ 		}
+ 	}
+-	return IRQ_HANDLED;
++
++	dev_err(l3->dev, "L3 %s IRQ not handled!!\n",
++		inttype ? "debug" : "application");
++
++	return IRQ_NONE;
+ }
+ 
+ static int __devinit omap4_l3_probe(struct platform_device *pdev)
+diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
+index f7040a1..632b649 100644
+--- a/arch/avr32/mm/fault.c
++++ b/arch/avr32/mm/fault.c
+@@ -136,6 +136,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/cris/mm/fault.c b/arch/cris/mm/fault.c
+index 9dcac8e..280c8ea 100644
+--- a/arch/cris/mm/fault.c
++++ b/arch/cris/mm/fault.c
+@@ -166,6 +166,8 @@ do_page_fault(unsigned long address, struct pt_regs *regs,
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/frv/mm/fault.c b/arch/frv/mm/fault.c
+index a325d57..46a3c18 100644
+--- a/arch/frv/mm/fault.c
++++ b/arch/frv/mm/fault.c
+@@ -167,6 +167,8 @@ asmlinkage void do_page_fault(int datammu, unsigned long esr0, unsigned long ear
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
+index 20b3593..1e362cd 100644
+--- a/arch/ia64/mm/fault.c
++++ b/arch/ia64/mm/fault.c
+@@ -163,6 +163,8 @@ ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *re
+ 		 */
+ 		if (fault & VM_FAULT_OOM) {
+ 			goto out_of_memory;
++		} else if (fault & VM_FAULT_SIGSEGV) {
++			goto bad_area;
+ 		} else if (fault & VM_FAULT_SIGBUS) {
+ 			signal = SIGBUS;
+ 			goto bad_area;
+diff --git a/arch/m32r/mm/fault.c b/arch/m32r/mm/fault.c
+index 2c9aeb4..beda9cc 100644
+--- a/arch/m32r/mm/fault.c
++++ b/arch/m32r/mm/fault.c
+@@ -199,6 +199,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/m68k/mm/fault.c b/arch/m68k/mm/fault.c
+index 2db6099..d605b93 100644
+--- a/arch/m68k/mm/fault.c
++++ b/arch/m68k/mm/fault.c
+@@ -147,6 +147,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto map_err;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto bus_err;
+ 		BUG();
+diff --git a/arch/microblaze/mm/fault.c b/arch/microblaze/mm/fault.c
+index ae97d2c..31bb381 100644
+--- a/arch/microblaze/mm/fault.c
++++ b/arch/microblaze/mm/fault.c
+@@ -215,6 +215,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
+index 937cf33..b8314cfe 100644
+--- a/arch/mips/mm/fault.c
++++ b/arch/mips/mm/fault.c
+@@ -149,6 +149,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/mn10300/mm/fault.c b/arch/mn10300/mm/fault.c
+index 0945409..fe2ceb7 100644
+--- a/arch/mn10300/mm/fault.c
++++ b/arch/mn10300/mm/fault.c
+@@ -256,6 +256,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/openrisc/mm/fault.c b/arch/openrisc/mm/fault.c
+index a5dce82..162abfb 100644
+--- a/arch/openrisc/mm/fault.c
++++ b/arch/openrisc/mm/fault.c
+@@ -163,6 +163,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
+index 18162ce..a9b765a 100644
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -210,6 +210,8 @@ good_area:
+ 		 */
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto bad_area;
+ 		BUG();
+diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
+index 5efe8c9..7450843 100644
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -312,6 +312,8 @@ good_area:
+ 	 */
+ 	ret = handle_mm_fault(mm, vma, address, is_write ? FAULT_FLAG_WRITE : 0);
+ 	if (unlikely(ret & VM_FAULT_ERROR)) {
++		if (ret & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		if (ret & VM_FAULT_OOM)
+ 			goto out_of_memory;
+ 		else if (ret & VM_FAULT_SIGBUS)
+diff --git a/arch/powerpc/platforms/cell/spu_fault.c b/arch/powerpc/platforms/cell/spu_fault.c
+index 641e727..62f3e4e 100644
+--- a/arch/powerpc/platforms/cell/spu_fault.c
++++ b/arch/powerpc/platforms/cell/spu_fault.c
+@@ -75,7 +75,7 @@ int spu_handle_mm_fault(struct mm_struct *mm, unsigned long ea,
+ 		if (*flt & VM_FAULT_OOM) {
+ 			ret = -ENOMEM;
+ 			goto out_unlock;
+-		} else if (*flt & VM_FAULT_SIGBUS) {
++		} else if (*flt & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) {
+ 			ret = -EFAULT;
+ 			goto out_unlock;
+ 		}
+diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
+index 51fb1ef..05d08c8 100644
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -972,7 +972,7 @@ static void __exit aes_s390_fini(void)
+ module_init(aes_s390_init);
+ module_exit(aes_s390_fini);
+ 
+-MODULE_ALIAS("aes-all");
++MODULE_ALIAS_CRYPTO("aes-all");
+ 
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
+ MODULE_LICENSE("GPL");
+diff --git a/arch/s390/crypto/des_s390.c b/arch/s390/crypto/des_s390.c
+index 991fb7d..28e336a 100644
+--- a/arch/s390/crypto/des_s390.c
++++ b/arch/s390/crypto/des_s390.c
+@@ -626,8 +626,8 @@ static void __exit des_s390_exit(void)
+ module_init(des_s390_init);
+ module_exit(des_s390_exit);
+ 
+-MODULE_ALIAS("des");
+-MODULE_ALIAS("des3_ede");
++MODULE_ALIAS_CRYPTO("des");
++MODULE_ALIAS_CRYPTO("des3_ede");
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");
+diff --git a/arch/s390/crypto/ghash_s390.c b/arch/s390/crypto/ghash_s390.c
+index f6373f0..31086ea 100644
+--- a/arch/s390/crypto/ghash_s390.c
++++ b/arch/s390/crypto/ghash_s390.c
+@@ -161,7 +161,7 @@ static void __exit ghash_mod_exit(void)
+ module_init(ghash_mod_init);
+ module_exit(ghash_mod_exit);
+ 
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm, s390 implementation");
+diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c
+index e9868c6..484c27c 100644
+--- a/arch/s390/crypto/sha1_s390.c
++++ b/arch/s390/crypto/sha1_s390.c
+@@ -103,6 +103,6 @@ static void __exit sha1_s390_fini(void)
+ module_init(sha1_s390_init);
+ module_exit(sha1_s390_fini);
+ 
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm");
+diff --git a/arch/s390/crypto/sha256_s390.c b/arch/s390/crypto/sha256_s390.c
+index 0317a35..af31018 100644
+--- a/arch/s390/crypto/sha256_s390.c
++++ b/arch/s390/crypto/sha256_s390.c
+@@ -143,7 +143,7 @@ static void __exit sha256_s390_fini(void)
+ module_init(sha256_s390_init);
+ module_exit(sha256_s390_fini);
+ 
+-MODULE_ALIAS("sha256");
+-MODULE_ALIAS("sha224");
++MODULE_ALIAS_CRYPTO("sha256");
++MODULE_ALIAS_CRYPTO("sha224");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA256 and SHA224 Secure Hash Algorithm");
+diff --git a/arch/s390/crypto/sha512_s390.c b/arch/s390/crypto/sha512_s390.c
+index 32a8138..0c36989 100644
+--- a/arch/s390/crypto/sha512_s390.c
++++ b/arch/s390/crypto/sha512_s390.c
+@@ -86,7 +86,7 @@ static struct shash_alg sha512_alg = {
+ 	}
+ };
+ 
+-MODULE_ALIAS("sha512");
++MODULE_ALIAS_CRYPTO("sha512");
+ 
+ static int sha384_init(struct shash_desc *desc)
+ {
+@@ -126,7 +126,7 @@ static struct shash_alg sha384_alg = {
+ 	}
+ };
+ 
+-MODULE_ALIAS("sha384");
++MODULE_ALIAS_CRYPTO("sha384");
+ 
+ static int __init init(void)
+ {
+diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
+index a5f6eff..bc486d0 100644
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -58,6 +58,7 @@ static int handle_lctlg(struct kvm_vcpu *vcpu)
+ 			break;
+ 		reg = (reg + 1) % 16;
+ 	} while (1);
++	kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
+ 	return 0;
+ }
+ 
+@@ -97,6 +98,7 @@ static int handle_lctl(struct kvm_vcpu *vcpu)
+ 			break;
+ 		reg = (reg + 1) % 16;
+ 	} while (1);
++	kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
+ 	return 0;
+ }
+ 
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index 0fc0a7e..b53339d 100644
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -249,6 +249,13 @@ static noinline void do_fault_error(struct pt_regs *regs, long int_code,
+ 				do_no_context(regs, int_code, trans_exc_code);
+ 			else
+ 				pagefault_out_of_memory();
++		} else if (fault & VM_FAULT_SIGSEGV) {
++			/* Kernel mode? Handle exceptions or die */
++			if (!user_mode(regs))
++				do_no_context(regs, int_code, trans_exc_code);
++			else
++				do_sigsegv(regs, int_code, SEGV_MAPERR,
++					   trans_exc_code);
+ 		} else if (fault & VM_FAULT_SIGBUS) {
+ 			/* Kernel mode? Handle exceptions or die */
+ 			if (!(regs->psw.mask & PSW_MASK_PSTATE))
+diff --git a/arch/score/mm/fault.c b/arch/score/mm/fault.c
+index 47b600e..b3744ca 100644
+--- a/arch/score/mm/fault.c
++++ b/arch/score/mm/fault.c
+@@ -110,6 +110,8 @@ survive:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/sh/mm/fault_32.c b/arch/sh/mm/fault_32.c
+index 7bebd04..db14482 100644
+--- a/arch/sh/mm/fault_32.c
++++ b/arch/sh/mm/fault_32.c
+@@ -206,6 +206,8 @@ good_area:
+ 			goto out_of_memory;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		BUG();
+ 	}
+ 	if (fault & VM_FAULT_MAJOR) {
+diff --git a/arch/sh/mm/tlbflush_64.c b/arch/sh/mm/tlbflush_64.c
+index e3430e0..43eef7b 100644
+--- a/arch/sh/mm/tlbflush_64.c
++++ b/arch/sh/mm/tlbflush_64.c
+@@ -195,6 +195,8 @@ good_area:
+ 			goto out_of_memory;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		BUG();
+ 	}
+ 
+diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
+index 8023fd7..802b806 100644
+--- a/arch/sparc/mm/fault_32.c
++++ b/arch/sparc/mm/fault_32.c
+@@ -294,6 +294,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
+index 2c0b966..bfd7c02 100644
+--- a/arch/sparc/mm/fault_64.c
++++ b/arch/sparc/mm/fault_64.c
+@@ -435,6 +435,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/tile/mm/fault.c b/arch/tile/mm/fault.c
+index 25b7b90..c796ce44 100644
+--- a/arch/tile/mm/fault.c
++++ b/arch/tile/mm/fault.c
+@@ -424,6 +424,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
+index dafc947..f79ffc9 100644
+--- a/arch/um/kernel/trap.c
++++ b/arch/um/kernel/trap.c
+@@ -69,6 +69,8 @@ good_area:
+ 		if (unlikely(fault & VM_FAULT_ERROR)) {
+ 			if (fault & VM_FAULT_OOM) {
+ 				goto out_of_memory;
++			} else if (fault & VM_FAULT_SIGSEGV) {
++				goto out;
+ 			} else if (fault & VM_FAULT_SIGBUS) {
+ 				err = -EACCES;
+ 				goto out;
+diff --git a/arch/x86/crypto/aes_glue.c b/arch/x86/crypto/aes_glue.c
+index 8efcf42..8950e0c 100644
+--- a/arch/x86/crypto/aes_glue.c
++++ b/arch/x86/crypto/aes_glue.c
+@@ -67,5 +67,5 @@ module_exit(aes_fini);
+ 
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, asm optimized");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("aes");
+-MODULE_ALIAS("aes-asm");
++MODULE_ALIAS_CRYPTO("aes");
++MODULE_ALIAS_CRYPTO("aes-asm");
+diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
+index 545d0ce..16acf68 100644
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1380,4 +1380,4 @@ module_exit(aesni_exit);
+ 
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, Intel AES-NI instructions optimized");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
+diff --git a/arch/x86/crypto/blowfish_glue.c b/arch/x86/crypto/blowfish_glue.c
+index b05aa16..f8350d2 100644
+--- a/arch/x86/crypto/blowfish_glue.c
++++ b/arch/x86/crypto/blowfish_glue.c
+@@ -488,5 +488,5 @@ module_exit(fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Blowfish Cipher Algorithm, asm optimized");
+-MODULE_ALIAS("blowfish");
+-MODULE_ALIAS("blowfish-asm");
++MODULE_ALIAS_CRYPTO("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish-asm");
+diff --git a/arch/x86/crypto/crc32c-intel.c b/arch/x86/crypto/crc32c-intel.c
+index b9d0026..7dad700 100644
+--- a/arch/x86/crypto/crc32c-intel.c
++++ b/arch/x86/crypto/crc32c-intel.c
+@@ -194,5 +194,5 @@ MODULE_AUTHOR("Austin Zhang <austin.zhang@intel.com>, Kent Liu <kent.liu@intel.c
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) optimization using Intel Hardware.");
+ MODULE_LICENSE("GPL");
+ 
+-MODULE_ALIAS("crc32c");
+-MODULE_ALIAS("crc32c-intel");
++MODULE_ALIAS_CRYPTO("crc32c");
++MODULE_ALIAS_CRYPTO("crc32c-intel");
+diff --git a/arch/x86/crypto/fpu.c b/arch/x86/crypto/fpu.c
+index 98d7a18..f368ba2 100644
+--- a/arch/x86/crypto/fpu.c
++++ b/arch/x86/crypto/fpu.c
+@@ -17,6 +17,7 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/crypto.h>
+ #include <asm/i387.h>
+ 
+ struct crypto_fpu_ctx {
+@@ -159,3 +160,5 @@ void __exit crypto_fpu_exit(void)
+ {
+ 	crypto_unregister_template(&crypto_fpu_tmpl);
+ }
++
++MODULE_ALIAS_CRYPTO("fpu");
+diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c
+index 294a264..f781251 100644
+--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
+@@ -339,4 +339,4 @@ module_exit(ghash_pclmulqdqni_mod_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm, "
+ 		   "acclerated by PCLMULQDQ-NI");
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
+diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
+index bccb76d..ae1ee37 100644
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -125,5 +125,5 @@ module_exit(fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm (optimized assembly version)");
+-MODULE_ALIAS("salsa20");
+-MODULE_ALIAS("salsa20-asm");
++MODULE_ALIAS_CRYPTO("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20-asm");
+diff --git a/arch/x86/crypto/sha1_ssse3_glue.c b/arch/x86/crypto/sha1_ssse3_glue.c
+index f916499..49b112e 100644
+--- a/arch/x86/crypto/sha1_ssse3_glue.c
++++ b/arch/x86/crypto/sha1_ssse3_glue.c
+@@ -237,4 +237,4 @@ module_exit(sha1_ssse3_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, Supplemental SSE3 accelerated");
+ 
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
+diff --git a/arch/x86/crypto/twofish_glue.c b/arch/x86/crypto/twofish_glue.c
+index dc6b3fb..7ec12d9 100644
+--- a/arch/x86/crypto/twofish_glue.c
++++ b/arch/x86/crypto/twofish_glue.c
+@@ -97,5 +97,5 @@ module_exit(fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Twofish Cipher Algorithm, asm optimized");
+-MODULE_ALIAS("twofish");
+-MODULE_ALIAS("twofish-asm");
++MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-asm");
+diff --git a/arch/x86/crypto/twofish_glue_3way.c b/arch/x86/crypto/twofish_glue_3way.c
+index 5ede9c4..09ed353 100644
+--- a/arch/x86/crypto/twofish_glue_3way.c
++++ b/arch/x86/crypto/twofish_glue_3way.c
+@@ -468,5 +468,5 @@ module_exit(fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Twofish Cipher Algorithm, 3-way parallel asm optimized");
+-MODULE_ALIAS("twofish");
+-MODULE_ALIAS("twofish-asm");
++MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-asm");
+diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
+index 41935fa..3225868 100644
+--- a/arch/x86/include/asm/desc.h
++++ b/arch/x86/include/asm/desc.h
+@@ -248,7 +248,8 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
+ 		gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
+ }
+ 
+-#define _LDT_empty(info)				\
++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
++#define LDT_empty(info)					\
+ 	((info)->base_addr		== 0	&&	\
+ 	 (info)->limit			== 0	&&	\
+ 	 (info)->contents		== 0	&&	\
+@@ -258,11 +259,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
+ 	 (info)->seg_not_present	== 1	&&	\
+ 	 (info)->useable		== 0)
+ 
+-#ifdef CONFIG_X86_64
+-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
+-#else
+-#define LDT_empty(info) (_LDT_empty(info))
+-#endif
++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
++static inline bool LDT_zero(const struct user_desc *info)
++{
++	return (info->base_addr		== 0 &&
++		info->limit		== 0 &&
++		info->contents		== 0 &&
++		info->read_exec_only	== 0 &&
++		info->seg_32bit		== 0 &&
++		info->limit_in_pages	== 0 &&
++		info->seg_not_present	== 0 &&
++		info->useable		== 0);
++}
+ 
+ static inline void clear_LDT(void)
+ {
+diff --git a/arch/x86/include/asm/ldt.h b/arch/x86/include/asm/ldt.h
+index 46727eb..6e1aaf7 100644
+--- a/arch/x86/include/asm/ldt.h
++++ b/arch/x86/include/asm/ldt.h
+@@ -28,6 +28,13 @@ struct user_desc {
+ 	unsigned int  seg_not_present:1;
+ 	unsigned int  useable:1;
+ #ifdef __x86_64__
++	/*
++	 * Because this bit is not present in 32-bit user code, user
++	 * programs can pass uninitialized values here.  Therefore, in
++	 * any context in which a user_desc comes from a 32-bit program,
++	 * the kernel must act as though lm == 0, regardless of the
++	 * actual value.
++	 */
+ 	unsigned int  lm:1;
+ #endif
+ };
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index a6962d9..5538b13 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -123,6 +123,7 @@
+ #define MSR_AMD64_PATCH_LOADER		0xc0010020
+ #define MSR_AMD64_OSVW_ID_LENGTH	0xc0010140
+ #define MSR_AMD64_OSVW_STATUS		0xc0010141
++#define MSR_AMD64_LS_CFG		0xc0011020
+ #define MSR_AMD64_DC_CFG		0xc0011022
+ #define MSR_AMD64_IBSFETCHCTL		0xc0011030
+ #define MSR_AMD64_IBSFETCHLINAD		0xc0011031
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 2d44a28..60d4c33 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -408,6 +408,16 @@ static void __cpuinit early_init_amd_mc(struct cpuinfo_x86 *c)
+ 
+ 	c->x86_coreid_bits = bits;
+ #endif
++
++	/* F16h erratum 793, CVE-2013-6885 */
++	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
++		u64 val;
++
++		if (!rdmsrl_amd_safe(MSR_AMD64_LS_CFG, &val) &&
++		    !(val & BIT(15)))
++			wrmsrl_amd_safe(MSR_AMD64_LS_CFG, val | BIT(15));
++	}
++
+ }
+ 
+ static void __cpuinit bsp_init_amd(struct cpuinfo_x86 *c)
+diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
+index 1a3cf6e..d1582b6 100644
+--- a/arch/x86/kernel/cpu/mshyperv.c
++++ b/arch/x86/kernel/cpu/mshyperv.c
+@@ -56,6 +56,7 @@ static struct clocksource hyperv_cs = {
+ 	.rating		= 400, /* use this when running on Hyperv*/
+ 	.read		= read_hv_clock,
+ 	.mask		= CLOCKSOURCE_MASK(64),
++	.flags		= CLOCK_SOURCE_IS_CONTINUOUS,
+ };
+ 
+ static void __init ms_hyperv_init_platform(void)
+diff --git a/arch/x86/kernel/kprobes.c b/arch/x86/kernel/kprobes.c
+index 7da647d..083848f 100644
+--- a/arch/x86/kernel/kprobes.c
++++ b/arch/x86/kernel/kprobes.c
+@@ -1058,6 +1058,15 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
+ 	regs->flags &= ~X86_EFLAGS_IF;
+ 	trace_hardirqs_off();
+ 	regs->ip = (unsigned long)(jp->entry);
++
++	/*
++	 * jprobes use jprobe_return() which skips the normal return
++	 * path of the function, and this messes up the accounting of the
++	 * function graph tracer to get messed up.
++	 *
++	 * Pause function graph tracing while performing the jprobe function.
++	 */
++	pause_graph_tracing();
+ 	return 1;
+ }
+ 
+@@ -1083,24 +1092,25 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
+ 	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+ 	u8 *addr = (u8 *) (regs->ip - 1);
+ 	struct jprobe *jp = container_of(p, struct jprobe, kp);
++	void *saved_sp = kcb->jprobe_saved_sp;
+ 
+ 	if ((addr > (u8 *) jprobe_return) &&
+ 	    (addr < (u8 *) jprobe_return_end)) {
+-		if (stack_addr(regs) != kcb->jprobe_saved_sp) {
++		if (stack_addr(regs) != saved_sp) {
+ 			struct pt_regs *saved_regs = &kcb->jprobe_saved_regs;
+ 			printk(KERN_ERR
+ 			       "current sp %p does not match saved sp %p\n",
+-			       stack_addr(regs), kcb->jprobe_saved_sp);
++			       stack_addr(regs), saved_sp);
+ 			printk(KERN_ERR "Saved registers for jprobe %p\n", jp);
+ 			show_registers(saved_regs);
+ 			printk(KERN_ERR "Current registers\n");
+ 			show_registers(regs);
+ 			BUG();
+ 		}
++		/* It's OK to start function graph tracing again */
++		unpause_graph_tracing();
+ 		*regs = kcb->jprobe_saved_regs;
+-		memcpy((kprobe_opcode_t *)(kcb->jprobe_saved_sp),
+-		       kcb->jprobes_stack,
+-		       MIN_STACK_SIZE(kcb->jprobe_saved_sp));
++		memcpy(saved_sp, kcb->jprobes_stack, MIN_STACK_SIZE(saved_sp));
+ 		preempt_enable_no_resched();
+ 		return 1;
+ 	}
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index 6a364a6..e361095 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -385,24 +385,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ 
+ 	fpu = switch_fpu_prepare(prev_p, next_p);
+ 
+-	/*
+-	 * Reload esp0, LDT and the page table pointer:
+-	 */
++	/* Reload esp0 and ss1. */
+ 	load_sp0(tss, next);
+ 
+-	/*
+-	 * Switch DS and ES.
+-	 * This won't pick up thread selector changes, but I guess that is ok.
+-	 */
+-	savesegment(es, prev->es);
+-	if (unlikely(next->es | prev->es))
+-		loadsegment(es, next->es);
+-
+-	savesegment(ds, prev->ds);
+-	if (unlikely(next->ds | prev->ds))
+-		loadsegment(ds, next->ds);
+-
+-
+ 	/* We must save %fs and %gs before load_TLS() because
+ 	 * %fs and %gs may be cleared by load_TLS().
+ 	 *
+@@ -411,41 +396,101 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ 	savesegment(fs, fsindex);
+ 	savesegment(gs, gsindex);
+ 
++	/*
++	 * Load TLS before restoring any segments so that segment loads
++	 * reference the correct GDT entries.
++	 */
+ 	load_TLS(next, cpu);
+ 
+ 	/*
+-	 * Leave lazy mode, flushing any hypercalls made here.
+-	 * This must be done before restoring TLS segments so
+-	 * the GDT and LDT are properly updated, and must be
+-	 * done before math_state_restore, so the TS bit is up
+-	 * to date.
++	 * Leave lazy mode, flushing any hypercalls made here.  This
++	 * must be done after loading TLS entries in the GDT but before
++	 * loading segments that might reference them, and and it must
++	 * be done before math_state_restore, so the TS bit is up to
++	 * date.
+ 	 */
+ 	arch_end_context_switch(next_p);
+ 
++	/* Switch DS and ES.
++	 *
++	 * Reading them only returns the selectors, but writing them (if
++	 * nonzero) loads the full descriptor from the GDT or LDT.  The
++	 * LDT for next is loaded in switch_mm, and the GDT is loaded
++	 * above.
++	 *
++	 * We therefore need to write new values to the segment
++	 * registers on every context switch unless both the new and old
++	 * values are zero.
++	 *
++	 * Note that we don't need to do anything for CS and SS, as
++	 * those are saved and restored as part of pt_regs.
++	 */
++	savesegment(es, prev->es);
++	if (unlikely(next->es | prev->es))
++		loadsegment(es, next->es);
++
++	savesegment(ds, prev->ds);
++	if (unlikely(next->ds | prev->ds))
++		loadsegment(ds, next->ds);
++
+ 	/*
+ 	 * Switch FS and GS.
+ 	 *
+-	 * Segment register != 0 always requires a reload.  Also
+-	 * reload when it has changed.  When prev process used 64bit
+-	 * base always reload to avoid an information leak.
++	 * These are even more complicated than FS and GS: they have
++	 * 64-bit bases are that controlled by arch_prctl.  Those bases
++	 * only differ from the values in the GDT or LDT if the selector
++	 * is 0.
++	 *
++	 * Loading the segment register resets the hidden base part of
++	 * the register to 0 or the value from the GDT / LDT.  If the
++	 * next base address zero, writing 0 to the segment register is
++	 * much faster than using wrmsr to explicitly zero the base.
++	 *
++	 * The thread_struct.fs and thread_struct.gs values are 0
++	 * if the fs and gs bases respectively are not overridden
++	 * from the values implied by fsindex and gsindex.  They
++	 * are nonzero, and store the nonzero base addresses, if
++	 * the bases are overridden.
++	 *
++	 * (fs != 0 && fsindex != 0) || (gs != 0 && gsindex != 0) should
++	 * be impossible.
++	 *
++	 * Therefore we need to reload the segment registers if either
++	 * the old or new selector is nonzero, and we need to override
++	 * the base address if next thread expects it to be overridden.
++	 *
++	 * This code is unnecessarily slow in the case where the old and
++	 * new indexes are zero and the new base is nonzero -- it will
++	 * unnecessarily write 0 to the selector before writing the new
++	 * base address.
++	 *
++	 * Note: This all depends on arch_prctl being the only way that
++	 * user code can override the segment base.  Once wrfsbase and
++	 * wrgsbase are enabled, most of this code will need to change.
+ 	 */
+ 	if (unlikely(fsindex | next->fsindex | prev->fs)) {
+ 		loadsegment(fs, next->fsindex);
++
+ 		/*
+-		 * Check if the user used a selector != 0; if yes
+-		 *  clear 64bit base, since overloaded base is always
+-		 *  mapped to the Null selector
++		 * If user code wrote a nonzero value to FS, then it also
++		 * cleared the overridden base address.
++		 *
++		 * XXX: if user code wrote 0 to FS and cleared the base
++		 * address itself, we won't notice and we'll incorrectly
++		 * restore the prior base address next time we reschdule
++		 * the process.
+ 		 */
+ 		if (fsindex)
+ 			prev->fs = 0;
+ 	}
+-	/* when next process has a 64bit base use it */
+ 	if (next->fs)
+ 		wrmsrl(MSR_FS_BASE, next->fs);
+ 	prev->fsindex = fsindex;
+ 
+ 	if (unlikely(gsindex | next->gsindex | prev->gs)) {
+ 		load_gs_index(next->gsindex);
++
++		/* This works (and fails) the same way as fsindex above. */
+ 		if (gsindex)
+ 			prev->gs = 0;
+ 	}
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index 7af7338..0c38d06 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -30,7 +30,28 @@ static int get_free_idx(void)
+ 
+ static bool tls_desc_okay(const struct user_desc *info)
+ {
+-	if (LDT_empty(info))
++	/*
++	 * For historical reasons (i.e. no one ever documented how any
++	 * of the segmentation APIs work), user programs can and do
++	 * assume that a struct user_desc that's all zeros except for
++	 * entry_number means "no segment at all".  This never actually
++	 * worked.  In fact, up to Linux 3.19, a struct user_desc like
++	 * this would create a 16-bit read-write segment with base and
++	 * limit both equal to zero.
++	 *
++	 * That was close enough to "no segment at all" until we
++	 * hardened this function to disallow 16-bit TLS segments.  Fix
++	 * it up by interpreting these zeroed segments the way that they
++	 * were almost certainly intended to be interpreted.
++	 *
++	 * The correct way to ask for "no segment at all" is to specify
++	 * a user_desc that satisfies LDT_empty.  To keep everything
++	 * working, we accept both.
++	 *
++	 * Note that there's a similar kludge in modify_ldt -- look at
++	 * the distinction between modes 1 and 0x11.
++	 */
++	if (LDT_empty(info) || LDT_zero(info))
+ 		return true;
+ 
+ 	/*
+@@ -40,6 +61,22 @@ static bool tls_desc_okay(const struct user_desc *info)
+ 	if (!info->seg_32bit)
+ 		return false;
+ 
++	/* Only allow data segments in the TLS array. */
++	if (info->contents > 1)
++		return false;
++
++	/*
++	 * Non-present segments with DPL 3 present an interesting attack
++	 * surface.  The kernel should handle such segments correctly,
++	 * but TLS is very difficult to protect in a sandbox, so prevent
++	 * such segments from being created.
++	 *
++	 * If userspace needs to remove a TLS entry, it can still delete
++	 * it outright.
++	 */
++	if (info->seg_not_present)
++		return false;
++
+ 	return true;
+ }
+ 
+@@ -56,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
+ 	cpu = get_cpu();
+ 
+ 	while (n-- > 0) {
+-		if (LDT_empty(info))
++		if (LDT_empty(info) || LDT_zero(info))
+ 			desc->a = desc->b = 0;
+ 		else
+ 			fill_ldt(desc, info);
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index f0ac042..bdad489 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1952,6 +1952,17 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
+ 	ss->p = 1;
+ }
+ 
++static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
++{
++	u32 eax, ebx, ecx, edx;
++
++	eax = ecx = 0;
++	return ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)
++		&& ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
++		&& ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
++		&& edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
++}
++
+ static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
+ {
+ 	struct x86_emulate_ops *ops = ctxt->ops;
+@@ -2068,6 +2079,14 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	if (ctxt->mode == X86EMUL_MODE_REAL)
+ 		return emulate_gp(ctxt, 0);
+ 
++	/*
++	 * Not recognized on AMD in compat mode (but is recognized in legacy
++	 * mode).
++	 */
++	if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
++	    && !vendor_intel(ctxt))
++		return emulate_ud(ctxt);
++
+ 	/* XXX sysenter/sysexit have not been tested in 64bit mode.
+ 	* Therefore, we inject an #UD.
+ 	*/
+@@ -2077,23 +2096,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	setup_syscalls_segments(ctxt, &cs, &ss);
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+-	switch (ctxt->mode) {
+-	case X86EMUL_MODE_PROT32:
+-		if ((msr_data & 0xfffc) == 0x0)
+-			return emulate_gp(ctxt, 0);
+-		break;
+-	case X86EMUL_MODE_PROT64:
+-		if (msr_data == 0x0)
+-			return emulate_gp(ctxt, 0);
+-		break;
+-	}
++	if ((msr_data & 0xfffc) == 0x0)
++		return emulate_gp(ctxt, 0);
+ 
+ 	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+-	cs_sel = (u16)msr_data;
+-	cs_sel &= ~SELECTOR_RPL_MASK;
++	cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ 	ss_sel = cs_sel + 8;
+-	ss_sel &= ~SELECTOR_RPL_MASK;
+-	if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++	if (efer & EFER_LMA) {
+ 		cs.d = 0;
+ 		cs.l = 1;
+ 	}
+@@ -2102,10 +2111,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+-	ctxt->_eip = msr_data;
++	ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+-	ctxt->regs[VCPU_REGS_RSP] = msr_data;
++	ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data :
++							(u32)msr_data;
+ 
+ 	return X86EMUL_CONTINUE;
+ }
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 53a7b69..8cac088 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -877,6 +877,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
+ 		if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
+ 			     VM_FAULT_HWPOISON_LARGE))
+ 			do_sigbus(regs, error_code, address, fault);
++		else if (fault & VM_FAULT_SIGSEGV)
++			bad_area_nosemaphore(regs, error_code, address);
+ 		else
+ 			BUG();
+ 	}
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 266f717..44b93da 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -778,7 +778,6 @@ void mark_rodata_ro(void)
+ 	unsigned long text_end = PAGE_ALIGN((unsigned long) &__stop___ex_table);
+ 	unsigned long rodata_end = PAGE_ALIGN((unsigned long) &__end_rodata);
+ 	unsigned long data_start = (unsigned long) &_sdata;
+-	unsigned long all_end;
+ 
+ 	printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ 	       (end - start) >> 10);
+@@ -787,19 +786,10 @@ void mark_rodata_ro(void)
+ 	kernel_set_to_readonly = 1;
+ 
+ 	/*
+-	 * The rodata/data/bss/brk section (but not the kernel text!)
+-	 * should also be not-executable.
+-	 *
+-	 * We align all_end to PMD_SIZE because the existing mapping
+-	 * is a full PMD. If we would align _brk_end to PAGE_SIZE we
+-	 * split the PMD and the reminder between _brk_end and the end
+-	 * of the PMD will remain mapped executable.
+-	 *
+-	 * Any PMD which was setup after the one which covers _brk_end
+-	 * has been zapped already via cleanup_highmem().
++	 * The rodata section (but not the kernel text!) should also be
++	 * not-executable.
+ 	 */
+-	all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
+-	set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
++	set_memory_nx(rodata_start, (end - rodata_start) >> PAGE_SHIFT);
+ 
+ 	rodata_test();
+ 
+diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c
+index 153407c..0ff8815 100644
+--- a/arch/x86/vdso/vma.c
++++ b/arch/x86/vdso/vma.c
+@@ -72,30 +72,43 @@ subsys_initcall(init_vdso);
+ 
+ struct linux_binprm;
+ 
+-/* Put the vdso above the (randomized) stack with another randomized offset.
+-   This way there is no hole in the middle of address space.
+-   To save memory make sure it is still in the same PTE as the stack top.
+-   This doesn't give that many random bits */
++/*
++ * Put the vdso above the (randomized) stack with another randomized
++ * offset.  This way there is no hole in the middle of address space.
++ * To save memory make sure it is still in the same PTE as the stack
++ * top.  This doesn't give that many random bits.
++ *
++ * Note that this algorithm is imperfect: the distribution of the vdso
++ * start address within a PMD is biased toward the end.
++ */
+ static unsigned long vdso_addr(unsigned long start, unsigned len)
+ {
+ 	unsigned long addr, end;
+ 	unsigned offset;
+-	end = (start + PMD_SIZE - 1) & PMD_MASK;
++
++	/*
++	 * Round up the start address.  It can start out unaligned as a result
++	 * of stack start randomization.
++	 */
++	start = PAGE_ALIGN(start);
++
++	/* Round the lowest possible end address up to a PMD boundary. */
++	end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+ 	if (end >= TASK_SIZE_MAX)
+ 		end = TASK_SIZE_MAX;
+ 	end -= len;
+-	/* This loses some more bits than a modulo, but is cheaper */
+-	offset = get_random_int() & (PTRS_PER_PTE - 1);
+-	addr = start + (offset << PAGE_SHIFT);
+-	if (addr >= end)
+-		addr = end;
++
++	if (end > start) {
++		offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
++		addr = start + (offset << PAGE_SHIFT);
++	} else {
++		addr = start;
++	}
+ 
+ 	/*
+-	 * page-align it here so that get_unmapped_area doesn't
+-	 * align it wrongfully again to the next page. addr can come in 4K
+-	 * unaligned here as a result of stack start randomization.
++	 * Forcibly align the final address in case we have a hardware
++	 * issue that requires alignment for performance reasons.
+ 	 */
+-	addr = PAGE_ALIGN(addr);
+ 	addr = align_addr(addr, NULL, ALIGN_VDSO);
+ 
+ 	return addr;
+diff --git a/arch/xtensa/mm/fault.c b/arch/xtensa/mm/fault.c
+index e367e30..4439a1d 100644
+--- a/arch/xtensa/mm/fault.c
++++ b/arch/xtensa/mm/fault.c
+@@ -109,6 +109,8 @@ good_area:
+ 	if (unlikely(fault & VM_FAULT_ERROR)) {
+ 		if (fault & VM_FAULT_OOM)
+ 			goto out_of_memory;
++		else if (fault & VM_FAULT_SIGSEGV)
++			goto bad_area;
+ 		else if (fault & VM_FAULT_SIGBUS)
+ 			goto do_sigbus;
+ 		BUG();
+diff --git a/block/genhd.c b/block/genhd.c
+index 41b0435..424d1fa 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -1070,9 +1070,16 @@ int disk_expand_part_tbl(struct gendisk *disk, int partno)
+ 	struct disk_part_tbl *old_ptbl = disk->part_tbl;
+ 	struct disk_part_tbl *new_ptbl;
+ 	int len = old_ptbl ? old_ptbl->len : 0;
+-	int target = partno + 1;
++	int i, target;
+ 	size_t size;
+-	int i;
++
++	/*
++	 * check for int overflow, since we can get here from blkpg_ioctl()
++	 * with a user passed 'partno'.
++	 */
++	target = partno + 1;
++	if (target < 0)
++		return -EINVAL;
+ 
+ 	/* disk_max_parts() is zero during initialization, ignore if so */
+ 	if (disk_max_parts(disk) && target > disk_max_parts(disk))
+diff --git a/crypto/aes_generic.c b/crypto/aes_generic.c
+index a68c73d..bd776be 100644
+--- a/crypto/aes_generic.c
++++ b/crypto/aes_generic.c
+@@ -1475,4 +1475,5 @@ module_exit(aes_fini);
+ 
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
++MODULE_ALIAS_CRYPTO("aes-generic");
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index bf948e1..6ef6e2a 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async_request *req, int err)
+ {
+ 	struct af_alg_completion *completion = req->data;
+ 
++	if (err == -EINPROGRESS)
++		return;
++
+ 	completion->err = err;
+ 	complete(&completion->completion);
+ }
+diff --git a/crypto/algapi.c b/crypto/algapi.c
+index dc9991f..3b9ef92 100644
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -477,8 +477,8 @@ static struct crypto_template *__crypto_lookup_template(const char *name)
+ 
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+-	return try_then_request_module(__crypto_lookup_template(name), "%s",
+-				       name);
++	return try_then_request_module(__crypto_lookup_template(name),
++				       "crypto-%s", name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
+ 
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index 6056178..f112ca2 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -485,4 +485,5 @@ module_param(dbg, int, 0);
+ MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)");
+ module_init(prng_mod_init);
+ module_exit(prng_mod_fini);
+-MODULE_ALIAS("stdrng");
++MODULE_ALIAS_CRYPTO("stdrng");
++MODULE_ALIAS_CRYPTO("ansi_cprng");
+diff --git a/crypto/anubis.c b/crypto/anubis.c
+index 77530d5..523ed52 100644
+--- a/crypto/anubis.c
++++ b/crypto/anubis.c
+@@ -705,3 +705,4 @@ module_exit(anubis_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Anubis Cryptographic Algorithm");
++MODULE_ALIAS_CRYPTO("anubis");
+diff --git a/crypto/api.c b/crypto/api.c
+index cea3cf6..ac80794 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -222,11 +222,11 @@ struct crypto_alg *crypto_larval_lookup(const char *name, u32 type, u32 mask)
+ 
+ 	alg = crypto_alg_lookup(name, type, mask);
+ 	if (!alg) {
+-		request_module("%s", name);
++		request_module("crypto-%s", name);
+ 
+ 		if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask &
+ 		      CRYPTO_ALG_NEED_FALLBACK))
+-			request_module("%s-all", name);
++			request_module("crypto-%s-all", name);
+ 
+ 		alg = crypto_alg_lookup(name, type, mask);
+ 	}
+diff --git a/crypto/arc4.c b/crypto/arc4.c
+index 0d12a96..c404623 100644
+--- a/crypto/arc4.c
++++ b/crypto/arc4.c
+@@ -101,3 +101,4 @@ module_exit(arc4_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("ARC4 Cipher Algorithm");
+ MODULE_AUTHOR("Jon Oberheide <jon@oberheide.org>");
++MODULE_ALIAS_CRYPTO("arc4");
+diff --git a/crypto/authenc.c b/crypto/authenc.c
+index d21da2f..112b4e3 100644
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -710,3 +710,4 @@ module_exit(crypto_authenc_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");
++MODULE_ALIAS_CRYPTO("authenc");
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index 136b68b..dd1f303 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -833,3 +833,4 @@ module_exit(crypto_authenc_esn_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
+ MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
++MODULE_ALIAS_CRYPTO("authencesn");
+diff --git a/crypto/blowfish_generic.c b/crypto/blowfish_generic.c
+index 6f269b5..0938609 100644
+--- a/crypto/blowfish_generic.c
++++ b/crypto/blowfish_generic.c
+@@ -139,4 +139,5 @@ module_exit(blowfish_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Blowfish Cipher Algorithm");
+-MODULE_ALIAS("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish-generic");
+diff --git a/crypto/camellia.c b/crypto/camellia.c
+index 64cff46..18024da 100644
+--- a/crypto/camellia.c
++++ b/crypto/camellia.c
+@@ -1114,3 +1114,4 @@ module_exit(camellia_fini);
+ 
+ MODULE_DESCRIPTION("Camellia Cipher Algorithm");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_CRYPTO("camellia");
+diff --git a/crypto/cast5.c b/crypto/cast5.c
+index 4a230dd..b5f7ee5 100644
+--- a/crypto/cast5.c
++++ b/crypto/cast5.c
+@@ -806,4 +806,5 @@ module_exit(cast5_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Cast5 Cipher Algorithm");
++MODULE_ALIAS_CRYPTO("cast5");
+ 
+diff --git a/crypto/cast6.c b/crypto/cast6.c
+index e0c15a6..6839587 100644
+--- a/crypto/cast6.c
++++ b/crypto/cast6.c
+@@ -545,3 +545,4 @@ module_exit(cast6_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Cast6 Cipher Algorithm");
++MODULE_ALIAS_CRYPTO("cast6");
+diff --git a/crypto/cbc.c b/crypto/cbc.c
+index 61ac42e..780ee27 100644
+--- a/crypto/cbc.c
++++ b/crypto/cbc.c
+@@ -289,3 +289,4 @@ module_exit(crypto_cbc_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("CBC block cipher algorithm");
++MODULE_ALIAS_CRYPTO("cbc");
+diff --git a/crypto/ccm.c b/crypto/ccm.c
+index 2002ca7..aa8d4f5 100644
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -888,5 +888,6 @@ module_exit(crypto_ccm_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Counter with CBC MAC");
+-MODULE_ALIAS("ccm_base");
+-MODULE_ALIAS("rfc4309");
++MODULE_ALIAS_CRYPTO("ccm_base");
++MODULE_ALIAS_CRYPTO("rfc4309");
++MODULE_ALIAS_CRYPTO("ccm");
+diff --git a/crypto/chainiv.c b/crypto/chainiv.c
+index ba200b0..3bf2eb0 100644
+--- a/crypto/chainiv.c
++++ b/crypto/chainiv.c
+@@ -360,3 +360,4 @@ module_exit(chainiv_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Chain IV Generator");
++MODULE_ALIAS_CRYPTO("chainiv");
+diff --git a/crypto/crc32c.c b/crypto/crc32c.c
+index 3f9ad28..b2c030b 100644
+--- a/crypto/crc32c.c
++++ b/crypto/crc32c.c
+@@ -258,3 +258,4 @@ module_exit(crc32c_mod_fini);
+ MODULE_AUTHOR("Clay Haapala <chaapala@cisco.com>");
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations wrapper for lib/crc32c");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_CRYPTO("crc32c");
+diff --git a/crypto/cryptd.c b/crypto/cryptd.c
+index 7bdd61b..75c415d 100644
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -955,3 +955,4 @@ module_exit(cryptd_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Software async crypto daemon");
++MODULE_ALIAS_CRYPTO("cryptd");
+diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c
+index 07a8a96..7a2fbf6 100644
+--- a/crypto/crypto_null.c
++++ b/crypto/crypto_null.c
+@@ -156,9 +156,9 @@ static struct crypto_alg skcipher_null = {
+ 	.decrypt		=	skcipher_null_crypt } }
+ };
+ 
+-MODULE_ALIAS("compress_null");
+-MODULE_ALIAS("digest_null");
+-MODULE_ALIAS("cipher_null");
++MODULE_ALIAS_CRYPTO("compress_null");
++MODULE_ALIAS_CRYPTO("digest_null");
++MODULE_ALIAS_CRYPTO("cipher_null");
+ 
+ static int __init crypto_null_mod_init(void)
+ {
+diff --git a/crypto/ctr.c b/crypto/ctr.c
+index 4ca7222..ff7b3a3 100644
+--- a/crypto/ctr.c
++++ b/crypto/ctr.c
+@@ -421,4 +421,5 @@ module_exit(crypto_ctr_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("CTR Counter block mode");
+-MODULE_ALIAS("rfc3686");
++MODULE_ALIAS_CRYPTO("rfc3686");
++MODULE_ALIAS_CRYPTO("ctr");
+diff --git a/crypto/cts.c b/crypto/cts.c
+index ccf9c5d..714283d 100644
+--- a/crypto/cts.c
++++ b/crypto/cts.c
+@@ -351,3 +351,4 @@ module_exit(crypto_cts_module_exit);
+ 
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
++MODULE_ALIAS_CRYPTO("cts");
+diff --git a/crypto/deflate.c b/crypto/deflate.c
+index b0165ec..467423a 100644
+--- a/crypto/deflate.c
++++ b/crypto/deflate.c
+@@ -223,4 +223,4 @@ module_exit(deflate_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Deflate Compression Algorithm for IPCOMP");
+ MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
+-
++MODULE_ALIAS_CRYPTO("deflate");
+diff --git a/crypto/des_generic.c b/crypto/des_generic.c
+index 873818d..e404201 100644
+--- a/crypto/des_generic.c
++++ b/crypto/des_generic.c
+@@ -975,8 +975,6 @@ static struct crypto_alg des3_ede_alg = {
+ 	.cia_decrypt		=	des3_ede_decrypt } }
+ };
+ 
+-MODULE_ALIAS("des3_ede");
+-
+ static int __init des_generic_mod_init(void)
+ {
+ 	int ret = 0;
+@@ -1004,4 +1002,7 @@ module_exit(des_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");
+ MODULE_AUTHOR("Dag Arne Osvik <da@osvik.no>");
+-MODULE_ALIAS("des");
++MODULE_ALIAS_CRYPTO("des");
++MODULE_ALIAS_CRYPTO("des-generic");
++MODULE_ALIAS_CRYPTO("des3_ede");
++MODULE_ALIAS_CRYPTO("des3_ede-generic");
+diff --git a/crypto/ecb.c b/crypto/ecb.c
+index 935cfef..12011af 100644
+--- a/crypto/ecb.c
++++ b/crypto/ecb.c
+@@ -185,3 +185,4 @@ module_exit(crypto_ecb_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("ECB block cipher algorithm");
++MODULE_ALIAS_CRYPTO("ecb");
+diff --git a/crypto/eseqiv.c b/crypto/eseqiv.c
+index 42ce9f5..388f582 100644
+--- a/crypto/eseqiv.c
++++ b/crypto/eseqiv.c
+@@ -267,3 +267,4 @@ module_exit(eseqiv_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Encrypted Sequence Number IV Generator");
++MODULE_ALIAS_CRYPTO("eseqiv");
+diff --git a/crypto/fcrypt.c b/crypto/fcrypt.c
+index c33107e..d99a67d 100644
+--- a/crypto/fcrypt.c
++++ b/crypto/fcrypt.c
+@@ -421,3 +421,4 @@ module_exit(fcrypt_mod_fini);
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("FCrypt Cipher Algorithm");
+ MODULE_AUTHOR("David Howells <dhowells@redhat.com>");
++MODULE_ALIAS_CRYPTO("fcrypt");
+diff --git a/crypto/gcm.c b/crypto/gcm.c
+index b97b186..1e33561 100644
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -1374,6 +1374,7 @@ module_exit(crypto_gcm_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Galois/Counter Mode");
+ MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
+-MODULE_ALIAS("gcm_base");
+-MODULE_ALIAS("rfc4106");
+-MODULE_ALIAS("rfc4543");
++MODULE_ALIAS_CRYPTO("gcm_base");
++MODULE_ALIAS_CRYPTO("rfc4106");
++MODULE_ALIAS_CRYPTO("rfc4543");
++MODULE_ALIAS_CRYPTO("gcm");
+diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
+index 7835b8f..bf5f8d7 100644
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -173,4 +173,5 @@ module_exit(ghash_mod_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm");
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
++MODULE_ALIAS_CRYPTO("ghash-generic");
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index 8d9544c..ade790b 100644
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -271,3 +271,4 @@ module_exit(hmac_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("HMAC hash algorithm");
++MODULE_ALIAS_CRYPTO("hmac");
+diff --git a/crypto/khazad.c b/crypto/khazad.c
+index 527e4e3..ea82051 100644
+--- a/crypto/khazad.c
++++ b/crypto/khazad.c
+@@ -881,3 +881,4 @@ module_exit(khazad_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Khazad Cryptographic Algorithm");
++MODULE_ALIAS_CRYPTO("khazad");
+diff --git a/crypto/krng.c b/crypto/krng.c
+index 4328bb3..85418d6 100644
+--- a/crypto/krng.c
++++ b/crypto/krng.c
+@@ -63,4 +63,5 @@ module_exit(krng_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Kernel Random Number Generator");
+-MODULE_ALIAS("stdrng");
++MODULE_ALIAS_CRYPTO("stdrng");
++MODULE_ALIAS_CRYPTO("krng");
+diff --git a/crypto/lrw.c b/crypto/lrw.c
+index 358f80b..567c195 100644
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -312,3 +312,4 @@ module_exit(crypto_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("LRW block cipher mode");
++MODULE_ALIAS_CRYPTO("lrw");
+diff --git a/crypto/lzo.c b/crypto/lzo.c
+index b5e7707..6b21152 100644
+--- a/crypto/lzo.c
++++ b/crypto/lzo.c
+@@ -104,3 +104,4 @@ module_exit(lzo_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("LZO Compression Algorithm");
++MODULE_ALIAS_CRYPTO("lzo");
+diff --git a/crypto/md4.c b/crypto/md4.c
+index 0477a6a..3515af4 100644
+--- a/crypto/md4.c
++++ b/crypto/md4.c
+@@ -255,4 +255,4 @@ module_exit(md4_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("MD4 Message Digest Algorithm");
+-
++MODULE_ALIAS_CRYPTO("md4");
+diff --git a/crypto/md5.c b/crypto/md5.c
+index 7febeaa..36f5e5b 100644
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -168,3 +168,4 @@ module_exit(md5_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("MD5 Message Digest Algorithm");
++MODULE_ALIAS_CRYPTO("md5");
+diff --git a/crypto/michael_mic.c b/crypto/michael_mic.c
+index 079b761..46195e0 100644
+--- a/crypto/michael_mic.c
++++ b/crypto/michael_mic.c
+@@ -184,3 +184,4 @@ module_exit(michael_mic_exit);
+ MODULE_LICENSE("GPL v2");
+ MODULE_DESCRIPTION("Michael MIC");
+ MODULE_AUTHOR("Jouni Malinen <j@w1.fi>");
++MODULE_ALIAS_CRYPTO("michael_mic");
+diff --git a/crypto/pcbc.c b/crypto/pcbc.c
+index d1b8bdf..f654965 100644
+--- a/crypto/pcbc.c
++++ b/crypto/pcbc.c
+@@ -295,3 +295,4 @@ module_exit(crypto_pcbc_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("PCBC block cipher algorithm");
++MODULE_ALIAS_CRYPTO("pcbc");
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 29a89da..ba92046 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -565,3 +565,4 @@ module_exit(pcrypt_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
+ MODULE_DESCRIPTION("Parallel crypto wrapper");
++MODULE_ALIAS_CRYPTO("pcrypt");
+diff --git a/crypto/rmd128.c b/crypto/rmd128.c
+index 8a0f68b..049486e 100644
+--- a/crypto/rmd128.c
++++ b/crypto/rmd128.c
+@@ -327,3 +327,4 @@ module_exit(rmd128_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken@codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-128 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd128");
+diff --git a/crypto/rmd160.c b/crypto/rmd160.c
+index 525d7bb..de585e5 100644
+--- a/crypto/rmd160.c
++++ b/crypto/rmd160.c
+@@ -371,3 +371,4 @@ module_exit(rmd160_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken@codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-160 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd160");
+diff --git a/crypto/rmd256.c b/crypto/rmd256.c
+index 69293d9..4ec02a7 100644
+--- a/crypto/rmd256.c
++++ b/crypto/rmd256.c
+@@ -346,3 +346,4 @@ module_exit(rmd256_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken@codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-256 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd256");
+diff --git a/crypto/rmd320.c b/crypto/rmd320.c
+index 09f97df..770f2cb 100644
+--- a/crypto/rmd320.c
++++ b/crypto/rmd320.c
+@@ -395,3 +395,4 @@ module_exit(rmd320_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken@codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-320 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd320");
+diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
+index eac10c1..f5e5a33 100644
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -249,4 +249,5 @@ module_exit(salsa20_generic_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
+-MODULE_ALIAS("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20-generic");
+diff --git a/crypto/seed.c b/crypto/seed.c
+index d3e422f..3e40f5f 100644
+--- a/crypto/seed.c
++++ b/crypto/seed.c
+@@ -477,3 +477,4 @@ module_exit(seed_fini);
+ MODULE_DESCRIPTION("SEED Cipher Algorithm");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Hye-Shik Chang <perky@FreeBSD.org>, Kim Hyun <hkim@kisa.or.kr>");
++MODULE_ALIAS_CRYPTO("seed");
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index 4c44912..385895f 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -363,3 +363,4 @@ module_exit(seqiv_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Sequence Number IV Generator");
++MODULE_ALIAS_CRYPTO("seqiv");
+diff --git a/crypto/serpent.c b/crypto/serpent.c
+index b651a55..db6beb6 100644
+--- a/crypto/serpent.c
++++ b/crypto/serpent.c
+@@ -584,4 +584,5 @@ module_exit(serpent_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Serpent and tnepres (kerneli compatible serpent reversed) Cipher Algorithm");
+ MODULE_AUTHOR("Dag Arne Osvik <osvik@ii.uib.no>");
+-MODULE_ALIAS("tnepres");
++MODULE_ALIAS_CRYPTO("tnepres");
++MODULE_ALIAS_CRYPTO("serpent");
+diff --git a/crypto/sha1_generic.c b/crypto/sha1_generic.c
+index 4279480..fdf7c00 100644
+--- a/crypto/sha1_generic.c
++++ b/crypto/sha1_generic.c
+@@ -153,4 +153,5 @@ module_exit(sha1_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm");
+ 
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
++MODULE_ALIAS_CRYPTO("sha1-generic");
+diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
+index c48459e..dcad5ce 100644
+--- a/crypto/sha256_generic.c
++++ b/crypto/sha256_generic.c
+@@ -398,5 +398,7 @@ module_exit(sha256_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-224 and SHA-256 Secure Hash Algorithm");
+ 
+-MODULE_ALIAS("sha224");
+-MODULE_ALIAS("sha256");
++MODULE_ALIAS_CRYPTO("sha224");
++MODULE_ALIAS_CRYPTO("sha224-generic");
++MODULE_ALIAS_CRYPTO("sha256");
++MODULE_ALIAS_CRYPTO("sha256-generic");
+diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
+index dd30f40..7a54cb4 100644
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -294,5 +294,7 @@ module_exit(sha512_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-512 and SHA-384 Secure Hash Algorithms");
+ 
+-MODULE_ALIAS("sha384");
+-MODULE_ALIAS("sha512");
++MODULE_ALIAS_CRYPTO("sha384");
++MODULE_ALIAS_CRYPTO("sha384-generic");
++MODULE_ALIAS_CRYPTO("sha512");
++MODULE_ALIAS_CRYPTO("sha512-generic");
+diff --git a/crypto/tea.c b/crypto/tea.c
+index 412bc74..b8f7001 100644
+--- a/crypto/tea.c
++++ b/crypto/tea.c
+@@ -299,8 +299,9 @@ static void __exit tea_mod_fini(void)
+ 	crypto_unregister_alg(&xeta_alg);
+ }
+ 
+-MODULE_ALIAS("xtea");
+-MODULE_ALIAS("xeta");
++MODULE_ALIAS_CRYPTO("tea");
++MODULE_ALIAS_CRYPTO("xtea");
++MODULE_ALIAS_CRYPTO("xeta");
+ 
+ module_init(tea_mod_init);
+ module_exit(tea_mod_fini);
+diff --git a/crypto/tgr192.c b/crypto/tgr192.c
+index cbca4f20..35dbd59 100644
+--- a/crypto/tgr192.c
++++ b/crypto/tgr192.c
+@@ -702,8 +702,9 @@ static void __exit tgr192_mod_fini(void)
+ 	crypto_unregister_shash(&tgr128);
+ }
+ 
+-MODULE_ALIAS("tgr160");
+-MODULE_ALIAS("tgr128");
++MODULE_ALIAS_CRYPTO("tgr192");
++MODULE_ALIAS_CRYPTO("tgr160");
++MODULE_ALIAS_CRYPTO("tgr128");
+ 
+ module_init(tgr192_mod_init);
+ module_exit(tgr192_mod_fini);
+diff --git a/crypto/twofish_generic.c b/crypto/twofish_generic.c
+index 1f07b84..c8c35c5 100644
+--- a/crypto/twofish_generic.c
++++ b/crypto/twofish_generic.c
+@@ -212,4 +212,5 @@ module_exit(twofish_mod_fini);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Twofish Cipher Algorithm");
+-MODULE_ALIAS("twofish");
++MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-generic");
+diff --git a/crypto/vmac.c b/crypto/vmac.c
+index 4243905..8979bc8 100644
+--- a/crypto/vmac.c
++++ b/crypto/vmac.c
+@@ -673,4 +673,5 @@ module_exit(vmac_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("VMAC hash algorithm");
++MODULE_ALIAS_CRYPTO("vmac");
+ 
+diff --git a/crypto/wp512.c b/crypto/wp512.c
+index 71719a2..1bf7f07 100644
+--- a/crypto/wp512.c
++++ b/crypto/wp512.c
+@@ -1194,8 +1194,9 @@ static void __exit wp512_mod_fini(void)
+ 	crypto_unregister_shash(&wp256);
+ }
+ 
+-MODULE_ALIAS("wp384");
+-MODULE_ALIAS("wp256");
++MODULE_ALIAS_CRYPTO("wp512");
++MODULE_ALIAS_CRYPTO("wp384");
++MODULE_ALIAS_CRYPTO("wp256");
+ 
+ module_init(wp512_mod_init);
+ module_exit(wp512_mod_fini);
+diff --git a/crypto/xcbc.c b/crypto/xcbc.c
+index a5fbdf3..df90b33 100644
+--- a/crypto/xcbc.c
++++ b/crypto/xcbc.c
+@@ -286,3 +286,4 @@ module_exit(crypto_xcbc_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("XCBC keyed hash algorithm");
++MODULE_ALIAS_CRYPTO("xcbc");
+diff --git a/crypto/xts.c b/crypto/xts.c
+index 8517054..6a09b72 100644
+--- a/crypto/xts.c
++++ b/crypto/xts.c
+@@ -289,3 +289,4 @@ module_exit(crypto_module_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("XTS block cipher mode");
++MODULE_ALIAS_CRYPTO("xts");
+diff --git a/crypto/zlib.c b/crypto/zlib.c
+index 06b62e5..d980788 100644
+--- a/crypto/zlib.c
++++ b/crypto/zlib.c
+@@ -378,3 +378,4 @@ module_exit(zlib_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Zlib Compression Algorithm");
+ MODULE_AUTHOR("Sony Corporation");
++MODULE_ALIAS_CRYPTO("zlib");
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index 05df096..30229af 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -129,6 +129,7 @@ static int EC_FLAGS_MSI; /* Out-of-spec MSI controller */
+ static int EC_FLAGS_VALIDATE_ECDT; /* ASUStec ECDTs need to be validated */
+ static int EC_FLAGS_SKIP_DSDT_SCAN; /* Not all BIOS survive early DSDT scan */
+ static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */
++static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */
+ 
+ /* --------------------------------------------------------------------------
+                              Transaction Management
+@@ -206,13 +207,8 @@ static bool advance_transaction(struct acpi_ec *ec)
+ 		}
+ 		return wakeup;
+ 	} else {
+-		/*
+-		 * There is firmware refusing to respond QR_EC when SCI_EVT
+-		 * is not set, for which case, we complete the QR_EC
+-		 * without issuing it to the firmware.
+-		 * https://bugzilla.kernel.org/show_bug.cgi?id=86211
+-		 */
+-		if (!(status & ACPI_EC_FLAG_SCI) &&
++		if (EC_FLAGS_QUERY_HANDSHAKE &&
++		    !(status & ACPI_EC_FLAG_SCI) &&
+ 		    (t->command == ACPI_EC_COMMAND_QUERY)) {
+ 			t->flags |= ACPI_EC_COMMAND_POLL;
+ 			t->rdata[t->ri++] = 0x00;
+@@ -987,6 +983,18 @@ static int ec_enlarge_storm_threshold(const struct dmi_system_id *id)
+ }
+ 
+ /*
++ * Acer EC firmware refuses to respond QR_EC when SCI_EVT is not set, for
++ * which case, we complete the QR_EC without issuing it to the firmware.
++ * https://bugzilla.kernel.org/show_bug.cgi?id=86211
++ */
++static int ec_flag_query_handshake(const struct dmi_system_id *id)
++{
++	pr_debug("Detected the EC firmware requiring QR_EC issued when SCI_EVT set\n");
++	EC_FLAGS_QUERY_HANDSHAKE = 1;
++	return 0;
++}
++
++/*
+  * On some hardware it is necessary to clear events accumulated by the EC during
+  * sleep. These ECs stop reporting GPEs until they are manually polled, if too
+  * many events are accumulated. (e.g. Samsung Series 5/9 notebooks)
+@@ -1052,6 +1060,9 @@ static struct dmi_system_id __initdata ec_dmi_table[] = {
+ 	{
+ 	ec_clear_on_resume, "Samsung hardware", {
+ 	DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL},
++	{
++	ec_flag_query_handshake, "Acer hardware", {
++	DMI_MATCH(DMI_SYS_VENDOR, "Acer"), }, NULL},
+ 	{},
+ };
+ 
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 2ddf736..5d8fc3d 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4730,7 +4730,10 @@ static struct ata_queued_cmd *ata_qc_new(struct ata_port *ap)
+ 		return NULL;
+ 
+ 	for (i = 0, tag = ap->last_tag + 1; i < max_queue; i++, tag++) {
+-		tag = tag < max_queue ? tag : 0;
++		if (ap->flags & ATA_FLAG_LOWTAG)
++			tag = i;
++		else
++			tag = tag < max_queue ? tag : 0;
+ 
+ 		/* the last tag is reserved for internal command. */
+ 		if (tag == ATA_TAG_INTERNAL)
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 8eae157..22edc92 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -1333,7 +1333,19 @@ void ata_sff_flush_pio_task(struct ata_port *ap)
+ 	DPRINTK("ENTER\n");
+ 
+ 	cancel_delayed_work_sync(&ap->sff_pio_task);
++
++	/*
++	 * We wanna reset the HSM state to IDLE.  If we do so without
++	 * grabbing the port lock, critical sections protected by it which
++	 * expect the HSM state to stay stable may get surprised.  For
++	 * example, we may set IDLE in between the time
++	 * __ata_sff_port_intr() checks for HSM_ST_IDLE and before it calls
++	 * ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
++	 */
++	spin_lock_irq(ap->lock);
+ 	ap->hsm_task_state = HSM_ST_IDLE;
++	spin_unlock_irq(ap->lock);
++
+ 	ap->sff_pio_task_link = NULL;
+ 
+ 	if (ata_msg_ctl(ap))
+diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
+index 5c42374..0bec79e 100644
+--- a/drivers/ata/sata_dwc_460ex.c
++++ b/drivers/ata/sata_dwc_460ex.c
+@@ -791,7 +791,7 @@ static int dma_dwc_init(struct sata_dwc_device *hsdev, int irq)
+ 	if (err) {
+ 		dev_err(host_pvt.dwc_dev, "%s: dma_request_interrupts returns"
+ 			" %d\n", __func__, err);
+-		goto error_out;
++		return err;
+ 	}
+ 
+ 	/* Enabe DMA */
+@@ -802,11 +802,6 @@ static int dma_dwc_init(struct sata_dwc_device *hsdev, int irq)
+ 		sata_dma_regs);
+ 
+ 	return 0;
+-
+-error_out:
+-	dma_dwc_exit(hsdev);
+-
+-	return err;
+ }
+ 
+ static int sata_dwc_scr_read(struct ata_link *link, unsigned int scr, u32 *val)
+@@ -1634,7 +1629,7 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ 	char *ver = (char *)&versionr;
+ 	u8 *base = NULL;
+ 	int err = 0;
+-	int irq, rc;
++	int irq;
+ 	struct ata_host *host;
+ 	struct ata_port_info pi = sata_dwc_port_info[0];
+ 	const struct ata_port_info *ppi[] = { &pi, NULL };
+@@ -1688,7 +1683,7 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ 	if (irq == NO_IRQ) {
+ 		dev_err(&ofdev->dev, "no SATA DMA irq\n");
+ 		err = -ENODEV;
+-		goto error_out;
++		goto error_iomap;
+ 	}
+ 
+ 	/* Get physical SATA DMA register base address */
+@@ -1697,14 +1692,16 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ 		dev_err(&ofdev->dev, "ioremap failed for AHBDMA register"
+ 			" address\n");
+ 		err = -ENODEV;
+-		goto error_out;
++		goto error_iomap;
+ 	}
+ 
+ 	/* Save dev for later use in dev_xxx() routines */
+ 	host_pvt.dwc_dev = &ofdev->dev;
+ 
+ 	/* Initialize AHB DMAC */
+-	dma_dwc_init(hsdev, irq);
++	err = dma_dwc_init(hsdev, irq);
++	if (err)
++		goto error_dma_iomap;
+ 
+ 	/* Enable SATA Interrupts */
+ 	sata_dwc_enable_interrupts(hsdev);
+@@ -1722,9 +1719,8 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ 	 * device discovery process, invoking our port_start() handler &
+ 	 * error_handler() to execute a dummy Softreset EH session
+ 	 */
+-	rc = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
+-
+-	if (rc != 0)
++	err = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
++	if (err)
+ 		dev_err(&ofdev->dev, "failed to activate host");
+ 
+ 	dev_set_drvdata(&ofdev->dev, host);
+@@ -1733,7 +1729,8 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ error_out:
+ 	/* Free SATA DMA resources */
+ 	dma_dwc_exit(hsdev);
+-
++error_dma_iomap:
++	iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ error_iomap:
+ 	iounmap(base);
+ error_kmalloc:
+@@ -1754,6 +1751,7 @@ static int sata_dwc_remove(struct platform_device *ofdev)
+ 	/* Free SATA DMA resources */
+ 	dma_dwc_exit(hsdev);
+ 
++	iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ 	iounmap(hsdev->reg_base);
+ 	kfree(hsdev);
+ 	kfree(host);
+diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
+index 1e91406..2178022 100644
+--- a/drivers/ata/sata_sil24.c
++++ b/drivers/ata/sata_sil24.c
+@@ -246,7 +246,7 @@ enum {
+ 	/* host flags */
+ 	SIL24_COMMON_FLAGS	= ATA_FLAG_SATA | ATA_FLAG_PIO_DMA |
+ 				  ATA_FLAG_NCQ | ATA_FLAG_ACPI_SATA |
+-				  ATA_FLAG_AN | ATA_FLAG_PMP,
++				  ATA_FLAG_AN | ATA_FLAG_PMP | ATA_FLAG_LOWTAG,
+ 	SIL24_FLAG_PCIX_IRQ_WOC	= (1 << 24), /* IRQ loss errata on PCI-X */
+ 
+ 	IRQ_STAT_4PORTS		= 0xf,
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 8b8e8c0..b802cfc 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -240,13 +240,15 @@ static ssize_t store_drivers_probe(struct bus_type *bus,
+ 				   const char *buf, size_t count)
+ {
+ 	struct device *dev;
++	int err = -EINVAL;
+ 
+ 	dev = bus_find_device_by_name(bus, NULL, buf);
+ 	if (!dev)
+ 		return -ENODEV;
+-	if (bus_rescan_devices_helper(dev, NULL) != 0)
+-		return -EINVAL;
+-	return count;
++	if (bus_rescan_devices_helper(dev, NULL) == 0)
++		err = count;
++	put_device(dev);
++	return err;
+ }
+ #endif
+ 
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 919daa7..81e0e87 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1417,34 +1417,11 @@ static void device_create_release(struct device *dev)
+ 	kfree(dev);
+ }
+ 
+-/**
+- * device_create_vargs - creates a device and registers it with sysfs
+- * @class: pointer to the struct class that this device should be registered to
+- * @parent: pointer to the parent struct device of this new device, if any
+- * @devt: the dev_t for the char device to be added
+- * @drvdata: the data to be added to the device for callbacks
+- * @fmt: string for the device's name
+- * @args: va_list for the device's name
+- *
+- * This function can be used by char device classes.  A struct device
+- * will be created in sysfs, registered to the specified class.
+- *
+- * A "dev" file will be created, showing the dev_t for the device, if
+- * the dev_t is not 0,0.
+- * If a pointer to a parent struct device is passed in, the newly created
+- * struct device will be a child of that device in sysfs.
+- * The pointer to the struct device will be returned from the call.
+- * Any further sysfs files that might be required can be created using this
+- * pointer.
+- *
+- * Returns &struct device pointer on success, or ERR_PTR() on error.
+- *
+- * Note: the struct class passed to this function must have previously
+- * been created with a call to class_create().
+- */
+-struct device *device_create_vargs(struct class *class, struct device *parent,
+-				   dev_t devt, void *drvdata, const char *fmt,
+-				   va_list args)
++static struct device *
++device_create_groups_vargs(struct class *class, struct device *parent,
++			   dev_t devt, void *drvdata,
++			   const struct attribute_group **groups,
++			   const char *fmt, va_list args)
+ {
+ 	struct device *dev = NULL;
+ 	int retval = -ENODEV;
+@@ -1461,6 +1438,7 @@ struct device *device_create_vargs(struct class *class, struct device *parent,
+ 	dev->devt = devt;
+ 	dev->class = class;
+ 	dev->parent = parent;
++	dev->groups = groups;
+ 	dev->release = device_create_release;
+ 	dev_set_drvdata(dev, drvdata);
+ 
+@@ -1478,6 +1456,39 @@ error:
+ 	put_device(dev);
+ 	return ERR_PTR(retval);
+ }
++
++/**
++ * device_create_vargs - creates a device and registers it with sysfs
++ * @class: pointer to the struct class that this device should be registered to
++ * @parent: pointer to the parent struct device of this new device, if any
++ * @devt: the dev_t for the char device to be added
++ * @drvdata: the data to be added to the device for callbacks
++ * @fmt: string for the device's name
++ * @args: va_list for the device's name
++ *
++ * This function can be used by char device classes.  A struct device
++ * will be created in sysfs, registered to the specified class.
++ *
++ * A "dev" file will be created, showing the dev_t for the device, if
++ * the dev_t is not 0,0.
++ * If a pointer to a parent struct device is passed in, the newly created
++ * struct device will be a child of that device in sysfs.
++ * The pointer to the struct device will be returned from the call.
++ * Any further sysfs files that might be required can be created using this
++ * pointer.
++ *
++ * Returns &struct device pointer on success, or ERR_PTR() on error.
++ *
++ * Note: the struct class passed to this function must have previously
++ * been created with a call to class_create().
++ */
++struct device *device_create_vargs(struct class *class, struct device *parent,
++				   dev_t devt, void *drvdata, const char *fmt,
++				   va_list args)
++{
++	return device_create_groups_vargs(class, parent, devt, drvdata, NULL,
++					  fmt, args);
++}
+ EXPORT_SYMBOL_GPL(device_create_vargs);
+ 
+ /**
+@@ -1517,6 +1528,50 @@ struct device *device_create(struct class *class, struct device *parent,
+ }
+ EXPORT_SYMBOL_GPL(device_create);
+ 
++/**
++ * device_create_with_groups - creates a device and registers it with sysfs
++ * @class: pointer to the struct class that this device should be registered to
++ * @parent: pointer to the parent struct device of this new device, if any
++ * @devt: the dev_t for the char device to be added
++ * @drvdata: the data to be added to the device for callbacks
++ * @groups: NULL-terminated list of attribute groups to be created
++ * @fmt: string for the device's name
++ *
++ * This function can be used by char device classes.  A struct device
++ * will be created in sysfs, registered to the specified class.
++ * Additional attributes specified in the groups parameter will also
++ * be created automatically.
++ *
++ * A "dev" file will be created, showing the dev_t for the device, if
++ * the dev_t is not 0,0.
++ * If a pointer to a parent struct device is passed in, the newly created
++ * struct device will be a child of that device in sysfs.
++ * The pointer to the struct device will be returned from the call.
++ * Any further sysfs files that might be required can be created using this
++ * pointer.
++ *
++ * Returns &struct device pointer on success, or ERR_PTR() on error.
++ *
++ * Note: the struct class passed to this function must have previously
++ * been created with a call to class_create().
++ */
++struct device *device_create_with_groups(struct class *class,
++					 struct device *parent, dev_t devt,
++					 void *drvdata,
++					 const struct attribute_group **groups,
++					 const char *fmt, ...)
++{
++	va_list vargs;
++	struct device *dev;
++
++	va_start(vargs, fmt);
++	dev = device_create_groups_vargs(class, parent, devt, drvdata, groups,
++					 fmt, vargs);
++	va_end(vargs);
++	return dev;
++}
++EXPORT_SYMBOL_GPL(device_create_with_groups);
++
+ static int __match_devt(struct device *dev, void *data)
+ {
+ 	dev_t *devt = data;
+diff --git a/drivers/block/drbd/drbd_req.c b/drivers/block/drbd/drbd_req.c
+index be984e0..43da226 100644
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -1184,6 +1184,7 @@ int drbd_merge_bvec(struct request_queue *q, struct bvec_merge_data *bvm, struct
+ 		struct request_queue * const b =
+ 			mdev->ldev->backing_bdev->bd_disk->queue;
+ 		if (b->merge_bvec_fn) {
++			bvm->bi_bdev = mdev->ldev->backing_bdev;
+ 			backing_limit = b->merge_bvec_fn(b, bvm, bvec);
+ 			limit = min(limit, backing_limit);
+ 		}
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 6fe003a..10e442b 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -61,48 +61,59 @@ static struct usb_device_id ath3k_table[] = {
+ 	{ USB_DEVICE(0x0CF3, 0x3000) },
+ 
+ 	/* Atheros AR3011 with sflash firmware*/
++	{ USB_DEVICE(0x0489, 0xE027) },
++	{ USB_DEVICE(0x0489, 0xE03D) },
++	{ USB_DEVICE(0x0930, 0x0215) },
+ 	{ USB_DEVICE(0x0CF3, 0x3002) },
+ 	{ USB_DEVICE(0x0CF3, 0xE019) },
+ 	{ USB_DEVICE(0x13d3, 0x3304) },
+-	{ USB_DEVICE(0x0930, 0x0215) },
+-	{ USB_DEVICE(0x0489, 0xE03D) },
+-	{ USB_DEVICE(0x0489, 0xE027) },
+ 
+ 	/* Atheros AR9285 Malbec with sflash firmware */
+ 	{ USB_DEVICE(0x03F0, 0x311D) },
+ 
+ 	/* Atheros AR3012 with sflash firmware*/
+-	{ USB_DEVICE(0x0CF3, 0x0036) },
+-	{ USB_DEVICE(0x0CF3, 0x3004) },
+-	{ USB_DEVICE(0x0CF3, 0x3008) },
+-	{ USB_DEVICE(0x0CF3, 0x311D) },
+-	{ USB_DEVICE(0x0CF3, 0x817a) },
+-	{ USB_DEVICE(0x13d3, 0x3375) },
++	{ USB_DEVICE(0x0489, 0xe04d) },
++	{ USB_DEVICE(0x0489, 0xe04e) },
++	{ USB_DEVICE(0x0489, 0xe057) },
++	{ USB_DEVICE(0x0489, 0xe056) },
++	{ USB_DEVICE(0x0489, 0xe05f) },
++	{ USB_DEVICE(0x0489, 0xe078) },
++	{ USB_DEVICE(0x04c5, 0x1330) },
+ 	{ USB_DEVICE(0x04CA, 0x3004) },
+ 	{ USB_DEVICE(0x04CA, 0x3005) },
+ 	{ USB_DEVICE(0x04CA, 0x3006) },
+ 	{ USB_DEVICE(0x04CA, 0x3007) },
+ 	{ USB_DEVICE(0x04CA, 0x3008) },
+-	{ USB_DEVICE(0x13d3, 0x3362) },
++	{ USB_DEVICE(0x04CA, 0x300b) },
++	{ USB_DEVICE(0x04CA, 0x3010) },
++	{ USB_DEVICE(0x0930, 0x0219) },
++	{ USB_DEVICE(0x0930, 0x0220) },
++	{ USB_DEVICE(0x0930, 0x0227) },
++	{ USB_DEVICE(0x0b05, 0x17d0) },
++	{ USB_DEVICE(0x0CF3, 0x0036) },
++	{ USB_DEVICE(0x0CF3, 0x3004) },
++	{ USB_DEVICE(0x0CF3, 0x3008) },
++	{ USB_DEVICE(0x0CF3, 0x311D) },
++	{ USB_DEVICE(0x0CF3, 0x311E) },
++	{ USB_DEVICE(0x0CF3, 0x311F) },
++	{ USB_DEVICE(0x0cf3, 0x3121) },
++	{ USB_DEVICE(0x0CF3, 0x817a) },
++	{ USB_DEVICE(0x0cf3, 0xe003) },
+ 	{ USB_DEVICE(0x0CF3, 0xE004) },
+ 	{ USB_DEVICE(0x0CF3, 0xE005) },
+-	{ USB_DEVICE(0x0930, 0x0219) },
+-	{ USB_DEVICE(0x0489, 0xe057) },
++	{ USB_DEVICE(0x13d3, 0x3362) },
++	{ USB_DEVICE(0x13d3, 0x3375) },
+ 	{ USB_DEVICE(0x13d3, 0x3393) },
+-	{ USB_DEVICE(0x0489, 0xe04e) },
+-	{ USB_DEVICE(0x0489, 0xe056) },
+-	{ USB_DEVICE(0x0489, 0xe04d) },
+-	{ USB_DEVICE(0x04c5, 0x1330) },
+ 	{ USB_DEVICE(0x13d3, 0x3402) },
+-	{ USB_DEVICE(0x0cf3, 0x3121) },
+-	{ USB_DEVICE(0x0cf3, 0xe003) },
++	{ USB_DEVICE(0x13d3, 0x3408) },
++	{ USB_DEVICE(0x13d3, 0x3432) },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE02C) },
+ 
+ 	/* Atheros AR5BBU22 with sflash firmware */
+-	{ USB_DEVICE(0x0489, 0xE03C) },
+ 	{ USB_DEVICE(0x0489, 0xE036) },
++	{ USB_DEVICE(0x0489, 0xE03C) },
+ 
+ 	{ }	/* Terminating entry */
+ };
+@@ -115,34 +126,45 @@ MODULE_DEVICE_TABLE(usb, ath3k_table);
+ static struct usb_device_id ath3k_blist_tbl[] = {
+ 
+ 	/* Atheros AR3012 with sflash firmware*/
+-	{ USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU22 with sflash firmware */
