authorAnthony G. Basile <blueness@gentoo.org>2016-01-20 04:26:30 -0500
committerAnthony G. Basile <blueness@gentoo.org>2016-01-20 04:26:30 -0500
commitc1427968c417e8fd39dac067208595ecd483e716 (patch)
tree19439607574c86ef8bc999f3e70681a5796f8efe
parentgrsecurity-3.1-4.3.3-201601171913 (diff)
grsecurity-3.1-4.3.3-20160119222620160119
-rw-r--r--4.3.3/0000_README2
-rw-r--r--4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch (renamed from 4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch)939
2 files changed, 916 insertions, 25 deletions
diff --git a/4.3.3/0000_README b/4.3.3/0000_README
index 737c59b..a2a51bf 100644
--- a/4.3.3/0000_README
+++ b/4.3.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.3.3-201601171913.patch
+Patch: 4420_grsecurity-3.1-4.3.3-201601192226.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch b/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch
index c47605c..e9f29bb 100644
--- a/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
+++ b/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch
@@ -78014,19 +78014,386 @@ index 4d24d17..4f8c09e 100644
/*
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
-index 48851f6..6c79d32 100644
+index 48851f6..d6c96e5 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
-@@ -622,7 +622,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
+@@ -58,6 +58,8 @@
+ #include <linux/atalk.h>
+ #include <linux/gfp.h>
+
++#include "internal.h"
++
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/hci_sock.h>
+ #include <net/bluetooth/rfcomm.h>
+@@ -115,19 +117,38 @@
+ #include <asm/fbio.h>
+ #endif
+
+-static int w_long(unsigned int fd, unsigned int cmd,
+- compat_ulong_t __user *argp)
++#define convert_in_user(srcptr, dstptr) \
++({ \
++ typeof(*srcptr) val; \
++ \
++ get_user(val, srcptr) || put_user(val, dstptr); \
++})
++
++static int do_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
+- mm_segment_t old_fs = get_fs();
+ int err;
+- unsigned long val;
+
+- set_fs (KERNEL_DS);
+- err = sys_ioctl(fd, cmd, (unsigned long)&val);
+- set_fs (old_fs);
+- if (!err && put_user(val, argp))
++ err = security_file_ioctl(file, cmd, arg);
++ if (err)
++ return err;
++
++ return vfs_ioctl(file, cmd, arg);
++}
++
++static int w_long(struct file *file,
++ unsigned int cmd, compat_ulong_t __user *argp)
++{
++ int err;
++ unsigned long __user *valp = compat_alloc_user_space(sizeof(*valp));
++
++ if (valp == NULL)
++ return -EFAULT;
++ err = do_ioctl(file, cmd, (unsigned long)valp);
++ if (err)
++ return err;
++ if (convert_in_user(valp, argp))
+ return -EFAULT;
+- return err;
++ return 0;
+ }
+
+ struct compat_video_event {
+@@ -139,23 +160,23 @@ struct compat_video_event {
+ } u;
+ };
+
+-static int do_video_get_event(unsigned int fd, unsigned int cmd,
+- struct compat_video_event __user *up)
++static int do_video_get_event(struct file *file,
++ unsigned int cmd, struct compat_video_event __user *up)
+ {
+- struct video_event kevent;
+- mm_segment_t old_fs = get_fs();
++ struct video_event __user *kevent =
++ compat_alloc_user_space(sizeof(*kevent));
+ int err;
+
+- set_fs(KERNEL_DS);
+- err = sys_ioctl(fd, cmd, (unsigned long) &kevent);
+- set_fs(old_fs);
++ if (kevent == NULL)
++ return -EFAULT;
+
++ err = do_ioctl(file, cmd, (unsigned long)kevent);
+ if (!err) {
+- err = put_user(kevent.type, &up->type);
+- err |= put_user(kevent.timestamp, &up->timestamp);
+- err |= put_user(kevent.u.size.w, &up->u.size.w);
+- err |= put_user(kevent.u.size.h, &up->u.size.h);
+- err |= put_user(kevent.u.size.aspect_ratio,
++ err = convert_in_user(&kevent->type, &up->type);
++ err |= convert_in_user(&kevent->timestamp, &up->timestamp);
++ err |= convert_in_user(&kevent->u.size.w, &up->u.size.w);
++ err |= convert_in_user(&kevent->u.size.h, &up->u.size.h);
++ err |= convert_in_user(&kevent->u.size.aspect_ratio,
+ &up->u.size.aspect_ratio);
+ if (err)
+ err = -EFAULT;
+@@ -169,8 +190,8 @@ struct compat_video_still_picture {
+ int32_t size;
+ };
+
+-static int do_video_stillpicture(unsigned int fd, unsigned int cmd,
+- struct compat_video_still_picture __user *up)
++static int do_video_stillpicture(struct file *file,
++ unsigned int cmd, struct compat_video_still_picture __user *up)
+ {
+ struct video_still_picture __user *up_native;
+ compat_uptr_t fp;
+@@ -190,7 +211,7 @@ static int do_video_stillpicture(unsigned int fd, unsigned int cmd,
+ if (err)
+ return -EFAULT;
+
+- err = sys_ioctl(fd, cmd, (unsigned long) up_native);
++ err = do_ioctl(file, cmd, (unsigned long) up_native);
+
+ return err;
+ }
+@@ -200,8 +221,8 @@ struct compat_video_spu_palette {
+ compat_uptr_t palette;
+ };
+
+-static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd,
+- struct compat_video_spu_palette __user *up)
++static int do_video_set_spu_palette(struct file *file,
++ unsigned int cmd, struct compat_video_spu_palette __user *up)
+ {
+ struct video_spu_palette __user *up_native;
+ compat_uptr_t palp;
+@@ -218,7 +239,7 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd,
+ if (err)
+ return -EFAULT;
+
+- err = sys_ioctl(fd, cmd, (unsigned long) up_native);
++ err = do_ioctl(file, cmd, (unsigned long) up_native);
+
+ return err;
+ }
+@@ -276,7 +297,7 @@ static int sg_build_iovec(sg_io_hdr_t __user *sgio, void __user *dxferp, u16 iov
+ return 0;
+ }
+
+-static int sg_ioctl_trans(unsigned int fd, unsigned int cmd,
++static int sg_ioctl_trans(struct file *file, unsigned int cmd,
+ sg_io_hdr32_t __user *sgio32)
+ {
+ sg_io_hdr_t __user *sgio;
+@@ -289,7 +310,7 @@ static int sg_ioctl_trans(unsigned int fd, unsigned int cmd,
+ if (get_user(interface_id, &sgio32->interface_id))
+ return -EFAULT;
+ if (interface_id != 'S')
+- return sys_ioctl(fd, cmd, (unsigned long)sgio32);
++ return do_ioctl(file, cmd, (unsigned long)sgio32);
+
+ if (get_user(iovec_count, &sgio32->iovec_count))
+ return -EFAULT;
+@@ -349,7 +370,7 @@ static int sg_ioctl_trans(unsigned int fd, unsigned int cmd,
+ if (put_user(compat_ptr(data), &sgio->usr_ptr))
+ return -EFAULT;
+
+- err = sys_ioctl(fd, cmd, (unsigned long) sgio);
++ err = do_ioctl(file, cmd, (unsigned long) sgio);
+
+ if (err >= 0) {
+ void __user *datap;
+@@ -380,13 +401,13 @@ struct compat_sg_req_info { /* used by SG_GET_REQUEST_TABLE ioctl() */
+ int unused;
+ };
+
+-static int sg_grt_trans(unsigned int fd, unsigned int cmd, struct
+- compat_sg_req_info __user *o)
++static int sg_grt_trans(struct file *file,
++ unsigned int cmd, struct compat_sg_req_info __user *o)
+ {
+ int err, i;
+ sg_req_info_t __user *r;
+ r = compat_alloc_user_space(sizeof(sg_req_info_t)*SG_MAX_QUEUE);
+- err = sys_ioctl(fd,cmd,(unsigned long)r);
++ err = do_ioctl(file, cmd, (unsigned long)r);
+ if (err < 0)
+ return err;
+ for (i = 0; i < SG_MAX_QUEUE; i++) {
+@@ -412,8 +433,8 @@ struct sock_fprog32 {
+ #define PPPIOCSPASS32 _IOW('t', 71, struct sock_fprog32)
+ #define PPPIOCSACTIVE32 _IOW('t', 70, struct sock_fprog32)
+
+-static int ppp_sock_fprog_ioctl_trans(unsigned int fd, unsigned int cmd,
+- struct sock_fprog32 __user *u_fprog32)
++static int ppp_sock_fprog_ioctl_trans(struct file *file,
++ unsigned int cmd, struct sock_fprog32 __user *u_fprog32)
+ {
+ struct sock_fprog __user *u_fprog64 = compat_alloc_user_space(sizeof(struct sock_fprog));
+ void __user *fptr64;
+@@ -435,7 +456,7 @@ static int ppp_sock_fprog_ioctl_trans(unsigned int fd, unsigned int cmd,
+ else
+ cmd = PPPIOCSACTIVE;
+
+- return sys_ioctl(fd, cmd, (unsigned long) u_fprog64);
++ return do_ioctl(file, cmd, (unsigned long) u_fprog64);
+ }
+
+ struct ppp_option_data32 {
+@@ -451,7 +472,7 @@ struct ppp_idle32 {
+ };
+ #define PPPIOCGIDLE32 _IOR('t', 63, struct ppp_idle32)
+
+-static int ppp_gidle(unsigned int fd, unsigned int cmd,
++static int ppp_gidle(struct file *file, unsigned int cmd,
+ struct ppp_idle32 __user *idle32)
+ {
+ struct ppp_idle __user *idle;
+@@ -460,7 +481,7 @@ static int ppp_gidle(unsigned int fd, unsigned int cmd,
+
+ idle = compat_alloc_user_space(sizeof(*idle));
+
+- err = sys_ioctl(fd, PPPIOCGIDLE, (unsigned long) idle);
++ err = do_ioctl(file, PPPIOCGIDLE, (unsigned long) idle);
+
+ if (!err) {
+ if (get_user(xmit, &idle->xmit_idle) ||
+@@ -472,7 +493,7 @@ static int ppp_gidle(unsigned int fd, unsigned int cmd,
+ return err;
+ }
+
+-static int ppp_scompress(unsigned int fd, unsigned int cmd,
++static int ppp_scompress(struct file *file, unsigned int cmd,
+ struct ppp_option_data32 __user *odata32)
+ {
+ struct ppp_option_data __user *odata;
+@@ -492,7 +513,7 @@ static int ppp_scompress(unsigned int fd, unsigned int cmd,
+ sizeof(__u32) + sizeof(int)))
+ return -EFAULT;
+
+- return sys_ioctl(fd, PPPIOCSCOMPRESS, (unsigned long) odata);
++ return do_ioctl(file, PPPIOCSCOMPRESS, (unsigned long) odata);
+ }
+
+ #ifdef CONFIG_BLOCK
+@@ -512,12 +533,13 @@ struct mtpos32 {
+ };
+ #define MTIOCPOS32 _IOR('m', 3, struct mtpos32)
+
+-static int mt_ioctl_trans(unsigned int fd, unsigned int cmd, void __user *argp)
++static int mt_ioctl_trans(struct file *file,
++ unsigned int cmd, void __user *argp)
+ {
+- mm_segment_t old_fs = get_fs();
+- struct mtget get;
++ /* NULL initialization to make gcc shut up */
++ struct mtget __user *get = NULL;
+ struct mtget32 __user *umget32;
+- struct mtpos pos;
++ struct mtpos __user *pos = NULL;
+ struct mtpos32 __user *upos32;
+ unsigned long kcmd;
+ void *karg;
+@@ -526,32 +548,34 @@ static int mt_ioctl_trans(unsigned int fd, unsigned int cmd, void __user *argp)
+ switch(cmd) {
+ case MTIOCPOS32:
+ kcmd = MTIOCPOS;
+- karg = &pos;
++ pos = compat_alloc_user_space(sizeof(*pos));
++ karg = pos;
+ break;
+ default: /* MTIOCGET32 */
+ kcmd = MTIOCGET;
+- karg = &get;
++ get = compat_alloc_user_space(sizeof(*get));
++ karg = get;
+ break;
+ }
+- set_fs (KERNEL_DS);
+- err = sys_ioctl (fd, kcmd, (unsigned long)karg);
+- set_fs (old_fs);
++ if (karg == NULL)
++ return -EFAULT;
++ err = do_ioctl(file, kcmd, (unsigned long)karg);
+ if (err)
+ return err;
+ switch (cmd) {
+ case MTIOCPOS32:
+ upos32 = argp;
+- err = __put_user(pos.mt_blkno, &upos32->mt_blkno);
++ err = convert_in_user(&pos->mt_blkno, &upos32->mt_blkno);
+ break;
+ case MTIOCGET32:
+ umget32 = argp;
+- err = __put_user(get.mt_type, &umget32->mt_type);
+- err |= __put_user(get.mt_resid, &umget32->mt_resid);
+- err |= __put_user(get.mt_dsreg, &umget32->mt_dsreg);
+- err |= __put_user(get.mt_gstat, &umget32->mt_gstat);
+- err |= __put_user(get.mt_erreg, &umget32->mt_erreg);
+- err |= __put_user(get.mt_fileno, &umget32->mt_fileno);
+- err |= __put_user(get.mt_blkno, &umget32->mt_blkno);
++ err = convert_in_user(&get->mt_type, &umget32->mt_type);
++ err |= convert_in_user(&get->mt_resid, &umget32->mt_resid);
++ err |= convert_in_user(&get->mt_dsreg, &umget32->mt_dsreg);
++ err |= convert_in_user(&get->mt_gstat, &umget32->mt_gstat);
++ err |= convert_in_user(&get->mt_erreg, &umget32->mt_erreg);
++ err |= convert_in_user(&get->mt_fileno, &umget32->mt_fileno);
++ err |= convert_in_user(&get->mt_blkno, &umget32->mt_blkno);
+ break;
+ }
+ return err ? -EFAULT: 0;
+@@ -605,42 +629,41 @@ struct serial_struct32 {
+ compat_int_t reserved[1];
+ };
+
+-static int serial_struct_ioctl(unsigned fd, unsigned cmd,
+- struct serial_struct32 __user *ss32)
++static int serial_struct_ioctl(struct file *file,
++ unsigned cmd, struct serial_struct32 __user *ss32)
+ {
+ typedef struct serial_struct32 SS32;
+ int err;
+- struct serial_struct ss;
+- mm_segment_t oldseg = get_fs();
++ struct serial_struct __user *ss = compat_alloc_user_space(sizeof(*ss));
+ __u32 udata;
+ unsigned int base;
++ unsigned char *iomem_base;
+
++ if (ss == NULL)
++ return -EFAULT;
+ if (cmd == TIOCSSERIAL) {
+- if (!access_ok(VERIFY_READ, ss32, sizeof(SS32)))
+- return -EFAULT;
+- if (__copy_from_user(&ss, ss32, offsetof(SS32, iomem_base)))
++ if (copy_in_user(ss, ss32, offsetof(SS32, iomem_base)) ||
++ get_user(udata, &ss32->iomem_base))
return -EFAULT;
- if (__get_user(udata, &ss32->iomem_base))
+- if (__get_user(udata, &ss32->iomem_base))
++ iomem_base = compat_ptr(udata);
++ if (put_user(iomem_base, &ss->iomem_base) ||
++ convert_in_user(&ss32->iomem_reg_shift,
++ &ss->iomem_reg_shift) ||
++ convert_in_user(&ss32->port_high, &ss->port_high) ||
++ put_user(0UL, &ss->iomap_base))
return -EFAULT;
- ss.iomem_base = compat_ptr(udata);
-+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
- if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
- __get_user(ss.port_high, &ss32->port_high))
+- if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+- __get_user(ss.port_high, &ss32->port_high))
+- return -EFAULT;
+- ss.iomap_base = 0UL;
+ }
+- set_fs(KERNEL_DS);
+- err = sys_ioctl(fd,cmd,(unsigned long)(&ss));
+- set_fs(oldseg);
++ err = do_ioctl(file, cmd, (unsigned long)ss);
+ if (cmd == TIOCGSERIAL && err >= 0) {
+- if (!access_ok(VERIFY_WRITE, ss32, sizeof(SS32)))
+- return -EFAULT;
+- if (__copy_to_user(ss32,&ss,offsetof(SS32,iomem_base)))
++ if (copy_in_user(ss32, ss, offsetof(SS32, iomem_base)) ||
++ get_user(iomem_base, &ss->iomem_base))
+ return -EFAULT;
+- base = (unsigned long)ss.iomem_base >> 32 ?
+- 0xffffffff : (unsigned)(unsigned long)ss.iomem_base;
+- if (__put_user(base, &ss32->iomem_base) ||
+- __put_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+- __put_user(ss.port_high, &ss32->port_high))
++ base = (unsigned long)iomem_base >> 32 ?
++ 0xffffffff : (unsigned)(unsigned long)iomem_base;
++ if (put_user(base, &ss32->iomem_base) ||
++ convert_in_user(&ss->iomem_reg_shift,
++ &ss32->iomem_reg_shift) ||
++ convert_in_user(&ss->port_high, &ss32->port_high))
return -EFAULT;
-@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
+ }
+ return err;
+@@ -674,8 +697,8 @@ struct i2c_rdwr_aligned {
+ struct i2c_msg msgs[0];
+ };
+
+-static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
+- struct i2c_rdwr_ioctl_data32 __user *udata)
++static int do_i2c_rdwr_ioctl(struct file *file,
++ unsigned int cmd, struct i2c_rdwr_ioctl_data32 __user *udata)
+ {
+ struct i2c_rdwr_aligned __user *tdata;
+ struct i2c_msg __user *tmsgs;
+@@ -704,15 +727,15 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
for (i = 0; i < nmsgs; i++) {
if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
return -EFAULT;
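Review bot: The `convert_in_user()` macro added to fs/compat_ioctl.c evaluates to the truth value of `get_user(val, srcptr) || put_user(val, dstptr)`, so it yields 0 or 1 and never an errno, and nothing at the definition says so. `val` takes the type of `*srcptr` and `put_user()` then stores it with the destination's type, so `w_long()` silently narrows an `unsigned long` to `compat_ulong_t`. I would put a comment above the macro, `/* Copy one scalar between two user pointers via a kernel temporary; evaluates to non-zero (not -EFAULT) on fault and converts to the destination type. */`, and parenthesize the argument as `typeof(*(srcptr)) val;`.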
@@ -78036,8 +78403,67 @@ index 48851f6..6c79d32 100644
+ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
return -EFAULT;
}
- return sys_ioctl(fd, cmd, (unsigned long)tdata);
-@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
+- return sys_ioctl(fd, cmd, (unsigned long)tdata);
++ return do_ioctl(file, cmd, (unsigned long)tdata);
+ }
+
+-static int do_i2c_smbus_ioctl(unsigned int fd, unsigned int cmd,
+- struct i2c_smbus_ioctl_data32 __user *udata)
++static int do_i2c_smbus_ioctl(struct file *file,
++ unsigned int cmd, struct i2c_smbus_ioctl_data32 __user *udata)
+ {
+ struct i2c_smbus_ioctl_data __user *tdata;
+ compat_caddr_t datap;
+@@ -734,7 +757,7 @@ static int do_i2c_smbus_ioctl(unsigned int fd, unsigned int cmd,
+ __put_user(compat_ptr(datap), &tdata->data))
+ return -EFAULT;
+
+- return sys_ioctl(fd, cmd, (unsigned long)tdata);
++ return do_ioctl(file, cmd, (unsigned long)tdata);
+ }
+
+ #define RTC_IRQP_READ32 _IOR('p', 0x0b, compat_ulong_t)
+@@ -742,29 +765,27 @@ static int do_i2c_smbus_ioctl(unsigned int fd, unsigned int cmd,
+ #define RTC_EPOCH_READ32 _IOR('p', 0x0d, compat_ulong_t)
+ #define RTC_EPOCH_SET32 _IOW('p', 0x0e, compat_ulong_t)
+
+-static int rtc_ioctl(unsigned fd, unsigned cmd, void __user *argp)
++static int rtc_ioctl(struct file *file,
++ unsigned cmd, void __user *argp)
+ {
+- mm_segment_t oldfs = get_fs();
+- compat_ulong_t val32;
+- unsigned long kval;
++ unsigned long __user *valp = compat_alloc_user_space(sizeof(*valp));
+ int ret;
+
++ if (valp == NULL)
++ return -EFAULT;
+ switch (cmd) {
+ case RTC_IRQP_READ32:
+ case RTC_EPOCH_READ32:
+- set_fs(KERNEL_DS);
+- ret = sys_ioctl(fd, (cmd == RTC_IRQP_READ32) ?
++ ret = do_ioctl(file, (cmd == RTC_IRQP_READ32) ?
+ RTC_IRQP_READ : RTC_EPOCH_READ,
+- (unsigned long)&kval);
+- set_fs(oldfs);
++ (unsigned long)valp);
+ if (ret)
+ return ret;
+- val32 = kval;
+- return put_user(val32, (unsigned int __user *)argp);
++ return convert_in_user(valp, (unsigned int __user *)argp);
+ case RTC_IRQP_SET32:
+- return sys_ioctl(fd, RTC_IRQP_SET, (unsigned long)argp);
++ return do_ioctl(file, RTC_IRQP_SET, (unsigned long)argp);
+ case RTC_EPOCH_SET32:
+- return sys_ioctl(fd, RTC_EPOCH_SET, (unsigned long)argp);
++ return do_ioctl(file, RTC_EPOCH_SET, (unsigned long)argp);
+ }
+
+ return -ENOIOCTLCMD;
+@@ -798,7 +819,7 @@ static int compat_ioctl_preallocate(struct file *file,
copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
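Review bot: In the new `rtc_ioctl()`, the `RTC_IRQP_READ32`/`RTC_EPOCH_READ32` branch ends with `return convert_in_user(valp, (unsigned int __user *)argp);`, so a faulting copy returns 1 to the caller instead of `-EFAULT`. The macro, defined earlier in this patch as `get_user(val, srcptr) || put_user(val, dstptr)`, evaluates to 0 or 1, whereas the removed code returned `put_user()`'s result directly. The other converted helpers test the macro and return `-EFAULT` themselves; this one should do the same with `if (convert_in_user(valp, (unsigned int __user *)argp)) return -EFAULT;` followed by `return 0;`.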
@@ -78046,7 +78472,94 @@ index 48851f6..6c79d32 100644
return -EFAULT;
return ioctl_preallocate(file, p);
-@@ -1621,8 +1621,8 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
+@@ -1436,53 +1457,53 @@ IGNORE_IOCTL(FBIOGCURSOR32)
+ * a compat_ioctl operation in the place that handleѕ the
+ * ioctl for the native case.
+ */
+-static long do_ioctl_trans(int fd, unsigned int cmd,
++static long do_ioctl_trans(unsigned int cmd,
+ unsigned long arg, struct file *file)
+ {
+ void __user *argp = compat_ptr(arg);
+
+ switch (cmd) {
+ case PPPIOCGIDLE32:
+- return ppp_gidle(fd, cmd, argp);
++ return ppp_gidle(file, cmd, argp);
+ case PPPIOCSCOMPRESS32:
+- return ppp_scompress(fd, cmd, argp);
++ return ppp_scompress(file, cmd, argp);
+ case PPPIOCSPASS32:
+ case PPPIOCSACTIVE32:
+- return ppp_sock_fprog_ioctl_trans(fd, cmd, argp);
++ return ppp_sock_fprog_ioctl_trans(file, cmd, argp);
+ #ifdef CONFIG_BLOCK
+ case SG_IO:
+- return sg_ioctl_trans(fd, cmd, argp);
++ return sg_ioctl_trans(file, cmd, argp);
+ case SG_GET_REQUEST_TABLE:
+- return sg_grt_trans(fd, cmd, argp);
++ return sg_grt_trans(file, cmd, argp);
+ case MTIOCGET32:
+ case MTIOCPOS32:
+- return mt_ioctl_trans(fd, cmd, argp);
++ return mt_ioctl_trans(file, cmd, argp);
+ #endif
+ /* Serial */
+ case TIOCGSERIAL:
+ case TIOCSSERIAL:
+- return serial_struct_ioctl(fd, cmd, argp);
++ return serial_struct_ioctl(file, cmd, argp);
+ /* i2c */
+ case I2C_FUNCS:
+- return w_long(fd, cmd, argp);
++ return w_long(file, cmd, argp);
+ case I2C_RDWR:
+- return do_i2c_rdwr_ioctl(fd, cmd, argp);
++ return do_i2c_rdwr_ioctl(file, cmd, argp);
+ case I2C_SMBUS:
+- return do_i2c_smbus_ioctl(fd, cmd, argp);
++ return do_i2c_smbus_ioctl(file, cmd, argp);
+ /* Not implemented in the native kernel */
+ case RTC_IRQP_READ32:
+ case RTC_IRQP_SET32:
+ case RTC_EPOCH_READ32:
+ case RTC_EPOCH_SET32:
+- return rtc_ioctl(fd, cmd, argp);
++ return rtc_ioctl(file, cmd, argp);
+
+ /* dvb */
+ case VIDEO_GET_EVENT:
+- return do_video_get_event(fd, cmd, argp);
++ return do_video_get_event(file, cmd, argp);
+ case VIDEO_STILLPICTURE:
+- return do_video_stillpicture(fd, cmd, argp);
++ return do_video_stillpicture(file, cmd, argp);
+ case VIDEO_SET_SPU_PALETTE:
+- return do_video_set_spu_palette(fd, cmd, argp);
++ return do_video_set_spu_palette(file, cmd, argp);
+ }
+
+ /*
+@@ -1513,7 +1534,7 @@ static long do_ioctl_trans(int fd, unsigned int cmd,
+ case NBD_SET_BLKSIZE:
+ case NBD_SET_SIZE:
+ case NBD_SET_SIZE_BLOCKS:
+- return do_vfs_ioctl(file, fd, cmd, arg);
++ return vfs_ioctl(file, cmd, arg);
+ }
+
+ return -ENOIOCTLCMD;
+@@ -1602,7 +1623,7 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
+ if (compat_ioctl_check_table(XFORM(cmd)))
+ goto found_handler;
+
+- error = do_ioctl_trans(fd, cmd, arg, f.file);
++ error = do_ioctl_trans(cmd, arg, f.file);
+ if (error == -ENOIOCTLCMD)
+ error = -ENOTTY;
+
+@@ -1621,8 +1642,8 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
{
unsigned int a, b;
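Review bot: The pass-through cases near the end of `do_ioctl_trans()` now call `vfs_ioctl(file, cmd, arg)` directly, while every translated handler goes through the new `do_ioctl()`, which runs `security_file_ioctl()` first; the call site does not explain the difference. Presumably the syscall entry point has already run the hook for the same untranslated `cmd`, but that code is outside this hunk. A one-line comment such as `/* cmd/arg unchanged: LSM hook already ran at syscall entry, so do_ioctl() is not needed */` would record the reasoning, if it holds. Separately, `do_ioctl_trans()` keeps `struct file *file` as its last parameter while the helpers it dispatches to now take it first.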
@@ -79437,6 +79950,19 @@ index fd1f28b..eb832cf 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 7f486e3..2d61649 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -862,7 +862,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
+ struct ext4_extent_header *eh;
+ struct buffer_head *bh;
+ struct ext4_ext_path *path = orig_path ? *orig_path : NULL;
+- short int depth, i, ppos = 0;
++ int depth, i, ppos = 0;
+ int ret;
+
+ eh = ext_inode_hdr(inode);
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 34b610e..ecc47cb 100644
--- a/fs/ext4/mballoc.c
@@ -81629,6 +82155,43 @@ index 78a17b8..fb43210 100644
*p = res;
put_cpu_var(last_ino);
return res;
+diff --git a/fs/internal.h b/fs/internal.h
+index 71859c4d..e38c08c 100644
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -151,3 +151,10 @@ extern void mnt_pin_kill(struct mount *m);
+ * fs/nsfs.c
+ */
+ extern struct dentry_operations ns_dentry_operations;
++
++/*
++ * fs/ioctl.c
++ */
++extern int do_vfs_ioctl(struct file *file, unsigned int fd, unsigned int cmd,
++ unsigned long arg);
++extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+diff --git a/fs/ioctl.c b/fs/ioctl.c
+index 5d01d26..41c352e 100644
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -15,6 +15,7 @@
+ #include <linux/writeback.h>
+ #include <linux/buffer_head.h>
+ #include <linux/falloc.h>
++#include "internal.h"
+
+ #include <asm/ioctls.h>
+
+@@ -32,8 +33,7 @@
+ *
+ * Returns 0 on success, -errno on error.
+ */
+-static long vfs_ioctl(struct file *filp, unsigned int cmd,
+- unsigned long arg)
++long vfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+ int error = -ENOTTY;
+
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
@@ -96438,10 +97001,10 @@ index 0000000..304c518
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..528fd00
+index 0000000..f50742d
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,245 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
@@ -96449,6 +97012,7 @@ index 0000000..528fd00
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+#include <linux/hardirq.h>
++#include <asm/pgtable.h>
+
+char *signames[] = {
+ [SIGSEGV] = "Segmentation fault",
@@ -99523,7 +100087,7 @@ index fa2cab9..d42a5b8 100644
{
BUG_ON(ftest->code & BPF_ANC);
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 72d8a84..4027250 100644
+index 72d8a84..d67bd25 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -439,7 +439,7 @@ struct address_space {
@@ -99599,7 +100163,16 @@ index 72d8a84..4027250 100644
unsigned int count, const char *name);
extern void unregister_chrdev_region(dev_t, unsigned);
extern void chrdev_show(struct seq_file *,off_t);
-@@ -3040,4 +3041,14 @@ static inline bool dir_relax(struct inode *inode)
+@@ -2778,8 +2779,6 @@ extern int vfs_lstat(const char __user *, struct kstat *);
+ extern int vfs_fstat(unsigned int, struct kstat *);
+ extern int vfs_fstatat(int , const char __user *, struct kstat *, int);
+
+-extern int do_vfs_ioctl(struct file *filp, unsigned int fd, unsigned int cmd,
+- unsigned long arg);
+ extern int __generic_block_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo,
+ loff_t start, loff_t len,
+@@ -3040,4 +3039,14 @@ static inline bool dir_relax(struct inode *inode)
extern bool path_noexec(const struct path *path);
@@ -101451,15 +102024,24 @@ index 6883e19..e854fcb 100644
/* This macro allows us to keep printk typechecking */
static __printf(1, 2)
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
-index ff9f1d3..6712be5 100644
+index ff9f1d3..77627d8 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
+@@ -47,7 +47,7 @@ struct key_preparsed_payload {
+ size_t quotalen; /* Quota length for proposed payload */
+ time_t expiry; /* Expiry time of key */
+ bool trusted; /* True if key is trusted */
+-};
++} __randomize_layout;
+
+ typedef int (*request_key_actor_t)(struct key_construction *key,
+ const char *op, void *aux);
@@ -152,7 +152,7 @@ struct key_type {
/* internal fields */
struct list_head link; /* link in types list */
struct lock_class_key lock_class; /* key->sem lock class */
-};
-+} __do_const;
++} __do_const __randomize_layout;
extern struct key_type key_type_keyring;
@@ -102798,10 +103380,10 @@ index 5df733b..d55f252 100644
/* config parameters */
#define PNP_CONFIG_NORMAL 0x0001
diff --git a/include/linux/poison.h b/include/linux/poison.h
-index 317e16d..924c034 100644
+index 317e16d..c5701ff 100644
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
-@@ -19,8 +19,8 @@
+@@ -19,15 +19,15 @@
* under normal circumstances, used to verify that nobody uses
* non-initialized list entries.
*/
@@ -102812,6 +103394,14 @@ index 317e16d..924c034 100644
/********** include/linux/timer.h **********/
/*
+ * Magic number "tsta" to indicate a static timer initializer
+ * for the object debugging code.
+ */
+-#define TIMER_ENTRY_STATIC ((void *) 0x74737461)
++#define TIMER_ENTRY_STATIC ((void *) 0x300 + POISON_POINTER_DELTA)
+
+ /********** mm/debug-pagealloc.c **********/
+ #define PAGE_POISON 0xaa
diff --git a/include/linux/power/smartreflex.h b/include/linux/power/smartreflex.h
index d8b187c3..9a9257a 100644
--- a/include/linux/power/smartreflex.h
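Review bot: The comment kept above `TIMER_ENTRY_STATIC` still describes the value as the magic number "tsta", but the new definition `((void *) 0x300 + POISON_POINTER_DELTA)` no longer encodes those characters. The comment should describe the value as it now is, for example `/* Poison-range pointer marking a static timer initializer for the object debugging code. */`. The expression also relies on GNU `void *` arithmetic; that is consistent if the neighbouring list-poison macros are written the same way, but those lines are outside this hunk.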
@@ -107280,6 +107870,28 @@ index 1471db9..dbdcf7f 100644
seq_printf(s,
"%10d %10d %4o %10lu %10lu %5u %5u %5u %5u %5u %5u %10lu %10lu %10lu\n",
+diff --git a/ipc/msgutil.c b/ipc/msgutil.c
+index 71f448e..5cb11f3 100644
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -55,7 +55,7 @@ static struct msg_msg *alloc_msg(size_t len)
+ size_t alen;
+
+ alen = min(len, DATALEN_MSG);
+- msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL);
++ msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL|GFP_USERCOPY);
+ if (msg == NULL)
+ return NULL;
+
+@@ -67,7 +67,7 @@ static struct msg_msg *alloc_msg(size_t len)
+ while (len > 0) {
+ struct msg_msgseg *seg;
+ alen = min(len, DATALEN_SEG);
+- seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL);
++ seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL|GFP_USERCOPY);
+ if (seg == NULL)
+ goto out_err;
+ *pseg = seg;
diff --git a/ipc/sem.c b/ipc/sem.c
index b471e5a..cb0c603 100644
--- a/ipc/sem.c
@@ -124347,7 +124959,7 @@ index b9ac598..f88cc56 100644
return;
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
-index 918151c..5bbe95a 100644
+index 918151c..2186df8 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -686,10 +686,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv)
@@ -124363,6 +124975,16 @@ index 918151c..5bbe95a 100644
}
memcpy(iucv->src_name, name, 8);
}
+@@ -709,6 +709,9 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr,
+ if (!addr || addr->sa_family != AF_IUCV)
+ return -EINVAL;
+
++ if (addr_len < sizeof(struct sockaddr_iucv))
++ return -EINVAL;
++
+ lock_sock(sk);
+ if (sk->sk_state != IUCV_OPEN) {
+ err = -EBADFD;
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 2a6a1fd..6c112b0 100644
--- a/net/iucv/iucv.c
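Review bot: The added `addr_len < sizeof(struct sockaddr_iucv)` test in `iucv_sock_bind()` runs after `addr->sa_family` has already been read, so a caller passing a length shorter than the family field has that field evaluated before the length is validated. Checking the length first closes that gap: `if (!addr || addr_len < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV) return -EINVAL;`. The rest of the function lies outside the hunk.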
@@ -125371,6 +125993,42 @@ index fafe33b..8896912 100644
sock_i_ino(s)
);
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index dba635d..0d2884b 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -1159,17 +1159,26 @@ int ovs_execute_actions(struct datapath *dp, struct sk_buff *skb,
+ const struct sw_flow_actions *acts,
+ struct sw_flow_key *key)
+ {
+- int level = this_cpu_read(exec_actions_level);
+- int err;
++ static const int ovs_recursion_limit = 5;
++ int err, level;
++
++ level = __this_cpu_inc_return(exec_actions_level);
++ if (unlikely(level > ovs_recursion_limit)) {
++ net_crit_ratelimited("ovs: recursion limit reached on datapath %s, probable configuration error\n",
++ ovs_dp_name(dp));
++ kfree_skb(skb);
++ err = -ENETDOWN;
++ goto out;
++ }
+
+- this_cpu_inc(exec_actions_level);
+ err = do_execute_actions(dp, skb, key,
+ acts->actions, acts->actions_len);
+
+- if (!level)
++ if (level == 1)
+ process_deferred_actions(dp);
+
+- this_cpu_dec(exec_actions_level);
++out:
++ __this_cpu_dec(exec_actions_level);
+ return err;
+ }
+
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
index b393412..3b2f7eb 100644
--- a/net/openvswitch/vport-internal_dev.c
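Review bot: `ovs_execute_actions()` switches from `this_cpu_read()`/`this_cpu_inc()` to `__this_cpu_inc_return()` and `__this_cpu_dec()`, which are only correct when the caller cannot be preempted or migrated between the increment and the decrement; nothing in the hunk states that requirement. If all callers run with bottom halves or preemption disabled (not visible here), a comment above the counter update would record it, e.g. `/* Callers run with BH disabled, so the non-preempt-safe per-cpu ops are sufficient. */`. The value 5 in `ovs_recursion_limit` would also benefit from a short note on how it was chosen.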
@@ -129759,7 +130417,7 @@ index 552705d..9920f4fb 100644
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
diff --git a/security/keys/internal.h b/security/keys/internal.h
-index 5105c2c..fd59e52 100644
+index 5105c2c..a5010e6 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -90,12 +90,16 @@ extern void key_type_put(struct key_type *ktype);
@@ -129781,6 +130439,15 @@ index 5105c2c..fd59e52 100644
extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
const struct keyring_index_key *index_key);
+@@ -191,7 +195,7 @@ struct request_key_auth {
+ void *callout_info;
+ size_t callout_len;
+ pid_t pid;
+-};
++} __randomize_layout;
+
+ extern struct key_type key_type_request_key_auth;
+ extern struct key *request_key_auth_new(struct key *target,
diff --git a/security/keys/key.c b/security/keys/key.c
index aee2ec5..c276071 100644
--- a/security/keys/key.c
@@ -129890,6 +130557,18 @@ index d334370..b03e5a8 100644
{
BUG_ON(index_key->type == NULL);
kenter("%d,%s,", keyring->serial, index_key->type->name);
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 43b4cdd..7877e5c 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..6457a0c 100644
--- a/security/min_addr.c
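Review bot: The added `key_put(keyring)` in `join_session_keyring()` has no comment, and the reason for it is not visible in the hunk. Presumably the lookup that produced `keyring` returned it with a reference held, which this early-exit branch would otherwise leak on every call that names the session keyring already in use. A short comment, `/* already our session keyring: drop the reference taken by the lookup */`, would keep a later cleanup from removing the put. The lookup and the `error2` label are outside the hunk.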
@@ -130207,6 +130886,27 @@ index ffd2025..df062c9 100644
/* PCM3052 register definitions */
+diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
+index f845ecf..656d9a9 100644
+--- a/sound/core/hrtimer.c
++++ b/sound/core/hrtimer.c
+@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
+ struct snd_hrtimer *stime = t->private_data;
+
+ atomic_set(&stime->running, 0);
+- hrtimer_cancel(&stime->hrt);
++ hrtimer_try_to_cancel(&stime->hrt);
+ hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
+ HRTIMER_MODE_REL);
+ atomic_set(&stime->running, 1);
+@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
+ {
+ struct snd_hrtimer *stime = t->private_data;
+ atomic_set(&stime->running, 0);
++ hrtimer_try_to_cancel(&stime->hrt);
+ return 0;
+ }
+
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index 58550cc..4687a93 100644
--- a/sound/core/oss/pcm_oss.c
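Review bot: Both new `hrtimer_try_to_cancel()` calls discard the return value, which is -1 when the callback is running and the timer could not be cancelled, so `snd_hrtimer_start()` may call `hrtimer_start()` while the handler is still executing. That looks deliberate, relying on the `running` flag cleared just before, but the callback is outside the hunk. A comment at both sites would make it explicit, e.g. `/* cannot wait for the callback here; it checks ->running and will not rearm */`, to be confirmed against the callback.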
@@ -130314,7 +131014,7 @@ index 75888dd..c940854 100644
default:
result = -EINVAL;
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index b64f20d..aff6c32 100644
+index b64f20d..a68addd 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -446,7 +446,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
@@ -130342,6 +131042,15 @@ index b64f20d..aff6c32 100644
event.data.ext.ptr = ptr;
}
#endif
+@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
+ * No restrictions so for a user client we can clear
+ * the whole fifo
+ */
+- if (client->type == USER_CLIENT)
++ if (client->type == USER_CLIENT && client->data.user.fifo)
+ snd_seq_fifo_clear(client->data.user.fifo);
+ }
+
@@ -2420,7 +2420,7 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
if (client == NULL)
return -ENXIO;
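Review bot: The comment above the changed condition in snd_seq_ioctl_remove_events() still says there are no restrictions for a user client, while the new `client->data.user.fifo` test shows that the fifo can be absent. Presumably a client without an input side has no fifo, but the allocation is outside the hunk; a line such as `/* fifo is NULL for a client with no input queue; nothing to clear */` would tell the next reader why the check exists. The pointer is tested and then passed to snd_seq_fifo_clear() with no lock visible here, so if another ioctl can free or replace the fifo, the check alone does not close that window. Other users of `client->data.user.fifo` in this file may need the same guard.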
@@ -130395,6 +131104,21 @@ index 8010766..4bd361f 100644
err = -EFAULT;
goto __error;
}
+diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
+index 7dfd0f4..0bec02e 100644
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
+ static void queue_delete(struct snd_seq_queue *q)
+ {
+ /* stop and release the timer */
++ mutex_lock(&q->timer_mutex);
+ snd_seq_timer_stop(q->timer);
+ snd_seq_timer_close(q);
++ mutex_unlock(&q->timer_mutex);
+ /* wait until access free */
+ snd_use_lock_sync(&q->use_lock);
+ /* release resources... */
diff --git a/sound/core/sound.c b/sound/core/sound.c
index 175f9e4..3518d31 100644
--- a/sound/core/sound.c
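Review bot: The existing comment `/* stop and release the timer */` in queue_delete() now sits above a `mutex_lock(&q->timer_mutex)` without saying what the mutex protects the teardown from. I would extend it to `/* stop and release the timer; timer_mutex serialises this against other timer open/close on the queue */` so the locking rule is stated where it is enforced. snd_seq_timer_stop() and snd_seq_timer_close() are now called with the mutex held, so neither may take `q->timer_mutex` itself; their bodies are outside this hunk and that should be checked. The rest of queue_delete() continues past the hunk.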
@@ -130408,6 +131132,171 @@ index 175f9e4..3518d31 100644
}
#endif /* modular kernel */
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 31f40f0..4e8d7bf 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -73,7 +73,7 @@ struct snd_timer_user {
+ struct timespec tstamp; /* trigger tstamp */
+ wait_queue_head_t qchange_sleep;
+ struct fasync_struct *fasync;
+- struct mutex tread_sem;
++ struct mutex ioctl_lock;
+ };
+
+ /* list of timers */
+@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
+ slave->slave_id == master->slave_id) {
+ list_move_tail(&slave->open_list, &master->slave_list_head);
+ spin_lock_irq(&slave_active_lock);
++ spin_lock(&master->timer->lock);
+ slave->master = master;
+ slave->timer = master->timer;
+ if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
+ list_add_tail(&slave->active_list,
+ &master->slave_active_head);
++ spin_unlock(&master->timer->lock);
+ spin_unlock_irq(&slave_active_lock);
+ }
+ }
+@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
+ timer->hw.close)
+ timer->hw.close(timer);
+ /* remove slave links */
++ spin_lock_irq(&slave_active_lock);
++ spin_lock(&timer->lock);
+ list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
+ open_list) {
+- spin_lock_irq(&slave_active_lock);
+- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
+ list_move_tail(&slave->open_list, &snd_timer_slave_list);
+ slave->master = NULL;
+ slave->timer = NULL;
+- spin_unlock_irq(&slave_active_lock);
++ list_del_init(&slave->ack_list);
++ list_del_init(&slave->active_list);
+ }
++ spin_unlock(&timer->lock);
++ spin_unlock_irq(&slave_active_lock);
+ mutex_unlock(&register_mutex);
+ }
+ out:
+@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
+- if (timeri->master)
++ if (timeri->master && timeri->timer) {
++ spin_lock(&timeri->timer->lock);
+ list_add_tail(&timeri->active_list,
+ &timeri->master->slave_active_head);
++ spin_unlock(&timeri->timer->lock);
++ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ return 1; /* delayed start */
+ }
+@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
+ if (!keep_flag) {
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
++ list_del_init(&timeri->ack_list);
++ list_del_init(&timeri->active_list);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ }
+ goto __end;
+@@ -694,7 +704,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
+ } else {
+ ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ if (--timer->running)
+- list_del(&ti->active_list);
++ list_del_init(&ti->active_list);
+ }
+ if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
+ (ti->flags & SNDRV_TIMER_IFLG_FAST))
+@@ -1253,7 +1263,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
+ return -ENOMEM;
+ spin_lock_init(&tu->qlock);
+ init_waitqueue_head(&tu->qchange_sleep);
+- mutex_init(&tu->tread_sem);
++ mutex_init(&tu->ioctl_lock);
+ tu->ticks = 1;
+ tu->queue_size = 128;
+ tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
+@@ -1273,8 +1283,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
+ if (file->private_data) {
+ tu = file->private_data;
+ file->private_data = NULL;
++ mutex_lock(&tu->ioctl_lock);
+ if (tu->timeri)
+ snd_timer_close(tu->timeri);
++ mutex_unlock(&tu->ioctl_lock);
+ kfree(tu->queue);
+ kfree(tu->tqueue);
+ kfree(tu);
+@@ -1512,7 +1524,6 @@ static int snd_timer_user_tselect(struct file *file,
+ int err = 0;
+
+ tu = file->private_data;
+- mutex_lock(&tu->tread_sem);
+ if (tu->timeri) {
+ snd_timer_close(tu->timeri);
+ tu->timeri = NULL;
+@@ -1556,7 +1567,6 @@ static int snd_timer_user_tselect(struct file *file,
+ }
+
+ __err:
+- mutex_unlock(&tu->tread_sem);
+ return err;
+ }
+
+@@ -1769,7 +1779,7 @@ enum {
+ SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
+ };
+
+-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct snd_timer_user *tu;
+@@ -1786,17 +1796,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
+ {
+ int xarg;
+
+- mutex_lock(&tu->tread_sem);
+- if (tu->timeri) { /* too late */
+- mutex_unlock(&tu->tread_sem);
++ if (tu->timeri) /* too late */
+ return -EBUSY;
+- }
+- if (get_user(xarg, p)) {
+- mutex_unlock(&tu->tread_sem);
++ if (get_user(xarg, p))
+ return -EFAULT;
+- }
+ tu->tread = xarg ? 1 : 0;
+- mutex_unlock(&tu->tread_sem);
+ return 0;
+ }
+ case SNDRV_TIMER_IOCTL_GINFO:
+@@ -1829,6 +1833,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
+ return -ENOTTY;
+ }
+
++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct snd_timer_user *tu = file->private_data;
++ long ret;
++
++ mutex_lock(&tu->ioctl_lock);
++ ret = __snd_timer_user_ioctl(file, cmd, arg);
++ mutex_unlock(&tu->ioctl_lock);
++ return ret;
++}
++
+ static int snd_timer_user_fasync(int fd, struct file * file, int on)
+ {
+ struct snd_timer_user *tu;
diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
index 2a008a9..a1efb3f 100644
--- a/sound/drivers/mts64.c
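Review bot: In the slave branch of _snd_timer_stop() the two added `list_del_init()` calls unlink `ack_list` and `active_list` while holding only `slave_active_lock`, whereas every other site this hunk touches takes `timer->lock` nested inside it before changing the same lists. Those sites are snd_timer_check_master(), snd_timer_close() and snd_timer_start_slave(). The interrupt path edits `active_list` as well and presumably runs under the master's `timer->lock`, so a stop on a slave that is attached to a master can still race with it and corrupt the list. I would take `timeri->timer->lock` inside `slave_active_lock` whenever `timeri->timer` is set, as sketched below. The function starts and ends outside the hunk, so it should be confirmed that no caller reaches this branch with that lock already held.

```c
		spin_lock_irqsave(&slave_active_lock, flags);
		/* same nesting as snd_timer_start_slave(): timer->lock inside slave_active_lock */
		if (timeri->timer)
			spin_lock(&timeri->timer->lock);
		/* … unchanged: clear SNDRV_TIMER_IFLG_RUNNING, list_del_init() of ack_list and active_list … */
		if (timeri->timer)
			spin_unlock(&timeri->timer->lock);
		spin_unlock_irqrestore(&slave_active_lock, flags);
```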
@@ -150708,10 +151597,10 @@ index 0000000..fc58e16
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..0a36c4a
+index 0000000..9da833a
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,21743 @@
+@@ -0,0 +1,21745 @@
+enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
+enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
+enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -163535,7 +164424,8 @@ index 0000000..0a36c4a
+enable_so_prism2_ap_translate_scan_fndecl_38540 prism2_ap_translate_scan fndecl 0 38540 NULL
+enable_so_cx18_av_read_fndecl_38542 cx18_av_read fndecl 0 38542 NULL
+enable_so_hw_channels_sh_cmt_device_38544 hw_channels sh_cmt_device 0 38544 NULL
-+enable_so_clk_fd_set_rate_fndecl_38545 clk_fd_set_rate fndecl 2-3 38545 NULL
++enable_so_clk_fd_set_rate_fndecl_38545 clk_fd_set_rate fndecl 2-3 38545 NULL nohasharray
++enable_so_snd_timer_user_tselect_fndecl_38545 snd_timer_user_tselect fndecl 0 38545 &enable_so_clk_fd_set_rate_fndecl_38545
+enable_so_ulist_add_merge_fndecl_38547 ulist_add_merge fndecl 0-2 38547 NULL nohasharray
+enable_so_krb5_encrypt_fndecl_38547 krb5_encrypt fndecl 5 38547 &enable_so_ulist_add_merge_fndecl_38547
+enable_so_fb_base_phys_radeonfb_info_38551 fb_base_phys radeonfb_info 0 38551 NULL
@@ -168363,6 +169253,7 @@ index 0000000..0a36c4a
+enable_so_real_vram_size_radeon_mc_53132 real_vram_size radeon_mc 0 53132 NULL
+enable_so_fault_inject_read_fndecl_53133 fault_inject_read fndecl 3 53133 NULL
+enable_so_data_dma_td_53137 data_dma td 0 53137 NULL
++enable_so_snd_timer_user_params_fndecl_53139 snd_timer_user_params fndecl 0 53139 NULL
+enable_so_log_rq_size_mlx5e_params_53140 log_rq_size mlx5e_params 0 53140 NULL
+enable_so_mmc_spi_readbytes_fndecl_53146 mmc_spi_readbytes fndecl 2-0 53146 NULL
+enable_so_zlib_tr_stored_block_fndecl_53147 zlib_tr_stored_block fndecl 3 53147 NULL