author | Anthony G. Basile <blueness@gentoo.org> | 2015-07-12 10:37:35 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-07-12 10:37:35 -0400 |
commit | b51e5385946d2d0e11268c89bd777191706072fb (patch) | |
tree | 17b205ae0814c97363371d71b7ae9424ada8af1d | |
parent | Grsec/PaX: 3.1-{3.2.69,3.14.47,4.0.7}-201507050833 (diff) | |
Grsec/PaX: 3.1-{3.2.69,3.14.48,4.0.8}-20150711121120150711
-rw-r--r-- | 3.14.48/0000_README (renamed from 4.0.7/0000_README) | 10 | ||||
-rw-r--r-- | 3.14.48/1046_linux-3.14.47.patch (renamed from 3.14.47/1046_linux-3.14.47.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/1047_linux-3.14.48.patch | 1019 | ||||
-rw-r--r-- | 3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch (renamed from 3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch) | 242 | ||||
-rw-r--r-- | 3.14.48/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.47/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.47/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.47/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4435_grsec-mute-warnings.patch (renamed from 3.14.47/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4440_grsec-remove-protected-paths.patch (renamed from 3.14.47/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.47/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.47/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4470_disable-compat_vdso.patch (renamed from 3.14.47/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.48/4475_emutramp_default_on.patch (renamed from 3.14.47/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.69/0000_README | 2 | ||||
-rw-r--r-- | 3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch) | 29 | ||||
-rw-r--r-- | 4.0.8/0000_README (renamed from 3.14.47/0000_README) | 6 | ||||
-rw-r--r-- | 4.0.8/1007_linux-4.0.8.patch | 2139 | ||||
-rw-r--r-- | 4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch (renamed from 4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch) | 246 | ||||
-rw-r--r-- | 4.0.8/4425_grsec_remove_EI_PAX.patch (renamed from 4.0.7/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.0.7/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4430_grsec-remove-localversion-grsec.patch (renamed from 4.0.7/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4435_grsec-mute-warnings.patch (renamed from 4.0.7/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4440_grsec-remove-protected-paths.patch (renamed from 4.0.7/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4450_grsec-kconfig-default-gids.patch (renamed from 4.0.7/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.0.7/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4470_disable-compat_vdso.patch (renamed from 4.0.7/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 4.0.8/4475_emutramp_default_on.patch (renamed from 4.0.7/4475_emutramp_default_on.patch) | 0 |
27 files changed, 3429 insertions, 264 deletions
diff --git a/4.0.7/0000_README b/3.14.48/0000_README index fc634e5..44ff3ab 100644 --- a/4.0.7/0000_README +++ b/3.14.48/0000_README @@ -2,7 +2,15 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.0.7-201507050833.patch +Patch: 1046_linux-3.14.47.patch +From: http://www.kernel.org +Desc: Linux 3.14.47 + +Patch: 1047_linux-3.14.48.patch +From: http://www.kernel.org +Desc: Linux 3.14.48 + +Patch: 4420_grsecurity-3.1-3.14.48-201507111210.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.47/1046_linux-3.14.47.patch b/3.14.48/1046_linux-3.14.47.patch index 4dc0c5a..4dc0c5a 100644 --- a/3.14.47/1046_linux-3.14.47.patch +++ b/3.14.48/1046_linux-3.14.47.patch diff --git a/3.14.48/1047_linux-3.14.48.patch b/3.14.48/1047_linux-3.14.48.patch new file mode 100644 index 0000000..3a7169d --- /dev/null +++ b/3.14.48/1047_linux-3.14.48.patch 
@@ -0,0 +1,1019 @@ +diff --git a/Makefile b/Makefile +index f9041e6..25393e8 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 47 ++SUBLEVEL = 48 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h +index 9f79231..7d35af3 100644 +--- a/arch/arm/include/asm/kvm_mmu.h ++++ b/arch/arm/include/asm/kvm_mmu.h +@@ -117,13 +117,14 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd) + (__boundary - 1 < (end) - 1)? __boundary: (end); \ + }) + ++#define kvm_pgd_index(addr) pgd_index(addr) ++ + static inline bool kvm_page_empty(void *ptr) + { + struct page *ptr_page = virt_to_page(ptr); + return page_count(ptr_page) == 1; + } + +- + #define kvm_pte_table_empty(ptep) kvm_page_empty(ptep) + #define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp) + #define kvm_pud_table_empty(pudp) (0) +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c +index 2e74a61..f6a52a2 100644 +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -441,6 +441,7 @@ static void update_vttbr(struct kvm *kvm) + + static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu) + { ++ struct kvm *kvm = vcpu->kvm; + int ret; + + if (likely(vcpu->arch.has_run_once)) +@@ -452,12 +453,20 @@ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu) + * Initialize the VGIC before running a vcpu the first time on + * this VM. + */ +- if (unlikely(!vgic_initialized(vcpu->kvm))) { +- ret = kvm_vgic_init(vcpu->kvm); ++ if (unlikely(!vgic_initialized(kvm))) { ++ ret = kvm_vgic_init(kvm); + if (ret) + return ret; + } + ++ /* ++ * Enable the arch timers only if we have an in-kernel VGIC ++ * and it has been properly initialized, since we cannot handle ++ * interrupts from the virtual timer with a userspace gic. 
++ */ ++ if (irqchip_in_kernel(kvm) && vgic_initialized(kvm)) ++ kvm_timer_enable(kvm); ++ + return 0; + } + +diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S +index 0d68d40..a1467e7 100644 +--- a/arch/arm/kvm/interrupts.S ++++ b/arch/arm/kvm/interrupts.S +@@ -159,13 +159,9 @@ __kvm_vcpu_return: + @ Don't trap coprocessor accesses for host kernel + set_hstr vmexit + set_hdcr vmexit +- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore + + #ifdef CONFIG_VFPv3 +- @ Save floating point registers we if let guest use them. +- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) +- bne after_vfp_restore +- + @ Switch VFP/NEON hardware state to the host's + add r7, vcpu, #VCPU_VFP_GUEST + store_vfp_state r7 +@@ -177,6 +173,8 @@ after_vfp_restore: + @ Restore FPEXC_EN which we clobbered on entry + pop {r2} + VFPFMXR FPEXC, r2 ++#else ++after_vfp_restore: + #endif + + @ Reset Hyp-role +@@ -467,7 +465,7 @@ switch_to_guest_vfp: + push {r3-r7} + + @ NEON/VFP used. Turn on VFP access. +- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11)) + + @ Switch VFP/NEON hardware state to the guest's + add r7, r0, #VCPU_VFP_HOST +diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S +index 76af9302..2973b2d 100644 +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -578,8 +578,13 @@ vcpu .req r0 @ vcpu pointer always in r0 + .endm + + /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return +- * (hardware reset value is 0). Keep previous value in r2. */ +-.macro set_hcptr operation, mask ++ * (hardware reset value is 0). Keep previous value in r2. ++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if ++ * VFP wasn't already enabled (always executed on vmtrap). ++ * If a label is specified with vmexit, it is branched to if VFP wasn't ++ * enabled. 
++ */ ++.macro set_hcptr operation, mask, label = none + mrc p15, 4, r2, c1, c1, 2 + ldr r3, =\mask + .if \operation == vmentry +@@ -588,6 +593,17 @@ vcpu .req r0 @ vcpu pointer always in r0 + bic r3, r2, r3 @ Don't trap defined coproc-accesses + .endif + mcr p15, 4, r3, c1, c1, 2 ++ .if \operation != vmentry ++ .if \operation == vmexit ++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) ++ beq 1f ++ .endif ++ isb ++ .if \label != none ++ b \label ++ .endif ++1: ++ .endif + .endm + + /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c +index 524b4b5..c612e37 100644 +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -194,7 +194,7 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp, + phys_addr_t addr = start, end = start + size; + phys_addr_t next; + +- pgd = pgdp + pgd_index(addr); ++ pgd = pgdp + kvm_pgd_index(addr); + do { + next = kvm_pgd_addr_end(addr, end); + if (!pgd_none(*pgd)) +@@ -264,7 +264,7 @@ static void stage2_flush_memslot(struct kvm *kvm, + phys_addr_t next; + pgd_t *pgd; + +- pgd = kvm->arch.pgd + pgd_index(addr); ++ pgd = kvm->arch.pgd + kvm_pgd_index(addr); + do { + next = kvm_pgd_addr_end(addr, end); + stage2_flush_puds(kvm, pgd, addr, next); +@@ -649,7 +649,7 @@ static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache + pud_t *pud; + pmd_t *pmd; + +- pgd = kvm->arch.pgd + pgd_index(addr); ++ pgd = kvm->arch.pgd + kvm_pgd_index(addr); + pud = pud_offset(pgd, addr); + if (pud_none(*pud)) { + if (!cache) +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h +index 681cb90..91f33c2 100644 +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -41,6 +41,8 @@ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr); + static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu) + { + vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS; ++ if (test_bit(KVM_ARM_VCPU_EL1_32BIT, 
vcpu->arch.features)) ++ vcpu->arch.hcr_el2 &= ~HCR_RW; + } + + static inline unsigned long *vcpu_pc(const struct kvm_vcpu *vcpu) +diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h +index 0d51874..15a8a86 100644 +--- a/arch/arm64/include/asm/kvm_mmu.h ++++ b/arch/arm64/include/asm/kvm_mmu.h +@@ -69,6 +69,8 @@ + #define PTRS_PER_S2_PGD (1 << (KVM_PHYS_SHIFT - PGDIR_SHIFT)) + #define S2_PGD_ORDER get_order(PTRS_PER_S2_PGD * sizeof(pgd_t)) + ++#define kvm_pgd_index(addr) (((addr) >> PGDIR_SHIFT) & (PTRS_PER_S2_PGD - 1)) ++ + int create_hyp_mappings(void *from, void *to); + int create_hyp_io_mappings(void *from, void *to, phys_addr_t); + void free_boot_hyp_pgd(void); +diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S +index 5dfc8331..3aaf3bc 100644 +--- a/arch/arm64/kvm/hyp.S ++++ b/arch/arm64/kvm/hyp.S +@@ -629,6 +629,7 @@ ENTRY(__kvm_tlb_flush_vmid_ipa) + * Instead, we invalidate Stage-2 for this IPA, and the + * whole of Stage-1. Weep... + */ ++ lsr x1, x1, #12 + tlbi ipas2e1is, x1 + /* + * We have to ensure completion of the invalidation at Stage-2, +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index 70a7816..0b43265 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -90,7 +90,6 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + if (!cpu_has_32bit_el1()) + return -EINVAL; + cpu_reset = &default_regs_reset32; +- vcpu->arch.hcr_el2 &= ~HCR_RW; + } else { + cpu_reset = &default_regs_reset; + } +diff --git a/arch/mips/include/asm/mach-generic/spaces.h b/arch/mips/include/asm/mach-generic/spaces.h +index 9488fa5..afc96ec 100644 +--- a/arch/mips/include/asm/mach-generic/spaces.h ++++ b/arch/mips/include/asm/mach-generic/spaces.h +@@ -94,7 +94,11 @@ + #endif + + #ifndef FIXADDR_TOP ++#ifdef CONFIG_KVM_GUEST ++#define FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000) ++#else + #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000) + #endif ++#endif + + #endif /* __ASM_MACH_GENERIC_SPACES_H */ +diff 
--git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 38265dc..65dfbd0 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -124,7 +124,16 @@ static inline void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) {} + + static bool regs_use_siar(struct pt_regs *regs) + { +- return !!regs->result; ++ /* ++ * When we take a performance monitor exception the regs are setup ++ * using perf_read_regs() which overloads some fields, in particular ++ * regs->result to tell us whether to use SIAR. ++ * ++ * However if the regs are from another exception, eg. a syscall, then ++ * they have not been setup using perf_read_regs() and so regs->result ++ * is something random. ++ */ ++ return ((TRAP(regs) == 0xf00) && regs->result); + } + + /* +diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c +index 27bb554..7ef2862 100644 +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -2307,7 +2307,7 @@ void *ldc_alloc_exp_dring(struct ldc_channel *lp, unsigned int len, + if (len & (8UL - 1)) + return ERR_PTR(-EINVAL); + +- buf = kzalloc(len, GFP_KERNEL); ++ buf = kzalloc(len, GFP_ATOMIC); + if (!buf) + return ERR_PTR(-ENOMEM); + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 5dab54a..96e743a 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2440,9 +2440,19 @@ config X86_DMA_REMAP + depends on STA2X11 + + config IOSF_MBI +- tristate +- default m ++ tristate "Intel System On Chip IOSF Sideband support" + depends on PCI ++ ---help--- ++ Enables sideband access to mailbox registers on SoC's. The sideband is ++ available on the following platforms. This list is not meant to be ++ exclusive. ++ - BayTrail ++ - Cherryview ++ - Braswell ++ - Quark ++ ++ You should say Y if you are running a kernel on one of these ++ platforms. 
+ + source "net/Kconfig" + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index e9dc029..ac03bd7 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -571,7 +571,7 @@ struct kvm_arch { + struct kvm_pic *vpic; + struct kvm_ioapic *vioapic; + struct kvm_pit *vpit; +- int vapics_in_nmi_mode; ++ atomic_t vapics_in_nmi_mode; + struct mutex apic_map_lock; + struct kvm_apic_map *apic_map; + +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 298781d..1406ffd 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_work *work) + * LVT0 to NMI delivery. Other PIC interrupts are just sent to + * VCPU0, and only if its LVT0 is in EXTINT mode. + */ +- if (kvm->arch.vapics_in_nmi_mode > 0) ++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0) + kvm_for_each_vcpu(i, vcpu, kvm) + kvm_apic_nmi_wd_deliver(vcpu); + } +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 453e5fb..6456734 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1109,10 +1109,10 @@ static void apic_manage_nmi_watchdog(struct kvm_lapic *apic, u32 lvt0_val) + if (!nmi_wd_enabled) { + apic_debug("Receive NMI setting on APIC_LVT0 " + "for cpu %d\n", apic->vcpu->vcpu_id); +- apic->vcpu->kvm->arch.vapics_in_nmi_mode++; ++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + } else if (nmi_wd_enabled) +- apic->vcpu->kvm->arch.vapics_in_nmi_mode--; ++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + + static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) +diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c +index 4f25ec0..bf00138 100644 +--- a/arch/x86/pci/acpi.c ++++ b/arch/x86/pci/acpi.c +@@ -84,6 +84,17 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = { + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), + }, + }, ++ /* 
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */ ++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */ ++ { ++ .callback = set_use_crs, ++ .ident = "Foxconn K8M890-8237A", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"), ++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"), ++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), ++ }, ++ }, + + /* Now for the blacklist.. */ + +@@ -124,8 +135,10 @@ void __init pci_acpi_crs_quirks(void) + { + int year; + +- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) +- pci_use_crs = false; ++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) { ++ if (iomem_resource.end <= 0xffffffff) ++ pci_use_crs = false; ++ } + + dmi_check_system(pci_crs_quirks); + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 533a509..fbc693b 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -417,7 +417,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate) + + val |= vid; + +- wrmsrl(MSR_IA32_PERF_CTL, val); ++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val); + } + + #define BYT_BCLK_FREQS 5 +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 5967667..1f35487 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatterlist *sg, int sg_count, + sg_count--; + link_tbl_ptr--; + } +- be16_add_cpu(&link_tbl_ptr->len, cryptlen); ++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len) ++ + cryptlen); + + /* tag end of link table */ + link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN; +@@ -2563,6 +2564,7 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev, + break; + default: + dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type); ++ kfree(t_alg); + return ERR_PTR(-EINVAL); + } + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 
9cbef59..9359740 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1922,9 +1922,15 @@ static void free_pt_##LVL (unsigned long __pt) \ + pt = (u64 *)__pt; \ + \ + for (i = 0; i < 512; ++i) { \ ++ /* PTE present? */ \ + if (!IOMMU_PTE_PRESENT(pt[i])) \ + continue; \ + \ ++ /* Large PTE? */ \ ++ if (PM_PTE_LEVEL(pt[i]) == 0 || \ ++ PM_PTE_LEVEL(pt[i]) == 7) \ ++ continue; \ ++ \ + p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \ + FN(p); \ + } \ +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 25f7419..62c3fb9 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -765,10 +765,11 @@ static int genphy_config_advert(struct phy_device *phydev) + if (phydev->supported & (SUPPORTED_1000baseT_Half | + SUPPORTED_1000baseT_Full)) { + adv |= ethtool_adv_to_mii_ctrl1000_t(advertise); +- if (adv != oldadv) +- changed = 1; + } + ++ if (adv != oldadv) ++ changed = 1; ++ + err = phy_write(phydev, MII_CTRL1000, adv); + if (err < 0) + return err; +diff --git a/fs/dcache.c b/fs/dcache.c +index 1d7e8a3..aa24f7d 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2905,17 +2905,6 @@ restart: + vfsmnt = &mnt->mnt; + continue; + } +- /* +- * Filesystems needing to implement special "root names" +- * should do so with ->d_dname() +- */ +- if (IS_ROOT(dentry) && +- (dentry->d_name.len != 1 || +- dentry->d_name.name[0] != '/')) { +- WARN(1, "Root dentry has weird name <%.*s>\n", +- (int) dentry->d_name.len, +- dentry->d_name.name); +- } + if (!error) + error = is_mounted(vfsmnt) ? 
1 : 2; + break; +diff --git a/fs/inode.c b/fs/inode.c +index e846a32..644875b 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1631,8 +1631,8 @@ int file_remove_suid(struct file *file) + error = security_inode_killpriv(dentry); + if (!error && killsuid) + error = __remove_suid(dentry, killsuid); +- if (!error && (inode->i_sb->s_flags & MS_NOSEC)) +- inode->i_flags |= S_NOSEC; ++ if (!error) ++ inode_has_no_xattr(inode); + + return error; + } +diff --git a/fs/namespace.c b/fs/namespace.c +index 2faa7ea..fc99d18 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3031,11 +3031,15 @@ bool fs_fully_visible(struct file_system_type *type) + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) + continue; + +- /* This mount is not fully visible if there are any child mounts +- * that cover anything except for empty directories. ++ /* This mount is not fully visible if there are any ++ * locked child mounts that cover anything except for ++ * empty directories. + */ + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + struct inode *inode = child->mnt_mountpoint->d_inode; ++ /* Only worry about locked mounts */ ++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED)) ++ continue; + if (!S_ISDIR(inode->i_mode)) + goto next; + if (inode->i_nlink > 2) +diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h +index 6d9aedd..327b155 100644 +--- a/include/kvm/arm_arch_timer.h ++++ b/include/kvm/arm_arch_timer.h +@@ -60,7 +60,8 @@ struct arch_timer_cpu { + + #ifdef CONFIG_KVM_ARM_TIMER + int kvm_timer_hyp_init(void); +-int kvm_timer_init(struct kvm *kvm); ++void kvm_timer_enable(struct kvm *kvm); ++void kvm_timer_init(struct kvm *kvm); + void kvm_timer_vcpu_reset(struct kvm_vcpu *vcpu, + const struct kvm_irq_level *irq); + void kvm_timer_vcpu_init(struct kvm_vcpu *vcpu); +@@ -73,11 +74,8 @@ static inline int kvm_timer_hyp_init(void) + return 0; + }; + +-static inline int kvm_timer_init(struct kvm *kvm) +-{ +- return 0; +-} +- ++static inline void 
kvm_timer_enable(struct kvm *kvm) {} ++static inline void kvm_timer_init(struct kvm *kvm) {} + static inline void kvm_timer_vcpu_reset(struct kvm_vcpu *vcpu, + const struct kvm_irq_level *irq) {} + static inline void kvm_timer_vcpu_init(struct kvm_vcpu *vcpu) {} +diff --git a/include/net/netns/sctp.h b/include/net/netns/sctp.h +index 3573a81..8ba379f 100644 +--- a/include/net/netns/sctp.h ++++ b/include/net/netns/sctp.h +@@ -31,6 +31,7 @@ struct netns_sctp { + struct list_head addr_waitq; + struct timer_list addr_wq_timer; + struct list_head auto_asconf_splist; ++ /* Lock that protects both addr_waitq and auto_asconf_splist */ + spinlock_t addr_wq_lock; + + /* Lock that protects the local_addr_list writers */ +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h +index 0dfcc92..2c2d388 100644 +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -219,6 +219,10 @@ struct sctp_sock { + atomic_t pd_mode; + /* Receive to here while partial delivery is in effect. 
*/ + struct sk_buff_head pd_lobby; ++ ++ /* These must be the last fields, as they will skipped on copies, ++ * like on accept and peeloff operations ++ */ + struct list_head auto_asconf_list; + int do_auto_asconf; + }; +diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c +index a9a4a1b..8d423bc 100644 +--- a/net/bridge/br_ioctl.c ++++ b/net/bridge/br_ioctl.c +@@ -247,9 +247,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN)) + return -EPERM; + +- spin_lock_bh(&br->lock); + br_stp_set_bridge_priority(br, args[1]); +- spin_unlock_bh(&br->lock); + return 0; + + case BRCTL_SET_PORT_PRIORITY: +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 11a2e6c..7bbc8fe 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1086,6 +1086,9 @@ static void br_multicast_add_router(struct net_bridge *br, + struct net_bridge_port *p; + struct hlist_node *slot = NULL; + ++ if (!hlist_unhashed(&port->rlist)) ++ return; ++ + hlist_for_each_entry(p, &br->router_list, rlist) { + if ((unsigned long) port >= (unsigned long) p) + break; +@@ -1113,12 +1116,8 @@ static void br_multicast_mark_router(struct net_bridge *br, + if (port->multicast_router != 1) + return; + +- if (!hlist_unhashed(&port->rlist)) +- goto timer; +- + br_multicast_add_router(br, port); + +-timer: + mod_timer(&port->multicast_router_timer, + now + br->multicast_querier_interval); + } +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 189ba1e..9a0005a 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br) + return true; + } + +-/* called under bridge lock */ ++/* Acquires and releases bridge lock */ + void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio) + { + struct net_bridge_port *p; + int wasroot; + ++ spin_lock_bh(&br->lock); + wasroot = br_is_root_bridge(br); 
+ + list_for_each_entry(p, &br->port_list, list) { +@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio) + br_port_state_selection(br); + if (br_is_root_bridge(br) && !wasroot) + br_become_root_bridge(br); ++ spin_unlock_bh(&br->lock); + } + + /* called under bridge lock */ +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 7d95f69..0f062c6 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -976,6 +976,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) + rc = 0; + if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)) + goto out_unlock_bh; ++ if (neigh->dead) ++ goto out_dead; + + if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) { + if (NEIGH_VAR(neigh->parms, MCAST_PROBES) + +@@ -1032,6 +1034,13 @@ out_unlock_bh: + write_unlock(&neigh->lock); + local_bh_enable(); + return rc; ++ ++out_dead: ++ if (neigh->nud_state & NUD_STALE) ++ goto out_unlock_bh; ++ write_unlock_bh(&neigh->lock); ++ kfree_skb(skb); ++ return 1; + } + EXPORT_SYMBOL(__neigh_event_send); + +@@ -1095,6 +1104,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, + if (!(flags & NEIGH_UPDATE_F_ADMIN) && + (old & (NUD_NOARP | NUD_PERMANENT))) + goto out; ++ if (neigh->dead) ++ goto out; + + if (!(new & NUD_VALID)) { + neigh_del_timer(neigh); +@@ -1244,6 +1255,8 @@ EXPORT_SYMBOL(neigh_update); + */ + void __neigh_set_probe_once(struct neighbour *neigh) + { ++ if (neigh->dead) ++ return; + neigh->updated = jiffies; + if (!(neigh->nud_state & NUD_FAILED)) + return; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 69ec61a..8207f8d 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -368,9 +368,11 @@ refill: + for (order = NETDEV_FRAG_PAGE_MAX_ORDER; ;) { + gfp_t gfp = gfp_mask; + +- if (order) ++ if (order) { + gfp |= __GFP_COMP | __GFP_NOWARN | + __GFP_NOMEMALLOC; ++ gfp &= ~__GFP_WAIT; ++ } + nc->frag.page = alloc_pages(gfp, order); + if (likely(nc->frag.page)) + 
break; +diff --git a/net/core/sock.c b/net/core/sock.c +index 650dd58..8ebfa52 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1914,8 +1914,10 @@ bool skb_page_frag_refill(unsigned int sz, struct page_frag *pfrag, gfp_t prio) + do { + gfp_t gfp = prio; + +- if (order) ++ if (order) { + gfp |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY; ++ gfp &= ~__GFP_WAIT; ++ } + pfrag->page = alloc_pages(gfp, order); + if (likely(pfrag->page)) { + pfrag->offset = 0; +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 07bd8ed..951fe55 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -228,6 +228,8 @@ int inet_listen(struct socket *sock, int backlog) + err = 0; + if (err) + goto out; ++ ++ tcp_fastopen_init_key_once(true); + } + err = inet_csk_listen_start(sk, backlog); + if (err) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 29d240b..dc45221 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2684,10 +2684,13 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_FASTOPEN: + if (val >= 0 && ((1 << sk->sk_state) & (TCPF_CLOSE | +- TCPF_LISTEN))) ++ TCPF_LISTEN))) { ++ tcp_fastopen_init_key_once(true); ++ + err = fastopen_init_queue(sk, val); +- else ++ } else { + err = -EINVAL; ++ } + break; + case TCP_TIMESTAMP: + if (!tp->repair) +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index f195d93..ee6518d 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -84,8 +84,6 @@ void tcp_fastopen_cookie_gen(__be32 src, __be32 dst, + __be32 path[4] = { src, dst, 0, 0 }; + struct tcp_fastopen_context *ctx; + +- tcp_fastopen_init_key_once(true); +- + rcu_read_lock(); + ctx = rcu_dereference(tcp_fastopen_ctx); + if (ctx) { +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 48b1817..84a60b8 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1264,16 +1264,6 @@ static void packet_sock_destruct(struct sock *sk) + sk_refcnt_debug_dec(sk); + } + +-static int 
fanout_rr_next(struct packet_fanout *f, unsigned int num) +-{ +- int x = atomic_read(&f->rr_cur) + 1; +- +- if (x >= num) +- x = 0; +- +- return x; +-} +- + static unsigned int fanout_demux_hash(struct packet_fanout *f, + struct sk_buff *skb, + unsigned int num) +@@ -1285,13 +1275,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f, + struct sk_buff *skb, + unsigned int num) + { +- int cur, old; ++ unsigned int val = atomic_inc_return(&f->rr_cur); + +- cur = atomic_read(&f->rr_cur); +- while ((old = atomic_cmpxchg(&f->rr_cur, cur, +- fanout_rr_next(f, num))) != cur) +- cur = old; +- return cur; ++ return val % num; + } + + static unsigned int fanout_demux_cpu(struct packet_fanout *f, +@@ -1345,7 +1331,7 @@ static int packet_rcv_fanout(struct sk_buff *skb, struct net_device *dev, + struct packet_type *pt, struct net_device *orig_dev) + { + struct packet_fanout *f = pt->af_packet_priv; +- unsigned int num = f->num_members; ++ unsigned int num = ACCESS_ONCE(f->num_members); + struct packet_sock *po; + unsigned int idx; + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index 740ca5f..e39e6d5 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -599,7 +599,9 @@ out: + return err; + no_route: + kfree_skb(nskb); +- IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES); ++ ++ if (asoc) ++ IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES); + + /* FIXME: Returning the 'err' will effect all the associations + * associated with a socket, although only one of the paths of the +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 604a6ac..f940fdc 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1532,8 +1532,10 @@ static void sctp_close(struct sock *sk, long timeout) + + /* Supposedly, no process has access to the socket, but + * the net layers still may. ++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock ++ * held and that should be grabbed before socket lock. 
+ */ +- local_bh_disable(); ++ spin_lock_bh(&net->sctp.addr_wq_lock); + bh_lock_sock(sk); + + /* Hold the sock, since sk_common_release() will put sock_put() +@@ -1543,7 +1545,7 @@ static void sctp_close(struct sock *sk, long timeout) + sk_common_release(sk); + + bh_unlock_sock(sk); +- local_bh_enable(); ++ spin_unlock_bh(&net->sctp.addr_wq_lock); + + sock_put(sk); + +@@ -3511,6 +3513,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, + if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf)) + return 0; + ++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock); + if (val == 0 && sp->do_auto_asconf) { + list_del(&sp->auto_asconf_list); + sp->do_auto_asconf = 0; +@@ -3519,6 +3522,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, + &sock_net(sk)->sctp.auto_asconf_splist); + sp->do_auto_asconf = 1; + } ++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock); + return 0; + } + +@@ -4009,18 +4013,28 @@ static int sctp_init_sock(struct sock *sk) + local_bh_disable(); + percpu_counter_inc(&sctp_sockets_allocated); + sock_prot_inuse_add(net, sk->sk_prot, 1); ++ ++ /* Nothing can fail after this block, otherwise ++ * sctp_destroy_sock() will be called without addr_wq_lock held ++ */ + if (net->sctp.default_auto_asconf) { ++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock); + list_add_tail(&sp->auto_asconf_list, + &net->sctp.auto_asconf_splist); + sp->do_auto_asconf = 1; +- } else ++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock); ++ } else { + sp->do_auto_asconf = 0; ++ } ++ + local_bh_enable(); + + return 0; + } + +-/* Cleanup any SCTP per socket resources. */ ++/* Cleanup any SCTP per socket resources. 
Must be called with ++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true ++ */ + static void sctp_destroy_sock(struct sock *sk) + { + struct sctp_sock *sp; +@@ -6973,6 +6987,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newinet->mc_list = NULL; + } + ++static inline void sctp_copy_descendant(struct sock *sk_to, ++ const struct sock *sk_from) ++{ ++ int ancestor_size = sizeof(struct inet_sock) + ++ sizeof(struct sctp_sock) - ++ offsetof(struct sctp_sock, auto_asconf_list); ++ ++ if (sk_from->sk_family == PF_INET6) ++ ancestor_size += sizeof(struct ipv6_pinfo); ++ ++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size); ++} ++ + /* Populate the fields of the newsk from the oldsk and migrate the assoc + * and its messages to the newsk. + */ +@@ -6987,7 +7014,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, + struct sk_buff *skb, *tmp; + struct sctp_ulpevent *event; + struct sctp_bind_hashbucket *head; +- struct list_head tmplist; + + /* Migrate socket buffer sizes and all the socket level options to the + * new socket. +@@ -6995,12 +7021,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, + newsk->sk_sndbuf = oldsk->sk_sndbuf; + newsk->sk_rcvbuf = oldsk->sk_rcvbuf; + /* Brute force copy old sctp opt. */ +- if (oldsp->do_auto_asconf) { +- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist)); +- inet_sk_copy_descendant(newsk, oldsk); +- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist)); +- } else +- inet_sk_copy_descendant(newsk, oldsk); ++ sctp_copy_descendant(newsk, oldsk); + + /* Restore the ep value that was overwritten with the above structure + * copy. 
+diff --git a/virt/kvm/arm/arch_timer.c b/virt/kvm/arm/arch_timer.c +index 5081e80..c6fe405 100644 +--- a/virt/kvm/arm/arch_timer.c ++++ b/virt/kvm/arm/arch_timer.c +@@ -61,12 +61,14 @@ static void timer_disarm(struct arch_timer_cpu *timer) + + static void kvm_timer_inject_irq(struct kvm_vcpu *vcpu) + { ++ int ret; + struct arch_timer_cpu *timer = &vcpu->arch.timer_cpu; + + timer->cntv_ctl |= ARCH_TIMER_CTRL_IT_MASK; +- kvm_vgic_inject_irq(vcpu->kvm, vcpu->vcpu_id, +- timer->irq->irq, +- timer->irq->level); ++ ret = kvm_vgic_inject_irq(vcpu->kvm, vcpu->vcpu_id, ++ timer->irq->irq, ++ timer->irq->level); ++ WARN_ON(ret); + } + + static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id) +@@ -307,12 +309,24 @@ void kvm_timer_vcpu_terminate(struct kvm_vcpu *vcpu) + timer_disarm(timer); + } + +-int kvm_timer_init(struct kvm *kvm) ++void kvm_timer_enable(struct kvm *kvm) + { +- if (timecounter && wqueue) { +- kvm->arch.timer.cntvoff = kvm_phys_timer_read(); ++ if (kvm->arch.timer.enabled) ++ return; ++ ++ /* ++ * There is a potential race here between VCPUs starting for the first ++ * time, which may be enabling the timer multiple times. That doesn't ++ * hurt though, because we're just setting a variable to the same ++ * variable that it already was. The important thing is that all ++ * VCPUs have the enabled variable set, before entering the guest, if ++ * the arch timers are enabled. 
++ */ ++ if (timecounter && wqueue) + kvm->arch.timer.enabled = 1; +- } ++} + +- return 0; ++void kvm_timer_init(struct kvm *kvm) ++{ ++ kvm->arch.timer.cntvoff = kvm_phys_timer_read(); + } +diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c +index c324a52..152ec76 100644 +--- a/virt/kvm/arm/vgic.c ++++ b/virt/kvm/arm/vgic.c +@@ -1042,6 +1042,7 @@ static bool vgic_queue_irq(struct kvm_vcpu *vcpu, u8 sgi_source_id, int irq) + lr, irq, vgic_cpu->vgic_lr[lr]); + BUG_ON(!test_bit(lr, vgic_cpu->lr_used)); + vgic_cpu->vgic_lr[lr] |= GICH_LR_PENDING_BIT; ++ __clear_bit(lr, (unsigned long *)vgic_cpu->vgic_elrsr); + return true; + } + +@@ -1055,6 +1056,7 @@ static bool vgic_queue_irq(struct kvm_vcpu *vcpu, u8 sgi_source_id, int irq) + vgic_cpu->vgic_lr[lr] = MK_LR_PEND(sgi_source_id, irq); + vgic_cpu->vgic_irq_lr_map[irq] = lr; + set_bit(lr, vgic_cpu->lr_used); ++ __clear_bit(lr, (unsigned long *)vgic_cpu->vgic_elrsr); + + if (!vgic_irq_is_edge(vcpu, irq)) + vgic_cpu->vgic_lr[lr] |= GICH_LR_EOI; +@@ -1209,6 +1211,14 @@ static bool vgic_process_maintenance(struct kvm_vcpu *vcpu) + if (vgic_cpu->vgic_misr & GICH_MISR_U) + vgic_cpu->vgic_hcr &= ~GICH_HCR_UIE; + ++ /* ++ * In the next iterations of the vcpu loop, if we sync the vgic state ++ * after flushing it, but before entering the guest (this happens for ++ * pending signals and vmid rollovers), then make sure we don't pick ++ * up any old maintenance interrupts here. ++ */ ++ memset(vgic_cpu->vgic_eisr, 0, sizeof(vgic_cpu->vgic_eisr[0]) * 2); ++ + return level_pending; + } + diff --git a/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch b/3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch index f646996..8faa105 100644 --- a/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch +++ b/3.14.48/4420_grsecurity-3.1-3.14.48-201507111210.patch @@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index f9041e6..46bcf1d 100644 +index 25393e8..65e3b07 100644 --- a/Makefile 
+++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3307,7 +3307,7 @@ index 7bcee5c..e2f3249 100644 __data_loc = .; #endif diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c -index 2e74a61..14d0a66 100644 +index f6a52a2..f662d45 100644 --- a/arch/arm/kvm/arm.c +++ b/arch/arm/kvm/arm.c @@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors; @@ -3346,7 +3346,7 @@ index 2e74a61..14d0a66 100644 kvm->arch.vmid = kvm_next_vmid; kvm_next_vmid++; -@@ -1013,7 +1013,7 @@ static void check_kvm_target_cpu(void *ret) +@@ -1022,7 +1022,7 @@ static void check_kvm_target_cpu(void *ret) /** * Initialize Hyp-mode and memory mappings on all CPUs. */ @@ -12396,7 +12396,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 5dab54a..a20467d 100644 +index 96e743a..7f93c3a 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -22,6 +22,7 @@ config X86_64 @@ -17014,7 +17014,7 @@ index 9454c16..e4100e3 100644 #define flush_insn_slot(p) do { } while (0) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index e9dc029..468a823 100644 +index ac03bd7..5ce5402 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -55,6 +55,7 @@ @@ -28852,7 +28852,7 @@ index cf1eeea..cdb8f22 100644 II(Prot | Priv | SrcMem16, em_ltr, ltr), N, N, N, N, diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 453e5fb..214168f 100644 +index 6456734..b845039 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -55,7 +55,7 @@ 
@@ -31271,6 +31271,19 @@ index a63efd6..8149fbe 100644 + pax_force_retaddr ret CFI_ENDPROC +diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c +index ddf9ecb..e342586 100644 +--- a/arch/x86/lib/usercopy.c ++++ b/arch/x86/lib/usercopy.c +@@ -20,7 +20,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n) + unsigned long ret; + + if (__range_not_ok(from, n, TASK_SIZE)) +- return 0; ++ return n; + + /* + * Even though this function is typically called from NMI/IRQ context diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c index e2f5e21..4b22130 100644 --- a/arch/x86/lib/usercopy_32.c @@ -40354,7 +40367,7 @@ index 18d4091..434be15 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index 533a509..4e1860b 100644 +index fbc693b..aebb914 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -138,10 +138,10 @@ struct pstate_funcs { @@ -44614,7 +44627,7 @@ index 92e2243..8fd9092 100644 .ident = "Shift", .matches = { diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c -index 9cbef59..26db8e4 100644 +index 9359740..9c6ef98 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -878,11 +878,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu, @@ -48855,7 +48868,7 @@ index d2bb12b..d6c921e 100644 .priv_size = sizeof(struct nlmon), .setup = nlmon_setup, diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c -index 25f7419..62ed80a7 100644 +index 62c3fb9..c072533 100644 --- a/drivers/net/phy/phy_device.c +++ b/drivers/net/phy/phy_device.c @@ -216,7 +216,7 @@ EXPORT_SYMBOL(phy_device_create); @@ -68108,7 +68121,7 @@ index a93f7e6..d58bcbe 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index 1d7e8a3..f87d4b8 100644 +index aa24f7d..befb5fd 100644 --- a/fs/dcache.c +++ b/fs/dcache.c 
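Review bot: The changed early return in `copy_from_user_nmi` (`return n;` when `__range_not_ok(from, n, TASK_SIZE)` fails) carries no comment stating the return convention, and the old `return 0;` on the same path shows how easily it is misread. The new value presumably means the function reports the number of bytes left uncopied, so a rejected range now reads as a complete failure instead of a full copy. I would say so on the line, e.g. `return n; /* range rejected: nothing copied, all n bytes remain */`. Any caller that still treats the result as a count of bytes copied would misinterpret it; those callers are not visible here and should be checked. The function body continues outside the hunk.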
@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head) @@ -68263,7 +68276,7 @@ index 1d7e8a3..f87d4b8 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3319,7 +3322,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3308,7 +3311,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; @@ -68272,7 +68285,7 @@ index 1d7e8a3..f87d4b8 100644 } } return D_WALK_CONTINUE; -@@ -3435,7 +3438,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3424,7 +3427,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -71378,7 +71391,7 @@ index a4a8ed5..9e017c0 100644 static int can_do_hugetlb_shm(void) { diff --git a/fs/inode.c b/fs/inode.c -index e846a32..bb06bd0 100644 +index 644875b..eb40077 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -839,16 +839,20 @@ unsigned int get_next_ino(void) @@ -72302,7 +72315,7 @@ index ccb8000..ac58c5a 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 2faa7ea..66bad91 100644 +index fc99d18..917cffe 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1373,6 +1373,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -72420,7 +72433,7 @@ index 2faa7ea..66bad91 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -3082,7 +3106,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) +@@ -3086,7 +3110,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; @@ -95570,10 +95583,10 @@ index 72a31db..aaa63d9 100644 /* Get the size of a DATA chunk payload. */ diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h -index 0dfcc92..7967849 100644 +index 2c2d388..491dadc 100644 --- a/include/net/sctp/structs.h 
+++ b/include/net/sctp/structs.h -@@ -507,7 +507,7 @@ struct sctp_pf { +@@ -511,7 +511,7 @@ struct sctp_pf { struct sctp_association *asoc); void (*addr_v4map) (struct sctp_sock *, union sctp_addr *); struct sctp_af *af; @@ -97202,9 +97215,18 @@ index b45b2da..159e8c4 100644 s.version = AUDIT_VERSION_LATEST; s.backlog_wait_time = audit_backlog_wait_time; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index 619b58d..e58d957 100644 +index 619b58d..7ec5814 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c +@@ -1035,7 +1035,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, + * for strings that are too long, we should not have created + * any. + */ +- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) { ++ if (unlikely(len > MAX_ARG_STRLEN - 1)) { + WARN_ON(1); + send_sig(SIGKILL, current, 0); + return -1; @@ -1954,7 +1954,7 @@ int auditsc_get_stamp(struct audit_context *ctx, } @@ -110138,6 +110160,26 @@ index 19311aa..339d794 100644 err = stp_proto_register(&br_stp_proto); if (err < 0) { pr_err("bridge: can't register sap for STP\n"); +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index b7b1914..13421bf 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -370,6 +370,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br, + if (!p || p->br != br || p->state == BR_STATE_DISABLED) + return -EINVAL; + ++ memset(&ip, 0, sizeof(ip)); + ip.proto = entry->addr.proto; + if (ip.proto == htons(ETH_P_IP)) + ip.u.ip4 = entry->addr.u.ip4; +@@ -416,6 +417,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry) + if (!netif_running(br->dev) || br->multicast_disabled) + return -EINVAL; + ++ memset(&ip, 0, sizeof(ip)); + ip.proto = entry->addr.proto; + if (ip.proto == htons(ETH_P_IP)) { + if (timer_pending(&br->ip4_querier.timer)) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index e8844d9..df3afa0 100644 --- a/net/bridge/br_netlink.c 
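Review bot: Dropping the explicit `len == -1` test in `audit_log_single_execve_arg` is only safe if `len` has an unsigned type, and its declaration is outside the hunk. With an unsigned `len`, a -1 result wraps to the maximum value and is still rejected by `len > MAX_ARG_STRLEN - 1`; with a signed `len` it would pass the check and go on to be used as a length. A one-line comment above the test would pin that down: `/* len is unsigned: a -1 error result wraps and is rejected here too */`. The same change appears in the 3.2.69 grsecurity patch hunk for kernel/auditsc.c (`@@ -1062,7 +1063,7 @@`), and the same remark applies there.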
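Review bot: The two added `memset(&ip, 0, sizeof(ip));` calls in `__br_mdb_add` and `__br_mdb_del` carry no comment, and the reason is not obvious from the assignments that follow. As far as the hunks show, only `ip.proto` and one member of `ip.u` are filled in afterwards, so without the memset the rest of the structure would hold leftover stack contents. That presumably matters because `ip` is later used as a lookup key, which is outside the hunk. I would add `/* zero unused union bytes and padding before ip is used as a key */` above each call. Both function bodies start and end outside the hunks.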
@@ -110735,51 +110777,10 @@ index 26dc006..89e838e 100644 m->msg_iov = iov; diff --git a/net/core/neighbour.c b/net/core/neighbour.c -index 7d95f69..1d316b1 100644 +index 0f062c6..1d316b1 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c -@@ -976,6 +976,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) - rc = 0; - if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)) - goto out_unlock_bh; -+ if (neigh->dead) -+ goto out_dead; - - if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) { - if (NEIGH_VAR(neigh->parms, MCAST_PROBES) + -@@ -1032,6 +1034,13 @@ out_unlock_bh: - write_unlock(&neigh->lock); - local_bh_enable(); - return rc; -+ -+out_dead: -+ if (neigh->nud_state & NUD_STALE) -+ goto out_unlock_bh; -+ write_unlock_bh(&neigh->lock); -+ kfree_skb(skb); -+ return 1; - } - EXPORT_SYMBOL(__neigh_event_send); - -@@ -1095,6 +1104,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, - if (!(flags & NEIGH_UPDATE_F_ADMIN) && - (old & (NUD_NOARP | NUD_PERMANENT))) - goto out; -+ if (neigh->dead) -+ goto out; - - if (!(new & NUD_VALID)) { - neigh_del_timer(neigh); -@@ -1244,6 +1255,8 @@ EXPORT_SYMBOL(neigh_update); - */ - void __neigh_set_probe_once(struct neighbour *neigh) - { -+ if (neigh->dead) -+ return; - neigh->updated = jiffies; - if (!(neigh->nud_state & NUD_FAILED)) - return; -@@ -2824,7 +2837,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write, +@@ -2837,7 +2837,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { int size, ret; @@ -110788,7 +110789,7 @@ index 7d95f69..1d316b1 100644 tmp.extra1 = &zero; tmp.extra2 = &unres_qlen_max; -@@ -2886,7 +2899,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write, +@@ -2899,7 +2899,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { 
@@ -110797,7 +110798,7 @@ index 7d95f69..1d316b1 100644 int ret; tmp.extra1 = &zero; -@@ -3058,11 +3071,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p, +@@ -3071,11 +3071,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p, memset(&t->neigh_vars[NEIGH_VAR_GC_INTERVAL], 0, sizeof(t->neigh_vars[NEIGH_VAR_GC_INTERVAL])); } else { @@ -111051,10 +111052,10 @@ index b442e7e..6f5b5a2 100644 { struct socket *sock; diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 69ec61a..61843ef 100644 +index 8207f8d..2cd4778 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c -@@ -378,18 +378,29 @@ refill: +@@ -380,18 +380,29 @@ refill: goto end; } nc->frag.size = PAGE_SIZE << order; @@ -111091,7 +111092,7 @@ index 69ec61a..61843ef 100644 } data = page_address(nc->frag.page) + nc->frag.offset; -@@ -2022,7 +2033,7 @@ EXPORT_SYMBOL(__skb_checksum); +@@ -2024,7 +2035,7 @@ EXPORT_SYMBOL(__skb_checksum); __wsum skb_checksum(const struct sk_buff *skb, int offset, int len, __wsum csum) { @@ -111100,7 +111101,7 @@ index 69ec61a..61843ef 100644 .update = csum_partial_ext, .combine = csum_block_add_ext, }; -@@ -3243,13 +3254,15 @@ void __init skb_init(void) +@@ -3245,13 +3256,15 @@ void __init skb_init(void) skbuff_head_cache = kmem_cache_create("skbuff_head_cache", sizeof(struct sk_buff), 0, @@ -111119,7 +111120,7 @@ index 69ec61a..61843ef 100644 } diff --git a/net/core/sock.c b/net/core/sock.c -index 650dd58..25162a5 100644 +index 8ebfa52..2e53485 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -442,7 +442,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -111215,7 +111216,7 @@ index 650dd58..25162a5 100644 kfree(mem); atomic_sub(size, &sk->sk_omem_alloc); } -@@ -2394,7 +2396,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) +@@ -2396,7 +2398,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); 
@@ -111224,7 +111225,7 @@ index 650dd58..25162a5 100644 } EXPORT_SYMBOL(sock_init_data); -@@ -2522,6 +2524,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) +@@ -2524,6 +2526,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level, int type) { @@ -111232,7 +111233,7 @@ index 650dd58..25162a5 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2543,7 +2546,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, +@@ -2545,7 +2548,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -111464,10 +111465,10 @@ index 8edfea5..a17998f 100644 .priv_size = sizeof(struct lowpan_dev_info), .setup = lowpan_setup, diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 07bd8ed..c574801 100644 +index 951fe55..d7c1ddd 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c -@@ -1706,13 +1706,9 @@ static int __init inet_init(void) +@@ -1708,13 +1708,9 @@ static int __init inet_init(void) BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb)); @@ -111482,7 +111483,7 @@ index 07bd8ed..c574801 100644 rc = proto_register(&udp_prot, 1); if (rc) -@@ -1819,8 +1815,6 @@ out_unregister_udp_proto: +@@ -1821,8 +1817,6 @@ out_unregister_udp_proto: proto_unregister(&udp_prot); out_unregister_tcp_proto: proto_unregister(&tcp_prot); @@ -114879,43 +114880,10 @@ index 270b77d..0a9d0981 100644 /* Queue all of the segments. */ skb = segs; diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 48b1817..3b2192f 100644 +index 84a60b8..3c94b0f 100644 --- a/net/packet/af_packet.c 
+++ b/net/packet/af_packet.c -@@ -1264,16 +1264,6 @@ static void packet_sock_destruct(struct sock *sk) - sk_refcnt_debug_dec(sk); - } - --static int fanout_rr_next(struct packet_fanout *f, unsigned int num) --{ -- int x = atomic_read(&f->rr_cur) + 1; -- -- if (x >= num) -- x = 0; -- -- return x; --} -- - static unsigned int fanout_demux_hash(struct packet_fanout *f, - struct sk_buff *skb, - unsigned int num) -@@ -1285,13 +1275,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f, - struct sk_buff *skb, - unsigned int num) - { -- int cur, old; -+ unsigned int val = atomic_inc_return(&f->rr_cur); - -- cur = atomic_read(&f->rr_cur); -- while ((old = atomic_cmpxchg(&f->rr_cur, cur, -- fanout_rr_next(f, num))) != cur) -- cur = old; -- return cur; -+ return val % num; - } - - static unsigned int fanout_demux_cpu(struct packet_fanout *f, -@@ -1846,7 +1832,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1832,7 +1832,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_packets++; @@ -114924,7 +114892,7 @@ index 48b1817..3b2192f 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1855,7 +1841,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1841,7 +1841,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_drops++; @@ -114933,7 +114901,7 @@ index 48b1817..3b2192f 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3462,7 +3448,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3448,7 +3448,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); 
@@ -114942,7 +114910,7 @@ index 48b1817..3b2192f 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3508,7 +3494,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3494,7 +3494,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -115755,10 +115723,10 @@ index fef2acd..c705c4f 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 604a6ac..990354d 100644 +index f940fdc..45a387b 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -1605,6 +1605,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1607,6 +1607,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, sctp_scope_t scope; long timeo; __u16 sinfo_flags = 0; @@ -115766,7 +115734,7 @@ index 604a6ac..990354d 100644 struct sctp_datamsg *datamsg; int msg_flags = msg->msg_flags; -@@ -1924,6 +1925,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1926,6 +1927,7 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, if (err < 0) goto out_free; @@ -115774,7 +115742,7 @@ index 604a6ac..990354d 100644 pr_debug("%s: we associated primitively\n", __func__); } -@@ -1961,6 +1963,11 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1963,6 +1965,11 @@ static int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, sctp_datamsg_put(datamsg); err = msg_len; @@ -115786,7 +115754,7 @@ index 604a6ac..990354d 100644 /* If we are already past ASSOCIATE, the lower * layers are responsible for association cleanup. */ -@@ -2175,11 +2182,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -2177,11 +2184,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; 
@@ -115801,7 +115769,7 @@ index 604a6ac..990354d 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4259,13 +4268,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4273,13 +4282,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -115819,7 +115787,7 @@ index 604a6ac..990354d 100644 return -EFAULT; return 0; } -@@ -4283,6 +4295,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4297,6 +4309,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -115828,7 +115796,7 @@ index 604a6ac..990354d 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4291,7 +4305,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4305,7 +4319,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -115838,7 +115806,7 @@ index 604a6ac..990354d 100644 return -EFAULT; return 0; } -@@ -4666,12 +4681,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4680,12 +4695,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -115855,7 +115823,7 @@ index 604a6ac..990354d 100644 return -EFAULT; return 0; } -@@ -4712,6 +4730,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4726,6 +4744,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; 
@@ -116536,6 +116504,18 @@ index e7000be..e3b0ba7 100644 uid_eq(root_uid, current_euid())) { int mode = (table->mode >> 6) & 7; return (mode << 6) | (mode << 3) | mode; +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 0ed0eaa..830e40b 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1681,6 +1681,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags) + res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1); + if (res) + goto exit; ++ security_sk_clone(sock->sk, new_sock->sk); + + new_sk = new_sock->sk; + new_tsock = tipc_sk(new_sk); diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c index 6424372..afd36e9 100644 --- a/net/tipc/subscr.c @@ -119028,7 +119008,7 @@ index fc3e662..7844c60 100644 lock = &avc_cache.slots_lock[hvalue]; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 47b5c69..4fc9b7f 100644 +index 47b5c69..2434bd2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -95,8 +95,6 @@ @@ -119040,7 +119020,17 @@ index 47b5c69..4fc9b7f 100644 /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); -@@ -5759,7 +5757,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) +@@ -3192,7 +3190,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared + int rc = 0; + + if (default_noexec && +- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { ++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || ++ (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will also be writable. +@@ -5759,7 +5758,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif 
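Review bot: The comment under the widened condition in `file_map_prot_check` no longer describes it. The new test also takes the branch when `IS_PRIVATE(file_inode(file))` is true, but the text still lists only an anonymous mapping or a private file mapping that will also be writable. I would extend it, e.g. `* We are making executable an anonymous mapping, a mapping of a private (IS_PRIVATE) inode, or a private file mapping that will also be writable.` The rest of the comment and the check it guards are outside the hunk, so the wording should be confirmed against them. The 3.2.69 patch carries the same change at `@@ -3049,7 +3055,8 @@`, with `file->f_path.dentry->d_inode` in place of `file_inode(file)`, and needs the same comment update.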
@@ -119049,7 +119039,7 @@ index 47b5c69..4fc9b7f 100644 .name = "selinux", .ptrace_access_check = selinux_ptrace_access_check, -@@ -6112,6 +6110,9 @@ static void selinux_nf_ip_exit(void) +@@ -6112,6 +6111,9 @@ static void selinux_nf_ip_exit(void) #ifdef CONFIG_SECURITY_SELINUX_DISABLE static int selinux_disabled; @@ -119059,7 +119049,7 @@ index 47b5c69..4fc9b7f 100644 int selinux_disable(void) { if (ss_initialized) { -@@ -6129,7 +6130,9 @@ int selinux_disable(void) +@@ -6129,7 +6131,9 @@ int selinux_disable(void) selinux_disabled = 1; selinux_enabled = 0; diff --git a/3.14.47/4425_grsec_remove_EI_PAX.patch b/3.14.48/4425_grsec_remove_EI_PAX.patch index a80a5d7..a80a5d7 100644 --- a/3.14.47/4425_grsec_remove_EI_PAX.patch +++ b/3.14.48/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.47/4427_force_XATTR_PAX_tmpfs.patch b/3.14.48/4427_force_XATTR_PAX_tmpfs.patch index 4c236cc..4c236cc 100644 --- a/3.14.47/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.48/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.47/4430_grsec-remove-localversion-grsec.patch b/3.14.48/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.47/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.48/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.47/4435_grsec-mute-warnings.patch b/3.14.48/4435_grsec-mute-warnings.patch index 2c2d463..2c2d463 100644 --- a/3.14.47/4435_grsec-mute-warnings.patch +++ b/3.14.48/4435_grsec-mute-warnings.patch diff --git a/3.14.47/4440_grsec-remove-protected-paths.patch b/3.14.48/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.47/4440_grsec-remove-protected-paths.patch +++ b/3.14.48/4440_grsec-remove-protected-paths.patch diff --git a/3.14.47/4450_grsec-kconfig-default-gids.patch b/3.14.48/4450_grsec-kconfig-default-gids.patch index b96defc..b96defc 100644 --- a/3.14.47/4450_grsec-kconfig-default-gids.patch +++ b/3.14.48/4450_grsec-kconfig-default-gids.patch 
diff --git a/3.14.47/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.48/4465_selinux-avc_audit-log-curr_ip.patch index bba906e..bba906e 100644 --- a/3.14.47/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.48/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.47/4470_disable-compat_vdso.patch b/3.14.48/4470_disable-compat_vdso.patch index 3b3953b..3b3953b 100644 --- a/3.14.47/4470_disable-compat_vdso.patch +++ b/3.14.48/4470_disable-compat_vdso.patch diff --git a/3.14.47/4475_emutramp_default_on.patch b/3.14.48/4475_emutramp_default_on.patch index a128205..a128205 100644 --- a/3.14.47/4475_emutramp_default_on.patch +++ b/3.14.48/4475_emutramp_default_on.patch diff --git a/3.2.69/0000_README b/3.2.69/0000_README index 6773701..0df9a58 100644 --- a/3.2.69/0000_README +++ b/3.2.69/0000_README @@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch From: http://www.kernel.org Desc: Linux 3.2.69 -Patch: 4420_grsecurity-3.1-3.2.69-201507050830.patch +Patch: 4420_grsecurity-3.1-3.2.69-201507111207.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch index 57ddd0b..d2caf34 100644 --- a/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch +++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201507111207.patch @@ -89437,7 +89437,7 @@ index e14bc74..bdf7f6c 100644 if (!ab) return; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index d1d2843..08ff2b8 100644 +index d1d2843..4408c0d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7 @@ 
@@ -89448,6 +89448,15 @@ index d1d2843..08ff2b8 100644 #include "audit.h" +@@ -1062,7 +1063,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, + * for strings that are too long, we should not have created + * any. + */ +- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) { ++ if (unlikely(len > MAX_ARG_STRLEN - 1)) { + WARN_ON(1); + send_sig(SIGKILL, current, 0); + return -1; @@ -1177,8 +1178,8 @@ static void audit_log_execve_info(struct audit_context *context, struct audit_buffer **ab, struct audit_aux_data_execve *axi) @@ -114693,7 +114702,7 @@ index dca1c22..4fa4591 100644 lock = &avc_cache.slots_lock[hvalue]; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 0cd7097a..3af4da9 100644 +index 0cd7097a..56b85a0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -95,8 +95,6 @@ @@ -114729,7 +114738,17 @@ index 0cd7097a..3af4da9 100644 new_tsec->sid = old_tsec->sid; if (new_tsec->sid == old_tsec->sid) { -@@ -5572,7 +5578,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) +@@ -3049,7 +3055,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared + int rc = 0; + + if (default_noexec && +- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { ++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file->f_path.dentry->d_inode) || ++ (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will also be writable. +@@ -5572,7 +5579,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif @@ -114738,7 +114757,7 @@ index 0cd7097a..3af4da9 100644 .name = "selinux", .ptrace_access_check = selinux_ptrace_access_check, -@@ -5918,6 +5924,9 @@ static void selinux_nf_ip_exit(void) +@@ -5918,6 +5925,9 @@ static void selinux_nf_ip_exit(void) #ifdef CONFIG_SECURITY_SELINUX_DISABLE static int selinux_disabled; 
@@ -114748,7 +114767,7 @@ index 0cd7097a..3af4da9 100644 int selinux_disable(void) { if (ss_initialized) { -@@ -5935,7 +5944,9 @@ int selinux_disable(void) +@@ -5935,7 +5945,9 @@ int selinux_disable(void) selinux_disabled = 1; selinux_enabled = 0; diff --git a/3.14.47/0000_README b/4.0.8/0000_README index b3b9e28..919b754 100644 --- a/3.14.47/0000_README +++ b/4.0.8/0000_README @@ -2,11 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1046_linux-3.14.47.patch +Patch: 1007_linux-4.0.8.patch From: http://www.kernel.org -Desc: Linux 3.14.47 +Desc: Linux 4.0.8 -Patch: 4420_grsecurity-3.1-3.14.47-201507050832.patch +Patch: 4420_grsecurity-3.1-4.0.8-201507111211.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.0.8/1007_linux-4.0.8.patch b/4.0.8/1007_linux-4.0.8.patch new file mode 100644 index 0000000..609598e --- /dev/null +++ b/4.0.8/1007_linux-4.0.8.patch 
@@ -0,0 +1,2139 @@ +diff --git a/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt b/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt +index 750d577..f5a8ca2 100644 +--- a/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt ++++ b/Documentation/devicetree/bindings/net/marvell-armada-370-neta.txt +@@ -1,7 +1,7 @@ + * Marvell Armada 370 / Armada XP Ethernet Controller (NETA) + + Required properties: +-- compatible: should be "marvell,armada-370-neta". ++- compatible: "marvell,armada-370-neta" or "marvell,armada-xp-neta". + - reg: address and length of the register set for the device. + - interrupts: interrupt for the device + - phy: See ethernet.txt file in the same directory. +diff --git a/Makefile b/Makefile +index bd76a8e..0e315d6 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 0 +-SUBLEVEL = 7 ++SUBLEVEL = 8 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/arch/arm/boot/dts/armada-370-xp.dtsi b/arch/arm/boot/dts/armada-370-xp.dtsi +index 8a322ad..a038c20 100644 +--- a/arch/arm/boot/dts/armada-370-xp.dtsi ++++ b/arch/arm/boot/dts/armada-370-xp.dtsi +@@ -265,7 +265,6 @@ + }; + + eth0: ethernet@70000 { +- compatible = "marvell,armada-370-neta"; + reg = <0x70000 0x4000>; + interrupts = <8>; + clocks = <&gateclk 4>; +@@ -281,7 +280,6 @@ + }; + + eth1: ethernet@74000 { +- compatible = "marvell,armada-370-neta"; + reg = <0x74000 0x4000>; + interrupts = <10>; + clocks = <&gateclk 3>; +diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi +index 27397f1..3773025 100644 +--- a/arch/arm/boot/dts/armada-370.dtsi ++++ b/arch/arm/boot/dts/armada-370.dtsi +@@ -306,6 +306,14 @@ + dmacap,memset; + }; + }; ++ ++ ethernet@70000 { ++ compatible = "marvell,armada-370-neta"; ++ }; ++ ++ ethernet@74000 { ++ compatible = "marvell,armada-370-neta"; ++ }; + }; + }; + }; +diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi 
b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +index 4a7cbed..1676d30 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +@@ -319,7 +319,7 @@ + }; + + eth3: ethernet@34000 { +- compatible = "marvell,armada-370-neta"; ++ compatible = "marvell,armada-xp-neta"; + reg = <0x34000 0x4000>; + interrupts = <14>; + clocks = <&gateclk 1>; +diff --git a/arch/arm/boot/dts/armada-xp-mv78460.dtsi b/arch/arm/boot/dts/armada-xp-mv78460.dtsi +index 36ce63a..d41fe88 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78460.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78460.dtsi +@@ -357,7 +357,7 @@ + }; + + eth3: ethernet@34000 { +- compatible = "marvell,armada-370-neta"; ++ compatible = "marvell,armada-xp-neta"; + reg = <0x34000 0x4000>; + interrupts = <14>; + clocks = <&gateclk 1>; +diff --git a/arch/arm/boot/dts/armada-xp.dtsi b/arch/arm/boot/dts/armada-xp.dtsi +index 8291723..9ce7d5f 100644 +--- a/arch/arm/boot/dts/armada-xp.dtsi ++++ b/arch/arm/boot/dts/armada-xp.dtsi +@@ -175,7 +175,7 @@ + }; + + eth2: ethernet@30000 { +- compatible = "marvell,armada-370-neta"; ++ compatible = "marvell,armada-xp-neta"; + reg = <0x30000 0x4000>; + interrupts = <12>; + clocks = <&gateclk 2>; +@@ -218,6 +218,14 @@ + }; + }; + ++ ethernet@70000 { ++ compatible = "marvell,armada-xp-neta"; ++ }; ++ ++ ethernet@74000 { ++ compatible = "marvell,armada-xp-neta"; ++ }; ++ + xor@f0900 { + compatible = "marvell,orion-xor"; + reg = <0xF0900 0x100 +diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S +index 79caf79..f7db3a5 100644 +--- a/arch/arm/kvm/interrupts.S ++++ b/arch/arm/kvm/interrupts.S +@@ -170,13 +170,9 @@ __kvm_vcpu_return: + @ Don't trap coprocessor accesses for host kernel + set_hstr vmexit + set_hdcr vmexit +- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore + + #ifdef CONFIG_VFPv3 +- @ Save floating point registers we if let guest use them. 
+- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) +- bne after_vfp_restore +- + @ Switch VFP/NEON hardware state to the host's + add r7, vcpu, #VCPU_VFP_GUEST + store_vfp_state r7 +@@ -188,6 +184,8 @@ after_vfp_restore: + @ Restore FPEXC_EN which we clobbered on entry + pop {r2} + VFPFMXR FPEXC, r2 ++#else ++after_vfp_restore: + #endif + + @ Reset Hyp-role +@@ -483,7 +481,7 @@ switch_to_guest_vfp: + push {r3-r7} + + @ NEON/VFP used. Turn on VFP access. +- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11)) + + @ Switch VFP/NEON hardware state to the guest's + add r7, r0, #VCPU_VFP_HOST +diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S +index 14d4883..f6f1481 100644 +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -599,8 +599,13 @@ ARM_BE8(rev r6, r6 ) + .endm + + /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return +- * (hardware reset value is 0). Keep previous value in r2. */ +-.macro set_hcptr operation, mask ++ * (hardware reset value is 0). Keep previous value in r2. ++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if ++ * VFP wasn't already enabled (always executed on vmtrap). ++ * If a label is specified with vmexit, it is branched to if VFP wasn't ++ * enabled. 
++ */ ++.macro set_hcptr operation, mask, label = none + mrc p15, 4, r2, c1, c1, 2 + ldr r3, =\mask + .if \operation == vmentry +@@ -609,6 +614,17 @@ ARM_BE8(rev r6, r6 ) + bic r3, r2, r3 @ Don't trap defined coproc-accesses + .endif + mcr p15, 4, r3, c1, c1, 2 ++ .if \operation != vmentry ++ .if \operation == vmexit ++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) ++ beq 1f ++ .endif ++ isb ++ .if \label != none ++ b \label ++ .endif ++1: ++ .endif + .endm + + /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return +diff --git a/arch/arm/kvm/psci.c b/arch/arm/kvm/psci.c +index 02fa8ef..531e922 100644 +--- a/arch/arm/kvm/psci.c ++++ b/arch/arm/kvm/psci.c +@@ -230,10 +230,6 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu) + case PSCI_0_2_FN64_AFFINITY_INFO: + val = kvm_psci_vcpu_affinity_info(vcpu); + break; +- case PSCI_0_2_FN_MIGRATE: +- case PSCI_0_2_FN64_MIGRATE: +- val = PSCI_RET_NOT_SUPPORTED; +- break; + case PSCI_0_2_FN_MIGRATE_INFO_TYPE: + /* + * Trusted OS is MP hence does not require migration +@@ -242,10 +238,6 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu) + */ + val = PSCI_0_2_TOS_MP; + break; +- case PSCI_0_2_FN_MIGRATE_INFO_UP_CPU: +- case PSCI_0_2_FN64_MIGRATE_INFO_UP_CPU: +- val = PSCI_RET_NOT_SUPPORTED; +- break; + case PSCI_0_2_FN_SYSTEM_OFF: + kvm_psci_system_off(vcpu); + /* +@@ -271,7 +263,8 @@ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu) + ret = 0; + break; + default: +- return -EINVAL; ++ val = PSCI_RET_NOT_SUPPORTED; ++ break; + } + + *vcpu_reg(vcpu, 0) = val; +@@ -291,12 +284,9 @@ static int kvm_psci_0_1_call(struct kvm_vcpu *vcpu) + case KVM_PSCI_FN_CPU_ON: + val = kvm_psci_vcpu_on(vcpu); + break; +- case KVM_PSCI_FN_CPU_SUSPEND: +- case KVM_PSCI_FN_MIGRATE: ++ default: + val = PSCI_RET_NOT_SUPPORTED; + break; +- default: +- return -EINVAL; + } + + *vcpu_reg(vcpu, 0) = val; +diff --git a/arch/arm/mach-imx/clk-imx6q.c b/arch/arm/mach-imx/clk-imx6q.c +index d04a430..3a3f88c 100644 +--- 
a/arch/arm/mach-imx/clk-imx6q.c ++++ b/arch/arm/mach-imx/clk-imx6q.c +@@ -439,7 +439,7 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node) + clk[IMX6QDL_CLK_GPMI_IO] = imx_clk_gate2("gpmi_io", "enfc", base + 0x78, 28); + clk[IMX6QDL_CLK_GPMI_APB] = imx_clk_gate2("gpmi_apb", "usdhc3", base + 0x78, 30); + clk[IMX6QDL_CLK_ROM] = imx_clk_gate2("rom", "ahb", base + 0x7c, 0); +- clk[IMX6QDL_CLK_SATA] = imx_clk_gate2("sata", "ipg", base + 0x7c, 4); ++ clk[IMX6QDL_CLK_SATA] = imx_clk_gate2("sata", "ahb", base + 0x7c, 4); + clk[IMX6QDL_CLK_SDMA] = imx_clk_gate2("sdma", "ahb", base + 0x7c, 6); + clk[IMX6QDL_CLK_SPBA] = imx_clk_gate2("spba", "ipg", base + 0x7c, 12); + clk[IMX6QDL_CLK_SPDIF] = imx_clk_gate2("spdif", "spdif_podf", base + 0x7c, 14); +diff --git a/arch/arm/mach-mvebu/pm-board.c b/arch/arm/mach-mvebu/pm-board.c +index 6dfd4ab..301ab38 100644 +--- a/arch/arm/mach-mvebu/pm-board.c ++++ b/arch/arm/mach-mvebu/pm-board.c +@@ -43,6 +43,9 @@ static void mvebu_armada_xp_gp_pm_enter(void __iomem *sdram_reg, u32 srcmd) + for (i = 0; i < ARMADA_XP_GP_PIC_NR_GPIOS; i++) + ackcmd |= BIT(pic_raw_gpios[i]); + ++ srcmd = cpu_to_le32(srcmd); ++ ackcmd = cpu_to_le32(ackcmd); ++ + /* + * Wait a while, the PIC needs quite a bit of time between the + * two GPIO commands. 
+diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c +index 4f25a7c..a351eff 100644 +--- a/arch/arm/mach-tegra/cpuidle-tegra20.c ++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c +@@ -35,6 +35,7 @@ + #include "iomap.h" + #include "irq.h" + #include "pm.h" ++#include "reset.h" + #include "sleep.h" + + #ifdef CONFIG_PM_SLEEP +@@ -71,15 +72,13 @@ static struct cpuidle_driver tegra_idle_driver = { + + #ifdef CONFIG_PM_SLEEP + #ifdef CONFIG_SMP +-static void __iomem *pmc = IO_ADDRESS(TEGRA_PMC_BASE); +- + static int tegra20_reset_sleeping_cpu_1(void) + { + int ret = 0; + + tegra_pen_lock(); + +- if (readl(pmc + PMC_SCRATCH41) == CPU_RESETTABLE) ++ if (readb(tegra20_cpu1_resettable_status) == CPU_RESETTABLE) + tegra20_cpu_shutdown(1); + else + ret = -EINVAL; +diff --git a/arch/arm/mach-tegra/reset-handler.S b/arch/arm/mach-tegra/reset-handler.S +index 71be4af..e3070fd 100644 +--- a/arch/arm/mach-tegra/reset-handler.S ++++ b/arch/arm/mach-tegra/reset-handler.S +@@ -169,10 +169,10 @@ after_errata: + cmp r6, #TEGRA20 + bne 1f + /* If not CPU0, don't let CPU0 reset CPU1 now that CPU1 is coming up. */ +- mov32 r5, TEGRA_PMC_BASE +- mov r0, #0 ++ mov32 r5, TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET ++ mov r0, #CPU_NOT_RESETTABLE + cmp r10, #0 +- strne r0, [r5, #PMC_SCRATCH41] ++ strneb r0, [r5, #__tegra20_cpu1_resettable_status_offset] + 1: + #endif + +@@ -281,6 +281,10 @@ __tegra_cpu_reset_handler_data: + .rept TEGRA_RESET_DATA_SIZE + .long 0 + .endr ++ .globl __tegra20_cpu1_resettable_status_offset ++ .equ __tegra20_cpu1_resettable_status_offset, \ ++ . 
- __tegra_cpu_reset_handler_start ++ .byte 0 + .align L1_CACHE_SHIFT + + ENTRY(__tegra_cpu_reset_handler_end) +diff --git a/arch/arm/mach-tegra/reset.h b/arch/arm/mach-tegra/reset.h +index 76a9343..29c3dec 100644 +--- a/arch/arm/mach-tegra/reset.h ++++ b/arch/arm/mach-tegra/reset.h +@@ -35,6 +35,7 @@ extern unsigned long __tegra_cpu_reset_handler_data[TEGRA_RESET_DATA_SIZE]; + + void __tegra_cpu_reset_handler_start(void); + void __tegra_cpu_reset_handler(void); ++void __tegra20_cpu1_resettable_status_offset(void); + void __tegra_cpu_reset_handler_end(void); + void tegra_secondary_startup(void); + +@@ -47,6 +48,9 @@ void tegra_secondary_startup(void); + (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \ + ((u32)&__tegra_cpu_reset_handler_data[TEGRA_RESET_MASK_LP2] - \ + (u32)__tegra_cpu_reset_handler_start))) ++#define tegra20_cpu1_resettable_status \ ++ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \ ++ (u32)__tegra20_cpu1_resettable_status_offset)) + #endif + + #define tegra_cpu_reset_handler_offset \ +diff --git a/arch/arm/mach-tegra/sleep-tegra20.S b/arch/arm/mach-tegra/sleep-tegra20.S +index be4bc5f..e6b684e 100644 +--- a/arch/arm/mach-tegra/sleep-tegra20.S ++++ b/arch/arm/mach-tegra/sleep-tegra20.S +@@ -97,9 +97,10 @@ ENDPROC(tegra20_hotplug_shutdown) + ENTRY(tegra20_cpu_shutdown) + cmp r0, #0 + reteq lr @ must not be called for CPU 0 +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_RESETTABLE +- str r12, [r1] ++ strb r12, [r1, r2] + + cpu_to_halt_reg r1, r0 + ldr r3, =TEGRA_FLOW_CTRL_VIRT +@@ -182,38 +183,41 @@ ENDPROC(tegra_pen_unlock) + /* + * tegra20_cpu_clear_resettable(void) + * +- * Called to clear the "resettable soon" flag in PMC_SCRATCH41 when ++ * Called to clear the "resettable soon" flag in IRAM variable when + * it is expected that the secondary CPU will be idle soon. 
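Review bot: `__tegra20_cpu1_resettable_status_offset` is declared in reset.h as `void ...(void)`, but reset-handler.S defines it with `.equ` as an offset from `__tegra_cpu_reset_handler_start`. The `(u32)` cast in the new `tegra20_cpu1_resettable_status` macro therefore reads the symbol's address as a number rather than referring to a function. Nothing in the header says this, so a reader could take it for a callable routine. A comment above the declaration would make it explicit, e.g. `/* Not a function: absolute symbol from reset-handler.S; its address is the flag's byte offset in the reset handler */`. The comment should also record that the flag is one byte wide, since the new code accesses it with `strb`, `ldrb` and `readb`.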
+ */ + ENTRY(tegra20_cpu_clear_resettable) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_NOT_RESETTABLE +- str r12, [r1] ++ strb r12, [r1, r2] + ret lr + ENDPROC(tegra20_cpu_clear_resettable) + + /* + * tegra20_cpu_set_resettable_soon(void) + * +- * Called to set the "resettable soon" flag in PMC_SCRATCH41 when ++ * Called to set the "resettable soon" flag in IRAM variable when + * it is expected that the secondary CPU will be idle soon. + */ + ENTRY(tegra20_cpu_set_resettable_soon) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_RESETTABLE_SOON +- str r12, [r1] ++ strb r12, [r1, r2] + ret lr + ENDPROC(tegra20_cpu_set_resettable_soon) + + /* + * tegra20_cpu_is_resettable_soon(void) + * +- * Returns true if the "resettable soon" flag in PMC_SCRATCH41 has been ++ * Returns true if the "resettable soon" flag in IRAM variable has been + * set because it is expected that the secondary CPU will be idle soon. 
+ */ + ENTRY(tegra20_cpu_is_resettable_soon) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 +- ldr r12, [r1] ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset ++ ldrb r12, [r1, r2] + cmp r12, #CPU_RESETTABLE_SOON + moveq r0, #1 + movne r0, #0 +@@ -256,9 +260,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish) + mov r0, #TEGRA_FLUSH_CACHE_LOUIS + bl tegra_disable_clean_inv_dcache + +- mov32 r0, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r4, =__tegra20_cpu1_resettable_status_offset + mov r3, #CPU_RESETTABLE +- str r3, [r0] ++ strb r3, [r0, r4] + + bl tegra_cpu_do_idle + +@@ -274,10 +279,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish) + + bl tegra_pen_lock + +- mov32 r3, TEGRA_PMC_VIRT +- add r0, r3, #PMC_SCRATCH41 ++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r4, =__tegra20_cpu1_resettable_status_offset + mov r3, #CPU_NOT_RESETTABLE +- str r3, [r0] ++ strb r3, [r0, r4] + + bl tegra_pen_unlock + +diff --git a/arch/arm/mach-tegra/sleep.h b/arch/arm/mach-tegra/sleep.h +index 92d46ec..0d59360 100644 +--- a/arch/arm/mach-tegra/sleep.h ++++ b/arch/arm/mach-tegra/sleep.h +@@ -18,6 +18,7 @@ + #define __MACH_TEGRA_SLEEP_H + + #include "iomap.h" ++#include "irammap.h" + + #define TEGRA_ARM_PERIF_VIRT (TEGRA_ARM_PERIF_BASE - IO_CPU_PHYS \ + + IO_CPU_VIRT) +@@ -29,6 +30,9 @@ + + IO_APB_VIRT) + #define TEGRA_PMC_VIRT (TEGRA_PMC_BASE - IO_APB_PHYS + IO_APB_VIRT) + ++#define TEGRA_IRAM_RESET_BASE_VIRT (IO_IRAM_VIRT + \ ++ TEGRA_IRAM_RESET_HANDLER_OFFSET) ++ + /* PMC_SCRATCH37-39 and 41 are used for tegra_pen_lock and idle */ + #define PMC_SCRATCH37 0x130 + #define PMC_SCRATCH38 0x134 +diff --git a/arch/mips/include/asm/mach-generic/spaces.h b/arch/mips/include/asm/mach-generic/spaces.h +index 9488fa5..afc96ec 100644 +--- a/arch/mips/include/asm/mach-generic/spaces.h ++++ b/arch/mips/include/asm/mach-generic/spaces.h +@@ -94,7 +94,11 @@ + #endif + + #ifndef FIXADDR_TOP ++#ifdef CONFIG_KVM_GUEST ++#define 
FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000) ++#else + #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000) + #endif ++#endif + + #endif /* __ASM_MACH_GENERIC_SPACES_H */ +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index f5e7dda..adf3886 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -785,7 +785,7 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log) + + /* If nothing is dirty, don't bother messing with page tables. */ + if (is_dirty) { +- memslot = &kvm->memslots->memslots[log->slot]; ++ memslot = id_to_memslot(kvm->memslots, log->slot); + + ga = memslot->base_gfn << PAGE_SHIFT; + ga_end = ga + (memslot->npages << PAGE_SHIFT); +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 7c4f669..3cb25fd 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -131,7 +131,16 @@ static void pmao_restore_workaround(bool ebb) { } + + static bool regs_use_siar(struct pt_regs *regs) + { +- return !!regs->result; ++ /* ++ * When we take a performance monitor exception the regs are setup ++ * using perf_read_regs() which overloads some fields, in particular ++ * regs->result to tell us whether to use SIAR. ++ * ++ * However if the regs are from another exception, eg. a syscall, then ++ * they have not been setup using perf_read_regs() and so regs->result ++ * is something random. 
++ */ ++ return ((TRAP(regs) == 0xf00) && regs->result); + } + + /* +diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c +index 9f73c80..49b7445 100644 +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -415,7 +415,7 @@ static void *nt_s390_vx_low(void *ptr, __vector128 *vx_regs) + ptr += len; + /* Copy lower halves of SIMD registers 0-15 */ + for (i = 0; i < 16; i++) { +- memcpy(ptr, &vx_regs[i], 8); ++ memcpy(ptr, &vx_regs[i].u[2], 8); + ptr += 8; + } + return ptr; +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index e7bc2fd..b2b7ddf 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1037,7 +1037,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq) + if (sclp_has_sigpif()) + return __inject_extcall_sigpif(vcpu, src_id); + +- if (!test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs)) ++ if (test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs)) + return -EBUSY; + *extcall = irq->u.extcall; + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); +diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c +index 274a9f5..591f119f 100644 +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -2313,7 +2313,7 @@ void *ldc_alloc_exp_dring(struct ldc_channel *lp, unsigned int len, + if (len & (8UL - 1)) + return ERR_PTR(-EINVAL); + +- buf = kzalloc(len, GFP_KERNEL); ++ buf = kzalloc(len, GFP_ATOMIC); + if (!buf) + return ERR_PTR(-ENOMEM); + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index b7d31ca..570c71d 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -177,7 +177,7 @@ config SBUS + + config NEED_DMA_MAP_STATE + def_bool y +- depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG ++ depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG || SWIOTLB + + config NEED_SG_DMA_LENGTH + def_bool y +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 1c0fb57..e02589d 100644 +--- 
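Review bot: The switch to `kzalloc(len, GFP_ATOMIC)` in ldc_alloc_exp_dring() carries no comment saying which caller runs in atomic context, so the reason for the flag is not recoverable from the code. `len` is supplied by the caller, and an atomic allocation cannot sleep to reclaim memory, so larger requests are more likely to hit the `-ENOMEM` path than before. A short comment at the call would record the constraint, for example `/* may be called with a spinlock held, so must not sleep */`, worded to match the real caller. The function body continues outside the hunk.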
a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -583,7 +583,7 @@ struct kvm_arch { + struct kvm_pic *vpic; + struct kvm_ioapic *vioapic; + struct kvm_pit *vpit; +- int vapics_in_nmi_mode; ++ atomic_t vapics_in_nmi_mode; + struct mutex apic_map_lock; + struct kvm_apic_map *apic_map; + +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 298781d..1406ffd 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_work *work) + * LVT0 to NMI delivery. Other PIC interrupts are just sent to + * VCPU0, and only if its LVT0 is in EXTINT mode. + */ +- if (kvm->arch.vapics_in_nmi_mode > 0) ++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0) + kvm_for_each_vcpu(i, vcpu, kvm) + kvm_apic_nmi_wd_deliver(vcpu); + } +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 3cb2b58..8ee4aa7 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1224,10 +1224,10 @@ static void apic_manage_nmi_watchdog(struct kvm_lapic *apic, u32 lvt0_val) + if (!nmi_wd_enabled) { + apic_debug("Receive NMI setting on APIC_LVT0 " + "for cpu %d\n", apic->vcpu->vcpu_id); +- apic->vcpu->kvm->arch.vapics_in_nmi_mode++; ++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + } else if (nmi_wd_enabled) +- apic->vcpu->kvm->arch.vapics_in_nmi_mode--; ++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + + static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) +@@ -1784,6 +1784,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu, + apic_update_ppr(apic); + hrtimer_cancel(&apic->lapic_timer.timer); + apic_update_lvtt(apic); ++ apic_manage_nmi_watchdog(apic, kvm_apic_get_reg(apic, APIC_LVT0)); + update_divide_count(apic); + start_apic_timer(apic); + apic->irr_pending = true; +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index a4e62fc..1b32e29 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -511,8 +511,10 @@ static void 
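Review bot: The call added to kvm_apic_post_state_restore(), `apic_manage_nmi_watchdog(apic, kvm_apic_get_reg(apic, APIC_LVT0))`, passes the LVT0 value that is already in the APIC register page. The earlier lapic.c hunk shows that apic_manage_nmi_watchdog() adjusts `vapics_in_nmi_mode` only when `nmi_wd_enabled` disagrees with the mode encoded in `lvt0_val`. `nmi_wd_enabled` is initialised outside that hunk; if it is derived from the same register, the two always agree on this path and the counter is never corrected after a restore. Keeping the previous NMI mode in the kvm_lapic structure and comparing against that, not the live register, would make the restore path count correctly. This should be checked against the full function before the call is relied on.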
skip_emulated_instruction(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- if (svm->vmcb->control.next_rip != 0) ++ if (svm->vmcb->control.next_rip != 0) { ++ WARN_ON(!static_cpu_has(X86_FEATURE_NRIPS)); + svm->next_rip = svm->vmcb->control.next_rip; ++ } + + if (!svm->next_rip) { + if (emulate_instruction(vcpu, EMULTYPE_SKIP) != +@@ -4310,7 +4312,9 @@ static int svm_check_intercept(struct kvm_vcpu *vcpu, + break; + } + +- vmcb->control.next_rip = info->next_rip; ++ /* TODO: Advertise NRIPS to guest hypervisor unconditionally */ ++ if (static_cpu_has(X86_FEATURE_NRIPS)) ++ vmcb->control.next_rip = info->next_rip; + vmcb->control.exit_code = icpt_info.exit_code; + vmexit = nested_svm_exit_handled(svm); + +diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c +index d939633..b33615f 100644 +--- a/arch/x86/pci/acpi.c ++++ b/arch/x86/pci/acpi.c +@@ -81,6 +81,17 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = { + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), + }, + }, ++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */ ++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */ ++ { ++ .callback = set_use_crs, ++ .ident = "Foxconn K8M890-8237A", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"), ++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"), ++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), ++ }, ++ }, + + /* Now for the blacklist.. 
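Review bot: `WARN_ON(!static_cpu_has(X86_FEATURE_NRIPS))` in skip_emulated_instruction() is on a path taken for every skipped instruction, so if the condition ever holds it prints a backtrace each time and can flood the kernel log. `WARN_ON_ONCE(!static_cpu_has(X86_FEATURE_NRIPS));` reports the same inconsistency once. The guard added in the svm_check_intercept() hunk, `if (static_cpu_has(X86_FEATURE_NRIPS))`, appears to be what keeps `control.next_rip` zero on CPUs without the feature. A short comment there naming skip_emulated_instruction() as the consumer would tie the two changes together. Both functions continue outside their hunks.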
*/ + +@@ -121,8 +132,10 @@ void __init pci_acpi_crs_quirks(void) + { + int year; + +- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) +- pci_use_crs = false; ++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) { ++ if (iomem_resource.end <= 0xffffffff) ++ pci_use_crs = false; ++ } + + dmi_check_system(pci_crs_quirks); + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 872c577..2c867a6 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -534,7 +534,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate) + + val |= vid; + +- wrmsrl(MSR_IA32_PERF_CTL, val); ++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val); + } + + #define BYT_BCLK_FREQS 5 +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index 5937207..3442764 100644 +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -60,6 +60,8 @@ static int nap_loop(struct cpuidle_device *dev, + return index; + } + ++/* Register for fastsleep only in oneshot mode of broadcast */ ++#ifdef CONFIG_TICK_ONESHOT + static int fastsleep_loop(struct cpuidle_device *dev, + struct cpuidle_driver *drv, + int index) +@@ -83,7 +85,7 @@ static int fastsleep_loop(struct cpuidle_device *dev, + + return index; + } +- ++#endif + /* + * States for dedicated partition case. + */ +@@ -209,7 +211,14 @@ static int powernv_add_idle_states(void) + powernv_states[nr_idle_states].flags = 0; + powernv_states[nr_idle_states].target_residency = 100; + powernv_states[nr_idle_states].enter = &nap_loop; +- } else if (flags[i] & OPAL_PM_SLEEP_ENABLED || ++ } ++ ++ /* ++ * All cpuidle states with CPUIDLE_FLAG_TIMER_STOP set must come ++ * within this config dependency check. 
++ */ ++#ifdef CONFIG_TICK_ONESHOT ++ if (flags[i] & OPAL_PM_SLEEP_ENABLED || + flags[i] & OPAL_PM_SLEEP_ENABLED_ER1) { + /* Add FASTSLEEP state */ + strcpy(powernv_states[nr_idle_states].name, "FastSleep"); +@@ -218,7 +227,7 @@ static int powernv_add_idle_states(void) + powernv_states[nr_idle_states].target_residency = 300000; + powernv_states[nr_idle_states].enter = &fastsleep_loop; + } +- ++#endif + powernv_states[nr_idle_states].exit_latency = + ((unsigned int)latency_ns[i]) / 1000; + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index ebbae8d..9f7333a 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatterlist *sg, int sg_count, + sg_count--; + link_tbl_ptr--; + } +- be16_add_cpu(&link_tbl_ptr->len, cryptlen); ++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len) ++ + cryptlen); + + /* tag end of link table */ + link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN; +@@ -2563,6 +2564,7 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev, + break; + default: + dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type); ++ kfree(t_alg); + return ERR_PTR(-EINVAL); + } + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 48882c1..13cfbf4 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1870,9 +1870,15 @@ static void free_pt_##LVL (unsigned long __pt) \ + pt = (u64 *)__pt; \ + \ + for (i = 0; i < 512; ++i) { \ ++ /* PTE present? */ \ + if (!IOMMU_PTE_PRESENT(pt[i])) \ + continue; \ + \ ++ /* Large PTE? 
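Review bot: After the `else if` in powernv_add_idle_states() becomes a separate `#ifdef CONFIG_TICK_ONESHOT` block, the `exit_latency` assignment following `#endif` still runs for every `flags[i]`. That includes a sleep-only entry on a kernel built without CONFIG_TICK_ONESHOT, where neither branch has set `name`, `enter` or `target_residency`. If the index is also advanced after that assignment (the increment is outside the hunk), a half-initialised state would be registered. When both the NAP and SLEEP bits are set, the second block now overwrites the first in the same slot, where the old `else if` kept the NAP entry. Tracking whether either branch matched and skipping the entry otherwise would keep the table consistent; the same restructuring continues in the following `@@ -218,7 +227,7 @@` hunk.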
*/ \ ++ if (PM_PTE_LEVEL(pt[i]) == 0 || \ ++ PM_PTE_LEVEL(pt[i]) == 7) \ ++ continue; \ ++ \ + p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \ + FN(p); \ + } \ +diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c +index bd6252b..2d1b203 100644 +--- a/drivers/iommu/arm-smmu.c ++++ b/drivers/iommu/arm-smmu.c +@@ -1533,7 +1533,7 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu) + return -ENODEV; + } + +- if ((id & ID0_S1TS) && ((smmu->version == 1) || (id & ID0_ATOSNS))) { ++ if ((id & ID0_S1TS) && ((smmu->version == 1) || !(id & ID0_ATOSNS))) { + smmu->features |= ARM_SMMU_FEAT_TRANS_OPS; + dev_notice(smmu->dev, "\taddress translation ops\n"); + } +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c +index 0ad412a..d3a7bff 100644 +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -846,7 +846,7 @@ static void sdhci_prepare_data(struct sdhci_host *host, struct mmc_command *cmd) + int sg_cnt; + + sg_cnt = sdhci_pre_dma_transfer(host, data, NULL); +- if (sg_cnt == 0) { ++ if (sg_cnt <= 0) { + /* + * This only happens when someone fed + * us an invalid request. 
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +index d81fc6b..5c92fb7 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +@@ -263,7 +263,7 @@ static int xgbe_alloc_pages(struct xgbe_prv_data *pdata, + int ret; + + /* Try to obtain pages, decreasing order if necessary */ +- gfp |= __GFP_COLD | __GFP_COMP; ++ gfp |= __GFP_COLD | __GFP_COMP | __GFP_NOWARN; + while (order >= 0) { + pages = alloc_pages(gfp, order); + if (pages) +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 1ec635f..196474f 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -9323,7 +9323,8 @@ unload_error: + * function stop ramrod is sent, since as part of this ramrod FW access + * PTP registers. + */ +- bnx2x_stop_ptp(bp); ++ if (bp->flags & PTP_SUPPORTED) ++ bnx2x_stop_ptp(bp); + + /* Disable HW interrupts, NAPI */ + bnx2x_netif_stop(bp, 1); +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index d20fc8e..c365765 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -540,8 +540,8 @@ static int igb_ptp_feature_enable_i210(struct ptp_clock_info *ptp, + igb->perout[i].start.tv_nsec = rq->perout.start.nsec; + igb->perout[i].period.tv_sec = ts.tv_sec; + igb->perout[i].period.tv_nsec = ts.tv_nsec; +- wr32(trgttiml, rq->perout.start.sec); +- wr32(trgttimh, rq->perout.start.nsec); ++ wr32(trgttimh, rq->perout.start.sec); ++ wr32(trgttiml, rq->perout.start.nsec); + tsauxc |= tsauxc_mask; + tsim |= tsim_mask; + } else { +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 2db6532..87c7f52c 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -304,6 +304,7 @@ struct 
mvneta_port { + unsigned int link; + unsigned int duplex; + unsigned int speed; ++ unsigned int tx_csum_limit; + }; + + /* The mvneta_tx_desc and mvneta_rx_desc structures describe the +@@ -2441,8 +2442,10 @@ static int mvneta_change_mtu(struct net_device *dev, int mtu) + + dev->mtu = mtu; + +- if (!netif_running(dev)) ++ if (!netif_running(dev)) { ++ netdev_update_features(dev); + return 0; ++ } + + /* The interface is running, so we have to force a + * reallocation of the queues +@@ -2471,9 +2474,26 @@ static int mvneta_change_mtu(struct net_device *dev, int mtu) + mvneta_start_dev(pp); + mvneta_port_up(pp); + ++ netdev_update_features(dev); ++ + return 0; + } + ++static netdev_features_t mvneta_fix_features(struct net_device *dev, ++ netdev_features_t features) ++{ ++ struct mvneta_port *pp = netdev_priv(dev); ++ ++ if (pp->tx_csum_limit && dev->mtu > pp->tx_csum_limit) { ++ features &= ~(NETIF_F_IP_CSUM | NETIF_F_TSO); ++ netdev_info(dev, ++ "Disable IP checksum for MTU greater than %dB\n", ++ pp->tx_csum_limit); ++ } ++ ++ return features; ++} ++ + /* Get mac address */ + static void mvneta_get_mac_addr(struct mvneta_port *pp, unsigned char *addr) + { +@@ -2785,6 +2805,7 @@ static const struct net_device_ops mvneta_netdev_ops = { + .ndo_set_rx_mode = mvneta_set_rx_mode, + .ndo_set_mac_address = mvneta_set_mac_addr, + .ndo_change_mtu = mvneta_change_mtu, ++ .ndo_fix_features = mvneta_fix_features, + .ndo_get_stats64 = mvneta_get_stats64, + .ndo_do_ioctl = mvneta_ioctl, + }; +@@ -3023,6 +3044,9 @@ static int mvneta_probe(struct platform_device *pdev) + } + } + ++ if (of_device_is_compatible(dn, "marvell,armada-370-neta")) ++ pp->tx_csum_limit = 1600; ++ + pp->tx_ring_size = MVNETA_MAX_TXD; + pp->rx_ring_size = MVNETA_MAX_RXD; + +@@ -3095,6 +3119,7 @@ static int mvneta_remove(struct platform_device *pdev) + + static const struct of_device_id mvneta_match[] = { + { .compatible = "marvell,armada-370-neta" }, ++ { .compatible = "marvell,armada-xp-neta" }, + { } + }; 
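Review bot: mvneta_fix_features() formats `pp->tx_csum_limit` with `%d`, but the struct mvneta_port hunk declares it `unsigned int`; the format should be `"Disable IP checksum for MTU greater than %uB\n"`. The message is logged at info level whenever the feature set is recomputed with the MTU above the limit, and mvneta_change_mtu() now calls `netdev_update_features(dev)` on both return paths, so it can repeat. The `1600` assigned in the mvneta_probe() hunk is a bare number. A named constant with a comment on where the hardware limit comes from would document it.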
+ MODULE_DEVICE_TABLE(of, mvneta_match);
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+index 2f1324b..f30c322 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -1971,10 +1971,6 @@ void mlx4_en_free_resources(struct mlx4_en_priv *priv)
+ mlx4_en_destroy_cq(priv, &priv->rx_cq[i]);
+ }
+
+- if (priv->base_tx_qpn) {
+- mlx4_qp_release_range(priv->mdev->dev, priv->base_tx_qpn, priv->tx_ring_num);
+- priv->base_tx_qpn = 0;
+- }
+ }
+
+ int mlx4_en_alloc_resources(struct mlx4_en_priv *priv)
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+index 05ec5e1..3478c87 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -723,7 +723,7 @@ static int get_fixed_ipv6_csum(__wsum hw_checksum, struct sk_buff *skb,
+ }
+ #endif
+ static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va,
+- int hwtstamp_rx_filter)
++ netdev_features_t dev_features)
+ {
+ __wsum hw_checksum = 0;
+
+@@ -731,14 +731,8 @@ static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va,
+
+ hw_checksum = csum_unfold((__force __sum16)cqe->checksum);
+
+- if (((struct ethhdr *)va)->h_proto == htons(ETH_P_8021Q) &&
+- hwtstamp_rx_filter != HWTSTAMP_FILTER_NONE) {
+- /* next protocol non IPv4 or IPv6 */
+- if (((struct vlan_hdr *)hdr)->h_vlan_encapsulated_proto
+- != htons(ETH_P_IP) &&
+- ((struct vlan_hdr *)hdr)->h_vlan_encapsulated_proto
+- != htons(ETH_P_IPV6))
+- return -1;
++ if (cqe->vlan_my_qpn & cpu_to_be32(MLX4_CQE_VLAN_PRESENT_MASK) &&
++ !(dev_features & NETIF_F_HW_VLAN_CTAG_RX)) {
+ hw_checksum = get_fixed_vlan_csum(hw_checksum, hdr);
+ hdr += sizeof(struct vlan_hdr);
+ }
+@@ -901,7 +895,8 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud
+
+ if (ip_summed == CHECKSUM_COMPLETE) {
+ void *va = skb_frag_address(skb_shinfo(gro_skb)->frags);
+- if (check_csum(cqe, gro_skb, va, ring->hwtstamp_rx_filter)) {
++ if (check_csum(cqe, gro_skb, va,
++ dev->features)) {
+ ip_summed = CHECKSUM_NONE;
+ ring->csum_none++;
+ ring->csum_complete--;
+@@ -956,7 +951,7 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud
+ }
+
+ if (ip_summed == CHECKSUM_COMPLETE) {
+- if (check_csum(cqe, skb, skb->data, ring->hwtstamp_rx_filter)) {
++ if (check_csum(cqe, skb, skb->data, dev->features)) {
+ ip_summed = CHECKSUM_NONE;
+ ring->csum_complete--;
+ ring->csum_none++;
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+index 8c234ec..35dd887 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -66,6 +66,7 @@ int mlx4_en_create_tx_ring(struct mlx4_en_priv *priv,
+ ring->size = size;
+ ring->size_mask = size - 1;
+ ring->stride = stride;
++ ring->full_size = ring->size - HEADROOM - MAX_DESC_TXBBS;
+
+ tmp = size * sizeof(struct mlx4_en_tx_info);
+ ring->tx_info = kmalloc_node(tmp, GFP_KERNEL | __GFP_NOWARN, node);
+@@ -180,6 +181,7 @@ void mlx4_en_destroy_tx_ring(struct mlx4_en_priv *priv,
+ mlx4_bf_free(mdev->dev, &ring->bf);
+ mlx4_qp_remove(mdev->dev, &ring->qp);
+ mlx4_qp_free(mdev->dev, &ring->qp);
++ mlx4_qp_release_range(priv->mdev->dev, ring->qpn, 1);
+ mlx4_en_unmap_buffer(&ring->wqres.buf);
+ mlx4_free_hwq_res(mdev->dev, &ring->wqres, ring->buf_size);
+ kfree(ring->bounce_buf);
+@@ -231,6 +233,11 @@ void mlx4_en_deactivate_tx_ring(struct mlx4_en_priv *priv,
+ MLX4_QP_STATE_RST, NULL, 0, 0, &ring->qp);
+ }
+
++static inline bool mlx4_en_is_tx_ring_full(struct mlx4_en_tx_ring *ring)
++{
++ return ring->prod - ring->cons > ring->full_size;
++}
++
+ static void mlx4_en_stamp_wqe(struct mlx4_en_priv *priv,
+ struct mlx4_en_tx_ring *ring, int index,
+ u8 owner)
+@@ -473,11 +480,10 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
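Review bot: mlx4_en_is_tx_ring_full() reads `ring->cons` with a plain load and compares unsigned, whereas the two mlx4_en_xmit() sites it replaces (hunks at -921 and -991) compared `(int)(ring->prod - ring_cons)` against a snapshot. In the -991 hunk the `ring_cons = ACCESS_ONCE(ring->cons);` line stays, but its value no longer feeds the test, so the re-check after `smp_rmb()` relies on the compiler reloading the field inside the inlined helper. Making the read explicit keeps the intent visible: `return ring->prod - ACCESS_ONCE(ring->cons) > ring->full_size;`. A one-line comment on the helper saying that the difference is taken modulo 2^32 would also account for the dropped `(int)` cast; the types of `prod` and `cons` are not visible in this diff.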
+ + netdev_tx_completed_queue(ring->tx_queue, packets, bytes); + +- /* +- * Wakeup Tx queue if this stopped, and at least 1 packet +- * was completed ++ /* Wakeup Tx queue if this stopped, and ring is not full. + */ +- if (netif_tx_queue_stopped(ring->tx_queue) && txbbs_skipped > 0) { ++ if (netif_tx_queue_stopped(ring->tx_queue) && ++ !mlx4_en_is_tx_ring_full(ring)) { + netif_tx_wake_queue(ring->tx_queue); + ring->wake_queue++; + } +@@ -921,8 +927,7 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev) + skb_tx_timestamp(skb); + + /* Check available TXBBs And 2K spare for prefetch */ +- stop_queue = (int)(ring->prod - ring_cons) > +- ring->size - HEADROOM - MAX_DESC_TXBBS; ++ stop_queue = mlx4_en_is_tx_ring_full(ring); + if (unlikely(stop_queue)) { + netif_tx_stop_queue(ring->tx_queue); + ring->queue_stopped++; +@@ -991,8 +996,7 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev) + smp_rmb(); + + ring_cons = ACCESS_ONCE(ring->cons); +- if (unlikely(((int)(ring->prod - ring_cons)) <= +- ring->size - HEADROOM - MAX_DESC_TXBBS)) { ++ if (unlikely(!mlx4_en_is_tx_ring_full(ring))) { + netif_tx_wake_queue(ring->tx_queue); + ring->wake_queue++; + } +diff --git a/drivers/net/ethernet/mellanox/mlx4/intf.c b/drivers/net/ethernet/mellanox/mlx4/intf.c +index 6fce587..0d80aed 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/intf.c ++++ b/drivers/net/ethernet/mellanox/mlx4/intf.c +@@ -93,8 +93,14 @@ int mlx4_register_interface(struct mlx4_interface *intf) + mutex_lock(&intf_mutex); + + list_add_tail(&intf->list, &intf_list); +- list_for_each_entry(priv, &dev_list, dev_list) ++ list_for_each_entry(priv, &dev_list, dev_list) { ++ if (mlx4_is_mfunc(&priv->dev) && (intf->flags & MLX4_INTFF_BONDING)) { ++ mlx4_dbg(&priv->dev, ++ "SRIOV, disabling HA mode for intf proto %d\n", intf->protocol); ++ intf->flags &= ~MLX4_INTFF_BONDING; ++ } + mlx4_add_device(intf, priv); ++ } + + mutex_unlock(&intf_mutex); + +diff --git 
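Review bot: `intf->flags &= ~MLX4_INTFF_BONDING;` in mlx4_register_interface() modifies the interface object shared by all devices, and does so from inside the per-device loop. Once one multi-function device is encountered the flag stays cleared for every device visited later in `dev_list`, while devices earlier in the list were already passed to mlx4_add_device() with bonding still set, so the outcome depends on list order. If HA mode should be disabled only for the SRIOV device, the decision belongs per device rather than written back to `intf`. If it is meant to be global, scanning before the first mlx4_add_device() call and adding a comment such as `/* any mfunc device disables bonding for this interface */` would make that explicit.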
a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +index 8687c8d..0bf0fdd 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -280,6 +280,7 @@ struct mlx4_en_tx_ring { + u32 size; /* number of TXBBs */ + u32 size_mask; + u16 stride; ++ u32 full_size; + u16 cqn; /* index of port CQ associated with this ring */ + u32 buf_size; + __be32 doorbell_qpn; +@@ -601,7 +602,6 @@ struct mlx4_en_priv { + int vids[128]; + bool wol; + struct device *ddev; +- int base_tx_qpn; + struct hlist_head mac_hash[MLX4_EN_MAC_HASH_SIZE]; + struct hwtstamp_config hwtstamp_config; + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index bdfe51f..d551df6 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -796,10 +796,11 @@ static int genphy_config_advert(struct phy_device *phydev) + if (phydev->supported & (SUPPORTED_1000baseT_Half | + SUPPORTED_1000baseT_Full)) { + adv |= ethtool_adv_to_mii_ctrl1000_t(advertise); +- if (adv != oldadv) +- changed = 1; + } + ++ if (adv != oldadv) ++ changed = 1; ++ + err = phy_write(phydev, MII_CTRL1000, adv); + if (err < 0) + return err; +diff --git a/drivers/s390/kvm/virtio_ccw.c b/drivers/s390/kvm/virtio_ccw.c +index 71d7802..5717117 100644 +--- a/drivers/s390/kvm/virtio_ccw.c ++++ b/drivers/s390/kvm/virtio_ccw.c +@@ -65,6 +65,7 @@ struct virtio_ccw_device { + bool is_thinint; + bool going_away; + bool device_lost; ++ unsigned int config_ready; + void *airq_info; + }; + +@@ -833,8 +834,11 @@ static void virtio_ccw_get_config(struct virtio_device *vdev, + if (ret) + goto out_free; + +- memcpy(vcdev->config, config_area, sizeof(vcdev->config)); +- memcpy(buf, &vcdev->config[offset], len); ++ memcpy(vcdev->config, config_area, offset + len); ++ if (buf) ++ memcpy(buf, &vcdev->config[offset], len); ++ if (vcdev->config_ready < offset + len) ++ vcdev->config_ready = offset + len; + + out_free: + 
kfree(config_area); +@@ -857,6 +861,9 @@ static void virtio_ccw_set_config(struct virtio_device *vdev, + if (!config_area) + goto out_free; + ++ /* Make sure we don't overwrite fields. */ ++ if (vcdev->config_ready < offset) ++ virtio_ccw_get_config(vdev, 0, NULL, offset); + memcpy(&vcdev->config[offset], buf, len); + /* Write the config area to the host. */ + memcpy(config_area, vcdev->config, sizeof(vcdev->config)); +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 175c995..ce3b407 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -845,7 +845,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) + ret = ep->status; + if (io_data->read && ret > 0) { + ret = copy_to_iter(data, ret, &io_data->data); +- if (unlikely(iov_iter_count(&io_data->data))) ++ if (!ret) + ret = -EFAULT; + } + } +@@ -3433,6 +3433,7 @@ done: + static void ffs_closed(struct ffs_data *ffs) + { + struct ffs_dev *ffs_obj; ++ struct f_fs_opts *opts; + + ENTER(); + ffs_dev_lock(); +@@ -3446,8 +3447,13 @@ static void ffs_closed(struct ffs_data *ffs) + if (ffs_obj->ffs_closed_callback) + ffs_obj->ffs_closed_callback(ffs); + +- if (!ffs_obj->opts || ffs_obj->opts->no_configfs +- || !ffs_obj->opts->func_inst.group.cg_item.ci_parent) ++ if (ffs_obj->opts) ++ opts = ffs_obj->opts; ++ else ++ goto done; ++ ++ if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent ++ || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount)) + goto done; + + unregister_gadget_item(ffs_obj->opts-> +diff --git a/fs/dcache.c b/fs/dcache.c +index 922f23e..b05c557 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2896,17 +2896,6 @@ restart: + vfsmnt = &mnt->mnt; + continue; + } +- /* +- * Filesystems needing to implement special "root names" +- * should do so with ->d_dname() +- */ +- if (IS_ROOT(dentry) && +- (dentry->d_name.len != 1 || +- dentry->d_name.name[0] != '/')) { +- WARN(1, "Root dentry 
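Review bot: The first copy in virtio_ccw_get_config() changed from a fixed `sizeof(vcdev->config)` to `offset + len`, and nothing in this hunk bounds that sum against the size of `vcdev->config` or of `config_area`. The function starts outside the hunk, so a check may exist earlier; if it does not, a guard before the copy is cheap: `if (offset + len > sizeof(vcdev->config)) goto out_free;`. The same sum is stored into `config_ready`, so an oversized value would also be remembered for later calls.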
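Review bot: virtio_ccw_set_config() calls `virtio_ccw_get_config(vdev, 0, NULL, offset)` to fill the bytes below `offset`, but that function returns void and leaves through `out_free` on error (see `if (ret) goto out_free;` in the previous hunk) without advancing `config_ready`. set_config then carries on and writes the full `sizeof(vcdev->config)` back to the host, including bytes that were never read. Re-testing after the call closes that gap: `if (vcdev->config_ready < offset) goto out_free;`. Both function bodies start outside their hunks.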
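Review bot: The new test in ffs_closed() reads `ci_kref.refcount` directly with atomic_read() and then acts on the item, which is a check-then-use on a counter this function holds no reference to; the value can change between the test and unregister_gadget_item() unless something else serializes it. ffs_dev_lock() is taken at the top of the function (previous hunk), but whether the configfs side drops its reference under that lock is not visible here, so a comment naming the lock that makes the read stable is worth adding. The context line `unregister_gadget_item(ffs_obj->opts->` also still goes through `ffs_obj->opts` although the hunk introduces the local `opts` for exactly that pointer.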
has weird name <%.*s>\n", +- (int) dentry->d_name.len, +- dentry->d_name.name); +- } + if (!error) + error = is_mounted(vfsmnt) ? 1 : 2; + break; +diff --git a/fs/inode.c b/fs/inode.c +index f00b16f..c60671d 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1693,8 +1693,8 @@ int file_remove_suid(struct file *file) + error = security_inode_killpriv(dentry); + if (!error && killsuid) + error = __remove_suid(dentry, killsuid); +- if (!error && (inode->i_sb->s_flags & MS_NOSEC)) +- inode->i_flags |= S_NOSEC; ++ if (!error) ++ inode_has_no_xattr(inode); + + return error; + } +diff --git a/fs/namespace.c b/fs/namespace.c +index 13b0f7b..f07c769 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3187,11 +3187,15 @@ bool fs_fully_visible(struct file_system_type *type) + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) + continue; + +- /* This mount is not fully visible if there are any child mounts +- * that cover anything except for empty directories. ++ /* This mount is not fully visible if there are any ++ * locked child mounts that cover anything except for ++ * empty directories. 
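Review bot: Replacing the explicit `MS_NOSEC` test in file_remove_suid() with `inode_has_no_xattr(inode)` hides the condition under which `S_NOSEC` gets cached, and the helper's name does not suggest any connection to suid handling. The helper is defined outside this diff, so its exact checks cannot be confirmed from here. A short comment above the call would keep the security-relevant intent readable, for example `/* caches S_NOSEC via the helper; presumably skipped while suid/sgid bits remain */`.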
+ */ + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + struct inode *inode = child->mnt_mountpoint->d_inode; ++ /* Only worry about locked mounts */ ++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED)) ++ continue; + if (!S_ISDIR(inode->i_mode)) + goto next; + if (inode->i_nlink > 2) +diff --git a/fs/ufs/balloc.c b/fs/ufs/balloc.c +index 2c10360..a7106ed 100644 +--- a/fs/ufs/balloc.c ++++ b/fs/ufs/balloc.c +@@ -51,8 +51,8 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count) + + if (ufs_fragnum(fragment) + count > uspi->s_fpg) + ufs_error (sb, "ufs_free_fragments", "internal error"); +- +- lock_ufs(sb); ++ ++ mutex_lock(&UFS_SB(sb)->s_lock); + + cgno = ufs_dtog(uspi, fragment); + bit = ufs_dtogd(uspi, fragment); +@@ -115,13 +115,13 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count) + if (sb->s_flags & MS_SYNCHRONOUS) + ubh_sync_block(UCPI_UBH(ucpi)); + ufs_mark_sb_dirty(sb); +- +- unlock_ufs(sb); ++ ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + return; + + failed: +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); + return; + } +@@ -151,7 +151,7 @@ void ufs_free_blocks(struct inode *inode, u64 fragment, unsigned count) + goto failed; + } + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + do_more: + overflow = 0; +@@ -211,12 +211,12 @@ do_more: + } + + ufs_mark_sb_dirty(sb); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + return; + + failed_unlock: +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + failed: + UFSD("EXIT (FAILED)\n"); + return; +@@ -357,7 +357,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + usb1 = ubh_get_usb_first(uspi); + *err = -ENOSPC; + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + tmp = ufs_data_ptr_to_cpu(sb, p); + + if (count + ufs_fragnum(fragment) > uspi->s_fpb) { +@@ -378,19 +378,19 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + "fragment 
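Review bot: The added filter tests `mnt->mnt.mnt_flags`, the parent mount being examined, although it sits inside `list_for_each_entry(child, &mnt->mnt_mounts, mnt_child)` and both new comments speak of locked child mounts. As written the condition has the same value on every iteration, so either all children of a mount are skipped or none are, regardless of which child is actually locked. The test the comments describe would be `if (!(child->mnt.mnt_flags & MNT_LOCKED))`. Since fs_fully_visible() decides whether an existing mount exposes the whole filesystem, checking the wrong mount can change that answer in either direction.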
%llu, tmp %llu\n", + (unsigned long long)fragment, + (unsigned long long)tmp); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return INVBLOCK; + } + if (fragment < UFS_I(inode)->i_lastfrag) { + UFSD("EXIT (ALREADY ALLOCATED)\n"); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return 0; + } + } + else { + if (tmp) { + UFSD("EXIT (ALREADY ALLOCATED)\n"); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return 0; + } + } +@@ -399,7 +399,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + * There is not enough space for user on the device + */ + if (!capable(CAP_SYS_RESOURCE) && ufs_freespace(uspi, UFS_MINFREE) <= 0) { +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); + return 0; + } +@@ -424,7 +424,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + ufs_clear_frags(inode, result + oldcount, + newcount - oldcount, locked_page != NULL); + } +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT, result %llu\n", (unsigned long long)result); + return result; + } +@@ -439,7 +439,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + fragment + count); + ufs_clear_frags(inode, result + oldcount, newcount - oldcount, + locked_page != NULL); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT, result %llu\n", (unsigned long long)result); + return result; + } +@@ -477,7 +477,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + *err = 0; + UFS_I(inode)->i_lastfrag = max(UFS_I(inode)->i_lastfrag, + fragment + count); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + if (newcount < request) + ufs_free_fragments (inode, result + newcount, request - newcount); + ufs_free_fragments (inode, tmp, oldcount); +@@ -485,7 +485,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, + return result; + } + +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); 
+ return 0; + } +diff --git a/fs/ufs/ialloc.c b/fs/ufs/ialloc.c +index 7caa016..fd0203c 100644 +--- a/fs/ufs/ialloc.c ++++ b/fs/ufs/ialloc.c +@@ -69,11 +69,11 @@ void ufs_free_inode (struct inode * inode) + + ino = inode->i_ino; + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + if (!((ino > 1) && (ino < (uspi->s_ncg * uspi->s_ipg )))) { + ufs_warning(sb, "ufs_free_inode", "reserved inode or nonexistent inode %u\n", ino); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return; + } + +@@ -81,7 +81,7 @@ void ufs_free_inode (struct inode * inode) + bit = ufs_inotocgoff (ino); + ucpi = ufs_load_cylinder (sb, cg); + if (!ucpi) { +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return; + } + ucg = ubh_get_ucg(UCPI_UBH(ucpi)); +@@ -115,7 +115,7 @@ void ufs_free_inode (struct inode * inode) + ubh_sync_block(UCPI_UBH(ucpi)); + + ufs_mark_sb_dirty(sb); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + } + +@@ -193,7 +193,7 @@ struct inode *ufs_new_inode(struct inode *dir, umode_t mode) + sbi = UFS_SB(sb); + uspi = sbi->s_uspi; + +- lock_ufs(sb); ++ mutex_lock(&sbi->s_lock); + + /* + * Try to place the inode in its parent directory +@@ -331,21 +331,21 @@ cg_found: + sync_dirty_buffer(bh); + brelse(bh); + } +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + + UFSD("allocating inode %lu\n", inode->i_ino); + UFSD("EXIT\n"); + return inode; + + fail_remove_inode: +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + clear_nlink(inode); + unlock_new_inode(inode); + iput(inode); + UFSD("EXIT (FAILED): err %d\n", err); + return ERR_PTR(err); + failed: +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + make_bad_inode(inode); + iput (inode); + UFSD("EXIT (FAILED): err %d\n", err); +diff --git a/fs/ufs/inode.c b/fs/ufs/inode.c +index be7d42c..2d93ab0 100644 +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -902,6 +902,9 @@ void ufs_evict_inode(struct inode * inode) + invalidate_inode_buffers(inode); + clear_inode(inode); + +- if 
(want_delete) ++ if (want_delete) { ++ lock_ufs(inode->i_sb); + ufs_free_inode(inode); ++ unlock_ufs(inode->i_sb); ++ } + } +diff --git a/fs/ufs/namei.c b/fs/ufs/namei.c +index fd65deb..e8ee298 100644 +--- a/fs/ufs/namei.c ++++ b/fs/ufs/namei.c +@@ -128,12 +128,12 @@ static int ufs_symlink (struct inode * dir, struct dentry * dentry, + if (l > sb->s_blocksize) + goto out_notlocked; + ++ lock_ufs(dir->i_sb); + inode = ufs_new_inode(dir, S_IFLNK | S_IRWXUGO); + err = PTR_ERR(inode); + if (IS_ERR(inode)) +- goto out_notlocked; ++ goto out; + +- lock_ufs(dir->i_sb); + if (l > UFS_SB(sb)->s_uspi->s_maxsymlinklen) { + /* slow symlink */ + inode->i_op = &ufs_symlink_inode_operations; +@@ -174,7 +174,12 @@ static int ufs_link (struct dentry * old_dentry, struct inode * dir, + inode_inc_link_count(inode); + ihold(inode); + +- error = ufs_add_nondir(dentry, inode); ++ error = ufs_add_link(dentry, inode); ++ if (error) { ++ inode_dec_link_count(inode); ++ iput(inode); ++ } else ++ d_instantiate(dentry, inode); + unlock_ufs(dir->i_sb); + return error; + } +@@ -184,9 +189,13 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode) + struct inode * inode; + int err; + ++ lock_ufs(dir->i_sb); ++ inode_inc_link_count(dir); ++ + inode = ufs_new_inode(dir, S_IFDIR|mode); ++ err = PTR_ERR(inode); + if (IS_ERR(inode)) +- return PTR_ERR(inode); ++ goto out_dir; + + inode->i_op = &ufs_dir_inode_operations; + inode->i_fop = &ufs_dir_operations; +@@ -194,9 +203,6 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode) + + inode_inc_link_count(inode); + +- lock_ufs(dir->i_sb); +- inode_inc_link_count(dir); +- + err = ufs_make_empty(inode, dir); + if (err) + goto out_fail; +@@ -206,6 +212,7 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode) + goto out_fail; + unlock_ufs(dir->i_sb); + ++ unlock_new_inode(inode); + d_instantiate(dentry, inode); + out: + return err; +@@ -215,6 +222,7 @@ out_fail: + 
inode_dec_link_count(inode); + unlock_new_inode(inode); + iput (inode); ++out_dir: + inode_dec_link_count(dir); + unlock_ufs(dir->i_sb); + goto out; +diff --git a/fs/ufs/super.c b/fs/ufs/super.c +index 8092d37..eb16791 100644 +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -694,6 +694,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait) + unsigned flags; + + lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + UFSD("ENTER\n"); + +@@ -711,6 +712,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait) + ufs_put_cstotal(sb); + + UFSD("EXIT\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + + return 0; +@@ -799,6 +801,7 @@ static int ufs_fill_super(struct super_block *sb, void *data, int silent) + UFSD("flag %u\n", (int)(sb->s_flags & MS_RDONLY)); + + mutex_init(&sbi->mutex); ++ mutex_init(&sbi->s_lock); + spin_lock_init(&sbi->work_lock); + INIT_DELAYED_WORK(&sbi->sync_work, delayed_sync_fs); + /* +@@ -1277,6 +1280,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + + sync_filesystem(sb); + lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + uspi = UFS_SB(sb)->s_uspi; + flags = UFS_SB(sb)->s_flags; + usb1 = ubh_get_usb_first(uspi); +@@ -1290,6 +1294,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + new_mount_opt = 0; + ufs_set_opt (new_mount_opt, ONERROR_LOCK); + if (!ufs_parse_options (data, &new_mount_opt)) { ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } +@@ -1297,12 +1302,14 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + new_mount_opt |= ufstype; + } else if ((new_mount_opt & UFS_MOUNT_UFSTYPE) != ufstype) { + pr_err("ufstype can't be changed during remount\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } + + if ((*mount_flags & MS_RDONLY) == (sb->s_flags & MS_RDONLY)) { + UFS_SB(sb)->s_mount_opt = new_mount_opt; ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + 
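Review bot: Every early return in ufs_remount() now repeats the pair `mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb);` (this hunk and the ones at -1297, -1326, -1335 and -1347), which makes it easy for a future exit path to release only one of the two locks. A single exit label with a local `int err` keeps the release order in one place. The function starts and ends outside these hunks, so the sketch below shows only the first error site and the common exit.

```c
	if (!ufs_parse_options (data, &new_mount_opt)) {
		err = -EINVAL;
		goto out_unlock;
	}
	/* … unchanged: remaining checks, each setting err and jumping to out_unlock … */
	UFS_SB(sb)->s_mount_opt = new_mount_opt;
	err = 0;
out_unlock:
	mutex_unlock(&UFS_SB(sb)->s_lock);
	unlock_ufs(sb);
	return err;
```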
return 0; + } +@@ -1326,6 +1333,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + */ + #ifndef CONFIG_UFS_FS_WRITE + pr_err("ufs was compiled with read-only support, can't be mounted as read-write\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + #else +@@ -1335,11 +1343,13 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + ufstype != UFS_MOUNT_UFSTYPE_SUNx86 && + ufstype != UFS_MOUNT_UFSTYPE_UFS2) { + pr_err("this ufstype is read-only supported\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } + if (!ufs_read_cylinder_structures(sb)) { + pr_err("failed during remounting\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EPERM; + } +@@ -1347,6 +1357,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) + #endif + } + UFS_SB(sb)->s_mount_opt = new_mount_opt; ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return 0; + } +diff --git a/fs/ufs/ufs.h b/fs/ufs/ufs.h +index 2a07396..cf6368d 100644 +--- a/fs/ufs/ufs.h ++++ b/fs/ufs/ufs.h +@@ -30,6 +30,7 @@ struct ufs_sb_info { + int work_queued; /* non-zero if the delayed work is queued */ + struct delayed_work sync_work; /* FS sync delayed work */ + spinlock_t work_lock; /* protects sync_work and work_queued */ ++ struct mutex s_lock; + }; + + struct ufs_inode_info { +diff --git a/include/net/netns/sctp.h b/include/net/netns/sctp.h +index 3573a81..8ba379f 100644 +--- a/include/net/netns/sctp.h ++++ b/include/net/netns/sctp.h +@@ -31,6 +31,7 @@ struct netns_sctp { + struct list_head addr_waitq; + struct timer_list addr_wq_timer; + struct list_head auto_asconf_splist; ++ /* Lock that protects both addr_waitq and auto_asconf_splist */ + spinlock_t addr_wq_lock; + + /* Lock that protects the local_addr_list writers */ +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h +index 2bb2fcf..495c87e 100644 +--- 
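Review bot: `struct mutex s_lock;` is the only member in this part of struct ufs_sb_info without a comment, while the neighbouring fields say what they are for. From the other hunks it is taken in the block and inode allocation paths (ufs_new_fragments(), ufs_free_blocks(), ufs_new_inode(), ufs_free_inode()) and always after lock_ufs() where both are held (ufs_sync_fs(), ufs_remount()). Recording that on the field documents the lock order: `struct mutex s_lock; /* serializes block/inode allocation; nests inside lock_ufs() */`.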
a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -223,6 +223,10 @@ struct sctp_sock { + atomic_t pd_mode; + /* Receive to here while partial delivery is in effect. */ + struct sk_buff_head pd_lobby; ++ ++ /* These must be the last fields, as they will skipped on copies, ++ * like on accept and peeloff operations ++ */ + struct list_head auto_asconf_list; + int do_auto_asconf; + }; +diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c +index a9a4a1b..8d423bc 100644 +--- a/net/bridge/br_ioctl.c ++++ b/net/bridge/br_ioctl.c +@@ -247,9 +247,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN)) + return -EPERM; + +- spin_lock_bh(&br->lock); + br_stp_set_bridge_priority(br, args[1]); +- spin_unlock_bh(&br->lock); + return 0; + + case BRCTL_SET_PORT_PRIORITY: +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index b0aee78..c08f510 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1166,6 +1166,9 @@ static void br_multicast_add_router(struct net_bridge *br, + struct net_bridge_port *p; + struct hlist_node *slot = NULL; + ++ if (!hlist_unhashed(&port->rlist)) ++ return; ++ + hlist_for_each_entry(p, &br->router_list, rlist) { + if ((unsigned long) port >= (unsigned long) p) + break; +@@ -1193,12 +1196,8 @@ static void br_multicast_mark_router(struct net_bridge *br, + if (port->multicast_router != 1) + return; + +- if (!hlist_unhashed(&port->rlist)) +- goto timer; +- + br_multicast_add_router(br, port); + +-timer: + mod_timer(&port->multicast_router_timer, + now + br->multicast_querier_interval); + } +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 4114687..7832d07 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br) + return true; + } + +-/* called under bridge lock */ ++/* Acquires and releases bridge lock */ + 
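Review bot: The requirement that `auto_asconf_list` and `do_auto_asconf` stay the last members of struct sctp_sock is enforced only by this comment, yet sctp_copy_descendant() in the net/sctp/socket.c part of this patch derives the number of bytes to leave uncopied from `offsetof(struct sctp_sock, auto_asconf_list)`. A member added after them later would silently stop being copied on accept and peeloff. A compile-time assertion next to that offsetof() computation, tying the skipped tail to the size of the two members, would turn the layout rule into a build failure. The comment text also drops a word and should read `as they will be skipped on copies`.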
void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio) + { + struct net_bridge_port *p; + int wasroot; + ++ spin_lock_bh(&br->lock); + wasroot = br_is_root_bridge(br); + + list_for_each_entry(p, &br->port_list, list) { +@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio) + br_port_state_selection(br); + if (br_is_root_bridge(br) && !wasroot) + br_become_root_bridge(br); ++ spin_unlock_bh(&br->lock); + } + + /* called under bridge lock */ +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 70fe9e1..d0e5d66 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -971,6 +971,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) + rc = 0; + if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)) + goto out_unlock_bh; ++ if (neigh->dead) ++ goto out_dead; + + if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) { + if (NEIGH_VAR(neigh->parms, MCAST_PROBES) + +@@ -1027,6 +1029,13 @@ out_unlock_bh: + write_unlock(&neigh->lock); + local_bh_enable(); + return rc; ++ ++out_dead: ++ if (neigh->nud_state & NUD_STALE) ++ goto out_unlock_bh; ++ write_unlock_bh(&neigh->lock); ++ kfree_skb(skb); ++ return 1; + } + EXPORT_SYMBOL(__neigh_event_send); + +@@ -1090,6 +1099,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, + if (!(flags & NEIGH_UPDATE_F_ADMIN) && + (old & (NUD_NOARP | NUD_PERMANENT))) + goto out; ++ if (neigh->dead) ++ goto out; + + if (!(new & NUD_VALID)) { + neigh_del_timer(neigh); +@@ -1239,6 +1250,8 @@ EXPORT_SYMBOL(neigh_update); + */ + void __neigh_set_probe_once(struct neighbour *neigh) + { ++ if (neigh->dead) ++ return; + neigh->updated = jiffies; + if (!(neigh->nud_state & NUD_FAILED)) + return; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index e9f9a15..1e3abb8 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4443,7 +4443,7 @@ struct sk_buff *alloc_skb_with_frags(unsigned long header_len, + + while (order) { + if 
(npages >= 1 << order) { +- page = alloc_pages(gfp_mask | ++ page = alloc_pages((gfp_mask & ~__GFP_WAIT) | + __GFP_COMP | + __GFP_NOWARN | + __GFP_NORETRY, +diff --git a/net/core/sock.c b/net/core/sock.c +index 71e3e5f..c77d5d2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1895,7 +1895,7 @@ bool skb_page_frag_refill(unsigned int sz, struct page_frag *pfrag, gfp_t gfp) + + pfrag->offset = 0; + if (SKB_FRAG_PAGE_ORDER) { +- pfrag->page = alloc_pages(gfp | __GFP_COMP | ++ pfrag->page = alloc_pages((gfp & ~__GFP_WAIT) | __GFP_COMP | + __GFP_NOWARN | __GFP_NORETRY, + SKB_FRAG_PAGE_ORDER); + if (likely(pfrag->page)) { +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index d2e49ba..61edc49 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -228,6 +228,8 @@ int inet_listen(struct socket *sock, int backlog) + err = 0; + if (err) + goto out; ++ ++ tcp_fastopen_init_key_once(true); + } + err = inet_csk_listen_start(sk, backlog); + if (err) +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 5cd9927..d9e8ff3 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -432,6 +432,15 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf + kfree_skb(skb); + } + ++/* For some errors we have valid addr_offset even with zero payload and ++ * zero port. Also, addr_offset should be supported if port is set. 
++ */ ++static inline bool ipv4_datagram_support_addr(struct sock_exterr_skb *serr) ++{ ++ return serr->ee.ee_origin == SO_EE_ORIGIN_ICMP || ++ serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL || serr->port; ++} ++ + /* IPv4 supports cmsg on all imcp errors and some timestamps + * + * Timestamp code paths do not initialize the fields expected by cmsg: +@@ -498,7 +507,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + serr = SKB_EXT_ERR(skb); + +- if (sin && serr->port) { ++ if (sin && ipv4_datagram_support_addr(serr)) { + sin->sin_family = AF_INET; + sin->sin_addr.s_addr = *(__be32 *)(skb_network_header(skb) + + serr->addr_offset); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 995a225..d03a344 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2541,10 +2541,13 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_FASTOPEN: + if (val >= 0 && ((1 << sk->sk_state) & (TCPF_CLOSE | +- TCPF_LISTEN))) ++ TCPF_LISTEN))) { ++ tcp_fastopen_init_key_once(true); ++ + err = fastopen_init_queue(sk, val); +- else ++ } else { + err = -EINVAL; ++ } + break; + case TCP_TIMESTAMP: + if (!tp->repair) +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index ea82fd4..9c37181 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -78,8 +78,6 @@ static bool __tcp_fastopen_cookie_gen(const void *path, + struct tcp_fastopen_context *ctx; + bool ok = false; + +- tcp_fastopen_init_key_once(true); +- + rcu_read_lock(); + ctx = rcu_dereference(tcp_fastopen_ctx); + if (ctx) { +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index ace8dac..d174b91 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -325,6 +325,16 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) + kfree_skb(skb); + } + ++/* For some errors we have valid addr_offset even with zero payload and ++ * zero port. Also, addr_offset should be supported if port is set. 
++ */
++static inline bool ipv6_datagram_support_addr(struct sock_exterr_skb *serr)
++{
++ return serr->ee.ee_origin == SO_EE_ORIGIN_ICMP6 ||
++ serr->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
++ serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL || serr->port;
++}
++
+ /* IPv6 supports cmsg on all origins aside from SO_EE_ORIGIN_LOCAL.
+ *
+ * At one point, excluding local errors was a quick test to identify icmp/icmp6
+@@ -389,7 +399,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ serr = SKB_EXT_ERR(skb);
+
+- if (sin && serr->port) {
++ if (sin && ipv6_datagram_support_addr(serr)) {
+ const unsigned char *nh = skb_network_header(skb);
+ sin->sin6_family = AF_INET6;
+ sin->sin6_flowinfo = 0;
+diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
+index 46214f2..2c75361 100644
+--- a/net/netfilter/nft_rbtree.c
++++ b/net/netfilter/nft_rbtree.c
+@@ -37,10 +37,11 @@ static bool nft_rbtree_lookup(const struct nft_set *set,
+ {
+ const struct nft_rbtree *priv = nft_set_priv(set);
+ const struct nft_rbtree_elem *rbe, *interval = NULL;
+- const struct rb_node *parent = priv->root.rb_node;
++ const struct rb_node *parent;
+ int d;
+
+ spin_lock_bh(&nft_rbtree_lock);
++ parent = priv->root.rb_node;
+ while (parent != NULL) {
+ rbe = rb_entry(parent, struct nft_rbtree_elem, node);
+
+@@ -158,7 +159,6 @@ static int nft_rbtree_get(const struct nft_set *set, struct nft_set_elem *elem)
+ struct nft_rbtree_elem *rbe;
+ int d;
+
+- spin_lock_bh(&nft_rbtree_lock);
+ while (parent != NULL) {
+ rbe = rb_entry(parent, struct nft_rbtree_elem, node);
+
+@@ -173,11 +173,9 @@ static int nft_rbtree_get(const struct nft_set *set, struct nft_set_elem *elem)
+ !(rbe->flags & NFT_SET_ELEM_INTERVAL_END))
+ nft_data_copy(&elem->data, rbe->data);
+ elem->flags = rbe->flags;
+- spin_unlock_bh(&nft_rbtree_lock);
+ return 0;
+ }
+ }
+- spin_unlock_bh(&nft_rbtree_lock);
+ return -ENOENT;
+ }
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index f8db706..bfe5c69 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct sock *sk) + sk_refcnt_debug_dec(sk); + } + +-static int fanout_rr_next(struct packet_fanout *f, unsigned int num) +-{ +- int x = atomic_read(&f->rr_cur) + 1; +- +- if (x >= num) +- x = 0; +- +- return x; +-} +- + static unsigned int fanout_demux_hash(struct packet_fanout *f, + struct sk_buff *skb, + unsigned int num) +@@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f, + struct sk_buff *skb, + unsigned int num) + { +- int cur, old; ++ unsigned int val = atomic_inc_return(&f->rr_cur); + +- cur = atomic_read(&f->rr_cur); +- while ((old = atomic_cmpxchg(&f->rr_cur, cur, +- fanout_rr_next(f, num))) != cur) +- cur = old; +- return cur; ++ return val % num; + } + + static unsigned int fanout_demux_cpu(struct packet_fanout *f, +@@ -1347,7 +1333,7 @@ static int packet_rcv_fanout(struct sk_buff *skb, struct net_device *dev, + struct packet_type *pt, struct net_device *orig_dev) + { + struct packet_fanout *f = pt->af_packet_priv; +- unsigned int num = f->num_members; ++ unsigned int num = READ_ONCE(f->num_members); + struct packet_sock *po; + unsigned int idx; + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index fc5e45b..abe7c2d 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -599,7 +599,9 @@ out: + return err; + no_route: + kfree_skb(nskb); +- IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES); ++ ++ if (asoc) ++ IP_INC_STATS(sock_net(asoc->base.sk), IPSTATS_MIB_OUTNOROUTES); + + /* FIXME: Returning the 'err' will effect all the associations + * associated with a socket, although only one of the paths of the +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index aafe94b..4e56571 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk, long timeout) + + /* Supposedly, no process has access to 
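Review bot: fanout_demux_lb() now returns `val % num`, where `num` is whatever packet_rcv_fanout() read with `READ_ONCE(f->num_members)`; if that snapshot can be zero while members are being removed, the modulo is a division by zero. Whether packet_rcv_fanout() rejects `num == 0` before dispatching is outside the hunk. If it does not, the guard belongs right after the load and before any demux helper runs, e.g. `if (!num) { kfree_skb(skb); return 0; }`. A comment on `rr_cur` noting that it is now a free-running counter rather than an index below `num` would help readers of any other user of that field.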
the socket, but + * the net layers still may. ++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock ++ * held and that should be grabbed before socket lock. + */ +- local_bh_disable(); ++ spin_lock_bh(&net->sctp.addr_wq_lock); + bh_lock_sock(sk); + + /* Hold the sock, since sk_common_release() will put sock_put() +@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk, long timeout) + sk_common_release(sk); + + bh_unlock_sock(sk); +- local_bh_enable(); ++ spin_unlock_bh(&net->sctp.addr_wq_lock); + + sock_put(sk); + +@@ -3587,6 +3589,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, + if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf)) + return 0; + ++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock); + if (val == 0 && sp->do_auto_asconf) { + list_del(&sp->auto_asconf_list); + sp->do_auto_asconf = 0; +@@ -3595,6 +3598,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, + &sock_net(sk)->sctp.auto_asconf_splist); + sp->do_auto_asconf = 1; + } ++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock); + return 0; + } + +@@ -4128,18 +4132,28 @@ static int sctp_init_sock(struct sock *sk) + local_bh_disable(); + percpu_counter_inc(&sctp_sockets_allocated); + sock_prot_inuse_add(net, sk->sk_prot, 1); ++ ++ /* Nothing can fail after this block, otherwise ++ * sctp_destroy_sock() will be called without addr_wq_lock held ++ */ + if (net->sctp.default_auto_asconf) { ++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock); + list_add_tail(&sp->auto_asconf_list, + &net->sctp.auto_asconf_splist); + sp->do_auto_asconf = 1; +- } else ++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock); ++ } else { + sp->do_auto_asconf = 0; ++ } ++ + local_bh_enable(); + + return 0; + } + +-/* Cleanup any SCTP per socket resources. */ ++/* Cleanup any SCTP per socket resources. 
Must be called with ++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true ++ */ + static void sctp_destroy_sock(struct sock *sk) + { + struct sctp_sock *sp; +@@ -7202,6 +7216,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newinet->mc_list = NULL; + } + ++static inline void sctp_copy_descendant(struct sock *sk_to, ++ const struct sock *sk_from) ++{ ++ int ancestor_size = sizeof(struct inet_sock) + ++ sizeof(struct sctp_sock) - ++ offsetof(struct sctp_sock, auto_asconf_list); ++ ++ if (sk_from->sk_family == PF_INET6) ++ ancestor_size += sizeof(struct ipv6_pinfo); ++ ++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size); ++} ++ + /* Populate the fields of the newsk from the oldsk and migrate the assoc + * and its messages to the newsk. + */ +@@ -7216,7 +7243,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, + struct sk_buff *skb, *tmp; + struct sctp_ulpevent *event; + struct sctp_bind_hashbucket *head; +- struct list_head tmplist; + + /* Migrate socket buffer sizes and all the socket level options to the + * new socket. +@@ -7224,12 +7250,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, + newsk->sk_sndbuf = oldsk->sk_sndbuf; + newsk->sk_rcvbuf = oldsk->sk_rcvbuf; + /* Brute force copy old sctp opt. */ +- if (oldsp->do_auto_asconf) { +- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist)); +- inet_sk_copy_descendant(newsk, oldsk); +- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist)); +- } else +- inet_sk_copy_descendant(newsk, oldsk); ++ sctp_copy_descendant(newsk, oldsk); + + /* Restore the ep value that was overwritten with the above structure + * copy. 
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 4d1a541..2588e08 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -404,6 +404,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) + return sbsec->behavior == SECURITY_FS_USE_XATTR || + sbsec->behavior == SECURITY_FS_USE_TRANS || + sbsec->behavior == SECURITY_FS_USE_TASK || ++ sbsec->behavior == SECURITY_FS_USE_NATIVE || + /* Special handling. Genfs but also in-core setxattr handler */ + !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || diff --git a/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch b/4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch index c471dac..c0c4b69 100644 --- a/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch +++ b/4.0.8/4420_grsecurity-3.1-4.0.8-201507111211.patch @@ -373,7 +373,7 @@ index 4d68ec8..9546b75 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index bd76a8e..ed02758 100644 +index 0e315d6..68f608f 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3662,10 +3662,10 @@ index ff0a68c..b312aa0 100644 sizeof(struct omap_wd_timer_platform_data)); WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n", diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c -index 4f25a7c..a81be85 100644 +index a351eff..87baad9 100644 --- a/arch/arm/mach-tegra/cpuidle-tegra20.c +++ b/arch/arm/mach-tegra/cpuidle-tegra20.c -@@ -179,7 +179,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev, +@@ -178,7 +178,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev, bool entered_lp2 = false; if (tegra_pending_sgi()) @@ -6890,7 +6890,7 @@ index 33984c0..666a96d 100644 info.si_code = FPE_INTOVF; info.si_signo = SIGFPE; diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c -index f5e7dda..47198ec 100644 +index adf3886..ce8f002 100644 --- a/arch/mips/kvm/mips.c 
+++ b/arch/mips/kvm/mips.c @@ -816,7 +816,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) @@ -12512,7 +12512,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index b7d31ca..9481ec5 100644 +index 570c71d..992da93 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -132,7 +132,7 @@ config X86 @@ -28771,7 +28771,7 @@ index 106c015..2db7161 100644 0, 0, 0, /* CR3 checked later */ CR4_RESERVED_BITS, diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 3cb2b58..83c8e31 100644 +index 8ee4aa7..40c3d4c 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -56,7 +56,7 @@ @@ -28810,10 +28810,10 @@ index 6e6d115..43fecbf 100644 goto error; walker->ptep_user[walker->level - 1] = ptep_user; diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index a4e62fc..fbbad55 100644 +index 1b32e29..076a16d 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -3568,7 +3568,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) +@@ -3570,7 +3570,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) int cpu = raw_smp_processor_id(); struct svm_cpu_data *sd = per_cpu(svm_data, cpu); @@ -28825,7 +28825,7 @@ index a4e62fc..fbbad55 100644 load_TR_desc(); } -@@ -3964,6 +3968,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) +@@ -3966,6 +3970,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif @@ -31146,6 +31146,19 @@ index b30b5eb..2b57052 100644 ret CFI_ENDPROC _ASM_NOKPROBE(restore) +diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c +index ddf9ecb..e342586 100644 +--- a/arch/x86/lib/usercopy.c ++++ b/arch/x86/lib/usercopy.c +@@ -20,7 +20,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n) + unsigned long ret; + + if (__range_not_ok(from, n, TASK_SIZE)) +- return 0; ++ return n; + + /* + * Even though this function is typically called from NMI/IRQ context 
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c index e2f5e21..4b22130 100644 --- a/arch/x86/lib/usercopy_32.c @@ -39905,7 +39918,7 @@ index ad3f38f..8f086cd 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index 872c577..5fb3c20 100644 +index 2c867a6..2d7d333 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -133,10 +133,10 @@ struct pstate_funcs { @@ -44236,7 +44249,7 @@ index 92e2243..8fd9092 100644 .ident = "Shift", .matches = { diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c -index 48882c1..93e0987 100644 +index 13cfbf4..b5184d9 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -823,11 +823,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu, @@ -44264,7 +44277,7 @@ index 48882c1..93e0987 100644 CMD_SET_TYPE(cmd, CMD_COMPL_WAIT); } diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c -index bd6252b..0716605 100644 +index 2d1b203..b9f8e18 100644 --- a/drivers/iommu/arm-smmu.c +++ b/drivers/iommu/arm-smmu.c @@ -331,7 +331,7 @@ enum arm_smmu_domain_stage { @@ -48264,7 +48277,7 @@ index 8a50b01..39c1ad0 100644 return 0; } diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c -index d81fc6b..6f8ab25 100644 +index 5c92fb7..e0757dc 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c @@ -347,7 +347,7 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata, @@ -49091,10 +49104,10 @@ index 79c00f5..8da39f6 100644 /* need lock to prevent incorrect read while modifying cyclecounter */ diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c -index 8c234ec..757331f 100644 +index 35dd887..38b3476 100644 --- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c 
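Review bot: The early exit in copy_from_user_nmi() now returns `n` where it used to return 0, so the result has to be read as "bytes not copied", and nothing visible in this hunk states that convention. A caller that still treats the return value as the number of bytes copied would take a rejected range for a complete copy and go on to use a `to` buffer that was never written. Callers are therefore worth re-checking against the new meaning. I would add a line above the function such as `/* Returns the number of bytes NOT copied; n if the source range is rejected. */`. The rest of the function, including its normal return path, is outside the hunk, so I am assuming the new value matches it.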
+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c -@@ -468,8 +468,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, +@@ -475,8 +475,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, wmb(); /* we want to dirty this cache line once */ @@ -49412,7 +49425,7 @@ index 34924df..a747360 100644 .priv_size = sizeof(struct nlmon), .setup = nlmon_setup, diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c -index bdfe51f..e7845c7 100644 +index d551df6..fa4c2df 100644 --- a/drivers/net/phy/phy_device.c +++ b/drivers/net/phy/phy_device.c @@ -218,7 +218,7 @@ EXPORT_SYMBOL(phy_device_create); @@ -68477,7 +68490,7 @@ index bbbe139..b76fae5 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index 922f23e..05e38ae 100644 +index b05c557..4bcc589 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -511,7 +511,7 @@ static void __dentry_kill(struct dentry *dentry) @@ -68670,7 +68683,7 @@ index 922f23e..05e38ae 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3311,7 +3314,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3300,7 +3303,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; @@ -68679,7 +68692,7 @@ index 922f23e..05e38ae 100644 } } return D_WALK_CONTINUE; -@@ -3427,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3416,7 +3419,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -71849,7 +71862,7 @@ index c274aca..772fa5e 100644 static int can_do_hugetlb_shm(void) { diff --git a/fs/inode.c b/fs/inode.c -index f00b16f..b653fea 100644 +index c60671d..9c2eb5f 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -830,16 +830,20 @@ unsigned int get_next_ino(void) @@ -72713,7 +72726,7 @@ index 50a8583..44c470a 100644 out: return len; 
diff --git a/fs/namespace.c b/fs/namespace.c -index 13b0f7b..1ee96e7 100644 +index f07c769..9246b81 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1480,6 +1480,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -72832,7 +72845,7 @@ index 13b0f7b..1ee96e7 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -3238,7 +3262,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) +@@ -3242,7 +3266,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; @@ -95313,10 +95326,10 @@ index 487ef34..d457f98 100644 /* Get the size of a DATA chunk payload. */ diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h -index 2bb2fcf..d17c291 100644 +index 495c87e..5b327ff 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h -@@ -509,7 +509,7 @@ struct sctp_pf { +@@ -513,7 +513,7 @@ struct sctp_pf { void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); struct sctp_af *af; @@ -96784,9 +96797,18 @@ index 72ab759..757deba 100644 s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL; s.backlog_wait_time = audit_backlog_wait_time; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index dc4ae70..2a2bddc 100644 +index dc4ae70..14681ff 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c +@@ -1023,7 +1023,7 @@ static int audit_log_single_execve_arg(struct audit_context *context, + * for strings that are too long, we should not have created + * any. + */ +- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) { ++ if (unlikely(len > MAX_ARG_STRLEN - 1)) { + WARN_ON(1); + send_sig(SIGKILL, current, 0); + return -1; @@ -1955,7 +1955,7 @@ int auditsc_get_stamp(struct audit_context *ctx, } 
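Review bot: Dropping the `len == -1` test in audit_log_single_execve_arg() is only safe if `len` has an unsigned type, because then a wrapped -1 is still rejected by `len > MAX_ARG_STRLEN - 1`. The declaration of `len` is outside the hunk, so this could not be confirmed here. If `len` were ever changed to a signed type, the failure case would pass the check silently and the length would be used by the code that follows. I would record the dependency next to the test, for example `/* len is unsigned: a failed length lookup wraps and is caught by the bound below */`.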
@@ -110068,6 +110090,26 @@ index 8e385a0..a5bdd8e 100644 tty_port_close(&dev->port, tty, filp); } +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index 4096089..c602d26 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -371,6 +371,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br, + if (!p || p->br != br || p->state == BR_STATE_DISABLED) + return -EINVAL; + ++ memset(&ip, 0, sizeof(ip)); + ip.proto = entry->addr.proto; + if (ip.proto == htons(ETH_P_IP)) + ip.u.ip4 = entry->addr.u.ip4; +@@ -417,6 +418,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry) + if (!netif_running(br->dev) || br->multicast_disabled) + return -EINVAL; + ++ memset(&ip, 0, sizeof(ip)); + ip.proto = entry->addr.proto; + if (ip.proto == htons(ETH_P_IP)) { + if (timer_pending(&br->ip4_other_query.timer)) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 4fbcea0..69a6786 100644 --- a/net/bridge/br_netlink.c @@ -110545,51 +110587,10 @@ index 1033725..340f65d 100644 fle->object = flo; else diff --git a/net/core/neighbour.c b/net/core/neighbour.c -index 70fe9e1..c55e69d 100644 +index d0e5d66..c55e69d 100644 --- a/net/core/neighbour.c 
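Review bot: The two added `memset(&ip, 0, sizeof(ip));` calls in __br_mdb_add() and __br_mdb_del() carry no comment saying why the whole structure must be cleared, although the code right after them assigns `ip.proto` and only one member of `ip.u` (`ip.u.ip4` in the visible branch). Presumably `ip` is later compared or hashed as a whole, so the bytes left unset by the IPv4 case must not hold stack residue, but the consumer is outside the hunk. A one-line why-comment keeps a later cleanup from removing the call as redundant, for example `/* clear all of ip, including union bytes the chosen protocol does not set */`. Both function bodies continue past the hunk.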
+++ b/net/core/neighbour.c -@@ -971,6 +971,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) - rc = 0; - if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)) - goto out_unlock_bh; -+ if (neigh->dead) -+ goto out_dead; - - if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) { - if (NEIGH_VAR(neigh->parms, MCAST_PROBES) + -@@ -1027,6 +1029,13 @@ out_unlock_bh: - write_unlock(&neigh->lock); - local_bh_enable(); - return rc; -+ -+out_dead: -+ if (neigh->nud_state & NUD_STALE) -+ goto out_unlock_bh; -+ write_unlock_bh(&neigh->lock); -+ kfree_skb(skb); -+ return 1; - } - EXPORT_SYMBOL(__neigh_event_send); - -@@ -1090,6 +1099,8 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, - if (!(flags & NEIGH_UPDATE_F_ADMIN) && - (old & (NUD_NOARP | NUD_PERMANENT))) - goto out; -+ if (neigh->dead) -+ goto out; - - if (!(new & NUD_VALID)) { - neigh_del_timer(neigh); -@@ -1239,6 +1250,8 @@ EXPORT_SYMBOL(neigh_update); - */ - void __neigh_set_probe_once(struct neighbour *neigh) - { -+ if (neigh->dead) -+ return; - neigh->updated = jiffies; - if (!(neigh->nud_state & NUD_FAILED)) - return; -@@ -2806,7 +2819,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write, +@@ -2819,7 +2819,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { int size, ret; @@ -110598,7 +110599,7 @@ index 70fe9e1..c55e69d 100644 tmp.extra1 = &zero; tmp.extra2 = &unres_qlen_max; -@@ -2868,7 +2881,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write, +@@ -2881,7 +2881,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -110835,7 +110836,7 @@ index 3b6899b..cf36238 100644 { struct socket *sock; diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index e9f9a15..6eb024e 100644 +index 1e3abb8..d751ebd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c 
@@ -2139,7 +2139,7 @@ EXPORT_SYMBOL(__skb_checksum); @@ -110865,7 +110866,7 @@ index e9f9a15..6eb024e 100644 } diff --git a/net/core/sock.c b/net/core/sock.c -index 71e3e5f..ab90920 100644 +index c77d5d2..c1d6a84 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -443,7 +443,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -111263,10 +111264,10 @@ index f46e4d1..30231f1 100644 return -ENOMEM; } diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index d2e49ba..f78e8aa 100644 +index 61edc49..99991a4 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c -@@ -1390,7 +1390,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) +@@ -1392,7 +1392,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) return ip_recv_error(sk, msg, len, addr_len); #if IS_ENABLED(CONFIG_IPV6) if (sk->sk_family == AF_INET6) @@ -111577,10 +111578,10 @@ index 3d4da2c..40f9c29 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 5cd9927..8610b9f 100644 +index d9e8ff3..a70a150 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1254,7 +1254,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1263,7 +1263,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -111590,7 +111591,7 @@ index 5cd9927..8610b9f 100644 return -EFAULT; return 0; } -@@ -1388,7 +1389,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1397,7 +1398,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -112110,7 +112111,7 @@ index d151539..5f5e247 100644 goto err_reg; diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 995a225..e1e9183 100644 +index d03a344..f3bbb71 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c 
@@ -520,8 +520,10 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait) @@ -112632,10 +112633,10 @@ index e8c4400..a4cd5da 100644 err = ipv6_init_mibs(net); if (err) diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index ace8dac..bd6942d 100644 +index d174b91..34801a1 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c -@@ -957,5 +957,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, +@@ -967,5 +967,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -114418,7 +114419,7 @@ index bc85331..0d3dce0 100644 /** * struct vport_portids - array of netlink portids of a vport. diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index f8db706..0e29f8f 100644 +index bfe5c69..24c3a37 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -269,7 +269,7 @@ static int packet_direct_xmit(struct sk_buff *skb) 
@@ -114430,40 +114431,7 @@ index f8db706..0e29f8f 100644 kfree_skb(skb); return NET_XMIT_DROP; } -@@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct sock *sk) - sk_refcnt_debug_dec(sk); - } - --static int fanout_rr_next(struct packet_fanout *f, unsigned int num) --{ -- int x = atomic_read(&f->rr_cur) + 1; -- -- if (x >= num) -- x = 0; -- -- return x; --} -- - static unsigned int fanout_demux_hash(struct packet_fanout *f, - struct sk_buff *skb, - unsigned int num) -@@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f, - struct sk_buff *skb, - unsigned int num) - { -- int cur, old; -+ unsigned int val = atomic_inc_return(&f->rr_cur); - -- cur = atomic_read(&f->rr_cur); -- while ((old = atomic_cmpxchg(&f->rr_cur, cur, -- fanout_rr_next(f, num))) != cur) -- cur = old; -- return cur; -+ return val % num; - } - - static unsigned int fanout_demux_cpu(struct packet_fanout *f, -@@ -1847,7 +1833,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1833,7 +1833,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_packets++; @@ -114472,7 +114440,7 @@ index f8db706..0e29f8f 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk); -@@ -1856,7 +1842,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1842,7 +1842,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_drops++; @@ -114481,7 +114449,7 @@ index f8db706..0e29f8f 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3499,7 +3485,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3485,7 +3485,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); 
@@ -114490,7 +114458,7 @@ index f8db706..0e29f8f 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3545,7 +3531,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3531,7 +3531,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -115196,10 +115164,10 @@ index fef2acd..c705c4f 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index aafe94b..40b016f 100644 +index 4e56571..f5cf113 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -2205,11 +2205,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -2207,11 +2207,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; @@ -115214,7 +115182,7 @@ index aafe94b..40b016f 100644 if (sctp_sk(sk)->subscribe.sctp_data_io_event) pr_warn_ratelimited(DEPRECATED "%s (pid %d) " -@@ -4378,13 +4380,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4392,13 +4394,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -115232,7 +115200,7 @@ index aafe94b..40b016f 100644 return -EFAULT; return 0; } -@@ -4402,6 +4407,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4416,6 +4421,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { 
@@ -115241,7 +115209,7 @@ index aafe94b..40b016f 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4410,7 +4417,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4424,7 +4431,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -115251,7 +115219,7 @@ index aafe94b..40b016f 100644 return -EFAULT; return 0; } -@@ -4784,12 +4792,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4798,12 +4806,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -115268,7 +115236,7 @@ index aafe94b..40b016f 100644 return -EFAULT; return 0; } -@@ -4830,6 +4841,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4844,6 +4855,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, ->addr_to_user(sp, &temp); if (space_left < addrlen) return -ENOMEM; @@ -115967,6 +115935,18 @@ index ce9121e..fd1fcce 100644 err = __tipc_nl_compat_dumpit(&dump, msg, args); kfree_skb(args); +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index b4d4467..afb49d4 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2071,6 +2071,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags) + res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1); + if (res) + goto exit; ++ security_sk_clone(sock->sk, new_sock->sk); + + new_sk = new_sock->sk; + new_tsock = tipc_sk(new_sk); diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c index 72c339e..a93593a 100644 --- a/net/tipc/subscr.c @@ -118425,10 +118405,20 @@ index afcc0ae..71f0525 100644 lock = &avc_cache.slots_lock[hvalue]; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 4d1a541..4d87c9b 100644 +index 2588e08..271f042 100644 
--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -5862,7 +5862,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) +@@ -3295,7 +3295,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared + int rc = 0; + + if (default_noexec && +- (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { ++ (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || ++ (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will also be writable. +@@ -5863,7 +5864,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif @@ -118438,7 +118428,7 @@ index 4d1a541..4d87c9b 100644 .name = "selinux", .binder_set_context_mgr = selinux_binder_set_context_mgr, -@@ -6208,6 +6209,9 @@ static void selinux_nf_ip_exit(void) +@@ -6209,6 +6211,9 @@ static void selinux_nf_ip_exit(void) #ifdef CONFIG_SECURITY_SELINUX_DISABLE static int selinux_disabled; @@ -118448,7 +118438,7 @@ index 4d1a541..4d87c9b 100644 int selinux_disable(void) { if (ss_initialized) { -@@ -6225,7 +6229,9 @@ int selinux_disable(void) +@@ -6226,7 +6231,9 @@ int selinux_disable(void) selinux_disabled = 1; selinux_enabled = 0; diff --git a/4.0.7/4425_grsec_remove_EI_PAX.patch b/4.0.8/4425_grsec_remove_EI_PAX.patch index a80a5d7..a80a5d7 100644 --- a/4.0.7/4425_grsec_remove_EI_PAX.patch +++ b/4.0.8/4425_grsec_remove_EI_PAX.patch diff --git a/4.0.7/4427_force_XATTR_PAX_tmpfs.patch b/4.0.8/4427_force_XATTR_PAX_tmpfs.patch index a789f0b..a789f0b 100644 --- a/4.0.7/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.0.8/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.0.7/4430_grsec-remove-localversion-grsec.patch b/4.0.8/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.0.7/4430_grsec-remove-localversion-grsec.patch +++ b/4.0.8/4430_grsec-remove-localversion-grsec.patch 
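Review bot: The comment under the condition in file_map_prot_check() still describes only "an anonymous mapping or a private file mapping that will also be writable", but the added `IS_PRIVATE(file_inode(file))` term sends a third case down the same check. A reader auditing why an executable mapping was subjected to that check will not find the private-inode case explained. I would extend the comment with a clause such as `* or a mapping of a file whose inode is marked private,`. The `!file ||` term ahead of it keeps `file_inode()` from being reached with a NULL file, so the ordering of the three terms should be kept as it is. The comment and the body continue outside the hunk.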
diff --git a/4.0.7/4435_grsec-mute-warnings.patch b/4.0.8/4435_grsec-mute-warnings.patch index b7564e4..b7564e4 100644 --- a/4.0.7/4435_grsec-mute-warnings.patch +++ b/4.0.8/4435_grsec-mute-warnings.patch diff --git a/4.0.7/4440_grsec-remove-protected-paths.patch b/4.0.8/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.0.7/4440_grsec-remove-protected-paths.patch +++ b/4.0.8/4440_grsec-remove-protected-paths.patch diff --git a/4.0.7/4450_grsec-kconfig-default-gids.patch b/4.0.8/4450_grsec-kconfig-default-gids.patch index 61d903e..61d903e 100644 --- a/4.0.7/4450_grsec-kconfig-default-gids.patch +++ b/4.0.8/4450_grsec-kconfig-default-gids.patch diff --git a/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch b/4.0.8/4465_selinux-avc_audit-log-curr_ip.patch index ba89596..ba89596 100644 --- a/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.0.8/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.0.7/4470_disable-compat_vdso.patch b/4.0.8/4470_disable-compat_vdso.patch index 7aefa02..7aefa02 100644 --- a/4.0.7/4470_disable-compat_vdso.patch +++ b/4.0.8/4470_disable-compat_vdso.patch diff --git a/4.0.7/4475_emutramp_default_on.patch b/4.0.8/4475_emutramp_default_on.patch index a128205..a128205 100644 --- a/4.0.7/4475_emutramp_default_on.patch +++ b/4.0.8/4475_emutramp_default_on.patch |