+-	{ USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
+ 
+ 	{ }	/* Terminating entry */
+ };
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 8750d52..2b479d6 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -55,6 +55,7 @@ static struct usb_driver btusb_driver;
+ #define BTUSB_BROKEN_ISOC	0x20
+ #define BTUSB_WRONG_SCO_MTU	0x40
+ #define BTUSB_ATH3012		0x80
++#define BTUSB_INTEL_BOOT	0x200
+ 
+ static struct usb_device_id btusb_table[] = {
+ 	/* Generic Bluetooth USB device */
+@@ -107,18 +108,31 @@ static struct usb_device_id btusb_table[] = {
+ 	{ USB_DEVICE(0x0c10, 0x0000) },
+ 
+ 	/* Broadcom BCM20702A0 */
++	{ USB_DEVICE(0x0489, 0xe042) },
++	{ USB_DEVICE(0x04ca, 0x2003) },
+ 	{ USB_DEVICE(0x0b05, 0x17b5) },
+ 	{ USB_DEVICE(0x0b05, 0x17cb) },
+-	{ USB_DEVICE(0x04ca, 0x2003) },
+-	{ USB_DEVICE(0x0489, 0xe042) },
+ 	{ USB_DEVICE(0x413c, 0x8197) },
+ 
+ 	/* Foxconn - Hon Hai */
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
+ 
+-	/*Broadcom devices with vendor specific id */
++	/* Broadcom devices with vendor specific id */
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
+ 
++	/* ASUSTek Computer - Broadcom based */
++	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },
++
++	/* Belkin F8065bf - Broadcom based */
++	{ USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
++
++	/* IMC Networks - Broadcom based */
++	{ USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
++
++	/* Intel Bluetooth USB Bootloader (RAM module) */
++	{ USB_DEVICE(0x8087, 0x0a5a),
++	  .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
++
+ 	{ }	/* Terminating entry */
+ };
+ 
+@@ -132,53 +146,64 @@ static struct usb_device_id blacklist_table[] = {
+ 	{ USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
+ 
+ 	/* Atheros 3011 with sflash firmware */
++	{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
++	{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
++	{ USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
+ 	{ USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
+ 	{ USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
+ 	{ USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
+-	{ USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
+-	{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
+-	{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
+ 
+ 	/* Atheros AR9285 Malbec with sflash firmware */
+ 	{ USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
+ 
+ 	/* Atheros 3012 with sflash firmware */
+-	{ USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+-	{ USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+-	{ USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Broadcom BCM2035 */
+-	{ USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
+-	{ USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
+ 	{ USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
++	{ USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
++	{ USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
+ 
+ 	/* Broadcom BCM2045 */
+ 	{ USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
+@@ -1058,6 +1083,9 @@ static int btusb_probe(struct usb_interface *intf,
+ 
+ 	hdev->owner = THIS_MODULE;
+ 
++	if (id->driver_info & BTUSB_INTEL_BOOT)
++		set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
++
+ 	/* Interface numbers are hardcoded in the specification */
+ 	data->isoc = usb_ifnum_to_if(data->udev, 1);
+ 
+diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
+index 29b9469..87500e6 100644
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -559,4 +559,4 @@ MODULE_DESCRIPTION("VIA PadLock AES algorithm support");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Michal Ludvig");
+ 
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
+diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
+index 06bdb4b..710f3cb 100644
+--- a/drivers/crypto/padlock-sha.c
++++ b/drivers/crypto/padlock-sha.c
+@@ -593,7 +593,7 @@ MODULE_DESCRIPTION("VIA PadLock SHA1/SHA256 algorithms support.");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Michal Ludvig");
+ 
+-MODULE_ALIAS("sha1-all");
+-MODULE_ALIAS("sha256-all");
+-MODULE_ALIAS("sha1-padlock");
+-MODULE_ALIAS("sha256-padlock");
++MODULE_ALIAS_CRYPTO("sha1-all");
++MODULE_ALIAS_CRYPTO("sha256-all");
++MODULE_ALIAS_CRYPTO("sha1-padlock");
++MODULE_ALIAS_CRYPTO("sha256-padlock");
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index a971e3d..51e5ee8 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -58,6 +58,7 @@ struct gpio_desc {
+ #define FLAG_TRIG_FALL	5	/* trigger on falling edge */
+ #define FLAG_TRIG_RISE	6	/* trigger on rising edge */
+ #define FLAG_ACTIVE_LOW	7	/* sysfs value has active low */
++#define FLAG_SYSFS_DIR	10	/* show sysfs direction attribute */
+ 
+ #define ID_SHIFT	16	/* add new flags before this one */
+ 
+@@ -317,7 +318,7 @@ static ssize_t gpio_value_store(struct device *dev,
+ 	return status;
+ }
+ 
+-static const DEVICE_ATTR(value, 0644,
++static DEVICE_ATTR(value, 0644,
+ 		gpio_value_show, gpio_value_store);
+ 
+ static irqreturn_t gpio_sysfs_irq(int irq, void *priv)
+@@ -540,17 +541,47 @@ static ssize_t gpio_active_low_store(struct device *dev,
+ 	return status ? : size;
+ }
+ 
+-static const DEVICE_ATTR(active_low, 0644,
++static DEVICE_ATTR(active_low, 0644,
+ 		gpio_active_low_show, gpio_active_low_store);
+ 
+-static const struct attribute *gpio_attrs[] = {
++static mode_t gpio_is_visible(struct kobject *kobj, struct attribute *attr,
++			       int n)
++{
++	struct device *dev = container_of(kobj, struct device, kobj);
++	struct gpio_desc *desc = dev_get_drvdata(dev);
++	unsigned gpio = desc - gpio_desc;
++	mode_t mode = attr->mode;
++	bool show_direction = test_bit(FLAG_SYSFS_DIR, &desc->flags);
++
++	if (attr == &dev_attr_direction.attr) {
++		if (!show_direction)
++			mode = 0;
++	} else if (attr == &dev_attr_edge.attr) {
++		if (gpio_to_irq(gpio) < 0)
++			mode = 0;
++		if (!show_direction && test_bit(FLAG_IS_OUT, &desc->flags))
++			mode = 0;
++	}
++
++	return mode;
++}
++
++static struct attribute *gpio_attrs[] = {
++	&dev_attr_direction.attr,
++	&dev_attr_edge.attr,
+ 	&dev_attr_value.attr,
+ 	&dev_attr_active_low.attr,
+ 	NULL,
+ };
+ 
+-static const struct attribute_group gpio_attr_group = {
+-	.attrs = (struct attribute **) gpio_attrs,
++static const struct attribute_group gpio_group = {
++	.attrs = gpio_attrs,
++	.is_visible = gpio_is_visible,
++};
++
++static const struct attribute_group *gpio_groups[] = {
++	&gpio_group,
++	NULL
+ };
+ 
+ /*
+@@ -587,16 +618,13 @@ static ssize_t chip_ngpio_show(struct device *dev,
+ }
+ static DEVICE_ATTR(ngpio, 0444, chip_ngpio_show, NULL);
+ 
+-static const struct attribute *gpiochip_attrs[] = {
++static struct attribute *gpiochip_attrs[] = {
+ 	&dev_attr_base.attr,
+ 	&dev_attr_label.attr,
+ 	&dev_attr_ngpio.attr,
+ 	NULL,
+ };
+-
+-static const struct attribute_group gpiochip_attr_group = {
+-	.attrs = (struct attribute **) gpiochip_attrs,
+-};
++ATTRIBUTE_GROUPS(gpiochip);
+ 
+ /*
+  * /sys/class/gpio/export ... write-only
+@@ -700,8 +728,9 @@ int gpio_export(unsigned gpio, bool direction_may_change)
+ {
+ 	unsigned long		flags;
+ 	struct gpio_desc	*desc;
+-	int			status = -EINVAL;
++	int			status;
+ 	const char		*ioname = NULL;
++	struct device		*dev;
+ 
+ 	/* can't export until sysfs is available ... */
+ 	if (!gpio_class.p) {
+@@ -709,59 +738,50 @@ int gpio_export(unsigned gpio, bool direction_may_change)
+ 		return -ENOENT;
+ 	}
+ 
+-	if (!gpio_is_valid(gpio))
+-		goto done;
++	if (!gpio_is_valid(gpio)) {
++		pr_debug("%s: gpio %d is not valid\n", __func__, gpio);
++		return -EINVAL;
++	}
+ 
+ 	mutex_lock(&sysfs_lock);
+ 
+ 	spin_lock_irqsave(&gpio_lock, flags);
+ 	desc = &gpio_desc[gpio];
+-	if (test_bit(FLAG_REQUESTED, &desc->flags)
+-			&& !test_bit(FLAG_EXPORT, &desc->flags)) {
+-		status = 0;
+-		if (!desc->chip->direction_input
+-				|| !desc->chip->direction_output)
+-			direction_may_change = false;
++	if (!test_bit(FLAG_REQUESTED, &desc->flags) ||
++	     test_bit(FLAG_EXPORT, &desc->flags)) {
++		spin_unlock_irqrestore(&gpio_lock, flags);
++		pr_debug("%s: gpio %d unavailable (requested=%d, exported=%d)\n",
++				__func__, gpio,
++				test_bit(FLAG_REQUESTED, &desc->flags),
++				test_bit(FLAG_EXPORT, &desc->flags));
++		return -EPERM;
++	}
++
++	if (desc->chip->direction_input && desc->chip->direction_output &&
++			direction_may_change) {
++		set_bit(FLAG_SYSFS_DIR, &desc->flags);
+ 	}
++
+ 	spin_unlock_irqrestore(&gpio_lock, flags);
+ 
+ 	if (desc->chip->names && desc->chip->names[gpio - desc->chip->base])
+ 		ioname = desc->chip->names[gpio - desc->chip->base];
+ 
+-	if (status == 0) {
+-		struct device	*dev;
+-
+-		dev = device_create(&gpio_class, desc->chip->dev, MKDEV(0, 0),
+-				desc, ioname ? ioname : "gpio%u", gpio);
+-		if (!IS_ERR(dev)) {
+-			status = sysfs_create_group(&dev->kobj,
+-						&gpio_attr_group);
+-
+-			if (!status && direction_may_change)
+-				status = device_create_file(dev,
+-						&dev_attr_direction);
+-
+-			if (!status && gpio_to_irq(gpio) >= 0
+-					&& (direction_may_change
+-						|| !test_bit(FLAG_IS_OUT,
+-							&desc->flags)))
+-				status = device_create_file(dev,
+-						&dev_attr_edge);
+-
+-			if (status != 0)
+-				device_unregister(dev);
+-		} else
+-			status = PTR_ERR(dev);
+-		if (status == 0)
+-			set_bit(FLAG_EXPORT, &desc->flags);
++	dev = device_create_with_groups(&gpio_class, desc->chip->dev,
++					MKDEV(0, 0), desc, gpio_groups,
++					ioname ? ioname : "gpio%u", gpio);
++	if (IS_ERR(dev)) {
++		status = PTR_ERR(dev);
++		goto fail_unlock;
+ 	}
+ 
++	set_bit(FLAG_EXPORT, &desc->flags);
+ 	mutex_unlock(&sysfs_lock);
++	return 0;
+ 
+-done:
+-	if (status)
+-		pr_debug("%s: gpio%d status %d\n", __func__, gpio, status);
+-
++fail_unlock:
++	mutex_unlock(&sysfs_lock);
++	pr_debug("%s: gpio%d status %d\n", __func__, gpio, status);
+ 	return status;
+ }
+ EXPORT_SYMBOL_GPL(gpio_export);
+@@ -873,6 +893,7 @@ void gpio_unexport(unsigned gpio)
+ {
+ 	struct gpio_desc	*desc;
+ 	int			status = 0;
++	struct device		*dev = NULL;
+ 
+ 	if (!gpio_is_valid(gpio)) {
+ 		status = -EINVAL;
+@@ -884,19 +905,21 @@ void gpio_unexport(unsigned gpio)
+ 	desc = &gpio_desc[gpio];
+ 
+ 	if (test_bit(FLAG_EXPORT, &desc->flags)) {
+-		struct device	*dev = NULL;
+ 
+ 		dev = class_find_device(&gpio_class, NULL, desc, match_export);
+ 		if (dev) {
+ 			gpio_setup_irq(desc, dev, 0);
++			clear_bit(FLAG_SYSFS_DIR, &desc->flags);
+ 			clear_bit(FLAG_EXPORT, &desc->flags);
+-			put_device(dev);
+-			device_unregister(dev);
+ 		} else
+ 			status = -ENODEV;
+ 	}
+ 
+ 	mutex_unlock(&sysfs_lock);
++	if (dev) {
++		device_unregister(dev);
++		put_device(dev);
++	}
+ done:
+ 	if (status)
+ 		pr_debug("%s: gpio%d status %d\n", __func__, gpio, status);
+@@ -918,13 +941,13 @@ static int gpiochip_export(struct gpio_chip *chip)
+ 
+ 	/* use chip->base for the ID; it's already known to be unique */
+ 	mutex_lock(&sysfs_lock);
+-	dev = device_create(&gpio_class, chip->dev, MKDEV(0, 0), chip,
+-				"gpiochip%d", chip->base);
+-	if (!IS_ERR(dev)) {
+-		status = sysfs_create_group(&dev->kobj,
+-				&gpiochip_attr_group);
+-	} else
++	dev = device_create_with_groups(&gpio_class, chip->dev, MKDEV(0, 0),
++					chip, gpiochip_groups,
++					"gpiochip%d", chip->base);
++	if (IS_ERR(dev))
+ 		status = PTR_ERR(dev);
++	else
++		status = 0;
+ 	chip->exported = (status == 0);
+ 	mutex_unlock(&sysfs_lock);
+ 
+@@ -1075,9 +1098,9 @@ int gpiochip_add(struct gpio_chip *chip)
+ 				? (1 << FLAG_IS_OUT)
+ 				: 0;
+ 		}
+-	}
+ 
+-	of_gpiochip_add(chip);
++		of_gpiochip_add(chip);
++	}
+ 
+ unlock:
+ 	spin_unlock_irqrestore(&gpio_lock, flags);
+@@ -1086,8 +1109,10 @@ unlock:
+ 		goto fail;
+ 
+ 	status = gpiochip_export(chip);
+-	if (status)
++	if (status) {
++		of_gpiochip_remove(chip);
+ 		goto fail;
++	}
+ 
+ 	return 0;
+ fail:
+diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
+index 2865b44..315a49e 100644
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2248,6 +2248,13 @@ static int sandybridge_write_fence_reg(struct drm_i915_gem_object *obj,
+ 	int regnum = obj->fence_reg;
+ 	uint64_t val;
+ 
++	/* Adjust fence size to match tiled area */
++	if (obj->tiling_mode != I915_TILING_NONE) {
++		uint32_t row_size = obj->stride *
++			(obj->tiling_mode == I915_TILING_Y ? 32 : 8);
++		size = (size / row_size) * row_size;
++	}
++
+ 	val = (uint64_t)((obj->gtt_offset + size - 4096) &
+ 			 0xfffff000) << 32;
+ 	val |= obj->gtt_offset & 0xfffff000;
+@@ -2285,6 +2292,13 @@ static int i965_write_fence_reg(struct drm_i915_gem_object *obj,
+ 	int regnum = obj->fence_reg;
+ 	uint64_t val;
+ 
++	/* Adjust fence size to match tiled area */
++	if (obj->tiling_mode != I915_TILING_NONE) {
++		uint32_t row_size = obj->stride *
++			(obj->tiling_mode == I915_TILING_Y ? 32 : 8);
++		size = (size / row_size) * row_size;
++	}
++
+ 	val = (uint64_t)((obj->gtt_offset + size - 4096) &
+ 		    0xfffff000) << 32;
+ 	val |= obj->gtt_offset & 0xfffff000;
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+index 15fb260..1ed5a1c 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -484,14 +484,7 @@ void vmw_fence_obj_flush(struct vmw_fence_obj *fence)
+ 
+ static void vmw_fence_destroy(struct vmw_fence_obj *fence)
+ {
+-	struct vmw_fence_manager *fman = fence->fman;
+-
+ 	kfree(fence);
+-	/*
+-	 * Free kernel space accounting.
+-	 */
+-	ttm_mem_global_free(vmw_mem_glob(fman->dev_priv),
+-			    fman->fence_size);
+ }
+ 
+ int vmw_fence_create(struct vmw_fence_manager *fman,
+@@ -499,20 +492,12 @@ int vmw_fence_create(struct vmw_fence_manager *fman,
+ 		     uint32_t mask,
+ 		     struct vmw_fence_obj **p_fence)
+ {
+-	struct ttm_mem_global *mem_glob = vmw_mem_glob(fman->dev_priv);
+ 	struct vmw_fence_obj *fence;
+ 	int ret;
+ 
+-	ret = ttm_mem_global_alloc(mem_glob, fman->fence_size,
+-				   false, false);
+-	if (unlikely(ret != 0))
+-		return ret;
+-
+ 	fence = kzalloc(sizeof(*fence), GFP_KERNEL);
+-	if (unlikely(fence == NULL)) {
+-		ret = -ENOMEM;
+-		goto out_no_object;
+-	}
++	if (unlikely(fence == NULL))
++		return -ENOMEM;
+ 
+ 	ret = vmw_fence_obj_init(fman, fence, seqno, mask,
+ 				 vmw_fence_destroy);
+@@ -524,8 +509,6 @@ int vmw_fence_create(struct vmw_fence_manager *fman,
+ 
+ out_err_init:
+ 	kfree(fence);
+-out_no_object:
+-	ttm_mem_global_free(mem_glob, fman->fence_size);
+ 	return ret;
+ }
+ 
+diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c
+index df05c1b1..13b40a0 100644
+--- a/drivers/hid/hid-roccat-pyra.c
++++ b/drivers/hid/hid-roccat-pyra.c
+@@ -35,6 +35,8 @@ static struct class *pyra_class;
+ static void profile_activated(struct pyra_device *pyra,
+ 		unsigned int new_profile)
+ {
++	if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
++		return;
+ 	pyra->actual_profile = new_profile;
+ 	pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
+ }
+@@ -303,6 +305,10 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp,
+ 	if (off != 0 || count != sizeof(struct pyra_settings))
+ 		return -EINVAL;
+ 
++	if (((struct pyra_settings const *)buf)->startup_profile >=
++	    ARRAY_SIZE(pyra->profile_settings))
++		return -EINVAL;
++
+ 	mutex_lock(&pyra->pyra_lock);
+ 	difference = memcmp(buf, &pyra->settings, sizeof(struct pyra_settings));
+ 	if (difference) {
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+index a5c6a8c..858b0e3 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -152,6 +152,14 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
+ 		},
+ 	},
+ 	{
++		/* Medion Akoya E7225 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Medion"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Akoya E7225"),
++			DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
++		},
++	},
++	{
+ 		/* Blue FB5601 */
+ 		.matches = {
+ 			DMI_MATCH(DMI_SYS_VENDOR, "blue"),
+@@ -408,6 +416,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = {
+ 		},
+ 	},
+ 	{
++		/* Acer Aspire 7738 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 7738"),
++		},
++	},
++	{
+ 		/* Gericom Bellagio */
+ 		.matches = {
+ 			DMI_MATCH(DMI_SYS_VENDOR, "Gericom"),
+@@ -714,6 +729,35 @@ static const struct dmi_system_id __initconst i8042_dmi_dritek_table[] = {
+ 	{ }
+ };
+ 
++/*
++ * Some laptops need keyboard reset before probing for the trackpad to get
++ * it detected, initialised & finally work.
++ */
++static const struct dmi_system_id __initconst i8042_dmi_kbdreset_table[] = {
++	{
++		/* Gigabyte P35 v2 - Elantech touchpad */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "P35V2"),
++		},
++	},
++		{
++		/* Aorus branded Gigabyte X3 Plus - Elantech touchpad */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "X3"),
++		},
++	},
++	{
++		/* Gigabyte P34 - Elantech touchpad */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "P34"),
++		},
++	},
++	{ }
++};
++
+ #endif /* CONFIG_X86 */
+ 
+ #ifdef CONFIG_PNP
+@@ -992,6 +1036,9 @@ static int __init i8042_platform_init(void)
+ 	if (dmi_check_system(i8042_dmi_dritek_table))
+ 		i8042_dritek = true;
+ 
++	if (dmi_check_system(i8042_dmi_kbdreset_table))
++		i8042_kbdreset = true;
++
+ 	/*
+ 	 * A20 was already enabled during early kernel init. But some buggy
+ 	 * BIOSes (in MSI Laptops) require A20 to be enabled using 8042 to
+diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
+index 8656441..178e75d 100644
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -67,6 +67,10 @@ static bool i8042_notimeout;
+ module_param_named(notimeout, i8042_notimeout, bool, 0);
+ MODULE_PARM_DESC(notimeout, "Ignore timeouts signalled by i8042");
+ 
++static bool i8042_kbdreset;
++module_param_named(kbdreset, i8042_kbdreset, bool, 0);
++MODULE_PARM_DESC(kbdreset, "Reset device connected to KBD port");
++
+ #ifdef CONFIG_X86
+ static bool i8042_dritek;
+ module_param_named(dritek, i8042_dritek, bool, 0);
+@@ -783,6 +787,16 @@ static int __init i8042_check_aux(void)
+ 		return -1;
+ 
+ /*
++ * Reset keyboard (needed on some laptops to successfully detect
++ * touchpad, e.g., some Gigabyte laptop models with Elantech
++ * touchpads).
++ */
++	if (i8042_kbdreset) {
++		pr_warn("Attempting to reset device connected to KBD port\n");
++		i8042_kbd_write(NULL, (unsigned char) 0xff);
++	}
++
++/*
+  * Test AUX IRQ delivery to make sure BIOS did not grab the IRQ and
+  * used it for a PCI card or somethig else.
+  */
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index e83aa8e..d3da166 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1763,7 +1763,7 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
+ 	struct dma_pte *first_pte = NULL, *pte = NULL;
+ 	phys_addr_t uninitialized_var(pteval);
+ 	int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT;
+-	unsigned long sg_res;
++	unsigned long sg_res = 0;
+ 	unsigned int largepage_lvl = 0;
+ 	unsigned long lvl_pages = 0;
+ 
+@@ -1774,10 +1774,8 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
+ 
+ 	prot &= DMA_PTE_READ | DMA_PTE_WRITE | DMA_PTE_SNP;
+ 
+-	if (sg)
+-		sg_res = 0;
+-	else {
+-		sg_res = nr_pages + 1;
++	if (!sg) {
++		sg_res = nr_pages;
+ 		pteval = ((phys_addr_t)phys_pfn << VTD_PAGE_SHIFT) | prot;
+ 	}
+ 
+diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
+index e89ae5e..955db34 100644
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -419,7 +419,9 @@ static int sm_bootstrap_get_nr_blocks(struct dm_space_map *sm, dm_block_t *count
+ {
+ 	struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+ 
+-	return smm->ll.nr_blocks;
++	*count = smm->ll.nr_blocks;
++
++	return 0;
+ }
+ 
+ static int sm_bootstrap_get_nr_free(struct dm_space_map *sm, dm_block_t *count)
+diff --git a/drivers/media/dvb/dvb-usb/af9005.c b/drivers/media/dvb/dvb-usb/af9005.c
+index bd51a76..0b3ef9f 100644
+--- a/drivers/media/dvb/dvb-usb/af9005.c
++++ b/drivers/media/dvb/dvb-usb/af9005.c
+@@ -1072,9 +1072,12 @@ static int __init af9005_usb_module_init(void)
+ 		err("usb_register failed. (%d)", result);
+ 		return result;
+ 	}
++#if IS_MODULE(CONFIG_DVB_USB_AF9005) || defined(CONFIG_DVB_USB_AF9005_REMOTE)
++	/* FIXME: convert to todays kernel IR infrastructure */
+ 	rc_decode = symbol_request(af9005_rc_decode);
+ 	rc_keys = symbol_request(rc_map_af9005_table);
+ 	rc_keys_size = symbol_request(rc_map_af9005_table_size);
++#endif
+ 	if (rc_decode == NULL || rc_keys == NULL || rc_keys_size == NULL) {
+ 		err("af9005_rc_decode function not found, disabling remote");
+ 		af9005_properties.rc.legacy.rc_query = NULL;
+diff --git a/drivers/media/video/au0828/au0828-cards.c b/drivers/media/video/au0828/au0828-cards.c
+index 1c6015a..d6adee6 100644
+--- a/drivers/media/video/au0828/au0828-cards.c
++++ b/drivers/media/video/au0828/au0828-cards.c
+@@ -36,6 +36,11 @@ void hvr950q_cs5340_audio(void *priv, int enable)
+ 		au0828_clear(dev, REG_000, 0x10);
+ }
+ 
++/*
++ * WARNING: There's a quirks table at sound/usb/quirks-table.h
++ * that should also be updated every time a new device with V4L2 support
++ * is added here.
++ */
+ struct au0828_board au0828_boards[] = {
+ 	[AU0828_BOARD_UNKNOWN] = {
+ 		.name	= "Unknown board",
+diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c
+index 8fd00e8..135e3ca 100644
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -1597,12 +1597,12 @@ static void uvc_delete(struct uvc_device *dev)
+ {
+ 	struct list_head *p, *n;
+ 
+-	usb_put_intf(dev->intf);
+-	usb_put_dev(dev->udev);
+-
+ 	uvc_status_cleanup(dev);
+ 	uvc_ctrl_cleanup_device(dev);
+ 
++	usb_put_intf(dev->intf);
++	usb_put_dev(dev->udev);
++
+ 	if (dev->vdev.dev)
+ 		v4l2_device_unregister(&dev->vdev);
+ #ifdef CONFIG_MEDIA_CONTROLLER
+diff --git a/drivers/mfd/tc6393xb.c b/drivers/mfd/tc6393xb.c
+index 9612264..b69d91b 100644
+--- a/drivers/mfd/tc6393xb.c
++++ b/drivers/mfd/tc6393xb.c
+@@ -263,6 +263,17 @@ static int tc6393xb_ohci_disable(struct platform_device *dev)
+ 	return 0;
+ }
+ 
++static int tc6393xb_ohci_suspend(struct platform_device *dev)
++{
++	struct tc6393xb_platform_data *tcpd = dev_get_platdata(dev->dev.parent);
++
++	/* We can't properly store/restore OHCI state, so fail here */
++	if (tcpd->resume_restore)
++		return -EBUSY;
++
++	return tc6393xb_ohci_disable(dev);
++}
++
+ static int tc6393xb_fb_enable(struct platform_device *dev)
+ {
+ 	struct tc6393xb *tc6393xb = dev_get_drvdata(dev->dev.parent);
+@@ -403,7 +414,7 @@ static struct mfd_cell __devinitdata tc6393xb_cells[] = {
+ 		.num_resources = ARRAY_SIZE(tc6393xb_ohci_resources),
+ 		.resources = tc6393xb_ohci_resources,
+ 		.enable = tc6393xb_ohci_enable,
+-		.suspend = tc6393xb_ohci_disable,
++		.suspend = tc6393xb_ohci_suspend,
+ 		.resume = tc6393xb_ohci_enable,
+ 		.disable = tc6393xb_ohci_disable,
+ 	},
+diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c
+index 425bf5a..068a246 100644
+--- a/drivers/mtd/ubi/upd.c
++++ b/drivers/mtd/ubi/upd.c
+@@ -135,6 +135,10 @@ int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
+ 	ubi_assert(!vol->updating && !vol->changing_leb);
+ 	vol->updating = 1;
+ 
++	vol->upd_buf = vmalloc(ubi->leb_size);
++	if (!vol->upd_buf)
++		return -ENOMEM;
++
+ 	err = set_update_marker(ubi, vol);
+ 	if (err)
+ 		return err;
+@@ -154,14 +158,12 @@ int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
+ 		err = clear_update_marker(ubi, vol, 0);
+ 		if (err)
+ 			return err;
++
++		vfree(vol->upd_buf);
+ 		vol->updating = 0;
+ 		return 0;
+ 	}
+ 
+-	vol->upd_buf = vmalloc(ubi->leb_size);
+-	if (!vol->upd_buf)
+-		return -ENOMEM;
+-
+ 	vol->upd_ebs = div_u64(bytes + vol->usable_leb_size - 1,
+ 			       vol->usable_leb_size);
+ 	vol->upd_bytes = bytes;
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 1eac27f..a25442e 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -605,10 +605,14 @@ static int can_changelink(struct net_device *dev,
+ 		if (dev->flags & IFF_UP)
+ 			return -EBUSY;
+ 		cm = nla_data(data[IFLA_CAN_CTRLMODE]);
+-		if (cm->flags & ~priv->ctrlmode_supported)
++
++		/* check whether changed bits are allowed to be modified */
++		if (cm->mask & ~priv->ctrlmode_supported)
+ 			return -EOPNOTSUPP;
++
++		/* clear bits to be modified and copy the flag values */
+ 		priv->ctrlmode &= ~cm->mask;
+-		priv->ctrlmode |= cm->flags;
++		priv->ctrlmode |= (cm->flags & cm->mask);
+ 	}
+ 
+ 	if (data[IFLA_CAN_BITTIMING]) {
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 2615433..2ec19e7 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -15647,23 +15647,6 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
+ 		goto err_out_apeunmap;
+ 	}
+ 
+-	/*
+-	 * Reset chip in case UNDI or EFI driver did not shutdown
+-	 * DMA self test will enable WDMAC and we'll see (spurious)
+-	 * pending DMA on the PCI bus at that point.
+-	 */
+-	if ((tr32(HOSTCC_MODE) & HOSTCC_MODE_ENABLE) ||
+-	    (tr32(WDMAC_MODE) & WDMAC_MODE_ENABLE)) {
+-		tw32(MEMARB_MODE, MEMARB_MODE_ENABLE);
+-		tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
+-	}
+-
+-	err = tg3_test_dma(tp);
+-	if (err) {
+-		dev_err(&pdev->dev, "DMA engine test failed, aborting\n");
+-		goto err_out_apeunmap;
+-	}
+-
+ 	intmbx = MAILBOX_INTERRUPT_0 + TG3_64BIT_REG_LOW;
+ 	rcvmbx = MAILBOX_RCVRET_CON_IDX_0 + TG3_64BIT_REG_LOW;
+ 	sndmbx = MAILBOX_SNDHOST_PROD_IDX_0 + TG3_64BIT_REG_LOW;
+@@ -15708,6 +15691,23 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
+ 			sndmbx += 0xc;
+ 	}
+ 
++	/*
++	 * Reset chip in case UNDI or EFI driver did not shutdown
++	 * DMA self test will enable WDMAC and we'll see (spurious)
++	 * pending DMA on the PCI bus at that point.
++	 */
++	if ((tr32(HOSTCC_MODE) & HOSTCC_MODE_ENABLE) ||
++	    (tr32(WDMAC_MODE) & WDMAC_MODE_ENABLE)) {
++		tw32(MEMARB_MODE, MEMARB_MODE_ENABLE);
++		tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
++	}
++
++	err = tg3_test_dma(tp);
++	if (err) {
++		dev_err(&pdev->dev, "DMA engine test failed, aborting\n");
++		goto err_out_apeunmap;
++	}
++
+ 	tg3_init_coal(tp);
+ 
+ 	pci_set_drvdata(pdev, dev);
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index c3786fd..b9dcd0f 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1272,10 +1272,14 @@ static void enic_rq_indicate_buf(struct vnic_rq *rq,
+ 		skb_put(skb, bytes_written);
+ 		skb->protocol = eth_type_trans(skb, netdev);
+ 
+-		if ((netdev->features & NETIF_F_RXCSUM) && !csum_not_calc) {
+-			skb->csum = htons(checksum);
+-			skb->ip_summed = CHECKSUM_COMPLETE;
+-		}
++		/* Hardware does not provide whole packet checksum. It only
++		 * provides pseudo checksum. Since hw validates the packet
++		 * checksum but not provide us the checksum value. use
++		 * CHECSUM_UNNECESSARY.
++		 */
++		if ((netdev->features & NETIF_F_RXCSUM) && tcp_udp_csum_ok &&
++		    ipv4_csum_ok)
++			skb->ip_summed = CHECKSUM_UNNECESSARY;
+ 
+ 		skb->dev = netdev;
+ 
+diff --git a/drivers/net/wireless/ath/ath5k/qcu.c b/drivers/net/wireless/ath/ath5k/qcu.c
+index 7766542..ff3d348 100644
+--- a/drivers/net/wireless/ath/ath5k/qcu.c
++++ b/drivers/net/wireless/ath/ath5k/qcu.c
+@@ -167,13 +167,7 @@ int ath5k_hw_setup_tx_queue(struct ath5k_hw *ah, enum ath5k_tx_queue queue_type,
+ 	} else {
+ 		switch (queue_type) {
+ 		case AR5K_TX_QUEUE_DATA:
+-			for (queue = AR5K_TX_QUEUE_ID_DATA_MIN;
+-				ah->ah_txq[queue].tqi_type !=
+-				AR5K_TX_QUEUE_INACTIVE; queue++) {
+-
+-				if (queue > AR5K_TX_QUEUE_ID_DATA_MAX)
+-					return -EINVAL;
+-			}
++			queue = queue_info->tqi_subtype;
+ 			break;
+ 		case AR5K_TX_QUEUE_UAPSD:
+ 			queue = AR5K_TX_QUEUE_ID_UAPSD;
+diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
+index dc774cd..8b1123d 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.h
++++ b/drivers/net/wireless/ath/ath9k/hw.h
+@@ -174,8 +174,8 @@
+ #define PAPRD_IDEAL_AGC2_PWR_RANGE	0xe0
+ 
+ enum ath_hw_txq_subtype {
+-	ATH_TXQ_AC_BE = 0,
+-	ATH_TXQ_AC_BK = 1,
++	ATH_TXQ_AC_BK = 0,
++	ATH_TXQ_AC_BE = 1,
+ 	ATH_TXQ_AC_VI = 2,
+ 	ATH_TXQ_AC_VO = 3,
+ };
+diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
+index bbcb777..167c7f6 100644
+--- a/drivers/net/wireless/ath/ath9k/mac.c
++++ b/drivers/net/wireless/ath/ath9k/mac.c
+@@ -311,14 +311,7 @@ int ath9k_hw_setuptxqueue(struct ath_hw *ah, enum ath9k_tx_queue type,
+ 		q = ATH9K_NUM_TX_QUEUES - 3;
+ 		break;
+ 	case ATH9K_TX_QUEUE_DATA:
+-		for (q = 0; q < ATH9K_NUM_TX_QUEUES; q++)
+-			if (ah->txq[q].tqi_type ==
+-			    ATH9K_TX_QUEUE_INACTIVE)
+-				break;
+-		if (q == ATH9K_NUM_TX_QUEUES) {
+-			ath_err(common, "No available TX queue\n");
+-			return -1;
+-		}
++		q = qinfo->tqi_subtype;
+ 		break;
+ 	default:
+ 		ath_err(common, "Invalid TX queue type: %u\n", type);
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 9005380..bc92c47 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -175,14 +175,17 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
+ 		res->flags |= IORESOURCE_SIZEALIGN;
+ 		if (res->flags & IORESOURCE_IO) {
+ 			l &= PCI_BASE_ADDRESS_IO_MASK;
++			sz &= PCI_BASE_ADDRESS_IO_MASK;
+ 			mask = PCI_BASE_ADDRESS_IO_MASK & (u32) IO_SPACE_LIMIT;
+ 		} else {
+ 			l &= PCI_BASE_ADDRESS_MEM_MASK;
++			sz &= PCI_BASE_ADDRESS_MEM_MASK;
+ 			mask = (u32)PCI_BASE_ADDRESS_MEM_MASK;
+ 		}
+ 	} else {
+ 		res->flags |= (l & IORESOURCE_ROM_ENABLE);
+ 		l &= PCI_ROM_ADDRESS_MASK;
++		sz &= PCI_ROM_ADDRESS_MASK;
+ 		mask = (u32)PCI_ROM_ADDRESS_MASK;
+ 	}
+ 
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 9b48d61..127dfe5d 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -388,19 +388,52 @@ static void __devinit quirk_s3_64M(struct pci_dev *dev)
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_S3,	PCI_DEVICE_ID_S3_868,		quirk_s3_64M);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_S3,	PCI_DEVICE_ID_S3_968,		quirk_s3_64M);
+ 
++static void quirk_io(struct pci_dev *dev, int pos, unsigned size,
++		     const char *name)
++{
++	u32 region;
++	struct pci_bus_region bus_region;
++	struct resource *res = dev->resource + pos;
++
++	pci_read_config_dword(dev, PCI_BASE_ADDRESS_0 + (pos << 2), &region);
++
++	if (!region)
++		return;
++
++	res->name = pci_name(dev);
++	res->flags = region & ~PCI_BASE_ADDRESS_IO_MASK;
++	res->flags |=
++		(IORESOURCE_IO | IORESOURCE_PCI_FIXED | IORESOURCE_SIZEALIGN);
++	region &= ~(size - 1);
++
++	/* Convert from PCI bus to resource space */
++	bus_region.start = region;
++	bus_region.end = region + size - 1;
++	pcibios_bus_to_resource(dev->bus, res, &bus_region);
++
++	dev_info(&dev->dev, FW_BUG "%s quirk: reg 0x%x: %pR\n",
++		 name, PCI_BASE_ADDRESS_0 + (pos << 2), res);
++}
++
+ /*
+  * Some CS5536 BIOSes (for example, the Soekris NET5501 board w/ comBIOS
+  * ver. 1.33  20070103) don't set the correct ISA PCI region header info.
+  * BAR0 should be 8 bytes; instead, it may be set to something like 8k
+  * (which conflicts w/ BAR1's memory range).
++ *
++ * CS553x's ISA PCI BARs may also be read-only (ref:
++ * https://bugzilla.kernel.org/show_bug.cgi?id=85991 - Comment #4 forward).
+  */
+ static void __devinit quirk_cs5536_vsa(struct pci_dev *dev)
+ {
++	static char *name = "CS5536 ISA bridge";
++
+ 	if (pci_resource_len(dev, 0) != 8) {
+-		struct resource *res = &dev->resource[0];
+-		res->end = res->start + 8 - 1;
+-		dev_info(&dev->dev, "CS5536 ISA bridge bug detected "
+-				"(incorrect header); workaround applied.\n");
++		quirk_io(dev, 0,   8, name);	/* SMB */
++		quirk_io(dev, 1, 256, name);	/* GPIO */
++		quirk_io(dev, 2,  64, name);	/* MFGPT */
++		dev_info(&dev->dev, "%s bug detected (incorrect header); workaround applied\n",
++			 name);
+ 	}
+ }
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CS5536_ISA, quirk_cs5536_vsa);
+diff --git a/drivers/platform/x86/hp_accel.c b/drivers/platform/x86/hp_accel.c
+index 0076fea..be6b648 100644
+--- a/drivers/platform/x86/hp_accel.c
++++ b/drivers/platform/x86/hp_accel.c
+@@ -237,6 +237,7 @@ static struct dmi_system_id lis3lv02d_dmi_ids[] = {
+ 	AXIS_DMI_MATCH("HPB64xx", "HP ProBook 64", xy_swap),
+ 	AXIS_DMI_MATCH("HPB64xx", "HP EliteBook 84", xy_swap),
+ 	AXIS_DMI_MATCH("HPB65xx", "HP ProBook 65", x_inverted),
++	AXIS_DMI_MATCH("HPZBook15", "HP ZBook 15", x_inverted),
+ 	{ NULL, }
+ /* Laptop models without axis info (yet):
+  * "NC6910" "HP Compaq 6910"
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 6ec610c..adba3d6 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1314,12 +1314,14 @@ void regulator_put(struct regulator *regulator)
+ 		device_remove_file(regulator->dev, &regulator->dev_attr);
+ 		kfree(regulator->dev_attr.attr.name);
+ 	}
++	mutex_lock(&rdev->mutex);
+ 	kfree(regulator->supply_name);
+ 	list_del(&regulator->list);
+ 	kfree(regulator);
+ 
+ 	rdev->open_count--;
+ 	rdev->exclusive = 0;
++	mutex_unlock(&rdev->mutex);
+ 
+ 	module_put(rdev->owner);
+ 	mutex_unlock(&regulator_list_mutex);
+diff --git a/drivers/s390/char/con3215.c b/drivers/s390/char/con3215.c
+index 934458a..2c8d79c 100644
+--- a/drivers/s390/char/con3215.c
++++ b/drivers/s390/char/con3215.c
+@@ -993,12 +993,26 @@ static int tty3215_write(struct tty_struct * tty,
+ 			 const unsigned char *buf, int count)
+ {
+ 	struct raw3215_info *raw;
++	int i, written;
+ 
+ 	if (!tty)
+ 		return 0;
+ 	raw = (struct raw3215_info *) tty->driver_data;
+-	raw3215_write(raw, buf, count);
+-	return count;
++	written = count;
++	while (count > 0) {
++		for (i = 0; i < count; i++)
++			if (buf[i] == '\t' || buf[i] == '\n')
++				break;
++		raw3215_write(raw, buf, i);
++		count -= i;
++		buf += i;
++		if (count > 0) {
++			raw3215_putchar(raw, *buf);
++			count--;
++			buf++;
++		}
++	}
++	return written;
+ }
+ 
+ /*
+@@ -1146,7 +1160,7 @@ static int __init tty3215_init(void)
+ 	driver->subtype = SYSTEM_TYPE_TTY;
+ 	driver->init_termios = tty_std_termios;
+ 	driver->init_termios.c_iflag = IGNBRK | IGNPAR;
+-	driver->init_termios.c_oflag = ONLCR | XTABS;
++	driver->init_termios.c_oflag = ONLCR;
+ 	driver->init_termios.c_lflag = ISIG;
+ 	driver->flags = TTY_DRIVER_REAL_RAW;
+ 	tty_set_operations(driver, &tty3215_ops);
+diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
+index 165e4dd86..a57f85a 100644
+--- a/drivers/scsi/NCR5380.c
++++ b/drivers/scsi/NCR5380.c
+@@ -2662,14 +2662,14 @@ static void NCR5380_dma_complete(NCR5380_instance * instance) {
+  *
+  * Purpose : abort a command
+  *
+- * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the 
+- *      host byte of the result field to, if zero DID_ABORTED is 
++ * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the
++ *      host byte of the result field to, if zero DID_ABORTED is
+  *      used.
+  *
+- * Returns : 0 - success, -1 on failure.
++ * Returns : SUCCESS - success, FAILED on failure.
+  *
+- *	XXX - there is no way to abort the command that is currently 
+- *	connected, you have to wait for it to complete.  If this is 
++ *	XXX - there is no way to abort the command that is currently
++ *	connected, you have to wait for it to complete.  If this is
+  *	a problem, we could implement longjmp() / setjmp(), setjmp()
+  *	called where the loop started in NCR5380_main().
+  *
+@@ -2719,7 +2719,7 @@ static int NCR5380_abort(Scsi_Cmnd * cmd) {
+  * aborted flag and get back into our main loop.
+  */
+ 
+-		return 0;
++		return SUCCESS;
+ 	}
+ #endif
+ 
+diff --git a/drivers/scsi/aha1740.c b/drivers/scsi/aha1740.c
+index 1c10b79..7f7dc2b 100644
+--- a/drivers/scsi/aha1740.c
++++ b/drivers/scsi/aha1740.c
+@@ -551,7 +551,7 @@ static int aha1740_eh_abort_handler (Scsi_Cmnd *dummy)
+  * quiet as possible...
+  */
+ 
+-	return 0;
++	return SUCCESS;
+ }
+ 
+ static struct scsi_host_template aha1740_template = {
+diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c
+index 2db79b4..589c2a3 100644
+--- a/drivers/scsi/atari_NCR5380.c
++++ b/drivers/scsi/atari_NCR5380.c
+@@ -2638,7 +2638,7 @@ static void NCR5380_reselect(struct Scsi_Host *instance)
+  *	host byte of the result field to, if zero DID_ABORTED is
+  *	used.
+  *
+- * Returns : 0 - success, -1 on failure.
++ * Returns : SUCCESS - success, FAILED on failure.
+  *
+  * XXX - there is no way to abort the command that is currently
+  *	 connected, you have to wait for it to complete.  If this is
+diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
+index 5c17764..04240a4 100644
+--- a/drivers/scsi/megaraid.c
++++ b/drivers/scsi/megaraid.c
+@@ -1964,7 +1964,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
+ 	     cmd->device->id, cmd->device->lun);
+ 
+ 	if(list_empty(&adapter->pending_list))
+-		return FALSE;
++		return FAILED;
+ 
+ 	list_for_each_safe(pos, next, &adapter->pending_list) {
+ 
+@@ -1987,7 +1987,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
+ 					(aor==SCB_ABORT) ? "ABORTING":"RESET",
+ 					scb->idx);
+ 
+-				return FALSE;
++				return FAILED;
+ 			}
+ 			else {
+ 
+@@ -2012,12 +2012,12 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
+ 				list_add_tail(SCSI_LIST(cmd),
+ 						&adapter->completed_list);
+ 
+-				return TRUE;
++				return SUCCESS;
+ 			}
+ 		}
+ 	}
+ 
+-	return FALSE;
++	return FAILED;
+ }
+ 
+ static inline int
+diff --git a/drivers/scsi/sun3_NCR5380.c b/drivers/scsi/sun3_NCR5380.c
+index 7e12a2e..9aaf084 100644
+--- a/drivers/scsi/sun3_NCR5380.c
++++ b/drivers/scsi/sun3_NCR5380.c
+@@ -2624,15 +2624,15 @@ static void NCR5380_reselect (struct Scsi_Host *instance)
+  * Purpose : abort a command
+  *
+  * Inputs : cmd - the struct scsi_cmnd to abort, code - code to set the
+- * 	host byte of the result field to, if zero DID_ABORTED is 
++ *	host byte of the result field to, if zero DID_ABORTED is
+  *	used.
+  *
+- * Returns : 0 - success, -1 on failure.
++ * Returns : SUCCESS - success, FAILED on failure.
+  *
+- * XXX - there is no way to abort the command that is currently 
+- * 	 connected, you have to wait for it to complete.  If this is 
++ * XXX - there is no way to abort the command that is currently
++ *	 connected, you have to wait for it to complete.  If this is
+  *	 a problem, we could implement longjmp() / setjmp(), setjmp()
+- * 	 called where the loop started in NCR5380_main().
++ *	 called where the loop started in NCR5380_main().
+  */
+ 
+ static int NCR5380_abort(struct scsi_cmnd *cmd)
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index c0ca0ee..e6a1bd3 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -219,7 +219,6 @@ int dw_spi_mid_init(struct dw_spi *dws)
+ 	iounmap(clk_reg);
+ 
+ 	dws->num_cs = 16;
+-	dws->fifo_len = 40;	/* FIFO has 40 words buffer */
+ 
+ #ifdef CONFIG_SPI_DW_MID_DMA
+ 	dws->dma_priv = kzalloc(sizeof(struct mid_dma), GFP_KERNEL);
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 9eddaab..bbdf0cf 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -786,13 +786,13 @@ static void spi_hw_init(struct dw_spi *dws)
+ 	 */
+ 	if (!dws->fifo_len) {
+ 		u32 fifo;
+-		for (fifo = 2; fifo <= 257; fifo++) {
++		for (fifo = 2; fifo <= 256; fifo++) {
+ 			dw_writew(dws, DW_SPI_TXFLTR, fifo);
+ 			if (fifo != dw_readw(dws, DW_SPI_TXFLTR))
+ 				break;
+ 		}
+ 
+-		dws->fifo_len = (fifo == 257) ? 0 : fifo;
++		dws->fifo_len = (fifo == 2) ? 0 : fifo - 1;
+ 		dw_writew(dws, DW_SPI_TXFLTR, 0);
+ 	}
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
+index e612722..f0d1c9c 100644
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -1483,15 +1483,15 @@ static int iscsit_do_tx_data(
+ 	struct iscsi_conn *conn,
+ 	struct iscsi_data_count *count)
+ {
+-	int data = count->data_length, total_tx = 0, tx_loop = 0, iov_len;
++	int ret, iov_len;
+ 	struct kvec *iov_p;
+ 	struct msghdr msg;
+ 
+ 	if (!conn || !conn->sock || !conn->conn_ops)
+ 		return -1;
+ 
+-	if (data <= 0) {
+-		pr_err("Data length is: %d\n", data);
++	if (count->data_length <= 0) {
++		pr_err("Data length is: %d\n", count->data_length);
+ 		return -1;
+ 	}
+ 
+@@ -1500,20 +1500,16 @@ static int iscsit_do_tx_data(
+ 	iov_p = count->iov;
+ 	iov_len = count->iov_count;
+ 
+-	while (total_tx < data) {
+-		tx_loop = kernel_sendmsg(conn->sock, &msg, iov_p, iov_len,
+-					(data - total_tx));
+-		if (tx_loop <= 0) {
+-			pr_debug("tx_loop: %d total_tx %d\n",
+-				tx_loop, total_tx);
+-			return tx_loop;
+-		}
+-		total_tx += tx_loop;
+-		pr_debug("tx_loop: %d, total_tx: %d, data: %d\n",
+-					tx_loop, total_tx, data);
++	ret = kernel_sendmsg(conn->sock, &msg, iov_p, iov_len,
++			     count->data_length);
++	if (ret != count->data_length) {
++		pr_err("Unexpected ret: %d send data %d\n",
++		       ret, count->data_length);
++		return -EPIPE;
+ 	}
++	pr_debug("ret: %d, sent data: %d\n", ret, count->data_length);
+ 
+-	return total_tx;
++	return ret;
+ }
+ 
+ int rx_data(
+diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
+index b31f1c3..626e75b 100644
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -519,11 +519,15 @@ static void s3c24xx_serial_pm(struct uart_port *port, unsigned int level,
+ 			      unsigned int old)
+ {
+ 	struct s3c24xx_uart_port *ourport = to_ourport(port);
++	int timeout = 10000;
+ 
+ 	ourport->pm_level = level;
+ 
+ 	switch (level) {
+ 	case 3:
++		while (--timeout && !s3c24xx_serial_txempty_nofifo(port))
++			udelay(100);
++
+ 		if (!IS_ERR(ourport->baudclk) && ourport->baudclk != NULL)
+ 			clk_disable(ourport->baudclk);
+ 
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 6647081..d38d88e 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1011,10 +1011,11 @@ next_desc:
+ 	} else {
+ 		control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0);
+ 		data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = union_header->bSlaveInterface0));
+-		if (!control_interface || !data_interface) {
+-			dev_dbg(&intf->dev, "no interfaces\n");
+-			return -ENODEV;
+-		}
++	}
++
++	if (!control_interface || !data_interface) {
++		dev_dbg(&intf->dev, "no interfaces\n");
++		return -ENODEV;
+ 	}
+ 
+ 	if (data_interface_num != call_interface_num)
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 1e3e211..0276db3 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -201,6 +201,17 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+ 			if (n == 0)
+ 				n = 9;	/* 32 ms = 2^(9-1) uframes */
+ 			j = 16;
++
++			/*
++			 * Adjust bInterval for quirked devices.
++			 * This quirk fixes bIntervals reported in
++			 * linear microframes.
++			 */
++			if (to_usb_device(ddev)->quirks &
++				USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL) {
++				n = clamp(fls(d->bInterval), i, j);
++				i = j = n;
++			}
+ 			break;
+ 		default:		/* USB_SPEED_FULL or _LOW */
+ 			/* For low-speed, 10 ms is the official minimum.
+diff --git a/drivers/usb/core/otg_whitelist.h b/drivers/usb/core/otg_whitelist.h
+index e8cdce5..2753cec 100644
+--- a/drivers/usb/core/otg_whitelist.h
++++ b/drivers/usb/core/otg_whitelist.h
+@@ -59,6 +59,11 @@ static int is_targeted(struct usb_device *dev)
+ 	     le16_to_cpu(dev->descriptor.idProduct) == 0xbadd))
+ 		return 0;
+ 
++	/* OTG PET device is always targeted (see OTG 2.0 ECN 6.4.2) */
++	if ((le16_to_cpu(dev->descriptor.idVendor) == 0x1a0a &&
++	     le16_to_cpu(dev->descriptor.idProduct) == 0x0200))
++		return 1;
++
+ 	/* NOTE: can't use usb_match_id() since interface caches
+ 	 * aren't set up yet. this is cut/paste from that code.
+ 	 */
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 3dbb18c..ad4540e 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -150,6 +150,10 @@ static const struct usb_device_id usb_quirk_list[] = {
+ 	/* SKYMEDI USB_DRIVE */
+ 	{ USB_DEVICE(0x1516, 0x8628), .driver_info = USB_QUIRK_RESET_RESUME },
+ 
++	/* Razer - Razer Blade Keyboard */
++	{ USB_DEVICE(0x1532, 0x0116), .driver_info =
++			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
++
+ 	/* BUILDWIN Photo Frame */
+ 	{ USB_DEVICE(0x1908, 0x1315), .driver_info =
+ 			USB_QUIRK_HONOR_BNUMINTERFACES },
+@@ -164,6 +168,10 @@ static const struct usb_device_id usb_quirk_list[] = {
+ 	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+ 			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ 
++	/* Protocol and OTG Electrical Test Device */
++	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
++			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
++
+ 	{ }  /* terminating entry must be last */
+ };
+ 
+diff --git a/drivers/usb/gadget/atmel_usba_udc.c b/drivers/usb/gadget/atmel_usba_udc.c
+index b299c32..9ba3114 100644
+--- a/drivers/usb/gadget/atmel_usba_udc.c
++++ b/drivers/usb/gadget/atmel_usba_udc.c
+@@ -739,10 +739,10 @@ static int queue_dma(struct usba_udc *udc, struct usba_ep *ep,
+ 
+ 	req->ctrl = USBA_BF(DMA_BUF_LEN, req->req.length)
+ 			| USBA_DMA_CH_EN | USBA_DMA_END_BUF_IE
+-			| USBA_DMA_END_TR_EN | USBA_DMA_END_TR_IE;
++			| USBA_DMA_END_BUF_EN;
+ 
+-	if (ep->is_in)
+-		req->ctrl |= USBA_DMA_END_BUF_EN;
++	if (!ep->is_in)
++		req->ctrl |= USBA_DMA_END_TR_EN | USBA_DMA_END_TR_IE;
+ 
+ 	/*
+ 	 * Add this request to the queue and submit for DMA if
+@@ -850,7 +850,7 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ {
+ 	struct usba_ep *ep = to_usba_ep(_ep);
+ 	struct usba_udc *udc = ep->udc;
+-	struct usba_request *req = to_usba_req(_req);
++	struct usba_request *req;
+ 	unsigned long flags;
+ 	u32 status;
+ 
+@@ -859,6 +859,16 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ 
+ 	spin_lock_irqsave(&udc->lock, flags);
+ 
++	list_for_each_entry(req, &ep->queue, queue) {
++		if (&req->req == _req)
++			break;
++	}
++
++	if (&req->req != _req) {
++		spin_unlock_irqrestore(&udc->lock, flags);
++		return -EINVAL;
++	}
++
+ 	if (req->using_dma) {
+ 		/*
+ 		 * If this request is currently being transferred,
+@@ -1597,7 +1607,6 @@ static void usba_ep_irq(struct usba_udc *udc, struct usba_ep *ep)
+ 	if ((epstatus & epctrl) & USBA_RX_BK_RDY) {
+ 		DBG(DBG_BUS, "%s: RX data ready\n", ep->ep.name);
+ 		receive_data(ep);
+-		usba_ep_writel(ep, CLR_STA, USBA_RX_BK_RDY);
+ 	}
+ }
+ 
+diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
+index eae35c1..d5cb148 100644
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -470,7 +470,8 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
+ {
+ 	void __iomem *base;
+ 	u32 control;
+-	u32 fminterval;
++	u32 fminterval = 0;
++	bool no_fminterval = false;
+ 	int cnt;
+ 
+ 	if (!mmio_resource_enabled(pdev, 0))
+@@ -480,6 +481,13 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
+ 	if (base == NULL)
+ 		return;
+ 
++	/*
++	 * ULi M5237 OHCI controller locks the whole system when accessing
++	 * the OHCI_FMINTERVAL offset.
++	 */
++	if (pdev->vendor == PCI_VENDOR_ID_AL && pdev->device == 0x5237)
++		no_fminterval = true;
++
+ 	control = readl(base + OHCI_CONTROL);
+ 
+ /* On PA-RISC, PDC can leave IR set incorrectly; ignore it there. */
+@@ -518,7 +526,9 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
+ 	}
+ 
+ 	/* software reset of the controller, preserving HcFmInterval */
+-	fminterval = readl(base + OHCI_FMINTERVAL);
++	if (!no_fminterval)
++		fminterval = readl(base + OHCI_FMINTERVAL);
++
+ 	writel(OHCI_HCR, base + OHCI_CMDSTATUS);
+ 
+ 	/* reset requires max 10 us delay */
+@@ -527,7 +537,9 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
+ 			break;
+ 		udelay(1);
+ 	}
+-	writel(fminterval, base + OHCI_FMINTERVAL);
++
++	if (!no_fminterval)
++		writel(fminterval, base + OHCI_FMINTERVAL);
+ 
+ 	/* Now the controller is safely in SUSPEND and nothing can wake it up */
+ 	iounmap(base);
+diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c
+index db5128b7e..501ab4f 100644
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -865,15 +865,11 @@ static void adu_disconnect(struct usb_interface *interface)
+ 	usb_set_intfdata(interface, NULL);
+ 
+ 	/* if the device is not opened, then we clean up right now */
+-	dbg(2," %s : open count %d", __func__, dev->open_count);
+ 	if (!dev->open_count)
+ 		adu_delete(dev);
+ 
+ 	mutex_unlock(&adutux_mutex);
+ 
+-	dev_info(&interface->dev, "ADU device adutux%d now disconnected\n",
+-		 (minor - ADU_MINOR_BASE));
+-
+ 	dbg(2," %s : leave", __func__);
+ }
+ 
+diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
+index aa0d183..0b1fc07 100644
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -514,6 +514,10 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
+ static int usbhsg_ep_disable(struct usb_ep *ep)
+ {
+ 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
++	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
++
++	if (!pipe)
++		return -EINVAL;
+ 
+ 	return usbhsg_pipe_disable(uep);
+ }
+diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
+index 1ee6b2a..87302dd 100644
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -47,6 +47,8 @@ static struct console usbcons;
+  * ------------------------------------------------------------
+  */
+ 
++static const struct tty_operations usb_console_fake_tty_ops = {
++};
+ 
+ /*
+  * The parsing of the command line works exactly like the
+@@ -141,14 +143,17 @@ static int usb_console_setup(struct console *co, char *options)
+ 				goto reset_open_count;
+ 			}
+ 			kref_init(&tty->kref);
+-			tty_port_tty_set(&port->port, tty);
+ 			tty->driver = usb_serial_tty_driver;
+ 			tty->index = co->index;
++			INIT_LIST_HEAD(&tty->tty_files);
++			kref_get(&tty->driver->kref);
++			tty->ops = &usb_console_fake_tty_ops;
+ 			if (tty_init_termios(tty)) {
+ 				retval = -ENOMEM;
+ 				err("no more memory");
+-				goto free_tty;
++				goto put_tty;
+ 			}
++			tty_port_tty_set(&port->port, tty);
+ 		}
+ 
+ 		/* only call the device specific open if this
+@@ -170,7 +175,7 @@ static int usb_console_setup(struct console *co, char *options)
+ 			serial->type->set_termios(tty, port, &dummy);
+ 
+ 			tty_port_tty_set(&port->port, NULL);
+-			kfree(tty);
++			tty_kref_put(tty);
+ 		}
+ 		set_bit(ASYNCB_INITIALIZED, &port->port.flags);
+ 	}
+@@ -186,8 +191,8 @@ static int usb_console_setup(struct console *co, char *options)
+ 
+  fail:
+ 	tty_port_tty_set(&port->port, NULL);
+- free_tty:
+-	kfree(tty);
++ put_tty:
++	tty_kref_put(tty);
+  reset_open_count:
+ 	port->port.count = 0;
+ 	usb_autopm_put_interface(serial->interface);
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index da92d2d..e795a4c 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -126,10 +126,12 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
+ 	{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
+ 	{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
+-	{ USB_DEVICE(0x10C4, 0x8875) }, /* CEL MeshConnect USB Stick */
++	{ USB_DEVICE(0x10C4, 0x8856) },	/* CEL EM357 ZigBee USB Stick - LR */
++	{ USB_DEVICE(0x10C4, 0x8857) },	/* CEL EM357 ZigBee USB Stick */
+ 	{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ 	{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+ 	{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
++	{ USB_DEVICE(0x10C4, 0x8977) },	/* CEL MeshWorks DevKit Device */
+ 	{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ 	{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+ 	{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index a6c4c7d..0e2c2de 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1956,6 +1956,13 @@ UNUSUAL_DEV(  0x152d, 0x2329, 0x0100, 0x0100,
+ 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ 		US_FL_IGNORE_RESIDUE | US_FL_SANE_SENSE ),
+ 
++/* Reported by Dmitry Nezhevenko <dion@dion.org.ua> */
++UNUSUAL_DEV(  0x152d, 0x2566, 0x0114, 0x0114,
++		"JMicron",
++		"USB to ATA/ATAPI Bridge",
++		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++		US_FL_BROKEN_FUA ),
++
+ /* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI)
+  * and Mac USB Dock USB-SCSI */
+ UNUSUAL_DEV(  0x1645, 0x0007, 0x0100, 0x0133,
+diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
+index c27e153..8a3d51f 100644
+--- a/drivers/video/fb_defio.c
++++ b/drivers/video/fb_defio.c
+@@ -83,9 +83,10 @@ int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasy
+ 	cancel_delayed_work_sync(&info->deferred_work);
+ 
+ 	/* Run it immediately */
+-	err = schedule_delayed_work(&info->deferred_work, 0);
++	schedule_delayed_work(&info->deferred_work, 0);
+ 	mutex_unlock(&inode->i_mutex);
+-	return err;
++
++	return 0;
+ }
+ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
+ 
+diff --git a/drivers/video/logo/logo.c b/drivers/video/logo/logo.c
+index ea7a8cc..4bbe1b0 100644
+--- a/drivers/video/logo/logo.c
++++ b/drivers/video/logo/logo.c
+@@ -25,6 +25,21 @@ static int nologo;
+ module_param(nologo, bool, 0);
+ MODULE_PARM_DESC(nologo, "Disables startup logo");
+ 
++/*
++ * Logos are located in the initdata, and will be freed in kernel_init.
++ * Use late_init to mark the logos as freed to prevent any further use.
++ */
++
++static bool logos_freed;
++
++static int __init fb_logo_late_init(void)
++{
++	logos_freed = true;
++	return 0;
++}
++
++late_initcall(fb_logo_late_init);
++
+ /* logo's are marked __initdata. Use __init_refok to tell
+  * modpost that it is intended that this function uses data
+  * marked __initdata.
+@@ -33,7 +48,7 @@ const struct linux_logo * __init_refok fb_find_logo(int depth)
+ {
+ 	const struct linux_logo *logo = NULL;
+ 
+-	if (nologo)
++	if (nologo || logos_freed)
+ 		return NULL;
+ 
+ 	if (depth >= 1) {
+diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
+index 984c501..cc02a9b 100644
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -9,33 +9,32 @@ static unsigned int dev_index;
+ static ssize_t device_show(struct device *_d,
+ 			   struct device_attribute *attr, char *buf)
+ {
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	return sprintf(buf, "0x%04x\n", dev->id.device);
+ }
+ static ssize_t vendor_show(struct device *_d,
+ 			   struct device_attribute *attr, char *buf)
+ {
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	return sprintf(buf, "0x%04x\n", dev->id.vendor);
+ }
+ static ssize_t status_show(struct device *_d,
+ 			   struct device_attribute *attr, char *buf)
+ {
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	return sprintf(buf, "0x%08x\n", dev->config->get_status(dev));
+ }
+ static ssize_t modalias_show(struct device *_d,
+ 			     struct device_attribute *attr, char *buf)
+ {
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
+-
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	return sprintf(buf, "virtio:d%08Xv%08X\n",
+ 		       dev->id.device, dev->id.vendor);
+ }
+ static ssize_t features_show(struct device *_d,
+ 			     struct device_attribute *attr, char *buf)
+ {
+-	struct virtio_device *dev = container_of(_d, struct virtio_device, dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	unsigned int i;
+ 	ssize_t len = 0;
+ 
+@@ -70,7 +69,7 @@ static inline int virtio_id_match(const struct virtio_device *dev,
+ static int virtio_dev_match(struct device *_dv, struct device_driver *_dr)
+ {
+ 	unsigned int i;
+-	struct virtio_device *dev = container_of(_dv,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_dv);
+ 	const struct virtio_device_id *ids;
+ 
+ 	ids = container_of(_dr, struct virtio_driver, driver)->id_table;
+@@ -82,7 +81,7 @@ static int virtio_dev_match(struct device *_dv, struct device_driver *_dr)
+ 
+ static int virtio_uevent(struct device *_dv, struct kobj_uevent_env *env)
+ {
+-	struct virtio_device *dev = container_of(_dv,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_dv);
+ 
+ 	return add_uevent_var(env, "MODALIAS=virtio:d%08Xv%08X",
+ 			      dev->id.device, dev->id.vendor);
+@@ -110,7 +109,7 @@ EXPORT_SYMBOL_GPL(virtio_check_driver_offered_feature);
+ static int virtio_dev_probe(struct device *_d)
+ {
+ 	int err, i;
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	struct virtio_driver *drv = container_of(dev->dev.driver,
+ 						 struct virtio_driver, driver);
+ 	u32 device_features;
+@@ -148,7 +147,7 @@ static int virtio_dev_probe(struct device *_d)
+ 
+ static int virtio_dev_remove(struct device *_d)
+ {
+-	struct virtio_device *dev = container_of(_d,struct virtio_device,dev);
++	struct virtio_device *dev = dev_to_virtio(_d);
+ 	struct virtio_driver *drv = container_of(dev->dev.driver,
+ 						 struct virtio_driver, driver);
+ 
+diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c
+index 03d1984..13f6cd8 100644
+--- a/drivers/virtio/virtio_pci.c
++++ b/drivers/virtio/virtio_pci.c
+@@ -612,11 +612,13 @@ static struct virtio_config_ops virtio_pci_config_ops = {
+ 
+ static void virtio_pci_release_dev(struct device *_d)
+ {
+-	/*
+-	 * No need for a release method as we allocate/free
+-	 * all devices together with the pci devices.
+-	 * Provide an empty one to avoid getting a warning from core.
+-	 */
++	struct virtio_device *vdev = dev_to_virtio(_d);
++	struct virtio_pci_device *vp_dev = to_vp_device(vdev);
++
++	/* As struct device is a kobject, it's not safe to
++	 * free the memory (including the reference counter itself)
++	 * until it's release callback. */
++	kfree(vp_dev);
+ }
+ 
+ /* the PCI probing function */
+@@ -704,7 +706,6 @@ static void __devexit virtio_pci_remove(struct pci_dev *pci_dev)
+ 	pci_iounmap(pci_dev, vp_dev->ioaddr);
+ 	pci_release_regions(pci_dev);
+ 	pci_disable_device(pci_dev);
+-	kfree(vp_dev);
+ }
+ 
+ #ifdef CONFIG_PM
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index cfdf6fe..b8fc473 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3481,12 +3481,6 @@ static int btrfs_destroy_pinned_extent(struct btrfs_root *root,
+ 		if (ret)
+ 			break;
+ 
+-		/* opt_discard */
+-		if (btrfs_test_opt(root, DISCARD))
+-			ret = btrfs_error_discard_extent(root, start,
+-							 end + 1 - start,
+-							 NULL);
+-
+ 		clear_extent_dirty(unpin, start, end, GFP_NOFS);
+ 		btrfs_error_unpin_extent_range(root, start, end);
+ 		cond_resched();
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index f63719a..a694317 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4611,7 +4611,8 @@ int btrfs_prepare_extent_commit(struct btrfs_trans_handle *trans,
+ 	return 0;
+ }
+ 
+-static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
++static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end,
++			      const bool return_free_space)
+ {
+ 	struct btrfs_fs_info *fs_info = root->fs_info;
+ 	struct btrfs_block_group_cache *cache = NULL;
+@@ -4631,7 +4632,8 @@ static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
+ 
+ 		if (start < cache->last_byte_to_unpin) {
+ 			len = min(len, cache->last_byte_to_unpin - start);
+-			btrfs_add_free_space(cache, start, len);
++			if (return_free_space)
++				btrfs_add_free_space(cache, start, len);
+ 		}
+ 
+ 		start += len;
+@@ -4676,7 +4678,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans,
+ 						   end + 1 - start, NULL);
+ 
+ 		clear_extent_dirty(unpin, start, end, GFP_NOFS);
+-		unpin_extent_range(root, start, end);
++		unpin_extent_range(root, start, end, true);
+ 		cond_resched();
+ 	}
+ 
+@@ -7650,7 +7652,7 @@ out:
+ 
+ int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
+ {
+-	return unpin_extent_range(root, start, end);
++	return unpin_extent_range(root, start, end, false);
+ }
+ 
+ int btrfs_error_discard_extent(struct btrfs_root *root, u64 bytenr,
+diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
+index e5206fc..d5df940 100644
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -288,6 +288,9 @@ static int cmpu64_rev(const void *a, const void *b)
+ 	return 0;
+ }
+ 
++
++static struct ceph_snap_context *empty_snapc;
++
+ /*
+  * build the snap context for a given realm.
+  */
+@@ -329,6 +332,12 @@ static int build_snap_context(struct ceph_snap_realm *realm)
+ 		return 0;
+ 	}
+ 
++	if (num == 0 && realm->seq == empty_snapc->seq) {
++		ceph_get_snap_context(empty_snapc);
++		snapc = empty_snapc;
++		goto done;
++	}
++
+ 	/* alloc new snap context */
+ 	err = -ENOMEM;
+ 	if (num > (SIZE_MAX - sizeof(*snapc)) / sizeof(u64))
+@@ -364,6 +373,7 @@ static int build_snap_context(struct ceph_snap_realm *realm)
+ 	dout("build_snap_context %llx %p: %p seq %lld (%d snaps)\n",
+ 	     realm->ino, realm, snapc, snapc->seq, snapc->num_snaps);
+ 
++done:
+ 	if (realm->cached_context)
+ 		ceph_put_snap_context(realm->cached_context);
+ 	realm->cached_context = snapc;
+@@ -465,6 +475,9 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
+ 		   cap_snap.  lucky us. */
+ 		dout("queue_cap_snap %p already pending\n", inode);
+ 		kfree(capsnap);
++	} else if (ci->i_snap_realm->cached_context == empty_snapc) {
++		dout("queue_cap_snap %p empty snapc\n", inode);
++		kfree(capsnap);
+ 	} else if (dirty & (CEPH_CAP_AUTH_EXCL|CEPH_CAP_XATTR_EXCL|
+ 			    CEPH_CAP_FILE_EXCL|CEPH_CAP_FILE_WR)) {
+ 		struct ceph_snap_context *snapc = ci->i_head_snapc;
+@@ -927,5 +940,17 @@ out:
+ 	return;
+ }
+ 
++int __init ceph_snap_init(void)
++{
++	empty_snapc = kzalloc(sizeof(struct ceph_snap_context), GFP_NOFS);
++	if (!empty_snapc)
++		return -ENOMEM;
++	atomic_set(&empty_snapc->nref, 1);
++	empty_snapc->seq = 1;
++	return 0;
++}
+ 
+-
++void ceph_snap_exit(void)
++{
++	ceph_put_snap_context(empty_snapc);
++}
+diff --git a/fs/ceph/super.c b/fs/ceph/super.c
+index de268a8..3c981db 100644
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -911,14 +911,20 @@ static int __init init_ceph(void)
+ 	if (ret)
+ 		goto out;
+ 
+-	ret = register_filesystem(&ceph_fs_type);
++	ret = ceph_snap_init();
+ 	if (ret)
+ 		goto out_icache;
+ 
++	ret = register_filesystem(&ceph_fs_type);
++	if (ret)
++		goto out_snap;
++
+ 	pr_info("loaded (mds proto %d)\n", CEPH_MDSC_PROTOCOL);
+ 
+ 	return 0;
+ 
++out_snap:
++	ceph_snap_exit();
+ out_icache:
+ 	destroy_caches();
+ out:
+@@ -929,6 +935,7 @@ static void __exit exit_ceph(void)
+ {
+ 	dout("exit_ceph\n");
+ 	unregister_filesystem(&ceph_fs_type);
++	ceph_snap_exit();
+ 	destroy_caches();
+ }
+ 
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index a097817..242df58 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -677,6 +677,8 @@ extern void ceph_queue_cap_snap(struct ceph_inode_info *ci);
+ extern int __ceph_finish_cap_snap(struct ceph_inode_info *ci,
+ 				  struct ceph_cap_snap *capsnap);
+ extern void ceph_cleanup_empty_realms(struct ceph_mds_client *mdsc);
++extern int ceph_snap_init(void);
++extern void ceph_snap_exit(void);
+ 
+ /*
+  * a cap_snap is "pending" if it is still awaiting an in-progress
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 3f65742..8bc98af 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1035,7 +1035,7 @@ ascend:
+ 	return 0; /* No mount points found in tree */
+ positive:
+ 	if (!locked && read_seqretry(&rename_lock, seq))
+-		goto rename_retry;
++		goto rename_retry_unlocked;
+ 	if (locked)
+ 		write_sequnlock(&rename_lock);
+ 	return 1;
+@@ -1045,6 +1045,7 @@ rename_retry:
+ 	rcu_read_unlock();
+ 	if (locked)
+ 		goto again;
++rename_retry_unlocked:
+ 	locked = 1;
+ 	write_seqlock(&rename_lock);
+ 	goto again;
+@@ -1109,6 +1110,7 @@ resume:
+ 		 */
+ 		if (found && need_resched()) {
+ 			spin_unlock(&dentry->d_lock);
++			rcu_read_lock();
+ 			goto out;
+ 		}
+ 
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 68b19ab..dceedec 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+ 			break;
+ 		case 2:
+ 			dst[dst_byte_offset++] |= (src_byte);
+-			dst[dst_byte_offset] = 0;
+ 			current_bit_offset = 0;
+ 			break;
+ 		}
+diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
+index 841f24f..80fc876 100644
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -196,24 +196,12 @@ static int ecryptfs_open(struct inode *inode, struct file *file)
+ {
+ 	int rc = 0;
+ 	struct ecryptfs_crypt_stat *crypt_stat = NULL;
+-	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
+ 	struct dentry *ecryptfs_dentry = file->f_path.dentry;
+ 	/* Private value of ecryptfs_dentry allocated in
+ 	 * ecryptfs_lookup() */
+ 	struct dentry *lower_dentry;
+ 	struct ecryptfs_file_info *file_info;
+ 
+-	mount_crypt_stat = &ecryptfs_superblock_to_private(
+-		ecryptfs_dentry->d_sb)->mount_crypt_stat;
+-	if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+-	    && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR)
+-		|| (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC)
+-		|| (file->f_flags & O_APPEND))) {
+-		printk(KERN_WARNING "Mount has encrypted view enabled; "
+-		       "files may only be read\n");
+-		rc = -EPERM;
+-		goto out;
+-	}
+ 	/* Released in ecryptfs_release or end of function if failure */
+ 	file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL);
+ 	ecryptfs_set_file_private(file, file_info);
+diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
+index 94afdfd..62b8ddc 100644
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -494,6 +494,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
+ {
+ 	struct super_block *s;
+ 	struct ecryptfs_sb_info *sbi;
++	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
+ 	struct ecryptfs_dentry_info *root_info;
+ 	const char *err = "Getting sb failed";
+ 	struct inode *inode;
+@@ -512,6 +513,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
+ 		err = "Error parsing options";
+ 		goto out;
+ 	}
++	mount_crypt_stat = &sbi->mount_crypt_stat;
+ 
+ 	s = sget(fs_type, NULL, set_anon_super, NULL);
+ 	if (IS_ERR(s)) {
+@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
+ 
+ 	/**
+ 	 * Set the POSIX ACL flag based on whether they're enabled in the lower
+-	 * mount. Force a read-only eCryptfs mount if the lower mount is ro.
+-	 * Allow a ro eCryptfs mount even when the lower mount is rw.
++	 * mount.
+ 	 */
+ 	s->s_flags = flags & ~MS_POSIXACL;
+-	s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL);
++	s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL;
++
++	/**
++	 * Force a read-only eCryptfs mount when:
++	 *   1) The lower mount is ro
++	 *   2) The ecryptfs_encrypted_view mount option is specified
++	 */
++	if (path.dentry->d_sb->s_flags & MS_RDONLY ||
++	    mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
++		s->s_flags |= MS_RDONLY;
+ 
+ 	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ 	s->s_blocksize = path.dentry->d_sb->s_blocksize;
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 13bfa07..7286eb4 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -396,7 +396,6 @@ writeback_single_inode(struct inode *inode, struct bdi_writeback *wb,
+ 
+ 	/* Set I_SYNC, reset I_DIRTY_PAGES */
+ 	inode->i_state |= I_SYNC;
+-	inode->i_state &= ~I_DIRTY_PAGES;
+ 	spin_unlock(&inode->i_lock);
+ 	spin_unlock(&wb->list_lock);
+ 
+@@ -419,9 +418,28 @@ writeback_single_inode(struct inode *inode, struct bdi_writeback *wb,
+ 	 * write_inode()
+ 	 */
+ 	spin_lock(&inode->i_lock);
++
+ 	dirty = inode->i_state & I_DIRTY;
+-	inode->i_state &= ~(I_DIRTY_SYNC | I_DIRTY_DATASYNC);
++	inode->i_state &= ~I_DIRTY;
++
++	/*
++	 * Paired with smp_mb() in __mark_inode_dirty().  This allows
++	 * __mark_inode_dirty() to test i_state without grabbing i_lock -
++	 * either they see the I_DIRTY bits cleared or we see the dirtied
++	 * inode.
++	 *
++	 * I_DIRTY_PAGES is always cleared together above even if @mapping
++	 * still has dirty pages.  The flag is reinstated after smp_mb() if
++	 * necessary.  This guarantees that either __mark_inode_dirty()
++	 * sees clear I_DIRTY_PAGES or we see PAGECACHE_TAG_DIRTY.
++	 */
++	smp_mb();
++
++	if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY))
++		inode->i_state |= I_DIRTY_PAGES;
++
+ 	spin_unlock(&inode->i_lock);
++
+ 	/* Don't write the inode if only I_DIRTY_PAGES was set */
+ 	if (dirty & (I_DIRTY_SYNC | I_DIRTY_DATASYNC)) {
+ 		int err = write_inode(inode, wbc);
+@@ -447,7 +465,6 @@ writeback_single_inode(struct inode *inode, struct bdi_writeback *wb,
+ 			 * We didn't write back all the pages.  nfs_writepages()
+ 			 * sometimes bales out without doing anything.
+ 			 */
+-			inode->i_state |= I_DIRTY_PAGES;
+ 			if (wbc->nr_to_write <= 0) {
+ 				/*
+ 				 * slice used up: queue for next turn
+@@ -1064,12 +1081,11 @@ void __mark_inode_dirty(struct inode *inode, int flags)
+ 	}
+ 
+ 	/*
+-	 * make sure that changes are seen by all cpus before we test i_state
+-	 * -- mikulas
++	 * Paired with smp_mb() in __writeback_single_inode() for the
++	 * following lockless i_state test.  See there for details.
+ 	 */
+ 	smp_mb();
+ 
+-	/* avoid the locking if we can */
+ 	if ((inode->i_state & flags) == flags)
+ 		return;
+ 
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index ee62cc0..1780949 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ 	int cont_size;
+ 	int cont_extent;
+ 	int cont_offset;
++	int cont_loops;
+ 	struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ 	rs->inode = inode;
+ }
+ 
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ 			goto out;
+ 		}
+ 		ret = -EIO;
++		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++			goto out;
+ 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ 		if (bh) {
+ 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+@@ -356,6 +362,9 @@ repeat:
+ 			rs.cont_size = isonum_733(rr->u.CE.size);
+ 			break;
+ 		case SIG('E', 'R'):
++			/* Invalid length of ER tag id? */
++			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++				goto out;
+ 			ISOFS_SB(inode->i_sb)->s_rock = 1;
+ 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ 			{
+diff --git a/fs/namei.c b/fs/namei.c
+index dea2dab..c8b13a9 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1567,6 +1567,7 @@ static int path_init(int dfd, const char *name, unsigned int flags,
+ 	if (!(nd->flags & LOOKUP_ROOT))
+ 		nd->root.mnt = NULL;
+ 	rcu_read_unlock();
++	br_read_unlock(vfsmount_lock);
+ 	return -ECHILD;
+ 
+ fput_fail:
+diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c
+index 790e92a..ea6f706 100644
+--- a/fs/ncpfs/ioctl.c
++++ b/fs/ncpfs/ioctl.c
+@@ -445,7 +445,6 @@ static long __ncp_ioctl(struct inode *inode, unsigned int cmd, unsigned long arg
+ 						result = -EIO;
+ 					}
+ 				}
+-				result = 0;
+ 			}
+ 			mutex_unlock(&server->root_setup_lock);
+ 
+diff --git a/fs/notify/inode_mark.c b/fs/notify/inode_mark.c
+index b13c00a..df6dacc 100644
+--- a/fs/notify/inode_mark.c
++++ b/fs/notify/inode_mark.c
+@@ -282,20 +282,25 @@ void fsnotify_unmount_inodes(struct list_head *list)
+ 		spin_unlock(&inode->i_lock);
+ 
+ 		/* In case the dropping of a reference would nuke next_i. */
+-		if ((&next_i->i_sb_list != list) &&
+-		    atomic_read(&next_i->i_count)) {
++		while (&next_i->i_sb_list != list) {
+ 			spin_lock(&next_i->i_lock);
+-			if (!(next_i->i_state & (I_FREEING | I_WILL_FREE))) {
++			if (!(next_i->i_state & (I_FREEING | I_WILL_FREE)) &&
++						atomic_read(&next_i->i_count)) {
+ 				__iget(next_i);
+ 				need_iput = next_i;
++				spin_unlock(&next_i->i_lock);
++				break;
+ 			}
+ 			spin_unlock(&next_i->i_lock);
++			next_i = list_entry(next_i->i_sb_list.next,
++						struct inode, i_sb_list);
+ 		}
+ 
+ 		/*
+-		 * We can safely drop inode_sb_list_lock here because we hold
+-		 * references on both inode and next_i.  Also no new inodes
+-		 * will be added since the umount has begun.
++		 * We can safely drop inode_sb_list_lock here because either
++		 * we actually hold references on both inode and next_i or
++		 * end of list.  Also no new inodes will be added since the
++		 * umount has begun.
+ 		 */
+ 		spin_unlock(&inode_sb_list_lock);
+ 
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 4402b18..16653b2 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -917,7 +917,7 @@ void ocfs2_unlock_and_free_pages(struct page **pages, int num_pages)
+ 	}
+ }
+ 
+-static void ocfs2_free_write_ctxt(struct ocfs2_write_ctxt *wc)
++static void ocfs2_unlock_pages(struct ocfs2_write_ctxt *wc)
+ {
+ 	int i;
+ 
+@@ -938,7 +938,11 @@ static void ocfs2_free_write_ctxt(struct ocfs2_write_ctxt *wc)
+ 		page_cache_release(wc->w_target_page);
+ 	}
+ 	ocfs2_unlock_and_free_pages(wc->w_pages, wc->w_num_pages);
++}
+ 
++static void ocfs2_free_write_ctxt(struct ocfs2_write_ctxt *wc)
++{
++	ocfs2_unlock_pages(wc);
+ 	brelse(wc->w_di_bh);
+ 	kfree(wc);
+ }
+@@ -2059,11 +2063,19 @@ out_write_size:
+ 	di->i_mtime_nsec = di->i_ctime_nsec = cpu_to_le32(inode->i_mtime.tv_nsec);
+ 	ocfs2_journal_dirty(handle, wc->w_di_bh);
+ 
++	/* unlock pages before dealloc since it needs acquiring j_trans_barrier
++	 * lock, or it will cause a deadlock since journal commit threads holds
++	 * this lock and will ask for the page lock when flushing the data.
++	 * put it here to preserve the unlock order.
++	 */
++	ocfs2_unlock_pages(wc);
++
+ 	ocfs2_commit_trans(osb, handle);
+ 
+ 	ocfs2_run_deallocs(osb, &wc->w_dealloc);
+ 
+-	ocfs2_free_write_ctxt(wc);
++	brelse(wc->w_di_bh);
++	kfree(wc);
+ 
+ 	return copied;
+ }
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index d20d64c..0de24a2 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 
+@@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
+ 			out->f_path.dentry->d_name.len,
+ 			out->f_path.dentry->d_name.name, len);
+ 
++	ret = generic_write_checks(out, ppos, &len, 0);
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	if (pipe->inode)
+ 		mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
+ 
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 4c9a859..81a48d1 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -141,7 +141,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 
+ 	/* sum again ? it could be updated? */
+ 	for_each_irq_nr(j)
+-		seq_printf(p, " %u", kstat_irqs(j));
++		seq_printf(p, " %u", kstat_irqs_usr(j));
+ 
+ 	seq_printf(p,
+ 		"\nctxt %llu\n"
+diff --git a/fs/splice.c b/fs/splice.c
+index 714471d..34c2b2b 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+ 	struct address_space *mapping = out->f_mapping;
+ 	struct inode *inode = mapping->host;
+ 	struct splice_desc sd = {
+-		.total_len = len,
+ 		.flags = flags,
+-		.pos = *ppos,
+ 		.u.file = out,
+ 	};
+ 	ssize_t ret;
+ 
++	ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++	if (ret)
++		return ret;
++	sd.total_len = len;
++	sd.pos = *ppos;
++
+ 	pipe_lock(pipe);
+ 
+ 	splice_from_pipe_begin(&sd);
+diff --git a/fs/udf/dir.c b/fs/udf/dir.c
+index eb8bfe2..56341af 100644
+--- a/fs/udf/dir.c
++++ b/fs/udf/dir.c
+@@ -163,7 +163,8 @@ static int do_udf_readdir(struct inode *dir, struct file *filp,
+ 			struct kernel_lb_addr tloc = lelb_to_cpu(cfi.icb.extLocation);
+ 
+ 			iblock = udf_get_lb_pblock(dir->i_sb, &tloc, 0);
+-			flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++			flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++						UDF_NAME_LEN);
+ 			dt_type = DT_UNKNOWN;
+ 		}
+ 
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index a0f6ded..2a706bb 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1403,6 +1403,24 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 							iinfo->i_lenEAttr;
+ 	}
+ 
++	/* Sanity checks for files in ICB so that we don't get confused later */
++	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++		/*
++		 * For file in ICB data is stored in allocation descriptor
++		 * so sizes should match
++		 */
++		if (iinfo->i_lenAlloc != inode->i_size) {
++			make_bad_inode(inode);
++			return;
++		}
++		/* File in ICB has to fit in there... */
++		if (inode->i_size > inode->i_sb->s_blocksize -
++					udf_file_entry_alloc_offset(inode)) {
++			make_bad_inode(inode);
++			return;
++		}
++	}
++
+ 	switch (fe->icbTag.fileType) {
+ 	case ICBTAG_FILE_TYPE_DIRECTORY:
+ 		inode->i_op = &udf_dir_inode_operations;
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 71c97fb..483d662 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -235,7 +235,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
+ 		if (!lfi)
+ 			continue;
+ 
+-		flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++					UDF_NAME_LEN);
+ 		if (flen && udf_match(flen, fname, child->len, child->name))
+ 			goto out_ok;
+ 	}
+diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
+index b1d4488..0422b7b 100644
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -30,43 +30,73 @@
+ #include <linux/buffer_head.h>
+ #include "udf_i.h"
+ 
+-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
+-			   int fromlen, unsigned char *to)
++static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
++			  int fromlen, unsigned char *to, int tolen)
+ {
+ 	struct pathComponent *pc;
+ 	int elen = 0;
++	int comp_len;
+ 	unsigned char *p = to;
+ 
++	/* Reserve one byte for terminating \0 */
++	tolen--;
+ 	while (elen < fromlen) {
+ 		pc = (struct pathComponent *)(from + elen);
++		elen += sizeof(struct pathComponent);
+ 		switch (pc->componentType) {
+ 		case 1:
+-			if (pc->lengthComponentIdent == 0) {
+-				p = to;
+-				*p++ = '/';
++			/*
++			 * Symlink points to some place which should be agreed
++ 			 * upon between originator and receiver of the media. Ignore.
++			 */
++			if (pc->lengthComponentIdent > 0) {
++				elen += pc->lengthComponentIdent;
++				break;
+ 			}
++			/* Fall through */
++		case 2:
++			if (tolen == 0)
++				return -ENAMETOOLONG;
++			p = to;
++			*p++ = '/';
++			tolen--;
+ 			break;
+ 		case 3:
++			if (tolen < 3)
++				return -ENAMETOOLONG;
+ 			memcpy(p, "../", 3);
+ 			p += 3;
++			tolen -= 3;
+ 			break;
+ 		case 4:
++			if (tolen < 2)
++				return -ENAMETOOLONG;
+ 			memcpy(p, "./", 2);
+ 			p += 2;
++			tolen -= 2;
+ 			/* that would be . - just ignore */
+ 			break;
+ 		case 5:
+-			p += udf_get_filename(sb, pc->componentIdent, p,
+-					      pc->lengthComponentIdent);
++			elen += pc->lengthComponentIdent;
++			if (elen > fromlen)
++				return -EIO;
++			comp_len = udf_get_filename(sb, pc->componentIdent,
++						    pc->lengthComponentIdent,
++						    p, tolen);
++			p += comp_len;
++			tolen -= comp_len;
++			if (tolen == 0)
++				return -ENAMETOOLONG;
+ 			*p++ = '/';
++			tolen--;
+ 			break;
+ 		}
+-		elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+ 	}
+ 	if (p > to + 1)
+ 		p[-1] = '\0';
+ 	else
+ 		p[0] = '\0';
++	return 0;
+ }
+ 
+ static int udf_symlink_filler(struct file *file, struct page *page)
+@@ -74,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ 	struct inode *inode = page->mapping->host;
+ 	struct buffer_head *bh = NULL;
+ 	unsigned char *symlink;
+-	int err = -EIO;
++	int err;
+ 	unsigned char *p = kmap(page);
+ 	struct udf_inode_info *iinfo;
+ 	uint32_t pos;
+ 
++	/* We don't support symlinks longer than one block */
++	if (inode->i_size > inode->i_sb->s_blocksize) {
++		err = -ENAMETOOLONG;
++		goto out_unmap;
++	}
++
+ 	iinfo = UDF_I(inode);
+ 	pos = udf_block_map(inode, 0);
+ 
+@@ -88,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ 	} else {
+ 		bh = sb_bread(inode->i_sb, pos);
+ 
+-		if (!bh)
+-			goto out;
++		if (!bh) {
++			err = -EIO;
++			goto out_unlock_inode;
++		}
+ 
+ 		symlink = bh->b_data;
+ 	}
+ 
+-	udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
++	err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
+ 	brelse(bh);
++	if (err)
++		goto out_unlock_inode;
+ 
+ 	up_read(&iinfo->i_data_sem);
+ 	SetPageUptodate(page);
+@@ -103,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ 	unlock_page(page);
+ 	return 0;
+ 
+-out:
++out_unlock_inode:
+ 	up_read(&iinfo->i_data_sem);
+ 	SetPageError(page);
++out_unmap:
+ 	kunmap(page);
+ 	unlock_page(page);
+ 	return err;
+diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
+index f34e6fc..8775ab23 100644
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -207,7 +207,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
+ }
+ 
+ /* unicode.c */
+-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
++			    int);
+ extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
+ 			    int);
+ extern int udf_build_ustr(struct ustr *, dstring *, int);
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index 44b815e..d29c06f 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,7 +28,8 @@
+ 
+ #include "udf_sb.h"
+ 
+-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
++				  int);
+ 
+ static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
+ {
+@@ -333,8 +334,8 @@ try_again:
+ 	return u_len + 1;
+ }
+ 
+-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+-		     int flen)
++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
++		     uint8_t *dname, int dlen)
+ {
+ 	struct ustr *filename, *unifilename;
+ 	int len = 0;
+@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ 	if (!unifilename)
+ 		goto out1;
+ 
+-	if (udf_build_ustr_exact(unifilename, sname, flen))
++	if (udf_build_ustr_exact(unifilename, sname, slen))
+ 		goto out2;
+ 
+ 	if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
+@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ 	} else
+ 		goto out2;
+ 
+-	len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
++	len = udf_translate_to_linux(dname, dlen,
++				     filename->u_name, filename->u_len,
+ 				     unifilename->u_name, unifilename->u_len);
+ out2:
+ 	kfree(unifilename);
+@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
+ #define EXT_MARK		'.'
+ #define CRC_MARK		'#'
+ #define EXT_SIZE 		5
++/* Number of chars we need to store generated CRC to make filename unique */
++#define CRC_LEN			5
+ 
+-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+-				  int udfLen, uint8_t *fidName,
+-				  int fidNameLen)
++static int udf_translate_to_linux(uint8_t *newName, int newLen,
++				  uint8_t *udfName, int udfLen,
++				  uint8_t *fidName, int fidNameLen)
+ {
+ 	int index, newIndex = 0, needsCRC = 0;
+ 	int extIndex = 0, newExtIndex = 0, hasExt = 0;
+@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ 					newExtIndex = newIndex;
+ 				}
+ 			}
+-			if (newIndex < 256)
++			if (newIndex < newLen)
+ 				newName[newIndex++] = curr;
+ 			else
+ 				needsCRC = 1;
+@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ 				}
+ 				ext[localExtIndex++] = curr;
+ 			}
+-			maxFilenameLen = 250 - localExtIndex;
++			maxFilenameLen = newLen - CRC_LEN - localExtIndex;
+ 			if (newIndex > maxFilenameLen)
+ 				newIndex = maxFilenameLen;
+ 			else
+ 				newIndex = newExtIndex;
+-		} else if (newIndex > 250)
+-			newIndex = 250;
++		} else if (newIndex > newLen - CRC_LEN)
++			newIndex = newLen - CRC_LEN;
+ 		newName[newIndex++] = CRC_MARK;
+ 		valueCRC = crc_itu_t(0, fidName, fidNameLen);
+ 		newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12];
+diff --git a/include/linux/crypto.h b/include/linux/crypto.h
+index 8a94217..ca01ea8 100644
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -25,6 +25,19 @@
+ #include <linux/uaccess.h>
+ 
+ /*
++ * Autoloaded crypto modules should only use a prefixed name to avoid allowing
++ * arbitrary modules to be loaded. Loading from userspace may still need the
++ * unprefixed names, so retains those aliases as well.
++ * This uses __MODULE_INFO directly instead of MODULE_ALIAS because pre-4.3
++ * gcc (e.g. avr32 toolchain) uses __LINE__ for uniqueness, and this macro
++ * expands twice on the same line. Instead, use a separate base name for the
++ * alias.
++ */
++#define MODULE_ALIAS_CRYPTO(name)	\
++		__MODULE_INFO(alias, alias_userspace, name);	\
++		__MODULE_INFO(alias, alias_crypto, "crypto-" name)
++
++/*
+  * Algorithm masks and types.
+  */
+ #define CRYPTO_ALG_TYPE_MASK		0x0000000f
+diff --git a/include/linux/device.h b/include/linux/device.h
+index 3136ede..a31c5d0 100644
+--- a/include/linux/device.h
++++ b/include/linux/device.h
+@@ -767,6 +767,11 @@ extern __printf(5, 6)
+ struct device *device_create(struct class *cls, struct device *parent,
+ 			     dev_t devt, void *drvdata,
+ 			     const char *fmt, ...);
++extern __printf(6, 7)
++struct device *device_create_with_groups(struct class *cls,
++			     struct device *parent, dev_t devt, void *drvdata,
++			     const struct attribute_group **groups,
++			     const char *fmt, ...);
+ extern void device_destroy(struct class *cls, dev_t devt);
+ 
+ /*
+diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h
+index 0cce2db..3256aee 100644
+--- a/include/linux/kernel_stat.h
++++ b/include/linux/kernel_stat.h
+@@ -96,8 +96,13 @@ static inline unsigned int kstat_irqs(unsigned int irq)
+ 
+ 	return sum;
+ }
++static inline unsigned int kstat_irqs_usr(unsigned int irq)
++{
++	return kstat_irqs(irq);
++}
+ #else
+ extern unsigned int kstat_irqs(unsigned int irq);
++extern unsigned int kstat_irqs_usr(unsigned int irq);
+ #endif
+ 
+ /*
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index d773b21..42ac6ad 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -207,6 +207,7 @@ enum {
+ 	ATA_FLAG_SW_ACTIVITY	= (1 << 22), /* driver supports sw activity
+ 					      * led */
+ 	ATA_FLAG_NO_DIPM	= (1 << 23), /* host not happy with DIPM */
++	ATA_FLAG_LOWTAG		= (1 << 24), /* host wants lowest available tag */
+ 
+ 	/* bits 24:31 of ap->flags are reserved for LLD specific flags */
+ 
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 7f40120..e5ee683 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -840,6 +840,7 @@ static inline int page_mapped(struct page *page)
+ #define VM_FAULT_WRITE	0x0008	/* Special case for get_user_pages */
+ #define VM_FAULT_HWPOISON 0x0010	/* Hit poisoned small page */
+ #define VM_FAULT_HWPOISON_LARGE 0x0020  /* Hit poisoned large page. Index encoded in upper bits */
++#define VM_FAULT_SIGSEGV 0x0040
+ 
+ #define VM_FAULT_NOPAGE	0x0100	/* ->fault installed the pte, not return page */
+ #define VM_FAULT_LOCKED	0x0200	/* ->fault locked the returned page */
+@@ -847,8 +848,8 @@ static inline int page_mapped(struct page *page)
+ 
+ #define VM_FAULT_HWPOISON_LARGE_MASK 0xf000 /* encodes hpage index for large hwpoison */
+ 
+-#define VM_FAULT_ERROR	(VM_FAULT_OOM | VM_FAULT_SIGBUS | VM_FAULT_HWPOISON | \
+-			 VM_FAULT_HWPOISON_LARGE)
++#define VM_FAULT_ERROR	(VM_FAULT_OOM | VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV | \
++			 VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)
+ 
+ /* Encode hstate index for a hwpoisoned large page */
+ #define VM_FAULT_SET_HINDEX(x) ((x) << 12)
+@@ -1470,7 +1471,7 @@ extern int expand_downwards(struct vm_area_struct *vma,
+ #if VM_GROWSUP
+ extern int expand_upwards(struct vm_area_struct *vma, unsigned long address);
+ #else
+-  #define expand_upwards(vma, address) do { } while (0)
++  #define expand_upwards(vma, address) (0)
+ #endif
+ 
+ /* Look up the first VMA which satisfies  addr < vm_end,  NULL if none. */
+diff --git a/include/linux/rmap.h b/include/linux/rmap.h
+index 2148b12..b0df05a 100644
+--- a/include/linux/rmap.h
++++ b/include/linux/rmap.h
+@@ -37,6 +37,16 @@ struct anon_vma {
+ 	atomic_t refcount;
+ 
+ 	/*
++	 * Count of child anon_vmas and VMAs which points to this anon_vma.
++	 *
++	 * This counter is used for making decision about reusing anon_vma
++	 * instead of forking new one. See comments in function anon_vma_clone.
++	 */
++	unsigned degree;
++
++	struct anon_vma *parent;	/* Parent of this anon_vma */
++
++	/*
+ 	 * NOTE: the LSB of the head.next is set by
+ 	 * mm_take_all_locks() _after_ taking the above lock. So the
+ 	 * head must only be read/written after taking the above lock
+diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
+index dac0859..2b9cd8d 100644
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -80,6 +80,15 @@ struct attribute_group {
+ 
+ #define __ATTR_NULL { .attr = { .name = NULL } }
+ 
++#define ATTRIBUTE_GROUPS(name)					\
++static const struct attribute_group name##_group = {		\
++	.attrs = name##_attrs,					\
++};								\
++static const struct attribute_group *name##_groups[] = {	\
++	&name##_group,						\
++	NULL,							\
++}
++
+ #define attr_name(_attr) (_attr).attr.name
+ 
+ struct file;
+diff --git a/include/linux/time.h b/include/linux/time.h
+index 8c0216e..a87b440 100644
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -138,6 +138,19 @@ static inline bool timespec_valid_strict(const struct timespec *ts)
+ 	return true;
+ }
+ 
++static inline bool timeval_valid(const struct timeval *tv)
++{
++	/* Dates before 1970 are bogus */
++	if (tv->tv_sec < 0)
++		return false;
++
++	/* Can't have more microseconds then a second */
++	if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
++		return false;
++
++	return true;
++}
++
+ extern void read_persistent_clock(struct timespec *ts);
+ extern void read_boot_clock(struct timespec *ts);
+ extern int update_persistent_clock(struct timespec now);
+diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
+index 8eeeb87..142252c 100644
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -30,6 +30,17 @@
+    descriptor */
+ #define USB_QUIRK_DELAY_INIT		0x00000040
+ 
++/*
++ * For high speed and super speed interupt endpoints, the USB 2.0 and
++ * USB 3.0 spec require the interval in microframes
++ * (1 microframe = 125 microseconds) to be calculated as
++ * interval = 2 ^ (bInterval-1).
++ *
++ * Devices with this quirk report their bInterval as the result of this
++ * calculation instead of the exponent variable used in the calculation.
++ */
++#define USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL	0x00000080
++
+ /* device generates spurious wakeup, ignore remote wakeup capability */
+ #define USB_QUIRK_IGNORE_REMOTE_WAKEUP	0x00000200
+ 
+diff --git a/include/linux/virtio.h b/include/linux/virtio.h
+index 96c7843..e4807af 100644
+--- a/include/linux/virtio.h
++++ b/include/linux/virtio.h
+@@ -127,7 +127,11 @@ struct virtio_device {
+ 	void *priv;
+ };
+ 
+-#define dev_to_virtio(dev) container_of(dev, struct virtio_device, dev)
++static inline struct virtio_device *dev_to_virtio(struct device *_dev)
++{
++	return container_of(_dev, struct virtio_device, dev);
++}
++
+ int register_virtio_device(struct virtio_device *dev);
+ void unregister_virtio_device(struct virtio_device *dev);
+ 
+diff --git a/include/linux/writeback.h b/include/linux/writeback.h
+index 7e85d45..9f149dd 100644
+--- a/include/linux/writeback.h
++++ b/include/linux/writeback.h
+@@ -190,7 +190,6 @@ int write_cache_pages(struct address_space *mapping,
+ 		      struct writeback_control *wbc, writepage_t writepage,
+ 		      void *data);
+ int do_writepages(struct address_space *mapping, struct writeback_control *wbc);
+-void set_page_dirty_balance(struct page *page, int page_mkwrite);
+ void writeback_set_ratelimit(void);
+ void tag_pages_for_writeback(struct address_space *mapping,
+ 			     pgoff_t start, pgoff_t end);
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index 2124004..6e4569f 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -175,8 +175,8 @@ extern void fib_free_table(struct fib_table *tb);
+ 
+ #ifndef CONFIG_IP_MULTIPLE_TABLES
+ 
+-#define TABLE_LOCAL_INDEX	0
+-#define TABLE_MAIN_INDEX	1
++#define TABLE_LOCAL_INDEX	(RT_TABLE_LOCAL & (FIB_TABLE_HASHSZ - 1))
++#define TABLE_MAIN_INDEX	(RT_TABLE_MAIN  & (FIB_TABLE_HASHSZ - 1))
+ 
+ static inline struct fib_table *fib_get_table(struct net *net, u32 id)
+ {
+diff --git a/include/net/sock.h b/include/net/sock.h
+index e6454b6..c8dcbb8 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -194,7 +194,6 @@ struct sock_common {
+   *	@sk_route_nocaps: forbidden route capabilities (e.g NETIF_F_GSO_MASK)
+   *	@sk_gso_type: GSO type (e.g. %SKB_GSO_TCPV4)
+   *	@sk_gso_max_size: Maximum GSO segment size to build
+-  *	@sk_gso_max_segs: Maximum number of GSO segments
+   *	@sk_lingertime: %SO_LINGER l_linger setting
+   *	@sk_backlog: always used with the per-socket spinlock held
+   *	@sk_callback_lock: used with the callbacks in the end of this struct
+@@ -311,7 +310,6 @@ struct sock {
+ 	int			sk_route_nocaps;
+ 	int			sk_gso_type;
+ 	unsigned int		sk_gso_max_size;
+-	u16			sk_gso_max_segs;
+ 	int			sk_rcvlowat;
+ 	unsigned long	        sk_lingertime;
+ 	struct sk_buff_head	sk_error_queue;
+diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
+index e1a8b64..f69e37ce 100644
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -76,6 +76,13 @@ extern void irq_percpu_disable(struct irq_desc *desc, unsigned int cpu);
+ extern void mask_irq(struct irq_desc *desc);
+ extern void unmask_irq(struct irq_desc *desc);
+ 
++#ifdef CONFIG_SPARSE_IRQ
++extern void irq_lock_sparse(void);
++extern void irq_unlock_sparse(void);
++#else
++static inline void irq_lock_sparse(void) { }
++static inline void irq_unlock_sparse(void) { }
++#endif
+ extern void init_kstat_irqs(struct irq_desc *desc, int node, int nr);
+ 
+ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc, struct irqaction *action);
+diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
+index d86e254..f497ff7 100644
+--- a/kernel/irq/irqdesc.c
++++ b/kernel/irq/irqdesc.c
+@@ -130,6 +130,16 @@ static void free_masks(struct irq_desc *desc)
+ static inline void free_masks(struct irq_desc *desc) { }
+ #endif
+ 
++void irq_lock_sparse(void)
++{
++	mutex_lock(&sparse_irq_lock);
++}
++
++void irq_unlock_sparse(void)
++{
++	mutex_unlock(&sparse_irq_lock);
++}
++
+ static struct irq_desc *alloc_desc(int irq, int node, struct module *owner)
+ {
+ 	struct irq_desc *desc;
+@@ -166,6 +176,12 @@ static void free_desc(unsigned int irq)
+ 
+ 	unregister_irq_proc(irq, desc);
+ 
++	/*
++	 * sparse_irq_lock protects also show_interrupts() and
++	 * kstat_irq_usr(). Once we deleted the descriptor from the
++	 * sparse tree we can free it. Access in proc will fail to
++	 * lookup the descriptor.
++	 */
+ 	mutex_lock(&sparse_irq_lock);
+ 	delete_irq_desc(irq);
+ 	mutex_unlock(&sparse_irq_lock);
+@@ -487,6 +503,15 @@ void dynamic_irq_cleanup(unsigned int irq)
+ 	raw_spin_unlock_irqrestore(&desc->lock, flags);
+ }
+ 
++/**
++ * kstat_irqs_cpu - Get the statistics for an interrupt on a cpu
++ * @irq:	The interrupt number
++ * @cpu:	The cpu number
++ *
++ * Returns the sum of interrupt counts on @cpu since boot for
++ * @irq. The caller must ensure that the interrupt is not removed
++ * concurrently.
++ */
+ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
+ {
+ 	struct irq_desc *desc = irq_to_desc(irq);
+@@ -495,6 +520,14 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
+ 			*per_cpu_ptr(desc->kstat_irqs, cpu) : 0;
+ }
+ 
++/**
++ * kstat_irqs - Get the statistics for an interrupt
++ * @irq:	The interrupt number
++ *
++ * Returns the sum of interrupt counts on all cpus since boot for
++ * @irq. The caller must ensure that the interrupt is not removed
++ * concurrently.
++ */
+ unsigned int kstat_irqs(unsigned int irq)
+ {
+ 	struct irq_desc *desc = irq_to_desc(irq);
+@@ -507,3 +540,22 @@ unsigned int kstat_irqs(unsigned int irq)
+ 		sum += *per_cpu_ptr(desc->kstat_irqs, cpu);
+ 	return sum;
+ }
++
++/**
++ * kstat_irqs_usr - Get the statistics for an interrupt
++ * @irq:	The interrupt number
++ *
++ * Returns the sum of interrupt counts on all cpus since boot for
++ * @irq. Contrary to kstat_irqs() this can be called from any
++ * preemptible context. It's protected against concurrent removal of
++ * an interrupt descriptor when sparse irqs are enabled.
++ */
++unsigned int kstat_irqs_usr(unsigned int irq)
++{
++	int sum;
++
++	irq_lock_sparse();
++	sum = kstat_irqs(irq);
++	irq_unlock_sparse();
++	return sum;
++}
+diff --git a/kernel/irq/proc.c b/kernel/irq/proc.c
+index 4bd4faa..fb655f5f 100644
+--- a/kernel/irq/proc.c
++++ b/kernel/irq/proc.c
+@@ -15,6 +15,23 @@
+ 
+ #include "internals.h"
+ 
++/*
++ * Access rules:
++ *
++ * procfs protects read/write of /proc/irq/N/ files against a
++ * concurrent free of the interrupt descriptor. remove_proc_entry()
++ * immediately prevents new read/writes to happen and waits for
++ * already running read/write functions to complete.
++ *
++ * We remove the proc entries first and then delete the interrupt
++ * descriptor from the radix tree and free it. So it is guaranteed
++ * that irq_to_desc(N) is valid as long as the read/writes are
++ * permitted by procfs.
++ *
++ * The read from /proc/interrupts is a different problem because there
++ * is no protection. So the lookup and the access to irqdesc
++ * information must be protected by sparse_irq_lock.
++ */
+ static struct proc_dir_entry *root_irq_dir;
+ 
+ #ifdef CONFIG_SMP
+@@ -441,9 +458,10 @@ int show_interrupts(struct seq_file *p, void *v)
+ 		seq_putc(p, '\n');
+ 	}
+ 
++	irq_lock_sparse();
+ 	desc = irq_to_desc(i);
+ 	if (!desc)
+-		return 0;
++		goto outsparse;
+ 
+ 	raw_spin_lock_irqsave(&desc->lock, flags);
+ 	for_each_online_cpu(j)
+@@ -481,6 +499,8 @@ int show_interrupts(struct seq_file *p, void *v)
+ 	seq_putc(p, '\n');
+ out:
+ 	raw_spin_unlock_irqrestore(&desc->lock, flags);
++outsparse:
++	irq_unlock_sparse();
+ 	return 0;
+ }
+ #endif
+diff --git a/kernel/time.c b/kernel/time.c
+index 060f961..f64e88b 100644
+--- a/kernel/time.c
++++ b/kernel/time.c
+@@ -192,6 +192,10 @@ SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv,
+ 	if (tv) {
+ 		if (copy_from_user(&user_tv, tv, sizeof(*tv)))
+ 			return -EFAULT;
++
++		if (!timeval_valid(&user_tv))
++			return -EINVAL;
++
+ 		new_ts.tv_sec = user_tv.tv_sec;
+ 		new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC;
+ 	}
+diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
+index a7b80c1..6a110e2 100644
+--- a/lib/decompress_bunzip2.c
++++ b/lib/decompress_bunzip2.c
+@@ -185,7 +185,7 @@ static int INIT get_next_block(struct bunzip_data *bd)
+ 	if (get_bits(bd, 1))
+ 		return RETVAL_OBSOLETE_INPUT;
+ 	origPtr = get_bits(bd, 24);
+-	if (origPtr > dbufSize)
++	if (origPtr >= dbufSize)
+ 		return RETVAL_DATA_ERROR;
+ 	/* mapping table: if some byte values are never used (encoding things
+ 	   like ascii text), the compression code removes the gaps to have fewer
+diff --git a/mm/ksm.c b/mm/ksm.c
+index 310544a..6741c9d 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -342,7 +342,7 @@ static int break_ksm(struct vm_area_struct *vma, unsigned long addr)
+ 		else
+ 			ret = VM_FAULT_WRITE;
+ 		put_page(page);
+-	} while (!(ret & (VM_FAULT_WRITE | VM_FAULT_SIGBUS | VM_FAULT_OOM)));
++	} while (!(ret & (VM_FAULT_WRITE | VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV | VM_FAULT_OOM)));
+ 	/*
+ 	 * We must loop because handle_mm_fault() may back out if there's
+ 	 * any difficulty e.g. if pte accessed bit gets updated concurrently.
+diff --git a/mm/memory.c b/mm/memory.c
+index 628cadc..0a7bb38 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1767,7 +1767,7 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+ 						else
+ 							return -EFAULT;
+ 					}
+-					if (ret & VM_FAULT_SIGBUS)
++					if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
+ 						return i ? i : -EFAULT;
+ 					BUG();
+ 				}
+@@ -1871,7 +1871,7 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
+ 			return -ENOMEM;
+ 		if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE))
+ 			return -EHWPOISON;
+-		if (ret & VM_FAULT_SIGBUS)
++		if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
+ 			return -EFAULT;
+ 		BUG();
+ 	}
+@@ -2661,17 +2661,24 @@ reuse:
+ 		if (!dirty_page)
+ 			return ret;
+ 
+-		/*
+-		 * Yes, Virginia, this is actually required to prevent a race
+-		 * with clear_page_dirty_for_io() from clearing the page dirty
+-		 * bit after it clear all dirty ptes, but before a racing
+-		 * do_wp_page installs a dirty pte.
+-		 *
+-		 * __do_fault is protected similarly.
+-		 */
+ 		if (!page_mkwrite) {
+-			wait_on_page_locked(dirty_page);
+-			set_page_dirty_balance(dirty_page, page_mkwrite);
++			struct address_space *mapping;
++			int dirtied;
++
++			lock_page(dirty_page);
++			dirtied = set_page_dirty(dirty_page);
++			VM_BUG_ON(PageAnon(dirty_page));
++			mapping = dirty_page->mapping;
++			unlock_page(dirty_page);
++
++			if (dirtied && mapping) {
++				/*
++				 * Some device drivers do not set page.mapping
++				 * but still dirty their pages
++				 */
++				balance_dirty_pages_ratelimited(mapping);
++			}
++
+ 		}
+ 		put_page(dirty_page);
+ 		if (page_mkwrite) {
+@@ -3117,7 +3124,7 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
+ 		if (prev && prev->vm_end == address)
+ 			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
+ 
+-		expand_downwards(vma, address - PAGE_SIZE);
++		return expand_downwards(vma, address - PAGE_SIZE);
+ 	}
+ 	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
+ 		struct vm_area_struct *next = vma->vm_next;
+@@ -3126,7 +3133,7 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
+ 		if (next && next->vm_start == address + PAGE_SIZE)
+ 			return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
+ 
+-		expand_upwards(vma, address + PAGE_SIZE);
++		return expand_upwards(vma, address + PAGE_SIZE);
+ 	}
+ 	return 0;
+ }
+@@ -3148,7 +3155,7 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ 
+ 	/* Check if we need to add a guard page to the stack */
+ 	if (check_stack_guard_page(vma, address) < 0)
+-		return VM_FAULT_SIGBUS;
++		return VM_FAULT_SIGSEGV;
+ 
+ 	/* Use the zero-page for reads */
+ 	if (!(flags & FAULT_FLAG_WRITE)) {
+diff --git a/mm/mmap.c b/mm/mmap.c
+index f2badbf..13b5685 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -537,9 +537,14 @@ again:			remove_next = 1 + (end > next->vm_end);
+ 		 * shrinking vma had, to cover any anon pages imported.
+ 		 */
+ 		if (exporter && exporter->anon_vma && !importer->anon_vma) {
+-			if (anon_vma_clone(importer, exporter))
+-				return -ENOMEM;
++			int error;
++
+ 			importer->anon_vma = exporter->anon_vma;
++			error = anon_vma_clone(importer, exporter);
++			if (error) {
++				importer->anon_vma = NULL;
++				return error;
++			}
+ 		}
+ 	}
+ 
+@@ -1648,14 +1653,17 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->signal->rlim;
+-	unsigned long new_start;
++	unsigned long new_start, actual_size;
+ 
+ 	/* address space limit tests */
+ 	if (!may_expand_vm(mm, grow))
+ 		return -ENOMEM;
+ 
+ 	/* Stack limit test */
+-	if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
++	actual_size = size;
++	if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
++		actual_size -= PAGE_SIZE;
++	if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
+ 		return -ENOMEM;
+ 
+ 	/* mlock limit tests */
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index d2ac057..aad22aa 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -1202,16 +1202,6 @@ pause:
+ 		bdi_start_background_writeback(bdi);
+ }
+ 
+-void set_page_dirty_balance(struct page *page, int page_mkwrite)
+-{
+-	if (set_page_dirty(page) || page_mkwrite) {
+-		struct address_space *mapping = page_mapping(page);
+-
+-		if (mapping)
+-			balance_dirty_pages_ratelimited(mapping);
+-	}
+-}
+-
+ static DEFINE_PER_CPU(int, bdp_ratelimits);
+ 
+ /**
+@@ -1764,32 +1754,25 @@ EXPORT_SYMBOL(account_page_writeback);
+  * page dirty in that case, but not all the buffers.  This is a "bottom-up"
+  * dirtying, whereas __set_page_dirty_buffers() is a "top-down" dirtying.
+  *
+- * Most callers have locked the page, which pins the address_space in memory.
+- * But zap_pte_range() does not lock the page, however in that case the
+- * mapping is pinned by the vma's ->vm_file reference.
+- *
+- * We take care to handle the case where the page was truncated from the
+- * mapping by re-checking page_mapping() inside tree_lock.
++ * The caller must ensure this doesn't race with truncation.  Most will simply
++ * hold the page lock, but e.g. zap_pte_range() calls with the page mapped and
++ * the pte lock held, which also locks out truncation.
+  */
+ int __set_page_dirty_nobuffers(struct page *page)
+ {
+ 	if (!TestSetPageDirty(page)) {
+ 		struct address_space *mapping = page_mapping(page);
+-		struct address_space *mapping2;
+ 		unsigned long flags;
+ 
+ 		if (!mapping)
+ 			return 1;
+ 
+ 		spin_lock_irqsave(&mapping->tree_lock, flags);
+-		mapping2 = page_mapping(page);
+-		if (mapping2) { /* Race with truncate? */
+-			BUG_ON(mapping2 != mapping);
+-			WARN_ON_ONCE(!PagePrivate(page) && !PageUptodate(page));
+-			account_page_dirtied(page, mapping);
+-			radix_tree_tag_set(&mapping->page_tree,
+-				page_index(page), PAGECACHE_TAG_DIRTY);
+-		}
++		BUG_ON(page_mapping(page) != mapping);
++		WARN_ON_ONCE(!PagePrivate(page) && !PageUptodate(page));
++		account_page_dirtied(page, mapping);
++		radix_tree_tag_set(&mapping->page_tree, page_index(page),
++				   PAGECACHE_TAG_DIRTY);
+ 		spin_unlock_irqrestore(&mapping->tree_lock, flags);
+ 		if (mapping->host) {
+ 			/* !PageAnon && !swapper_space */
+@@ -1946,12 +1929,10 @@ int clear_page_dirty_for_io(struct page *page)
+ 		/*
+ 		 * We carefully synchronise fault handlers against
+ 		 * installing a dirty pte and marking the page dirty
+-		 * at this point. We do this by having them hold the
+-		 * page lock at some point after installing their
+-		 * pte, but before marking the page dirty.
+-		 * Pages are always locked coming in here, so we get
+-		 * the desired exclusion. See mm/memory.c:do_wp_page()
+-		 * for more comments.
++		 * at this point.  We do this by having them hold the
++		 * page lock while dirtying the page, and pages are
++		 * always locked coming in here, so we get the desired
++		 * exclusion.
+ 		 */
+ 		if (TestClearPageDirty(page)) {
+ 			dec_zone_page_state(page, NR_FILE_DIRTY);
+diff --git a/mm/rmap.c b/mm/rmap.c
+index f3f6fd3..2c4ee3e 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -72,6 +72,8 @@ static inline struct anon_vma *anon_vma_alloc(void)
+ 	anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);
+ 	if (anon_vma) {
+ 		atomic_set(&anon_vma->refcount, 1);
++		anon_vma->degree = 1;	/* Reference for first vma */
++		anon_vma->parent = anon_vma;
+ 		/*
+ 		 * Initialise the anon_vma root to point to itself. If called
+ 		 * from fork, the root will be reset to the parents anon_vma.
+@@ -181,6 +183,8 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+ 			avc->vma = vma;
+ 			list_add(&avc->same_vma, &vma->anon_vma_chain);
+ 			list_add_tail(&avc->same_anon_vma, &anon_vma->head);
++			/* vma reference or self-parent link for new root */
++			anon_vma->degree++;
+ 			allocated = NULL;
+ 			avc = NULL;
+ 		}
+@@ -244,6 +248,14 @@ static void anon_vma_chain_link(struct vm_area_struct *vma,
+ /*
+  * Attach the anon_vmas from src to dst.
+  * Returns 0 on success, -ENOMEM on failure.
++ *
++ * If dst->anon_vma is NULL this function tries to find and reuse existing
++ * anon_vma which has no vmas and only one child anon_vma. This prevents
++ * degradation of anon_vma hierarchy to endless linear chain in case of
++ * constantly forking task. On the other hand, an anon_vma with more than one
++ * child isn't reused even if there was no alive vma, thus rmap walker has a
++ * good chance of avoiding scanning the whole hierarchy when it searches where
++ * page is mapped.
+  */
+ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+ {
+@@ -264,7 +276,21 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+ 		anon_vma = pavc->anon_vma;
+ 		root = lock_anon_vma_root(root, anon_vma);
+ 		anon_vma_chain_link(dst, avc, anon_vma);
++
++		/*
++		 * Reuse existing anon_vma if its degree lower than two,
++		 * that means it has no vma and only one anon_vma child.
++		 *
++		 * Do not chose parent anon_vma, otherwise first child
++		 * will always reuse it. Root anon_vma is never reused:
++		 * it has self-parent reference and at least one child.
++		 */
++		if (!dst->anon_vma && anon_vma != src->anon_vma &&
++				anon_vma->degree < 2)
++			dst->anon_vma = anon_vma;
+ 	}
++	if (dst->anon_vma)
++		dst->anon_vma->degree++;
+ 	unlock_anon_vma_root(root);
+ 	return 0;
+ 
+@@ -287,6 +313,9 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+ 	if (!pvma->anon_vma)
+ 		return 0;
+ 
++	/* Drop inherited anon_vma, we'll reuse existing or allocate new. */
++	vma->anon_vma = NULL;
++
+ 	/*
+ 	 * First, attach the new VMA to the parent VMA's anon_vmas,
+ 	 * so rmap can find non-COWed pages in child processes.
+@@ -294,6 +323,10 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+ 	if (anon_vma_clone(vma, pvma))
+ 		return -ENOMEM;
+ 
++	/* An existing anon_vma has been reused, all done then. */
++	if (vma->anon_vma)
++		return 0;
++
+ 	/* Then add our own anon_vma. */
+ 	anon_vma = anon_vma_alloc();
+ 	if (!anon_vma)
+@@ -307,6 +340,7 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+ 	 * lock any of the anon_vmas in this anon_vma tree.
+ 	 */
+ 	anon_vma->root = pvma->anon_vma->root;
++	anon_vma->parent = pvma->anon_vma;
+ 	/*
+ 	 * With refcounts, an anon_vma can stay around longer than the
+ 	 * process it belongs to. The root anon_vma needs to be pinned until
+@@ -317,6 +351,7 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+ 	vma->anon_vma = anon_vma;
+ 	anon_vma_lock(anon_vma);
+ 	anon_vma_chain_link(vma, avc, anon_vma);
++	anon_vma->parent->degree++;
+ 	anon_vma_unlock(anon_vma);
+ 
+ 	return 0;
+@@ -347,12 +382,16 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
+ 		 * Leave empty anon_vmas on the list - we'll need
+ 		 * to free them outside the lock.
+ 		 */
+-		if (list_empty(&anon_vma->head))
++		if (list_empty(&anon_vma->head)) {
++			anon_vma->parent->degree--;
+ 			continue;
++		}
+ 
+ 		list_del(&avc->same_vma);
+ 		anon_vma_chain_free(avc);
+ 	}
++	if (vma->anon_vma)
++		vma->anon_vma->degree--;
+ 	unlock_anon_vma_root(root);
+ 
+ 	/*
+@@ -363,6 +402,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
+ 	list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
+ 		struct anon_vma *anon_vma = avc->anon_vma;
+ 
++		BUG_ON(anon_vma->degree);
+ 		put_anon_vma(anon_vma);
+ 
+ 		list_del(&avc->same_vma);
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 854da15..fcb5133 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1616,6 +1616,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+ 	skb->tstamp.tv64 = 0;
+ 	skb->pkt_type = PACKET_HOST;
+ 	skb->protocol = eth_type_trans(skb, dev);
++	skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
+ 	skb->mark = 0;
+ 	secpath_reset(skb);
+ 	nf_reset(skb);
+@@ -2128,11 +2129,13 @@ u32 netif_skb_features(struct sk_buff *skb)
+ 	if (skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
+ 		features &= ~NETIF_F_GSO_MASK;
+ 
+-	if (protocol == htons(ETH_P_8021Q)) {
+-		struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
+-		protocol = veh->h_vlan_encapsulated_proto;
+-	} else if (!vlan_tx_tag_present(skb)) {
+-		return harmonize_features(skb, protocol, features);
++	if (!vlan_tx_tag_present(skb)) {
++		if (unlikely(protocol == htons(ETH_P_8021Q))) {
++			struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
++			protocol = veh->h_vlan_encapsulated_proto;
++		} else {
++			return harmonize_features(skb, protocol, features);
++		}
+ 	}
+ 
+ 	features &= (skb->dev->vlan_features | NETIF_F_HW_VLAN_TX);
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 8a2c2dd..e093528 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1311,7 +1311,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ 		} else {
+ 			sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
+ 			sk->sk_gso_max_size = dst->dev->gso_max_size;
+-			sk->sk_gso_max_segs = dst->dev->gso_max_segs;
+ 		}
+ 	}
+ }
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 59a7041..d1f56e1 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -592,16 +592,18 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
+ 	struct sk_buff *skb;
+ 	struct arphdr *arp;
+ 	unsigned char *arp_ptr;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
+ 
+ 	/*
+ 	 *	Allocate a buffer
+ 	 */
+ 
+-	skb = alloc_skb(arp_hdr_len(dev) + LL_ALLOCATED_SPACE(dev), GFP_ATOMIC);
++	skb = alloc_skb(arp_hdr_len(dev) + hlen + tlen, GFP_ATOMIC);
+ 	if (skb == NULL)
+ 		return NULL;
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb_reserve(skb, hlen);
+ 	skb_reset_network_header(skb);
+ 	arp = (struct arphdr *) skb_put(skb, arp_hdr_len(dev));
+ 	skb->dev = dev;
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 7fe66d9..03e9486 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -294,9 +294,7 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
+ 	return scount;
+ }
+ 
+-#define igmp_skb_size(skb) (*(unsigned int *)((skb)->cb))
+-
+-static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
++static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
+ {
+ 	struct sk_buff *skb;
+ 	struct rtable *rt;
+@@ -304,9 +302,12 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+ 	struct igmpv3_report *pig;
+ 	struct net *net = dev_net(dev);
+ 	struct flowi4 fl4;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
++	unsigned int size = mtu;
+ 
+ 	while (1) {
+-		skb = alloc_skb(size + LL_ALLOCATED_SPACE(dev),
++		skb = alloc_skb(size + hlen + tlen,
+ 				GFP_ATOMIC | __GFP_NOWARN);
+ 		if (skb)
+ 			break;
+@@ -314,7 +315,6 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+ 		if (size < 256)
+ 			return NULL;
+ 	}
+-	igmp_skb_size(skb) = size;
+ 
+ 	rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0,
+ 				   0, 0,
+@@ -327,7 +327,9 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+ 	skb_dst_set(skb, &rt->dst);
+ 	skb->dev = dev;
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb->reserved_tailroom = skb_end_offset(skb) -
++				 min(mtu, skb_end_offset(skb));
++	skb_reserve(skb, hlen);
+ 
+ 	skb_reset_network_header(skb);
+ 	pip = ip_hdr(skb);
+@@ -396,8 +398,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
+ 	return skb;
+ }
+ 
+-#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? igmp_skb_size(skb) - (skb)->len : \
+-	skb_tailroom(skb)) : 0)
++#define AVAILABLE(skb)	((skb) ? skb_availroom(skb) : 0)
+ 
+ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
+ 	int type, int gdeleted, int sdeleted)
+@@ -647,6 +648,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ 	__be32	group = pmc ? pmc->multiaddr : 0;
+ 	struct flowi4 fl4;
+ 	__be32	dst;
++	int hlen, tlen;
+ 
+ 	if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
+ 		return igmpv3_send_report(in_dev, pmc);
+@@ -661,7 +663,9 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ 	if (IS_ERR(rt))
+ 		return -1;
+ 
+-	skb = alloc_skb(IGMP_SIZE+LL_ALLOCATED_SPACE(dev), GFP_ATOMIC);
++	hlen = LL_RESERVED_SPACE(dev);
++	tlen = dev->needed_tailroom;
++	skb = alloc_skb(IGMP_SIZE + hlen + tlen, GFP_ATOMIC);
+ 	if (skb == NULL) {
+ 		ip_rt_put(rt);
+ 		return -1;
+@@ -669,7 +673,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ 
+ 	skb_dst_set(skb, &rt->dst);
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb_reserve(skb, hlen);
+ 
+ 	skb_reset_network_header(skb);
+ 	iph = ip_hdr(skb);
+diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
+index 99ec116..efb1ff5 100644
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -767,13 +767,15 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d
+ 	struct sk_buff *skb;
+ 	struct bootp_pkt *b;
+ 	struct iphdr *h;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
+ 
+ 	/* Allocate packet */
+-	skb = alloc_skb(sizeof(struct bootp_pkt) + LL_ALLOCATED_SPACE(dev) + 15,
++	skb = alloc_skb(sizeof(struct bootp_pkt) + hlen + tlen + 15,
+ 			GFP_KERNEL);
+ 	if (!skb)
+ 		return;
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb_reserve(skb, hlen);
+ 	b = (struct bootp_pkt *) skb_put(skb, sizeof(struct bootp_pkt));
+ 	memset(b, 0, sizeof(struct bootp_pkt));
+ 
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 75fea1f..063bcd5 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -329,6 +329,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
+ 	unsigned int iphlen;
+ 	int err;
+ 	struct rtable *rt = *rtp;
++	int hlen, tlen;
+ 
+ 	if (length > rt->dst.dev->mtu) {
+ 		ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
+@@ -338,12 +339,14 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
+ 	if (flags&MSG_PROBE)
+ 		goto out;
+ 
++	hlen = LL_RESERVED_SPACE(rt->dst.dev);
++	tlen = rt->dst.dev->needed_tailroom;
+ 	skb = sock_alloc_send_skb(sk,
+-				  length + LL_ALLOCATED_SPACE(rt->dst.dev) + 15,
++				  length + hlen + tlen + 15,
+ 				  flags & MSG_DONTWAIT, &err);
+ 	if (skb == NULL)
+ 		goto error;
+-	skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
++	skb_reserve(skb, hlen);
+ 
+ 	skb->priority = sk->sk_priority;
+ 	skb->mark = sk->sk_mark;
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 32c9e83..9a7c01e 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -738,9 +738,7 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
+ 			   old_size_goal + mss_now > xmit_size_goal)) {
+ 			xmit_size_goal = old_size_goal;
+ 		} else {
+-			tp->xmit_size_goal_segs =
+-				min_t(u16, xmit_size_goal / mss_now,
+-				      sk->sk_gso_max_segs);
++			tp->xmit_size_goal_segs = xmit_size_goal / mss_now;
+ 			xmit_size_goal = tp->xmit_size_goal_segs * mss_now;
+ 		}
+ 	}
+diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
+index 6cebfd2..850c737 100644
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -290,8 +290,7 @@ int tcp_is_cwnd_limited(const struct sock *sk, u32 in_flight)
+ 	left = tp->snd_cwnd - in_flight;
+ 	if (sk_can_gso(sk) &&
+ 	    left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
+-	    left * tp->mss_cache < sk->sk_gso_max_size &&
+-	    left < sk->sk_gso_max_segs)
++	    left * tp->mss_cache < sk->sk_gso_max_size)
+ 		return 1;
+ 	return left <= tcp_max_burst(tp);
+ }
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 0d5a118..3a37f54 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1320,21 +1320,21 @@ static void tcp_cwnd_validate(struct sock *sk)
+  * when we would be allowed to send the split-due-to-Nagle skb fully.
+  */
+ static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
+-					unsigned int mss_now, unsigned int max_segs)
++					unsigned int mss_now, unsigned int cwnd)
+ {
+ 	const struct tcp_sock *tp = tcp_sk(sk);
+-	u32 needed, window, max_len;
++	u32 needed, window, cwnd_len;
+ 
+ 	window = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq;
+-	max_len = mss_now * max_segs;
++	cwnd_len = mss_now * cwnd;
+ 
+-	if (likely(max_len <= window && skb != tcp_write_queue_tail(sk)))
+-		return max_len;
++	if (likely(cwnd_len <= window && skb != tcp_write_queue_tail(sk)))
++		return cwnd_len;
+ 
+ 	needed = min(skb->len, window);
+ 
+-	if (max_len <= needed)
+-		return max_len;
++	if (cwnd_len <= needed)
++		return cwnd_len;
+ 
+ 	return needed - needed % mss_now;
+ }
+@@ -1562,8 +1562,7 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
+ 	limit = min(send_win, cong_win);
+ 
+ 	/* If a full-sized TSO skb can be sent, do it. */
+-	if (limit >= min_t(unsigned int, sk->sk_gso_max_size,
+-			   sk->sk_gso_max_segs * tp->mss_cache))
++	if (limit >= sk->sk_gso_max_size)
+ 		goto send_now;
+ 
+ 	/* Middle in queue won't get any more data, full sendable already? */
+@@ -1792,9 +1791,7 @@ static int tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
+ 		limit = mss_now;
+ 		if (tso_segs > 1 && !tcp_urg_mode(tp))
+ 			limit = tcp_mss_split_point(sk, skb, mss_now,
+-						    min_t(unsigned int,
+-							  cwnd_quota,
+-							  sk->sk_gso_max_segs));
++						    cwnd_quota);
+ 
+ 		if (skb->len > limit &&
+ 		    unlikely(tso_fragment(sk, skb, limit, mss_now, gfp)))
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 46fc6a3..2215d6b 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -623,6 +623,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ 	struct ipv6hdr *tmp_hdr;
+ 	struct frag_hdr *fh;
+ 	unsigned int mtu, hlen, left, len;
++	int hroom, troom;
+ 	__be32 frag_id = 0;
+ 	int ptr, offset = 0, err=0;
+ 	u8 *prevhdr, nexthdr = 0;
+@@ -789,6 +790,8 @@ slow_path:
+ 	 */
+ 
+ 	*prevhdr = NEXTHDR_FRAGMENT;
++	hroom = LL_RESERVED_SPACE(rt->dst.dev);
++	troom = rt->dst.dev->needed_tailroom;
+ 
+ 	/*
+ 	 *	Keep copying data until we run out.
+@@ -807,7 +810,8 @@ slow_path:
+ 		 *	Allocate buffer.
+ 		 */
+ 
+-		if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_ALLOCATED_SPACE(rt->dst.dev), GFP_ATOMIC)) == NULL) {
++		if ((frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) +
++				      hroom + troom, GFP_ATOMIC)) == NULL) {
+ 			NETDEBUG(KERN_INFO "IPv6: frag: no memory for new fragment!\n");
+ 			IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ 				      IPSTATS_MIB_FRAGFAILS);
+@@ -820,7 +824,7 @@ slow_path:
+ 		 */
+ 
+ 		ip6_copy_metadata(frag, skb);
+-		skb_reserve(frag, LL_RESERVED_SPACE(rt->dst.dev));
++		skb_reserve(frag, hroom);
+ 		skb_put(frag, len + hlen + sizeof(struct frag_hdr));
+ 		skb_reset_network_header(frag);
+ 		fh = (struct frag_hdr *)(skb_network_header(frag) + hlen);
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 4f12b66..7bb6644 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1334,7 +1334,7 @@ mld_scount(struct ifmcaddr6 *pmc, int type, int gdeleted, int sdeleted)
+ 	return scount;
+ }
+ 
+-static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
++static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
+ {
+ 	struct net_device *dev = idev->dev;
+ 	struct net *net = dev_net(dev);
+@@ -1343,13 +1343,15 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
+ 	struct mld2_report *pmr;
+ 	struct in6_addr addr_buf;
+ 	const struct in6_addr *saddr;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
++	unsigned int size = mtu + hlen + tlen;
+ 	int err;
+ 	u8 ra[8] = { IPPROTO_ICMPV6, 0,
+ 		     IPV6_TLV_ROUTERALERT, 2, 0, 0,
+ 		     IPV6_TLV_PADN, 0 };
+ 
+ 	/* we assume size > sizeof(ra) here */
+-	size += LL_ALLOCATED_SPACE(dev);
+ 	/* limit our allocations to order-0 page */
+ 	size = min_t(int, size, SKB_MAX_ORDER(0, 0));
+ 	skb = sock_alloc_send_skb(sk, size, 1, &err);
+@@ -1357,7 +1359,9 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
+ 	if (!skb)
+ 		return NULL;
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb->reserved_tailroom = skb_end_offset(skb) -
++				 min(mtu, skb_end_offset(skb));
++	skb_reserve(skb, hlen);
+ 
+ 	if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
+ 		/* <draft-ietf-magma-mld-source-05.txt>:
+@@ -1477,8 +1481,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
+ 	return skb;
+ }
+ 
+-#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? (skb)->dev->mtu - (skb)->len : \
+-	skb_tailroom(skb)) : 0)
++#define AVAILABLE(skb)	((skb) ? skb_availroom(skb) : 0)
+ 
+ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
+ 	int type, int gdeleted, int sdeleted)
+@@ -1725,6 +1728,8 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
+ 	struct mld_msg *hdr;
+ 	const struct in6_addr *snd_addr, *saddr;
+ 	struct in6_addr addr_buf;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
+ 	int err, len, payload_len, full_len;
+ 	u8 ra[8] = { IPPROTO_ICMPV6, 0,
+ 		     IPV6_TLV_ROUTERALERT, 2, 0, 0,
+@@ -1746,7 +1751,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
+ 		      IPSTATS_MIB_OUT, full_len);
+ 	rcu_read_unlock();
+ 
+-	skb = sock_alloc_send_skb(sk, LL_ALLOCATED_SPACE(dev) + full_len, 1, &err);
++	skb = sock_alloc_send_skb(sk, hlen + tlen + full_len, 1, &err);
+ 
+ 	if (skb == NULL) {
+ 		rcu_read_lock();
+@@ -1756,7 +1761,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
+ 		return;
+ 	}
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb_reserve(skb, hlen);
+ 
+ 	if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) {
+ 		/* <draft-ietf-magma-mld-source-05.txt>:
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index bc55358..62096d8 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -446,6 +446,8 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
+ 	struct sock *sk = net->ipv6.ndisc_sk;
+ 	struct sk_buff *skb;
+ 	struct icmp6hdr *hdr;
++	int hlen = LL_RESERVED_SPACE(dev);
++	int tlen = dev->needed_tailroom;
+ 	int len;
+ 	u8 *opt;
+ 
+@@ -457,7 +459,7 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
+ 		len += ndisc_opt_addr_space(dev);
+ 
+ 	skb = alloc_skb((MAX_HEADER + sizeof(struct ipv6hdr) +
+-			 len + LL_ALLOCATED_SPACE(dev)), GFP_ATOMIC);
++			 len + hlen + tlen), GFP_ATOMIC);
+ 	if (!skb) {
+ 		ND_PRINTK0(KERN_ERR
+ 			   "ICMPv6 ND: %s() failed to allocate an skb.\n",
+@@ -465,7 +467,7 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
+ 		return NULL;
+ 	}
+ 
+-	skb_reserve(skb, LL_RESERVED_SPACE(dev));
++	skb_reserve(skb, hlen);
+ 	ip6_nd_hdr(sk, skb, dev, saddr, daddr, IPPROTO_ICMPV6, len);
+ 
+ 	skb->transport_header = skb->tail;
+@@ -1534,6 +1536,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
+ 	struct inet6_dev *idev;
+ 	struct flowi6 fl6;
+ 	u8 *opt;
++	int hlen, tlen;
+ 	int rd_len;
+ 	int err;
+ 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL;
+@@ -1591,9 +1594,11 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
+ 	rd_len &= ~0x7;
+ 	len += rd_len;
+ 
++	hlen = LL_RESERVED_SPACE(dev);
++	tlen = dev->needed_tailroom;
+ 	buff = sock_alloc_send_skb(sk,
+ 				   (MAX_HEADER + sizeof(struct ipv6hdr) +
+-				    len + LL_ALLOCATED_SPACE(dev)),
++				    len + hlen + tlen),
+ 				   1, &err);
+ 	if (buff == NULL) {
+ 		ND_PRINTK0(KERN_ERR
+@@ -1602,7 +1607,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
+ 		goto release;
+ 	}
+ 
+-	skb_reserve(buff, LL_RESERVED_SPACE(dev));
++	skb_reserve(buff, hlen);
+ 	ip6_nd_hdr(sk, buff, dev, &saddr_buf, &ipv6_hdr(skb)->saddr,
+ 		   IPPROTO_ICMPV6, len);
+ 
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index 9ecbc84..9287f3e 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -607,6 +607,8 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
+ 	struct sk_buff *skb;
+ 	int err;
+ 	struct rt6_info *rt = (struct rt6_info *)*dstp;
++	int hlen = LL_RESERVED_SPACE(rt->dst.dev);
++	int tlen = rt->dst.dev->needed_tailroom;
+ 
+ 	if (length > rt->dst.dev->mtu) {
+ 		ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
+@@ -616,11 +618,11 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
+ 		goto out;
+ 
+ 	skb = sock_alloc_send_skb(sk,
+-				  length + LL_ALLOCATED_SPACE(rt->dst.dev) + 15,
++				  length + hlen + tlen + 15,
+ 				  flags & MSG_DONTWAIT, &err);
+ 	if (skb == NULL)
+ 		goto error;
+-	skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
++	skb_reserve(skb, hlen);
+ 
+ 	skb->priority = sk->sk_priority;
+ 	skb->mark = sk->sk_mark;
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 2064612..c0444a0 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1470,14 +1470,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 	sc = le16_to_cpu(hdr->seq_ctrl);
+ 	frag = sc & IEEE80211_SCTL_FRAG;
+ 
+-	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+-		goto out;
+-
+ 	if (is_multicast_ether_addr(hdr->addr1)) {
+ 		rx->local->dot11MulticastReceivedFrameCount++;
+-		goto out;
++		goto out_no_led;
+ 	}
+ 
++	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
++		goto out;
++
+ 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+ 	if (skb_linearize(rx->skb))
+@@ -1568,9 +1568,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 	status->rx_flags |= IEEE80211_RX_FRAGMENTED;
+ 
+  out:
++	ieee80211_led_rx(rx->local);
++ out_no_led:
+ 	if (rx->sta)
+ 		rx->sta->rx_packets++;
+-	ieee80211_led_rx(rx->local);
+ 	return RX_CONTINUE;
+ }
+ 
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 86137b5..b88dcec 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1615,6 +1615,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
+ 	if (*op < IP_SET_OP_VERSION) {
+ 		/* Check the version at the beginning of operations */
+ 		struct ip_set_req_version *req_version = data;
++
++		if (*len < sizeof(struct ip_set_req_version)) {
++			ret = -EINVAL;
++			goto done;
++		}
++
+ 		if (req_version->version != IPSET_PROTOCOL) {
+ 			ret = -EPROTO;
+ 			goto done;
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index e2091d0..53bf12a 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+ 
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+ 
++static bool nf_generic_should_process(u8 proto)
++{
++	switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++	case IPPROTO_SCTP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++	case IPPROTO_DCCP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++	case IPPROTO_GRE:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++	case IPPROTO_UDPLITE:
++		return false;
++#endif
++	default:
++		return true;
++	}
++}
++
+ static bool generic_pkt_to_tuple(const struct sk_buff *skb,
+ 				 unsigned int dataoff,
+ 				 struct nf_conntrack_tuple *tuple)
+@@ -56,7 +80,7 @@ static int packet(struct nf_conn *ct,
+ static bool new(struct nf_conn *ct, const struct sk_buff *skb,
+ 		unsigned int dataoff)
+ {
+-	return true;
++	return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+ 
+ #ifdef CONFIG_SYSCTL
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index 5b2d8e6..d014b05 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
+ 	asoc->peer.peer_hmacs = new->peer.peer_hmacs;
+ 	new->peer.peer_hmacs = NULL;
+ 
+-	sctp_auth_key_put(asoc->asoc_shared_key);
+ 	sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
+ }
+ 
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index c28eb7b..fc63664 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1611,6 +1611,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 	sctp_scope_t scope;
+ 	long timeo;
+ 	__u16 sinfo_flags = 0;
++	bool wait_connect = false;
+ 	struct sctp_datamsg *datamsg;
+ 	int msg_flags = msg->msg_flags;
+ 
+@@ -1929,6 +1930,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 		err = sctp_primitive_ASSOCIATE(asoc, NULL);
+ 		if (err < 0)
+ 			goto out_free;
++		wait_connect = true;
+ 		SCTP_DEBUG_PRINTK("We associated primitively.\n");
+ 	}
+ 
+@@ -1968,6 +1970,11 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 	else
+ 		err = msg_len;
+ 
++	if (unlikely(wait_connect)) {
++		timeo = sock_sndtimeo(sk, msg_flags & MSG_DONTWAIT);
++		sctp_wait_for_connect(asoc, &timeo);
++	}
++
+ 	/* If we are already past ASSOCIATE, the lower
+ 	 * layers are responsible for association cleanup.
+ 	 */
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index cdf77a2..cb4168e 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -1815,6 +1815,9 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
+ 	if (!rdev->ops->get_key)
+ 		return -EOPNOTSUPP;
+ 
++	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
++		return -ENOENT;
++
+ 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ 	if (!msg)
+ 		return -ENOMEM;
+@@ -1832,10 +1835,6 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
+ 	if (mac_addr)
+ 		NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
+ 
+-	if (pairwise && mac_addr &&
+-	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+-		return -ENOENT;
+-
+ 	err = rdev->ops->get_key(&rdev->wiphy, dev, key_idx, pairwise,
+ 				 mac_addr, &cookie, get_key_callback);
+ 
+@@ -2007,7 +2006,7 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
+ 	wdev_lock(dev->ieee80211_ptr);
+ 	err = nl80211_key_allowed(dev->ieee80211_ptr);
+ 
+-	if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
++	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
+ 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+ 		err = -ENOENT;
+ 
+diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
+index 858966a..679218b 100755
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -262,7 +262,6 @@ if ($arch eq "x86_64") {
+     # force flags for this arch
+     $ld .= " -m shlelf_linux";
+     $objcopy .= " -O elf32-sh-linux";
+-    $cc .= " -m32";
+ 
+ } elsif ($arch eq "powerpc") {
+     $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)";
+diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
+index 41144f7..7c5d1d8 100644
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -1016,10 +1016,13 @@ static int __init init_encrypted(void)
+ 	ret = encrypted_shash_alloc();
+ 	if (ret < 0)
+ 		return ret;
++	ret = aes_get_sizes();
++	if (ret < 0)
++		goto out;
+ 	ret = register_key_type(&key_type_encrypted);
+ 	if (ret < 0)
+ 		goto out;
+-	return aes_get_sizes();
++	return 0;
+ out:
+ 	encrypted_shash_release();
+ 	return ret;
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index bf4d8da..2e2395d 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(struct key *key)
+ 	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ 		atomic_dec(&key->user->nikeys);
+ 
+-	key_user_put(key->user);
+-
+ 	/* now throw away the key memory */
+ 	if (key->type->destroy)
+ 		key->type->destroy(key);
+ 
++	key_user_put(key->user);
++
+ 	kfree(key->description);
+ 
+ #ifdef KEY_DEBUGGING
+diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c
+index b9b2235..5b41e04 100644
+--- a/sound/core/seq/seq_dummy.c
++++ b/sound/core/seq/seq_dummy.c
+@@ -82,36 +82,6 @@ struct snd_seq_dummy_port {
+ static int my_client = -1;
+ 
+ /*
+- * unuse callback - send ALL_SOUNDS_OFF and RESET_CONTROLLERS events
+- * to subscribers.
+- * Note: this callback is called only after all subscribers are removed.
+- */
+-static int
+-dummy_unuse(void *private_data, struct snd_seq_port_subscribe *info)
+-{
+-	struct snd_seq_dummy_port *p;
+-	int i;
+-	struct snd_seq_event ev;
+-
+-	p = private_data;
+-	memset(&ev, 0, sizeof(ev));
+-	if (p->duplex)
+-		ev.source.port = p->connect;
+-	else
+-		ev.source.port = p->port;
+-	ev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
+-	ev.type = SNDRV_SEQ_EVENT_CONTROLLER;
+-	for (i = 0; i < 16; i++) {
+-		ev.data.control.channel = i;
+-		ev.data.control.param = MIDI_CTL_ALL_SOUNDS_OFF;
+-		snd_seq_kernel_client_dispatch(p->client, &ev, 0, 0);
+-		ev.data.control.param = MIDI_CTL_RESET_CONTROLLERS;
+-		snd_seq_kernel_client_dispatch(p->client, &ev, 0, 0);
+-	}
+-	return 0;
+-}
+-
+-/*
+  * event input callback - just redirect events to subscribers
+  */
+ static int
+@@ -175,7 +145,6 @@ create_port(int idx, int type)
+ 		| SNDRV_SEQ_PORT_TYPE_PORT;
+ 	memset(&pcb, 0, sizeof(pcb));
+ 	pcb.owner = THIS_MODULE;
+-	pcb.unuse = dummy_unuse;
+ 	pcb.event_input = dummy_input;
+ 	pcb.private_free = dummy_free;
+ 	pcb.private_data = rec;
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index faabaa5..ee95618 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -311,8 +311,10 @@ int snd_hda_get_sub_nodes(struct hda_codec *codec, hda_nid_t nid,
+ 	unsigned int parm;
+ 
+ 	parm = snd_hda_param_read(codec, nid, AC_PAR_NODE_COUNT);
+-	if (parm == -1)
++	if (parm == -1) {
++		*start_id = 0;
+ 		return 0;
++	}
+ 	*start_id = (parm >> 16) & 0x7fff;
+ 	return (int)(parm & 0x7fff);
+ }
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 467a73b..240658b 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -4309,9 +4309,9 @@ static void stac_store_hints(struct hda_codec *codec)
+ 			spec->gpio_mask;
+ 	}
+ 	if (get_int_hint(codec, "gpio_dir", &spec->gpio_dir))
+-		spec->gpio_mask &= spec->gpio_mask;
+-	if (get_int_hint(codec, "gpio_data", &spec->gpio_data))
+ 		spec->gpio_dir &= spec->gpio_mask;
++	if (get_int_hint(codec, "gpio_data", &spec->gpio_data))
++		spec->gpio_data &= spec->gpio_mask;
+ 	if (get_int_hint(codec, "eapd_mask", &spec->eapd_mask))
+ 		spec->eapd_mask &= spec->gpio_mask;
+ 	if (get_int_hint(codec, "gpio_mute", &spec->gpio_mute))
+diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c
+index ef96ca6..3551705 100644
+--- a/sound/soc/codecs/wm8960.c
++++ b/sound/soc/codecs/wm8960.c
+@@ -499,7 +499,7 @@ static struct {
+ 	{ 22050, 2 },
+ 	{ 24000, 2 },
+ 	{ 16000, 3 },
+-	{ 11250, 4 },
++	{ 11025, 4 },
+ 	{ 12000, 4 },
+ 	{  8000, 5 },
+ };
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index e5fee18..de86e74 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -364,6 +364,8 @@ static void snd_usbmidi_error_timer(unsigned long data)
+ 		if (in && in->error_resubmit) {
+ 			in->error_resubmit = 0;
+ 			for (j = 0; j < INPUT_URBS; ++j) {
++				if (atomic_read(&in->urbs[j]->use_count))
++					continue;
+ 				in->urbs[j]->dev = umidi->dev;
+ 				snd_usbmidi_submit_urb(in->urbs[j], GFP_ATOMIC);
+ 			}
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 4f7b330..88160b7 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -834,6 +834,7 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
+ 	case USB_ID(0x046d, 0x0807): /* Logitech Webcam C500 */
+ 	case USB_ID(0x046d, 0x0808):
+ 	case USB_ID(0x046d, 0x0809):
++	case USB_ID(0x046d, 0x0819): /* Logitech Webcam C210 */
+ 	case USB_ID(0x046d, 0x081b): /* HD Webcam c310 */
+ 	case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */
+ 	case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */
+diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
+index 0e4e909..1e0798f 100644
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -304,8 +304,11 @@ static struct usbmix_name_map hercules_usb51_map[] = {
+ 	{ 0 }				/* terminator */
+ };
+ 
+-static const struct usbmix_name_map kef_x300a_map[] = {
+-	{ 10, NULL }, /* firmware locks up (?) when we try to access this FU */
++/* some (all?) SCMS USB3318 devices are affected by a firmware lock up
++ * when anything attempts to access FU 10 (control)
++ */
++static const struct usbmix_name_map scms_usb3318_map[] = {
++	{ 10, NULL },
+ 	{ 0 }
+ };
+ 
+@@ -377,8 +380,14 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = {
+ 		.ignore_ctl_error = 1,
+ 	},
+ 	{
++		/* KEF X300A */
+ 		.id = USB_ID(0x27ac, 0x1000),
+-		.map = kef_x300a_map,
++		.map = scms_usb3318_map,
++	},
++	{
++		/* Arcam rPAC */
++		.id = USB_ID(0x25c4, 0x0003),
++		.map = scms_usb3318_map,
+ 	},
+ 	{ 0 } /* terminator */
+ };
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index e467a58..2aacb96 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -2540,133 +2540,45 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ 	}
+ },
+ 
+-/* Hauppauge HVR-950Q and HVR-850 */
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x7200),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x7240),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-850",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x7210),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x7217),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x721b),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x721e),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x721f),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x2040, 0x7280),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
+-{
+-	USB_DEVICE_VENDOR_SPEC(0x0fd9, 0x0008),
+-	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
+-		       USB_DEVICE_ID_MATCH_INT_CLASS |
+-		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
+-	.bInterfaceClass = USB_CLASS_AUDIO,
+-	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+-	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+-		.vendor_name = "Hauppauge",
+-		.product_name = "HVR-950Q",
+-		.ifnum = QUIRK_ANY_INTERFACE,
+-		.type = QUIRK_AUDIO_ALIGN_TRANSFER,
+-	}
+-},
++/*
++ * Auvitek au0828 devices with audio interface.
++ * This should be kept in sync with drivers/media/video/au0828/au0828-cards.c
++ * Please notice that some drivers are DVB only, and don't need to be
++ * here. That's the case, for example, of DVICO_FUSIONHDTV7.
++ */
++
++#define AU0828_DEVICE(vid, pid, vname, pname) { \
++	USB_DEVICE_VENDOR_SPEC(vid, pid), \
++	.match_flags = USB_DEVICE_ID_MATCH_DEVICE | \
++		       USB_DEVICE_ID_MATCH_INT_CLASS | \
++		       USB_DEVICE_ID_MATCH_INT_SUBCLASS, \
++	.bInterfaceClass = USB_CLASS_AUDIO, \
++	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, \
++	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { \
++		.vendor_name = vname, \
++		.product_name = pname, \
++		.ifnum = QUIRK_ANY_INTERFACE, \
++		.type = QUIRK_AUDIO_ALIGN_TRANSFER, \
++	} \
++}
++
++AU0828_DEVICE(0x2040, 0x7200, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7240, "Hauppauge", "HVR-850"),
++AU0828_DEVICE(0x2040, 0x7210, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7217, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x721b, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x721e, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x721f, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7280, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x0fd9, 0x0008, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7201, "Hauppauge", "HVR-950Q-MXL"),
++AU0828_DEVICE(0x2040, 0x7211, "Hauppauge", "HVR-950Q-MXL"),
++AU0828_DEVICE(0x2040, 0x7281, "Hauppauge", "HVR-950Q-MXL"),
++AU0828_DEVICE(0x05e1, 0x0480, "Hauppauge", "Woodbury"),
++AU0828_DEVICE(0x2040, 0x8200, "Hauppauge", "Woodbury"),
++AU0828_DEVICE(0x2040, 0x7260, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7213, "Hauppauge", "HVR-950Q"),
++AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
+ 
+ /* Digidesign Mbox */
+ {
diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201502052350.patch b/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch
index 520ed1e..880a085 100644
--- a/3.2.66/4420_grsecurity-3.0-3.2.66-201502052350.patch
+++ b/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch
@@ -203,7 +203,7 @@ index dfa6fc6..ccbfbf3 100644
 +zconf.lex.c
  zoffset.h
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 1b196ea..da5220d 100644
+index f0001eb..1727e84 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
 @@ -859,6 +859,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -216,7 +216,7 @@ index 1b196ea..da5220d 100644
  	hashdist=	[KNL,NUMA] Large hashes allocated during boot
  			are distributed across NUMA nodes.  Defaults on
  			for 64-bit NUMA, off otherwise.
-@@ -1962,6 +1965,27 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -1963,6 +1966,27 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
  			the specified number of seconds.  This is to be used if
  			your oopses keep scrolling off the screen.
  
@@ -278,7 +278,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index f08f8bf..f762039 100644
+index 70769fb..720ab16 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -786,7 +786,7 @@ index 01e8715..6a5a03b 100644
  	return addr;
  }
 diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
-index fadd5f8..904e73a 100644
+index e576b91..9b43be9 100644
 --- a/arch/alpha/mm/fault.c
 +++ b/arch/alpha/mm/fault.c
 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
@@ -2933,7 +2933,7 @@ index b7f5c68..556135c 100644
  
  #undef D
 diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
-index f7040a1..db9f300 100644
+index 632b649..043ddd2 100644
 --- a/arch/avr32/mm/fault.c
 +++ b/arch/avr32/mm/fault.c
 @@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
@@ -2960,7 +2960,7 @@ index f7040a1..db9f300 100644
  /*
   * This routine handles page faults. It determines the address and the
   * problem, and then passes it off to one of the appropriate routines.
-@@ -156,6 +173,16 @@ bad_area:
+@@ -158,6 +175,16 @@ bad_area:
  	up_read(&mm->mmap_sem);
  
  	if (user_mode(regs)) {
@@ -3651,7 +3651,7 @@ index 53c0ba0..2accdde 100644
  	 * ensure percpu data fits
  	 * into percpu page size
 diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
-index 20b3593..1ce77f0 100644
+index 1e362cd..3ad6444 100644
 --- a/arch/ia64/mm/fault.c
 +++ b/arch/ia64/mm/fault.c
 @@ -73,6 +73,23 @@ mapped_kernel_page_is_present (unsigned long address)
@@ -4240,7 +4240,7 @@ index 07fc524..b9d7f28 100644
 +	BUG();
  }
 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
-index 937cf33..adb39bb 100644
+index b8314cfe..5bfa31a 100644
 --- a/arch/mips/mm/fault.c
 +++ b/arch/mips/mm/fault.c
 @@ -28,6 +28,23 @@
@@ -5025,7 +5025,7 @@ index cd8b02f..543008b 100644
  				fault_space = regs->iasq[0];
  
 diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
-index 18162ce..94de376 100644
+index a9b765a..e78ae8e 100644
 --- a/arch/parisc/mm/fault.c
 +++ b/arch/parisc/mm/fault.c
 @@ -15,6 +15,7 @@
@@ -6161,7 +6161,7 @@ index 5eea6f3..5d10396 100644
  EXPORT_SYMBOL(copy_in_user);
  
 diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
-index 5efe8c9..db9ceef 100644
+index 7450843..9f8cfc7 100644
 --- a/arch/powerpc/mm/fault.c
 +++ b/arch/powerpc/mm/fault.c
 @@ -32,6 +32,10 @@
@@ -6244,7 +6244,7 @@ index 5efe8c9..db9ceef 100644
  			goto bad_area;
  #endif /* CONFIG_PPC_STD_MMU */
  
-@@ -343,6 +375,23 @@ bad_area:
+@@ -345,6 +377,23 @@ bad_area:
  bad_area_nosemaphore:
  	/* User mode accesses cause a SIGSEGV */
  	if (user_mode(regs)) {
@@ -9054,7 +9054,7 @@ index 301421c1..e2535d1 100644
  obj-$(CONFIG_SPARC64)   += ultra.o tlb.o tsb.o gup.o
  obj-y                   += fault_$(BITS).o
 diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
-index 8023fd7..3a6d569 100644
+index 802b806..483d6e9 100644
 --- a/arch/sparc/mm/fault_32.c
 +++ b/arch/sparc/mm/fault_32.c
 @@ -21,6 +21,9 @@
@@ -9371,7 +9371,7 @@ index 8023fd7..3a6d569 100644
  		if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
  			goto bad_area;
 diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
-index 2c0b966..00bf94e 100644
+index bfd7c02..6e941d8 100644
 --- a/arch/sparc/mm/fault_64.c
 +++ b/arch/sparc/mm/fault_64.c
 @@ -21,6 +21,9 @@
@@ -13556,7 +13556,7 @@ index b8a5fe5..fbbe2c2 100644
  			     "4:\n"
  			     ".previous\n"
 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
-index 41935fa..e0fb1f6 100644
+index 3225868..e0fb1f6 100644
 --- a/arch/x86/include/asm/desc.h
 +++ b/arch/x86/include/asm/desc.h
 @@ -4,6 +4,7 @@
@@ -13650,7 +13650,7 @@ index 41935fa..e0fb1f6 100644
  }
  
  static inline void native_load_gdt(const struct desc_ptr *dtr)
-@@ -244,11 +255,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
+@@ -244,8 +255,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
  	struct desc_struct *gdt = get_cpu_gdt_table(cpu);
  	unsigned int i;
  
@@ -13660,37 +13660,8 @@ index 41935fa..e0fb1f6 100644
 +	pax_close_kernel();
  }
  
--#define _LDT_empty(info)				\
-+/* This intentionally ignores lm, since 32-bit apps don't have that field. */
-+#define LDT_empty(info)					\
- 	((info)->base_addr		== 0	&&	\
- 	 (info)->limit			== 0	&&	\
- 	 (info)->contents		== 0	&&	\
-@@ -258,11 +272,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
- 	 (info)->seg_not_present	== 1	&&	\
- 	 (info)->useable		== 0)
- 
--#ifdef CONFIG_X86_64
--#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
--#else
--#define LDT_empty(info) (_LDT_empty(info))
--#endif
-+/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
-+static inline bool LDT_zero(const struct user_desc *info)
-+{
-+	return (info->base_addr		== 0 &&
-+		info->limit		== 0 &&
-+		info->contents		== 0 &&
-+		info->read_exec_only	== 0 &&
-+		info->seg_32bit		== 0 &&
-+		info->limit_in_pages	== 0 &&
-+		info->seg_not_present	== 0 &&
-+		info->useable		== 0);
-+}
- 
- static inline void clear_LDT(void)
- {
-@@ -284,7 +305,7 @@ static inline void load_LDT(mm_context_t *pc)
+ /* This intentionally ignores lm, since 32-bit apps don't have that field. */
+@@ -292,7 +305,7 @@ static inline void load_LDT(mm_context_t *pc)
  	preempt_enable();
  }
  
@@ -13699,7 +13670,7 @@ index 41935fa..e0fb1f6 100644
  {
  	return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
  }
-@@ -307,7 +328,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
+@@ -315,7 +328,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
  	desc->limit = (limit >> 16) & 0xf;
  }
  
@@ -13708,7 +13679,7 @@ index 41935fa..e0fb1f6 100644
  			     unsigned dpl, unsigned ist, unsigned seg)
  {
  	gate_desc s;
-@@ -326,7 +347,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
+@@ -334,7 +347,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
   * Pentium F0 0F bugfix can have resulted in the mapped
   * IDT being write-protected.
   */
@@ -13717,7 +13688,7 @@ index 41935fa..e0fb1f6 100644
  {
  	BUG_ON((unsigned)n > 0xFF);
  	_set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
-@@ -356,19 +377,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr)
+@@ -364,19 +377,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr)
  /*
   * This routine sets up an interrupt gate at directory privilege level 3.
   */
@@ -13740,7 +13711,7 @@ index 41935fa..e0fb1f6 100644
  {
  	BUG_ON((unsigned)n > 0xFF);
  	_set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
-@@ -377,19 +398,31 @@ static inline void set_trap_gate(unsigned int n, void *addr)
+@@ -385,19 +398,31 @@ static inline void set_trap_gate(unsigned int n, void *addr)
  static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
  {
  	BUG_ON((unsigned)n > 0xFF);
@@ -14223,24 +14194,6 @@ index 9171618..fe2b1da 100644
  	struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
  	/*
  	 * Hash table of struct kvm_mmu_page.
-diff --git a/arch/x86/include/asm/ldt.h b/arch/x86/include/asm/ldt.h
-index 46727eb..6e1aaf7 100644
---- a/arch/x86/include/asm/ldt.h
-+++ b/arch/x86/include/asm/ldt.h
-@@ -28,6 +28,13 @@ struct user_desc {
- 	unsigned int  seg_not_present:1;
- 	unsigned int  useable:1;
- #ifdef __x86_64__
-+	/*
-+	 * Because this bit is not present in 32-bit user code, user
-+	 * programs can pass uninitialized values here.  Therefore, in
-+	 * any context in which a user_desc comes from a 32-bit program,
-+	 * the kernel must act as though lm == 0, regardless of the
-+	 * actual value.
-+	 */
- 	unsigned int  lm:1;
- #endif
- };
 diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
 index 9cdae5d..3534f04 100644
 --- a/arch/x86/include/asm/local.h
@@ -17910,10 +17863,10 @@ index 25f24dc..4094a7f 100644
  obj-y			+= proc.o capflags.o powerflags.o common.o
  obj-y			+= vmware.o hypervisor.o sched.o mshyperv.o
 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 2d44a28..c33f4c8 100644
+index 60d4c33..3f51857 100644
 --- a/arch/x86/kernel/cpu/amd.c
 +++ b/arch/x86/kernel/cpu/amd.c
-@@ -701,7 +701,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
+@@ -711,7 +711,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
  							unsigned int size)
  {
  	/* AMD errata T13 (order #21922) */
@@ -22086,7 +22039,7 @@ index 2f45c4c..3f51a0c 100644
  }
  
 diff --git a/arch/x86/kernel/kprobes.c b/arch/x86/kernel/kprobes.c
-index 7da647d..6e9fab5 100644
+index 083848f..69321f0 100644
 --- a/arch/x86/kernel/kprobes.c
 +++ b/arch/x86/kernel/kprobes.c
 @@ -117,9 +117,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op)
@@ -22228,7 +22181,7 @@ index 7da647d..6e9fab5 100644
  		return ret;
  
  	switch (val) {
-@@ -1120,6 +1130,7 @@ static void __kprobes synthesize_relcall(void *from, void *to)
+@@ -1130,6 +1140,7 @@ static void __kprobes synthesize_relcall(void *from, void *to)
  static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr,
  					  unsigned long val)
  {
@@ -22236,7 +22189,7 @@ index 7da647d..6e9fab5 100644
  #ifdef CONFIG_X86_64
  	*addr++ = 0x48;
  	*addr++ = 0xbf;
-@@ -1127,6 +1138,7 @@ static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr,
+@@ -1137,6 +1148,7 @@ static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr,
  	*addr++ = 0xb8;
  #endif
  	*(unsigned long *)addr = val;
@@ -22244,7 +22197,7 @@ index 7da647d..6e9fab5 100644
  }
  
  static void __used __kprobes kprobes_optinsn_template_holder(void)
-@@ -1307,7 +1319,7 @@ static int __kprobes can_optimize(unsigned long paddr)
+@@ -1317,7 +1329,7 @@ static int __kprobes can_optimize(unsigned long paddr)
  			ret = recover_probed_instruction(buf, addr);
  			if (ret)
  				return 0;
@@ -22253,7 +22206,7 @@ index 7da647d..6e9fab5 100644
  		}
  		insn_get_length(&insn);
  		/* Recover address */
-@@ -1384,7 +1396,7 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
+@@ -1394,7 +1406,7 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
  	 * Verify if the address gap is in 2GB range, because this uses
  	 * a relative jump.
  	 */
@@ -22262,7 +22215,7 @@ index 7da647d..6e9fab5 100644
  	if (abs(rel) > 0x7fffffff)
  		return -ERANGE;
  
-@@ -1399,16 +1411,18 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
+@@ -1409,16 +1421,18 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
  	op->optinsn.size = ret;
  
  	/* Copy arch-dep-instance from template */
@@ -22284,7 +22237,7 @@ index 7da647d..6e9fab5 100644
  			   (u8 *)op->kp.addr + op->optinsn.size);
  
  	flush_icache_range((unsigned long) buf,
-@@ -1431,7 +1445,7 @@ static void __kprobes setup_optimize_kprobe(struct text_poke_param *tprm,
+@@ -1441,7 +1455,7 @@ static void __kprobes setup_optimize_kprobe(struct text_poke_param *tprm,
  			((long)op->kp.addr + RELATIVEJUMP_SIZE));
  
  	/* Backup instructions which will be replaced by jump address */
@@ -22293,7 +22246,7 @@ index 7da647d..6e9fab5 100644
  	       RELATIVE_ADDR_SIZE);
  
  	insn_buf[0] = RELATIVEJUMP_OPCODE;
-@@ -1530,7 +1544,7 @@ static int  __kprobes setup_detour_execution(struct kprobe *p,
+@@ -1540,7 +1554,7 @@ static int  __kprobes setup_detour_execution(struct kprobe *p,
  		/* This kprobe is really able to run optimized path. */
  		op = container_of(p, struct optimized_kprobe, kp);
  		/* Detour through copied instructions */
@@ -23120,7 +23073,7 @@ index 8598296..3fd3443 100644
  }
 -
 diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
-index 6a364a6..030f5d6 100644
+index e361095..4882b55 100644
 --- a/arch/x86/kernel/process_64.c
 +++ b/arch/x86/kernel/process_64.c
 @@ -89,7 +89,7 @@ static void __exit_idle(void)
@@ -23159,7 +23112,7 @@ index 6a364a6..030f5d6 100644
  	unsigned fsindex, gsindex;
  	fpu_switch_t fpu;
  
-@@ -461,10 +461,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+@@ -506,10 +506,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
  	prev->usersp = percpu_read(old_rsp);
  	percpu_write(old_rsp, next->usersp);
  	percpu_write(current_task, next_p);
@@ -23172,7 +23125,7 @@ index 6a364a6..030f5d6 100644
  
  	/*
  	 * Now maybe reload the debug registers and handle I/O bitmaps
-@@ -519,12 +518,11 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -564,12 +563,11 @@ unsigned long get_wchan(struct task_struct *p)
  	if (!p || p == current || p->state == TASK_RUNNING)
  		return 0;
  	stack = (unsigned long)task_stack_page(p);
@@ -24398,72 +24351,10 @@ index dd5fbf4..b7f2232 100644
  	return pc;
  }
 diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index 7af7338..79ea0e3 100644
+index 0c38d06..79ea0e3 100644
 --- a/arch/x86/kernel/tls.c
 +++ b/arch/x86/kernel/tls.c
-@@ -30,7 +30,28 @@ static int get_free_idx(void)
- 
- static bool tls_desc_okay(const struct user_desc *info)
- {
--	if (LDT_empty(info))
-+	/*
-+	 * For historical reasons (i.e. no one ever documented how any
-+	 * of the segmentation APIs work), user programs can and do
-+	 * assume that a struct user_desc that's all zeros except for
-+	 * entry_number means "no segment at all".  This never actually
-+	 * worked.  In fact, up to Linux 3.19, a struct user_desc like
-+	 * this would create a 16-bit read-write segment with base and
-+	 * limit both equal to zero.
-+	 *
-+	 * That was close enough to "no segment at all" until we
-+	 * hardened this function to disallow 16-bit TLS segments.  Fix
-+	 * it up by interpreting these zeroed segments the way that they
-+	 * were almost certainly intended to be interpreted.
-+	 *
-+	 * The correct way to ask for "no segment at all" is to specify
-+	 * a user_desc that satisfies LDT_empty.  To keep everything
-+	 * working, we accept both.
-+	 *
-+	 * Note that there's a similar kludge in modify_ldt -- look at
-+	 * the distinction between modes 1 and 0x11.
-+	 */
-+	if (LDT_empty(info) || LDT_zero(info))
- 		return true;
- 
- 	/*
-@@ -40,6 +61,22 @@ static bool tls_desc_okay(const struct user_desc *info)
- 	if (!info->seg_32bit)
- 		return false;
- 
-+	/* Only allow data segments in the TLS array. */
-+	if (info->contents > 1)
-+		return false;
-+
-+	/*
-+	 * Non-present segments with DPL 3 present an interesting attack
-+	 * surface.  The kernel should handle such segments correctly,
-+	 * but TLS is very difficult to protect in a sandbox, so prevent
-+	 * such segments from being created.
-+	 *
-+	 * If userspace needs to remove a TLS entry, it can still delete
-+	 * it outright.
-+	 */
-+	if (info->seg_not_present)
-+		return false;
-+
- 	return true;
- }
- 
-@@ -56,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
- 	cpu = get_cpu();
- 
- 	while (n-- > 0) {
--		if (LDT_empty(info))
-+		if (LDT_empty(info) || LDT_zero(info))
- 			desc->a = desc->b = 0;
- 		else
- 			fill_ldt(desc, info);
-@@ -103,6 +140,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
+@@ -140,6 +140,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
  	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
  		return -EINVAL;
  
@@ -24475,7 +24366,7 @@ index 7af7338..79ea0e3 100644
  	set_tls_desc(p, idx, &info, 1);
  
  	return 0;
-@@ -224,7 +266,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+@@ -261,7 +266,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
  
  	if (kbuf)
  		info = kbuf;
@@ -24800,7 +24691,7 @@ index 04b8726..0c35b29 100644
  		goto cannot_handle;
  	if ((segoffs >> 16) == BIOSSEG)
 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
-index 0f703f1..cd7e91b 100644
+index 0f703f1..045a8f1 100644
 --- a/arch/x86/kernel/vmlinux.lds.S
 +++ b/arch/x86/kernel/vmlinux.lds.S
 @@ -26,6 +26,13 @@
@@ -24982,7 +24873,6 @@ index 0f703f1..cd7e91b 100644
 +	.init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
 +		VMLINUX_SYMBOL(_sinittext) = .;
 +		INIT_TEXT
-+		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(PAGE_SIZE);
 +	} :text.init
  
@@ -24993,6 +24883,7 @@ index 0f703f1..cd7e91b 100644
 +	 */
 +	.exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
 +		EXIT_TEXT
++		VMLINUX_SYMBOL(_einittext) = .;
 +		. = ALIGN(16);
 +	} :text.exit
 +	. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
@@ -25192,7 +25083,7 @@ index 7110911..069da9c 100644
  		/*
  		 * Encountered an error while doing the restore from the
 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index f0ac042..39c366e 100644
+index bdad489..43849f4 100644
 --- a/arch/x86/kvm/emulate.c
 +++ b/arch/x86/kvm/emulate.c
 @@ -249,6 +249,7 @@ struct gprefix {
@@ -25230,49 +25121,7 @@ index f0ac042..39c366e 100644
  	} while (0)
  
  /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
-@@ -2077,23 +2074,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- 	setup_syscalls_segments(ctxt, &cs, &ss);
- 
- 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
--	switch (ctxt->mode) {
--	case X86EMUL_MODE_PROT32:
--		if ((msr_data & 0xfffc) == 0x0)
--			return emulate_gp(ctxt, 0);
--		break;
--	case X86EMUL_MODE_PROT64:
--		if (msr_data == 0x0)
--			return emulate_gp(ctxt, 0);
--		break;
--	}
-+	if ((msr_data & 0xfffc) == 0x0)
-+		return emulate_gp(ctxt, 0);
- 
- 	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
--	cs_sel = (u16)msr_data;
--	cs_sel &= ~SELECTOR_RPL_MASK;
-+	cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
- 	ss_sel = cs_sel + 8;
--	ss_sel &= ~SELECTOR_RPL_MASK;
--	if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
-+	if (efer & EFER_LMA) {
- 		cs.d = 0;
- 		cs.l = 1;
- 	}
-@@ -2102,10 +2089,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- 	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
- 
- 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
--	ctxt->_eip = msr_data;
-+	ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
- 
- 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
--	ctxt->regs[VCPU_REGS_RSP] = msr_data;
-+	ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data :
-+							(u32)msr_data;
- 
- 	return X86EMUL_CONTINUE;
- }
-@@ -3003,7 +2991,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+@@ -3013,7 +3010,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
  	int cr = ctxt->modrm_reg;
  	u64 efer = 0;
  
@@ -25281,7 +25130,7 @@ index f0ac042..39c366e 100644
  		0xffffffff00000000ULL,
  		0, 0, 0, /* CR3 checked later */
  		CR4_RESERVED_BITS,
-@@ -3038,7 +3026,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+@@ -3048,7 +3045,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
  
  		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
  		if (efer & EFER_LMA)
@@ -28404,7 +28253,7 @@ index d0474ad..36e9257 100644
  		extern u32 pnp_bios_is_utter_crap;
  		pnp_bios_is_utter_crap = 1;
 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 53a7b69..8cc6fea 100644
+index 8cac088..527a9c0 100644
 --- a/arch/x86/mm/fault.c
 +++ b/arch/x86/mm/fault.c
 @@ -13,11 +13,18 @@
@@ -28639,7 +28488,7 @@ index 53a7b69..8cc6fea 100644
  		code = BUS_MCEERR_AR;
  	}
  #endif
-@@ -894,6 +992,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
+@@ -896,6 +994,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
  	return 1;
  }
  
@@ -28739,7 +28588,7 @@ index 53a7b69..8cc6fea 100644
  /*
   * Handle a spurious fault caused by a stale TLB entry.
   *
-@@ -966,6 +1157,9 @@ int show_unhandled_signals = 1;
+@@ -968,6 +1159,9 @@ int show_unhandled_signals = 1;
  static inline int
  access_error(unsigned long error_code, struct vm_area_struct *vma)
  {
@@ -28749,7 +28598,7 @@ index 53a7b69..8cc6fea 100644
  	if (error_code & PF_WRITE) {
  		/* write, present and write, not present: */
  		if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -999,18 +1193,32 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1001,18 +1195,32 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  {
  	struct vm_area_struct *vma;
  	struct task_struct *tsk;
@@ -28787,7 +28636,7 @@ index 53a7b69..8cc6fea 100644
  
  	/*
  	 * Detect and handle instructions that would cause a page fault for
-@@ -1071,7 +1279,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1073,7 +1281,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  	 * User-mode registers count as a user access even for any
  	 * potential system fault or CPU buglet:
  	 */
@@ -28796,7 +28645,7 @@ index 53a7b69..8cc6fea 100644
  		local_irq_enable();
  		error_code |= PF_USER;
  	} else {
-@@ -1126,6 +1334,11 @@ retry:
+@@ -1128,6 +1336,11 @@ retry:
  		might_sleep();
  	}
  
@@ -28808,7 +28657,7 @@ index 53a7b69..8cc6fea 100644
  	vma = find_vma(mm, address);
  	if (unlikely(!vma)) {
  		bad_area(regs, error_code, address);
-@@ -1137,18 +1350,24 @@ retry:
+@@ -1139,18 +1352,24 @@ retry:
  		bad_area(regs, error_code, address);
  		return;
  	}
@@ -28844,7 +28693,7 @@ index 53a7b69..8cc6fea 100644
  	if (unlikely(expand_stack(vma, address))) {
  		bad_area(regs, error_code, address);
  		return;
-@@ -1203,3 +1422,292 @@ good_area:
+@@ -1205,3 +1424,292 @@ good_area:
  
  	up_read(&mm->mmap_sem);
  }
@@ -29870,7 +29719,7 @@ index 29f7c6d9..5122941 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 266f717..51ef7c9 100644
+index 44b93da..5a0b3ee 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -30005,7 +29854,7 @@ index 266f717..51ef7c9 100644
  		spin_unlock(&init_mm.page_table_lock);
  		pgd_changed = true;
  	}
-@@ -866,8 +880,8 @@ int kern_addr_valid(unsigned long addr)
+@@ -856,8 +870,8 @@ int kern_addr_valid(unsigned long addr)
  static struct vm_area_struct gate_vma = {
  	.vm_start	= VSYSCALL_START,
  	.vm_end		= VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -30016,7 +29865,7 @@ index 266f717..51ef7c9 100644
  };
  
  struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
-@@ -901,7 +915,7 @@ int in_gate_area_no_mm(unsigned long addr)
+@@ -891,7 +905,7 @@ int in_gate_area_no_mm(unsigned long addr)
  
  const char *arch_vma_name(struct vm_area_struct *vma)
  {
@@ -30042,7 +29891,7 @@ index 7b179b49..6bd17777 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index dec49d3..e2bd3f0 100644
+index dec49d3..1943563 100644
 --- a/arch/x86/mm/ioremap.c
 +++ b/arch/x86/mm/ioremap.c
 @@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
@@ -30065,17 +29914,29 @@ index dec49d3..e2bd3f0 100644
  {
  	struct vm_struct *p, *o;
  
-@@ -327,6 +327,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
- 
+@@ -322,23 +322,22 @@ EXPORT_SYMBOL(iounmap);
+  */
+ void *xlate_dev_mem_ptr(unsigned long phys)
+ {
+-	void *addr;
+-	unsigned long start = phys & PAGE_MASK;
+-
  	/* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
- 	if (page_is_ram(start >> PAGE_SHIFT))
+-	if (page_is_ram(start >> PAGE_SHIFT))
++	if (page_is_ram(phys >> PAGE_SHIFT))
 +#ifdef CONFIG_HIGHMEM
-+	if ((start >> PAGE_SHIFT) < max_low_pfn)
++	if ((phys >> PAGE_SHIFT) < max_low_pfn)
 +#endif
  		return __va(phys);
  
- 	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
-@@ -339,6 +342,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+-	addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
+-	if (addr)
+-		addr = (void *)((unsigned long)addr | (phys & ~PAGE_MASK));
+-
+-	return addr;
++	return (void __force *)ioremap_cache(phys, PAGE_SIZE);
+ }
+ 
  void unxlate_dev_mem_ptr(unsigned long phys, void *addr)
  {
  	if (page_is_ram(phys >> PAGE_SHIFT))
@@ -30085,7 +29946,7 @@ index dec49d3..e2bd3f0 100644
  		return;
  
  	iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
-@@ -356,7 +362,7 @@ static int __init early_ioremap_debug_setup(char *str)
+@@ -356,7 +355,7 @@ static int __init early_ioremap_debug_setup(char *str)
  early_param("early_ioremap_debug", early_ioremap_debug_setup);
  
  static __initdata int after_paging_init;
@@ -30094,7 +29955,7 @@ index dec49d3..e2bd3f0 100644
  
  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
  {
-@@ -393,8 +399,7 @@ void __init early_ioremap_init(void)
+@@ -393,8 +392,7 @@ void __init early_ioremap_init(void)
  		slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
  
  	pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
@@ -30905,7 +30766,7 @@ index 6687022..ceabcfa 100644
 +	pax_force_retaddr
  	ret
 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 5a5b6e4..3cbf9b7 100644
+index 5a5b6e4..07b4acb 100644
 --- a/arch/x86/net/bpf_jit_comp.c
 +++ b/arch/x86/net/bpf_jit_comp.c
 @@ -11,6 +11,7 @@
@@ -30916,7 +30777,7 @@ index 5a5b6e4..3cbf9b7 100644
  
  /*
   * Conventions :
-@@ -45,13 +46,84 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
+@@ -45,13 +46,96 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
  	return ptr + len;
  }
  
@@ -30944,7 +30805,8 @@ index 5a5b6e4..3cbf9b7 100644
 +	EMIT2(0x81, 0xf1);			\
 +	EMIT((_key) ^ (_off), 4);		\
 +} while (0)
-+
++#define SHORT_JMP_LENGTH 2
++#define NEAR_JMP_LENGTH (5 + 8)
 +#define EMIT1_off32(b1, _off)								\
 +do { 											\
 +	switch (b1) {									\
@@ -30952,12 +30814,20 @@ index 5a5b6e4..3cbf9b7 100644
 +		case 0x2d: /* sub eax, imm32 */						\
 +		case 0x25: /* and eax, imm32 */						\
 +		case 0x0d: /* or eax, imm32 */						\
-+		case 0xb8: /* mov eax, imm32 */						\
 +		case 0x3d: /* cmp eax, imm32 */						\
-+		case 0xa9: /* test eax, imm32 */					\
 +			DILUTE_CONST_SEQUENCE(_off, randkey);				\
 +			EMIT2((b1) - 4, 0xc8); /* convert imm instruction to eax, ecx */\
 +			break;								\
++		case 0xb8: /* mov eax, imm32 */						\
++			DILUTE_CONST_SEQUENCE(_off, randkey);				\
++			/* mov eax, ecx */						\
++			EMIT2(0x89, 0xc8);						\
++			break;								\
++		case 0xa9: /* test eax, imm32 */					\
++			DILUTE_CONST_SEQUENCE(_off, randkey);				\
++			/* test eax, ecx */						\
++			EMIT2(0x85, 0xc8);						\
++			break;								\
 +		case 0xbb: /* mov ebx, imm32 */						\
 +			DILUTE_CONST_SEQUENCE(_off, randkey);				\
 +			/* mov ebx, ecx */						\
@@ -30973,8 +30843,9 @@ index 5a5b6e4..3cbf9b7 100644
 +			EMIT(_off, 4);							\
 +			break;								\
 +		case 0xe9: /* jmp rel imm32 */						\
++			BUG_ON((int)(_off) < 0);					\
 +			EMIT1(b1);							\
-+			EMIT(_off, 4);							\
++			EMIT(_off + 8, 4);						\
 +			/* prevent fall-through, we're not called if off = 0 */		\
 +			EMIT(0xcccccccc, 4);						\
 +			EMIT(0xcccccccc, 4);						\
@@ -30997,11 +30868,21 @@ index 5a5b6e4..3cbf9b7 100644
 +#else
  #define EMIT1_off32(b1, off)	do { EMIT1(b1); EMIT(off, 4);} while (0)
 +#define EMIT2_off32(b1, b2, off) do { EMIT2(b1, b2); EMIT(off, 4);} while (0)
++#define SHORT_JMP_LENGTH 2
++#define NEAR_JMP_LENGTH 5
 +#endif
  
  #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
  #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
-@@ -86,6 +158,24 @@ do {									\
+@@ -68,6 +152,7 @@ static inline bool is_near(int offset)
+ 
+ #define EMIT_JMP(offset)						\
+ do {									\
++        BUG_ON((int)(offset) < 0);					\
+ 	if (offset) {							\
+ 		if (is_near(offset))					\
+ 			EMIT2(0xeb, offset); /* jmp .+off8 */		\
+@@ -86,13 +171,33 @@ do {									\
  #define X86_JBE 0x76
  #define X86_JA  0x77
  
@@ -31025,16 +30906,18 @@ index 5a5b6e4..3cbf9b7 100644
 +
  #define EMIT_COND_JMP(op, offset)				\
  do {								\
++        BUG_ON((int)(offset) < 0);				\
  	if (is_near(offset))					\
-@@ -93,6 +183,7 @@ do {								\
+ 		EMIT2(op, offset); /* jxx .+off8 */		\
  	else {							\
  		EMIT2(0x0f, op + 0x10);				\
- 		EMIT(offset, 4); /* jxx .+off32 */		\
+-		EMIT(offset, 4); /* jxx .+off32 */		\
++		EMIT((offset) + 21, 4); /* jxx .+off32 */		\
 +		APPEND_FLOW_VERIFY();				\
  	}							\
  } while (0)
  
-@@ -117,10 +208,14 @@ static inline void bpf_flush_icache(void *start, void *end)
+@@ -117,10 +222,14 @@ static inline void bpf_flush_icache(void *start, void *end)
  	set_fs(old_fs);
  }
  
@@ -31050,7 +30933,7 @@ index 5a5b6e4..3cbf9b7 100644
  	u8 *prog;
  	unsigned int proglen, oldproglen = 0;
  	int ilen, i;
-@@ -133,6 +228,9 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -133,6 +242,9 @@ void bpf_jit_compile(struct sk_filter *fp)
  	unsigned int *addrs;
  	const struct sock_filter *filter = fp->insns;
  	int flen = fp->len;
@@ -31060,7 +30943,7 @@ index 5a5b6e4..3cbf9b7 100644
  
  	if (!bpf_jit_enable)
  		return;
-@@ -141,11 +239,15 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -141,11 +253,15 @@ void bpf_jit_compile(struct sk_filter *fp)
  	if (addrs == NULL)
  		return;
  
@@ -31078,7 +30961,7 @@ index 5a5b6e4..3cbf9b7 100644
  		addrs[i] = proglen;
  	}
  	cleanup_addr = proglen; /* epilogue address */
-@@ -221,6 +323,10 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -221,6 +337,10 @@ void bpf_jit_compile(struct sk_filter *fp)
  		for (i = 0; i < flen; i++) {
  			unsigned int K = filter[i].k;
  
@@ -31089,7 +30972,7 @@ index 5a5b6e4..3cbf9b7 100644
  			switch (filter[i].code) {
  			case BPF_S_ALU_ADD_X: /* A += X; */
  				seen |= SEEN_XREG;
-@@ -253,10 +359,8 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -253,10 +373,8 @@ void bpf_jit_compile(struct sk_filter *fp)
  			case BPF_S_ALU_MUL_K: /* A *= K */
  				if (is_imm8(K))
  					EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
@@ -31102,7 +30985,15 @@ index 5a5b6e4..3cbf9b7 100644
  				break;
  			case BPF_S_ALU_DIV_X: /* A /= X; */
  				seen |= SEEN_XREG;
-@@ -276,8 +380,14 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -269,15 +387,21 @@ void bpf_jit_compile(struct sk_filter *fp)
+ 					EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] -
+ 								(addrs[i] - 4));
+ 				} else {
+-					EMIT_COND_JMP(X86_JNE, 2 + 5);
++					EMIT_COND_JMP(X86_JNE, 2 + NEAR_JMP_LENGTH);
+ 					CLEAR_A();
+ 					EMIT1_off32(0xe9, cleanup_addr - (addrs[i] - 4)); /* jmp .+off32 */
+ 				}
  				EMIT4(0x31, 0xd2, 0xf7, 0xf3); /* xor %edx,%edx; div %ebx */
  				break;
  			case BPF_S_ALU_DIV_K: /* A = reciprocal_divide(A, K); */
@@ -31117,7 +31008,7 @@ index 5a5b6e4..3cbf9b7 100644
  				EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */
  				break;
  			case BPF_S_ALU_AND_X:
-@@ -477,7 +587,7 @@ void bpf_jit_compile(struct sk_filter *fp)
+@@ -477,7 +601,7 @@ void bpf_jit_compile(struct sk_filter *fp)
  common_load:			seen |= SEEN_DATAREF;
  				if ((int)K < 0) {
  					/* Abort the JIT because __load_pointer() is needed. */
@@ -31126,7 +31017,7 @@ index 5a5b6e4..3cbf9b7 100644
  				}
  				t_offset = func - (image + addrs[i]);
  				EMIT1_off32(0xbe, K); /* mov imm32,%esi */
-@@ -492,7 +602,7 @@ common_load:			seen |= SEEN_DATAREF;
+@@ -492,7 +616,7 @@ common_load:			seen |= SEEN_DATAREF;
  			case BPF_S_LDX_B_MSH:
  				if ((int)K < 0) {
  					/* Abort the JIT because __load_pointer() is needed. */
@@ -31135,7 +31026,16 @@ index 5a5b6e4..3cbf9b7 100644
  				}
  				seen |= SEEN_DATAREF | SEEN_XREG;
  				t_offset = sk_load_byte_msh - (image + addrs[i]);
-@@ -582,17 +692,18 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+@@ -572,7 +696,7 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+ 				}
+ 				if (filter[i].jt != 0) {
+ 					if (filter[i].jf && f_offset)
+-						t_offset += is_near(f_offset) ? 2 : 5;
++						t_offset += is_near(f_offset) ? SHORT_JMP_LENGTH : NEAR_JMP_LENGTH;
+ 					EMIT_COND_JMP(t_op, t_offset);
+ 					if (filter[i].jf)
+ 						EMIT_JMP(f_offset);
+@@ -582,17 +706,18 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
  				break;
  			default:
  				/* hmm, too complex filter, give up with jit compiler */
@@ -31158,7 +31058,7 @@ index 5a5b6e4..3cbf9b7 100644
  			}
  			proglen += ilen;
  			addrs[i] = proglen;
-@@ -613,11 +724,9 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+@@ -613,11 +738,9 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
  			break;
  		}
  		if (proglen == oldproglen) {
@@ -31172,7 +31072,7 @@ index 5a5b6e4..3cbf9b7 100644
  		}
  		oldproglen = proglen;
  	}
-@@ -633,7 +742,10 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
+@@ -633,7 +756,10 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
  		bpf_flush_icache(image, image + proglen);
  
  		fp->bpf_func = (void *)image;
@@ -31184,7 +31084,7 @@ index 5a5b6e4..3cbf9b7 100644
  out:
  	kfree(addrs);
  	return;
-@@ -641,18 +753,20 @@ out:
+@@ -641,18 +767,20 @@ out:
  
  static void jit_free_defer(struct work_struct *arg)
  {
@@ -32393,7 +32293,7 @@ index 468d591..8e80a0a 100644
  	return NULL;
  }
 diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c
-index 153407c..611cba9 100644
+index 0ff8815..7abe843 100644
 --- a/arch/x86/vdso/vma.c
 +++ b/arch/x86/vdso/vma.c
 @@ -16,8 +16,6 @@
@@ -32405,15 +32305,7 @@ index 153407c..611cba9 100644
  extern char vdso_start[], vdso_end[];
  extern unsigned short vdso_sync_cpuid;
  
-@@ -96,7 +94,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
- 	 * unaligned here as a result of stack start randomization.
- 	 */
- 	addr = PAGE_ALIGN(addr);
--	addr = align_addr(addr, NULL, ALIGN_VDSO);
- 
- 	return addr;
- }
-@@ -106,40 +103,35 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
+@@ -119,13 +117,15 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
  int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
  {
  	struct mm_struct *mm = current->mm;
@@ -32431,10 +32323,9 @@ index 153407c..611cba9 100644
 +#endif
 +
  	addr = vdso_addr(mm->start_stack, vdso_size);
-+	addr = align_addr(addr, NULL, ALIGN_VDSO);
  	addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
  	if (IS_ERR_VALUE(addr)) {
- 		ret = addr;
+@@ -133,26 +133,18 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
  		goto up_fail;
  	}
  
@@ -32961,7 +32852,7 @@ index 7b72502..3d7b647 100644
  			err = -EFAULT;
  			goto out;
 diff --git a/block/genhd.c b/block/genhd.c
-index 41b0435..09f9f28 100644
+index 424d1fa..8e99b22 100644
 --- a/block/genhd.c
 +++ b/block/genhd.c
 @@ -472,21 +472,24 @@ static char *bdevt_str(dev_t devt, char *buf)
@@ -33057,7 +32948,7 @@ index f124268..e5bfd12 100644
  		goto error;
  
 diff --git a/crypto/api.c b/crypto/api.c
-index cea3cf6..86a0f6f 100644
+index ac80794..dd053f8 100644
 --- a/crypto/api.c
 +++ b/crypto/api.c
 @@ -42,6 +42,8 @@ static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
@@ -33070,7 +32961,7 @@ index cea3cf6..86a0f6f 100644
  {
  	return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
-index 7bdd61b..afec999 100644
+index 75c415d..0b21cd8 100644
 --- a/crypto/cryptd.c
 +++ b/crypto/cryptd.c
 @@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
@@ -33147,7 +33038,7 @@ index 5b63b8d..6f46ba0 100644
  		exact = 1;
  
 diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
-index 29a89da..7e23990 100644
+index ba92046..2d5921a 100644
 --- a/crypto/pcrypt.c
 +++ b/crypto/pcrypt.c
 @@ -440,7 +440,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name)
@@ -33386,10 +33277,10 @@ index de2802c..2260da9 100644
  				unsigned long timeout_msec)
  {
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 2ddf736..e60d263 100644
+index 5d8fc3d..d537f03 100644
 --- a/drivers/ata/libata-core.c
 +++ b/drivers/ata/libata-core.c
-@@ -4787,7 +4787,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4790,7 +4790,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	unsigned int tag;
  
@@ -33398,7 +33289,7 @@ index 2ddf736..e60d263 100644
  	ap = qc->ap;
  
  	qc->flags = 0;
-@@ -4803,7 +4803,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4806,7 +4806,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	struct ata_link *link;
  
@@ -33407,7 +33298,7 @@ index 2ddf736..e60d263 100644
  	WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
  	ap = qc->ap;
  	link = qc->dev->link;
-@@ -5808,6 +5808,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5811,6 +5811,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		return;
  
  	spin_lock(&lock);
@@ -33415,7 +33306,7 @@ index 2ddf736..e60d263 100644
  
  	for (cur = ops->inherits; cur; cur = cur->inherits) {
  		void **inherit = (void **)cur;
-@@ -5821,8 +5822,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5824,8 +5825,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		if (IS_ERR(*pp))
  			*pp = NULL;
  
@@ -35683,7 +35574,7 @@ index 1aeaaba..e018570 100644
  	 .part_num = MBCS_PART_NUM,
  	 .mfg_num = MBCS_MFG_NUM,
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 1451790..046b083 100644
+index 1451790..a57c233 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -18,6 +18,7 @@
@@ -35731,15 +35622,17 @@ index 1451790..046b083 100644
  #else
  static inline int range_is_allowed(unsigned long pfn, unsigned long size)
  {
-@@ -118,6 +132,7 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+@@ -117,7 +131,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+ #endif
  
  	while (count > 0) {
- 		unsigned long remaining;
+-		unsigned long remaining;
++		unsigned long remaining = 0;
 +		char *temp;
  
  		sz = size_inside_page(p, count);
  
-@@ -133,7 +148,23 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+@@ -133,7 +148,24 @@ static ssize_t read_mem(struct file *file, char __user *buf,
  		if (!ptr)
  			return -EFAULT;
  
@@ -35750,12 +35643,13 @@ index 1451790..046b083 100644
 +			unxlate_dev_mem_ptr(p, ptr);
 +			return -ENOMEM;
 +		}
-+		memcpy(temp, ptr, sz);
++		remaining = probe_kernel_read(temp, ptr, sz);
 +#else
 +		temp = ptr;
 +#endif
 +
-+		remaining = copy_to_user(buf, temp, sz);
++		if (!remaining)
++			remaining = copy_to_user(buf, temp, sz);
 +
 +#ifdef CONFIG_PAX_USERCOPY
 +		kfree(temp);
@@ -35764,7 +35658,7 @@ index 1451790..046b083 100644
  		unxlate_dev_mem_ptr(p, ptr);
  		if (remaining)
  			return -EFAULT;
-@@ -376,7 +407,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf,
+@@ -376,7 +408,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf,
  		else
  			csize = count;
  
@@ -35773,7 +35667,7 @@ index 1451790..046b083 100644
  		if (rc < 0)
  			return rc;
  		buf += csize;
-@@ -396,9 +427,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -396,9 +428,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  			 size_t count, loff_t *ppos)
  {
  	unsigned long p = *ppos;
@@ -35784,7 +35678,7 @@ index 1451790..046b083 100644
  
  	read = 0;
  	if (p < (unsigned long) high_memory) {
-@@ -420,6 +450,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -420,6 +451,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  		}
  #endif
  		while (low_count > 0) {
@@ -35793,7 +35687,7 @@ index 1451790..046b083 100644
  			sz = size_inside_page(p, low_count);
  
  			/*
-@@ -429,7 +461,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
+@@ -429,7 +462,23 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
  			 */
  			kbuf = xlate_dev_kmem_ptr((char *)p);
  
@@ -35802,12 +35696,13 @@ index 1451790..046b083 100644
 +			temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
 +			if (!temp)
 +				return -ENOMEM;
-+			memcpy(temp, kbuf, sz);
++			err = probe_kernel_read(temp, kbuf, sz);
 +#else
 +			temp = kbuf;
 +#endif
 +
-+			err = copy_to_user(buf, temp, sz);
++			if (!err)
++				err = copy_to_user(buf, temp, sz);
 +
 +#ifdef CONFIG_PAX_USERCOPY
 +			kfree(temp);
@@ -35817,7 +35712,7 @@ index 1451790..046b083 100644
  				return -EFAULT;
  			buf += sz;
  			p += sz;
-@@ -815,6 +862,11 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
+@@ -815,6 +864,11 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
  	ssize_t ret = -EFAULT;
  	size_t len = iov_length(iv, count);
  
@@ -35829,7 +35724,7 @@ index 1451790..046b083 100644
  	line = kmalloc(len + 1, GFP_KERNEL);
  	if (line == NULL)
  		return -ENOMEM;
-@@ -867,6 +919,9 @@ static const struct memdev {
+@@ -867,6 +921,9 @@ static const struct memdev {
  #ifdef CONFIG_CRASH_DUMP
  	[12] = { "oldmem", 0, &oldmem_fops, NULL },
  #endif
@@ -35839,7 +35734,7 @@ index 1451790..046b083 100644
  };
  
  static int memory_open(struct inode *inode, struct file *filp)
-@@ -931,7 +986,7 @@ static int __init chr_dev_init(void)
+@@ -931,7 +988,7 @@ static int __init chr_dev_init(void)
  		if (!devlist[minor].name)
  			continue;
  		device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
@@ -43910,6 +43805,19 @@ index 16a089f..1661b11 100644
  		return -EFAULT;
  	return i;
  }
+diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
+index 5991ab6..049f4ac 100644
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -71,7 +71,7 @@ module_param(default_rds_buf, uint, 0444);
+ MODULE_PARM_DESC(rds_buf, "RDS buffer entries");
+ 
+ /* Radio Nr */
+-static u32 radio_nr = -1;
++static int radio_nr = -1;
+ module_param(radio_nr, int, 0444);
+ MODULE_PARM_DESC(radio_nr, "Radio Nr");
+ 
 diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
 index a47ba33..deafb02 100644
 --- a/drivers/media/rc/rc-main.c
@@ -45159,10 +45067,10 @@ index cf95bd8d..f61f675 100644
  	/* check to see if we are clearing active */
  	if (!strlen(ifname) || buf[0] == '\n') {
 diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
-index 1eac27f..ecd3827 100644
+index a25442e..d1235bc 100644
 --- a/drivers/net/can/dev.c
 +++ b/drivers/net/can/dev.c
-@@ -721,7 +721,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
+@@ -725,7 +725,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
  	return -EOPNOTSUPP;
  }
  
@@ -45960,6 +45868,28 @@ index 0e6e57e..060e208 100644
  	.notifier_call	= macvtap_device_event,
  };
  
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 83a5a5a..9a9d0ae 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -207,7 +207,7 @@ static struct phy_device* phy_device_create(struct mii_bus *bus,
+  * Description: Reads the ID registers of the PHY at @addr on the
+  *   @bus, stores it in @phy_id and returns zero on success.
+  */
+-int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id)
++int get_phy_id(struct mii_bus *bus, int addr, int *phy_id)
+ {
+ 	int phy_reg;
+ 
+@@ -243,7 +243,7 @@ EXPORT_SYMBOL(get_phy_id);
+ struct phy_device * get_phy_device(struct mii_bus *bus, int addr)
+ {
+ 	struct phy_device *dev = NULL;
+-	u32 phy_id;
++	int phy_id;
+ 	int r;
+ 
+ 	r = get_phy_id(bus, addr, &phy_id);
 diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c
 index 1dbdf82..43764cc 100644
 --- a/drivers/net/ppp/ppp_deflate.c
@@ -46848,7 +46778,7 @@ index f5ae3c67..7936af3 100644
  
  static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
 diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
-index dc774cd..fd6efed 100644
+index 8b1123d..20a54e9 100644
 --- a/drivers/net/wireless/ath/ath9k/hw.h
 +++ b/drivers/net/wireless/ath/ath9k/hw.h
 @@ -607,7 +607,7 @@ struct ath_hw_private_ops {
@@ -47626,7 +47556,7 @@ index c73ed00..cc3edec 100644
  #define ASPM_STATE_ALL		(ASPM_STATE_L0S | ASPM_STATE_L1)
  
 diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 9005380..c497080 100644
+index bc92c47..47e01d7 100644
 --- a/drivers/pci/probe.c
 +++ b/drivers/pci/probe.c
 @@ -136,7 +136,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -48030,10 +47960,10 @@ index e15d4c9..83cd617 100644
  		__power_supply_attrs[i] = &power_supply_attrs[i].attr;
  }
 diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
-index 6ec610c..078eaf3 100644
+index adba3d6..7d7a5a6 100644
 --- a/drivers/regulator/core.c
 +++ b/drivers/regulator/core.c
-@@ -2639,7 +2639,7 @@ struct regulator_dev *regulator_register(struct regulator_desc *regulator_desc,
+@@ -2641,7 +2641,7 @@ struct regulator_dev *regulator_register(struct regulator_desc *regulator_desc,
  	struct device *dev, const struct regulator_init_data *init_data,
  	void *driver_data)
  {
@@ -48042,7 +47972,7 @@ index 6ec610c..078eaf3 100644
  	struct regulator_dev *rdev;
  	int ret, i;
  
-@@ -2698,7 +2698,7 @@ struct regulator_dev *regulator_register(struct regulator_desc *regulator_desc,
+@@ -2700,7 +2700,7 @@ struct regulator_dev *regulator_register(struct regulator_desc *regulator_desc,
  	rdev->dev.class = &regulator_class;
  	rdev->dev.parent = dev;
  	dev_set_name(&rdev->dev, "regulator.%d",
@@ -51510,7 +51440,7 @@ index 8131e2c..b48928a 100644
  	if (unlikely(pdev->id < 0 || pdev->id >= UART_NR))
  		return -ENXIO;
 diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
-index b31f1c3..1b6b8c4 100644
+index 626e75b..4a87ecc 100644
 --- a/drivers/tty/serial/samsung.c
 +++ b/drivers/tty/serial/samsung.c
 @@ -440,11 +440,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
@@ -51530,7 +51460,7 @@ index b31f1c3..1b6b8c4 100644
  	dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n",
  	    port->mapbase, port->membase);
  
-@@ -1149,10 +1154,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+@@ -1153,10 +1158,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
  	port->dev	= &platdev->dev;
  	ourport->info	= info;
  
@@ -52226,10 +52156,10 @@ index 9f7003e..b1db1b6 100644
  	props.type = BACKLIGHT_RAW;
  	props.max_brightness = 0xff;
 diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
-index 1ee6b2a..523c0ae 100644
+index 87302dd..2d0130a 100644
 --- a/drivers/usb/serial/console.c
 +++ b/drivers/usb/serial/console.c
-@@ -200,7 +200,7 @@ static int usb_console_setup(struct console *co, char *options)
+@@ -205,7 +205,7 @@ static int usb_console_setup(struct console *co, char *options)
  static void usb_console_write(struct console *co,
  					const char *buf, unsigned count)
  {
@@ -52448,10 +52378,10 @@ index 6b4fb5c..385e560 100644
  		if (!strncmp(options, "scrollback:", 11)) {
  			options += 11;
 diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
-index c27e153..5beb687 100644
+index 8a3d51f..f3e2e64 100644
 --- a/drivers/video/fb_defio.c
 +++ b/drivers/video/fb_defio.c
-@@ -200,7 +200,9 @@ void fb_deferred_io_init(struct fb_info *info)
+@@ -201,7 +201,9 @@ void fb_deferred_io_init(struct fb_info *info)
  
  	BUG_ON(!fbdefio);
  	mutex_init(&fbdefio->lock);
@@ -52462,7 +52392,7 @@ index c27e153..5beb687 100644
  	INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
  	INIT_LIST_HEAD(&fbdefio->pagelist);
  	if (fbdefio->delay == 0) /* set a default of 1 s */
-@@ -231,7 +233,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
+@@ -232,7 +234,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
  		page->mapping = NULL;
  	}
  
@@ -55859,10 +55789,10 @@ index 88714ae..16c2e11 100644
  
  static inline u32 get_pll_internal_frequency(u32 ref_freq,
 diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
-index 984c501..9167bb2 100644
+index cc02a9b..2686ac9 100644
 --- a/drivers/virtio/virtio.c
 +++ b/drivers/virtio/virtio.c
-@@ -140,8 +140,11 @@ static int virtio_dev_probe(struct device *_d)
+@@ -139,8 +139,11 @@ static int virtio_dev_probe(struct device *_d)
  	err = drv->probe(dev);
  	if (err)
  		add_status(dev, VIRTIO_CONFIG_S_FAILED);
@@ -57473,10 +57403,10 @@ index dede441..f2a2507 100644
  
  		WARN_ON(trans->transid != btrfs_header_generation(parent));
 diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
-index f63719a..5f00ed6 100644
+index a694317..dc698a1 100644
 --- a/fs/btrfs/extent-tree.c
 +++ b/fs/btrfs/extent-tree.c
-@@ -5642,7 +5642,7 @@ again:
+@@ -5644,7 +5644,7 @@ again:
  
  	if (ret == -ENOSPC && num_bytes > min_alloc_size) {
  		num_bytes = num_bytes >> 1;
@@ -57748,7 +57678,7 @@ index 7903e62..096162e 100644
  	}
  
 diff --git a/fs/ceph/super.c b/fs/ceph/super.c
-index de268a8..2a158be 100644
+index 3c981db..eb87cfb 100644
 --- a/fs/ceph/super.c
 +++ b/fs/ceph/super.c
 @@ -785,7 +785,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
@@ -58428,7 +58358,7 @@ index 739fb59..5385976 100644
  static int __init init_cramfs_fs(void)
  {
 diff --git a/fs/dcache.c b/fs/dcache.c
-index 3f65742..0972e8b 100644
+index 8bc98af..a49e6f0 100644
 --- a/fs/dcache.c
 +++ b/fs/dcache.c
 @@ -103,11 +103,11 @@ static unsigned int d_hash_shift __read_mostly;
@@ -58447,19 +58377,17 @@ index 3f65742..0972e8b 100644
  	return dentry_hashtable + (hash & D_HASHMASK);
  }
  
-@@ -1034,8 +1034,10 @@ ascend:
- 		write_sequnlock(&rename_lock);
- 	return 0; /* No mount points found in tree */
- positive:
--	if (!locked && read_seqretry(&rename_lock, seq))
-+	if (!locked && read_seqretry(&rename_lock, seq)) {
-+		rcu_read_lock();
- 		goto rename_retry;
-+	}
- 	if (locked)
- 		write_sequnlock(&rename_lock);
- 	return 1;
-@@ -3080,7 +3082,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -1235,6 +1235,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+ 	dentry->d_sb = sb;
+ 	dentry->d_op = NULL;
+ 	dentry->d_fsdata = NULL;
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	atomic_set(&dentry->chroot_refcnt, 0);
++#endif
+ 	INIT_HLIST_BL_NODE(&dentry->d_hash);
+ 	INIT_LIST_HEAD(&dentry->d_lru);
+ 	INIT_LIST_HEAD(&dentry->d_subdirs);
+@@ -3082,7 +3085,8 @@ void __init vfs_caches_init(unsigned long mempages)
  	mempages -= reserve;
  
  	names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -58548,10 +58476,10 @@ index 5ce56e7..d80e1db 100644
  	return rc;
  }
 diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
-index 94afdfd..bdb8854 100644
+index 62b8ddc..7df8b1c 100644
 --- a/fs/ecryptfs/main.c
 +++ b/fs/ecryptfs/main.c
-@@ -629,6 +629,7 @@ static struct file_system_type ecryptfs_fs_type = {
+@@ -639,6 +639,7 @@ static struct file_system_type ecryptfs_fs_type = {
  	.kill_sb = ecryptfs_kill_block_super,
  	.fs_flags = 0
  };
@@ -60382,7 +60310,7 @@ index 9d1c995..7685971 100644
  static int __init
  vxfs_init(void)
 diff --git a/fs/fs_struct.c b/fs/fs_struct.c
-index 78b519c..0386555 100644
+index 78b519c..b6e3076 100644
 --- a/fs/fs_struct.c
 +++ b/fs/fs_struct.c
 @@ -4,6 +4,7 @@
@@ -60393,15 +60321,28 @@ index 78b519c..0386555 100644
  #include "internal.h"
  
  static inline void path_get_longterm(struct path *path)
-@@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, struct path *path)
+@@ -26,15 +27,19 @@ void set_fs_root(struct fs_struct *fs, struct path *path)
+ {
+ 	struct path old_root;
+ 
++	gr_inc_chroot_refcnts(path->dentry, path->mnt);
+ 	spin_lock(&fs->lock);
+ 	write_seqcount_begin(&fs->seq);
  	old_root = fs->root;
  	fs->root = *path;
  	path_get_longterm(path);
 +	gr_set_chroot_entries(current, path);
  	write_seqcount_end(&fs->seq);
  	spin_unlock(&fs->lock);
- 	if (old_root.dentry)
-@@ -74,6 +76,13 @@ void chroot_fs_refs(struct path *old_root, struct path *new_root)
+-	if (old_root.dentry)
++	if (old_root.dentry) {
++		gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
+ 		path_put_longterm(&old_root);
++	}
+ }
+ 
+ /*
+@@ -74,6 +79,13 @@ void chroot_fs_refs(struct path *old_root, struct path *new_root)
  			    && fs->root.mnt == old_root->mnt) {
  				path_get_longterm(new_root);
  				fs->root = *new_root;
@@ -60415,7 +60356,15 @@ index 78b519c..0386555 100644
  				count++;
  			}
  			if (fs->pwd.dentry == old_root->dentry
-@@ -109,7 +118,8 @@ void exit_fs(struct task_struct *tsk)
+@@ -94,6 +106,7 @@ void chroot_fs_refs(struct path *old_root, struct path *new_root)
+ 
+ void free_fs_struct(struct fs_struct *fs)
+ {
++	gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
+ 	path_put_longterm(&fs->root);
+ 	path_put_longterm(&fs->pwd);
+ 	kmem_cache_free(fs_cachep, fs);
+@@ -109,7 +122,8 @@ void exit_fs(struct task_struct *tsk)
  		spin_lock(&fs->lock);
  		write_seqcount_begin(&fs->seq);
  		tsk->fs = NULL;
@@ -60425,7 +60374,7 @@ index 78b519c..0386555 100644
  		write_seqcount_end(&fs->seq);
  		spin_unlock(&fs->lock);
  		task_unlock(tsk);
-@@ -123,7 +133,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
+@@ -123,7 +137,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
  	struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
  	/* We don't need to lock fs - think why ;-) */
  	if (fs) {
@@ -60434,7 +60383,7 @@ index 78b519c..0386555 100644
  		fs->in_exec = 0;
  		spin_lock_init(&fs->lock);
  		seqcount_init(&fs->seq);
-@@ -132,6 +142,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
+@@ -132,6 +146,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
  		spin_lock(&old->lock);
  		fs->root = old->root;
  		path_get_longterm(&fs->root);
@@ -60444,7 +60393,7 @@ index 78b519c..0386555 100644
  		fs->pwd = old->pwd;
  		path_get_longterm(&fs->pwd);
  		spin_unlock(&old->lock);
-@@ -150,8 +163,9 @@ int unshare_fs_struct(void)
+@@ -150,8 +167,9 @@ int unshare_fs_struct(void)
  
  	task_lock(current);
  	spin_lock(&fs->lock);
@@ -60455,7 +60404,7 @@ index 78b519c..0386555 100644
  	spin_unlock(&fs->lock);
  	task_unlock(current);
  
-@@ -164,13 +178,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
+@@ -164,13 +182,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
  
  int current_umask(void)
  {
@@ -60471,7 +60420,7 @@ index 78b519c..0386555 100644
  	.lock		= __SPIN_LOCK_UNLOCKED(init_fs.lock),
  	.seq		= SEQCNT_ZERO,
  	.umask		= 0022,
-@@ -186,12 +200,13 @@ void daemonize_fs_struct(void)
+@@ -186,12 +204,13 @@ void daemonize_fs_struct(void)
  		task_lock(current);
  
  		spin_lock(&init_fs.lock);
@@ -62116,47 +62065,6 @@ index 2f9197f..e2f03bf 100644
  MODULE_LICENSE("GPL");
 -/* Actual filesystem name is iso9660, as requested in filesystems.c */
 -MODULE_ALIAS("iso9660");
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index ee62cc0..1780949 100644
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -30,6 +30,7 @@ struct rock_state {
- 	int cont_size;
- 	int cont_extent;
- 	int cont_offset;
-+	int cont_loops;
- 	struct inode *inode;
- };
- 
-@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
- 	rs->inode = inode;
- }
- 
-+/* Maximum number of Rock Ridge continuation entries */
-+#define RR_MAX_CE_ENTRIES 32
-+
- /*
-  * Returns 0 if the caller should continue scanning, 1 if the scan must end
-  * and -ve on error.
-@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
- 			goto out;
- 		}
- 		ret = -EIO;
-+		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
-+			goto out;
- 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
- 		if (bh) {
- 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
-@@ -356,6 +362,9 @@ repeat:
- 			rs.cont_size = isonum_733(rr->u.CE.size);
- 			break;
- 		case SIG('E', 'R'):
-+			/* Invalid length of ER tag id? */
-+			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
-+				goto out;
- 			ISOFS_SB(inode->i_sb)->s_rock = 1;
- 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
- 			{
 diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
 index e513f19..2ab1351 100644
 --- a/fs/jffs2/erase.c
@@ -62327,7 +62235,7 @@ index 4d46a6a..dee1cdf 100644
  static int __init init_minix_fs(void)
  {
 diff --git a/fs/namei.c b/fs/namei.c
-index dea2dab..6452ab2 100644
+index c8b13a9..09cc61e 100644
 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -62411,7 +62319,7 @@ index dea2dab..6452ab2 100644
  		put_link(nd, &link, cookie);
  	} while (res > 0);
  
-@@ -1624,6 +1642,8 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1625,6 +1643,8 @@ static int path_lookupat(int dfd, const char *name,
  			err = follow_link(&link, nd, &cookie);
  			if (!err)
  				err = lookup_last(nd, &path);
@@ -62420,7 +62328,7 @@ index dea2dab..6452ab2 100644
  			put_link(nd, &link, cookie);
  		}
  	}
-@@ -1631,6 +1651,13 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1632,6 +1652,13 @@ static int path_lookupat(int dfd, const char *name,
  	if (!err)
  		err = complete_walk(nd);
  
@@ -62434,7 +62342,7 @@ index dea2dab..6452ab2 100644
  	if (!err && nd->flags & LOOKUP_DIRECTORY) {
  		if (!nd->inode->i_op->lookup) {
  			path_put(&nd->path);
-@@ -1662,6 +1689,12 @@ static int do_path_lookup(int dfd, const char *name,
+@@ -1663,6 +1690,12 @@ static int do_path_lookup(int dfd, const char *name,
  			if (nd->path.dentry && nd->inode)
  				audit_inode(name, nd->path.dentry);
  		}
@@ -62447,7 +62355,7 @@ index dea2dab..6452ab2 100644
  	}
  	return retval;
  }
-@@ -1791,7 +1824,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+@@ -1792,7 +1825,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
  	if (!len)
  		return ERR_PTR(-EACCES);
  
@@ -62461,7 +62369,7 @@ index dea2dab..6452ab2 100644
  	while (len--) {
  		c = *(const unsigned char *)name++;
  		if (c == '/' || c == '\0')
-@@ -2055,6 +2094,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2056,6 +2095,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
  	if (flag & O_NOATIME && !inode_owner_or_capable(inode))
  		return -EPERM;
  
@@ -62475,7 +62383,7 @@ index dea2dab..6452ab2 100644
  	return 0;
  }
  
-@@ -2090,7 +2136,7 @@ static inline int open_to_namei_flags(int flag)
+@@ -2091,7 +2137,7 @@ static inline int open_to_namei_flags(int flag)
  /*
   * Handle the last step of open()
   */
@@ -62484,7 +62392,7 @@ index dea2dab..6452ab2 100644
  			    const struct open_flags *op, const char *pathname)
  {
  	struct dentry *dir = nd->path.dentry;
-@@ -2116,16 +2162,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2117,16 +2163,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  		error = complete_walk(nd);
  		if (error)
  			return ERR_PTR(error);
@@ -62517,7 +62425,7 @@ index dea2dab..6452ab2 100644
  		audit_inode(pathname, dir);
  		goto ok;
  	}
-@@ -2141,18 +2203,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2142,18 +2204,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  					!symlink_ok);
  		if (error < 0)
  			return ERR_PTR(error);
@@ -62550,7 +62458,7 @@ index dea2dab..6452ab2 100644
  		audit_inode(pathname, nd->path.dentry);
  		goto ok;
  	}
-@@ -2187,6 +2262,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2188,6 +2263,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  	/* Negative dentry, just create the file */
  	if (!dentry->d_inode) {
  		int mode = op->mode;
@@ -62568,7 +62476,7 @@ index dea2dab..6452ab2 100644
  		if (!IS_POSIXACL(dir->d_inode))
  			mode &= ~current_umask();
  		/*
-@@ -2210,6 +2296,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2211,6 +2297,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  		error = vfs_create(dir->d_inode, dentry, mode, nd);
  		if (error)
  			goto exit_mutex_unlock;
@@ -62577,7 +62485,7 @@ index dea2dab..6452ab2 100644
  		mutex_unlock(&dir->d_inode->i_mutex);
  		dput(nd->path.dentry);
  		nd->path.dentry = dentry;
-@@ -2219,6 +2307,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2220,6 +2308,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  	/*
  	 * It already exists.
  	 */
@@ -62597,7 +62505,7 @@ index dea2dab..6452ab2 100644
  	mutex_unlock(&dir->d_inode->i_mutex);
  	audit_inode(pathname, path->dentry);
  
-@@ -2237,11 +2338,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2238,11 +2339,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  	if (!path->dentry->d_inode)
  		goto exit_dput;
  
@@ -62616,7 +62524,7 @@ index dea2dab..6452ab2 100644
  	/* Why this, you ask?  _Now_ we might have grown LOOKUP_JUMPED... */
  	error = complete_walk(nd);
  	if (error)
-@@ -2249,6 +2356,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2250,6 +2357,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
  	error = -EISDIR;
  	if (S_ISDIR(nd->inode->i_mode))
  		goto exit;
@@ -62629,7 +62537,7 @@ index dea2dab..6452ab2 100644
  ok:
  	if (!S_ISREG(nd->inode->i_mode))
  		will_truncate = 0;
-@@ -2321,7 +2434,7 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2322,7 +2435,7 @@ static struct file *path_openat(int dfd, const char *pathname,
  	if (unlikely(error))
  		goto out_filp;
  
@@ -62638,7 +62546,7 @@ index dea2dab..6452ab2 100644
  	while (unlikely(!filp)) { /* trailing symlink */
  		struct path link = path;
  		void *cookie;
-@@ -2336,8 +2449,9 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2337,8 +2450,9 @@ static struct file *path_openat(int dfd, const char *pathname,
  		error = follow_link(&link, nd, &cookie);
  		if (unlikely(error))
  			filp = ERR_PTR(error);
@@ -62650,7 +62558,7 @@ index dea2dab..6452ab2 100644
  		put_link(nd, &link, cookie);
  	}
  out:
-@@ -2431,6 +2545,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
+@@ -2432,6 +2546,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
  	*path = nd.path;
  	return dentry;
  eexist:
@@ -62662,7 +62570,7 @@ index dea2dab..6452ab2 100644
  	dput(dentry);
  	dentry = ERR_PTR(-EEXIST);
  fail:
-@@ -2453,6 +2572,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
+@@ -2454,6 +2573,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
  }
  EXPORT_SYMBOL(user_path_create);
  
@@ -62683,7 +62591,7 @@ index dea2dab..6452ab2 100644
  int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
  {
  	int error = may_create(dir, dentry);
-@@ -2520,6 +2653,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2521,6 +2654,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
  	error = mnt_want_write(path.mnt);
  	if (error)
  		goto out_dput;
@@ -62701,7 +62609,7 @@ index dea2dab..6452ab2 100644
  	error = security_path_mknod(&path, dentry, mode, dev);
  	if (error)
  		goto out_drop_write;
-@@ -2537,6 +2681,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2538,6 +2682,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
  	}
  out_drop_write:
  	mnt_drop_write(path.mnt);
@@ -62711,7 +62619,7 @@ index dea2dab..6452ab2 100644
  out_dput:
  	dput(dentry);
  	mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2586,12 +2733,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2587,12 +2734,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
  	error = mnt_want_write(path.mnt);
  	if (error)
  		goto out_dput;
@@ -62733,7 +62641,7 @@ index dea2dab..6452ab2 100644
  out_dput:
  	dput(dentry);
  	mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2671,6 +2827,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2672,6 +2828,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
  	char * name;
  	struct dentry *dentry;
  	struct nameidata nd;
@@ -62742,7 +62650,7 @@ index dea2dab..6452ab2 100644
  
  	error = user_path_parent(dfd, pathname, &nd, &name);
  	if (error)
-@@ -2699,6 +2857,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2700,6 +2858,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
  		error = -ENOENT;
  		goto exit3;
  	}
@@ -62758,7 +62666,7 @@ index dea2dab..6452ab2 100644
  	error = mnt_want_write(nd.path.mnt);
  	if (error)
  		goto exit3;
-@@ -2706,6 +2873,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2707,6 +2874,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
  	if (error)
  		goto exit4;
  	error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -62767,7 +62675,7 @@ index dea2dab..6452ab2 100644
  exit4:
  	mnt_drop_write(nd.path.mnt);
  exit3:
-@@ -2768,6 +2937,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2769,6 +2938,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
  	struct dentry *dentry;
  	struct nameidata nd;
  	struct inode *inode = NULL;
@@ -62776,7 +62684,7 @@ index dea2dab..6452ab2 100644
  
  	error = user_path_parent(dfd, pathname, &nd, &name);
  	if (error)
-@@ -2790,6 +2961,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2791,6 +2962,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
  		if (!inode)
  			goto slashes;
  		ihold(inode);
@@ -62793,7 +62701,7 @@ index dea2dab..6452ab2 100644
  		error = mnt_want_write(nd.path.mnt);
  		if (error)
  			goto exit2;
-@@ -2797,6 +2978,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2798,6 +2979,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
  		if (error)
  			goto exit3;
  		error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -62802,7 +62710,7 @@ index dea2dab..6452ab2 100644
  exit3:
  		mnt_drop_write(nd.path.mnt);
  	exit2:
-@@ -2872,10 +3055,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2873,10 +3056,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
  	error = mnt_want_write(path.mnt);
  	if (error)
  		goto out_dput;
@@ -62821,7 +62729,7 @@ index dea2dab..6452ab2 100644
  out_drop_write:
  	mnt_drop_write(path.mnt);
  out_dput:
-@@ -2947,6 +3138,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2948,6 +3139,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
  {
  	struct dentry *new_dentry;
  	struct path old_path, new_path;
@@ -62829,7 +62737,7 @@ index dea2dab..6452ab2 100644
  	int how = 0;
  	int error;
  
-@@ -2970,7 +3162,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2971,7 +3163,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
  	if (error)
  		return error;
  
@@ -62838,7 +62746,7 @@ index dea2dab..6452ab2 100644
  	error = PTR_ERR(new_dentry);
  	if (IS_ERR(new_dentry))
  		goto out;
-@@ -2981,13 +3173,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2982,13 +3174,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
  	error = mnt_want_write(new_path.mnt);
  	if (error)
  		goto out_dput;
@@ -62869,10 +62777,18 @@ index dea2dab..6452ab2 100644
  	dput(new_dentry);
  	mutex_unlock(&new_path.dentry->d_inode->i_mutex);
  	path_put(&new_path);
-@@ -3215,6 +3424,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3216,6 +3425,20 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
  	if (new_dentry == trap)
  		goto exit5;
  
++	if (gr_bad_chroot_rename(old_dentry, oldnd.path.mnt, new_dentry, newnd.path.mnt)) {
++		/* use EXDEV error to cause 'mv' to switch to an alternative
++		 * method for usability
++		 */
++		error = -EXDEV;
++		goto exit5;
++	}
++
 +	error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
 +				     old_dentry, old_dir->d_inode, oldnd.path.mnt,
 +				     to);
@@ -62882,7 +62798,7 @@ index dea2dab..6452ab2 100644
  	error = mnt_want_write(oldnd.path.mnt);
  	if (error)
  		goto exit5;
-@@ -3224,6 +3439,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3225,6 +3448,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
  		goto exit6;
  	error = vfs_rename(old_dir->d_inode, old_dentry,
  				   new_dir->d_inode, new_dentry);
@@ -62892,7 +62808,7 @@ index dea2dab..6452ab2 100644
  exit6:
  	mnt_drop_write(oldnd.path.mnt);
  exit5:
-@@ -3249,6 +3467,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3250,6 +3476,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
  
  int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
  {
@@ -62901,7 +62817,7 @@ index dea2dab..6452ab2 100644
  	int len;
  
  	len = PTR_ERR(link);
-@@ -3258,7 +3478,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3259,7 +3487,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
  	len = strlen(link);
  	if (len > (unsigned) buflen)
  		len = buflen;
@@ -65328,7 +65244,7 @@ index 03102d9..4ae347e 100644
  }
  
 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 4c9a859..8c9ebb1 100644
+index 81a48d1..b2275ba 100644
 --- a/fs/proc/stat.c
 +++ b/fs/proc/stat.c
 @@ -11,6 +11,7 @@
@@ -66163,7 +66079,7 @@ index dba43c3..cb3437c 100644
  {
  	const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
 diff --git a/fs/splice.c b/fs/splice.c
-index 714471d..2ca7fb5 100644
+index 34c2b2b..2f91055 100644
 --- a/fs/splice.c
 +++ b/fs/splice.c
 @@ -195,7 +195,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -66227,7 +66143,7 @@ index 714471d..2ca7fb5 100644
  			return 0;
  
  		if (sd->flags & SPLICE_F_NONBLOCK)
-@@ -1209,7 +1209,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+@@ -1213,7 +1213,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
  		 * out of the pipe right after the splice_to_pipe(). So set
  		 * PIPE_READERS appropriately.
  		 */
@@ -66236,7 +66152,7 @@ index 714471d..2ca7fb5 100644
  
  		current->splice_pipe = pipe;
  	}
-@@ -1477,6 +1477,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+@@ -1481,6 +1481,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
  
  			partial[buffers].offset = off;
  			partial[buffers].len = plen;
@@ -66244,7 +66160,7 @@ index 714471d..2ca7fb5 100644
  
  			off = 0;
  			len -= plen;
-@@ -1762,9 +1763,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1766,9 +1767,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -66256,7 +66172,7 @@ index 714471d..2ca7fb5 100644
  			if (flags & SPLICE_F_NONBLOCK) {
  				ret = -EAGAIN;
  				break;
-@@ -1796,7 +1797,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1800,7 +1801,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  	pipe_lock(pipe);
  
  	while (pipe->nrbufs >= pipe->buffers) {
@@ -66265,7 +66181,7 @@ index 714471d..2ca7fb5 100644
  			send_sig(SIGPIPE, current, 0);
  			ret = -EPIPE;
  			break;
-@@ -1809,9 +1810,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1813,9 +1814,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -66277,7 +66193,7 @@ index 714471d..2ca7fb5 100644
  	}
  
  	pipe_unlock(pipe);
-@@ -1847,14 +1848,14 @@ retry:
+@@ -1851,14 +1852,14 @@ retry:
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -66294,7 +66210,7 @@ index 714471d..2ca7fb5 100644
  			break;
  
  		/*
-@@ -1951,7 +1952,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1955,7 +1956,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -66303,7 +66219,7 @@ index 714471d..2ca7fb5 100644
  			send_sig(SIGPIPE, current, 0);
  			if (!ret)
  				ret = -EPIPE;
-@@ -1996,7 +1997,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -2000,7 +2001,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	 * return EAGAIN if we have the potential of some data in the
  	 * future, otherwise just return 0
  	 */
@@ -66589,22 +66505,8 @@ index 201bcfc..cee4d16 100644
  
  /*
   * Inode slab cache constructor.
-diff --git a/fs/udf/dir.c b/fs/udf/dir.c
-index eb8bfe2..7ab52de 100644
---- a/fs/udf/dir.c
-+++ b/fs/udf/dir.c
-@@ -163,7 +163,8 @@ static int do_udf_readdir(struct inode *dir, struct file *filp,
- 			struct kernel_lb_addr tloc = lelb_to_cpu(cfi.icb.extLocation);
- 
- 			iblock = udf_get_lb_pblock(dir->i_sb, &tloc, 0);
--			flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
-+			flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
-+					UDF_NAME_LEN);
- 			dt_type = DT_UNKNOWN;
- 		}
- 
 diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index a0f6ded..645d7053 100644
+index 2a706bb..f1e984a 100644
 --- a/fs/udf/inode.c
 +++ b/fs/udf/inode.c
 @@ -50,7 +50,6 @@ MODULE_LICENSE("GPL");
@@ -66816,8 +66718,8 @@ index a0f6ded..645d7053 100644
 +			goto out;
  	}
  
- 	switch (fe->icbTag.fileType) {
-@@ -1451,8 +1449,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+@@ -1469,8 +1467,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
  	default:
  		udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n",
  			inode->i_ino, fe->icbTag.fileType);
@@ -66827,7 +66729,7 @@ index a0f6ded..645d7053 100644
  	}
  	if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) {
  		struct deviceSpec *dsea =
-@@ -1463,8 +1460,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+@@ -1481,8 +1478,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
  				      le32_to_cpu(dsea->minorDeviceIdent)));
  			/* Developer ID ??? */
  		} else
@@ -66841,7 +66743,7 @@ index a0f6ded..645d7053 100644
  }
  
  static int udf_alloc_i_data(struct inode *inode, size_t size)
-@@ -1577,7 +1578,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
+@@ -1595,7 +1596,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
  		     FE_PERM_U_DELETE | FE_PERM_U_CHATTR));
  	fe->permissions = cpu_to_le32(udfperms);
  
@@ -66850,7 +66752,7 @@ index a0f6ded..645d7053 100644
  		fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1);
  	else
  		fe->fileLinkCount = cpu_to_le16(inode->i_nlink);
-@@ -1738,32 +1739,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino)
+@@ -1756,32 +1757,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino)
  {
  	unsigned long block = udf_get_lb_pblock(sb, ino, 0);
  	struct inode *inode = iget_locked(sb, block);
@@ -66907,20 +66809,10 @@ index c175b4d..8f36a16 100644
  	int i;
  	for (i = 0; i < sizeof(struct tag); ++i)
 diff --git a/fs/udf/namei.c b/fs/udf/namei.c
-index 71c97fb..d86a93a 100644
+index 483d662..d86a93a 100644
 --- a/fs/udf/namei.c
 +++ b/fs/udf/namei.c
-@@ -235,7 +235,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
- 		if (!lfi)
- 			continue;
- 
--		flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
-+		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
-+					UDF_NAME_LEN);
- 		if (flen && udf_match(flen, fname, child->len, child->name))
- 			goto out_ok;
- 	}
-@@ -272,9 +273,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+@@ -273,9 +273,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
  						NULL, 0),
  		};
  		inode = udf_iget(dir->i_sb, lb);
@@ -66932,7 +66824,7 @@ index 71c97fb..d86a93a 100644
  	} else
  #endif /* UDF_RECOVERY */
  
-@@ -287,9 +287,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+@@ -288,9 +287,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
  
  		loc = lelb_to_cpu(cfi.icb.extLocation);
  		inode = udf_iget(dir->i_sb, &loc);
@@ -66944,7 +66836,7 @@ index 71c97fb..d86a93a 100644
  	}
  
  	return d_splice_alias(inode, dentry);
-@@ -1211,7 +1210,7 @@ static struct dentry *udf_get_parent(struct dentry *child)
+@@ -1212,7 +1210,7 @@ static struct dentry *udf_get_parent(struct dentry *child)
  	struct udf_fileident_bh fibh;
  
  	if (!udf_find_entry(child->d_inode, &dotdot, &fibh, &cfi))
@@ -66953,7 +66845,7 @@ index 71c97fb..d86a93a 100644
  
  	if (fibh.sbh != fibh.ebh)
  		brelse(fibh.ebh);
-@@ -1219,12 +1218,10 @@ static struct dentry *udf_get_parent(struct dentry *child)
+@@ -1220,12 +1218,10 @@ static struct dentry *udf_get_parent(struct dentry *child)
  
  	tloc = lelb_to_cpu(cfi.icb.extLocation);
  	inode = udf_iget(child->d_inode->i_sb, &tloc);
@@ -66968,7 +66860,7 @@ index 71c97fb..d86a93a 100644
  }
  
  
-@@ -1241,8 +1238,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block,
+@@ -1242,8 +1238,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block,
  	loc.partitionReferenceNum = partref;
  	inode = udf_iget(sb, &loc);
  
@@ -67157,147 +67049,8 @@ index f66439e..247cfef 100644
  		goto error_out;
  	}
  
-diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
-index b1d4488..0422b7b 100644
---- a/fs/udf/symlink.c
-+++ b/fs/udf/symlink.c
-@@ -30,43 +30,73 @@
- #include <linux/buffer_head.h>
- #include "udf_i.h"
- 
--static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
--			   int fromlen, unsigned char *to)
-+static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
-+			  int fromlen, unsigned char *to, int tolen)
- {
- 	struct pathComponent *pc;
- 	int elen = 0;
-+	int comp_len;
- 	unsigned char *p = to;
- 
-+	/* Reserve one byte for terminating \0 */
-+	tolen--;
- 	while (elen < fromlen) {
- 		pc = (struct pathComponent *)(from + elen);
-+		elen += sizeof(struct pathComponent);
- 		switch (pc->componentType) {
- 		case 1:
--			if (pc->lengthComponentIdent == 0) {
--				p = to;
--				*p++ = '/';
-+			/*
-+			 * Symlink points to some place which should be agreed
-+ 			 * upon between originator and receiver of the media. Ignore.
-+			 */
-+			if (pc->lengthComponentIdent > 0) {
-+				elen += pc->lengthComponentIdent;
-+				break;
- 			}
-+			/* Fall through */
-+		case 2:
-+			if (tolen == 0)
-+				return -ENAMETOOLONG;
-+			p = to;
-+			*p++ = '/';
-+			tolen--;
- 			break;
- 		case 3:
-+			if (tolen < 3)
-+				return -ENAMETOOLONG;
- 			memcpy(p, "../", 3);
- 			p += 3;
-+			tolen -= 3;
- 			break;
- 		case 4:
-+			if (tolen < 2)
-+				return -ENAMETOOLONG;
- 			memcpy(p, "./", 2);
- 			p += 2;
-+			tolen -= 2;
- 			/* that would be . - just ignore */
- 			break;
- 		case 5:
--			p += udf_get_filename(sb, pc->componentIdent, p,
--					      pc->lengthComponentIdent);
-+			elen += pc->lengthComponentIdent;
-+			if (elen > fromlen)
-+				return -EIO;
-+			comp_len = udf_get_filename(sb, pc->componentIdent,
-+						    pc->lengthComponentIdent,
-+						    p, tolen);
-+			p += comp_len;
-+			tolen -= comp_len;
-+			if (tolen == 0)
-+				return -ENAMETOOLONG;
- 			*p++ = '/';
-+			tolen--;
- 			break;
- 		}
--		elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
- 	}
- 	if (p > to + 1)
- 		p[-1] = '\0';
- 	else
- 		p[0] = '\0';
-+	return 0;
- }
- 
- static int udf_symlink_filler(struct file *file, struct page *page)
-@@ -74,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- 	struct inode *inode = page->mapping->host;
- 	struct buffer_head *bh = NULL;
- 	unsigned char *symlink;
--	int err = -EIO;
-+	int err;
- 	unsigned char *p = kmap(page);
- 	struct udf_inode_info *iinfo;
- 	uint32_t pos;
- 
-+	/* We don't support symlinks longer than one block */
-+	if (inode->i_size > inode->i_sb->s_blocksize) {
-+		err = -ENAMETOOLONG;
-+		goto out_unmap;
-+	}
-+
- 	iinfo = UDF_I(inode);
- 	pos = udf_block_map(inode, 0);
- 
-@@ -88,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- 	} else {
- 		bh = sb_bread(inode->i_sb, pos);
- 
--		if (!bh)
--			goto out;
-+		if (!bh) {
-+			err = -EIO;
-+			goto out_unlock_inode;
-+		}
- 
- 		symlink = bh->b_data;
- 	}
- 
--	udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
-+	err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
- 	brelse(bh);
-+	if (err)
-+		goto out_unlock_inode;
- 
- 	up_read(&iinfo->i_data_sem);
- 	SetPageUptodate(page);
-@@ -103,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- 	unlock_page(page);
- 	return 0;
- 
--out:
-+out_unlock_inode:
- 	up_read(&iinfo->i_data_sem);
- 	SetPageError(page);
-+out_unmap:
- 	kunmap(page);
- 	unlock_page(page);
- 	return err;
 diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
-index f34e6fc..3156eb1 100644
+index 8775ab23..3156eb1 100644
 --- a/fs/udf/udfdecl.h
 +++ b/fs/udf/udfdecl.h
 @@ -149,7 +149,6 @@ extern int udf_expand_file_adinicb(struct inode *);
@@ -67308,102 +67061,6 @@ index f34e6fc..3156eb1 100644
  extern void udf_evict_inode(struct inode *);
  extern int udf_write_inode(struct inode *, struct writeback_control *wbc);
  extern long udf_block_map(struct inode *, sector_t);
-@@ -207,7 +206,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
- }
- 
- /* unicode.c */
--extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
-+extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
-+			    int);
- extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
- 			    int);
- extern int udf_build_ustr(struct ustr *, dstring *, int);
-diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
-index 44b815e..d29c06f 100644
---- a/fs/udf/unicode.c
-+++ b/fs/udf/unicode.c
-@@ -28,7 +28,8 @@
- 
- #include "udf_sb.h"
- 
--static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
-+static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
-+				  int);
- 
- static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
- {
-@@ -333,8 +334,8 @@ try_again:
- 	return u_len + 1;
- }
- 
--int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
--		     int flen)
-+int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
-+		     uint8_t *dname, int dlen)
- {
- 	struct ustr *filename, *unifilename;
- 	int len = 0;
-@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
- 	if (!unifilename)
- 		goto out1;
- 
--	if (udf_build_ustr_exact(unifilename, sname, flen))
-+	if (udf_build_ustr_exact(unifilename, sname, slen))
- 		goto out2;
- 
- 	if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
-@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
- 	} else
- 		goto out2;
- 
--	len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
-+	len = udf_translate_to_linux(dname, dlen,
-+				     filename->u_name, filename->u_len,
- 				     unifilename->u_name, unifilename->u_len);
- out2:
- 	kfree(unifilename);
-@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
- #define EXT_MARK		'.'
- #define CRC_MARK		'#'
- #define EXT_SIZE 		5
-+/* Number of chars we need to store generated CRC to make filename unique */
-+#define CRC_LEN			5
- 
--static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
--				  int udfLen, uint8_t *fidName,
--				  int fidNameLen)
-+static int udf_translate_to_linux(uint8_t *newName, int newLen,
-+				  uint8_t *udfName, int udfLen,
-+				  uint8_t *fidName, int fidNameLen)
- {
- 	int index, newIndex = 0, needsCRC = 0;
- 	int extIndex = 0, newExtIndex = 0, hasExt = 0;
-@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
- 					newExtIndex = newIndex;
- 				}
- 			}
--			if (newIndex < 256)
-+			if (newIndex < newLen)
- 				newName[newIndex++] = curr;
- 			else
- 				needsCRC = 1;
-@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
- 				}
- 				ext[localExtIndex++] = curr;
- 			}
--			maxFilenameLen = 250 - localExtIndex;
-+			maxFilenameLen = newLen - CRC_LEN - localExtIndex;
- 			if (newIndex > maxFilenameLen)
- 				newIndex = maxFilenameLen;
- 			else
- 				newIndex = newExtIndex;
--		} else if (newIndex > 250)
--			newIndex = 250;
-+		} else if (newIndex > newLen - CRC_LEN)
-+			newIndex = newLen - CRC_LEN;
- 		newName[newIndex++] = CRC_MARK;
- 		valueCRC = crc_itu_t(0, fidName, fidNameLen);
- 		newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12];
 diff --git a/fs/ufs/super.c b/fs/ufs/super.c
 index 3915ade..00fcbf4 100644
 --- a/fs/ufs/super.c
@@ -67766,10 +67423,10 @@ index 8a89949..6776861 100644
  xfs_init_zones(void)
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..0e0866c
+index 0000000..1d38334
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1154 @@
+@@ -0,0 +1,1170 @@
 +#
 +# grecurity configuration
 +#
@@ -68398,6 +68055,22 @@ index 0000000..0e0866c
 +	  sysctl option is enabled, a sysctl option with name
 +	  "chroot_deny_sysctl" is created.
 +
++config GRKERNSEC_CHROOT_RENAME
++	bool "Deny bad renames"
++	default y if GRKERNSEC_CONFIG_AUTO
++	depends on GRKERNSEC_CHROOT
++	help
++	  If you say Y here, an attacker in a chroot will not be able to
++	  abuse the ability to create double chroots to break out of the
++	  chroot by exploiting a race condition between a rename of a directory
++	  within a chroot against an open of a symlink with relative path
++	  components.  This feature will likewise prevent an accomplice outside
++	  a chroot from enabling a user inside the chroot to break out and make
++	  use of their credentials on the global filesystem.  Enabling this
++	  feature is essential to prevent root users from breaking out of a
++	  chroot. If the sysctl option is enabled, a sysctl option with name
++	  "chroot_deny_bad_rename" is created.
++
 +config GRKERNSEC_CHROOT_CAPS
 +	bool "Capability restrictions"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -75645,15 +75318,16 @@ index 0000000..bc0be01
 +}
 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
 new file mode 100644
-index 0000000..60b786f
+index 0000000..bf944ab
 --- /dev/null
 +++ b/grsecurity/grsec_chroot.c
-@@ -0,0 +1,370 @@
+@@ -0,0 +1,455 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
 +#include <linux/fs.h>
++#include <linux/lglock.h>
 +#include <linux/mount.h>
 +#include <linux/types.h>
 +#include <linux/pid_namespace.h>
@@ -75664,6 +75338,90 @@ index 0000000..60b786f
 +int gr_init_ran;
 +#endif
 +
++DECLARE_BRLOCK(vfsmount_lock);
++
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *tmpd = dentry;
++
++	br_read_lock(vfsmount_lock);
++	write_seqlock(&rename_lock);
++
++	while (tmpd != mnt->mnt_root) {
++		atomic_inc(&tmpd->chroot_refcnt);
++		tmpd = tmpd->d_parent;
++	}
++	atomic_inc(&tmpd->chroot_refcnt);
++
++	write_sequnlock(&rename_lock);
++	br_read_unlock(vfsmount_lock);
++#endif
++}
++
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *tmpd = dentry;
++
++	br_read_lock(vfsmount_lock);
++	write_seqlock(&rename_lock);
++
++	while (tmpd != mnt->mnt_root) {
++		atomic_dec(&tmpd->chroot_refcnt);
++		tmpd = tmpd->d_parent;
++	}
++	atomic_dec(&tmpd->chroot_refcnt);
++
++	write_sequnlock(&rename_lock);
++	br_read_unlock(vfsmount_lock);
++#endif
++}
++
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++static struct dentry *get_closest_chroot(struct dentry *dentry)
++{
++	write_seqlock(&rename_lock);
++	do {
++		if (atomic_read(&dentry->chroot_refcnt)) {
++			write_sequnlock(&rename_lock);
++			return dentry;
++		}
++		dentry = dentry->d_parent;
++	} while (!IS_ROOT(dentry));
++	write_sequnlock(&rename_lock);
++	return NULL;
++}
++#endif
++
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
++			 struct dentry *newdentry, struct vfsmount *newmnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	struct dentry *chroot;
++
++	if (unlikely(!grsec_enable_chroot_rename))
++		return 0;
++
++	if (likely(!proc_is_chrooted(current) && !current_uid()))
++		return 0;
++
++	chroot = get_closest_chroot(olddentry);
++
++	if (chroot == NULL)
++		return 0;
++
++	if (is_subdir(newdentry, chroot))
++		return 0;
++
++	gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
++
++	return 1;
++#else
++	return 0;
++#endif
++}
++
 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
 +{
 +#ifdef CONFIG_GRKERNSEC
@@ -76698,10 +76456,10 @@ index 0000000..8ca18bf
 +}
 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
 new file mode 100644
-index 0000000..a5e1b5c
+index 0000000..b09101d
 --- /dev/null
 +++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,290 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -76744,6 +76502,7 @@ index 0000000..a5e1b5c
 +int grsec_enable_chroot_nice;
 +int grsec_enable_chroot_execlog;
 +int grsec_enable_chroot_caps;
++int grsec_enable_chroot_rename;
 +int grsec_enable_chroot_sysctl;
 +int grsec_enable_chroot_unix;
 +int grsec_enable_tpe;
@@ -76955,6 +76714,9 @@ index 0000000..a5e1b5c
 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
 +	grsec_enable_chroot_caps = 1;
 +#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	grsec_enable_chroot_rename = 1;
++#endif
 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
 +	grsec_enable_chroot_sysctl = 1;
 +#endif
@@ -78190,10 +77952,10 @@ index 0000000..e3650b6
 +}
 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
 new file mode 100644
-index 0000000..0d4723d
+index 0000000..a51b175
 --- /dev/null
 +++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,477 @@
+@@ -0,0 +1,486 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -78461,6 +78223,15 @@ index 0000000..0d4723d
 +		.proc_handler	= &proc_dointvec,
 +	},
 +#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	{
++		.procname	= "chroot_deny_bad_rename",
++		.data		= &grsec_enable_chroot_rename,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= &proc_dointvec,
++	},
++#endif
 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
 +	{
 +		.procname	= "chroot_deny_sysctl",
@@ -80160,6 +79931,39 @@ index e2a360a..1d61efb 100644
  #endif
  
  #if __GNUC_MINOR__ > 0
+diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
+index cdd1cc2..59dc542 100644
+--- a/include/linux/compiler-gcc5.h
++++ b/include/linux/compiler-gcc5.h
+@@ -28,6 +28,28 @@
+ # define __compiletime_error(message) __attribute__((error(message)))
+ #endif /* __CHECKER__ */
+ 
++#define __alloc_size(...)	__attribute((alloc_size(__VA_ARGS__)))
++#define __bos(ptr, arg)		__builtin_object_size((ptr), (arg))
++#define __bos0(ptr)		__bos((ptr), 0)
++#define __bos1(ptr)		__bos((ptr), 1)
++
++#ifdef CONSTIFY_PLUGIN
++#error not yet
++#define __no_const __attribute__((no_const))
++#define __do_const __attribute__((do_const))
++#endif
++
++#ifdef SIZE_OVERFLOW_PLUGIN
++#error not yet
++#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
++#endif
++
++#ifdef LATENT_ENTROPY_PLUGIN
++#error not yet
++#define __latent_entropy __attribute__((latent_entropy))
++#endif
++
+ /*
+  * Mark a position in code as unreachable.  This can be used to
+  * suppress control flow warnings after asm blocks that transfer
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
 index 7c7546b..92ea3ae 100644
 --- a/include/linux/compiler.h
@@ -80497,10 +80301,10 @@ index 4030896..4d2c309 100644
  #define current_cred_xxx(xxx)			\
  ({						\
 diff --git a/include/linux/crypto.h b/include/linux/crypto.h
-index 8a94217..15d49e3 100644
+index ca01ea8..daaa939 100644
 --- a/include/linux/crypto.h
 +++ b/include/linux/crypto.h
-@@ -365,7 +365,7 @@ struct cipher_tfm {
+@@ -378,7 +378,7 @@ struct cipher_tfm {
  	                  const u8 *key, unsigned int keylen);
  	void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
  	void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
@@ -80509,7 +80313,7 @@ index 8a94217..15d49e3 100644
  
  struct hash_tfm {
  	int (*init)(struct hash_desc *desc);
-@@ -386,13 +386,13 @@ struct compress_tfm {
+@@ -399,13 +399,13 @@ struct compress_tfm {
  	int (*cot_decompress)(struct crypto_tfm *tfm,
  	                      const u8 *src, unsigned int slen,
  	                      u8 *dst, unsigned int *dlen);
@@ -80539,10 +80343,20 @@ index 8acfe31..6ffccd63 100644
  	return c | 0x20;
  }
 diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 99374de..6388abb 100644
+index 99374de..ac23d39 100644
 --- a/include/linux/dcache.h
 +++ b/include/linux/dcache.h
-@@ -142,7 +142,7 @@ struct dentry {
+@@ -132,6 +132,9 @@ struct dentry {
+ 	unsigned long d_time;		/* used by d_revalidate */
+ 	void *d_fsdata;			/* fs-specific data */
+ 
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
++	atomic_t chroot_refcnt;		/* tracks use of directory in chroot */
++#endif
+ 	struct list_head d_lru;		/* LRU list */
+ 	struct list_head d_child;	/* child of parent list */
+ 	struct list_head d_subdirs;	/* our children */
+@@ -142,7 +145,7 @@ struct dentry {
  		struct list_head d_alias;	/* inode alias list */
  	 	struct rcu_head d_rcu;
  	} d_u;
@@ -80565,7 +80379,7 @@ index 7925bf0..d5143d2 100644
  
  #define large_malloc(a) vmalloc(a)
 diff --git a/include/linux/device.h b/include/linux/device.h
-index 3136ede..9a589c5 100644
+index a31c5d0..ff3d03b 100644
 --- a/include/linux/device.h
 +++ b/include/linux/device.h
 @@ -427,7 +427,7 @@ struct device_type {
@@ -81740,10 +81554,10 @@ index 0000000..be66033
 +#endif
 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
 new file mode 100644
-index 0000000..7dc4203
+index 0000000..248956b
 --- /dev/null
 +++ b/include/linux/grinternal.h
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,238 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
 +
@@ -81803,6 +81617,7 @@ index 0000000..7dc4203
 +extern int grsec_enable_chroot_nice;
 +extern int grsec_enable_chroot_execlog;
 +extern int grsec_enable_chroot_caps;
++extern int grsec_enable_chroot_rename;
 +extern int grsec_enable_chroot_sysctl;
 +extern int grsec_enable_chroot_unix;
 +extern int grsec_enable_symlinkown;
@@ -81983,10 +81798,10 @@ index 0000000..7dc4203
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b02ba9d
+index 0000000..26ef560
 --- /dev/null
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,118 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -82030,6 +81845,7 @@ index 0000000..b02ba9d
 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
++#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
@@ -82106,10 +81922,10 @@ index 0000000..b02ba9d
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..85351c8
+index 0000000..083dbf1
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,238 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -82320,6 +82136,11 @@ index 0000000..85351c8
 +
 +int gr_ptrace_readexec(struct file *file, int unsafe_flags);
 +
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
++			 struct dentry *newdentry, struct vfsmount *newmnt);
++
 +#ifdef CONFIG_GRKERNSEC
 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
 +void gr_handle_vm86(void);
@@ -82856,10 +82677,10 @@ index f93d8c1..71244f6 100644
  
  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
 diff --git a/include/linux/libata.h b/include/linux/libata.h
-index d773b21..95a0913 100644
+index 42ac6ad..703f223 100644
 --- a/include/linux/libata.h
 +++ b/include/linux/libata.h
-@@ -914,7 +914,7 @@ struct ata_port_operations {
+@@ -915,7 +915,7 @@ struct ata_port_operations {
  	 * fields must be pointers.
  	 */
  	const struct ata_port_operations	*inherits;
@@ -82991,7 +82812,7 @@ index 3797270..7765ede 100644
  struct mca_bus {
  	u64			default_dma_mask;
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 7f40120..8879e77 100644
+index e5ee683..61d2731 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -115,7 +115,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -83028,7 +82849,7 @@ index 7f40120..8879e77 100644
  
  struct mmu_gather;
  struct inode;
-@@ -941,8 +949,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
+@@ -942,8 +950,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
  	unsigned long *pfn);
  int follow_phys(struct vm_area_struct *vma, unsigned long address,
  		unsigned int flags, unsigned long *prot, resource_size_t *phys);
@@ -83039,7 +82860,7 @@ index 7f40120..8879e77 100644
  
  static inline void unmap_shared_mapping_range(struct address_space *mapping,
  		loff_t const holebegin, loff_t const holelen)
-@@ -985,10 +993,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
+@@ -986,10 +994,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
  }
  #endif
  
@@ -83054,7 +82875,7 @@ index 7f40120..8879e77 100644
  
  int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  		     unsigned long start, int len, unsigned int foll_flags,
-@@ -1014,34 +1022,6 @@ int set_page_dirty(struct page *page);
+@@ -1015,34 +1023,6 @@ int set_page_dirty(struct page *page);
  int set_page_dirty_lock(struct page *page);
  int clear_page_dirty_for_io(struct page *page);
  
@@ -83089,7 +82910,7 @@ index 7f40120..8879e77 100644
  extern unsigned long move_page_tables(struct vm_area_struct *vma,
  		unsigned long old_addr, struct vm_area_struct *new_vma,
  		unsigned long new_addr, unsigned long len);
-@@ -1136,6 +1116,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
+@@ -1137,6 +1117,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
  }
  #endif
  
@@ -83105,7 +82926,7 @@ index 7f40120..8879e77 100644
  int vma_wants_writenotify(struct vm_area_struct *vma);
  
  extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
-@@ -1154,8 +1143,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
+@@ -1155,8 +1144,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
  {
  	return 0;
  }
@@ -83121,7 +82942,7 @@ index 7f40120..8879e77 100644
  #endif
  
  #ifdef __PAGETABLE_PMD_FOLDED
-@@ -1164,8 +1160,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
+@@ -1165,8 +1161,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
  {
  	return 0;
  }
@@ -83137,7 +82958,7 @@ index 7f40120..8879e77 100644
  #endif
  
  int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
-@@ -1183,11 +1186,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
+@@ -1184,11 +1187,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
  		NULL: pud_offset(pgd, address);
  }
  
@@ -83161,7 +82982,7 @@ index 7f40120..8879e77 100644
  #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
  
  #if USE_SPLIT_PTLOCKS
-@@ -1398,7 +1413,7 @@ extern int install_special_mapping(struct mm_struct *mm,
+@@ -1399,7 +1414,7 @@ extern int install_special_mapping(struct mm_struct *mm,
  				   unsigned long addr, unsigned long len,
  				   unsigned long flags, struct page **pages);
  
@@ -83170,7 +82991,7 @@ index 7f40120..8879e77 100644
  
  extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	unsigned long len, unsigned long prot,
-@@ -1421,6 +1436,7 @@ out:
+@@ -1422,6 +1437,7 @@ out:
  }
  
  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
@@ -83178,7 +82999,7 @@ index 7f40120..8879e77 100644
  
  extern unsigned long do_brk(unsigned long, unsigned long);
  
-@@ -1478,6 +1494,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
+@@ -1479,6 +1495,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
  					     struct vm_area_struct **pprev);
  
@@ -83189,7 +83010,7 @@ index 7f40120..8879e77 100644
  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
     NULL if none.  Assume start_addr < end_addr. */
  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
-@@ -1494,15 +1514,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
+@@ -1495,15 +1515,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
  	return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
  }
  
@@ -83205,7 +83026,7 @@ index 7f40120..8879e77 100644
  struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
  int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
  			unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1538,6 +1549,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+@@ -1539,6 +1550,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
  static inline void vm_stat_account(struct mm_struct *mm,
  			unsigned long flags, struct file *file, long pages)
  {
@@ -83218,7 +83039,7 @@ index 7f40120..8879e77 100644
  }
  #endif /* CONFIG_PROC_FS */
  
-@@ -1618,7 +1635,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -1619,7 +1636,7 @@ extern int unpoison_memory(unsigned long pfn);
  extern int sysctl_memory_failure_early_kill;
  extern int sysctl_memory_failure_recovery;
  extern void shake_page(struct page *p, int access);
@@ -83227,7 +83048,7 @@ index 7f40120..8879e77 100644
  extern int soft_offline_page(struct page *page, int flags);
  
  extern void dump_page(struct page *page);
-@@ -1632,5 +1649,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
+@@ -1633,5 +1650,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
  				unsigned int pages_per_huge_page);
  #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
  
@@ -83783,6 +83604,19 @@ index 45fc162..01a4068 100644
  
  /**
   * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 9ca008f..d82f96a 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -58,7 +58,7 @@
+  * preallocate for this.  Keep PERCPU_DYNAMIC_RESERVE equal to or
+  * larger than PERCPU_DYNAMIC_EARLY_SIZE.
+  */
+-#define PERCPU_DYNAMIC_EARLY_SLOTS	128
++#define PERCPU_DYNAMIC_EARLY_SLOTS	256
+ #define PERCPU_DYNAMIC_EARLY_SIZE	(12 << 10)
+ 
+ /*
 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
 index 8d5b91e..9209ea4 100644
 --- a/include/linux/perf_event.h
@@ -83867,6 +83701,19 @@ index 8fc7dd1a..c19d89e 100644
  			    MMAP_PAGE_ZERO)
  
  /*
+diff --git a/include/linux/phy.h b/include/linux/phy.h
+index 79f337c..228104f 100644
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -471,7 +471,7 @@ static inline int phy_write(struct phy_device *phydev, u32 regnum, u16 val)
+ 	return mdiobus_write(phydev->bus, phydev->addr, regnum, val);
+ }
+ 
+-int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id);
++int get_phy_id(struct mii_bus *bus, int addr, int *phy_id);
+ struct phy_device* get_phy_device(struct mii_bus *bus, int addr);
+ int phy_device_register(struct phy_device *phy);
+ int phy_init_hw(struct phy_device *phydev);
 diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
 index 38d1032..d3f6744 100644
 --- a/include/linux/pid_namespace.h
@@ -84376,10 +84223,10 @@ index 4d50611..c6858a2 100644
  #define RIO_RESOURCE_MEM	0x00000100
  #define RIO_RESOURCE_DOORBELL	0x00000200
 diff --git a/include/linux/rmap.h b/include/linux/rmap.h
-index 2148b12..519b820 100644
+index b0df05a..d0803b6 100644
 --- a/include/linux/rmap.h
 +++ b/include/linux/rmap.h
-@@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struct anon_vma *anon_vma)
+@@ -129,8 +129,8 @@ static inline void anon_vma_unlock(struct anon_vma *anon_vma)
  void anon_vma_init(void);	/* create anon_vma_cachep */
  int  anon_vma_prepare(struct vm_area_struct *);
  void unlink_anon_vmas(struct vm_area_struct *);
@@ -85681,7 +85528,7 @@ index 20f63d3..fdd3cbb 100644
  #define _SYSDEV_ATTR(_name, _mode, _show, _store)		\
  {								\
 diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
-index dac0859..4ea79a9 100644
+index 2b9cd8d..b8a7592 100644
 --- a/include/linux/sysfs.h
 +++ b/include/linux/sysfs.h
 @@ -30,7 +30,8 @@ struct attribute {
@@ -85705,7 +85552,7 @@ index dac0859..4ea79a9 100644
  
  
  /**
-@@ -95,7 +96,8 @@ struct bin_attribute {
+@@ -104,7 +105,8 @@ struct bin_attribute {
  			 char *, loff_t, size_t);
  	int (*mmap)(struct file *, struct kobject *, struct bin_attribute *attr,
  		    struct vm_area_struct *vma);
@@ -86085,7 +85932,7 @@ index 45a7698..76e6993 100644
  } __attribute__ ((packed));
  
 diff --git a/include/linux/virtio.h b/include/linux/virtio.h
-index 96c7843..e518462 100644
+index e4807af..f12924f 100644
 --- a/include/linux/virtio.h
 +++ b/include/linux/virtio.h
 @@ -90,6 +90,10 @@ static inline int virtqueue_add_buf(struct virtqueue *vq,
@@ -86099,7 +85946,7 @@ index 96c7843..e518462 100644
  void *virtqueue_get_buf(struct virtqueue *vq, unsigned int *len);
  
  void virtqueue_disable_cb(struct virtqueue *vq);
-@@ -148,6 +152,7 @@ struct virtio_driver {
+@@ -152,6 +156,7 @@ struct virtio_driver {
  	const unsigned int *feature_table;
  	unsigned int feature_table_size;
  	int (*probe)(struct virtio_device *dev);
@@ -86592,7 +86439,7 @@ index 1ee535b..91976cb1 100644
  {
  	return test_bit(port, sysctl_local_reserved_ports);
 diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
-index 2124004..3713897 100644
+index 6e4569f..0c8aa25 100644
 --- a/include/net/ip_fib.h
 +++ b/include/net/ip_fib.h
 @@ -144,7 +144,7 @@ extern __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
@@ -86994,10 +86841,10 @@ index b1c3d1c..895573a 100644
  extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
  				      __be16 dport);
 diff --git a/include/net/sock.h b/include/net/sock.h
-index e6454b6..7a6b6bc 100644
+index c8dcbb8..50b02f1 100644
 --- a/include/net/sock.h
 +++ b/include/net/sock.h
-@@ -278,7 +278,7 @@ struct sock {
+@@ -277,7 +277,7 @@ struct sock {
  #ifdef CONFIG_RPS
  	__u32			sk_rxhash;
  #endif
@@ -87006,7 +86853,7 @@ index e6454b6..7a6b6bc 100644
  	int			sk_rcvbuf;
  
  	struct sk_filter __rcu	*sk_filter;
-@@ -849,7 +849,7 @@ struct proto {
+@@ -847,7 +847,7 @@ struct proto {
  #ifdef SOCK_REFCNT_DEBUG
  	atomic_t		socks;
  #endif
@@ -87015,7 +86862,7 @@ index e6454b6..7a6b6bc 100644
  
  extern int proto_register(struct proto *prot, int alloc_slab);
  extern void proto_unregister(struct proto *prot);
-@@ -929,7 +929,7 @@ struct sock_iocb {
+@@ -927,7 +927,7 @@ struct sock_iocb {
  	struct scm_cookie	*scm;
  	struct msghdr		*msg, async_msg;
  	struct kiocb		*kiocb;
@@ -87024,7 +86871,7 @@ index e6454b6..7a6b6bc 100644
  
  static inline struct sock_iocb *kiocb_to_siocb(struct kiocb *iocb)
  {
-@@ -1416,7 +1416,7 @@ static inline void sk_nocaps_add(struct sock *sk, int flags)
+@@ -1414,7 +1414,7 @@ static inline void sk_nocaps_add(struct sock *sk, int flags)
  }
  
  static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
@@ -87033,7 +86880,7 @@ index e6454b6..7a6b6bc 100644
  					   int copy, int offset)
  {
  	if (skb->ip_summed == CHECKSUM_NONE) {
-@@ -1678,7 +1678,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
+@@ -1676,7 +1676,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
  	}
  }
  
@@ -94457,7 +94304,7 @@ index e660464..c8b9e67 100644
  		return cmd_attr_register_cpumask(info);
  	else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
 diff --git a/kernel/time.c b/kernel/time.c
-index 060f961..fe7a19e 100644
+index f64e88b..9406590 100644
 --- a/kernel/time.c
 +++ b/kernel/time.c
 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
@@ -97199,7 +97046,7 @@ index 51901b1..79af2f4 100644
  	/* keep elevated page count for bad page */
  	return ret;
 diff --git a/mm/memory.c b/mm/memory.c
-index 628cadc..4db2e08 100644
+index 0a7bb38..4efd48c 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -97535,7 +97382,7 @@ index 628cadc..4db2e08 100644
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2726,6 +2923,12 @@ gotten:
+@@ -2733,6 +2930,12 @@ gotten:
  	 */
  	page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -97548,7 +97395,7 @@ index 628cadc..4db2e08 100644
  		if (old_page) {
  			if (!PageAnon(old_page)) {
  				dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2777,6 +2980,10 @@ gotten:
+@@ -2784,6 +2987,10 @@ gotten:
  			page_remove_rmap(old_page);
  		}
  
@@ -97559,7 +97406,7 @@ index 628cadc..4db2e08 100644
  		/* Free the old page.. */
  		new_page = old_page;
  		ret |= VM_FAULT_WRITE;
-@@ -3056,6 +3263,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3063,6 +3270,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	swap_free(entry);
  	if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
  		try_to_free_swap(page);
@@ -97571,7 +97418,7 @@ index 628cadc..4db2e08 100644
  	unlock_page(page);
  	if (swapcache) {
  		/*
-@@ -3079,6 +3291,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3086,6 +3298,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -97583,7 +97430,7 @@ index 628cadc..4db2e08 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  out:
-@@ -3098,40 +3315,6 @@ out_release:
+@@ -3105,40 +3322,6 @@ out_release:
  }
  
  /*
@@ -97606,7 +97453,7 @@ index 628cadc..4db2e08 100644
 -		if (prev && prev->vm_end == address)
 -			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
 -
--		expand_downwards(vma, address - PAGE_SIZE);
+-		return expand_downwards(vma, address - PAGE_SIZE);
 -	}
 -	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
 -		struct vm_area_struct *next = vma->vm_next;
@@ -97615,7 +97462,7 @@ index 628cadc..4db2e08 100644
 -		if (next && next->vm_start == address + PAGE_SIZE)
 -			return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
 -
--		expand_upwards(vma, address + PAGE_SIZE);
+-		return expand_upwards(vma, address + PAGE_SIZE);
 -	}
 -	return 0;
 -}
@@ -97624,7 +97471,7 @@ index 628cadc..4db2e08 100644
   * We enter with non-exclusive mmap_sem (to exclude vma changes,
   * but allow concurrent faults), and pte mapped but not yet locked.
   * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -3140,27 +3323,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3147,27 +3330,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  		unsigned long address, pte_t *page_table, pmd_t *pmd,
  		unsigned int flags)
  {
@@ -97637,7 +97484,7 @@ index 628cadc..4db2e08 100644
 -
 -	/* Check if we need to add a guard page to the stack */
 -	if (check_stack_guard_page(vma, address) < 0)
--		return VM_FAULT_SIGBUS;
+-		return VM_FAULT_SIGSEGV;
 -
 -	/* Use the zero-page for reads */
  	if (!(flags & FAULT_FLAG_WRITE)) {
@@ -97657,7 +97504,7 @@ index 628cadc..4db2e08 100644
  	if (unlikely(anon_vma_prepare(vma)))
  		goto oom;
  	page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -3179,6 +3358,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3186,6 +3365,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (!pte_none(*page_table))
  		goto release;
  
@@ -97669,7 +97516,7 @@ index 628cadc..4db2e08 100644
  	inc_mm_counter_fast(mm, MM_ANONPAGES);
  	page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -3186,6 +3370,12 @@ setpte:
+@@ -3193,6 +3377,12 @@ setpte:
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -97682,7 +97529,7 @@ index 628cadc..4db2e08 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	return 0;
-@@ -3329,6 +3519,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3336,6 +3526,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 */
  	/* Only go through if we didn't race with anybody else... */
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -97695,7 +97542,7 @@ index 628cadc..4db2e08 100644
  		flush_icache_page(vma, page);
  		entry = mk_pte(page, vma->vm_page_prot);
  		if (flags & FAULT_FLAG_WRITE)
-@@ -3348,6 +3544,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3355,6 +3551,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  
  		/* no need to invalidate: a not-present page won't be cached */
  		update_mmu_cache(vma, address, page_table);
@@ -97710,7 +97557,7 @@ index 628cadc..4db2e08 100644
  	} else {
  		if (cow_page)
  			mem_cgroup_uncharge_page(cow_page);
-@@ -3501,6 +3705,12 @@ int handle_pte_fault(struct mm_struct *mm,
+@@ -3508,6 +3712,12 @@ int handle_pte_fault(struct mm_struct *mm,
  		if (flags & FAULT_FLAG_WRITE)
  			flush_tlb_fix_spurious_fault(vma, address);
  	}
@@ -97723,7 +97570,7 @@ index 628cadc..4db2e08 100644
  unlock:
  	pte_unmap_unlock(pte, ptl);
  	return 0;
-@@ -3517,6 +3727,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3524,6 +3734,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	pmd_t *pmd;
  	pte_t *pte;
  
@@ -97734,7 +97581,7 @@ index 628cadc..4db2e08 100644
  	__set_current_state(TASK_RUNNING);
  
  	count_vm_event(PGFAULT);
-@@ -3528,6 +3742,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3535,6 +3749,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, flags);
  
@@ -97769,7 +97616,7 @@ index 628cadc..4db2e08 100644
  retry:
  	pgd = pgd_offset(mm, address);
  	pud = pud_alloc(mm, pgd, address);
-@@ -3569,7 +3811,7 @@ retry:
+@@ -3576,7 +3818,7 @@ retry:
  	 * run pte_offset_map on the pmd, if an huge pmd could
  	 * materialize from under us from a different thread.
  	 */
@@ -97778,7 +97625,7 @@ index 628cadc..4db2e08 100644
  		return VM_FAULT_OOM;
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
-@@ -3606,6 +3848,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3613,6 +3855,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -97802,7 +97649,7 @@ index 628cadc..4db2e08 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3636,11 +3895,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3643,11 +3902,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -97840,7 +97687,7 @@ index 628cadc..4db2e08 100644
  	struct vm_area_struct * vma;
  
  	vma = find_vma(current->mm, addr);
-@@ -3673,7 +3956,7 @@ static int __init gate_vma_init(void)
+@@ -3680,7 +3963,7 @@ static int __init gate_vma_init(void)
  	gate_vma.vm_start = FIXADDR_USER_START;
  	gate_vma.vm_end = FIXADDR_USER_END;
  	gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -97849,7 +97696,7 @@ index 628cadc..4db2e08 100644
  	/*
  	 * Make sure the vDSO gets into every core dump.
  	 * Dumping its contents makes post-mortem fully interpretable later
-@@ -3813,8 +4096,8 @@ out:
+@@ -3820,8 +4103,8 @@ out:
  	return ret;
  }
  
@@ -97860,7 +97707,7 @@ index 628cadc..4db2e08 100644
  {
  	resource_size_t phys_addr;
  	unsigned long prot = 0;
-@@ -3839,8 +4122,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
+@@ -3846,8 +4129,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
   * Access another process' address space as given in mm.  If non-NULL, use the
   * given task for page fault accounting.
   */
@@ -97871,7 +97718,7 @@ index 628cadc..4db2e08 100644
  {
  	struct vm_area_struct *vma;
  	void *old_buf = buf;
-@@ -3848,7 +4131,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3855,7 +4138,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
  	down_read(&mm->mmap_sem);
  	/* ignore errors, just check how much was successfully transferred */
  	while (len) {
@@ -97880,7 +97727,7 @@ index 628cadc..4db2e08 100644
  		void *maddr;
  		struct page *page = NULL;
  
-@@ -3907,8 +4190,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3914,8 +4197,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
   *
   * The caller must hold a reference on @mm.
   */
@@ -97891,7 +97738,7 @@ index 628cadc..4db2e08 100644
  {
  	return __access_remote_vm(NULL, mm, addr, buf, len, write);
  }
-@@ -3918,11 +4201,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+@@ -3925,11 +4208,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
   * Source/target buffer must be kernel space,
   * Do not walk the page table directly, use get_user_pages
   */
@@ -98141,7 +97988,7 @@ index 1ffd97a..ed75674 100644
  int mminit_loglevel;
  
 diff --git a/mm/mmap.c b/mm/mmap.c
-index f2badbf..06d44c2 100644
+index 13b5685..39383bb 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -30,6 +30,7 @@
@@ -98226,7 +98073,7 @@ index f2badbf..06d44c2 100644
  	if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
  			(mm->end_data - mm->start_data) > rlim)
  		goto out;
-@@ -689,6 +717,12 @@ static int
+@@ -694,6 +722,12 @@ static int
  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
  	struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
  {
@@ -98239,7 +98086,7 @@ index f2badbf..06d44c2 100644
  	if (is_mergeable_vma(vma, file, vm_flags) &&
  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
  		if (vma->vm_pgoff == vm_pgoff)
-@@ -708,6 +742,12 @@ static int
+@@ -713,6 +747,12 @@ static int
  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
  	struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
  {
@@ -98252,7 +98099,7 @@ index f2badbf..06d44c2 100644
  	if (is_mergeable_vma(vma, file, vm_flags) &&
  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
  		pgoff_t vm_pglen;
-@@ -750,13 +790,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
+@@ -755,13 +795,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
  struct vm_area_struct *vma_merge(struct mm_struct *mm,
  			struct vm_area_struct *prev, unsigned long addr,
  			unsigned long end, unsigned long vm_flags,
@@ -98274,7 +98121,7 @@ index f2badbf..06d44c2 100644
  	/*
  	 * We later require that vma->vm_flags == vm_flags,
  	 * so this tests vma->vm_flags & VM_SPECIAL, too.
-@@ -772,6 +819,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -777,6 +824,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
  	if (next && next->vm_end == end)		/* cases 6, 7, 8 */
  		next = next->vm_next;
  
@@ -98290,7 +98137,7 @@ index f2badbf..06d44c2 100644
  	/*
  	 * Can it merge with the predecessor?
  	 */
-@@ -791,9 +847,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -796,9 +852,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
  							/* cases 1, 6 */
  			err = vma_adjust(prev, prev->vm_start,
  				next->vm_end, prev->vm_pgoff, NULL);
@@ -98316,7 +98163,7 @@ index f2badbf..06d44c2 100644
  		if (err)
  			return NULL;
  		khugepaged_enter_vma_merge(prev, vm_flags);
-@@ -807,12 +878,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -812,12 +883,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
   			mpol_equal(policy, vma_policy(next)) &&
  			can_vma_merge_before(next, vm_flags,
  					anon_vma, file, pgoff+pglen)) {
@@ -98346,7 +98193,7 @@ index f2badbf..06d44c2 100644
  		if (err)
  			return NULL;
  		khugepaged_enter_vma_merge(area, vm_flags);
-@@ -921,15 +1007,22 @@ none:
+@@ -926,15 +1012,22 @@ none:
  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
  						struct file *file, long pages)
  {
@@ -98372,7 +98219,7 @@ index f2badbf..06d44c2 100644
  	if (flags & (VM_RESERVED|VM_IO))
  		mm->reserved_vm += pages;
  }
-@@ -955,7 +1048,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -960,7 +1053,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	 * (the exception is when the underlying filesystem is noexec
  	 *  mounted, in which case we dont add PROT_EXEC.)
  	 */
@@ -98381,7 +98228,7 @@ index f2badbf..06d44c2 100644
  		if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
  			prot |= PROT_EXEC;
  
-@@ -981,7 +1074,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -986,7 +1079,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	/* Obtain the address to map to. we verify (or select) it and ensure
  	 * that it represents a valid section of the address space.
  	 */
@@ -98390,7 +98237,7 @@ index f2badbf..06d44c2 100644
  	if (addr & ~PAGE_MASK)
  		return addr;
  
-@@ -992,6 +1085,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -997,6 +1090,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
  			mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
  
@@ -98434,7 +98281,7 @@ index f2badbf..06d44c2 100644
  	if (flags & MAP_LOCKED)
  		if (!can_do_mlock())
  			return -EPERM;
-@@ -1003,6 +1133,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1008,6 +1138,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
@@ -98442,7 +98289,7 @@ index f2badbf..06d44c2 100644
  		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
  			return -EAGAIN;
  	}
-@@ -1073,6 +1204,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1078,6 +1209,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	if (error)
  		return error;
  
@@ -98452,7 +98299,7 @@ index f2badbf..06d44c2 100644
  	return mmap_region(file, addr, len, flags, vm_flags, pgoff);
  }
  EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1153,7 +1287,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
+@@ -1158,7 +1292,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
  	vm_flags_t vm_flags = vma->vm_flags;
  
  	/* If it was private or non-writable, the write bit is already clear */
@@ -98461,7 +98308,7 @@ index f2badbf..06d44c2 100644
  		return 0;
  
  	/* The backer wishes to know when pages are first written to? */
-@@ -1202,17 +1336,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1207,17 +1341,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
  	unsigned long charged = 0;
  	struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
  
@@ -98496,7 +98343,7 @@ index f2badbf..06d44c2 100644
  	if (!may_expand_vm(mm, len >> PAGE_SHIFT))
  		return -ENOMEM;
  
-@@ -1258,6 +1407,16 @@ munmap_back:
+@@ -1263,6 +1412,16 @@ munmap_back:
  		goto unacct_error;
  	}
  
@@ -98513,7 +98360,7 @@ index f2badbf..06d44c2 100644
  	vma->vm_mm = mm;
  	vma->vm_start = addr;
  	vma->vm_end = addr + len;
-@@ -1266,8 +1425,9 @@ munmap_back:
+@@ -1271,8 +1430,9 @@ munmap_back:
  	vma->vm_pgoff = pgoff;
  	INIT_LIST_HEAD(&vma->anon_vma_chain);
  
@@ -98524,7 +98371,7 @@ index f2badbf..06d44c2 100644
  		if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
  			goto free_vma;
  		if (vm_flags & VM_DENYWRITE) {
-@@ -1281,6 +1441,19 @@ munmap_back:
+@@ -1286,6 +1446,19 @@ munmap_back:
  		error = file->f_op->mmap(file, vma);
  		if (error)
  			goto unmap_and_free_vma;
@@ -98544,7 +98391,7 @@ index f2badbf..06d44c2 100644
  		if (vm_flags & VM_EXECUTABLE)
  			added_exe_file_vma(mm);
  
-@@ -1293,6 +1466,8 @@ munmap_back:
+@@ -1298,6 +1471,8 @@ munmap_back:
  		pgoff = vma->vm_pgoff;
  		vm_flags = vma->vm_flags;
  	} else if (vm_flags & VM_SHARED) {
@@ -98553,7 +98400,7 @@ index f2badbf..06d44c2 100644
  		error = shmem_zero_setup(vma);
  		if (error)
  			goto free_vma;
-@@ -1316,14 +1491,19 @@ munmap_back:
+@@ -1321,14 +1496,19 @@ munmap_back:
  	vma_link(mm, vma, prev, rb_link, rb_parent);
  	file = vma->vm_file;
  
@@ -98574,7 +98421,7 @@ index f2badbf..06d44c2 100644
  	if (vm_flags & VM_LOCKED) {
  		if (!mlock_vma_pages_range(vma, addr, addr + len))
  			mm->locked_vm += (len >> PAGE_SHIFT);
-@@ -1341,6 +1521,12 @@ unmap_and_free_vma:
+@@ -1346,6 +1526,12 @@ unmap_and_free_vma:
  	unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
  	charged = 0;
  free_vma:
@@ -98587,7 +98434,7 @@ index f2badbf..06d44c2 100644
  	kmem_cache_free(vm_area_cachep, vma);
  unacct_error:
  	if (charged)
-@@ -1348,6 +1534,73 @@ unacct_error:
+@@ -1353,6 +1539,73 @@ unacct_error:
  	return error;
  }
  
@@ -98661,7 +98508,7 @@ index f2badbf..06d44c2 100644
  /* Get an address range which is currently unmapped.
   * For shmat() with addr=0.
   *
-@@ -1367,6 +1620,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1372,6 +1625,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
  	struct mm_struct *mm = current->mm;
  	struct vm_area_struct *vma;
  	unsigned long start_addr;
@@ -98669,7 +98516,7 @@ index f2badbf..06d44c2 100644
  
  	if (len > TASK_SIZE - mmap_min_addr)
  		return -ENOMEM;
-@@ -1374,18 +1628,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1379,18 +1633,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
  	if (flags & MAP_FIXED)
  		return addr;
  
@@ -98700,7 +98547,7 @@ index f2badbf..06d44c2 100644
  	}
  
  full_search:
-@@ -1396,34 +1655,40 @@ full_search:
+@@ -1401,34 +1660,40 @@ full_search:
  			 * Start a new search - just in case we missed
  			 * some holes.
  			 */
@@ -98752,7 +98599,7 @@ index f2badbf..06d44c2 100644
  		mm->free_area_cache = addr;
  		mm->cached_hole_size = ~0UL;
  	}
-@@ -1441,7 +1706,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1446,7 +1711,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  {
  	struct vm_area_struct *vma;
  	struct mm_struct *mm = current->mm;
@@ -98762,7 +98609,7 @@ index f2badbf..06d44c2 100644
  	unsigned long low_limit = max(PAGE_SIZE, mmap_min_addr);
  
  	/* requested length too big for entire address space */
-@@ -1451,13 +1717,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1456,13 +1722,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  	if (flags & MAP_FIXED)
  		return addr;
  
@@ -98785,7 +98632,7 @@ index f2badbf..06d44c2 100644
  	}
  
  	/* check if free_area_cache is useful for us */
-@@ -1471,10 +1742,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1476,10 +1747,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  
  	/* make sure it can fit in the remaining address space */
  	if (addr >= low_limit + len) {
@@ -98800,7 +98647,7 @@ index f2badbf..06d44c2 100644
  	}
  
  	if (mm->mmap_base < low_limit + len)
-@@ -1489,7 +1761,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1494,7 +1766,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  		 * return with success:
  		 */
  		vma = find_vma(mm, addr);
@@ -98809,7 +98656,7 @@ index f2badbf..06d44c2 100644
  			/* remember the address as a hint for next time */
  			return (mm->free_area_cache = addr);
  
-@@ -1498,8 +1770,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1503,8 +1775,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
   		        mm->cached_hole_size = vma->vm_start - addr;
  
  		/* try just below the current vma->vm_start */
@@ -98820,7 +98667,7 @@ index f2badbf..06d44c2 100644
  
  bottomup:
  	/*
-@@ -1508,13 +1780,21 @@ bottomup:
+@@ -1513,13 +1785,21 @@ bottomup:
  	 * can happen with large stack limits and large mmap()
  	 * allocations.
  	 */
@@ -98844,7 +98691,7 @@ index f2badbf..06d44c2 100644
  	mm->cached_hole_size = ~0UL;
  
  	return addr;
-@@ -1523,6 +1803,12 @@ bottomup:
+@@ -1528,6 +1808,12 @@ bottomup:
  
  void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
  {
@@ -98857,7 +98704,7 @@ index f2badbf..06d44c2 100644
  	/*
  	 * Is this a new hole at the highest possible address?
  	 */
-@@ -1530,8 +1816,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1535,8 +1821,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
  		mm->free_area_cache = addr;
  
  	/* dont allow allocations above current base */
@@ -98869,7 +98716,7 @@ index f2badbf..06d44c2 100644
  }
  
  unsigned long
-@@ -1604,40 +1892,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1609,40 +1897,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
  
  EXPORT_SYMBOL(find_vma);
  
@@ -98945,15 +98792,28 @@ index f2badbf..06d44c2 100644
  
  /*
   * Verify that the stack growth is acceptable and
-@@ -1655,6 +1953,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1653,17 +1951,15 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->signal->rlim;
+-	unsigned long new_start, actual_size;
++	unsigned long new_start;
+ 
+ 	/* address space limit tests */
+ 	if (!may_expand_vm(mm, grow))
  		return -ENOMEM;
  
  	/* Stack limit test */
+-	actual_size = size;
+-	if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
+-		actual_size -= PAGE_SIZE;
+-	if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
 +	gr_learn_resource(current, RLIMIT_STACK, size, 1);
- 	if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
++	if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
  		return -ENOMEM;
  
-@@ -1665,6 +1964,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ 	/* mlock limit tests */
+@@ -1673,6 +1969,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
  		locked = mm->locked_vm + grow;
  		limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
  		limit >>= PAGE_SHIFT;
@@ -98961,7 +98821,7 @@ index f2badbf..06d44c2 100644
  		if (locked > limit && !capable(CAP_IPC_LOCK))
  			return -ENOMEM;
  	}
-@@ -1683,7 +1983,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1691,7 +1988,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
  		return -ENOMEM;
  
  	/* Ok, everything looks good - let it rip */
@@ -98969,7 +98829,7 @@ index f2badbf..06d44c2 100644
  	if (vma->vm_flags & VM_LOCKED)
  		mm->locked_vm += grow;
  	vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
-@@ -1695,37 +1994,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1703,37 +1999,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
   * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
   * vma is the last one with address > vma->vm_end.  Have to extend vma.
   */
@@ -99027,7 +98887,7 @@ index f2badbf..06d44c2 100644
  		unsigned long size, grow;
  
  		size = address - vma->vm_start;
-@@ -1740,6 +2050,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -1748,6 +2055,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
  			}
  		}
  	}
@@ -99036,7 +98896,7 @@ index f2badbf..06d44c2 100644
  	vma_unlock_anon_vma(vma);
  	khugepaged_enter_vma_merge(vma, vma->vm_flags);
  	return error;
-@@ -1753,6 +2065,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1761,6 +2070,8 @@ int expand_downwards(struct vm_area_struct *vma,
  				   unsigned long address)
  {
  	int error;
@@ -99045,7 +98905,7 @@ index f2badbf..06d44c2 100644
  
  	/*
  	 * We must make sure the anon_vma is allocated
-@@ -1766,6 +2080,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1774,6 +2085,15 @@ int expand_downwards(struct vm_area_struct *vma,
  	if (error)
  		return error;
  
@@ -99061,7 +98921,7 @@ index f2badbf..06d44c2 100644
  	vma_lock_anon_vma(vma);
  
  	/*
-@@ -1775,9 +2098,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1783,9 +2103,17 @@ int expand_downwards(struct vm_area_struct *vma,
  	 */
  
  	/* Somebody else might have raced and expanded it already */
@@ -99080,7 +98940,7 @@ index f2badbf..06d44c2 100644
  		size = vma->vm_end - address;
  		grow = (vma->vm_start - address) >> PAGE_SHIFT;
  
-@@ -1787,18 +2118,48 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1795,18 +2123,48 @@ int expand_downwards(struct vm_area_struct *vma,
  			if (!error) {
  				vma->vm_start = address;
  				vma->vm_pgoff -= grow;
@@ -99129,7 +98989,7 @@ index f2badbf..06d44c2 100644
  	return expand_upwards(vma, address);
  }
  
-@@ -1821,6 +2182,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1829,6 +2187,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
  #else
  int expand_stack(struct vm_area_struct *vma, unsigned long address)
  {
@@ -99144,7 +99004,7 @@ index f2badbf..06d44c2 100644
  	return expand_downwards(vma, address);
  }
  
-@@ -1861,7 +2230,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -1869,7 +2235,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
  	do {
  		long nrpages = vma_pages(vma);
  
@@ -99159,7 +99019,7 @@ index f2badbf..06d44c2 100644
  		vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
  		vma = remove_vma(vma);
  	} while (vma);
-@@ -1906,6 +2281,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -1914,6 +2286,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
  	insertion_point = (prev ? &prev->vm_next : &mm->mmap);
  	vma->vm_prev = NULL;
  	do {
@@ -99176,7 +99036,7 @@ index f2badbf..06d44c2 100644
  		rb_erase(&vma->vm_rb, &mm->mm_rb);
  		mm->map_count--;
  		tail_vma = vma;
-@@ -1934,14 +2319,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1942,14 +2324,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	struct vm_area_struct *new;
  	int err = -ENOMEM;
  
@@ -99210,7 +99070,7 @@ index f2badbf..06d44c2 100644
  	/* most fields are the same, copy all, and then fixup */
  	*new = *vma;
  
-@@ -1954,6 +2358,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1962,6 +2363,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  		new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
  	}
  
@@ -99233,7 +99093,7 @@ index f2badbf..06d44c2 100644
  	pol = mpol_dup(vma_policy(vma));
  	if (IS_ERR(pol)) {
  		err = PTR_ERR(pol);
-@@ -1979,6 +2399,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1987,6 +2404,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	else
  		err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
  
@@ -99276,7 +99136,7 @@ index f2badbf..06d44c2 100644
  	/* Success. */
  	if (!err)
  		return 0;
-@@ -1991,10 +2447,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1999,10 +2452,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  			removed_exe_file_vma(mm);
  		fput(new->vm_file);
  	}
@@ -99296,7 +99156,7 @@ index f2badbf..06d44c2 100644
  	kmem_cache_free(vm_area_cachep, new);
   out_err:
  	return err;
-@@ -2007,6 +2471,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2015,6 +2476,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
  	      unsigned long addr, int new_below)
  {
@@ -99312,7 +99172,7 @@ index f2badbf..06d44c2 100644
  	if (mm->map_count >= sysctl_max_map_count)
  		return -ENOMEM;
  
-@@ -2018,11 +2491,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2026,11 +2496,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
   * work.  This now handles partial unmappings.
   * Jeremy Fitzhardinge <jeremy@goop.org>
   */
@@ -99343,7 +99203,7 @@ index f2badbf..06d44c2 100644
  	if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
  		return -EINVAL;
  
-@@ -2097,6 +2589,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2105,6 +2594,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
  	/* Fix up all other VM information */
  	remove_vma_list(mm, vma);
  
@@ -99352,7 +99212,7 @@ index f2badbf..06d44c2 100644
  	return 0;
  }
  
-@@ -2109,22 +2603,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2117,22 +2608,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
  
  	profile_munmap(addr);
  
@@ -99381,7 +99241,7 @@ index f2badbf..06d44c2 100644
  /*
   *  this is really a simplified "do_mmap".  it only handles
   *  anonymous maps.  eventually we may be able to do some
-@@ -2138,6 +2628,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2146,6 +2633,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	struct rb_node ** rb_link, * rb_parent;
  	pgoff_t pgoff = addr >> PAGE_SHIFT;
  	int error;
@@ -99389,7 +99249,7 @@ index f2badbf..06d44c2 100644
  
  	len = PAGE_ALIGN(len);
  	if (!len)
-@@ -2149,16 +2640,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2157,16 +2645,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  
  	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
  
@@ -99421,7 +99281,7 @@ index f2badbf..06d44c2 100644
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
-@@ -2175,22 +2680,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2183,22 +2685,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	/*
  	 * Clear old maps.  this also does some error checking for us
  	 */
@@ -99448,7 +99308,7 @@ index f2badbf..06d44c2 100644
  		return -ENOMEM;
  
  	/* Can we just expand an old private anonymous mapping? */
-@@ -2204,7 +2709,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2212,7 +2714,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	 */
  	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
  	if (!vma) {
@@ -99457,7 +99317,7 @@ index f2badbf..06d44c2 100644
  		return -ENOMEM;
  	}
  
-@@ -2218,11 +2723,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2226,11 +2728,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	vma_link(mm, vma, prev, rb_link, rb_parent);
  out:
  	perf_event_mmap(vma);
@@ -99472,7 +99332,7 @@ index f2badbf..06d44c2 100644
  	return addr;
  }
  
-@@ -2269,8 +2775,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2277,8 +2780,10 @@ void exit_mmap(struct mm_struct *mm)
  	 * Walk the list again, actually closing and freeing it,
  	 * with preemption enabled, without holding any MM locks.
  	 */
@@ -99484,7 +99344,7 @@ index f2badbf..06d44c2 100644
  
  	BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
  }
-@@ -2284,6 +2792,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2292,6 +2797,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
  	struct vm_area_struct * __vma, * prev;
  	struct rb_node ** rb_link, * rb_parent;
  
@@ -99498,7 +99358,7 @@ index f2badbf..06d44c2 100644
  	/*
  	 * The vm_pgoff of a purely anonymous vma should be irrelevant
  	 * until its first write fault, when page's anon_vma and index
-@@ -2306,7 +2821,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2314,7 +2826,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
  	if ((vma->vm_flags & VM_ACCOUNT) &&
  	     security_vm_enough_memory_mm(mm, vma_pages(vma)))
  		return -ENOMEM;
@@ -99521,7 +99381,7 @@ index f2badbf..06d44c2 100644
  	return 0;
  }
  
-@@ -2324,6 +2854,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2332,6 +2859,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	struct rb_node **rb_link, *rb_parent;
  	struct mempolicy *pol;
  
@@ -99530,7 +99390,7 @@ index f2badbf..06d44c2 100644
  	/*
  	 * If anonymous vma has not yet been faulted, update new pgoff
  	 * to match new location, to increase its chance of merging.
-@@ -2374,6 +2906,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2382,6 +2911,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	return NULL;
  }
  
@@ -99570,7 +99430,7 @@ index f2badbf..06d44c2 100644
  /*
   * Return true if the calling process may expand its vm space by the passed
   * number of pages
-@@ -2385,6 +2950,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2393,6 +2955,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
  
  	lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
  
@@ -99578,7 +99438,7 @@ index f2badbf..06d44c2 100644
  	if (cur + npages > lim)
  		return 0;
  	return 1;
-@@ -2455,6 +3021,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2463,6 +3026,22 @@ int install_special_mapping(struct mm_struct *mm,
  	vma->vm_start = addr;
  	vma->vm_end = addr + len;
  
@@ -100072,7 +99932,7 @@ index 1db7971..5dba7b6 100644
  	struct mm_struct *mm;
  
 diff --git a/mm/page-writeback.c b/mm/page-writeback.c
-index d2ac057..aa60e8c 100644
+index aad22aa..ad60f09 100644
 --- a/mm/page-writeback.c
 +++ b/mm/page-writeback.c
 @@ -522,7 +522,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty)
@@ -100084,7 +99944,7 @@ index d2ac057..aa60e8c 100644
  					unsigned long thresh,
  					unsigned long bg_thresh,
  					unsigned long dirty,
-@@ -1380,7 +1380,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v)
+@@ -1370,7 +1370,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v)
  	return NOTIFY_DONE;
  }
  
@@ -100290,10 +100150,10 @@ index cbcbb02..dfdc1de 100644
  				   pgoff_t offset, unsigned long max)
  {
 diff --git a/mm/rmap.c b/mm/rmap.c
-index f3f6fd3..0d91a63 100644
+index 2c4ee3e..8eebe1d 100644
 --- a/mm/rmap.c
 +++ b/mm/rmap.c
-@@ -154,6 +154,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -156,6 +156,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
  	struct anon_vma *anon_vma = vma->anon_vma;
  	struct anon_vma_chain *avc;
  
@@ -100304,7 +100164,7 @@ index f3f6fd3..0d91a63 100644
  	might_sleep();
  	if (unlikely(!anon_vma)) {
  		struct mm_struct *mm = vma->vm_mm;
-@@ -163,6 +167,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -165,6 +169,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
  		if (!avc)
  			goto out_enomem;
  
@@ -100317,7 +100177,7 @@ index f3f6fd3..0d91a63 100644
  		anon_vma = find_mergeable_anon_vma(vma);
  		allocated = NULL;
  		if (!anon_vma) {
-@@ -176,6 +186,21 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -178,6 +188,21 @@ int anon_vma_prepare(struct vm_area_struct *vma)
  		/* page_table_lock to protect against threads */
  		spin_lock(&mm->page_table_lock);
  		if (likely(!vma->anon_vma)) {
@@ -100339,7 +100199,7 @@ index f3f6fd3..0d91a63 100644
  			vma->anon_vma = anon_vma;
  			avc->anon_vma = anon_vma;
  			avc->vma = vma;
-@@ -189,12 +214,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -193,12 +218,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
  
  		if (unlikely(allocated))
  			put_anon_vma(allocated);
@@ -100364,16 +100224,16 @@ index f3f6fd3..0d91a63 100644
  	anon_vma_chain_free(avc);
   out_enomem:
  	return -ENOMEM;
-@@ -245,7 +282,7 @@ static void anon_vma_chain_link(struct vm_area_struct *vma,
-  * Attach the anon_vmas from src to dst.
-  * Returns 0 on success, -ENOMEM on failure.
+@@ -257,7 +294,7 @@ static void anon_vma_chain_link(struct vm_area_struct *vma,
+  * good chance of avoiding scanning the whole hierarchy when it searches where
+  * page is mapped.
   */
 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
  {
  	struct anon_vma_chain *avc, *pavc;
  	struct anon_vma *root = NULL;
-@@ -278,7 +315,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+@@ -304,7 +341,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
   * the corresponding VMA in the parent process is attached to.
   * Returns 0 on success, non-zero on failure.
   */
@@ -100382,7 +100242,7 @@ index f3f6fd3..0d91a63 100644
  {
  	struct anon_vma_chain *avc;
  	struct anon_vma *anon_vma;
-@@ -382,8 +419,10 @@ static void anon_vma_ctor(void *data)
+@@ -422,8 +459,10 @@ static void anon_vma_ctor(void *data)
  void __init anon_vma_init(void)
  {
  	anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
@@ -103238,7 +103098,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 854da15..19d9b66 100644
+index fcb5133..5d5223c 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -103274,7 +103134,7 @@ index 854da15..19d9b66 100644
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -2047,7 +2051,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2048,7 +2052,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
  
  struct dev_gso_cb {
  	void (*destructor)(struct sk_buff *skb);
@@ -103283,7 +103143,7 @@ index 854da15..19d9b66 100644
  
  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
  
-@@ -2969,7 +2973,7 @@ enqueue:
+@@ -2972,7 +2976,7 @@ enqueue:
  
  	local_irq_restore(flags);
  
@@ -103292,7 +103152,7 @@ index 854da15..19d9b66 100644
  	kfree_skb(skb);
  	return NET_RX_DROP;
  }
-@@ -3043,7 +3047,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3046,7 +3050,7 @@ int netif_rx_ni(struct sk_buff *skb)
  }
  EXPORT_SYMBOL(netif_rx_ni);
  
@@ -103301,7 +103161,7 @@ index 854da15..19d9b66 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  
-@@ -3342,7 +3346,7 @@ ncls:
+@@ -3345,7 +3349,7 @@ ncls:
  	if (pt_prev) {
  		ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  	} else {
@@ -103310,7 +103170,7 @@ index 854da15..19d9b66 100644
  		kfree_skb(skb);
  		/* Jamal, now you will not able to escape explaining
  		 * me how you were going to use this. :-)
-@@ -3908,7 +3912,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3911,7 +3915,7 @@ void netif_napi_del(struct napi_struct *napi)
  }
  EXPORT_SYMBOL(netif_napi_del);
  
@@ -103319,7 +103179,7 @@ index 854da15..19d9b66 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -4186,7 +4190,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
+@@ -4189,7 +4193,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
  	struct rtnl_link_stats64 temp;
  	const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
  
@@ -103334,7 +103194,7 @@ index 854da15..19d9b66 100644
  		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
  		   dev->name, stats->rx_bytes, stats->rx_packets,
  		   stats->rx_errors,
-@@ -4261,7 +4271,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
+@@ -4264,7 +4274,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
  	return 0;
  }
  
@@ -103343,7 +103203,7 @@ index 854da15..19d9b66 100644
  	.start = dev_seq_start,
  	.next  = dev_seq_next,
  	.stop  = dev_seq_stop,
-@@ -4291,7 +4301,7 @@ static const struct seq_operations softnet_seq_ops = {
+@@ -4294,7 +4304,7 @@ static const struct seq_operations softnet_seq_ops = {
  
  static int softnet_seq_open(struct inode *inode, struct file *file)
  {
@@ -103352,7 +103212,7 @@ index 854da15..19d9b66 100644
  }
  
  static const struct file_operations softnet_seq_fops = {
-@@ -4378,8 +4388,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4381,8 +4391,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
  
@@ -103366,7 +103226,7 @@ index 854da15..19d9b66 100644
  	}
  
  	return 0;
-@@ -4441,7 +4456,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
+@@ -4444,7 +4459,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
  	proc_net_remove(net, "dev");
  }
  
@@ -103375,7 +103235,7 @@ index 854da15..19d9b66 100644
  	.init = dev_proc_net_init,
  	.exit = dev_proc_net_exit,
  };
-@@ -5936,7 +5951,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5939,7 +5954,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -103384,7 +103244,7 @@ index 854da15..19d9b66 100644
  	return storage;
  }
  EXPORT_SYMBOL(dev_get_stats);
-@@ -6515,7 +6530,7 @@ static void __net_exit netdev_exit(struct net *net)
+@@ -6518,7 +6533,7 @@ static void __net_exit netdev_exit(struct net *net)
  	kfree(net->dev_index_head);
  }
  
@@ -103393,7 +103253,7 @@ index 854da15..19d9b66 100644
  	.init = netdev_init,
  	.exit = netdev_exit,
  };
-@@ -6577,7 +6592,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
+@@ -6580,7 +6595,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
  	rtnl_unlock();
  }
  
@@ -103830,7 +103690,7 @@ index 7121d9b..d256e3c 100644
  }
  
 diff --git a/net/core/sock.c b/net/core/sock.c
-index 8a2c2dd..a264b79 100644
+index e093528..3966d08 100644
 --- a/net/core/sock.c
 +++ b/net/core/sock.c
 @@ -289,7 +289,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -103943,7 +103803,7 @@ index 8a2c2dd..a264b79 100644
  		return -EFAULT;
  lenout:
  	if (put_user(len, optlen))
-@@ -1456,6 +1456,8 @@ EXPORT_SYMBOL(sock_kmalloc);
+@@ -1455,6 +1455,8 @@ EXPORT_SYMBOL(sock_kmalloc);
   */
  void sock_kfree_s(struct sock *sk, void *mem, int size)
  {
@@ -103952,7 +103812,7 @@ index 8a2c2dd..a264b79 100644
  	kfree(mem);
  	atomic_sub(size, &sk->sk_omem_alloc);
  }
-@@ -2027,7 +2029,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+@@ -2026,7 +2028,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
  	 */
  	smp_wmb();
  	atomic_set(&sk->sk_refcnt, 1);
@@ -103961,7 +103821,7 @@ index 8a2c2dd..a264b79 100644
  }
  EXPORT_SYMBOL(sock_init_data);
  
-@@ -2564,7 +2566,7 @@ static __net_exit void proto_exit_net(struct net *net)
+@@ -2563,7 +2565,7 @@ static __net_exit void proto_exit_net(struct net *net)
  }
  
  
@@ -104168,10 +104028,10 @@ index 5d228de..91bdee5 100644
  }
  
 diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
-index 59a7041..060976d 100644
+index d1f56e1..0aee701 100644
 --- a/net/ipv4/arp.c
 +++ b/net/ipv4/arp.c
-@@ -945,24 +945,25 @@ static void parp_redo(struct sk_buff *skb)
+@@ -947,24 +947,25 @@ static void parp_redo(struct sk_buff *skb)
  static int arp_rcv(struct sk_buff *skb, struct net_device *dev,
  		   struct packet_type *pt, struct net_device *orig_dev)
  {
@@ -104637,7 +104497,7 @@ index 542a9c1..9f73775 100644
  		msg.msg_flags = flags;
  
 diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
-index 99ec116..c5628fe 100644
+index efb1ff5..bc97573 100644
 --- a/net/ipv4/ipconfig.c
 +++ b/net/ipv4/ipconfig.c
 @@ -318,7 +318,7 @@ static int __init ic_devinet_ioctl(unsigned int cmd, struct ifreq *arg)
@@ -104833,7 +104693,7 @@ index f7fdbe9..63740b7 100644
  	.exit = ip_proc_exit_net,
  };
 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 75fea1f..a26be5a 100644
+index 063bcd5..2402343 100644
 --- a/net/ipv4/raw.c
 +++ b/net/ipv4/raw.c
 @@ -305,7 +305,7 @@ static int raw_rcv_skb(struct sock * sk, struct sk_buff * skb)
@@ -104845,7 +104705,7 @@ index 75fea1f..a26be5a 100644
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -738,16 +738,20 @@ static int raw_init(struct sock *sk)
+@@ -741,16 +741,20 @@ static int raw_init(struct sock *sk)
  
  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
  {
@@ -104867,7 +104727,7 @@ index 75fea1f..a26be5a 100644
  
  	if (get_user(len, optlen))
  		goto out;
-@@ -757,8 +761,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
+@@ -760,8 +764,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
  	if (len > sizeof(struct icmp_filter))
  		len = sizeof(struct icmp_filter);
  	ret = -EFAULT;
@@ -104878,7 +104738,7 @@ index 75fea1f..a26be5a 100644
  		goto out;
  	ret = 0;
  out:	return ret;
-@@ -986,7 +990,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+@@ -989,7 +993,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
  		sk_wmem_alloc_get(sp),
  		sk_rmem_alloc_get(sp),
  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
@@ -104893,7 +104753,7 @@ index 75fea1f..a26be5a 100644
  }
  
  static int raw_seq_show(struct seq_file *seq, void *v)
-@@ -1049,7 +1059,7 @@ static __net_exit void raw_exit_net(struct net *net)
+@@ -1052,7 +1062,7 @@ static __net_exit void raw_exit_net(struct net *net)
  	proc_net_remove(net, "raw");
  }
  
@@ -105510,7 +105370,7 @@ index 00e1530..47b4f16 100644
  		req->rsk_ops->send_reset(sk, skb);
  
 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
-index 0d5a118..5f6f0e6 100644
+index 3a37f54..109c484 100644
 --- a/net/ipv4/tcp_output.c
 +++ b/net/ipv4/tcp_output.c
 @@ -1319,7 +1319,7 @@ static void tcp_cwnd_validate(struct sock *sk)
@@ -105519,7 +105379,7 @@ index 0d5a118..5f6f0e6 100644
   */
 -static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
 +static unsigned int __intentional_overflow(0) tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
- 					unsigned int mss_now, unsigned int max_segs)
+ 					unsigned int mss_now, unsigned int cwnd)
  {
  	const struct tcp_sock *tp = tcp_sk(sk);
 diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
@@ -105932,7 +105792,7 @@ index 1008ce9..db7ea62 100644
  		goto proc_dev_snmp6_fail;
  	return 0;
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
-index 9ecbc84..7dd6ff7 100644
+index 9287f3ea..136d642 100644
 --- a/net/ipv6/raw.c
 +++ b/net/ipv6/raw.c
 @@ -109,7 +109,7 @@ found:
@@ -105980,7 +105840,7 @@ index 9ecbc84..7dd6ff7 100644
  			struct flowi6 *fl6, struct dst_entry **dstp,
  			unsigned int flags)
  {
-@@ -906,12 +906,15 @@ do_confirm:
+@@ -908,12 +908,15 @@ do_confirm:
  static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
  			       char __user *optval, int optlen)
  {
@@ -105997,7 +105857,7 @@ index 9ecbc84..7dd6ff7 100644
  		return 0;
  	default:
  		return -ENOPROTOOPT;
-@@ -924,6 +927,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -926,6 +929,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
  			       char __user *optval, int __user *optlen)
  {
  	int len;
@@ -106005,7 +105865,7 @@ index 9ecbc84..7dd6ff7 100644
  
  	switch (optname) {
  	case ICMPV6_FILTER:
-@@ -935,7 +939,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -937,7 +941,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
  			len = sizeof(struct icmp6_filter);
  		if (put_user(len, optlen))
  			return -EFAULT;
@@ -106015,7 +105875,7 @@ index 9ecbc84..7dd6ff7 100644
  			return -EFAULT;
  		return 0;
  	default:
-@@ -1242,7 +1247,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+@@ -1244,7 +1249,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
  		   0, 0L, 0,
  		   sock_i_uid(sp), 0,
  		   sock_i_ino(sp),
@@ -106957,10 +106817,10 @@ index afca6c7..594a841 100644
  		panic("cannot create netfilter proc entry");
  #endif
 diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
-index 86137b5..c12e721 100644
+index b88dcec..d817abf27 100644
 --- a/net/netfilter/ipset/ip_set_core.c
 +++ b/net/netfilter/ipset/ip_set_core.c
-@@ -1679,7 +1679,7 @@ done:
+@@ -1685,7 +1685,7 @@ done:
  	return ret;
  }
  
@@ -108486,18 +108346,6 @@ index 7635107..4670276 100644
  	_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
  
  	ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index 5b2d8e6..d014b05 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
- 	asoc->peer.peer_hmacs = new->peer.peer_hmacs;
- 	new->peer.peer_hmacs = NULL;
- 
--	sctp_auth_key_put(asoc->asoc_shared_key);
- 	sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
- }
- 
 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
 index 0b6a391..febcef2 100644
 --- a/net/sctp/ipv6.c
@@ -108622,38 +108470,10 @@ index 76388b0..a967f68 100644
  	sctp_generate_t1_cookie_event,
  	sctp_generate_t1_init_event,
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index c28eb7b..832978a 100644
+index fc63664..832978a 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
-@@ -1611,6 +1611,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
- 	sctp_scope_t scope;
- 	long timeo;
- 	__u16 sinfo_flags = 0;
-+	bool wait_connect = false;
- 	struct sctp_datamsg *datamsg;
- 	int msg_flags = msg->msg_flags;
- 
-@@ -1929,6 +1930,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
- 		err = sctp_primitive_ASSOCIATE(asoc, NULL);
- 		if (err < 0)
- 			goto out_free;
-+		wait_connect = true;
- 		SCTP_DEBUG_PRINTK("We associated primitively.\n");
- 	}
- 
-@@ -1968,6 +1970,11 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
- 	else
- 		err = msg_len;
- 
-+	if (unlikely(wait_connect)) {
-+		timeo = sock_sndtimeo(sk, msg_flags & MSG_DONTWAIT);
-+		sctp_wait_for_connect(asoc, &timeo);
-+	}
-+
- 	/* If we are already past ASSOCIATE, the lower
- 	 * layers are responsible for association cleanup.
- 	 */
-@@ -2183,11 +2190,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
+@@ -2190,11 +2190,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
  {
  	struct sctp_association *asoc;
  	struct sctp_ulpevent *event;
@@ -108668,7 +108488,7 @@ index c28eb7b..832978a 100644
  
  	/*
  	 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4173,13 +4182,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4180,13 +4182,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
  static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
  				  int __user *optlen)
  {
@@ -108686,7 +108506,7 @@ index c28eb7b..832978a 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4197,6 +4209,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4204,6 +4209,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
   */
  static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -108695,7 +108515,7 @@ index c28eb7b..832978a 100644
  	/* Applicable to UDP-style socket only */
  	if (sctp_style(sk, TCP))
  		return -EOPNOTSUPP;
-@@ -4205,7 +4219,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4212,7 +4219,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
  	len = sizeof(int);
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -108705,7 +108525,7 @@ index c28eb7b..832978a 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4569,12 +4584,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4576,12 +4584,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
   */
  static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -108722,7 +108542,7 @@ index c28eb7b..832978a 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4615,6 +4633,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4622,6 +4633,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
  		addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
  		if (space_left < addrlen)
  			return -ENOMEM;
@@ -110604,14 +110424,14 @@ index cb1f50c..cef2a7c 100644
  		fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
 diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh
 new file mode 100644
-index 0000000..42018ed
+index 0000000..822fa9e
 --- /dev/null
 +++ b/scripts/gcc-plugin.sh
 @@ -0,0 +1,51 @@
 +#!/bin/sh
 +srctree=$(dirname "$0")
 +gccplugins_dir=$($3 -print-file-name=plugin)
-+plugincc=$($1 -E - -o /dev/null -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($1 -E - -o /dev/null -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +#if BUILDING_GCC_VERSION >= 4008 || defined(ENABLE_BUILD_WITH_CXX)
 +#warning $2 CXX
@@ -110642,7 +110462,7 @@ index 0000000..42018ed
 +esac
 +
 +# we need a c++ compiler that supports the designated initializer GNU extension
-+plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF
++plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I"${srctree}"/../tools/gcc -I"${gccplugins_dir}"/include 2>&1 <<EOF
 +#include "gcc-common.h"
 +class test {
 +public:
@@ -113356,6 +113176,18 @@ index 37a7f3b..86dc19f 100644
  					goto error;
  
  				buflen -= tmp;
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 8246532..45c403f 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -423,6 +423,7 @@ link_check_failed:
+ 
+ link_prealloc_failed:
+ 	mutex_unlock(&user->cons_lock);
++	key_put(key);
+ 	kleave(" = %d [prelink]", ret);
+ 	return ret;
+ 
 diff --git a/security/lsm_audit.c b/security/lsm_audit.c
 index 893af8a..ba9237c 100644
 --- a/security/lsm_audit.c
@@ -114265,10 +114097,10 @@ index 4c41c90..37f3631 100644
  	return snd_seq_device_register_driver(SNDRV_SEQ_DEV_ID_EMU10K1_SYNTH, &ops,
  					      sizeof(struct snd_emu10k1_synth_arg));
 diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
-index faabaa5..9888f8b 100644
+index ee95618..7752241 100644
 --- a/sound/pci/hda/hda_codec.c
 +++ b/sound/pci/hda/hda_codec.c
-@@ -850,14 +850,10 @@ find_codec_preset(struct hda_codec *codec)
+@@ -852,14 +852,10 @@ find_codec_preset(struct hda_codec *codec)
  	mutex_unlock(&preset_mutex);
  
  	if (mod_requested < HDA_MODREQ_MAX_COUNT) {
@@ -114867,10 +114699,10 @@ index 0000000..54461af
 +}
 diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
 new file mode 100644
-index 0000000..82bc5a8
+index 0000000..3b5af59
 --- /dev/null
 +++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,557 @@
+@@ -0,0 +1,558 @@
 +/*
 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
 + * Copyright 2011-2014 by PaX Team <pageexec@freemail.hu>
@@ -115304,7 +115136,8 @@ index 0000000..82bc5a8
 +#if BUILDING_GCC_VERSION >= 4008
 +		.optinfo_flags		= OPTGROUP_NONE,
 +#endif
-+#if BUILDING_GCC_VERSION >= 4009
++#if BUILDING_GCC_VERSION >= 5000
++#elif BUILDING_GCC_VERSION >= 4009
 +		.has_gate		= false,
 +		.has_execute		= true,
 +#else
@@ -115412,8 +115245,8 @@ index 0000000..82bc5a8
 +		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
-+	if (strcmp(lang_hooks.name, "GNU C")) {
-+		inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
++	if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) {
++		inform(UNKNOWN_LOCATION, G_("%s supports C only, not %s"), plugin_name, lang_hooks.name);
 +		constify = false;
 +	}
 +
@@ -115430,10 +115263,10 @@ index 0000000..82bc5a8
 +}
 diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
 new file mode 100644
-index 0000000..e90c205
+index 0000000..9fa1978
 --- /dev/null
 +++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,375 @@
 +#ifndef GCC_COMMON_H_INCLUDED
 +#define GCC_COMMON_H_INCLUDED
 +
@@ -115470,7 +115303,13 @@ index 0000000..e90c205
 +#include "timevar.h"
 +
 +#include "params.h"
++
++#if BUILDING_GCC_VERSION <= 4009
 +#include "pointer-set.h"
++#else
++#include "hash-map.h"
++#endif
++
 +#include "emit-rtl.h"
 +//#include "reload.h"
 +//#include "ira.h"
@@ -115485,11 +115324,21 @@ index 0000000..e90c205
 +//#include "coverage.h"
 +//#include "value-prof.h"
 +
++#if BUILDING_GCC_VERSION == 4005
++#include <sys/mman.h>
++#endif
++
 +#if BUILDING_GCC_VERSION >= 4007
 +#include "tree-pretty-print.h"
 +#include "gimple-pretty-print.h"
-+#include "c-tree.h"
-+//#include "alloc-pool.h"
++#endif
++
++#if BUILDING_GCC_VERSION >= 4007
++//#include "c-tree.h"
++//#include "cp/cp-tree.h"
++#include "c-family/c-common.h"
++#else
++#include "c-common.h"
 +#endif
 +
 +#if BUILDING_GCC_VERSION <= 4008
@@ -115511,6 +115360,7 @@ index 0000000..e90c205
 +#include "stor-layout.h"
 +#include "internal-fn.h"
 +#include "gimple-expr.h"
++#include "gimple-fold.h"
 +//#include "diagnostic-color.h"
 +#include "context.h"
 +#include "tree-ssa-alias.h"
@@ -115533,7 +115383,11 @@ index 0000000..e90c205
 +#endif
 +
 +//#include "lto/lto.h"
++#if BUILDING_GCC_VERSION >= 4007
 +//#include "data-streamer.h"
++#else
++//#include "lto-streamer.h"
++#endif
 +//#include "lto-compress.h"
 +
 +//#include "expr.h" where are you...
@@ -115543,6 +115397,15 @@ index 0000000..e90c205
 +extern void debug_dominance_info(enum cdi_direction dir);
 +extern void debug_dominance_tree(enum cdi_direction dir, basic_block root);
 +
++#ifdef __cplusplus
++static inline void debug_tree(const_tree t)
++{
++	debug_tree(CONST_CAST_TREE(t));
++}
++#else
++#define debug_tree(t) debug_tree(CONST_CAST_TREE(t))
++#endif
++
 +#define __unused __attribute__((__unused__))
 +
 +#define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node))
@@ -115550,12 +115413,20 @@ index 0000000..e90c205
 +#define TYPE_NAME_POINTER(node) IDENTIFIER_POINTER(TYPE_NAME(node))
 +#define TYPE_NAME_LENGTH(node) IDENTIFIER_LENGTH(TYPE_NAME(node))
 +
++// should come from c-tree.h if only it were installed for gcc 4.5...
++#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
++
 +#if BUILDING_GCC_VERSION == 4005
-+#define FOR_EACH_LOCAL_DECL(FUN, I, D) for (tree vars = (FUN)->local_decls; vars && (D = TREE_VALUE(vars)); vars = TREE_CHAIN(vars), I)
++#define FOR_EACH_VEC_ELT_REVERSE(T,V,I,P) for (I = VEC_length(T, (V)) - 1; VEC_iterate(T, (V), (I), (P)); (I)--)
++#define FOR_EACH_LOCAL_DECL(FUN, I, D) FOR_EACH_VEC_ELT_REVERSE(tree, (FUN)->local_decls, I, D)
 +#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
 +#define FOR_EACH_VEC_ELT(T, V, I, P) for (I = 0; VEC_iterate(T, (V), (I), (P)); ++(I))
 +#define TODO_rebuild_cgraph_edges 0
 +
++#ifndef O_BINARY
++#define O_BINARY 0
++#endif
++
 +static inline bool gimple_call_builtin_p(gimple stmt, enum built_in_function code)
 +{
 +	tree fndecl;
@@ -115605,25 +115476,45 @@ index 0000000..e90c205
 +#if BUILDING_GCC_VERSION <= 4006
 +#define ANY_RETURN_P(rtx) (GET_CODE(rtx) == RETURN)
 +#define C_DECL_REGISTER(EXP) DECL_LANG_FLAG_4(EXP)
-+
-+// should come from c-tree.h if only it were installed for gcc 4.5...
-+#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
++#define EDGE_PRESERVE 0ULL
++#define HOST_WIDE_INT_PRINT_HEX_PURE "%" HOST_WIDE_INT_PRINT "x"
++#define flag_fat_lto_objects true
 +
 +#define get_random_seed(noinit) ({						\
 +	unsigned HOST_WIDE_INT seed;						\
 +	sscanf(get_random_seed(noinit), "%" HOST_WIDE_INT_PRINT "x", &seed);	\
 +	seed * seed; })
 +
++#define int_const_binop(code, arg1, arg2) int_const_binop((code), (arg1), (arg2), 0)
++
 +static inline bool gimple_clobber_p(gimple s)
 +{
 +	return false;
 +}
 +
++static inline bool gimple_asm_clobbers_memory_p(const_gimple stmt)
++{
++	unsigned i;
++
++	for (i = 0; i < gimple_asm_nclobbers(stmt); i++) {
++		tree op = gimple_asm_clobber_op(stmt, i);
++		if (!strcmp(TREE_STRING_POINTER(TREE_VALUE(op)), "memory"))
++			return true;
++	}
++
++	return false;
++}
++
 +static inline tree builtin_decl_implicit(enum built_in_function fncode)
 +{
 +	return implicit_built_in_decls[fncode];
 +}
 +
++static inline int ipa_reverse_postorder(struct cgraph_node **order)
++{
++	return cgraph_postorder(order);
++}
++
 +static inline struct cgraph_node *cgraph_get_create_node(tree decl)
 +{
 +	struct cgraph_node *node = cgraph_get_node(decl);
@@ -115669,8 +115560,11 @@ index 0000000..e90c205
 +#endif
 +
 +#if BUILDING_GCC_VERSION <= 4007
++#define FOR_EACH_FUNCTION(node) for (node = cgraph_nodes; node; node = node->next)
 +#define FOR_EACH_VARIABLE(node) for (node = varpool_nodes; node; node = node->next)
 +#define PROP_loops 0
++#define NODE_SYMBOL(node) (node)
++#define NODE_DECL(node) (node)->decl
 +
 +static inline int bb_loop_depth(const_basic_block bb)
 +{
@@ -115700,6 +115594,8 @@ index 0000000..e90c205
 +#define last_basic_block_for_fn(FN)	((FN)->cfg->x_last_basic_block)
 +#define label_to_block_map_for_fn(FN)	((FN)->cfg->x_label_to_block_map)
 +#define profile_status_for_fn(FN)	((FN)->cfg->x_profile_status)
++#define BASIC_BLOCK_FOR_FN(FN, N)	BASIC_BLOCK_FOR_FUNCTION((FN), (N))
++#define NODE_IMPLICIT_ALIAS(node)	(node)->same_body_alias
 +
 +static inline const char *get_tree_code_name(enum tree_code code)
 +{
@@ -115711,9 +115607,8 @@ index 0000000..e90c205
 +#endif
 +
 +#if BUILDING_GCC_VERSION == 4008
-+#define NODE_DECL(node) node->symbol.decl
-+#else
-+#define NODE_DECL(node) node->decl
++#define NODE_SYMBOL(node) (&(node)->symbol)
++#define NODE_DECL(node) (node)->symbol.decl
 +#endif
 +
 +#if BUILDING_GCC_VERSION >= 4008
@@ -115724,8 +115619,26 @@ index 0000000..e90c205
 +#define TODO_dump_cgraph 0
 +#endif
 +
++#if BUILDING_GCC_VERSION <= 4009
++#define TODO_verify_il 0
++#endif
++
 +#if BUILDING_GCC_VERSION >= 4009
 +#define TODO_ggc_collect 0
++#define NODE_SYMBOL(node) (node)
++#define NODE_DECL(node) (node)->decl
++#define cgraph_node_name(node) (node)->name()
++#define NODE_IMPLICIT_ALIAS(node) (node)->cpp_implicit_alias
++#endif
++
++#if BUILDING_GCC_VERSION >= 5000
++#define TODO_verify_ssa TODO_verify_il
++#define TODO_verify_flow TODO_verify_il
++#define TODO_verify_stmts TODO_verify_il
++#define TODO_verify_rtl_sharing TODO_verify_il
++
++#define debug_cgraph_node(node) (node)->debug()
++#define cgraph_get_node(decl) cgraph_node::get(decl)
 +#endif
 +
 +#endif
diff --git a/3.2.66/4425_grsec_remove_EI_PAX.patch b/3.2.67/4425_grsec_remove_EI_PAX.patch
index 366baa8..366baa8 100644
--- a/3.2.66/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.67/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.66/4427_force_XATTR_PAX_tmpfs.patch b/3.2.67/4427_force_XATTR_PAX_tmpfs.patch
index caaeed1..caaeed1 100644
--- a/3.2.66/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.67/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.66/4430_grsec-remove-localversion-grsec.patch b/3.2.67/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.66/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.67/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.66/4435_grsec-mute-warnings.patch b/3.2.67/4435_grsec-mute-warnings.patch
index da01ac7..da01ac7 100644
--- a/3.2.66/4435_grsec-mute-warnings.patch
+++ b/3.2.67/4435_grsec-mute-warnings.patch
diff --git a/3.2.66/4440_grsec-remove-protected-paths.patch b/3.2.67/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.2.66/4440_grsec-remove-protected-paths.patch
+++ b/3.2.67/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.66/4450_grsec-kconfig-default-gids.patch b/3.2.67/4450_grsec-kconfig-default-gids.patch
index 9456d08..9456d08 100644
--- a/3.2.66/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.67/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.66/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch
index ed1cb9b..ed1cb9b 100644
--- a/3.2.66/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.66/4470_disable-compat_vdso.patch b/3.2.67/4470_disable-compat_vdso.patch
index 34d46de..34d46de 100644
--- a/3.2.66/4470_disable-compat_vdso.patch
+++ b/3.2.67/4470_disable-compat_vdso.patch
diff --git a/3.2.66/4475_emutramp_default_on.patch b/3.2.67/4475_emutramp_default_on.patch
index 1f3d51a..1f3d51a 100644
--- a/3.2.66/4475_emutramp_default_on.patch
+++ b/3.2.67/4475_emutramp_default_on.patch